condorcore-keyring/update-keys

#!/bin/bash

set -e

export LANG=C

TMPDIR=$(mktemp -d)
trap "rm -rf '${TMPDIR}'" EXIT

KEYSERVER='hkp://pool.sks-keyservers.net'
GPG="gpg --quiet --batch --no-tty --no-permission-warning --export-options no-export-attributes --keyserver "${KEYSERVER}" --homedir ${TMPDIR}"

pushd "$(dirname "$0")" >/dev/null

$GPG --gen-key <<EOF
%echo Generating Arch Linux keyring temporary master key...
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Arch Linux keyring temporary master key
Name-Email: archlinux-keyring@localhost
Expire-Date: 0
%no-protection
%commit
%echo Done
EOF

${GPG} --import < archlinux.gpg

rm -rf master{,-revoked} packager{,-revoked} archlinux-{trusted,revoked}
mkdir master packager master-revoked packager-revoked

# refresh/receive all keys
while read -ra data; do
	keyid="${data[0]}"
	username="${data[@]:1}"
	if ${GPG} --list-keys ${keyid} >/dev/null &>/dev/null; then
		${GPG} --refresh-keys ${keyid} &>/dev/null
	else
		${GPG} --recv-keys ${keyid} &>/dev/null
	fi
done < <(cat master-keyids master-revoked-keyids packager-keyids packager-revoked-keyids)

# master-keyids
while read -ra data; do
	keyid="${data[0]}"
	username="${data[@]:1}"
	printf 'minimize\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
	${GPG} --yes --lsign-key ${keyid} &>/dev/null
	${GPG} --armor --no-emit-version --export ${keyid} >> master/${username}.asc
	echo "${keyid}:4:" >> archlinux-trusted
done < master-keyids
${GPG} --import-ownertrust < archlinux-trusted 2>/dev/null

# master-revoked-keyids
while read -ra data; do
	keyid="${data[0]}"
	username="${data[1]}"
	printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
	${GPG} --armor --no-emit-version --export-options export-minimal --export ${keyid} >> master-revoked/${username}.asc
	echo "${keyid}" >> archlinux-revoked
done < master-revoked-keyids

# packager-keyids
while read -ra data; do
	keyid="${data[0]}"
	username="${data[@]:1}"
	printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
	if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
		echo "key is not fully trusted: ${keyid} ${username}"
	else
		${GPG} --armor --no-emit-version --export ${keyid} >> packager/${username}.asc
	fi
done < packager-keyids

# packager-revoked-keyids
while read -ra data; do
	keyid="${data[0]}"
	username="${data[1]}"
	printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
	${GPG} --armor --no-emit-version --export-options export-minimal --export ${keyid} >> packager-revoked/${username}.asc
	echo "${keyid}" >> archlinux-revoked
done < packager-revoked-keyids

cat master/*.asc master-revoked/*.asc packager/*.asc packager-revoked/*.asc > archlinux.gpg

popd >/dev/null
Add keyid lists and update script * The keyid lists are retreived from archweb * The update script can be run to refresh all keys 2012-02-12 10:04:59 -06:00			`#!/bin/bash`

exit immediately on error Intermittent errors (due to broker network connectivity, key server failure, whatever ...) could result in an incomplete keyring. So exit immediately on error. 2017-10-19 03:47:12 -05:00			`set -e`

Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00			`export LANG=C`

Add keyid lists and update script * The keyid lists are retreived from archweb * The update script can be run to refresh all keys 2012-02-12 10:04:59 -06:00			`TMPDIR=$(mktemp -d)`
			`trap "rm -rf '${TMPDIR}'" EXIT`

