From 40ea22c0535beb79e5809b0e41e6e072eee2b3bb Mon Sep 17 00:00:00 2001
From: Pierre Schmitz
Date: Sat, 25 May 2013 12:48:49 +0200
Subject: [PATCH] Define a list of revoked keys

Use the file packager-revoked-keyids to revoke certain keys.
---
 packager-revoked-keyids | 0
 update-keys | 26 +++++++++++++++++++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)
 create mode 100644 packager-revoked-keyids

diff --git a/packager-revoked-keyids b/packager-revoked-keyids
new file mode 100644
index 0000000..e69de29
diff --git a/update-keys b/update-keys
index 71c4ca6..ca60170 100755
--- a/update-keys
+++ b/update-keys
@@ -22,8 +22,8 @@ Expire-Date: 0
 %echo Done
 EOF
-rm -rf master packager archlinux-trusted
-mkdir master packager
+rm -rf master packager packager-revoked archlinux-trusted archlinux-revoked
+mkdir master packager packager-revoked
 while read -ra data; do
 keyid="${data[0]}"
@@ -32,7 +32,7 @@ while read -ra data; do
 printf 'minimize\nquit\ny\n' | \
 ${GPG} --command-fd 0 --edit-key ${keyid}
 ${GPG} --yes --lsign-key ${keyid} &>/dev/null
- ${GPG} --armor --output master/${username}.asc --export ${keyid}
+ ${GPG} --armor --no-emit-version --output master/${username}.asc --export ${keyid}
 echo "${keyid}:4:" >> archlinux-trusted
 done < master-keyids
 ${GPG} --import-ownertrust < archlinux-trusted 2>/dev/null
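Review bot: `archlinux-revoked` is now deleted by the `rm -rf` line in the first `update-keys` hunk, but the only thing that recreates it is the `>>` append inside the revocation loop added later in this patch. With the empty `packager-revoked-keyids` this commit creates, a run therefore leaves no `archlinux-revoked` file at all. If anything downstream installs or reads that file unconditionally (not visible here), creating it explicitly right after the `mkdir` line, e.g. `: > archlinux-revoked`, keeps the set of generated files the same whether or not any key is listed.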
@@ -48,10 +48,26 @@ while read -ra data; do
 if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
 echo "key is not fully trusted: ${keyid} ${username}"
 else
- ${GPG} --armor --output packager/${username}.asc --export ${keyid}
+ ${GPG} --armor --no-emit-version --output packager/${username}.asc --export ${keyid}
 fi
 done < packager-keyids
-cat master/*.asc packager/*.asc > archlinux.gpg
+while read -ra data; do
+ keyid="${data[0]}"
+ username="${data[1]}"
+ ${GPG} --recv-keys ${keyid} &>/dev/null
+ printf 'clean\nquit\ny\n' | \
+ ${GPG} --command-fd 0 --edit-key ${keyid}
+ FD=$(mktemp)
+ exec 4>"${FD}"
+ if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
+ ${GPG} --armor --no-emit-version --output packager-revoked/${username}.asc --export ${keyid}
+ echo "${keyid}" >> archlinux-revoked
+ else
+ echo "key is still fully trusted: ${keyid} ${username}"
+ fi
+done < packager-revoked-keyids
+
+cat master/*.asc packager/*.asc packager-revoked/*.asc > archlinux.gpg
 popd >/dev/null
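Review bot: The added lines `FD=$(mktemp)` and `exec 4>"${FD}"` in the revoked-key loop create a fresh temp file and re-point descriptor 4 at it on every iteration, but nothing in the hunk writes to fd 4, closes it or deletes the file, so each run leaves one stray temp file per listed key. Unless something outside the hunk depends on fd 4, drop both lines; if they are needed, open the file once before the loop and remove it in an `EXIT` trap. Separately, `packager-revoked-keyids` is added empty by this commit, so `packager-revoked/*.asc` in the final `cat` matches nothing and is passed through as a literal path, which makes `cat` report a missing file and exit non-zero on a default run; setting `shopt -s nullglob` before that `cat` avoids it. Because the output and status of `--recv-keys` are discarded, a key that could not be fetched also takes the "not fully trusted" branch and is appended to `archlinux-revoked` with nothing exported, so a message on a failed fetch would make that case visible in the run log.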