summaryrefslogtreecommitdiff
path: root/update-keys
diff options
context:
space:
mode:
authorKevin Mihelich <kevin@archlinuxarm.org>2014-01-18 17:26:29 -0700
committerKevin Mihelich <kevin@archlinuxarm.org>2014-01-18 17:26:29 -0700
commit30a51c450efdeea9b5a59ce3400f5b5fe06d5180 (patch)
treee844915c8579e5e01596e8329a0ca552ce2c0756 /update-keys
downloadarchlinux32-keyring-30a51c450efdeea9b5a59ce3400f5b5fe06d5180.tar.xz
Initial commit
Diffstat (limited to 'update-keys')
-rwxr-xr-xupdate-keys74
1 files changed, 74 insertions, 0 deletions
diff --git a/update-keys b/update-keys
new file mode 100755
index 0000000..0c44544
--- /dev/null
+++ b/update-keys
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+export LANG=C
+
+TMPDIR=$(mktemp -d)
+trap "rm -rf '${TMPDIR}'" EXIT
+
+KEYSERVER='hkp://pgp.mit.edu'
+GPG="gpg --quiet --batch --no-tty --no-permission-warning --keyserver "${KEYSERVER}" --homedir ${TMPDIR}"
+
+pushd "$(dirname "$0")" >/dev/null
+
+$GPG --gen-key <<EOF
+%echo Generating Arch Linux ARM Keyring keychain master key...
+Key-Type: RSA
+Key-Length: 1024
+Key-Usage: sign
+Name-Real: Arch Linux ARM Keyring Keychain Master Key
+Name-Email: archlinuxarm-keyring@localhost
+Expire-Date: 0
+%commit
+%echo Done
+EOF
+
+rm -rf master packager packager-revoked archlinuxarm-trusted archlinuxarm-revoked
+mkdir master packager packager-revoked
+
+while read -ra data; do
+ keyid="${data[0]}"
+ username="${data[@]:1}"
+ ${GPG} --recv-keys ${keyid} &>/dev/null
+ printf 'minimize\nquit\ny\n' | \
+ ${GPG} --command-fd 0 --edit-key ${keyid}
+ ${GPG} --yes --lsign-key ${keyid} &>/dev/null
+ ${GPG} --armor --no-emit-version --export ${keyid} >> master/${username}.asc
+ echo "${keyid}:4:" >> archlinuxarm-trusted
+done < master-keyids
+${GPG} --import-ownertrust < archlinuxarm-trusted 2>/dev/null
+
+while read -ra data; do
+ keyid="${data[0]}"
+ ${GPG} --recv-keys ${keyid} &>/dev/null
+done < packager-keyids
+while read -ra data; do
+ keyid="${data[0]}"
+ username="${data[@]:1}"
+ printf 'clean\nquit\ny\n' | \
+ ${GPG} --command-fd 0 --edit-key ${keyid}
+ if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
+ echo "key is not fully trusted: ${keyid} ${username}"
+ else
+ ${GPG} --armor --no-emit-version --export ${keyid} >> packager/${username}.asc
+ fi
+done < packager-keyids
+
+# uncomment when we have keys to revoke
+
+#while read -ra data; do
+# keyid="${data[0]}"
+# username="${data[1]}"
+# ${GPG} --recv-keys ${keyid} &>/dev/null
+# printf 'clean\nquit\ny\n' | \
+# ${GPG} --command-fd 0 --edit-key ${keyid}
+# if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
+# ${GPG} --armor --no-emit-version --export ${keyid} >> packager-revoked/${username}.asc
+# echo "${keyid}" >> archlinuxarm-revoked
+# else
+# echo "key is still fully trusted: ${keyid} ${username}"
+# fi
+#done < packager-revoked-keyids
+
+cat master/*.asc packager/*.asc packager-revoked/*.asc > archlinuxarm.gpg
+
+popd >/dev/null