From 5330d56ae97da42aa163d32ca709b2c2fc2e3544 Mon Sep 17 00:00:00 2001
From: Erich Eckner
Date: Tue, 5 Nov 2019 09:10:21 +0100
Subject: bin/nit-picker: check expiry of keys in Keyring
---
 bin/nit-picker | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 57 insertions(+), 1 deletion(-)
(limited to 'bin/nit-picker')
diff --git a/bin/nit-picker b/bin/nit-picker
index 2b92b84..0094a01 100755
--- a/bin/nit-picker
+++ b/bin/nit-picker
@@ -148,6 +148,21 @@ while pgrep -x ii >/dev/null \
 printf ';\n'
 if "${do_once_a_day_checks}"; then
+ printf 'SELECT DISTINCT'
+ printf ' "keyring",'
+ mysql_package_name_query
+ printf ' FROM `binary_packages`'
+ mysql_join_binary_packages_architectures
+ printf ' LEFT'
+ mysql_join_binary_packages_compressions
+ mysql_join_binary_packages_binary_packages_in_repositories
+ mysql_join_binary_packages_in_repositories_repositories
+ printf ' WHERE `repositories`.`is_on_master_mirror`'
+ printf ' AND `binary_packages`.`pkgname` IN ('
+ printf '"archlinux32-keyring",'
+ printf '"archlinux32-keyring-transition"'
+ printf ');\n'
+
 printf 'SELECT'
 printf ' "build-duration",'
 printf '`build_slaves`.`name`'
@@ -322,7 +337,6 @@ while pgrep -x ii >/dev/null \
 "${tmp_dir}/pkg-deps"
 ;;
 'binary-signature')
-# TODO: check signature against keyring from package, not against installed keyring
 if ! ${master_mirror_rsync_command} \
 "${master_mirror_rsync_directory}/pool/${parameters}" \
 "${master_mirror_rsync_directory}/pool/${parameters}.sig" \
@@ -450,6 +464,48 @@ while pgrep -x ii >/dev/null \
 sleep 60
 fi
 ;;
+ 'keyring')
+ if ! ${master_mirror_rsync_command} \
+ "${master_mirror_rsync_directory}/pool/${parameters}" \
+ "${tmp_dir}/"; then
+ rm -f "${tmp_dir}/${parameters}"
+ continue
+ fi
+ mkdir "${tmp_dir}/pkg" "${tmp_dir}/gpg-home"
+ bsdtar -C "${tmp_dir}/pkg" -xf "${tmp_dir}/${parameters}" --strip-components=4 'usr/share/pacman/keyrings'
+
+ gpg --no-permission-warning --quiet --homedir "${tmp_dir}/gpg-home" --import \
+ < "${tmp_dir}/pkg/archlinux32.gpg"
+ cut -d: -f1 "${tmp_dir}/pkg/archlinux32-trusted" \
+ | while read -r gpg_key; do
+ gpg --no-permission-warning --homedir "${tmp_dir}/gpg-home" --with-colons --list-keys "0x${gpg_key}" \
+ | grep '^pub:\|^sub:' \
+ | cut -d: -f7 \
+ | grep -vxF '' \
+ | sort -u \
+ | while read -r expiration; do
+ expiration_days=$(((expiration - $(date +%s))/24/60/60))
+ if [ ${expiration_days} -lt 100 ]; then
+ printf 'key %s (from %s) in package %s expires on %s (in %s < 100 days).\n' \
+ "${gpg_key}" \
+ "$(
+ gpg --batch --homedir "${tmp_dir}/gpg-home" --with-colons --list-keys "0x${gpg_key}" \
+ 2>/dev/null \
+ | grep '^\(uid\):' \
+ | cut -d: -f10
+ )" \
+ "${parameters}" \
+ "$(date -I -d@"${expiration}")" \
+ "${expiration_days}" \
+ | local_irc_say
+ fi
+ done
+ done
+
+ rm "${tmp_dir}/${parameters}"
+ rm -rf --one-file-system "${tmp_dir}/gpg-home" "${tmp_dir}/pkg"
+ :
+ ;;
 *)
 >&2 printf 'action "%s" is not yet implemented ...\n' "${action}"
 ;;
-- 
cgit v1.2.3-70-g09d2
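Review bot: The bsdtar extraction and the gpg --import that follow the mkdir in the new 'keyring' branch are not exit-status checked, so a package that fails to extract or that lacks usr/share/pacman/keyrings/archlinux32.gpg yields an empty key listing and therefore no report — the expiry check fails open and nothing reaches local_irc_say. Because the cleanup (`rm`, `rm -rf --one-file-system …`) only runs at the end of the branch, any such early failure would also leave pkg and gpg-home behind and make the mkdir for the next keyring package fail; the rewrite below reports the failure, cleans up and continues. The arithmetic in `expiration_days` assumes gpg prints field 7 of the colon listing as epoch seconds, which is only guaranteed with `--fixed-list-mode` (implicit in newer gpg); adding it to both `--list-keys` calls would make the check independent of the installed gpg version. The keyring package is extracted and imported without fetching and verifying its .sig the way the binary-signature branch does; if that is intentional because the signature check already runs as a separate action, a comment saying so would help the next reader. The enclosing case and while loop start and end outside the hunk.
```shell
mkdir "${tmp_dir}/pkg" "${tmp_dir}/gpg-home"
if ! bsdtar -C "${tmp_dir}/pkg" -xf "${tmp_dir}/${parameters}" --strip-components=4 'usr/share/pacman/keyrings' \
  || ! gpg --no-permission-warning --quiet --homedir "${tmp_dir}/gpg-home" --import \
    < "${tmp_dir}/pkg/archlinux32.gpg"; then
  printf 'cannot extract or import keyring from package %s.\n' "${parameters}" \
    | local_irc_say
  rm -f "${tmp_dir}/${parameters}"
  rm -rf --one-file-system "${tmp_dir}/gpg-home" "${tmp_dir}/pkg"
  continue
fi
# … unchanged: expiry loop over archlinux32-trusted, final cleanup …
```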