diff options
Diffstat (limited to 'scripts/replace-key')
-rwxr-xr-x | scripts/replace-key | 178 |
1 files changed, 178 insertions, 0 deletions
diff --git a/scripts/replace-key b/scripts/replace-key new file mode 100755 index 0000000..caad499 --- /dev/null +++ b/scripts/replace-key @@ -0,0 +1,178 @@ +#!/bin/bash + +# Copyright (c) 2014 Gunnar Wolf <gwolf@debian.org>, +# Based on 2008 Jonathan McDowell <noodles@earth.li> +# GNU GPL; v2 or later +# Replaces an existing key with a new one in its same keyring directory + +set -e + +if [ -z "$1" ] || [ -z "$2" ]; then + echo "Usage: replace-key oldkeyid newkeyid" >&2 + exit 1 +fi + +scriptdir=`dirname $0` +oldkey=$1 +newkey=$2 + +# avoid gnupg touching ~/.gnupg +GNUPGHOME=$(mktemp -d -t jetring.XXXXXXXX) +export GNUPGHOME +cat > "$GNUPGHOME"/gpg.conf <<EOF +keyid-format 0xlong +keyserver pgpkeys.eu +no-autostart +EOF +trap cleanup exit +cleanup () { + rm -rf "$GNUPGHOME" +} + +newkeytemp=`mktemp -t newkey.XXXXXXXXX` +gpgconf --launch dirmngr +gpg --recv-key "$newkey" +gpg --no-auto-check-trustdb --options /dev/null \ + --keyring output/keyrings/debian-keyring.gpg \ + --keyring output/keyrings/debian-nonupload.gpg \ + --keyring output/keyrings/debian-maintainers.gpg \ + --export-options export-clean,no-export-attributes \ + --export "$newkey" > $newkeytemp + +# strip leading 0x from fingerprints +oldkey=${oldkey##0x} +newkey=${newkey##0x} + +if [ $(echo -n $oldkey|wc -c) -eq 16 ]; then + key='0x'$(echo $oldkey|tr a-z A-Z) +elif [ $(echo -n $oldkey|wc -c) -eq 40 ] ; then + key='0x'$(echo -n $oldkey | cut -b 25-) +else + echo "Please supply either a long keyid or a full fingerprint for the old key." + exit 1 +fi + +for dir in *-gpg/; do + if [ -f $dir/$key ]; then + oldkeyfile=$(readlink -f "$dir/$key") + keydir=$(readlink -f $dir) + keyring=`basename $keydir` + break + fi +done + +if [ -z "$oldkeyfile" -o -z "$keydir" ]; then + echo "Requested key '$oldkey' not found (looked for '*-gpg/$key')" + exit 1 +fi + +oldkeyfp=$(gpg --with-colons --fingerprint --no-auto-check-trustdb --no-default-keyring --keyring $oldkeyfile| grep '^fpr' | cut -d : -f 10) +newkeyfp=$(gpg --with-colons --fingerprint --no-auto-check-trustdb --no-default-keyring --keyring $newkeytemp| grep '^fpr' | cut -d : -f 10) + +oldkeydata=$(gpg --with-colons --keyid long --options /dev/null --no-auto-check-trustdb < $oldkeyfile|grep '^pub') +newkeydata=$(gpg --with-colons --keyid long --options /dev/null --no-auto-check-trustdb < $newkeytemp|grep '^pub') +oldkeyuser=$(echo $oldkeydata | cut -d : -f 10) +newkeyuser=$(echo $newkeydata | cut -d : -f 10) +oldkeylen=$(echo $oldkeydata | cut -d : -f 3) +newkeylen=$(echo $newkeydata | cut -d : -f 3) +oldkeyalg=$(echo $oldkeydata | cut -d : -f 4) +if [ "$oldkeyalg" == "1" ]; then + oldkeyalg='R' +elif [ "$oldkeyalg" == "17" ]; then + oldkeyalg='D' +elif [ "$oldkeyalg" == "22" ]; then + oldkeyalg='E' +else + oldkeyalg='UNK' +fi +newkeyalg=$(echo $newkeydata | cut -d : -f 4) +if [ "$newkeyalg" == "1" ]; then + newkeyalg='R' +elif [ "$newkeyalg" == "17" ]; then + newkeyalg='D' +elif [ "$oldkeyalg" == "22" ]; then + oldkeyalg='E' +else + newkeyalg='UNK' +fi +echo $oldkeydata + +echo "" +echo "About to replace key $oldkey ($oldkeyuser)" +echo " with NEW key $newkey ($newkeyuser)" +echo " in the $keyring keyring." +echo "Are you sure you want to update this key? (y/n)" +read n + +if [ "x$n" = "xy" -o "x$n" = "xY" ]; then + destkeyring="$keyring" + if ! $scriptdir/add-key $newkeytemp $destkeyring ; then + echo "add-key failed" + exit 1 + fi + + if [ "$keyring" = "debian-keyring-gpg" -o "$keyring" = "debian-nonupload-gpg" ]; then + name=`grep $newkey keyids | sed 's/^[^ ]* //'|sed s/\<.*//` + account=`grep $newkey keyids | sed 's/.*\<//'|sed s/\>$//` + if [ "$keyring" = "debian-nonupload-gpg" ]; then + role='DD-NU' + else + role='DD' + fi + elif [ "$keyring" = "debian-maintainers-gpg" ]; then + echo -n "Enter full name of new key: " + read name + role='DM' + else + echo "*** Key to be replaced is of a strange type (not DD, NonUplDD, DM)" + echo " Be sure you are doing the right thing before committing. Double-check" + echo " the log message, as it will most likely not be correct." + name="Unknown" + fi + echo -n 'RT issue ID this change closes, if any: ' + read rtid + name=$(echo $name | sed -r 's/^ *(.*) *$/\1/') + + log="Replace 0x$oldkey with 0x$newkey ($name) (RT #$rtid)" + + git rm $oldkeyfile + VERSION=$(head -1 debian/changelog | awk '{print $2}' | sed 's/[\(\)]//g') + RELEASE=$(head -1 debian/changelog | awk '{print $3}' | sed 's/;$//') + case $RELEASE in + UNRELEASED) + dch --multimaint-merge -D UNRELEASED -a "$log" + ;; + unstable) + NEWVER=$(date +%Y.%m.xx) + if [ "$VERSION" = "$NEWVER" ] + then + echo '* Warning: New version and previous released version are' + echo " the same: $VERSION. This should not be so!" + echo ' Check debian/changelog' + fi + dch -D UNRELEASED -v $NEWVER "$log" + ;; + *) + echo "Last release $VERSION for unknown distribution «$RELEASE»." + echo "Not calling dch, do it manually." + ;; + esac + git add debian/changelog + + cat > git-commit-template <<EOF +$log + +Action: replace +Subject: $name +Username: $account +Role: $role +Old-key: $oldkeyfp +Old-key-type: $oldkeylen$oldkeyalg +New-key: $newkeyfp +New-key-type: $newkeylen$newkeyalg +RT-Ticket: $rtid +Request-signed-by: \$oldkey +New-key-certified-by: \$oldkey, +EOF + +fi |