condorcore-keyring/update-keys

#!/bin/bash

set -e

export LANG=C

TMPDIR=$(mktemp -d)
trap "rm -rf '${TMPDIR}'" EXIT

KEYSERVER='hkp://pool.sks-keyservers.net'
GPG=(gpg --homedir "${TMPDIR}")

cat << __EOF__ > "${TMPDIR}"/gpg.conf
quiet
batch
no-tty
no-permission-warning
export-options no-export-attributes,export-clean
keyserver ${KEYSERVER}
keyserver-options no-self-sigs-only
armor
no-emit-version
__EOF__

cd "$(dirname "$0")"

"${GPG[@]}" --gen-key <<EOF
%echo Generating Arch Linux keyring temporary master key...
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Arch Linux keyring temporary master key
Name-Email: archlinux-keyring@localhost
Expire-Date: 0
%no-protection
%commit
%echo Done
EOF

"${GPG[@]}" --import < archlinux.gpg

rm -rf master{,-revoked} packager{,-revoked} archlinux-{trusted,revoked}
mkdir master packager master-revoked packager-revoked

# refresh/receive all keys
while read -ra data; do
	keyid="${data[0]}"
	username="${data[@]:1}"
	if "${GPG[@]}" --list-keys ${keyid} >/dev/null &>/dev/null; then
		"${GPG[@]}" --refresh-keys ${keyid} &>/dev/null
	else
		"${GPG[@]}" --recv-keys ${keyid} &>/dev/null
	fi
done < <(cat master-keyids master-revoked-keyids packager-keyids packager-revoked-keyids)

# master-keyids
while read -ra data; do
	keyid="${data[0]}"
	username="${data[@]:1}"
	"${GPG[@]}" --yes --lsign-key ${keyid} &>/dev/null
	"${GPG[@]}" --comment "master-key: ${username} (${keyid})" --export ${keyid} >> master/${username}.asc
	echo "${keyid}:4:" >> archlinux-trusted
done < master-keyids
"${GPG[@]}" --import-ownertrust < archlinux-trusted 2>/dev/null

# master-revoked-keyids
while read -ra data; do
	keyid="${data[0]}"
	username="${data[1]}"
	"${GPG[@]}" --comment "revoked master-key: ${username} (${keyid})" --export ${keyid} >> master-revoked/${username}.asc
	echo "${keyid}" >> archlinux-revoked
done < master-revoked-keyids

# packager-keyids
while read -ra data; do
	keyid="${data[0]}"
	username="${data[@]:1}"
	if ! "${GPG[@]}" --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
		echo "WARNING: key is not fully trusted: ${keyid} ${username}"
		"${GPG[@]}" --comment "marginal trust: ${username} (${keyid})" --export ${keyid} >> packager/${username}.asc
	else
		"${GPG[@]}" --comment "packager: ${username} (${keyid})" --export ${keyid} >> packager/${username}.asc
	fi
done < packager-keyids

# packager-revoked-keyids
while read -ra data; do
	keyid="${data[0]}"
	username="${data[1]}"
	"${GPG[@]}" --comment "revoked packager: ${username} (${keyid})" --export ${keyid} >> packager-revoked/${username}.asc
	echo "${keyid}" >> archlinux-revoked
done < packager-revoked-keyids

cat master/*.asc master-revoked/*.asc packager/*.asc packager-revoked/*.asc > archlinux.gpg
Add keyid lists and update script * The keyid lists are retreived from archweb * The update script can be run to refresh all keys 2012-02-12 10:04:59 -06:00			`#!/bin/bash`

exit immediately on error Intermittent errors (due to broker network connectivity, key server failure, whatever ...) could result in an incomplete keyring. So exit immediately on error. 2017-10-19 03:47:12 -05:00			`set -e`

Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00			`export LANG=C`

Add keyid lists and update script * The keyid lists are retreived from archweb * The update script can be run to refresh all keys 2012-02-12 10:04:59 -06:00			`TMPDIR=$(mktemp -d)`
			`trap "rm -rf '${TMPDIR}'" EXIT`

Use more reliable default keyserver; same as in pacman >= 4.0.3 2012-04-07 11:38:26 -05:00			`KEYSERVER='hkp://pool.sks-keyservers.net'`
update-keys: use gpg.conf to persist versions It is easier than passing around a dozen options on the command line. Signed-off-by: Christian Hesse <mail@eworm.de> 2019-08-05 16:16:04 -05:00			`GPG=(gpg --homedir "${TMPDIR}")`

