#!/bin/bash

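# gpg command line shared by every step: a dedicated keyring directory and a
# fixed keyserver. It is kept as one plain string and expanded unquoted
# (${GPG}) on purpose, so that it word-splits into the command and its
# options; none of the words contains whitespace.
# NOTE(review): hkp:// is the unencrypted keyserver protocol, so key material
# fetched through it is not protected in transit. Treat every imported key as
# unverified until its full fingerprint has been checked against an
# independent source. Also confirm that this keyserver is still operated.
GPG='gpg --homedir /var/cache/kernelKeys/.gnupg --keyserver hkp://keys.gnupg.net'

# Helper mode: called with exactly one argument ending in ".sign" (this is how
# the script re-invokes itself through parallel in the main run). It downloads
# that detached signature and prints the ID of the key that made it, as
# "0x<HEX>", one per line.
#
# The script file itself ("$0") is handed to gpg as the signed data, so the
# verification is presumably not expected to succeed; only the
# "Signature made ... key ID ..." diagnostic line is used. The printed ID is
# therefore a hint about which key to fetch, never evidence of a valid
# signature.
# NOTE(review): the pattern expects the key ID on the same line as
# "Signature made"; confirm the installed gpg still prints it that way,
# otherwise this mode silently prints nothing.
if [ "$#" -eq 1 ] && [[ "$1" == *".sign" ]]
then
  # "--" ends curl's option parsing: the URL is scraped from a web page, and a
  # value starting with "-" must not be read as a curl option.
  # -sS drops the progress meter but keeps real error messages.
  # NOTE(review): consider restricting the accepted URL schemes as well.
  curl -sS -- "$1" | \
    ${GPG} --verify - "$0" 2>&1 | \
    sed -n 's|^gpg: Signature made .* using \S\+ key ID \([0-9A-F]\+\)$|0x\1|p'
  # Best effort: a signature that yields no key ID is not an error here.
  exit 0
fi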

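# Crawl depth: the single command-line argument if exactly one was given,
# otherwise 2. Depth 1 fetches only the keys that signed the releases; each
# further level also fetches the keys that signed the previous level's keys.
if [ "$#" -eq 1 ]
then
  lvl=$1
else
  lvl=2
fi

# lvl ends up inside a (( )) arithmetic loop, where bash evaluates the
# expanded text as an expression. Accept plain decimal digits only, so that an
# empty or malformed argument is rejected here instead of being interpreted
# there.
case "${lvl}" in
  '' | *[!0-9]*)
    printf '%s: depth must be a non-negative integer, got "%s"\n' \
      "${0##*/}" "${lvl}" >&2
    exit 2
    ;;
esac
# Force base 10 so that a value such as "08" is not parsed as invalid octal.
lvl=$((10#${lvl}))

${GPG} --check-trustdb

# Collect every double-quoted string on the kernel.org front page that ends in
# ".sign": splitting on '"' puts each attribute value on its own line.
# curl's stderr is discarded, so a failed download only shows up as an empty
# result.
signatures="$(
  curl 'https://kernel.org/' 2>/dev/null | \
    tr '"' '\n' | \
    grep '\.sign$'
)"

if [ -z "${signatures}" ]
then
  # Do not abort: later stages can still work from keys already in the
  # keyring, but the operator should know that stage 0 has nothing to go on.
  printf '%s: warning: no .sign links found on https://kernel.org/\n' \
    "${0##*/}" >&2
fi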

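# Main crawl. Variable names are German:
#   alteKeyIds     - key IDs handled in the previous stage ("old")
#   keyIds         - key IDs discovered in the current stage
#   bekannteKeyIds - key IDs already present in the keyring ("known")
#   alleKeyIds     - union of discovered and known IDs ("all")
#   neueKeyIds     - IDs still to be fetched ("new")
#
# Everything imported here is unverified. Keys are requested by key ID from
# the keyserver configured in ${GPG}, and a key ID is not a fingerprint.
# Importing only makes a key available to gpg. Whether a key may be relied on
# to verify a kernel release has to be decided separately, by comparing full
# fingerprints against an independent source.
alteKeyIds=""

# Key IDs that are never requested from the keyserver. The reason is not
# recorded in this file; presumably these cannot be retrieved. Confirm before
# extending the list. The list does not change between stages, so it is
# defined once.
ignoreKeys=(
  '0x0000000000000000'
  '0x0300CF9DD2A7ED31'
  '0x04E798D46847B36B'
  '0x064B9A705F3E5E9B'
  '0x07C1D922C037EB03'
  '0x0B1F1653827A9C28'
  '0x0C20FF26C0091C99'
  '0x11BFB2AD1CEE3C17'
  '0x11D77768B021FACA'
  '0x12639545B8A08E2F'
  '0x13CD61F62AAC2190'
  '0x16A1A8CB94E2F77D'
  '0x197293F87B49F554'
  '0x236D7C128750D22B'
  '0x24843A563DCFF785'
  '0x24D3E7B98804A308'
  '0x26807DD07E962E4C'
  '0x293B4E7C610EDA3B'
  '0x2ADDBCF9671AC80B'
  '0x3C5318F8187E064C'
  '0x3F42A005F39EA031'
  '0x40E4FB09EF837293'
  '0x42B235B468237EF0'
  '0x493E31A0CE94CC28'
  '0x51D1511F8CEC4BD8'
)

# Count the non-empty lines on stdin. "echo "$x" | wc -l" reports 1 for an
# empty list because echo always emits one newline; this reports 0.
count_ids() {
  grep -c .
}

for ((i = 0; i < lvl; i++))
do
  if [ "${i}" -eq 0 ]
  then
    # Stage 0: re-run this script once per signature URL (helper mode) and
    # collect the signing key IDs it prints.
    keyIds="$(
      printf '%s\n' "${signatures}" | \
        parallel -j0 "$0" "{}" \; 2> /dev/null | \
        sort -u
    )"
  else
    # Later stages: take the key IDs of everyone who signed the previous
    # stage's keys (field 5 of the "sig:" records).
    # ${alteKeyIds} is unquoted on purpose: each ID must become its own
    # argument. If it is empty, gpg is called without a key argument.
    keyIds="$(
      ${GPG} --list-sigs --fast-list-mode --fixed-list-mode --with-colons --no-auto-check-trustdb ${alteKeyIds} | \
        grep '^sig:' | \
        cut -d: -f 5 | \
        sed 's|^|0x|' | \
        sort -u
    )"
  fi
  echo "stage ${i}: $(printf '%s\n' "${alteKeyIds}" | count_ids) keys -> $(printf '%s\n' "${keyIds}" | count_ids) keys."

  # IDs of all public keys already in the keyring.
  bekannteKeyIds="$(
    ${GPG} --list-keys --fast-list-mode --fixed-list-mode --with-colons --no-auto-check-trustdb | \
      grep '^pub:' | \
      cut -d: -f 5 | \
      sed 's|^|0x|' | \
      sort -u
  )"
  alleKeyIds="$(
    {
      printf '%s\n' "${keyIds}"
      printf '%s\n' "${bekannteKeyIds}"
    } | \
      sort -u
  )"

  # Set difference via "uniq -u": an ID survives only if it occurs exactly
  # once. Known IDs occur twice (once in alleKeyIds, once more here), and each
  # ignored ID is emitted twice, so both groups drop out. What remains is
  # "discovered, not yet in the keyring, not ignored".
  neueKeyIds="$(
    {
      printf '%s\n' "${alleKeyIds}"
      printf '%s\n' "${bekannteKeyIds}"
      for k in "${ignoreKeys[@]}"
      do
        printf '%s\n%s\n' "${k}" "${k}"
      done
    } | \
      sort | \
      uniq -u
  )"

  echo "new keys: $(printf '%s\n' "${neueKeyIds}" | count_ids)"

  # Nothing to fetch: skip the keyserver round trip instead of letting xargs
  # start gpg without any key ID.
  if [ -n "${neueKeyIds}" ]
  then
    # Fetch in batches of 50 IDs per gpg call.
    printf '%s\n' "${neueKeyIds}" | \
      xargs -n50 ${GPG} --recv-keys --no-auto-check-trustdb
    err=$?

    if [ "${err}" -ne 0 ]
    then
      # A batch failed: retry every ID individually, print the ones that
      # still cannot be fetched, then abort with the batch's exit status.
      # ${neueKeyIds} is unquoted on purpose, one ID per iteration.
      for s in ${neueKeyIds}
      do
        ${GPG} -q --recv-keys --no-auto-check-trustdb "${s}" || echo "${s}"
      done
      exit "${err}"
    fi
  fi

  alteKeyIds="${keyIds}"
done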

# Final pass: let gpg re-check its trust database now that the crawl has
# finished (the imports above ran with --no-auto-check-trustdb).
printf '%s\n' 'checking trustdb ...'
${GPG} --check-trustdb
printf '%s\n' '... done'