#!/bin/sh
# This is a hacked up version of NM's keycheck.sh that understands jetring
# changesets.

# Copyright (C) 2003-2007 Joerg Jaspert <joerg@debian.org> and others
# This little script is free software; you can redistribute
# it and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2.
#
# On Debian systems, the complete text of the GNU General Public
# License can be found in /usr/share/common-licenses/GPL-2 file.

# Stop at the first command that fails.
set -e

# Working files: the directory holding the cached Debian keyrings, and
# the scratch copy of the DM keyring that the changeset gets applied to.
CACHE=./cache
TMPRING=./keyring.tmp

# Keyserver name.  Nothing further down in this script reads it and it
# is not exported, so as far as this file is concerned it is
# informational only (the Makefile may have its own setting).
KEYSERVER=keyring.debian.org

# Options shared by every gpg call below.  Kept as a single string that
# is deliberately left unquoted (word-split) at the call sites.
#   -q / --no-options / --no-default-keyring  quiet, ignore the user's
#                                             gpg.conf and keyring
#   --no-auto-check-trustdb                   skip the trustdb update
#   --keyring $TMPRING                        work on the scratch copy
#   --trust-model always                      no web-of-trust validity:
#     a "good" signature in the report only means it verified, not that
#     gpg considers the signer trusted.  The reviewer judges that part.
GPGOPTS=" -q --no-options --no-default-keyring --no-auto-check-trustdb --keyring $TMPRING --trust-model always"

# gpg's messages are pasted into reports that go to a list, so force
# English output.
export LANG=C

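# The single argument is the jetring changeset to check and annotate.
changeset="$1"
if [ -z "$changeset" ]; then
	echo "Usage: keycheck changeset" >&2
	exit 1
fi
# Fail early with a clear message instead of letting jetring-apply
# report an unreadable changeset later as "failed to apply".
if [ ! -r "$changeset" ]; then
	echo "keycheck: cannot read changeset '$changeset'" >&2
	exit 1
fi

# Remove the scratch keyring on every exit path.  cleanup is defined
# just below; the name is only looked up when the trap fires.
trap cleanup EXIT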

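# Remove the scratch keyring and whatever was created next to it with
# the same prefix (presumably gpg's "~" backup copy).  Runs from the EXIT
# trap.  ${TMPRING:?} makes the shell abort with a message instead of
# expanding to a bare "*": with an unset or empty TMPRING the old
# "rm -f $TMPRING*" would have deleted every file in the working
# directory.  "--" keeps a prefix starting with "-" from being parsed as
# an option.
cleanup () {
	rm -f -- "${TMPRING:?}"*
}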

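# keycheck: print a plain-text report about key $KEYID for the reviewer.
# Globals read: GPGOPTS (an option list, split on purpose), CACHE (where
# the Debian keyrings live) and KEYID (set by the caller).  Everything
# printed here ends up in the KeyCheck field of the changeset, so the
# output is meant to be read by a person, not parsed.
keycheck () {
	# List the key with its fingerprint and check every signature on it
	# against the current Debian keyrings, so the report shows who has
	# signed it.  GPGOPTS carries --trust-model always: a "good"
	# signature here only means it verified, not that the signer is
	# trusted.
	gpg ${GPGOPTS} -v --with-fingerprint \
		--keyring "$CACHE/debian-keyring.gpg" \
		--keyring "$CACHE/debian-keyring.pgp" \
		--check-sigs "$KEYID"

	echo "Let's test if its a version 4 or greater key"
	# Decide the key version from the fingerprint length: a v3 (MD5)
	# fingerprint has 32 hex digits, a v4 one 40.  Only the first fpr
	# record -- the primary key's -- is used: depending on the gpg
	# version the listing may carry one fpr line per subkey as well, and
	# a multi-line value would make the integer test below error out and
	# fall through to "Key is ok".
	VERSION=$(gpg ${GPGOPTS} --with-colons --with-fingerprint --list-keys "0x$KEYID" \
		| awk -F : '$1 == "fpr" { print length($10); exit }')

	if [ -z "$VERSION" ]; then
		# No fpr record at all: most likely the key is not in the scratch
		# keyring.  Say so instead of calling it "ok".
		echo "Warning: could not read a fingerprint for key $KEYID, please check it by hand."
	elif [ "$VERSION" -eq 32 ]; then
		echo "Warning: It looks like this key is an Version 3 GPG key. This is bad."
		echo "Please doublecheck and then get your applicant to send you a correct"
		echo "key if this is script isnt wrong."
	else
		echo "Key is ok"
	fi

	echo "Check for key expire stuff"
	# Expiration field ($7) of every subkey ("sub") that is not revoked
	# ($2 != "r").  NOTE(review): only subkey records are inspected, so the
	# primary key's own expiry ("pub" record) is never reported here --
	# confirm whether that is intended before relying on this check.
	EXPIRE=$(gpg ${GPGOPTS} --with-colons --check-sigs "0x$KEYID" \
		| awk -F : '$1 == "sub" && $2 != "r" { print $7 }')

	if [ -z "$EXPIRE" ]; then
		echo "Key has no expiration date set, nothing to check."
	else
		# The date(s) are only printed; comparing them with "now" is
		# left to the reviewer reading the report.
		echo "Key has an expiration date of "\"${EXPIRE}\""."
		echo "Please check that its not in the past, AND that it is not too"
		echo "near in the future to make adding this applicant pointless."
	fi
}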

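# Build the keyrings (Makefile target), then apply the changeset to a
# scratch copy of the DM keyring.  The id of the imported key is taken
# from gpg's "gpg: key XXXXXXXX: ..." line in jetring-apply's output.
# Note that set -e only sees sed's status here; a failing jetring-apply
# shows up as an empty KEYID and is caught below.
make
cp -- debian-maintainers.gpg "$TMPRING"
KEYID=$(jetring-apply "$TMPRING" "$changeset" 2>&1 \
	| grep -m 1 '^gpg: key' \
	| sed 's/^gpg: key \([a-fA-F0-9]*\):.*/\1/')
# Accept only a pure hex id.  When sed's pattern does not match it passes
# the whole line through unchanged, and that text would otherwise be
# handed to gpg as a key id by keycheck.
case "$KEYID" in
	'')
		echo "Changeset failed to apply, or failed to parse key id from gpg output" >&2
		rm -f -- "${TMPRING:?}"*
		exit 1
		;;
	*[!0-9A-Fa-f]*)
		echo "Parsed key id '$KEYID' is not hexadecimal, refusing to continue" >&2
		rm -f -- "${TMPRING:?}"*
		exit 1
		;;
esac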

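# Refresh the cached Debian keyrings (Makefile target) before checking.
make rsync-keys

echo "Checking key id $KEYID"
# Capture the whole report, stderr included, and fold it into an
# RFC822-style field body: every line indented by two spaces and empty
# lines replaced by "." so the field does not end early.  Only sed's exit
# status reaches set -e; a failing keycheck shows up in the report text
# rather than aborting the script.
val=$(keycheck 2>&1 | sed -e 's/^$/./' -e 's/^/  /')

echo "Adding KeyCheck field to $changeset"
new="$changeset.new"
: > "$new"
# Copy the changeset line by line and put the KeyCheck field right before
# the "Action: import" line, i.e. ahead of the Data block.  read -r with an
# empty IFS keeps blank lines, leading whitespace and backslashes intact
# (the previous for/$(cat) loop dropped empty lines and glob-expanded each
# line), and printf avoids echo's backslash handling under dash.  The
# "|| [ -n "$line" ]" keeps a final line that has no trailing newline.
added=
while IFS= read -r line || [ -n "$line" ]; do
	if [ "$line" = "Action: import" ]; then
		printf 'KeyCheck:\n%s\n' "$val" >> "$new"
		added=1
	fi
	printf '%s\n' "$line" >> "$new"
done < "$changeset"
# No import action in the changeset: append the field at the end instead.
if [ -z "$added" ]; then
	printf 'KeyCheck:\n%s\n' "$val" >> "$new"
fi
mv -f -- "$new" "$changeset"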