From 8712387a029b5dbc9e4e94e58477b1521ad2341c Mon Sep 17 00:00:00 2001
From: Erich Eckner
Date: Fri, 7 Jul 2023 21:39:24 +0200
Subject: gpg: * consider newest key only * consider oldest sig of this key * clean up date parsing
---
 crypt-expiry-check.in | 37 +++++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 16 deletions(-)

diff --git a/crypt-expiry-check.in b/crypt-expiry-check.in
index 14f7432..c24dfbc 100755
--- a/crypt-expiry-check.in
+++ b/crypt-expiry-check.in
@@ -495,22 +495,27 @@ check_gpg_key_status() {
     exit 1
   fi
 
-  KEY_INFO=$(${GPG_COMMAND} --list-secret-keys "${GPG_ADDRESS}" 2> /dev/null)
-  [ -z "${KEY_INFO}" ] && KEY_INFO=$(${GPG_COMMAND} --list-keys "${GPG_ADDRESS}")
-
-  KEY_DATE_STR=$(
-    echo "${KEY_INFO}" | \
-    ${GREP} "\[\(expire[ds]\|verfallen\|verf..\?llt\):[^]]*]" | \
-    ${SED} "s#^.*\[\(expire[ds]\|verfallen\|verf..\?llt\):\s*\(\S[^]]*\)].*\$#\2#" | \
-    ${SORT} -r | \
-    ${TAIL} -n1
-  )
-  if [ -z "${KEY_DATE_STR}" ]
+  KEYS=$(${GPG_COMMAND} --list-secret-keys --with-colons "${GPG_ADDRESS}" 2>/dev/null)
+  [ -z "${KEYS}" ] && KEYS=$(${GPG_COMMAND} --list-keys --with-colons "${GPG_ADDRESS}" 2>/dev/null)
+
+  KEY_DATE=$(
+    echo "${KEYS}" \
+    | ${AWK} -F: '$1 == "fpr" {print $10}' \
+    | ${SORT} -u \
+    | while read -r KEY; do
+      ${GPG_COMMAND} --list-keys --with-colons "${KEY}" \
+      | awk -F: '$1 == "sub" || $1 == "pub" {print $7}' \
+      | ${SORT} -r \
+      | tail -n1
+    done \
+    | ${SORT} \
+    | tail -n1
+  )
+  if [ -z "${KEY_DATE}" ]
   then
     echo "No valid gpg-key found for ${GPG_ADDRESS}." | ${TEE} -a ${MAILOUT_TMP} >> ${STDOUT_TMP}
     set_retcode 2
-  else
-    KEY_DATE=$(${DATE} +%s -ud "${KEY_DATE_STR}")
+    return
   fi
   KEY_DIFF=$[${KEY_DATE} - $(${DATE} +%s)]
 
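Review bot: A key whose `pub` or `sub` record carries no expiration (empty field 7 in the `--with-colons` listing) is mishandled by the inner `${SORT} -r | tail -n1`: the empty line sorts last, so that key's "oldest expiry" becomes the empty string and a never-expiring key ends up in the "No valid gpg-key found" branch instead of being reported as valid; revoked or already-expired subkeys (validity `r`/`e` in field 2) are likewise counted and will drag the reported date down to the oldest dead subkey, which may not be what "oldest sig of this key" intends. The inner awk should at least drop empty dates, e.g. `| ${AWK} -F: '($1 == "pub" || $1 == "sub") && $7 != "" {print $7}' \`, and both the per-key minimum and the cross-key maximum should be selected numerically (`${SORT} -n | head -n1` and `${SORT} -n | tail -n1`) since the value is used as an integer in `KEY_DIFF=$[...]` right after. That arithmetic presumes epoch-second timestamps, which GnuPG only guarantees in fixed list mode (the default since 2.0.10), so adding `--fixed-list-mode` to both `--with-colons` invocations pins the assumption at no cost on current versions. As a matter of style, the loop body calls bare `awk` and `tail` while the surrounding pipeline uses `${AWK}`/`${SORT}`/`${TAIL}`. check_gpg_key_status begins before this hunk and continues after it.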
@@ -524,17 +529,17 @@ check_gpg_key_status() {
   if [ ${KEY_DIFF} -lt 0 ]
   then
     echo "The GPG key for ${GPG_ADDRESS} has expired!" >> ${MAILOUT_TMP}
-    prints "GPG" " ${GPG_ADDRESS}" "Expired" "${KEY_DATE_STR}" "${KEY_DIFF}" "" "" "" >> ${STDOUT_TMP}
+    prints "GPG" " ${GPG_ADDRESS}" "Expired" "${KEY_DATE}" "${KEY_DIFF}" "" "" "" >> ${STDOUT_TMP}
     set_retcode 2
   elif [ ${KEY_DIFF} -lt ${FWARNDAYS} ]
   then
     echo "The GPG key for ${GPG_ADDRESS} will expire on ${KEY_DATE_STR}" >> ${MAILOUT_TMP}
-    prints "GPG" " ${GPG_ADDRESS}" "Expiring" "${KEY_DATE_STR}" "${KEY_DIFF}" "" "" "" >> ${STDOUT_TMP}
+    prints "GPG" " ${GPG_ADDRESS}" "Expiring" "${KEY_DATE}" "${KEY_DIFF}" "" "" "" >> ${STDOUT_TMP}
     set_retcode 1
   else
-    prints "GPG" " ${GPG_ADDRESS}" "Valid" "${KEY_DATE_STR}" "${KEY_DIFF}" "" "" "" >> ${STDOUT_TMP}
+    prints "GPG" " ${GPG_ADDRESS}" "Valid" "${KEY_DATE}" "${KEY_DIFF}" "" "" "" >> ${STDOUT_TMP}
   fi
 }
-- 
cgit v1.2.3-54-g00ecf
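Review bot: The unchanged line `echo "The GPG key for ${GPG_ADDRESS} will expire on ${KEY_DATE_STR}" >> ${MAILOUT_TMP}` still interpolates `KEY_DATE_STR`, whose only assignment the previous hunk removes, so the warning mail now ends in "will expire on " with no date. The three `prints` lines now pass `${KEY_DATE}`, which after this commit is an epoch-seconds integer rather than the human-readable date that was shown before. Both are addressed by formatting the date once after `KEY_DATE` is computed, e.g. `KEY_DATE_STR=$(${DATE} -ud "@${KEY_DATE}")` (GNU `date`, which the script already relies on via `-ud`), and keeping `${KEY_DATE_STR}` in these four lines. check_gpg_key_status begins outside this hunk.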