Send patches - preferably formatted by git format-patch - to patches at archlinux32 dot org.
summaryrefslogtreecommitdiff
path: root/update-keys
blob: 89051f75d07721107983712c1b8406a3a6008943 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
#!/bin/bash

export LANG=C

TMPDIR=$(mktemp -d)
trap "rm -rf '${TMPDIR}'" EXIT

KEYSERVER='hkp://pgp.mit.edu'
GPG="gpg --quiet --batch --no-tty --no-permission-warning --keyserver "${KEYSERVER}" --homedir ${TMPDIR}"

pushd "$(dirname "$0")" >/dev/null

$GPG --gen-key <<EOF
%echo Generating Arch Linux 32 Keyring keychain master key...
Key-Type: RSA
Key-Length: 1024
Key-Usage: sign
Name-Real: Arch Linux 32 Keyring Keychain Master Key
Name-Email: archlinux32-keyring@localhost
Expire-Date: 0
%commit
%echo Done
EOF

rm -rf master packager packager-revoked archlinux32-trusted archlinux32-revoked
mkdir master packager packager-revoked

while read -ra data; do
	keyid="${data[0]}"
	username="${data[@]:1}"
	${GPG} --recv-keys ${keyid} &>/dev/null
	printf 'minimize\nquit\ny\n' | \
		${GPG} --command-fd 0 --edit-key ${keyid}
	${GPG} --yes --lsign-key ${keyid} &>/dev/null
	${GPG} --armor --no-emit-version --export ${keyid} >> master/${username}.asc
	echo "${keyid}:4:" >> archlinux32-trusted
done < master-keyids
${GPG} --import-ownertrust < archlinux32-trusted 2>/dev/null

while read -ra data; do
	keyid="${data[0]}"
	${GPG} --recv-keys ${keyid} &>/dev/null
done < packager-keyids
while read -ra data; do
	keyid="${data[0]}"
	username="${data[@]:1}"
	printf 'clean\nquit\ny\n' | \
		${GPG} --command-fd 0 --edit-key ${keyid}
	if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
		echo "key is not fully trusted: ${keyid} ${username}"
		${GPG} --list-keys --with-colons ${keyid}
		echo
		${GPG} --list-sigs ${keyid}
		while read -r a b; do
		  echo
		  ${GPG}  --list-keys --with-colons ${a}
		done < master-keyids
	else
		${GPG} --armor --no-emit-version --export ${keyid} >> packager/${username}.asc
	fi
done < packager-keyids

# uncomment when we have keys to revoke

#while read -ra data; do
#	keyid="${data[0]}"
#	username="${data[1]}"
#	${GPG} --recv-keys ${keyid} &>/dev/null
#	printf 'clean\nquit\ny\n' | \
#		${GPG} --command-fd 0 --edit-key ${keyid}
#	if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
#		${GPG} --armor --no-emit-version --export ${keyid} >> packager-revoked/${username}.asc
#		echo "${keyid}" >> archlinux32-revoked
#	else
#		echo "key is still fully trusted: ${keyid} ${username}"
#	fi
#done < packager-revoked-keyids

#cat master/*.asc packager/*.asc packager-revoked/*.asc > archlinux32.gpg

cat master/*.asc packager/*.asc > archlinux32.gpg

popd >/dev/null