Use more reliable default keyserver; same as in pacman >= 4.0.3 2012-04-07 11:38:26 -05:00			`KEYSERVER='hkp://pool.sks-keyservers.net'`
Do not export attribute user IDs (photo IDs) There's no need to have images in pacman keyring... Signed-off-by: Christian Hesse <mail@eworm.de> 2017-10-17 04:57:02 -05:00			`GPG="gpg --quiet --batch --no-tty --no-permission-warning --export-options no-export-attributes --keyserver "${KEYSERVER}" --homedir ${TMPDIR}"`
Add keyid lists and update script * The keyid lists are retreived from archweb * The update script can be run to refresh all keys 2012-02-12 10:04:59 -06:00
			`pushd "$(dirname "$0")" >/dev/null`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00
			`$GPG --gen-key <<EOF`
Modify the temporary master key generation 2019-01-23 16:12:15 -06:00			`%echo Generating Arch Linux keyring temporary master key...`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00			`Key-Type: RSA`
Modify the temporary master key generation 2019-01-23 16:12:15 -06:00			`Key-Length: 2048`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00			`Key-Usage: sign`
Modify the temporary master key generation 2019-01-23 16:12:15 -06:00			`Name-Real: Arch Linux keyring temporary master key`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00			`Name-Email: archlinux-keyring@localhost`
			`Expire-Date: 0`
GPG 2.1 compatibility 2015-02-07 03:28:34 -06:00			`%no-protection`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00			`%commit`
			`%echo Done`
			`EOF`

Import archlinux.gpg into the temporary keyring This makes sure we do not loose signatures depending on key server used. 2019-01-23 03:27:58 -06:00			`${GPG} --import < archlinux.gpg`

Update keyring - add keys of new Trusted Users: zorin, shibumi, archangegabriel - revoke keys of ex-TUs: flexiondotorg, dicebot - revoke Dan's master key Signed-off-by: Bartłomiej Piotrowski <bpiotrowski@archlinux.org> 2017-03-20 14:40:37 -06:00			`rm -rf master{,-revoked} packager{,-revoked} archlinux-{trusted,revoked}`
			`mkdir master packager master-revoked packager-revoked`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00
Rework the update process * use --refresh-keys if key is available, not --recv-keys * refresh/receive in one go 2019-01-23 14:59:37 -06:00			`# refresh/receive all keys`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00			`while read -ra data; do`
			`keyid="${data[0]}"`
			`username="${data[@]:1}"`
Rework the update process * use --refresh-keys if key is available, not --recv-keys * refresh/receive in one go 2019-01-23 14:59:37 -06:00			`if ${GPG} --list-keys ${keyid} >/dev/null &>/dev/null; then`
			`${GPG} --refresh-keys ${keyid} &>/dev/null`
			`else`
			`${GPG} --recv-keys ${keyid} &>/dev/null`
			`fi`
			`done < <(cat master-keyids master-revoked-keyids packager-keyids packager-revoked-keyids)`

			`# master-keyids`
			`while read -ra data; do`
			`keyid="${data[0]}"`
			`username="${data[@]:1}"`
			`printf 'minimize\nquit\ny\n' \| ${GPG} --command-fd 0 --edit-key ${keyid}`
Simplify/cleanup update script 2012-03-31 10:40:22 -06:00			`${GPG} --yes --lsign-key ${keyid} &>/dev/null`
Support multiple keys per username 2013-09-26 15:55:57 -05:00			`${GPG} --armor --no-emit-version --export ${keyid} >> master/${username}.asc`
Create keyring that can be used by pacman-key --populate We also remove unused signatures from the keys to keep the history more readable 2012-03-03 11:16:04 -06:00			`echo "${keyid}:4:" >> archlinux-trusted`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00			`done < master-keyids`
Simplify/cleanup update script 2012-03-31 10:40:22 -06:00			`${GPG} --import-ownertrust < archlinux-trusted 2>/dev/null`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00
Rework the update process * use --refresh-keys if key is available, not --recv-keys * refresh/receive in one go 2019-01-23 14:59:37 -06:00			`# master-revoked-keyids`
Update keyring - add keys of new Trusted Users: zorin, shibumi, archangegabriel - revoke keys of ex-TUs: flexiondotorg, dicebot - revoke Dan's master key Signed-off-by: Bartłomiej Piotrowski <bpiotrowski@archlinux.org> 2017-03-20 14:40:37 -06:00			`while read -ra data; do`
			`keyid="${data[0]}"`
			`username="${data[1]}"`
Rework the update process * use --refresh-keys if key is available, not --recv-keys * refresh/receive in one go 2019-01-23 14:59:37 -06:00			`printf 'clean\nquit\ny\n' \| ${GPG} --command-fd 0 --edit-key ${keyid}`
Revoke keys unconditionally 2017-10-17 07:01:23 -05:00			`${GPG} --armor --no-emit-version --export-options export-minimal --export ${keyid} >> master-revoked/${username}.asc`
			`echo "${keyid}" >> archlinux-revoked`
Update keyring - add keys of new Trusted Users: zorin, shibumi, archangegabriel - revoke keys of ex-TUs: flexiondotorg, dicebot - revoke Dan's master key Signed-off-by: Bartłomiej Piotrowski <bpiotrowski@archlinux.org> 2017-03-20 14:40:37 -06:00			`done < master-revoked-keyids`

