This section describes how to use swbis to place GPG signatures into a source code management repository such as CVS. The application of swbis simply involves adding the ./catalog/ directory and its contents to the repository and is not specific to any particular SCM. The files in the ./catalog/ directory are either directories or ascii text regular files.
The first step is to perfectly sync-up with the repository. Empty directories should be removed and created on the fly by the Makefiles. Stray junk files in the working directory and repository need to be deleted from both. Failure to do this will result in failed verification although the partial success can still be useful. (Also the RCS style file Id's used by CVS may interfere the verification of the file digests.)
Step two is to initialize, add, and commit the ./catalog/ directory in the top level module. Just make the regular files empty for now. The order does not matter. The files are:
catalog/ catalog/INDEX catalog/dfiles/ catalog/dfiles/INFO catalog/dfiles/checkdigest catalog/dfiles/md5sum catalog/dfiles/sha1sum catalog/dfiles/adjunct_md5sum catalog/dfiles/files catalog/dfiles/sig_header catalog/dfiles/signature catalog/pfiles/ catalog/pfiles/INFO catalog/INFO
Next, checkout the ./catalog/ directory. Treat it just like any other directory except you will be using the swign command to generate its contents. Then at any point of your choosing sign your working directory by running swign and then commit all of your changes to the repository including the ./catalog/ directory.
Here's how to sign:
make distclean; SWPACKAGEPASSFD=agent; GNUPGNAME="Your Name" swign --name-version=module_name-1.2.3 -s PSF.in --no-remove @.
This swign invocation will only alter files in ./catalog/.
Note that the
--no-remove option is required as this prevents the SCM control files from being deleted.
--name-version option is required.
The PSF.in file has several specializatons.
%__revision macros must be used and the
exclude directive must exclude the SCM's working
directory control files. The PSF.in file must also specify a
checkdigest script as this is required to verify the
directory form of a package. The checkdigest.sh file from swbis version 0.496 is a working example of this script.
Next, you should tag this point so it can retrieved in the future. Now, export (to exclude the SCM's control files)
the module to a new directory and run swverify with the
--scm option (The swverify version must be
at least 0.496).
cvs export -r your_tag_name module_name cd module_name swverify -d --scm @.