condorcore-keyring/wkd_sync/archlinux-keyring-wkd-sync

#!/usr/bin/bash
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# Update all locally existing PGP keys in pacman's gnupg keyring, that are
# relevant for Arch Linux packaging using the distribution's Web Key Directory
# (WKD).
# This ensures, that new signatures on already existing keys are fetched before
# a new version of archlinux-keyring is installed. Fetching signatures early
# prevents marginal trust issues with packages that are signed by keys which
# only gain full trust when updating to a new version of archlinux-keyring in
# that same system upgrade action.

set -eu

readonly main_key_domain_match="@master-key.archlinux.org$"
readonly packager_domain_match="@archlinux.org$"
readonly homedir="$(pacman-conf GPGDir)"

domain_match=""
uid=""
gpg_locate_external=(
    # force update a key using WKD
    gpg
    --homedir
    "$homedir"
    --quiet
    --no-permission-warning
    --auto-key-locate
    "clear,nodefault,wkd"
    --locate-external-keys
)
# a list of <fingerprint> <mbox> tuples of all keys in the keyring
# e.g.:
# C7E7849466FE2358343588377258734B41C31549 dvzrv@archlinux.org
# 8FC15A064950A99DD1BD14DD39E4B877E62EB915 svenstaro@gmail.com
fingerprint_mboxes="$(
    gpg --homedir "$homedir" --no-permission-warning --list-keys --list-options show-only-fpr-mbox
)"

# a list of <fingerprints> of all revoked keys and keys that have no valid main
# key signatures
old_fingerprints="$(
    gpg --homedir "$homedir" --no-permission-warning --list-keys --with-colons |
    awk -F: '$1 == "pub" && $2 ~ /-|q|r/ { getline; print $10 }'
)"

if (( EUID != 0 )); then
     printf "This script must be run as root.\n" >&2
     exit 1
fi

# first update the main signing keys, then the packager keys
for domain_match in "$main_key_domain_match" "$packager_domain_match"; do
    while read -ra fpr_email; do
        if [[ ${fpr_email[1]} =~ $domain_match && ! "$old_fingerprints" =~ ${fpr_email[0]} ]]; then
            printf "Refreshing key %s with UID %s...\n" "${fpr_email[0]}" "${fpr_email[1]}"
            "${gpg_locate_external[@]}" "${fpr_email[1]}"
        else
            printf "Skipping key %s with UID %s...\n" "${fpr_email[0]}" "${fpr_email[1]}"
        fi
    done <<< "$fingerprint_mboxes"
done
Script to refresh existing keys of archlinux-keyring wkd_sync/archlinux-keyring-wkd-sync: Add script to refresh existing keys of archlinux-keyring on user systems based on the state of the distribution's Web Key Directory (WKD). Invalid or revoked keys are ignored. 2022-07-22 18:02:09 -05:00			`#!/usr/bin/bash`
			`#`
			`# SPDX-License-Identifier: GPL-3.0-or-later`
			`#`
			`# Update all locally existing PGP keys in pacman's gnupg keyring, that are`
			`# relevant for Arch Linux packaging using the distribution's Web Key Directory`
			`# (WKD).`
			`# This ensures, that new signatures on already existing keys are fetched before`
			`# a new version of archlinux-keyring is installed. Fetching signatures early`
			`# prevents marginal trust issues with packages that are signed by keys which`
			`# only gain full trust when updating to a new version of archlinux-keyring in`
			`# that same system upgrade action.`

			`set -eu`

			`readonly main_key_domain_match="@master-key.archlinux.org$"`
			`readonly packager_domain_match="@archlinux.org$"`
			`readonly homedir="$(pacman-conf GPGDir)"`

			`domain_match=""`
			`uid=""`
			`gpg_locate_external=(`
			`# force update a key using WKD`
			`gpg`
			`--homedir`
			`"$homedir"`
			`--quiet`
			`--no-permission-warning`
			`--auto-key-locate`
			`"clear,nodefault,wkd"`
			`--locate-external-keys`
			`)`
			`# a list of <fingerprint> <mbox> tuples of all keys in the keyring`
			`# e.g.:`
			`# C7E7849466FE2358343588377258734B41C31549 dvzrv@archlinux.org`
			`# 8FC15A064950A99DD1BD14DD39E4B877E62EB915 svenstaro@gmail.com`
			`fingerprint_mboxes="$(`
			`gpg --homedir "$homedir" --no-permission-warning --list-keys --list-options show-only-fpr-mbox`
			`)"`

			`# a list of <fingerprints> of all revoked keys and keys that have no valid main`
			`# key signatures`
			`old_fingerprints="$(`
			`gpg --homedir "$homedir" --no-permission-warning --list-keys --with-colons \|`
			`awk -F: '$1 == "pub" && $2 ~ /-\|q\|r/ { getline; print $10 }'`
			`)"`

			`if (( EUID != 0 )); then`
			`printf "This script must be run as root.\n" >&2`
			`exit 1`
			`fi`

			`# first update the main signing keys, then the packager keys`
			`for domain_match in "$main_key_domain_match" "$packager_domain_match"; do`
			`while read -ra fpr_email; do`
			`if [[ ${fpr_email[1]} =~ $domain_match && ! "$old_fingerprints" =~ ${fpr_email[0]} ]]; then`
			`printf "Refreshing key %s with UID %s...\n" "${fpr_email[0]}" "${fpr_email[1]}"`
			`"${gpg_locate_external[@]}" "${fpr_email[1]}"`
			`else`
			`printf "Skipping key %s with UID %s...\n" "${fpr_email[0]}" "${fpr_email[1]}"`
			`fi`
			`done <<< "$fingerprint_mboxes"`
			`done`