diff options
Diffstat (limited to 'update-keys')
| -rwxr-xr-x | update-keys | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/update-keys b/update-keys new file mode 100755 index 0000000..0c44544 --- /dev/null +++ b/update-keys @@ -0,0 +1,74 @@ +#!/bin/bash + +export LANG=C + +TMPDIR=$(mktemp -d) +trap "rm -rf '${TMPDIR}'" EXIT + +KEYSERVER='hkp://pgp.mit.edu' +GPG="gpg --quiet --batch --no-tty --no-permission-warning --keyserver "${KEYSERVER}" --homedir ${TMPDIR}" + +pushd "$(dirname "$0")" >/dev/null + +$GPG --gen-key <<EOF +%echo Generating Arch Linux ARM Keyring keychain master key... +Key-Type: RSA +Key-Length: 1024 +Key-Usage: sign +Name-Real: Arch Linux ARM Keyring Keychain Master Key +Name-Email: archlinuxarm-keyring@localhost +Expire-Date: 0 +%commit +%echo Done +EOF + +rm -rf master packager packager-revoked archlinuxarm-trusted archlinuxarm-revoked +mkdir master packager packager-revoked + +while read -ra data; do + keyid="${data[0]}" + username="${data[@]:1}" + ${GPG} --recv-keys ${keyid} &>/dev/null + printf 'minimize\nquit\ny\n' | \ + ${GPG} --command-fd 0 --edit-key ${keyid} + ${GPG} --yes --lsign-key ${keyid} &>/dev/null + ${GPG} --armor --no-emit-version --export ${keyid} >> master/${username}.asc + echo "${keyid}:4:" >> archlinuxarm-trusted +done < master-keyids +${GPG} --import-ownertrust < archlinuxarm-trusted 2>/dev/null + +while read -ra data; do + keyid="${data[0]}" + ${GPG} --recv-keys ${keyid} &>/dev/null +done < packager-keyids +while read -ra data; do + keyid="${data[0]}" + username="${data[@]:1}" + printf 'clean\nquit\ny\n' | \ + ${GPG} --command-fd 0 --edit-key ${keyid} + if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then + echo "key is not fully trusted: ${keyid} ${username}" + else + ${GPG} --armor --no-emit-version --export ${keyid} >> packager/${username}.asc + fi +done < packager-keyids + +# uncomment when we have keys to revoke + +#while read -ra data; do +# keyid="${data[0]}" +# username="${data[1]}" +# ${GPG} --recv-keys ${keyid} &>/dev/null +# printf 'clean\nquit\ny\n' | \ +# ${GPG} --command-fd 0 --edit-key ${keyid} +# if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then +# ${GPG} --armor --no-emit-version --export ${keyid} >> packager-revoked/${username}.asc +# echo "${keyid}" >> archlinuxarm-revoked +# else +# echo "key is still fully trusted: ${keyid} ${username}" +# fi +#done < packager-revoked-keyids + +cat master/*.asc packager/*.asc packager-revoked/*.asc > archlinuxarm.gpg + +popd >/dev/null |