5cb23e4ce6
Using popd at the very end of a shell script is unnecessary, because, as the very last command, there is nothing to restore state for. Immediately after, the shell subprocess is ended, and processes don't control the cwd of the parent process. Changing the cwd for the last microsecond of the shell process, during which no commands are run, is a mildly expensive no-op. By the same measure, if popd is never used, pushd is not needed to record the old cwd. So simply use 'cd'. Signed-off-by: Christian Hesse <mail@eworm.de>
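#!/bin/bash
#
# Rebuild archlinux.gpg from the key-id lists that live next to this script.
#
# Flow: create a throw-away GnuPG home, generate a temporary master key in
# it, import the existing archlinux.gpg, fetch/refresh every listed key from
# the keyserver, locally sign the master keys and give them ownertrust, then
# export only those packager keys that GnuPG rates fully valid.  Revoked keys
# are exported minimally.  Everything exported is concatenated back into
# archlinux.gpg.
#
# Inputs  (relative to the script directory): master-keyids,
#   master-revoked-keyids, packager-keyids, packager-revoked-keyids,
#   archlinux.gpg
# Outputs (same directory): master/, master-revoked/, packager/,
#   packager-revoked/, archlinux-trusted, archlinux-revoked, archlinux.gpg
#
# Only 'set -e' is used on purpose: the packager check below pipes gpg into
# 'grep -q', which may close the pipe early and would turn 'pipefail' into a
# spurious "not fully trusted" result.

set -e

export LANG=C

TMPDIR=$(mktemp -d)
# ':?' makes the cleanup abort rather than run 'rm -rf -- /' style if the
# variable were ever empty; single quotes defer expansion to trap time.
trap 'rm -rf -- "${TMPDIR:?}"' EXIT

# NOTE(review): hkp:// is cleartext and unauthenticated.  Nothing received
# from here is trusted on its own: master keys are trusted because their ids
# are listed in master-keyids, and packager keys only through the master
# signatures checked below.  This assumes the ids in the *-keyids files are
# full fingerprints (short ids are collidable) — TODO confirm.
KEYSERVER='hkp://pool.sks-keyservers.net'

GPG=(gpg --homedir "${TMPDIR}")

# Unquoted delimiter on purpose: ${KEYSERVER} must expand into the config.
cat << __EOF__ > "${TMPDIR}"/gpg.conf
quiet
batch
no-tty
no-permission-warning
export-options no-export-attributes,export-clean
keyserver ${KEYSERVER}
armor
no-emit-version
__EOF__

#######################################
# Decide whether one list line is a key record worth processing.
# Arguments: the whitespace-split fields of the line ("${data[@]}")
# Returns:   0 for "<keyid> <username ...>", 1 for a blank line or a line
#            starting with '#'.
# Why:       a blank line leaves keyid empty, and 'gpg --export ""' would
#            then dump every key of the keyring into the output file.
#######################################
is_key_record() {
  (( $# > 0 )) && [[ $1 != \#* ]]
}

#######################################
# Export revoked keys minimally and record their ids.
# Arguments: $1 - list file ("<keyid> <username ...>" per line)
#            $2 - output directory for <username>.asc files
# Outputs:   appends to $2/<username>.asc and to ./archlinux-revoked
# Note:      the revoked lists key the output file on the FIRST username
#            token only (unlike the master/packager lists, which join the
#            whole rest of the line); kept as is because the file names are
#            committed artifacts.
#######################################
export_revoked() {
  local list=$1 outdir=$2
  local -a data
  local keyid username
  while read -ra data; do
    is_key_record "${data[@]}" || continue
    keyid=${data[0]}
    username=${data[1]}
    "${GPG[@]}" --export-options export-minimal --export "${keyid}" \
      >> "${outdir}/${username}.asc"
    printf '%s\n' "${keyid}" >> archlinux-revoked
  done < "${list}"
}

# All list files and output directories are addressed relative to the script.
cd "$(dirname "$0")"

# Temporary, unprotected, non-expiring signing key; it lives only in TMPDIR
# and is used to locally sign the master keys so the trust computation works.
"${GPG[@]}" --gen-key <<EOF
%echo Generating Arch Linux keyring temporary master key...
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Arch Linux keyring temporary master key
Name-Email: archlinux-keyring@localhost
Expire-Date: 0
%no-protection
%commit
%echo Done
EOF

"${GPG[@]}" --import < archlinux.gpg

rm -rf -- master{,-revoked} packager{,-revoked} archlinux-{trusted,revoked}
mkdir -- master packager master-revoked packager-revoked

# refresh/receive all keys: keys already present (from archlinux.gpg) are
# refreshed, unknown ones are fetched by the listed id.
while read -ra data; do
  is_key_record "${data[@]}" || continue
  keyid=${data[0]}
  if "${GPG[@]}" --list-keys "${keyid}" &>/dev/null; then
    "${GPG[@]}" --refresh-keys "${keyid}" &>/dev/null
  else
    "${GPG[@]}" --recv-keys "${keyid}" &>/dev/null
  fi
done < <(cat -- master-keyids master-revoked-keyids packager-keyids packager-revoked-keyids)

# master-keyids: strip each key down ('minimize'), sign it with the temporary
# key, export it, and list it with ownertrust value 4 (marginal in gpg's
# trustdb encoding) so that gpg's marginals-needed rule decides how many
# master signatures make a packager key fully valid.
while read -ra data; do
  is_key_record "${data[@]}" || continue
  keyid=${data[0]}
  username=${data[*]:1}
  printf 'minimize\nquit\ny\n' | "${GPG[@]}" --command-fd 0 --edit-key "${keyid}"
  "${GPG[@]}" --yes --lsign-key "${keyid}" &>/dev/null
  "${GPG[@]}" --export "${keyid}" >> "master/${username}.asc"
  printf '%s:4:\n' "${keyid}" >> archlinux-trusted
done < master-keyids
# stderr hidden intentionally: gpg reports every inserted ownertrust line.
"${GPG[@]}" --import-ownertrust < archlinux-trusted 2>/dev/null

# master-revoked-keyids
export_revoked master-revoked-keyids master-revoked

# packager-keyids: export only keys the web of trust built above rates fully
# valid ('f' in the validity field of --with-colons output).  A key that does
# not qualify is reported on stderr and left out; the build still succeeds.
while read -ra data; do
  is_key_record "${data[@]}" || continue
  keyid=${data[0]}
  username=${data[*]:1}
  if ! "${GPG[@]}" --list-keys --with-colons "${keyid}" 2>/dev/null | grep -q '^pub:f:'; then
    printf 'key is not fully trusted: %s %s\n' "${keyid}" "${username}" >&2
  else
    "${GPG[@]}" --export "${keyid}" >> "packager/${username}.asc"
  fi
done < packager-keyids

# packager-revoked-keyids
export_revoked packager-revoked-keyids packager-revoked

# Order of concatenation is part of the output format of archlinux.gpg.
cat -- master/*.asc master-revoked/*.asc packager/*.asc packager-revoked/*.asc > archlinux.gpg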