condorcore-keyring/update-keys
Christian Hesse 9cbe1e1414
update-keys: switch to keyserver keyserver.ubuntu.com
As the SKS infrastructure is offline for good, we need to switch to
keyserver.ubuntu.com for the time being.

The Ubuntu keyservers to not support EC keys, thus we have to ignore
failure when refreshing keys.
2021-08-02 13:23:39 +02:00

99 lines
2.8 KiB
Bash
Executable File

#!/bin/bash
#
# SPDX-License-Identifier: GPL-3.0-or-later
set -e
export LANG=C
TMPDIR=$(mktemp -d)
trap "rm -rf '${TMPDIR}'" EXIT
KEYSERVER='hkps://keyserver.ubuntu.com'
GPG=(gpg --homedir "${TMPDIR}")
cat << __EOF__ > "${TMPDIR}"/gpg.conf
quiet
batch
no-tty
no-permission-warning
export-options no-export-attributes,export-clean
keyserver ${KEYSERVER}
keyserver-options no-self-sigs-only
armor
no-emit-version
__EOF__
cd "$(dirname "$0")"
"${GPG[@]}" --gen-key <<EOF
%echo Generating Arch Linux keyring temporary master key...
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Arch Linux keyring temporary master key
Name-Email: archlinux-keyring@localhost
Expire-Date: 0
%no-protection
%commit
%echo Done
EOF
"${GPG[@]}" --import < archlinux.gpg
rm -rf master{,-revoked} packager{,-revoked} archlinux-{trusted,revoked}
mkdir master packager master-revoked packager-revoked
# refresh/receive all keys
while read -ra data; do
keyid="${data[0]}"
username="${data[@]:1}"
if "${GPG[@]}" --list-keys ${keyid} >/dev/null &>/dev/null; then
# Ignore refresh failure; Ubuntu keyserver lacks support for EC keys
# TODO: Remove the "|| true" when the above is no longer an issue
"${GPG[@]}" --refresh-keys ${keyid} &>/dev/null || true
else
"${GPG[@]}" --recv-keys ${keyid} &>/dev/null
fi
done < <(cat master-keyids master-revoked-keyids packager-keyids packager-revoked-keyids)
# master-keyids
while read -ra data; do
keyid="${data[0]}"
username="${data[@]:1}"
"${GPG[@]}" --yes --lsign-key ${keyid} &>/dev/null
"${GPG[@]}" --comment "master-key: ${username} (${keyid})" --export ${keyid} >> master/${username}.asc
echo "${keyid}:4:" >> archlinux-trusted
done < master-keyids
"${GPG[@]}" --import-ownertrust < archlinux-trusted 2>/dev/null
# master-revoked-keyids
while read -ra data; do
keyid="${data[0]}"
username="${data[1]}"
"${GPG[@]}" --comment "revoked master-key: ${username} (${keyid})" --export ${keyid} >> master-revoked/${username}.asc
echo "${keyid}" >> archlinux-revoked
done < master-revoked-keyids
# packager-keyids
while read -ra data; do
keyid="${data[0]}"
username="${data[@]:1}"
if ! "${GPG[@]}" --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
echo "WARNING: key is not fully trusted: ${keyid} ${username}"
"${GPG[@]}" --comment "marginal trust: ${username} (${keyid})" --export ${keyid} >> packager/${username}.asc
else
"${GPG[@]}" --comment "packager: ${username} (${keyid})" --export ${keyid} >> packager/${username}.asc
fi
done < packager-keyids
# packager-revoked-keyids
while read -ra data; do
keyid="${data[0]}"
username="${data[1]}"
"${GPG[@]}" --comment "revoked packager: ${username} (${keyid})" --export ${keyid} >> packager-revoked/${username}.asc
echo "${keyid}" >> archlinux-revoked
done < packager-revoked-keyids
cat master/*.asc master-revoked/*.asc packager/*.asc packager-revoked/*.asc > archlinux.gpg