@frederickding
Last active February 13, 2020 17:49
gpg2-vmimage
#!/bin/bash
## Usage: gpg2-vmimage.sh FILENAME
##
## FILENAME can be:
## - a tar archive (in which case this script will apply zstd
##   compression before encrypting & signing with GnuPG)
## - an already-compressed OVA file (in which case this script
##   will not further compress)
##
## The output will be a .zst.gpg or .gpg of the input file and
## a clearsigned SHA256 checksum file, BASENAME.asc (containing the hashes
## of the input file, the intermediate .zst archive, if any, and the
## encrypted output file).
##
## The .zst is created with --long, so decompress it with `zstd -d --long`;
## a plain `zstd -d` refuses the larger window.
set -e

# hardcode the PGP recipients here before using; the variable is expanded
# unquoted below on purpose so that it splits into separate -r arguments
RECIPIENTS="-r userid@example.com -r 0x12345678"

input_filename=$1
if [ ! -f "$input_filename" ]; then
    echo "$input_filename does not exist!" >&2
    exit 128
fi

# everything else is named after the input minus its last extension
# (foo.tar and foo.ova both give foo)
input_basename=${input_filename%.*}
checksum_file="$input_basename.sha256sum"
# start a fresh list: hashes are appended with tee -a below, so a file left
# over from an earlier run would otherwise be clearsigned along with them
: > "$checksum_file"

# a .tar input is zstd-compressed first; anything else (e.g. an OVA) is used as-is
case "$input_filename" in
    *.tar)
        sha256sum "$input_filename" | tee -a "$checksum_file"
        printf "First, going to compress this tar: %s\n" "$input_filename"
        # you may want to tweak this line for performance/compression settings
        zstd --long -T4 -19 "$input_filename"
        input_filename="$input_filename.zst"
        ;;
esac

printf "About to hash, encrypt, and sign %s\n" "$input_filename"
sha256sum "$input_filename" | tee -a "$checksum_file"
printf "Invoking GPG to encrypt and sign...\n"
# the payload is already compressed (zstd or OVA), so skip GnuPG's own compression
gpg2 --encrypt --sign --compress-algo none \
    $RECIPIENTS \
    -o "$input_filename.gpg" "$input_filename"
sha256sum "$input_filename.gpg" | tee -a "$checksum_file"
gpg2 --clearsign -o "$input_basename.asc" "$checksum_file"
# set -e has already aborted above if the clearsign failed, so the unsigned
# list is only removed after a successful signature; comment this out if you
# want to see how it works and keep the intermediate file
rm "$checksum_file"
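The gist only covers the sending side. The companion below is an added example, not part of the gist, showing what a recipient does with the artifacts it produces: pin the signer of the clearsigned hash list to an expected fingerprint (a good signature from any other key in the keyring is rejected), check the listed hashes, then decrypt and decompress with `--long`. It assumes gpg2 and zstd on PATH, the signer's public key and one recipient's private key in the keyring, and that the placeholder EXPECTED_FPR and the file names (win10.tar and friends) are replaced with real ones; all of those are assumptions of this example.

```sh
#!/bin/sh
# verify-vmimage.sh SIGNED_LIST ENCRYPTED_IMAGE  (added example, not the gist's code)
# Recipient-side counterpart to gpg2-vmimage.sh: checks the clearsigned
# hash list, pins the signer, then decrypts and decompresses the image.

# Full fingerprint of the key allowed to sign images. Placeholder value
# (an assumption of this example); replace it with the real fingerprint.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Names the encrypt script produces for a given original input:
#   foo.tar -> foo.tar.zst.gpg and foo.asc;  foo.ova -> foo.ova.gpg and foo.asc
encrypted_name() {
    case "$1" in
        *.tar) printf '%s.zst.gpg\n' "$1" ;;
        *)     printf '%s.gpg\n' "$1" ;;
    esac
}
signature_name() {
    printf '%s.asc\n' "${1%.*}"
}

# Accept the clearsigned list only if GnuPG reports a valid signature made by
# EXPECTED_FPR. A bare "gpg2 --verify" exits 0 for a good signature from ANY
# key in the keyring, so the VALIDSIG status line is pinned instead. Its first
# field is the fingerprint of the signing (sub)key, so pin that one.
verify_signer() {
    gpg2 --status-fd 1 --verify "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $EXPECTED_FPR "
}

# Check every listed hash whose file is present. sha256sum -c cannot read the
# armored .asc directly (the PGP header lines are not checksum lines), so the
# signed body is extracted with --decrypt, which also fails on a bad signature.
verify_checksums() {
    body=$(gpg2 --decrypt --output - "$1" 2>/dev/null) || return 1
    printf '%s\n' "$body" | sha256sum -c --ignore-missing --strict
}

# Decrypt (GnuPG also verifies the signature embedded in the encrypted file)
# and, for a .zst, decompress. --long is required because the archive was
# created with --long and the default decoder window is too small.
decrypt_image() {
    plain=${1%.gpg}
    gpg2 --decrypt --output "$plain" "$1" || return 1
    case "$plain" in
        *.zst) zstd -d --long "$plain" ;;
    esac
}

# Typical run for artifacts made from win10.tar (constructed example names):
#   verify-vmimage.sh win10.asc win10.tar.zst.gpg
if [ $# -eq 2 ]; then
    verify_signer "$1"    || { echo "signature is not from $EXPECTED_FPR" >&2; exit 1; }
    verify_checksums "$1" || exit 1
    decrypt_image "$2"    || exit 1
    # the .zst and the unpacked .tar now exist too, so every listed hash is checked
    verify_checksums "$1"
fi
```

The second `verify_checksums` run is the one that matters for the image itself: the first pass can only confirm the `.gpg` file (the other listed files do not exist yet), while the final pass confirms that what was decrypted and decompressed matches the hashes the signer committed to.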