diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:19:41 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:19:41 +0000 |
commit | a27c8b00ebf173659f22f53ce65679e94e7dfb1b (patch) | |
tree | 02c68ec259348b63c6328896aa73265eb7b3d730 /scripts/add-key | |
parent | Initial commit. (diff) | |
download | debian-keyring-upstream.tar.xz debian-keyring-upstream.zip |
Adding upstream version 2022.12.24.upstream/2022.12.24upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'scripts/add-key')
-rwxr-xr-x | scripts/add-key | 144 |
1 files changed, 144 insertions, 0 deletions
diff --git a/scripts/add-key b/scripts/add-key new file mode 100755 index 0000000..313719f --- /dev/null +++ b/scripts/add-key @@ -0,0 +1,144 @@ +#!/bin/bash + +# Copyright (c) 2008 Jonathan McDowell <noodles@earth.li> +# GNU GPL; v2 or later +# Adds a new key to a keyring directory + +set -e + +if [ -z "$1" ] || [ -z "$2" ]; then + echo "Usage: add-key keyfile dir" >&2 + echo "Or: add-key fingerprint dir" >&2 + exit 1 +fi + +# avoid gnupg touching ~/.gnupg +GNUPGHOME=$(mktemp -d -t jetring.XXXXXXXX) +export GNUPGHOME +trap cleanup exit +cleanup () { + rm -rf "$GNUPGHOME" +} + +if echo -n "$1" | egrep -q '^[[:xdigit:]]{40}$'; then + fpr=$1 + keyserver=${KEYSERVER:=pool.sks-keyservers.net} + keyfile=$(mktemp -p $GNUPGHOME newkyXXXXXX) + echo "Retrieving key $fpr from keyserver $keyserver" + gpg --keyserver $keyserver --recv-key "$fpr" + gpg --export "$fpr" > $keyfile +else + keyfile=$(readlink -f "$1") # gpg works better with absolute keyring paths +fi +keydir="$2" + +basename=$(basename "$keyfile") +date=`date -R` + +if [ -f $keyfile ]; then + keyid=$(gpg --with-colons --keyid long --options /dev/null --no-auto-check-trustdb < $keyfile | grep '^pub' | cut -d : -f 5) +else + keyid=${1: -16:16} +fi + +for keyring in *-pgp/ *-gpg/; do + if [ -e $keyring/0x$keyid ]; then + echo "0x$keyid already exists in $keyring - existing key or error." + exit 1 + fi +done + +# Check we have our keyrings available for checking the signatures +if [ ! -e output/keyrings/debian-keyring.gpg ]; then + make +fi + +if [ -f $keyfile ]; then + gpg --quiet --import $keyfile +else + gpg --quiet --keyserver the.earth.li --recv-key $1 || true + gpg --quiet --keyserver pgp.mit.edu --recv-key $1 || true + gpg --quiet --keyserver keyserver.ubuntu.com --recv-key $1 || true + gpg --quiet --keyserver the.earth.li --send-key $1 +fi +gpg --keyring output/keyrings/debian-keyring.gpg \ + --keyring output/keyrings/debian-nonupload.gpg --check-sigs \ + --with-fingerprint --keyid-format 0xlong 0x$keyid | \ +sensible-pager + +echo "We want signatures from at least two other DDs." +echo "If this is a key transition, we also want a signature from the DD's old key." +echo "Are you sure you want to update this key? (y/n)" +read n + +if ( echo $keydir | egrep -q '^(\./)?debian-keyring-gpg/?$' ); then + dest=DD +elif ( echo $keydir | egrep -q '^(\./)?debian-nonupload-gpg/?$' ); then + dest=DN +elif ( echo $keydir | egrep -q '^(\./)?debian-maintainers-gpg/?$' ); then + dest=DM +fi + +if [ "x$n" = "xy" -o "x$n" = "xY" ]; then + gpg --no-auto-check-trustdb --options /dev/null \ + --keyring output/keyrings/debian-keyring.gpg \ + --keyring output/keyrings/debian-nonupload.gpg \ + --keyring output/keyrings/debian-maintainers.gpg \ + --export-options export-clean,no-export-attributes \ + --export $keyid > $keydir/0x$keyid + git add $keydir/0x$keyid + echo -n "Enter full name of new key: " + read name + echo -n 'RT issue ID this change closes, if any: ' + read rtid + if [ "$dest" = DD -o "$dest" = DN ]; then + echo -n "Enter Debian login of new key: " + read login + echo "0x$keyid $name <$login>" >> keyids + sort keyids > keyids.$$ && mv keyids.$$ keyids + git add keyids + fi + + log="Add new $dest key 0x${fpr:24:16} ($name) (RT #$rtid)" + VERSION=$(head -1 debian/changelog | awk '{print $2}' | sed 's/[\(\)]//g') + RELEASE=$(head -1 debian/changelog | awk '{print $3}' | sed 's/;$//') + case $RELEASE in + UNRELEASED) + dch --multimaint-merge -D UNRELEASED -a "$log" + ;; + unstable) + NEWVER=$(date +%Y.%m.xx) + if [ "$VERSION" = "$NEWVER" ] + then + echo '* Warning: New version and previous released version are' + echo " the same: $VERSION. This should not be so!" + echo ' Check debian/changelog' + fi + dch -D UNRELEASED -v $NEWVER "$log" + ;; + *) + echo "Last release $VERSION for unknown distribution «$RELEASE»." + echo "Not calling dch, do it manually." + ;; + esac + git add debian/changelog + + cat > git-commit-template <<EOF +$log + +Action: add +Subject: $name +Username: $login +Role: $dest +Key: $fpr +Key-type: +RT-Ticket: $rtid +Request-signed-by: +Key-certified-by: +Details: +EOF + +else + echo "Not adding key." + exit 1 +fi |