author | Erich Eckner <git@eckner.net> | 2023-07-07 21:39:24 +0200 |
committer | Erich Eckner <git@eckner.net> | 2023-07-07 21:39:24 +0200 |
commit | 8712387a029b5dbc9e4e94e58477b1521ad2341c (patch) | |
tree | 1a3e6ecc1a9287efaa743e24a2358e3188b58952 /crypt-expiry-check.in | |
parent | d82f06896815991be88781c9a44857e2be9cea9f (diff) | |
download | crypt-expiry-check-8712387a029b5dbc9e4e94e58477b1521ad2341c.tar.xz |
gpg:
* consider newest key only
* consider oldest sig of this key
* clean up date parsing
Diffstat (limited to 'crypt-expiry-check.in')
-rwxr-xr-x | crypt-expiry-check.in | 37 |
1 files changed, 21 insertions, 16 deletions
diff --git a/crypt-expiry-check.in b/crypt-expiry-check.in
index 14f7432..c24dfbc 100755
--- a/crypt-expiry-check.in
+++ b/crypt-expiry-check.in
@@ -495,22 +495,27 @@ check_gpg_key_status() {
 exit 1
 fi
- KEY_INFO=$(${GPG_COMMAND} --list-secret-keys "${GPG_ADDRESS}" 2> /dev/null)
- [ -z "${KEY_INFO}" ] && KEY_INFO=$(${GPG_COMMAND} --list-keys "${GPG_ADDRESS}")
-
- KEY_DATE_STR=$(
- echo "${KEY_INFO}" | \
- ${GREP} "\[\(expire[ds]\|verfallen\|verf..\?llt\):[^]]*]" | \
- ${SED} "s#^.*\[\(expire[ds]\|verfallen\|verf..\?llt\):\s*\(\S[^]]*\)].*\$#\2#" | \
- ${SORT} -r | \
- ${TAIL} -n1
- )
- if [ -z "${KEY_DATE_STR}" ]
+ KEYS=$(${GPG_COMMAND} --list-secret-keys --with-colons "${GPG_ADDRESS}" 2>/dev/null)
+ [ -z "${KEYS}" ] && KEYS=$(${GPG_COMMAND} --list-keys --with-colons "${GPG_ADDRESS}" 2>/dev/null)
+
+ KEY_DATE=$(
+ echo "${KEYS}" \
+ | ${AWK} -F: '$1 == "fpr" {print $10}' \
+ | ${SORT} -u \
+ | while read -r KEY; do
+ ${GPG_COMMAND} --list-keys --with-colons "${KEY}" \
+ | awk -F: '$1 == "sub" || $1 == "pub" {print $7}' \
+ | ${SORT} -r \
+ | tail -n1
+ done \
+ | ${SORT} \
+ | tail -n1
+ )
+ if [ -z "${KEY_DATE}" ]
 then
 echo "No valid gpg-key found for ${GPG_ADDRESS}." | ${TEE} -a ${MAILOUT_TMP} >> ${STDOUT_TMP}
 set_retcode 2
- else
- KEY_DATE=$(${DATE} +%s -ud "${KEY_DATE_STR}")
+ return
 fi
 KEY_DIFF=$[${KEY_DATE} - $(${DATE} +%s)]
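Review bot: The inner `awk -F: '$1 == "sub" || $1 == "pub" {print $7}'` takes the expiration field of every pub/sub record without consulting the validity field ($2), so a revoked or long-expired subkey (GnuPG marks these `r`/`e` in field 2) supplies the smallest date and the whole key is reported as expired, while a subkey with no expiration (empty $7) yields an empty line that `${SORT} -r | tail -n1` then selects, silently dropping that key from the outer `${SORT} | tail -n1`. Filtering in awk covers both cases: `| awk -F: '($1 == "sub" || $1 == "pub") && $2 !~ /^[er]$/ && $7 != "" {print $7}' \`. Both `${SORT}` calls compare epoch-second values as strings; `${SORT} -n` states the intent and does not depend on equal digit counts. The bare `awk` and `tail` inside the loop also bypass the `${AWK}`/`${TAIL}` indirection used on the neighbouring lines. check_gpg_key_status starts before this hunk and continues after it.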
@@ -524,17 +529,17 @@ check_gpg_key_status() {
 if [ ${KEY_DIFF} -lt 0 ]
 then
 echo "The GPG key for ${GPG_ADDRESS} has expired!" >> ${MAILOUT_TMP}
- prints "GPG" " ${GPG_ADDRESS}" "Expired" "${KEY_DATE_STR}" "${KEY_DIFF}" "" "" "" >> ${STDOUT_TMP}
+ prints "GPG" " ${GPG_ADDRESS}" "Expired" "${KEY_DATE}" "${KEY_DIFF}" "" "" "" >> ${STDOUT_TMP}
 set_retcode 2
 elif [ ${KEY_DIFF} -lt ${FWARNDAYS} ]
 then
 echo "The GPG key for ${GPG_ADDRESS} will expire on ${KEY_DATE_STR}" >> ${MAILOUT_TMP}
- prints "GPG" " ${GPG_ADDRESS}" "Expiring" "${KEY_DATE_STR}" "${KEY_DIFF}" "" "" "" >> ${STDOUT_TMP}
+ prints "GPG" " ${GPG_ADDRESS}" "Expiring" "${KEY_DATE}" "${KEY_DIFF}" "" "" "" >> ${STDOUT_TMP}
 set_retcode 1
 else
- prints "GPG" " ${GPG_ADDRESS}" "Valid" "${KEY_DATE_STR}" "${KEY_DIFF}" "" "" "" >> ${STDOUT_TMP}
+ prints "GPG" " ${GPG_ADDRESS}" "Valid" "${KEY_DATE}" "${KEY_DIFF}" "" "" "" >> ${STDOUT_TMP}
 fi
 } |
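Review bot: The unchanged `echo "The GPG key for ${GPG_ADDRESS} will expire on ${KEY_DATE_STR}" >> ${MAILOUT_TMP}` in the Expiring branch still reads `KEY_DATE_STR`, which the first hunk no longer sets, so the warning mail now names an empty date. The three `prints` lines were switched to `${KEY_DATE}`, which after the first hunk holds epoch seconds, so the status column shows a raw integer where a date used to be. Both are covered by deriving the string from the epoch value, e.g. `echo "The GPG key for ${GPG_ADDRESS} will expire on $(${DATE} -ud "@${KEY_DATE}")" >> ${MAILOUT_TMP}` for the mail line, or by assigning `KEY_DATE_STR=$(${DATE} -ud "@${KEY_DATE}")` once after the `-z` check and leaving these lines as they were. The closing `}` here ends check_gpg_key_status, whose start lies before the first hunk.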