			`cat << __EOF__ > "${TMPDIR}"/gpg.conf`
			`quiet`
			`batch`
			`no-tty`
			`no-permission-warning`
update-keys: move export-clean to gpg.conf instead of cleaning the keyring before export This has the same effect, but causes only the exported version of the key to be cleaned. Cleaning the internal copy doesn't matter. Signed-off-by: Christian Hesse <mail@eworm.de> 2019-08-05 16:25:45 -05:00			`export-options no-export-attributes,export-clean`
update-keys: use gpg.conf to persist versions It is easier than passing around a dozen options on the command line. Signed-off-by: Christian Hesse <mail@eworm.de> 2019-08-05 16:16:04 -05:00			`keyserver ${KEYSERVER}`
update-keys: (re-)enable web of trust We need web of trust to download the master key signatures... So enable it. 2020-06-29 02:42:13 -05:00			`keyserver-options no-self-sigs-only`
update-keys: move armor to gpg.conf This option only affects --export, and we always use armored keys. Signed-off-by: Christian Hesse <mail@eworm.de> 2019-08-05 16:30:35 -05:00			`armor`
			`no-emit-version`
update-keys: use gpg.conf to persist versions It is easier than passing around a dozen options on the command line. Signed-off-by: Christian Hesse <mail@eworm.de> 2019-08-05 16:16:04 -05:00			`__EOF__`
Add keyid lists and update script * The keyid lists are retreived from archweb * The update script can be run to refresh all keys 2012-02-12 10:04:59 -06:00
update-keys: don't restore cwd in a subprocess Using popd at the very end of a shell script is unnecessary, because, as the very last command, there is nothing to restore state for. Immediately after, the shell subprocess is ended, and processes don't control the cwd of the parent process. Changing the cwd for the last microsecond of the shell process, during which no commands are run, is a mildly expensive no-op. By the same measure, if popd is never used, pushd is not needed to record the old cwd. So simply use 'cd'. Signed-off-by: Christian Hesse <mail@eworm.de> 2019-08-05 16:47:41 -05:00			`cd "$(dirname "$0")"`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00
update-keys: use array for $GPG Embedding quotes in a string doesn't work, it just causes KEYSERVER to not be quoted at all. Signed-off-by: Christian Hesse <mail@eworm.de> 2019-08-05 16:05:17 -05:00			`"${GPG[@]}" --gen-key <<EOF`
Modify the temporary master key generation 2019-01-23 16:12:15 -06:00			`%echo Generating Arch Linux keyring temporary master key...`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00			`Key-Type: RSA`
Modify the temporary master key generation 2019-01-23 16:12:15 -06:00			`Key-Length: 2048`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00			`Key-Usage: sign`
Modify the temporary master key generation 2019-01-23 16:12:15 -06:00			`Name-Real: Arch Linux keyring temporary master key`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00			`Name-Email: archlinux-keyring@localhost`
			`Expire-Date: 0`
GPG 2.1 compatibility 2015-02-07 03:28:34 -06:00			`%no-protection`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00			`%commit`
			`%echo Done`
			`EOF`

update-keys: use array for $GPG Embedding quotes in a string doesn't work, it just causes KEYSERVER to not be quoted at all. Signed-off-by: Christian Hesse <mail@eworm.de> 2019-08-05 16:05:17 -05:00			`"${GPG[@]}" --import < archlinux.gpg`
Import archlinux.gpg into the temporary keyring This makes sure we do not loose signatures depending on key server used. 2019-01-23 03:27:58 -06:00
Update keyring - add keys of new Trusted Users: zorin, shibumi, archangegabriel - revoke keys of ex-TUs: flexiondotorg, dicebot - revoke Dan's master key Signed-off-by: Bartłomiej Piotrowski <bpiotrowski@archlinux.org> 2017-03-20 14:40:37 -06:00			`rm -rf master{,-revoked} packager{,-revoked} archlinux-{trusted,revoked}`
			`mkdir master packager master-revoked packager-revoked`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00
Rework the update process * use --refresh-keys if key is available, not --recv-keys * refresh/receive in one go 2019-01-23 14:59:37 -06:00			`# refresh/receive all keys`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00			`while read -ra data; do`
			`keyid="${data[0]}"`
			`username="${data[@]:1}"`
update-keys: use array for $GPG Embedding quotes in a string doesn't work, it just causes KEYSERVER to not be quoted at all. Signed-off-by: Christian Hesse <mail@eworm.de> 2019-08-05 16:05:17 -05:00			`if "${GPG[@]}" --list-keys ${keyid} >/dev/null &>/dev/null; then`
			`"${GPG[@]}" --refresh-keys ${keyid} &>/dev/null`
Rework the update process * use --refresh-keys if key is available, not --recv-keys * refresh/receive in one go 2019-01-23 14:59:37 -06:00			`else`
update-keys: use array for $GPG Embedding quotes in a string doesn't work, it just causes KEYSERVER to not be quoted at all. Signed-off-by: Christian Hesse <mail@eworm.de> 2019-08-05 16:05:17 -05:00			`"${GPG[@]}" --recv-keys ${keyid} &>/dev/null`
Rework the update process * use --refresh-keys if key is available, not --recv-keys * refresh/receive in one go 2019-01-23 14:59:37 -06:00			`fi`
			`done < <(cat master-keyids master-revoked-keyids packager-keyids packager-revoked-keyids)`

