From 68035c1e4e90dba3bd0dfa0ae5f4bc60ef096b74 Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Wed, 29 Mar 2017 13:50:29 +0200
Subject: [PATCH] OCI: Support signing build-bundld --oci output

---
 app/flatpak-builtins-build-bundle.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/app/flatpak-builtins-build-bundle.c b/app/flatpak-builtins-build-bundle.c
index 12eb93d7..e812da0a 100644
--- a/app/flatpak-builtins-build-bundle.c
+++ b/app/flatpak-builtins-build-bundle.c
@@ -48,6 +48,8 @@ static char *opt_runtime_repo;
 static gboolean opt_runtime = FALSE;
 static char **opt_gpg_file;
 static gboolean opt_oci = FALSE;
+static char **opt_gpg_key_ids;
+static char *opt_gpg_homedir;
 
 static GOptionEntry options[] = {
  { "runtime", 0, 0, G_OPTION_ARG_NONE, &opt_runtime, N_("Export runtime instead of app"), NULL },
@@ -56,6 +58,8 @@ static GOptionEntry options[] = {
  { "runtime-repo", 0, 0, G_OPTION_ARG_STRING, &opt_runtime_repo, N_("Url for runtime flatpakrepo file"), N_("URL") },
  { "gpg-keys", 0, 0, G_OPTION_ARG_FILENAME_ARRAY, &opt_gpg_file, N_("Add GPG key from FILE (- for stdin)"), N_("FILE") },
  { "oci", 0, 0, G_OPTION_ARG_NONE, &opt_oci, N_("Export oci image instead of flatpak bundle"), NULL },
+ { "gpg-sign", 0, 0, G_OPTION_ARG_STRING_ARRAY, &opt_gpg_key_ids, N_("GPG Key ID to sign the OCI image with"), N_("KEY-ID") },
+ { "gpg-homedir", 0, 0, G_OPTION_ARG_STRING, &opt_gpg_homedir, N_("GPG Homedir to use when looking for keyrings"), N_("HOMEDIR") },
  { NULL }
 };
 
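Review bot: `--gpg-sign` and `--gpg-homedir` are accepted whether or not `--oci` is given, yet their help text says they sign the OCI image and, judging by the second hunk, they are only read inside build_oci, so `--gpg-sign` without `--oci` yields an unsigned bundle with no diagnostic. A check at the start of the builtin that rejects `--gpg-sign` (and `--gpg-homedir`) when `opt_oci` is FALSE would make the limitation visible to the user instead of silently producing unsigned output; that option handling lives outside this hunk. The help string `N_("GPG Key ID to sign the OCI image with")` could also say "(only with --oci)" so the restriction shows up in `--help`.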
@@ -401,6 +405,26 @@ build_oci (OstreeRepo *repo, GFile *dir,
 flatpak_oci_export_annotations (manifest->annotations, manifest_desc->annotations);
 
+ if (opt_gpg_key_ids)
+ {
+ g_autoptr(FlatpakOciSignature) sig = flatpak_oci_signature_new (manifest_desc->digest, ref);
+ g_autoptr(GBytes) sig_bytes = flatpak_json_to_bytes (FLATPAK_JSON (sig));
+ g_autoptr(GBytes) res = NULL;
+ g_autofree char *signature_digest = NULL;
+
+ res = flatpak_oci_sign_data (sig_bytes, (const char **)opt_gpg_key_ids, opt_gpg_homedir, error);
+ if (res == NULL)
+ return FALSE;
+
+ signature_digest = flatpak_oci_registry_store_blob (registry, res, cancellable, error);
+ if (signature_digest == NULL)
+ return FALSE;
+
+ g_hash_table_replace (manifest_desc->annotations,
+ g_strdup ("org.flatpak.signature-digest"),
+ g_strdup (signature_digest));
+ }
+
 index = flatpak_oci_registry_load_index (registry, NULL, NULL, NULL, NULL);
 if (index == NULL)
 index = flatpak_oci_index_new ();
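Review bot: The annotation key `"org.flatpak.signature-digest"` is written as a bare literal in the new block with nothing saying what the referenced blob contains or why it hangs off the index descriptor rather than the manifest; a comment above the `g_hash_table_replace` call such as `/* Store the detached signature as a registry blob and reference it from the index descriptor's annotations, so the manifest digest being signed is not itself modified */` would spare the next reader the reconstruction. The signed payload appears to bind `manifest_desc->digest` to `ref`, which lets a verifier check both content and name, but that is inferred from the constructor's arguments and should be confirmed and stated in the comment. `--gpg-homedir` given without `--gpg-sign` is silently ignored here because the whole block is gated on `opt_gpg_key_ids`; if that combination is meant to be an error, the check belongs in the option handling outside this hunk. build_oci starts before this hunk and continues past it.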