sign-autobuilds.sh: ensure all tarballs, netboots, and latest*txt are signed20231008T235650Z

Some binary release artifacts were not being signed:
- older tarballs with different suffix
- netboot files
- latest marker files.

Ensure they are signed going forward, and a little bit of future
proofing for other compress suffixes.

Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

1 files changed, 25 insertions, 1 deletions

diff --git a/sign-autobuilds.sh b/sign-autobuilds.sh
index bbb835b..cac8b7e 100755
--- a/sign-autobuilds.sh
+++ b/sign-autobuilds.sh
@@ -49,7 +49,31 @@ pushd $RELEASES/$a >/dev/null || continue
 
 #echo "Release files:"
 
-files="$(find autobuilds -name '*.tar.xz' -or -name '*.iso' -or -name '*.tar.bz2' -or -name '*.lif')"
+# 2023/10/08: Unknown if the latest files are consumed by any machine-readable
+# process that would break if the changed into being clearsigned, so use a
+# detached signature for now.
+find_files_cmd=(
+	find autobuilds
+	-type f
+	'('
+		-false
+		-or -name '*.tar.xz'
+		-or -name '*.tar.bz2' # old builds
+		-or -name '*.tar.gz' # old builds
+		-or -name '*.tar.zst' # future builds?
+		-or -name '*.tar.zstd' # future builds?
+		-or -name '*.iso'
+		-or -name '*.tar.bz2'
+		# hppa netboot
+		-or -name '*.lif'
+		# s390 netboot
+		-or -name 'netboot*T[0-9][0-9][0-9][0-9][0-9][0-9]Z'
+		# marker files to declare latest builds.
+		-or -name 'latest*txt'
+	')'
+)
+
+files="$( "${find_files_cmd[@]}" )"
 sigs="$(find autobuilds -name '*.asc' )"
 unsigned="$(comm -23 <(echo "$files" |sort) <(echo "$sigs" | sed -e 's,.asc$,,g' |sort))"