			`# master-keyids`
			`while read -ra data; do`
			`keyid="${data[0]}"`
			`username="${data[@]:1}"`
update-keys: use array for $GPG Embedding quotes in a string doesn't work, it just causes KEYSERVER to not be quoted at all. Signed-off-by: Christian Hesse <mail@eworm.de> 2019-08-05 16:05:17 -05:00			`"${GPG[@]}" --yes --lsign-key ${keyid} &>/dev/null`
Export with comment ... containing username and keyid 2019-10-07 06:12:53 -05:00			`"${GPG[@]}" --comment "master-key: ${username} (${keyid})" --export ${keyid} >> master/${username}.asc`
Create keyring that can be used by pacman-key --populate We also remove unused signatures from the keys to keep the history more readable 2012-03-03 11:16:04 -06:00			`echo "${keyid}:4:" >> archlinux-trusted`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00			`done < master-keyids`
update-keys: use array for $GPG Embedding quotes in a string doesn't work, it just causes KEYSERVER to not be quoted at all. Signed-off-by: Christian Hesse <mail@eworm.de> 2019-08-05 16:05:17 -05:00			`"${GPG[@]}" --import-ownertrust < archlinux-trusted 2>/dev/null`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00
Rework the update process * use --refresh-keys if key is available, not --recv-keys * refresh/receive in one go 2019-01-23 14:59:37 -06:00			`# master-revoked-keyids`
Update keyring - add keys of new Trusted Users: zorin, shibumi, archangegabriel - revoke keys of ex-TUs: flexiondotorg, dicebot - revoke Dan's master key Signed-off-by: Bartłomiej Piotrowski <bpiotrowski@archlinux.org> 2017-03-20 14:40:37 -06:00			`while read -ra data; do`
			`keyid="${data[0]}"`
			`username="${data[1]}"`
Export with comment ... containing username and keyid 2019-10-07 06:12:53 -05:00			`"${GPG[@]}" --comment "revoked master-key: ${username} (${keyid})" --export ${keyid} >> master-revoked/${username}.asc`
Revoke keys unconditionally 2017-10-17 07:01:23 -05:00			`echo "${keyid}" >> archlinux-revoked`
Update keyring - add keys of new Trusted Users: zorin, shibumi, archangegabriel - revoke keys of ex-TUs: flexiondotorg, dicebot - revoke Dan's master key Signed-off-by: Bartłomiej Piotrowski <bpiotrowski@archlinux.org> 2017-03-20 14:40:37 -06:00			`done < master-revoked-keyids`

Rework the update process * use --refresh-keys if key is available, not --recv-keys * refresh/receive in one go 2019-01-23 14:59:37 -06:00			`# packager-keyids`
Import all keys before cleaning them up 2013-06-10 07:18:32 -05:00			`while read -ra data; do`
			`keyid="${data[0]}"`
			`username="${data[@]:1}"`
update-keys: use array for $GPG Embedding quotes in a string doesn't work, it just causes KEYSERVER to not be quoted at all. Signed-off-by: Christian Hesse <mail@eworm.de> 2019-08-05 16:05:17 -05:00			`if ! "${GPG[@]}" --list-keys --with-colons ${keyid} 2>/dev/null \| grep -q '^pub:f:'; then`
update-keys: also collect keys with marginal trust 2019-10-09 09:51:15 -05:00			`echo "WARNING: key is not fully trusted: ${keyid} ${username}"`
			`"${GPG[@]}" --comment "marginal trust: ${username} (${keyid})" --export ${keyid} >> packager/${username}.asc`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00			`else`
Export with comment ... containing username and keyid 2019-10-07 06:12:53 -05:00			`"${GPG[@]}" --comment "packager: ${username} (${keyid})" --export ${keyid} >> packager/${username}.asc`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00			`fi`
			`done < packager-keyids`

Rework the update process * use --refresh-keys if key is available, not --recv-keys * refresh/receive in one go 2019-01-23 14:59:37 -06:00			`# packager-revoked-keyids`
Define a list of revoked keys Use the file packager-revoked-keyids to revoke certain keys. 2013-05-25 05:48:49 -05:00			`while read -ra data; do`
			`keyid="${data[0]}"`
			`username="${data[1]}"`
Export with comment ... containing username and keyid 2019-10-07 06:12:53 -05:00			`"${GPG[@]}" --comment "revoked packager: ${username} (${keyid})" --export ${keyid} >> packager-revoked/${username}.asc`
Revoke keys unconditionally 2017-10-17 07:01:23 -05:00			`echo "${keyid}" >> archlinux-revoked`
Define a list of revoked keys Use the file packager-revoked-keyids to revoke certain keys. 2013-05-25 05:48:49 -05:00			`done < packager-revoked-keyids`

Update keyring - add keys of new Trusted Users: zorin, shibumi, archangegabriel - revoke keys of ex-TUs: flexiondotorg, dicebot - revoke Dan's master key Signed-off-by: Bartłomiej Piotrowski <bpiotrowski@archlinux.org> 2017-03-20 14:40:37 -06:00			`cat master/.asc master-revoked/.asc packager/.asc packager-revoked/.asc > archlinux.gpg`