Create ephemeral keyring

keyring.sh: Create an ephemeral keyring in a temporary location, into which all public keys are imported and tested from. NOTE: import and tests are still a WIP

Create ephemeral keyring
keyring.sh: Create an ephemeral keyring in a temporary location, into which all public keys are imported and tested from. NOTE: import and tests are still a WIP
a153071e · David Runge · d74b0b0d · a153071e
Verified Commit a153071e authored May 07, 2021 by David Runge 🐿
--- a/keyring.sh
+++ b/keyring.sh
@@ -4,41 +4,80 @@

 set -eu

-# TODO: use a keyring that is assembled from the existing public keys
-homedir="/etc/pacman.d/gnupg"
+GNUPGHOME="$(mktemp -d --tmpdir archlinux-keyring-XXXXXXXXX)"
+export GNUPGHOME
+trap 'rm -rf $GNUPGHOME' EXIT INT TERM QUIT
+
 now=$(date +%s)
 # 90 days in seconds
 expiration_limit=7776000
-
 raw_key_colons=""

+import_key_from_keyserver() {
+	# import a public key from a keyserver into the keyring
+	local key_id="$1"
+	printf "Import key ID %s from key server.\n" "$key_id"
+	gpg --recv "${key_id}"
+}
+
+import_key_from_file() {
+	# import a public key from file into the keyring
+	local key_id="$1"
+	gpg --import "${key_id}"
+}
+
+import_keys_from_directory() {
+	# import keys from *.asc files in a directory
+	local directory="$1"
+	for key_file in "${directory}/"*.asc; do
+		import_key_from_file "$key_file"
+	done
+}
+
+import_ownertrust_from_file() {
+	# import ownertrust from a file
+	local _file="$1"
+	gpg --import-ownertrust < "${_file}" 2>/dev/null
+}
+
+import_keys_from_list() {
+	# import keys from a keyserver using a list of PGP key IDs from a file
+	local list="$1"
+	while read -r key; do
+		printf "Key ID: %s\n" "$key"
+		import_key_from_keyserver "$(awk '{print $1}' - <<<"$key")"
+	done < "$list"
+}

 print_key_info() {
+	# print the long format of a PGP key ID
 	local key_id="$1"
-	gpg --homedir "$homedir" --keyid-format long --list-key "$key_id" 2>/dev/null
+	gpg --keyid-format long --list-key "$key_id" 2>/dev/null
 }

-print_lint_info() {
+print_hokey_lint_info() {
+	# print the output of hokey lint for a PGP key ID
 	local key_id="$1"
-	hkt export-pubkeys "$key_id" --keyring "${homedir}/pubring.gpg" |hokey lint
+	printf "hokey lint for %s\n" "$key_id"
+	gpg --export "$key_id" | hokey lint
 }

 print_sequoia_lint_info() {
+	# print the output of sq-keyring-linter if it exits with a non-zero exit code
 	local key_id="$1"
 	set +e
-	sq-keyring-linter -q <(gpg --homedir "$homedir" --export "$key_id" 2>/dev/null)
-	if [[ $? -ne 0 ]]; then
-		sq-keyring-linter <(gpg --homedir "$homedir" --export "$key_id" 2>/dev/null)
-		print_lint_info "$key_id"
+	if ! sq-keyring-linter -q <(gpg --export "$key_id" 2>/dev/null); then
+		sq-keyring-linter <(gpg --export "$key_id" 2>/dev/null)
+		print_hokey_lint_info "$key_id"
 	fi
 	set -e
 }

 get_valid_raw_key_colons() {
-# assign list of public keys in colon representation
-# see /usr/share/doc/gnupg/DETAILS for details on the format
+	# assign list of public keys in colon representation
+	# see /usr/share/doc/gnupg/DETAILS for details on the format
 	raw_key_colons="$(
-	gpg --homedir "$homedir" --list-key --with-colons 2>/dev/null \
+		gpg --list-key --with-colons 2>/dev/null \
 		| awk -F':' \
 		'function key_type(x) {
 			if (x ~ /(pub|sub)/)
@@ -47,7 +86,7 @@ get_valid_raw_key_colons() {
 				return ""
 		}
 		function key_validity(x) {
-			if (x ~ /f/)
+			if (x !~ /(e|r)/)
 				return 1
 			else
 				return ""
@@ -66,7 +105,7 @@ get_valid_raw_key_colons() {
 }

 list_expiring_keys() {
-# list public keys, that will expire in less than 90 days
+	# list public keys, that will expire in less than 90 days
 	local expiring_keys=""
 	expiring_keys="$(awk -F':' -v now="$now" -v expiration_limit=$expiration_limit \
 	'function key_expiry(x) {
@@ -90,7 +129,7 @@ list_expiring_keys() {
 }

 list_unsafe_keys() {
-# list public keys, that are potentially unsafe or use weak algorithms
+	# list public keys, that are potentially unsafe or use weak algorithms
 	local unsafe_keys=""
 	unsafe_keys="$(awk -F':' \
 	'function key_length(x) {
@@ -130,15 +169,29 @@ list_unsafe_keys() {
 list_keyring_lint() {
 	local keys=""
 	keys="$(awk -F':' '{print $5}' <<< "$1")"
+	printf "all keys: %s\n" "$keys"
 	while read -r key_id; do
-		print_lint_info "$key_id"
+		printf "hokey lint output for %s\n" "$key_id"
+		print_hokey_lint_info "$key_id"
 	done <<< "$keys"
 	while read -r key_id; do
 		print_sequoia_lint_info "$key_id"
 	done <<< "$keys"
 }

+# WIP
+# import_keys_from_directory 'master'
+# import_key_from_file 'keyring.gpg'
+# import_ownertrust_from_file 'archlinux-trusted'
+# import_keys_from_directory 'master-revoked'
+# import_keys_from_directory 'packager'
+# import_keys_from_directory 'packager-revoked'
+# import_keys_from_list 'packager-keyids'
+# import_keys_from_list 'master-keyids'
+
 get_valid_raw_key_colons
+printf "%s\n" "$raw_key_colons"
 list_expiring_keys "$raw_key_colons"
 list_unsafe_keys "$raw_key_colons"
-list_keyring_lint "$raw_key_colons"
+# list_keyring_lint "$raw_key_colons"
+