kgess-mirror/debian-keyring
1
0
Fork 0
mirror of https://salsa.debian.org/debian-keyring/keyring.git synced 2026-01-16 23:12:26 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
debian-keyring/scripts/replace-key
Jonathan McDowell 7ce054f088
Remove removed-keys.gpg and removed-1024.gpg keyrings 
With the keyrings stored in git there is no reason to keep keys we do
not trust and do not intend to ever use again around. They can be
retrieved from the commit history if necessary. Remove all
infrastructure around maintaining these removed keyrings, and the keys
themselves.
2017-05-04 09:58:21 +01:00

172 lines
4.9 KiB
Bash
Executable file
Raw Blame History

#!/bin/bash
# Copyright (c) 2014 Gunnar Wolf <gwolf@debian.org>,
# Based on 2008 Jonathan McDowell <noodles@earth.li>
# GNU GPL; v2 or later
# Replaces an existing key with a new one in its same keyring directory
set -e
if [ -z "$1" ] || [ -z "$2" ]; then
echo "Usage: replace-key oldkeyid newkeyid" >&2
exit 1
fi
scriptdir=`dirname $0`
oldkey=$1
newkey=$2
# avoid gnupg touching ~/.gnupg
GNUPGHOME=$(mktemp -d -t jetring.XXXXXXXX)
export GNUPGHOME
cat > "$GNUPGHOME"/gpg.conf <<EOF
keyid-format 0xlong
keyserver hkps.pool.sks-keyservers.net
EOF
trap cleanup exit
cleanup () {
rm -rf "$GNUPGHOME"
}
newkeytemp=`mktemp -t newkey.XXXXXXXXX`
gpg --recv-key "$newkey"
gpg --no-auto-check-trustdb --options /dev/null \
--keyring output/keyrings/debian-keyring.gpg \
--keyring output/keyrings/debian-nonupload.gpg \
--keyring output/keyrings/debian-maintainers.gpg \
--export-options export-clean,no-export-attributes \
--export "$newkey" > $newkeytemp
# strip leading 0x from fingerprints
oldkey=${oldkey##0x}
newkey=${newkey##0x}
if [ $(echo -n $oldkey|wc -c) -eq 16 ]; then
key='0x'$(echo $oldkey|tr a-z A-Z)
elif [ $(echo -n $oldkey|wc -c) -eq 40 ] ; then
key='0x'$(echo -n $oldkey | cut -b 25-)
else
echo "Please supply either a long keyid or a full fingerprint for the old key."
exit 1
fi
for dir in *-gpg/; do
if [ -f $dir/$key ]; then
oldkeyfile=$(readlink -f "$dir/$key")
keydir=$(readlink -f $dir)
keyring=`basename $keydir`
break
fi
done
if [ -z "$oldkeyfile" -o -z "$keydir" ]; then
echo "Requested key '$oldkey' not found (looked for '*-gpg/$key')"
exit 1
fi
oldkeyfp=$(gpg --with-colons --fingerprint --no-auto-check-trustdb --no-default-keyring --keyring $oldkeyfile| grep '^fpr' | cut -d : -f 10)
newkeyfp=$(gpg --with-colons --fingerprint --no-auto-check-trustdb --no-default-keyring --keyring $newkeytemp| grep '^fpr' | cut -d : -f 10)
oldkeydata=$(gpg --with-colons --keyid long --options /dev/null --no-auto-check-trustdb < $oldkeyfile|grep '^pub')
newkeydata=$(gpg --with-colons --keyid long --options /dev/null --no-auto-check-trustdb < $newkeytemp|grep '^pub')
oldkeyuser=$(echo $oldkeydata | cut -d : -f 10)
newkeyuser=$(echo $newkeydata | cut -d : -f 10)
oldkeylen=$(echo $oldkeydata | cut -d : -f 3)
newkeylen=$(echo $newkeydata | cut -d : -f 3)
oldkeyalg=$(echo $oldkeydata | cut -d : -f 4)
if [ "$oldkeyalg" == "1" ]; then
oldkeyalg='R'
elif [ "$oldkeyalg" == "17" ]; then
oldkeyalg='D'
else
oldkeyalg='UNK'
fi
newkeyalg=$(echo $newkeydata | cut -d : -f 4)
if [ "$newkeyalg" == "1" ]; then
newkeyalg='R'
elif [ "$newkeyalg" == "17" ]; then
newkeyalg='D'
else
newkeyalg='UNK'
fi
echo $oldkeydata
echo ""
echo "About to replace key $oldkey ($oldkeyuser)"
echo " with NEW key $newkey ($newkeyuser)"
echo " in the $keyring keyring."
echo "Are you sure you want to update this key? (y/n)"
read n
if [ "x$n" = "xy" -o "x$n" = "xY" ]; then
destkeyring="$keyring"
if ! $scriptdir/add-key $newkeytemp $destkeyring ; then
echo "add-key failed"
exit 1
fi
if [ "$keyring" = "debian-keyring-gpg" -o "$keyring" = "debian-nonupload-gpg" ]; then
name=`grep $newkey keyids | sed 's/^[^ ]* //'|sed s/\<.*//`
account=`grep $newkey keyids | sed 's/.*\<//'|sed s/\>$//`
if [ "$keyring" = "debian-nonupload-gpg" ]; then
role='DD-NU'
else
role='DD'
fi
elif [ "$keyring" = "debian-maintainers-gpg" ]; then
echo -n "Enter full name of new key: "
read name
role='DM'
else
echo "*** Key to be replaced is of a strange type (not DD, NonUplDD, DM)"
echo " Be sure you are doing the right thing before committing. Double-check"
echo " the log message, as it will most likely not be correct."
name="Unknown"
fi
echo -n 'RT issue ID this change closes, if any: '
read rtid
name=$(echo $name | sed -r 's/^ *(.*) *$/\1/')
log="Replace 0x$oldkey with 0x$newkey ($name) (RT #$rtid)"
git rm $oldkeyfile
VERSION=$(head -1 debian/changelog | awk '{print $2}' | sed 's/[\(\)]//g')
RELEASE=$(head -1 debian/changelog | awk '{print $3}' | sed 's/;$//')
case $RELEASE in
UNRELEASED)
dch --multimaint-merge -D UNRELEASED -a "$log"
;;
unstable)
NEWVER=$(date +%Y.%m.xx)
if [ "$VERSION" = "$NEWVER" ]
then
echo '* Warning: New version and previous released version are'
echo " the same: $VERSION. This should not be so!"
echo ' Check debian/changelog'
fi
dch -D UNRELEASED -v $NEWVER "$log"
;;
*)
echo "Last release $VERSION for unknown distribution «$RELEASE»."
echo "Not calling dch, do it manually."
;;
esac
git add debian/changelog
cat > git-commit-template <<EOF
$log
Action: replace
Subject: $name
Username: $account
Role: $role
Old-key: $oldkeyfp
Old-key-type: $oldkeylen$oldkeyalg
New-key: $newkeyfp
New-key-type: $newkeylen$newkeyalg
RT-Ticket: $rtid
Request-signed-by: \$oldkey
New-key-certified-by: \$oldkey,
EOF
fi
Reference in a new issue View git blame Copy permalink