summaryrefslogtreecommitdiff
path: root/bin/nit-picker
diff options
context:
space:
mode:
authorErich Eckner <git@eckner.net>2019-11-05 09:10:21 +0100
committerErich Eckner <git@eckner.net>2019-11-05 09:13:32 +0100
commit5330d56ae97da42aa163d32ca709b2c2fc2e3544 (patch)
tree17347205ca13a13ee8410c974d2b4eea86aa6b65 /bin/nit-picker
parentd376187cd5c285509cbb3d205bf0689268f023a5 (diff)
downloadbuilder-5330d56ae97da42aa163d32ca709b2c2fc2e3544.tar.xz
bin/nit-picker: check expiry of keys in Keyring
Diffstat (limited to 'bin/nit-picker')
-rwxr-xr-xbin/nit-picker58
1 files changed, 57 insertions, 1 deletions
diff --git a/bin/nit-picker b/bin/nit-picker
index 2b92b84..0094a01 100755
--- a/bin/nit-picker
+++ b/bin/nit-picker
@@ -148,6 +148,21 @@ while pgrep -x ii >/dev/null \
printf ';\n'
if "${do_once_a_day_checks}"; then
+ printf 'SELECT DISTINCT'
+ printf ' "keyring",'
+ mysql_package_name_query
+ printf ' FROM `binary_packages`'
+ mysql_join_binary_packages_architectures
+ printf ' LEFT'
+ mysql_join_binary_packages_compressions
+ mysql_join_binary_packages_binary_packages_in_repositories
+ mysql_join_binary_packages_in_repositories_repositories
+ printf ' WHERE `repositories`.`is_on_master_mirror`'
+ printf ' AND `binary_packages`.`pkgname` IN ('
+ printf '"archlinux32-keyring",'
+ printf '"archlinux32-keyring-transition"'
+ printf ');\n'
+
printf 'SELECT'
printf ' "build-duration",'
printf '`build_slaves`.`name`'
@@ -322,7 +337,6 @@ while pgrep -x ii >/dev/null \
"${tmp_dir}/pkg-deps"
;;
'binary-signature')
-# TODO: check signature against keyring from package, not against installed keyring
if ! ${master_mirror_rsync_command} \
"${master_mirror_rsync_directory}/pool/${parameters}" \
"${master_mirror_rsync_directory}/pool/${parameters}.sig" \
@@ -450,6 +464,48 @@ while pgrep -x ii >/dev/null \
sleep 60
fi
;;
+ 'keyring')
+ if ! ${master_mirror_rsync_command} \
+ "${master_mirror_rsync_directory}/pool/${parameters}" \
+ "${tmp_dir}/"; then
+ rm -f "${tmp_dir}/${parameters}"
+ continue
+ fi
+ mkdir "${tmp_dir}/pkg" "${tmp_dir}/gpg-home"
+ bsdtar -C "${tmp_dir}/pkg" -xf "${tmp_dir}/${parameters}" --strip-components=4 'usr/share/pacman/keyrings'
+
+ gpg --no-permission-warning --quiet --homedir "${tmp_dir}/gpg-home" --import \
+ < "${tmp_dir}/pkg/archlinux32.gpg"
+ cut -d: -f1 "${tmp_dir}/pkg/archlinux32-trusted" \
+ | while read -r gpg_key; do
+ gpg --no-permission-warning --homedir "${tmp_dir}/gpg-home" --with-colons --list-keys "0x${gpg_key}" \
+ | grep '^pub:\|^sub:' \
+ | cut -d: -f7 \
+ | grep -vxF '' \
+ | sort -u \
+ | while read -r expiration; do
+ expiration_days=$(((expiration - $(date +%s))/24/60/60))
+ if [ ${expiration_days} -lt 100 ]; then
+ printf 'key %s (from %s) in package %s expires on %s (in %s < 100 days).\n' \
+ "${gpg_key}" \
+ "$(
+ gpg --batch --homedir "${tmp_dir}/gpg-home" --with-colons --list-keys "0x${gpg_key}" \
+ 2>/dev/null \
+ | grep '^\(uid\):' \
+ | cut -d: -f10
+ )" \
+ "${parameters}" \
+ "$(date -I -d@"${expiration}")" \
+ "${expiration_days}" \
+ | local_irc_say
+ fi
+ done
+ done
+
+ rm "${tmp_dir}/${parameters}"
+ rm -rf --one-file-system "${tmp_dir}/gpg-home" "${tmp_dir}/pkg"
+ :
+ ;;
*)
>&2 printf 'action "%s" is not yet implemented ...\n' "${action}"
;;