de4326f4d4
Intermittent errors (due to broker network connectivity, key server failure, whatever ...) could result in an incomplete keyring. So exit immediately on error.
82 lines
2.4 KiB
Bash
Executable File
82 lines
2.4 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
set -e
|
|
|
|
export LANG=C
|
|
|
|
TMPDIR=$(mktemp -d)
|
|
trap "rm -rf '${TMPDIR}'" EXIT
|
|
|
|
KEYSERVER='hkp://pool.sks-keyservers.net'
|
|
GPG="gpg --quiet --batch --no-tty --no-permission-warning --export-options no-export-attributes --keyserver "${KEYSERVER}" --homedir ${TMPDIR}"
|
|
|
|
pushd "$(dirname "$0")" >/dev/null
|
|
|
|
$GPG --gen-key <<EOF
|
|
%echo Generating Arch Linux Keyring keychain master key...
|
|
Key-Type: RSA
|
|
Key-Length: 1024
|
|
Key-Usage: sign
|
|
Name-Real: Arch Linux Keyring Keychain Master Key
|
|
Name-Email: archlinux-keyring@localhost
|
|
Expire-Date: 0
|
|
%no-protection
|
|
%commit
|
|
%echo Done
|
|
EOF
|
|
|
|
rm -rf master{,-revoked} packager{,-revoked} archlinux-{trusted,revoked}
|
|
mkdir master packager master-revoked packager-revoked
|
|
|
|
while read -ra data; do
|
|
keyid="${data[0]}"
|
|
username="${data[@]:1}"
|
|
${GPG} --recv-keys ${keyid} &>/dev/null
|
|
printf 'minimize\nquit\ny\n' | \
|
|
${GPG} --command-fd 0 --edit-key ${keyid}
|
|
${GPG} --yes --lsign-key ${keyid} &>/dev/null
|
|
${GPG} --armor --no-emit-version --export ${keyid} >> master/${username}.asc
|
|
echo "${keyid}:4:" >> archlinux-trusted
|
|
done < master-keyids
|
|
${GPG} --import-ownertrust < archlinux-trusted 2>/dev/null
|
|
|
|
while read -ra data; do
|
|
keyid="${data[0]}"
|
|
username="${data[1]}"
|
|
${GPG} --recv-keys ${keyid} &>/dev/null
|
|
printf 'clean\nquit\ny\n' | \
|
|
${GPG} --command-fd 0 --edit-key ${keyid}
|
|
${GPG} --armor --no-emit-version --export-options export-minimal --export ${keyid} >> master-revoked/${username}.asc
|
|
echo "${keyid}" >> archlinux-revoked
|
|
done < master-revoked-keyids
|
|
|
|
while read -ra data; do
|
|
keyid="${data[0]}"
|
|
${GPG} --recv-keys ${keyid} &>/dev/null
|
|
done < packager-keyids
|
|
while read -ra data; do
|
|
keyid="${data[0]}"
|
|
username="${data[@]:1}"
|
|
printf 'clean\nquit\ny\n' | \
|
|
${GPG} --command-fd 0 --edit-key ${keyid}
|
|
if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
|
|
echo "key is not fully trusted: ${keyid} ${username}"
|
|
else
|
|
${GPG} --armor --no-emit-version --export ${keyid} >> packager/${username}.asc
|
|
fi
|
|
done < packager-keyids
|
|
|
|
while read -ra data; do
|
|
keyid="${data[0]}"
|
|
username="${data[1]}"
|
|
${GPG} --recv-keys ${keyid} &>/dev/null
|
|
printf 'clean\nquit\ny\n' | \
|
|
${GPG} --command-fd 0 --edit-key ${keyid}
|
|
${GPG} --armor --no-emit-version --export-options export-minimal --export ${keyid} >> packager-revoked/${username}.asc
|
|
echo "${keyid}" >> archlinux-revoked
|
|
done < packager-revoked-keyids
|
|
|
|
cat master/*.asc master-revoked/*.asc packager/*.asc packager-revoked/*.asc > archlinux.gpg
|
|
|
|
popd >/dev/null
|