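#!/bin/bash
#
# Walk the OpenPGP web of trust outward from the keys that sign kernel.org
# releases:
#   1. collect every *.sign link on https://kernel.org/ and, in a worker
#      process per link, extract the long key id that made each signature;
#   2. for <rounds> rounds, list every key that has certified the current
#      key set, fetch the ones not yet in the local keyring (minus
#      IGNORE_KEYS), and continue from the certifiers.
#
# Usage:
#   keys.sh                 # two rounds
#   keys.sh <rounds>        # <rounds> rounds (non-negative integer)
#   keys.sh <sign-url>      # worker mode: print the signer key id(s) of the
#                           # detached signature at <sign-url>; the URL must
#                           # be https:// on a kernel.org host
#
# Requires bash 4+, curl, gpg and an xargs that accepts -P (GNU or BSD).
# Key servers are only ever asked for key ids, never given the signatures.

# Key ids that are never fetched, even when they certify a key in the walk.
# 0x0000000000000000 is presumably the id gpg prints when a signature carries
# no usable issuer — TODO confirm.
readonly -a IGNORE_KEYS=(
  '0x0000000000000000' '0x0300CF9DD2A7ED31' '0x04E798D46847B36B'
  '0x064B9A705F3E5E9B' '0x07C1D922C037EB03' '0x0B1F1653827A9C28'
  '0x0C20FF26C0091C99' '0x11BFB2AD1CEE3C17' '0x11D77768B021FACA'
  '0x12639545B8A08E2F' '0x13CD61F62AAC2190' '0x16A1A8CB94E2F77D'
  '0x197293F87B49F554' '0x236D7C128750D22B' '0x24843A563DCFF785'
  '0x24D3E7B98804A308' '0x26807DD07E962E4C' '0x293B4E7C610EDA3B'
  '0x2ADDBCF9671AC80B' '0x3C5318F8187E064C' '0x3F42A005F39EA031'
  '0x40E4FB09EF837293' '0x42B235B468237EF0' '0x493E31A0CE94CC28'
  '0x51D1511F8CEC4BD8'
)

#######################################
# Print usage to stderr and exit 2.
#######################################
usage() {
  printf 'Usage: %s [<rounds>|<https://...kernel.org/...sign>]\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Accept only https URLs whose host is kernel.org or a subdomain of it.
# The former glob `*".kernel.org/"*` also matched a path component or a
# foreign host such as evil.example/x.kernel.org/, which would have let an
# arbitrary site decide which key ids get imported.
# Arguments: $1 - URL
# Returns:   0 if acceptable, 1 otherwise
#######################################
is_kernel_org_url() {
  [[ $1 =~ ^https://([A-Za-z0-9-]+\.)*kernel\.org/ ]]
}

#######################################
# Worker mode: print the long key id (0x + 16 hex digits) of every
# signature packet in the detached signature at $1.
# `gpg --list-packets` prints ':signature packet: algo N, keyid <16 hex>'
# regardless of the user's keyid-format setting, so no verification
# attempt against a dummy file is needed and the output does not depend on
# gpg's human-readable "Signature made ..." wording.
# Arguments: $1 - https URL on a kernel.org host
# Outputs:   one key id per line on stdout
#######################################
signer_of() {
  local url=$1
  curl -fsS "${url}" \
    | gpg --batch --list-packets 2>/dev/null \
    | sed -n 's/^:signature packet: .*keyid \([0-9A-F]\{16\}\).*$/0x\1/p'
}

#######################################
# Print the ids (0x + 16 hex) of every key that has certified any of the
# given keys, sorted and unique. With no arguments gpg lists the whole
# keyring, so callers must not pass an empty set.
# Arguments: $@ - key ids
#######################################
certifiers_of() {
  gpg --list-sigs --fast-list-mode --fixed-list-mode --with-colons \
      --no-auto-check-trustdb "$@" \
    | awk -F: '$1 == "sig" { print "0x" $5 }' \
    | LC_ALL=C sort -u
}

#######################################
# Print the ids of all public keys currently in the local keyring.
#######################################
local_key_ids() {
  gpg --list-keys --fast-list-mode --fixed-list-mode --with-colons \
      --no-auto-check-trustdb \
    | awk -F: '$1 == "pub" { print "0x" $5 }' \
    | LC_ALL=C sort -u
}

#######################################
# Print the ids in $1 that are neither in $2 nor in IGNORE_KEYS.
# Arguments: $1 - newline-separated candidate ids
#            $2 - newline-separated ids already present locally
#######################################
not_yet_fetched() {
  LC_ALL=C comm -23 \
    <(printf '%s\n' "$1" | sed '/^$/d' | LC_ALL=C sort -u) \
    <({ printf '%s\n' "$2"; printf '%s\n' "${IGNORE_KEYS[@]}"; } \
        | sed '/^$/d' | LC_ALL=C sort -u)
}

#######################################
# Fetch the given key ids from the configured key server, 50 per gpg call.
# If a batch fails, retry one id at a time so a single unknown id does not
# block the rest, and print the ids that still fail.
# Arguments: $@ - key ids (may be empty: nothing is done)
# Returns:   exit status of the batched gpg/xargs run
#######################################
fetch_keys() {
  local -a ids=("$@")
  local id rc=0
  # An empty input would make GNU xargs run gpg --recv-keys with no ids.
  (( ${#ids[@]} > 0 )) || return 0
  printf '%s\n' "${ids[@]}" \
    | xargs -n50 gpg --recv-keys --no-auto-check-trustdb || rc=$?
  if (( rc != 0 )); then
    for id in "${ids[@]}"; do
      gpg -q --recv-keys --no-auto-check-trustdb "${id}" || printf '%s\n' "${id}"
    done
  fi
  return "${rc}"
}

main() {
  # Worker mode: exactly one argument that is an allowed signature URL.
  if (( $# == 1 )) && is_kernel_org_url "$1"; then
    signer_of "$1"
    exit 0
  fi

  # Anything else with one argument must be a round count; more than one
  # argument (or a non-kernel.org URL handed to a worker) is rejected instead
  # of silently starting a full walk, which the old script did recursively.
  local lvl=2
  (( $# <= 1 )) || usage
  if (( $# == 1 )); then
    [[ $1 =~ ^[0-9]+$ ]] || usage
    lvl=$1
  fi

  local -a sign_urls seeds
  mapfile -t sign_urls < <(
    curl -fsS 'https://kernel.org/' \
      | tr '"' '\n' \
      | grep '\.sign$'
  )
  if (( ${#sign_urls[@]} == 0 )); then
    printf 'no *.sign links found on https://kernel.org/\n' >&2
    exit 1
  fi

  gpg --check-trustdb

  # One worker per signature URL; worker stderr (curl/gpg noise, rejected
  # URLs) is discarded, only the printed key ids are kept.
  mapfile -t seeds < <(
    printf '%s\n' "${sign_urls[@]}" \
      | xargs -P 0 -n 1 "$0" 2>/dev/null \
      | LC_ALL=C sort -u
  )
  if (( ${#seeds[@]} == 0 )); then
    printf 'no signer key ids could be extracted\n' >&2
    exit 1
  fi

  local -a current=("${seeds[@]}")
  local -a certifiers known fresh
  local round
  for (( round = 0; round < lvl; round++ )); do
    mapfile -t certifiers < <(certifiers_of "${current[@]}")
    printf 'stage %d: %d keys -> %d keys.\n' \
      "${round}" "${#current[@]}" "${#certifiers[@]}"
    mapfile -t known < <(local_key_ids)
    mapfile -t fresh < <(not_yet_fetched \
      "$(printf '%s\n' "${certifiers[@]}")" \
      "$(printf '%s\n' "${known[@]}")")
    fetch_keys "${fresh[@]}" || exit $?
    # Stop rather than let an empty set make gpg list the whole keyring.
    (( ${#certifiers[@]} > 0 )) || break
    current=("${certifiers[@]}")
  done

  printf 'checking trustdb ...\n'
  gpg --check-trustdb
  printf '... done\n'
}

main "$@"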