Rework the update process

* use --refresh-keys if key is available, not --recv-keys
* refresh/receive in one go
Christian Hesse 2019-01-23 21:59:37 +01:00
parent a48a66dfd6
commit 0e79570527


@ -30,37 +30,42 @@ ${GPG} --import < archlinux.gpg
rm -rf master{,-revoked} packager{,-revoked} archlinux-{trusted,revoked} rm -rf master{,-revoked} packager{,-revoked} archlinux-{trusted,revoked}
mkdir master packager master-revoked packager-revoked mkdir master packager master-revoked packager-revoked
# refresh/receive all keys
while read -ra data; do while read -ra data; do
keyid="${data[0]}" keyid="${data[0]}"
username="${data[@]:1}" username="${data[@]:1}"
if ${GPG} --list-keys ${keyid} >/dev/null &>/dev/null; then
${GPG} --refresh-keys ${keyid} &>/dev/null
else
${GPG} --recv-keys ${keyid} &>/dev/null ${GPG} --recv-keys ${keyid} &>/dev/null
printf 'minimize\nquit\ny\n' | \ fi
${GPG} --command-fd 0 --edit-key ${keyid} done < <(cat master-keyids master-revoked-keyids packager-keyids packager-revoked-keyids)
# master-keyids
while read -ra data; do
keyid="${data[0]}"
username="${data[@]:1}"
printf 'minimize\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
${GPG} --yes --lsign-key ${keyid} &>/dev/null ${GPG} --yes --lsign-key ${keyid} &>/dev/null
${GPG} --armor --no-emit-version --export ${keyid} >> master/${username}.asc ${GPG} --armor --no-emit-version --export ${keyid} >> master/${username}.asc
echo "${keyid}:4:" >> archlinux-trusted echo "${keyid}:4:" >> archlinux-trusted
done < master-keyids done < master-keyids
${GPG} --import-ownertrust < archlinux-trusted 2>/dev/null ${GPG} --import-ownertrust < archlinux-trusted 2>/dev/null
# master-revoked-keyids
while read -ra data; do while read -ra data; do
keyid="${data[0]}" keyid="${data[0]}"
username="${data[1]}" username="${data[1]}"
${GPG} --recv-keys ${keyid} &>/dev/null printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
printf 'clean\nquit\ny\n' | \
${GPG} --command-fd 0 --edit-key ${keyid}
${GPG} --armor --no-emit-version --export-options export-minimal --export ${keyid} >> master-revoked/${username}.asc ${GPG} --armor --no-emit-version --export-options export-minimal --export ${keyid} >> master-revoked/${username}.asc
echo "${keyid}" >> archlinux-revoked echo "${keyid}" >> archlinux-revoked
done < master-revoked-keyids done < master-revoked-keyids
while read -ra data; do # packager-keyids
keyid="${data[0]}"
${GPG} --recv-keys ${keyid} &>/dev/null
done < packager-keyids
while read -ra data; do while read -ra data; do
keyid="${data[0]}" keyid="${data[0]}"
username="${data[@]:1}" username="${data[@]:1}"
printf 'clean\nquit\ny\n' | \ printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
${GPG} --command-fd 0 --edit-key ${keyid}
if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
echo "key is not fully trusted: ${keyid} ${username}" echo "key is not fully trusted: ${keyid} ${username}"
else else
@ -68,12 +73,11 @@ while read -ra data; do
fi fi
done < packager-keyids done < packager-keyids
# packager-revoked-keyids
while read -ra data; do while read -ra data; do
keyid="${data[0]}" keyid="${data[0]}"
username="${data[1]}" username="${data[1]}"
${GPG} --recv-keys ${keyid} &>/dev/null printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
printf 'clean\nquit\ny\n' | \
${GPG} --command-fd 0 --edit-key ${keyid}
${GPG} --armor --no-emit-version --export-options export-minimal --export ${keyid} >> packager-revoked/${username}.asc ${GPG} --armor --no-emit-version --export-options export-minimal --export ${keyid} >> packager-revoked/${username}.asc
echo "${keyid}" >> archlinux-revoked echo "${keyid}" >> archlinux-revoked
done < packager-revoked-keyids done < packager-revoked-keyids
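Review bot: The new `if ${GPG} --list-keys ${keyid} >/dev/null &>/dev/null; then` test in the first hunk stacks two redirections of stdout; `&>/dev/null` already covers both streams, so the line should read `if ${GPG} --list-keys "${keyid}" &>/dev/null; then`. Both branches then discard the exit status of `--refresh-keys` / `--recv-keys` along with their output, so a keyserver failure or an unknown id passes silently and the later `--lsign-key` / `--export` loops run against a key that never arrived, producing an empty `.asc` or an unsigned trust entry without any diagnostic; a minimal guard is `${GPG} --recv-keys "${keyid}" &>/dev/null || printf 'failed to receive %s\n' "${keyid}" >&2` on each branch. The key-id expansions stay unquoted throughout, which is harmless for hex ids but worth quoting for consistency with `"${data[0]}"` on the line above. The second hunk's header counts suggest one more line past the last visible one, so the loop it ends may continue beyond this view.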