From a8d43bc3cf4452e9e9c0e013a29c7f0b11f83b9e Mon Sep 17 00:00:00 2001
From: Eric F Crist
Date: Sat, 10 Jun 2023 09:01:27 -0500
Subject: [PATCH] Release v3.1.5
* update build script to sign/verify using gpg
* update ChangeLog for release
Signed-off-by: Eric F Crist
---
 ChangeLog | 3 ++-
 build/build-dist.sh | 40 +++++++++++++++++++++++++++++++++++++++-
 2 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 823981f..4245ad9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 Easy-RSA 3 ChangeLog
-3.1.5 (2023-06-12)
+3.1.5 (2023-06-10)
+ * Build Update: script now supports signing and verifying
 * Automate support-file creation (Free packaging) (#964)
 * build-ca: New command option 'raw-ca', abbrevation: 'raw' (#963)
diff --git a/build/build-dist.sh b/build/build-dist.sh
index e0e16be..d1e0983 100755
--- a/build/build-dist.sh
+++ b/build/build-dist.sh
@@ -22,7 +22,7 @@ build-dist options:
 --no-windows do not build for Windows
 --no-unix do not build for UNIX
 --no-compress do not create zip/tar
-
+ --sign Use GPG to sign and verify packages
 --dist-clean rm -rf the DIST_ROOT w/out prompts
 __EOF__
@@ -56,6 +56,38 @@ main() {
 $SKIP_ZIP || make_zip
 }
+# perform sign and verify
+sign_verify() {
+ # make sure gpg exists
+ gpgbin=$(which gpg)
+ if [ $? -ne 0 ];
+ then
+ echo "No gpg binary found in path."
+ return 1
+ fi
+
+ # $1 is our filename, it should exist
+ if [ -e "$1" ]; then
+ sign_out=$(gpg -qb "$1" 2>&1 )
+ # if signing worked, let's verify it
+ if [ $? -eq 0 ];
+ then
+ verify_out=$(gpg -q --verify "$1.sig" 2>&1 )
+ # if it's verified, return true
+ if [ $? -eq 0 ];
+ then
+ note "Sign and verify successful!"
+ return 0
+ fi
+ fi
+ # signing failed
+ note "Signing failed."
+ return 1
+ else
+ note "The file $1 doesn't exist or isn't readable."
+ fi
+}
+
 # prep DIST_ROOT
 dist_clean() {
 if [ -e "$DIST_ROOT" ]; then
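Review bot: In `sign_verify`, the `else` branch for a missing file ends without `return 1`, so the function's status there is whatever `note` returns and a missing artifact can look like success. The verify step `gpg -q --verify "$1.sig"` passes only the signature, which leaves gpg to guess the data file by stripping the suffix; the gpg manual discourages that form, and `gpg -q --verify "$1.sig" "$1"` names the signed file explicitly. A verification failure is also reported as "Signing failed." and the captured `sign_out`/`verify_out` are never printed, so the operator cannot tell which step broke or why. `gpgbin` is assigned from `which gpg` but never used; `command -v gpg` is the portable check. A flattened version with one exit per failure is sketched below.

```shell
sign_verify() {
	# make sure gpg exists
	if ! command -v gpg >/dev/null 2>&1; then
		echo "No gpg binary found in path."
		return 1
	fi

	# $1 is our filename, it should exist
	if [ ! -e "$1" ]; then
		note "The file $1 doesn't exist or isn't readable."
		return 1
	fi

	# create the detached signature; show gpg's own output on failure
	if ! sign_out=$(gpg -qb "$1" 2>&1); then
		note "Signing failed: $sign_out"
		return 1
	fi

	# verify against the explicitly named data file, not a guessed one
	if ! verify_out=$(gpg -q --verify "$1.sig" "$1" 2>&1); then
		note "Verification failed: $verify_out"
		return 1
	fi

	note "Sign and verify successful!"
	return 0
}
```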
@@ -142,6 +174,7 @@ stage_win() {
 make_tar() {
 (cd "$DIST_ROOT/unix/"; tar -czf "../${PV}.tgz" "$PV") || die "tar failed"
 note "tarball created at: $DIST_ROOT/${PV}.tgz"
+ $SKIP_SIGN || sign_verify "$DIST_ROOT/${PV}.tgz"
 }
 make_zip() {
@@ -149,6 +182,7 @@ make_zip() {
 do
 (cd "$DIST_ROOT/$win/"; zip -qr "../${PV}-$win.zip" "$PV") || die "zip failed"
 note "zip file created at: $DIST_ROOT/${PV}-$win.zip"
+ $SKIP_SIGN || sign_verify "$DIST_ROOT/${PV}-$win.zip"
 done
 }
@@ -156,6 +190,7 @@ SKIP_WIN=false
 SKIP_UNIX=false
 SKIP_ZIP=false
 SKIP_TAR=false
+SKIP_SIGN=true
 # parse CLI options:
 while [ -n "$1" ]
 do
@@ -180,6 +215,9 @@ do
 # shellcheck disable=SC2034
 BIN_DEST="$val"
 ;;
+ --sign)
+ SKIP_SIGN=false
+ ;;
 --dist-clean)
 DISTCLEAN=1
 ;;
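Review bot: The two new call sites, `$SKIP_SIGN || sign_verify "$DIST_ROOT/${PV}.tgz"` in `make_tar` and the matching line in `make_zip`, discard the result of `sign_verify`, while the `tar` and `zip` steps just above them stop the build with `die`. With `--sign` requested, a failed signature or verification would then only print a note and, as far as these hunks show, the build carries on and leaves an unsigned archive in `DIST_ROOT`. Treat signing like the other steps: `$SKIP_SIGN || sign_verify "$DIST_ROOT/${PV}.tgz" || die "sign/verify failed"`, and the same for the zip line. The body of `make_zip` starts outside its hunk.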