Rework the update process * use --refresh-keys if key is available, not --recv-keys * refresh/receive in one go 2019-01-23 14:59:37 -06:00			`# packager-keyids`
Import all keys before cleaning them up 2013-06-10 07:18:32 -05:00			`while read -ra data; do`
			`keyid="${data[0]}"`
			`username="${data[@]:1}"`
Rework the update process * use --refresh-keys if key is available, not --recv-keys * refresh/receive in one go 2019-01-23 14:59:37 -06:00			`printf 'clean\nquit\ny\n' \| ${GPG} --command-fd 0 --edit-key ${keyid}`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00			`if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null \| grep -q '^pub:f:'; then`
			`echo "key is not fully trusted: ${keyid} ${username}"`
			`else`
Support multiple keys per username 2013-09-26 15:55:57 -05:00			`${GPG} --armor --no-emit-version --export ${keyid} >> packager/${username}.asc`
Verify packager keys using the master keys The update script creates key files for master keys and all developers with fully trusted keys. 2012-02-12 15:42:01 -06:00			`fi`
			`done < packager-keyids`

Rework the update process * use --refresh-keys if key is available, not --recv-keys * refresh/receive in one go 2019-01-23 14:59:37 -06:00			`# packager-revoked-keyids`
Define a list of revoked keys Use the file packager-revoked-keyids to revoke certain keys. 2013-05-25 05:48:49 -05:00			`while read -ra data; do`
			`keyid="${data[0]}"`
			`username="${data[1]}"`
Rework the update process * use --refresh-keys if key is available, not --recv-keys * refresh/receive in one go 2019-01-23 14:59:37 -06:00			`printf 'clean\nquit\ny\n' \| ${GPG} --command-fd 0 --edit-key ${keyid}`
Revoke keys unconditionally 2017-10-17 07:01:23 -05:00			`${GPG} --armor --no-emit-version --export-options export-minimal --export ${keyid} >> packager-revoked/${username}.asc`
			`echo "${keyid}" >> archlinux-revoked`
Define a list of revoked keys Use the file packager-revoked-keyids to revoke certain keys. 2013-05-25 05:48:49 -05:00			`done < packager-revoked-keyids`

Update keyring - add keys of new Trusted Users: zorin, shibumi, archangegabriel - revoke keys of ex-TUs: flexiondotorg, dicebot - revoke Dan's master key Signed-off-by: Bartłomiej Piotrowski <bpiotrowski@archlinux.org> 2017-03-20 14:40:37 -06:00			`cat master/.asc master-revoked/.asc packager/.asc packager-revoked/.asc > archlinux.gpg`
Create keyring that can be used by pacman-key --populate We also remove unused signatures from the keys to keep the history more readable 2012-03-03 11:16:04 -06:00
Add keyid lists and update script * The keyid lists are retreived from archweb * The update script can be run to refresh all keys 2012-02-12 10:04:59 -06:00			`popd >/dev/null`