From 5330d56ae97da42aa163d32ca709b2c2fc2e3544 Mon Sep 17 00:00:00 2001
From: Erich Eckner <git@eckner.net>
Date: Tue, 5 Nov 2019 09:10:21 +0100
Subject: bin/nit-picker: check expiry of keys in Keyring

---
 bin/nit-picker | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 57 insertions(+), 1 deletion(-)

(limited to 'bin/nit-picker')

diff --git a/bin/nit-picker b/bin/nit-picker
index 2b92b84..0094a01 100755
--- a/bin/nit-picker
+++ b/bin/nit-picker
@@ -148,6 +148,21 @@ while pgrep -x ii >/dev/null \
         printf ';\n'
 
         if "${do_once_a_day_checks}"; then
+          printf 'SELECT DISTINCT'
+          printf ' "keyring",'
+          mysql_package_name_query
+          printf ' FROM `binary_packages`'
+          mysql_join_binary_packages_architectures
+          printf ' LEFT'
+          mysql_join_binary_packages_compressions
+          mysql_join_binary_packages_binary_packages_in_repositories
+          mysql_join_binary_packages_in_repositories_repositories
+          printf ' WHERE `repositories`.`is_on_master_mirror`'
+          printf ' AND `binary_packages`.`pkgname` IN ('
+            printf '"archlinux32-keyring",'
+            printf '"archlinux32-keyring-transition"'
+          printf ');\n'
+
           printf 'SELECT'
           printf ' "build-duration",'
           printf '`build_slaves`.`name`'
@@ -322,7 +337,6 @@ while pgrep -x ii >/dev/null \
             "${tmp_dir}/pkg-deps"
         ;;
         'binary-signature')
-# TODO: check signature against keyring from package, not against installed keyring
           if ! ${master_mirror_rsync_command} \
             "${master_mirror_rsync_directory}/pool/${parameters}" \
             "${master_mirror_rsync_directory}/pool/${parameters}.sig" \
@@ -450,6 +464,48 @@ while pgrep -x ii >/dev/null \
             sleep 60
           fi
         ;;
+        'keyring')
+          if ! ${master_mirror_rsync_command} \
+            "${master_mirror_rsync_directory}/pool/${parameters}" \
+            "${tmp_dir}/"; then
+            rm -f "${tmp_dir}/${parameters}"
+            continue
+          fi
+          mkdir "${tmp_dir}/pkg" "${tmp_dir}/gpg-home"
+          bsdtar -C "${tmp_dir}/pkg" -xf "${tmp_dir}/${parameters}" --strip-components=4 'usr/share/pacman/keyrings'
+
+          gpg --no-permission-warning --quiet --homedir "${tmp_dir}/gpg-home" --import \
+          < "${tmp_dir}/pkg/archlinux32.gpg"
+          cut -d: -f1 "${tmp_dir}/pkg/archlinux32-trusted" \
+          | while read -r gpg_key; do
+            gpg --no-permission-warning --homedir "${tmp_dir}/gpg-home" --with-colons --list-keys "0x${gpg_key}" \
+            | grep '^pub:\|^sub:' \
+            | cut -d: -f7 \
+            | grep -vxF '' \
+            | sort -u \
+            | while read -r expiration; do
+              expiration_days=$(((expiration - $(date +%s))/24/60/60))
+              if [ ${expiration_days} -lt 100 ]; then
+                printf 'key %s (from %s) in package %s expires on %s (in %s < 100 days).\n' \
+                "${gpg_key}" \
+                "$(
+                  gpg --batch --homedir "${tmp_dir}/gpg-home" --with-colons --list-keys "0x${gpg_key}" \
+                  2>/dev/null \
+                  | grep '^\(uid\):' \
+                  | cut -d: -f10
+                )" \
+                "${parameters}" \
+                "$(date -I -d@"${expiration}")" \
+                "${expiration_days}" \
+                | local_irc_say
+              fi
+            done
+          done
+
+          rm "${tmp_dir}/${parameters}"
+          rm -rf --one-file-system "${tmp_dir}/gpg-home" "${tmp_dir}/pkg"
+          :
+        ;;
         *)
           >&2 printf 'action "%s" is not yet implemented ...\n' "${action}"
         ;;
-- 
cgit v1.2.3-54-g00ecf