Diffstat (limited to 'sign-mirror.sh')
-rwxr-xr-xsign-mirror.sh38
1 files changed, 38 insertions, 0 deletions
diff --git a/sign-mirror.sh b/sign-mirror.sh
new file mode 100755
index 0000000..c2002ae
--- /dev/null
+++ b/sign-mirror.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+set -euo pipefail
+
+# sign-mirror.sh
+# Generate detached PGP signature for stygian.failzero.net/mirror
+
+MIRROR_PATH="/mnt/brimstone/mirror/signatures"
+SIGNING_KEY="doc@filenotfound.org"
+BASENAME="SHA256SUMS"
+TS=$(date +"%Y%m%d-%H%M%S")
+CHECKSUM_FILE="$MIRROR_PATH/${BASENAME}-$TS"
+
+echo "[*] Generating $CHECKSUM_FILE..."
+(
+ cd "$MIRROR_PATH"
+ find . -type f -not -xtype l ! -name "SHA256SUMS*" -exec sha256sum {} \;
+) > "$CHECKSUM_FILE"
+
+echo "[*] Signing with GPG key: $SIGNING_KEY"
+gpg --batch --yes --default-key "$SIGNING_KEY" \
+ --armor --detach-sign "$CHECKSUM_FILE"
+
+echo "[*] Verifying signature..."
+gpg --verify "$CHECKSUM_FILE.asc" "$CHECKSUM_FILE"
+
+# Rotate old files, keep last 3
+echo "[*] Rotating old signatures (keeping last 3)..."
+cd "$MIRROR_PATH"
+(ls -1t ${BASENAME}-* 2>/dev/null || true) | tail -n +4 | xargs -r rm -f || true
+(ls -1t ${BASENAME}-*.asc 2>/dev/null || true) | tail -n +4 | xargs -r rm -f || true
+
+# Update symlinks to latest
+echo "[*] Updating symlinks..."
+LATEST=$(ls -1t ${BASENAME}-* | head -n1)
+ln -sf "$LATEST" "${BASENAME}"
+ln -sf "$LATEST.asc" "${BASENAME}.asc"
+
+echo "[+] Done. Latest signature: ${LATEST}.asc"
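Review bot: The glob `${BASENAME}-*` on the `LATEST=` line also matches the `.asc` files, and the signature is written after the checksum file, so `ls -1t ... | head -n1` will normally return `SHA256SUMS-<ts>.asc`. The `SHA256SUMS` symlink then points at the signature itself and `SHA256SUMS.asc` at a nonexistent `.asc.asc`, so anyone verifying through the published links gets a failure or checks the wrong file. The script already knows the name it just created, so `LATEST="${BASENAME}-$TS"` avoids parsing `ls` entirely. The same glob in the first rotation line counts checksum files and signatures together, so it keeps three files in total rather than three checksum files and can leave signatures whose checksum file is gone; filtering out `*.asc` there (for example `| grep -v '\.asc$'` before `tail`) keeps the pairs intact.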