-
Notifications
You must be signed in to change notification settings - Fork 9
/
update-keys
executable file
·96 lines (81 loc) · 2.65 KB
/
update-keys
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
#!/bin/bash
set -e
export LANG=C
TMPDIR=$(mktemp -d)
trap "rm -rf '${TMPDIR}'" EXIT
KEYSERVER='keyserver.ubuntu.com'
GPG=(gpg --homedir "${TMPDIR}")
cat << __EOF__ > "${TMPDIR}"/gpg.conf
quiet
batch
no-tty
no-permission-warning
export-options no-export-attributes,export-clean
keyserver ${KEYSERVER}
keyserver-options no-self-sigs-only
armor
no-emit-version
allow-weak-key-signatures
__EOF__
cd "$(dirname "$0")"
"${GPG[@]}" --gen-key <<EOF
%echo Generating MSYS2 keyring temporary master key...
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: MSYS2 keyring temporary master key
Name-Email: msys2-keyring@localhost
Expire-Date: 0
%no-protection
%commit
%echo Done
EOF
"${GPG[@]}" --import < msys2.gpg
rm -rf master{,-revoked} packager{,-revoked} msys2-{trusted,revoked}
mkdir master packager master-revoked packager-revoked
# refresh/receive all keys
while read -ra data; do
keyid="${data[0]}"
username="${data[@]:1}"
if "${GPG[@]}" --list-keys ${keyid} >/dev/null &>/dev/null; then
"${GPG[@]}" --refresh-keys ${keyid} &>/dev/null
else
"${GPG[@]}" --recv-keys ${keyid} &>/dev/null
fi
done < <(cat master-keyids master-revoked-keyids packager-keyids packager-revoked-keyids)
# master-keyids
while read -ra data; do
keyid="${data[0]}"
username="${data[@]:1}"
"${GPG[@]}" --yes --lsign-key ${keyid} &>/dev/null
"${GPG[@]}" --comment "master-key: ${username} (${keyid})" --export ${keyid} >> master/${username}.asc
echo "${keyid}:4:" >> msys2-trusted
done < master-keyids
"${GPG[@]}" --import-ownertrust < msys2-trusted 2>/dev/null
# master-revoked-keyids
while read -ra data; do
keyid="${data[0]}"
username="${data[1]}"
"${GPG[@]}" --comment "revoked master-key: ${username} (${keyid})" --export ${keyid} >> master-revoked/${username}.asc
echo "${keyid}" >> msys2-revoked
done < master-revoked-keyids
# packager-keyids
while read -ra data; do
keyid="${data[0]}"
username="${data[@]:1}"
if ! "${GPG[@]}" --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
echo "WARNING: key is not fully trusted: ${keyid} ${username}"
"${GPG[@]}" --comment "marginal trust: ${username} (${keyid})" --export ${keyid} >> packager/${username}.asc
else
"${GPG[@]}" --comment "packager: ${username} (${keyid})" --export ${keyid} >> packager/${username}.asc
fi
done < packager-keyids
# packager-revoked-keyids
while read -ra data; do
keyid="${data[0]}"
username="${data[1]}"
"${GPG[@]}" --comment "revoked packager: ${username} (${keyid})" --export ${keyid} >> packager-revoked/${username}.asc
echo "${keyid}" >> msys2-revoked
done < packager-revoked-keyids
shopt -s nullglob
cat master/*.asc master-revoked/*.asc packager/*.asc packager-revoked/*.asc > msys2.gpg