condorcore-keyring/update-keys
Christian Hesse de4326f4d4 exit immediately on error
Intermittent errors (due to broker network connectivity, key server
failure, whatever ...) could result in an incomplete keyring. So exit
immediately on error.
2017-10-19 10:47:12 +02:00

82 lines
2.4 KiB
Bash
Executable File

#!/bin/bash
set -e
export LANG=C
TMPDIR=$(mktemp -d)
trap "rm -rf '${TMPDIR}'" EXIT
KEYSERVER='hkp://pool.sks-keyservers.net'
GPG="gpg --quiet --batch --no-tty --no-permission-warning --export-options no-export-attributes --keyserver "${KEYSERVER}" --homedir ${TMPDIR}"
pushd "$(dirname "$0")" >/dev/null
$GPG --gen-key <<EOF
%echo Generating Arch Linux Keyring keychain master key...
Key-Type: RSA
Key-Length: 1024
Key-Usage: sign
Name-Real: Arch Linux Keyring Keychain Master Key
Name-Email: archlinux-keyring@localhost
Expire-Date: 0
%no-protection
%commit
%echo Done
EOF
rm -rf master{,-revoked} packager{,-revoked} archlinux-{trusted,revoked}
mkdir master packager master-revoked packager-revoked
while read -ra data; do
keyid="${data[0]}"
username="${data[@]:1}"
${GPG} --recv-keys ${keyid} &>/dev/null
printf 'minimize\nquit\ny\n' | \
${GPG} --command-fd 0 --edit-key ${keyid}
${GPG} --yes --lsign-key ${keyid} &>/dev/null
${GPG} --armor --no-emit-version --export ${keyid} >> master/${username}.asc
echo "${keyid}:4:" >> archlinux-trusted
done < master-keyids
${GPG} --import-ownertrust < archlinux-trusted 2>/dev/null
while read -ra data; do
keyid="${data[0]}"
username="${data[1]}"
${GPG} --recv-keys ${keyid} &>/dev/null
printf 'clean\nquit\ny\n' | \
${GPG} --command-fd 0 --edit-key ${keyid}
${GPG} --armor --no-emit-version --export-options export-minimal --export ${keyid} >> master-revoked/${username}.asc
echo "${keyid}" >> archlinux-revoked
done < master-revoked-keyids
while read -ra data; do
keyid="${data[0]}"
${GPG} --recv-keys ${keyid} &>/dev/null
done < packager-keyids
while read -ra data; do
keyid="${data[0]}"
username="${data[@]:1}"
printf 'clean\nquit\ny\n' | \
${GPG} --command-fd 0 --edit-key ${keyid}
if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
echo "key is not fully trusted: ${keyid} ${username}"
else
${GPG} --armor --no-emit-version --export ${keyid} >> packager/${username}.asc
fi
done < packager-keyids
while read -ra data; do
keyid="${data[0]}"
username="${data[1]}"
${GPG} --recv-keys ${keyid} &>/dev/null
printf 'clean\nquit\ny\n' | \
${GPG} --command-fd 0 --edit-key ${keyid}
${GPG} --armor --no-emit-version --export-options export-minimal --export ${keyid} >> packager-revoked/${username}.asc
echo "${keyid}" >> archlinux-revoked
done < packager-revoked-keyids
cat master/*.asc master-revoked/*.asc packager/*.asc packager-revoked/*.asc > archlinux.gpg
popd >/dev/null