summaryrefslogtreecommitdiff
path: root/update-keys
diff options
context:
space:
mode:
authorErich Eckner <git@eckner.net>2022-01-01 11:38:36 +0100
committerErich Eckner <git@eckner.net>2022-01-01 11:38:36 +0100
commit130310519e961be6b4391d406ac1ae94d905cb01 (patch)
treebe589c02a8f7dccc1387392e38c19f5bcd2bc22b /update-keys
downloadarchlinuxewe-keyring-130310519e961be6b4391d406ac1ae94d905cb01.tar.xz
initial version20220101
Diffstat (limited to 'update-keys')
-rwxr-xr-xupdate-keys69
1 files changed, 69 insertions, 0 deletions
diff --git a/update-keys b/update-keys
new file mode 100755
index 0000000..25443a8
--- /dev/null
+++ b/update-keys
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+export LANG=C
+
+TMPDIR=$(mktemp -d)
+trap "rm -rf '${TMPDIR}'" EXIT
+
+KEYSERVER='hkp://keys.gnupg.net'
+GPG_OPTIONS='--quiet --batch --no-tty --no-permission-warning'
+GPG="gpg ${GPG_OPTIONS} --keyserver "${KEYSERVER}" --homedir ${TMPDIR}"
+
+pushd "$(dirname "$0")" >/dev/null
+
+$GPG --gen-key <<EOF
+%echo Generating Arch Linux Ewe Keyring keychain master key...
+Key-Type: RSA
+Key-Length: 1024
+Key-Usage: sign
+Name-Real: Arch Linux Ewe Keyring Keychain Master Key
+Name-Email: archlinuxewe-keyring@localhost
+Expire-Date: 0
+%no-protection
+%no-ask-passphrase
+%commit
+%echo Done
+EOF
+
+rm -rf master master-revoked archlinuxewe-trusted archlinuxewe-revoked
+mkdir master master-revoked
+
+while read -ra data; do
+ keyid="${data[0]}"
+ username="${data[@]:1}"
+ ${GPG} --recv-keys ${keyid} &>/dev/null
+ gpg ${GPG_OPTIONS} -a --export ${keyid} </dev/null | \
+ ${GPG} --import &>/dev/null
+ curl -Ss "https://archlinux32.org/keys.php?k=${keyid}" | \
+ ${GPG} --import &>/dev/null
+ printf 'minimize\nquit\ny\n' | \
+ ${GPG} --command-fd 0 --edit-key ${keyid}
+ ${GPG} --yes --lsign-key ${keyid} &>/dev/null
+ ${GPG} --armor --no-emit-version --export ${keyid} >> master/${username}.asc
+ echo "${keyid}:4:" >> archlinuxewe-trusted
+done < master-keyids
+${GPG} --import-ownertrust < archlinuxewe-trusted 2>/dev/null
+
+touch archlinuxewe-revoked
+
+while read -ra data; do
+ keyid="${data[0]}"
+ username="${data[2]}"
+ ${GPG} --recv-keys ${keyid} &>/dev/null
+ gpg ${GPG_OPTIONS} -a --export ${keyid} | \
+ ${GPG} --import &>/dev/null
+ curl -Ss "https://archlinux32.org/keys.php?k=${keyid}" | \
+ ${GPG} --import &>/dev/null
+ printf 'clean\nquit\ny\n' | \
+ ${GPG} --command-fd 0 --edit-key ${keyid}
+ if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
+ ${GPG} --armor --no-emit-version --export ${keyid} >> master-revoked/${username}.asc
+ echo "${keyid}" >> archlinuxewe-revoked
+ else
+ echo "key is still fully trusted: ${keyid} ${username}"
+ fi
+done < master-revoked-keyids
+
+cat master/*.asc master-revoked/*.asc packager/*.asc packager-revoked/*.asc > archlinuxewe.gpg
+
+popd >/dev/null