2012-02-12 17:04:59 +01:00
|
|
|
#!/bin/bash
|
2021-04-26 16:55:29 +02:00
|
|
|
#
|
|
|
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
2012-02-12 17:04:59 +01:00
|
|
|
|
2017-10-19 10:47:12 +02:00
|
|
|
set -e
|
|
|
|
|
|
2012-02-12 22:42:01 +01:00
|
|
|
export LANG=C
|
|
|
|
|
|
2012-02-12 17:04:59 +01:00
|
|
|
TMPDIR=$(mktemp -d)
|
|
|
|
|
trap "rm -rf '${TMPDIR}'" EXIT
|
|
|
|
|
|
2021-08-02 13:06:47 +02:00
|
|
|
KEYSERVER='hkps://keyserver.ubuntu.com'
|
2019-08-05 17:16:04 -04:00
|
|
|
GPG=(gpg --homedir "${TMPDIR}")
|
|
|
|
|
|
|
|
|
|
cat << __EOF__ > "${TMPDIR}"/gpg.conf
|
|
|
|
|
quiet
|
|
|
|
|
batch
|
|
|
|
|
no-tty
|
|
|
|
|
no-permission-warning
|
2019-08-05 17:25:45 -04:00
|
|
|
export-options no-export-attributes,export-clean
|
2019-08-05 17:16:04 -04:00
|
|
|
keyserver ${KEYSERVER}
|
2020-06-29 09:42:13 +02:00
|
|
|
keyserver-options no-self-sigs-only
|
2019-08-05 17:30:35 -04:00
|
|
|
armor
|
|
|
|
|
no-emit-version
|
2019-08-05 17:16:04 -04:00
|
|
|
__EOF__
|
2012-02-12 17:04:59 +01:00
|
|
|
|
2019-08-05 17:47:41 -04:00
|
|
|
cd "$(dirname "$0")"
|
2012-02-12 22:42:01 +01:00
|
|
|
|
2019-08-05 17:05:17 -04:00
|
|
|
"${GPG[@]}" --gen-key <<EOF
|
2019-01-23 23:12:15 +01:00
|
|
|
%echo Generating Arch Linux keyring temporary master key...
|
2012-02-12 22:42:01 +01:00
|
|
|
Key-Type: RSA
|
2019-01-23 23:12:15 +01:00
|
|
|
Key-Length: 2048
|
2012-02-12 22:42:01 +01:00
|
|
|
Key-Usage: sign
|
2019-01-23 23:12:15 +01:00
|
|
|
Name-Real: Arch Linux keyring temporary master key
|
2012-02-12 22:42:01 +01:00
|
|
|
Name-Email: archlinux-keyring@localhost
|
|
|
|
|
Expire-Date: 0
|
2015-02-07 10:28:34 +01:00
|
|
|
%no-protection
|
2012-02-12 22:42:01 +01:00
|
|
|
%commit
|
|
|
|
|
%echo Done
|
|
|
|
|
EOF
|
|
|
|
|
|
2019-08-05 17:05:17 -04:00
|
|
|
"${GPG[@]}" --import < archlinux.gpg
|
2019-01-23 10:27:58 +01:00
|
|
|
|
2017-03-20 21:40:37 +01:00
|
|
|
rm -rf master{,-revoked} packager{,-revoked} archlinux-{trusted,revoked}
|
|
|
|
|
mkdir master packager master-revoked packager-revoked
|
2012-02-12 22:42:01 +01:00
|
|
|
|
2019-01-23 21:59:37 +01:00
|
|
|
# refresh/receive all keys
|
2012-02-12 22:42:01 +01:00
|
|
|
while read -ra data; do
|
|
|
|
|
keyid="${data[0]}"
|
|
|
|
|
username="${data[@]:1}"
|
2019-08-05 17:05:17 -04:00
|
|
|
if "${GPG[@]}" --list-keys ${keyid} >/dev/null &>/dev/null; then
|
2021-08-02 13:06:47 +02:00
|
|
|
# Ignore refresh failure; Ubuntu keyserver lacks support for EC keys
|
|
|
|
|
# TODO: Remove the "|| true" when the above is no longer an issue
|
|
|
|
|
"${GPG[@]}" --refresh-keys ${keyid} &>/dev/null || true
|
2019-01-23 21:59:37 +01:00
|
|
|
else
|
2019-08-05 17:05:17 -04:00
