9cbe1e1414
As the SKS infrastructure is offline for good, we need to switch to keyserver.ubuntu.com for the time being. The Ubuntu keyservers to not support EC keys, thus we have to ignore failure when refreshing keys.
99 lines
2.8 KiB
Bash
Executable File
99 lines
2.8 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
set -e
|
|
|
|
export LANG=C
|
|
|
|
TMPDIR=$(mktemp -d)
|
|
trap "rm -rf '${TMPDIR}'" EXIT
|
|
|
|
KEYSERVER='hkps://keyserver.ubuntu.com'
|
|
GPG=(gpg --homedir "${TMPDIR}")
|
|
|
|
cat << __EOF__ > "${TMPDIR}"/gpg.conf
|
|
quiet
|
|
batch
|
|
no-tty
|
|
no-permission-warning
|
|
export-options no-export-attributes,export-clean
|
|
keyserver ${KEYSERVER}
|
|
keyserver-options no-self-sigs-only
|
|
armor
|
|
no-emit-version
|
|
__EOF__
|
|
|
|
cd "$(dirname "$0")"
|
|
|
|
"${GPG[@]}" --gen-key <<EOF
|
|
%echo Generating Arch Linux keyring temporary master key...
|
|
Key-Type: RSA
|
|
Key-Length: 2048
|
|
Key-Usage: sign
|
|
Name-Real: Arch Linux keyring temporary master key
|
|
Name-Email: archlinux-keyring@localhost
|
|
Expire-Date: 0
|
|
%no-protection
|
|
%commit
|
|
%echo Done
|
|
EOF
|
|
|
|
"${GPG[@]}" --import < archlinux.gpg
|
|
|
|
rm -rf master{,-revoked} packager{,-revoked} archlinux-{trusted,revoked}
|
|
mkdir master packager master-revoked packager-revoked
|
|
|
|
# refresh/receive all keys
|
|
while read -ra data; do
|
|
keyid="${data[0]}"
|
|
username="${data[@]:1}"
|
|
if "${GPG[@]}" --list-keys ${keyid} >/dev/null &>/dev/null; then
|
|
# Ignore refresh failure; Ubuntu keyserver lacks support for EC keys
|
|
# TODO: Remove the "|| true" when the above is no longer an issue
|
|
"${GPG[@]}" --refresh-keys ${keyid} &>/dev/null || true
|
|
else
|
|
"${GPG[@]}" --recv-keys ${keyid} &>/dev/null
|
|
fi
|
|
done < <(cat master-keyids master-revoked-keyids packager-keyids packager-revoked-keyids)
|
|
|
|
# master-keyids
|
|
while read -ra data; do
|
|
keyid="${data[0]}"
|
|
username="${data[@]:1}"
|
|
"${GPG[@]}" --yes --lsign-key ${keyid} &>/dev/null
|
|
"${GPG[@]}" --comment "master-key: ${username} (${keyid})" --export ${keyid} >> master/${username}.asc
|
|
echo "${keyid}:4:" >> archlinux-trusted
|
|
done < master-keyids
|
|
"${GPG[@]}" --import-ownertrust < archlinux-trusted 2>/dev/null
|
|
|
|
# master-revoked-keyids
|
|
while read -ra data; do
|
|
keyid="${data[0]}"
|
|
username="${data[1]}"
|
|
"${GPG[@]}" --comment "revoked master-key: ${username} (${keyid})" --export ${keyid} >> master-revoked/${username}.asc
|
|
echo "${keyid}" >> archlinux-revoked
|
|
done < master-revoked-keyids
|
|
|
|
# packager-keyids
|
|
while read -ra data; do
|
|
keyid="${data[0]}"
|
|
username="${data[@]:1}"
|
|
if ! "${GPG[@]}" --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
|
|
echo "WARNING: key is not fully trusted: ${keyid} ${username}"
|
|
"${GPG[@]}" --comment "marginal trust: ${username} (${keyid})" --export ${keyid} >> packager/${username}.asc
|
|
else
|
|
"${GPG[@]}" --comment "packager: ${username} (${keyid})" --export ${keyid} >> packager/${username}.asc
|
|
fi
|
|
done < packager-keyids
|
|
|
|
# packager-revoked-keyids
|
|
while read -ra data; do
|
|
keyid="${data[0]}"
|
|
username="${data[1]}"
|
|
"${GPG[@]}" --comment "revoked packager: ${username} (${keyid})" --export ${keyid} >> packager-revoked/${username}.asc
|
|
echo "${keyid}" >> archlinux-revoked
|
|
done < packager-revoked-keyids
|
|
|
|
cat master/*.asc master-revoked/*.asc packager/*.asc packager-revoked/*.asc > archlinux.gpg
|