Script to refresh existing keys of archlinux-keyring

wkd_sync/archlinux-keyring-wkd-sync: Add script to refresh existing keys of archlinux-keyring on user systems based on the state of the distribution's Web Key Directory (WKD). Invalid or revoked keys are ignored.

Script to refresh existing keys of archlinux-keyring
e5a2665a · David Runge · 11c500a1 · e5a2665a
Verified Commit e5a2665a authored 2 years ago by David Runge
--- a/wkd_sync/archlinux-keyring-wkd-sync
+++ b/wkd_sync/archlinux-keyring-wkd-sync
+#!/usr/bin/bash
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# Update all locally existing PGP keys in pacman's gnupg keyring, that are
+# relevant for Arch Linux packaging using the distribution's Web Key Directory
+# (WKD).
+# This ensures, that new signatures on already existing keys are fetched before
+# a new version of archlinux-keyring is installed. Fetching signatures early
+# prevents marginal trust issues with packages that are signed by keys which
+# only gain full trust when updating to a new version of archlinux-keyring in
+# that same system upgrade action.
+
+set -eu
+
+readonly main_key_domain_match="@master-key.archlinux.org$"
+readonly packager_domain_match="@archlinux.org$"
+readonly homedir="$(pacman-conf GPGDir)"
+
+domain_match=""
+uid=""
+gpg_locate_external=(
+    # force update a key using WKD
+    gpg
+    --homedir
+    "$homedir"
+    --quiet
+    --no-permission-warning
+    --auto-key-locate
+    "clear,nodefault,wkd"
+    --locate-external-keys
+)
+# a list of <fingerprint> <mbox> tuples of all keys in the keyring
+# e.g.:
+# C7E7849466FE2358343588377258734B41C31549 dvzrv@archlinux.org
+# 8FC15A064950A99DD1BD14DD39E4B877E62EB915 svenstaro@gmail.com
+fingerprint_mboxes="$(
+    gpg --homedir "$homedir" --no-permission-warning --list-keys --list-options show-only-fpr-mbox
+)"
+
+# a list of <fingerprints> of all revoked keys and keys that have no valid main
+# key signatures
+old_fingerprints="$(
+    gpg --homedir "$homedir" --no-permission-warning --list-keys --with-colons |
+    awk -F: '$1 == "pub" && $2 ~ /-|q|r/ { getline; print $10 }'
+)"
+
+if (( EUID != 0 )); then
+     printf "This script must be run as root.\n" >&2
+     exit 1
+fi
+
+# first update the main signing keys, then the packager keys
+for domain_match in "$main_key_domain_match" "$packager_domain_match"; do
+    while read -ra fpr_email; do
+        if [[ ${fpr_email[1]} =~ $domain_match && ! "$old_fingerprints" =~ ${fpr_email[0]} ]]; then
+            printf "Refreshing key %s with UID %s...\n" "${fpr_email[0]}" "${fpr_email[1]}"
+            "${gpg_locate_external[@]}" "${fpr_email[1]}"
+        else
+            printf "Skipping key %s with UID %s...\n" "${fpr_email[0]}" "${fpr_email[1]}"
+        fi
+    done <<< "$fingerprint_mboxes"
+done