CondorCORE/condorcore-keyring
CondorCORE/condorcore-keyring
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
c4264b6784
condorcore-keyring/update-keys
Eli Schwartz c4264b6784 update-keys: move armor to gpg.conf 
This option only affects --export, and we always use armored keys.

Signed-off-by: Christian Hesse <mail@eworm.de>
2019-08-06 09:35:52 +02:00

96 lines
2.5 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
set -e
export LANG=C
TMPDIR=$(mktemp -d)
trap "rm -rf '${TMPDIR}'" EXIT
KEYSERVER='hkp://pool.sks-keyservers.net'
GPG=(gpg --homedir "${TMPDIR}")
cat << __EOF__ > "${TMPDIR}"/gpg.conf
quiet
batch
no-tty
no-permission-warning
export-options no-export-attributes,export-clean
keyserver ${KEYSERVER}
armor
no-emit-version
__EOF__
pushd "$(dirname "$0")" >/dev/null
"${GPG[@]}" --gen-key <<EOF
%echo Generating Arch Linux keyring temporary master key...
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Arch Linux keyring temporary master key
Name-Email: archlinux-keyring@localhost
Expire-Date: 0
%no-protection
%commit
%echo Done
EOF
"${GPG[@]}" --import < archlinux.gpg
rm -rf master{,-revoked} packager{,-revoked} archlinux-{trusted,revoked}
mkdir master packager master-revoked packager-revoked
# refresh/receive all keys
while read -ra data; do
keyid="${data[0]}"
username="${data[@]:1}"
if "${GPG[@]}" --list-keys ${keyid} >/dev/null &>/dev/null; then
"${GPG[@]}" --refresh-keys ${keyid} &>/dev/null
else
"${GPG[@]}" --recv-keys ${keyid} &>/dev/null
fi
done < <(cat master-keyids master-revoked-keyids packager-keyids packager-revoked-keyids)
# master-keyids
while read -ra data; do
keyid="${data[0]}"
username="${data[@]:1}"
printf 'minimize\nquit\ny\n' | "${GPG[@]}" --command-fd 0 --edit-key ${keyid}
"${GPG[@]}" --yes --lsign-key ${keyid} &>/dev/null
"${GPG[@]}" --export ${keyid} >> master/${username}.asc
echo "${keyid}:4:" >> archlinux-trusted
done < master-keyids
"${GPG[@]}" --import-ownertrust < archlinux-trusted 2>/dev/null
# master-revoked-keyids
while read -ra data; do
keyid="${data[0]}"
username="${data[1]}"
"${GPG[@]}" --export-options export-minimal --export ${keyid} >> master-revoked/${username}.asc
echo "${keyid}" >> archlinux-revoked
done < master-revoked-keyids
# packager-keyids
while read -ra data; do
keyid="${data[0]}"
username="${data[@]:1}"
if ! "${GPG[@]}" --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
echo "key is not fully trusted: ${keyid} ${username}"
else
"${GPG[@]}" --export ${keyid} >> packager/${username}.asc
fi
done < packager-keyids
# packager-revoked-keyids
while read -ra data; do
keyid="${data[0]}"
username="${data[1]}"
"${GPG[@]}" --export-options export-minimal --export ${keyid} >> packager-revoked/${username}.asc
echo "${keyid}" >> archlinux-revoked
done < packager-revoked-keyids
cat master/*.asc master-revoked/*.asc packager/*.asc packager-revoked/*.asc > archlinux.gpg
popd >/dev/null
Reference in New Issue View Git Blame Copy Permalink