diff options
author | Erich Eckner <git@eckner.net> | 2022-01-01 11:38:36 +0100 |
---|---|---|
committer | Erich Eckner <git@eckner.net> | 2022-01-01 11:38:36 +0100 |
commit | 130310519e961be6b4391d406ac1ae94d905cb01 (patch) | |
tree | be589c02a8f7dccc1387392e38c19f5bcd2bc22b /update-keys | |
download | archlinuxewe-keyring-2b9dc377e5d9ee7f5cbc037ba3791dd7e6e5ea8c.tar.xz |
initial version20220101
Diffstat (limited to 'update-keys')
-rwxr-xr-x | update-keys | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/update-keys b/update-keys new file mode 100755 index 0000000..25443a8 --- /dev/null +++ b/update-keys @@ -0,0 +1,69 @@ +#!/bin/bash + +export LANG=C + +TMPDIR=$(mktemp -d) +trap "rm -rf '${TMPDIR}'" EXIT + +KEYSERVER='hkp://keys.gnupg.net' +GPG_OPTIONS='--quiet --batch --no-tty --no-permission-warning' +GPG="gpg ${GPG_OPTIONS} --keyserver "${KEYSERVER}" --homedir ${TMPDIR}" + +pushd "$(dirname "$0")" >/dev/null + +$GPG --gen-key <<EOF +%echo Generating Arch Linux Ewe Keyring keychain master key... +Key-Type: RSA +Key-Length: 1024 +Key-Usage: sign +Name-Real: Arch Linux Ewe Keyring Keychain Master Key +Name-Email: archlinuxewe-keyring@localhost +Expire-Date: 0 +%no-protection +%no-ask-passphrase +%commit +%echo Done +EOF + +rm -rf master master-revoked archlinuxewe-trusted archlinuxewe-revoked +mkdir master master-revoked + +while read -ra data; do + keyid="${data[0]}" + username="${data[@]:1}" + ${GPG} --recv-keys ${keyid} &>/dev/null + gpg ${GPG_OPTIONS} -a --export ${keyid} </dev/null | \ + ${GPG} --import &>/dev/null + curl -Ss "https://archlinux32.org/keys.php?k=${keyid}" | \ + ${GPG} --import &>/dev/null + printf 'minimize\nquit\ny\n' | \ + ${GPG} --command-fd 0 --edit-key ${keyid} + ${GPG} --yes --lsign-key ${keyid} &>/dev/null + ${GPG} --armor --no-emit-version --export ${keyid} >> master/${username}.asc + echo "${keyid}:4:" >> archlinuxewe-trusted +done < master-keyids +${GPG} --import-ownertrust < archlinuxewe-trusted 2>/dev/null + +touch archlinuxewe-revoked + +while read -ra data; do + keyid="${data[0]}" + username="${data[2]}" + ${GPG} --recv-keys ${keyid} &>/dev/null + gpg ${GPG_OPTIONS} -a --export ${keyid} | \ + ${GPG} --import &>/dev/null + curl -Ss "https://archlinux32.org/keys.php?k=${keyid}" | \ + ${GPG} --import &>/dev/null + printf 'clean\nquit\ny\n' | \ + ${GPG} --command-fd 0 --edit-key ${keyid} + if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then + ${GPG} --armor --no-emit-version --export ${keyid} >> master-revoked/${username}.asc + echo "${keyid}" >> archlinuxewe-revoked + else + echo "key is still fully trusted: ${keyid} ${username}" + fi +done < master-revoked-keyids + +cat master/*.asc master-revoked/*.asc packager/*.asc packager-revoked/*.asc > archlinuxewe.gpg + +popd >/dev/null |