|
|
|
"${GPG[@]}" --recv-keys ${keyid} &>/dev/null
|
2019-01-23 21:59:37 +01:00
|
|
|
fi
|
|
|
|
|
done < <(cat master-keyids master-revoked-keyids packager-keyids packager-revoked-keyids)
|
|
|
|
|
|
|
|
|
|
# master-keyids
|
|
|
|
|
while read -ra data; do
|
|
|
|
|
keyid="${data[0]}"
|
|
|
|
|
username="${data[@]:1}"
|
2019-08-05 17:05:17 -04:00
|
|
|
"${GPG[@]}" --yes --lsign-key ${keyid} &>/dev/null
|
2019-10-07 13:12:53 +02:00
|
|
|
"${GPG[@]}" --comment "master-key: ${username} (${keyid})" --export ${keyid} >> master/${username}.asc
|
2012-03-03 18:16:04 +01:00
|
|
|
echo "${keyid}:4:" >> archlinux-trusted
|
2012-02-12 22:42:01 +01:00
|
|
|
done < master-keyids
|
2019-08-05 17:05:17 -04:00
|
|
|
"${GPG[@]}" --import-ownertrust < archlinux-trusted 2>/dev/null
|
2012-02-12 22:42:01 +01:00
|
|
|
|
2019-01-23 21:59:37 +01:00
|
|
|
# master-revoked-keyids
|
2017-03-20 21:40:37 +01:00
|
|
|
while read -ra data; do
|
|
|
|
|
keyid="${data[0]}"
|
|
|
|
|
username="${data[1]}"
|
2019-10-07 13:12:53 +02:00
|
|
|
"${GPG[@]}" --comment "revoked master-key: ${username} (${keyid})" --export ${keyid} >> master-revoked/${username}.asc
|
2017-10-17 14:01:23 +02:00
|
|
|
echo "${keyid}" >> archlinux-revoked
|
2017-03-20 21:40:37 +01:00
|
|
|
done < master-revoked-keyids
|
|
|
|
|
|
2019-01-23 21:59:37 +01:00
|
|
|
# packager-keyids
|
2013-06-10 14:18:32 +02:00
|
|
|
while read -ra data; do
|
|
|
|
|
keyid="${data[0]}"
|
|
|
|
|
username="${data[@]:1}"
|
2019-08-05 17:05:17 -04:00
|
|
|
if ! "${GPG[@]}" --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
|
2019-10-09 16:51:15 +02:00
|
|
|
echo "WARNING: key is not fully trusted: ${keyid} ${username}"
|
|
|
|
|
"${GPG[@]}" --comment "marginal trust: ${username} (${keyid})" --export ${keyid} >> packager/${username}.asc
|
2012-02-12 22:42:01 +01:00
|
|
|
else
|
2019-10-07 13:12:53 +02:00
|
|
|
"${GPG[@]}" --comment "packager: ${username} (${keyid})" --export ${keyid} >> packager/${username}.asc
|
2012-02-12 22:42:01 +01:00
|
|
|
fi
|
|
|
|
|
done < packager-keyids
|
|
|
|
|
|
2019-01-23 21:59:37 +01:00
|
|
|
# packager-revoked-keyids
|
2013-05-25 12:48:49 +02:00
|
|
|
while read -ra data; do
|
|
|
|
|
keyid="${data[0]}"
|
|
|
|
|
username="${data[1]}"
|
2019-10-07 13:12:53 +02:00
|
|
|
"${GPG[@]}" --comment "revoked packager: ${username} (${keyid})" --export ${keyid} >> packager-revoked/${username}.asc
|
2017-10-17 14:01:23 +02:00
|
|
|
echo "${keyid}" >> archlinux-revoked
|
2013-05-25 12:48:49 +02:00
|
|
|
done < packager-revoked-keyids
|
|
|
|
|
|
2017-03-20 21:40:37 +01:00
|
|
|
cat master/*.asc master-revoked/*.asc packager/*.asc packager-revoked/*.asc > archlinux.gpg
|
