add gpg signing for apt cache

config

@@ -20,7 +20,8 @@
 ## libdevuansdk configuration
 
 vars+=(release version mirror section blend_name image_name vm_name)
-vars+=(arch earch aptcachedir APT_CACHE)
+vars+=(arch earch)
+vars+=(aptcachedir APT_CACHE aptcachegpg)
 vars+=(usercredentials rootcredentials)
 
 arrs+=(core_packages base_packages purge_packages blend_packages)
@@ -28,6 +29,8 @@ arrs+=(core_packages base_packages purge_packages blend_packages)
 ## enable local apt cache
 APT_CACHE=1
 aptcachedir="$LIBPATH/apt-cache"
+## key used to sign the cache's Release
+aptcachegpg="0xdeadbeefdeadbeef"
 
 os="devuan"
 release="jessie"

zlibs/bootstrap

@@ -74,6 +74,17 @@ bootstrap_complete_base() {
 
 
 	chroot-script -d thirdstage || zerr
+
+	[[ $APT_CACHE = 1 ]] && {
+		notice "adding apt cache gpg pubkey"
+		cat <<EOF | sudo tee ${strapdir}/addcachepubkey >/dev/null
+#!/bin/sh
+gpgkey="$(gpg --export -a $aptcachegpg)"
+printf "%s" "\$gpgkey" | apt-key add -
+EOF
+		chroot-script addcachepubkey || zerr
+	}
+
 	sleep 1
 
 	bootstrap_tar_pack             || zerr

zlibs/cache

@@ -68,9 +68,15 @@ SHA256:
  $(sha256sum Packages.gz | cut -d' ' -f1)    $(du -b Packages.gz)
 EOF
 		rm -f Packages
-		## TODO: XXX: gpg sign Release
+		gpg --sign --detach-sign --sign-with $aptcachegpg Release || zerr
 	popd
 
 
 	sudo sed -i -e '@deb file:/mnt@d' "$strapdir/etc/apt/sources.list"
+	notice "removing apt cache gpg pubkey"
+	cat <<EOF | sudo tee ${strapdir}/delcachepubkey >/dev/null
+#!/bin/sh
+apt-key del ${aptcachegpg}
+EOF
+	chroot-script delcachepubkey || zerr
 }