Verified Commit a153071e authored by David Runge's avatar David Runge

Create ephemeral keyring

keyring.sh:
Create an ephemeral keyring in a temporary location, into which all
public keys are imported and from which they are tested.

NOTE: import and tests are still a WIP
parent d74b0b0d
......@@ -4,41 +4,80 @@
set -eu
# TODO: use a keyring that is assembled from the existing public keys
homedir="/etc/pacman.d/gnupg"
GNUPGHOME="$(mktemp -d --tmpdir archlinux-keyring-XXXXXXXXX)"
export GNUPGHOME
trap 'rm -rf $GNUPGHOME' EXIT INT TERM QUIT
now=$(date +%s)
# 90 days in seconds
expiration_limit=7776000
raw_key_colons=""
import_key_from_keyserver() {
# import a public key from a keyserver into the keyring
local key_id="$1"
printf "Import key ID %s from key server.\n" "$key_id"
gpg --recv "${key_id}"
}
import_key_from_file() {
# import a public key from file into the keyring
local key_id="$1"
gpg --import "${key_id}"
}
import_keys_from_directory() {
# import keys from *.asc files in a directory
local directory="$1"
for key_file in "${directory}/"*.asc; do
import_key_from_file "$key_file"
done
}
import_ownertrust_from_file() {
# import ownertrust from a file
local _file="$1"
gpg --import-ownertrust < "${_file}" 2>/dev/null
}
import_keys_from_list() {
# import keys from a keyserver using a list of PGP key IDs from a file
local list="$1"
while read -r key; do
printf "Key ID: %s\n" "$key"
import_key_from_keyserver "$(awk '{print $1}' - <<<"$key")"
done < "$list"
}
print_key_info() {
# print the long format of a PGP key ID
local key_id="$1"
gpg --homedir "$homedir" --keyid-format long --list-key "$key_id" 2>/dev/null
gpg --keyid-format long --list-key "$key_id" 2>/dev/null
}
print_lint_info() {
print_hokey_lint_info() {
# print the output of hokey lint for a PGP key ID
local key_id="$1"
hkt export-pubkeys "$key_id" --keyring "${homedir}/pubring.gpg" |hokey lint
printf "hokey lint for %s\n" "$key_id"
gpg --export "$key_id" | hokey lint
}
print_sequoia_lint_info() {
# print the output of sq-keyring-linter if it exits with a non-zero exit code
local key_id="$1"
set +e
sq-keyring-linter -q <(gpg --homedir "$homedir" --export "$key_id" 2>/dev/null)
if [[ $? -ne 0 ]]; then
sq-keyring-linter <(gpg --homedir "$homedir" --export "$key_id" 2>/dev/null)
print_lint_info "$key_id"
if ! sq-keyring-linter -q <(gpg --export "$key_id" 2>/dev/null); then
sq-keyring-linter <(gpg --export "$key_id" 2>/dev/null)
print_hokey_lint_info "$key_id"
fi
set -e
}
get_valid_raw_key_colons() {
# assign list of public keys in colon representation
# see /usr/share/doc/gnupg/DETAILS for details on the format
# assign list of public keys in colon representation
# see /usr/share/doc/gnupg/DETAILS for details on the format
raw_key_colons="$(
gpg --homedir "$homedir" --list-key --with-colons 2>/dev/null \
gpg --list-key --with-colons 2>/dev/null \
| awk -F':' \
'function key_type(x) {
if (x ~ /(pub|sub)/)
......@@ -47,7 +86,7 @@ get_valid_raw_key_colons() {
return ""
}
function key_validity(x) {
if (x ~ /f/)
if (x !~ /(e|r)/)
return 1
else
return ""
......@@ -66,7 +105,7 @@ get_valid_raw_key_colons() {
}
list_expiring_keys() {
# list public keys, that will expire in less than 90 days
# list public keys, that will expire in less than 90 days
local expiring_keys=""
expiring_keys="$(awk -F':' -v now="$now" -v expiration_limit=$expiration_limit \
'function key_expiry(x) {
......@@ -90,7 +129,7 @@ list_expiring_keys() {
}
list_unsafe_keys() {
# list public keys, that are potentially unsafe or use weak algorithms
# list public keys, that are potentially unsafe or use weak algorithms
local unsafe_keys=""
unsafe_keys="$(awk -F':' \
'function key_length(x) {
......@@ -130,15 +169,29 @@ list_unsafe_keys() {
list_keyring_lint() {
local keys=""
keys="$(awk -F':' '{print $5}' <<< "$1")"
printf "all keys: %s\n" "$keys"
while read -r key_id; do
print_lint_info "$key_id"
printf "hokey lint output for %s\n" "$key_id"
print_hokey_lint_info "$key_id"
done <<< "$keys"
while read -r key_id; do
print_sequoia_lint_info "$key_id"
done <<< "$keys"
}
# WIP
# import_keys_from_directory 'master'
# import_key_from_file 'keyring.gpg'
# import_ownertrust_from_file 'archlinux-trusted'
# import_keys_from_directory 'master-revoked'
# import_keys_from_directory 'packager'
# import_keys_from_directory 'packager-revoked'
# import_keys_from_list 'packager-keyids'
# import_keys_from_list 'master-keyids'
get_valid_raw_key_colons
printf "%s\n" "$raw_key_colons"
list_expiring_keys "$raw_key_colons"
list_unsafe_keys "$raw_key_colons"
list_keyring_lint "$raw_key_colons"
# list_keyring_lint "$raw_key_colons"
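Review bot: The cleanup trap in the first hunk, `trap 'rm -rf $GNUPGHOME' EXIT INT TERM QUIT`, expands the directory unquoted, so a TMPDIR containing whitespace or glob characters would be word-split into several rm arguments and the wrong paths removed; the value comes from mktemp, so it should be quoted and guarded against an empty expansion: `trap 'rm -rf -- "${GNUPGHOME:?}"' EXIT INT TERM QUIT`. The script's shebang and anything before `set -eu` lie outside that hunk. Separately, `set -eu` has no pipefail, so in print_hokey_lint_info a failing `gpg --export` is masked by `hokey lint` reading empty input and the script continues as if the key were linted; `set -euo pipefail` on the set line (or checking the export before piping) would surface it. With `--homedir` dropped from the gpg calls on the new side, `homedir` appears to be unused apart from its TODO within the visible hunks — worth confirming against the rest of the file before it drifts.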