save release and package name in build report, rename build report to package-build.assert

bin/gsign

@@ -63,15 +63,25 @@ package_name = sanitize(package_name, "package name")
 result_file = "#{package_name}-res.yml"
 result_path = File.join(result_dir, result_file)
 File.exists?(result_path) or raise "#{result_path} does not exist"
+result = YAML.load_file(result_path)
 
 destination = @options[:destination] || File.join(base_dir, "sigs", package_name)
-release = @options[:release] || "current"
+release = @options[:release] || "test"
 release = sanitize(release, "release")
+
+result['release'] = release
+result['name'] = package_name
+result['type'] = 'build'
+
 signer = @options[:signer] or raise "must supply signer with --signer"
 
 FileUtils.mkdir_p(destination)
 
 release_path = File.join(destination, release, signer)
 FileUtils.mkdir_p(release_path)
+assert_path = File.join(release_path, "#{package_name}-build.assert")
+File.open(assert_path, "w") do |io|
+  io.write result.to_yaml
+end
 FileUtils.cp(result_path, release_path)
-system!("gpg --detach-sign -u \"#{signer}\" -o \"#{release_path}/signature.pgp\" #{result_path}")
+system!("gpg --detach-sign -u \"#{signer}\" #{assert_path}")

bin/gverify

@@ -63,9 +63,8 @@ release_path = File.join(destination, release)
 
 File.exists?(release_path) or raise "#{release_path} does not exist"
 
-result_file = "#{package_name}-res.yml"
-
-#system!("gpg --detach-sign -u #{signer} -o #{release_path}/signature.pgp #{result_path}")
+result_file = "#{package_name}-build.assert"
+sig_file = "#{result_file}.sig"
 
 current_manifest = nil
 
@@ -76,9 +75,21 @@ Dir.foreach(release_path) do |signer_dir|
   signer_path = sanitize_path(File.join(release_path, signer_dir), "signer path")
   next if !File.directory?(signer_path)
   result_path = sanitize_path(File.join(signer_path, result_file), "result path")
+  sig_path = sanitize_path(File.join(signer_path, sig_file), "result path")
+
+  if !File.exist?(result_path)
+    puts "missing result at #{result_path}"
+    next
+  end
+
+  if !File.exist?(sig_path)
+    puts "missing signature at #{sig_path}"
+    next
+  end
+
   result = YAML.load_file(result_path)
   system("gpg --keyserver pgp.mit.edu --recv-keys `gpg --quiet --batch --verify \"#{File.join(signer_path, 'signature.pgp')}\" \"#{result_path}\" 2>&1 | head -n1 | grep \"key ID\" | awk '{ print $15 }'` > /dev/null 2>&1")
-  out = `gpg --quiet --batch --verify \"#{File.join(signer_path, 'signature.pgp')}\" \"#{result_path}\" 2>&1`
+  out = `gpg --quiet --batch --verify \"#{sig_path}\" \"#{result_path}\" 2>&1`
   if $? != 0
     out.each do |line|
       if line =~ /^gpg: Signature made/
@@ -89,7 +100,7 @@ Dir.foreach(release_path) do |signer_dir|
     end
     puts "#{signer_dir}: BAD SIGNATURE"
     did_fail = true
-  elsif current_manifest and result['out_manifest'] != current_manifest
+  elsif current_manifest and (result['out_manifest'] != current_manifest or result['release'] != release or result['name'] != package_name)
     out.each do |line|
       if line =~ /^gpg: Signature made/
         info(line)

doc/NOTES

@@ -1,5 +1,10 @@
 Downloader
 
 * incremental update of dest directory
-* check version #
+  * check that manifest exists
+  * check version # increases
+  * overwrite existing files (optionally balk if sha256sum changed)
+  * remove files that are in manifest and not in new version
+  * remove empty dirs as result of previous action
+  * save version in manifest
 * json