Define a list of revoked keys

Use the file packager-revoked-keyids to revoke certain keys.
This commit is contained in:
Pierre Schmitz 2013-05-25 12:48:49 +02:00
parent 73315bdda8
commit 40ea22c053
2 changed files with 21 additions and 5 deletions

packager-revoked-keyids Normal file


@ -22,8 +22,8 @@ Expire-Date: 0
%echo Done %echo Done
EOF EOF
rm -rf master packager archlinux-trusted rm -rf master packager packager-revoked archlinux-trusted archlinux-revoked
mkdir master packager mkdir master packager packager-revoked
while read -ra data; do while read -ra data; do
keyid="${data[0]}" keyid="${data[0]}"
@ -32,7 +32,7 @@ while read -ra data; do
printf 'minimize\nquit\ny\n' | \ printf 'minimize\nquit\ny\n' | \
${GPG} --command-fd 0 --edit-key ${keyid} ${GPG} --command-fd 0 --edit-key ${keyid}
${GPG} --yes --lsign-key ${keyid} &>/dev/null ${GPG} --yes --lsign-key ${keyid} &>/dev/null
${GPG} --armor --output master/${username}.asc --export ${keyid} ${GPG} --armor --no-emit-version --output master/${username}.asc --export ${keyid}
echo "${keyid}:4:" >> archlinux-trusted echo "${keyid}:4:" >> archlinux-trusted
done < master-keyids done < master-keyids
${GPG} --import-ownertrust < archlinux-trusted 2>/dev/null ${GPG} --import-ownertrust < archlinux-trusted 2>/dev/null
@ -48,10 +48,26 @@ while read -ra data; do
if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
echo "key is not fully trusted: ${keyid} ${username}" echo "key is not fully trusted: ${keyid} ${username}"
else else
${GPG} --armor --output packager/${username}.asc --export ${keyid} ${GPG} --armor --no-emit-version --output packager/${username}.asc --export ${keyid}
fi fi
done < packager-keyids done < packager-keyids
cat master/*.asc packager/*.asc > archlinux.gpg while read -ra data; do
keyid="${data[0]}"
username="${data[1]}"
${GPG} --recv-keys ${keyid} &>/dev/null
printf 'clean\nquit\ny\n' | \
${GPG} --command-fd 0 --edit-key ${keyid}
FD=$(mktemp)
exec 4>"${FD}"
if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
${GPG} --armor --no-emit-version --output packager-revoked/${username}.asc --export ${keyid}
echo "${keyid}" >> archlinux-revoked
else
echo "key is still fully trusted: ${keyid} ${username}"
fi
done < packager-revoked-keyids
cat master/*.asc packager/*.asc packager-revoked/*.asc > archlinux.gpg
popd >/dev/null popd >/dev/null
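Review bot: The new revocation loop creates a temp file and opens fd 4 on it (`FD=$(mktemp)` / `exec 4>"${FD}"`) on every iteration, but nothing in the hunk writes to fd 4, closes it, or removes the file, so each listed key leaves an empty file behind in the temp dir; unless a later part of the script outside this hunk uses fd 4, those two lines should be dropped. Separately, a key in packager-revoked-keyids that is still fully trusted only produces a stdout message and the script continues with status 0, so an intended revocation can be silently missing from archlinux-revoked and archlinux.gpg; the message should at least go to stderr, `echo "key is still fully trusted: ${keyid} ${username}" >&2`, and ideally set a failure flag the script checks before writing archlinux.gpg. The same unquoted `${keyid}` / `${username}` pattern as the existing loops is carried into the new one; quoting them would keep a malformed list line from expanding into extra gpg arguments. The `pushd` that pairs with the closing `popd` is outside the hunk.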