mirror of
https://salsa.debian.org/debian-keyring/keyring.git
synced 2026-01-16 23:12:26 +00:00
b74cbceeb9
* Greetings from Prizren! Keyring updated during Debconf :-} * Import changes sent to keyring.debian.org HKP interface: * 0x00BAE74B343369F1 Nilesh Patra <nilesh> uid:1 sig:1 * 0x04EE131AE6D621BE Christoph Martin <chrism> sig:5 * 0x065FE53932DC551D Geoffroy Berret <kaliko> uid:1 sig:1 * 0x083781A2D2ACE48B Adriano Rafael Gomes <adrianorg> sig:1 * 0x12580AC9CE1FA236 Kartik Kulkarni <kartik-karz> sub:3 sig:11 * 0x1365720913D2F22D Boian Nikolaev Bonev <bbonev> sig:4 * 0x1E759A726A9FDD74 Christopher Knadle <krait> sig:2 * 0x223AE055BD94E154 Milan Kupcevic <milan> sig:2 * 0x2C7C3146C1A00121 Jonas Smedegaard <js> sig:3 * 0x309374D8374C3B48 Marcel Fourné <mfourne> sig:6 * 0x3116BA5E9FFA69A3 Paul Wise <pabs> sig:3 * 0x32247FBB40AD1FA6 Nobuhiro Iwamatsu <iwamatsu> sig:1 * 0x3C4107E6826C40E4 Valentin Vidic <vvidic> sig:5 * 0x4799A35146D12B35 Sudip Mukherjee <sudip> sig:2 * 0x4B043FCDB9444540 Mattia Rizzolo <mattia> sig:15 * 0x5556A34E04A3610B Sascha Steinbiss <satta> sig:5 * 0x56034877E1F87C35 Ximin Luo <infinity0> sub:1 sig:1 * 0x57930DAB0B86B067 Joost van Baal <joostvb> sig:2 * 0x603B832661F9CA53 Paul Martin <pm> sig:6 * 0x63FE10EAD55D0FDB Ondřej Kobližek <kobla> sig:4 * 0x689A04020D7EA9A1 Sebastian Humenda [DM] sig:8 * 0x6F31F7545A885252 Nicolas Dandrimont <olasd> sub:1 sig:1 * 0x71A7E533F291A324 Aurélien COUDERC <coucouf> sig:3 * 0x76B534B2E99007E0 Thorsten Glaser <tg> sig:4 * 0x786C63F330D7CB92 Felix Yan <felixonmars> uid:1 sig:8 * 0x78A1B4DFE8F9C57E Ludovic Rousseau <rousseau> sig:2 * 0x792152527B75921E Antoine Beaupré <anarcat> sig:9 * 0x7A749064D38F11A3 Thomas Vincent <tvincent> sub:1 sig:3 * 0x84E624545A27D942 David da Silva Polverari <polverari> sig:4 * 0x95A42FE8353525F9 Vincent Bernat <bernat> sig:1 * 0x9EDCC991D9AB457E Giovanni Mascellani <gio> sig:6 * 0xAD6916967393982B Philip Rinn [DM] sig:2 * 0xBB3A68018649AA06 Gregor Herrmann <gregoa> sig:4 * 0xCF0E265B7DFBB2F2 Shengjing Zhu <zhsj> sub:1 sig:1 * 0xD04BA3A00125D5C0 Philip Hands <philh> sig:1 * 0xD15D313882004173 Russ Allbery <rra> uid:1 sig:1 * 0xD265C08531ED8AEF Rémi Vanicat <vanicat> sig:3 * 0xD3EBB5966BB99196 Arnaud Ferraris <aferraris> uid:1 sig:1 * 0xD599FF6101809E2A Elena Grandi <valhalla> sig:5 * 0xDB16CF5BB12525C4 Joerg Jaspert <joerg> sig:3 * 0xE352D5C51C5041D4 Iain Lane <laney> sig:3 * 0xE3AE978E834E5E7E Alex Muntada <alexm> sig:80 * 0xF5C83C05D9CEEEEE Chris Boot <bootc> sig:3
178 lines
5 KiB
Bash
Executable file
178 lines
5 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
# Copyright (c) 2014 Gunnar Wolf <gwolf@debian.org>,
|
|
# Based on 2008 Jonathan McDowell <noodles@earth.li>
|
|
# GNU GPL; v2 or later
|
|
# Replaces an existing key with a new one in its same keyring directory
|
|
|
|
set -e
|
|
|
|
if [ -z "$1" ] || [ -z "$2" ]; then
|
|
echo "Usage: replace-key oldkeyid newkeyid" >&2
|
|
exit 1
|
|
fi
|
|
|
|
scriptdir=`dirname $0`
|
|
oldkey=$1
|
|
newkey=$2
|
|
|
|
# avoid gnupg touching ~/.gnupg
|
|
GNUPGHOME=$(mktemp -d -t jetring.XXXXXXXX)
|
|
export GNUPGHOME
|
|
cat > "$GNUPGHOME"/gpg.conf <<EOF
|
|
keyid-format 0xlong
|
|
keyserver pgpkeys.eu
|
|
no-autostart
|
|
EOF
|
|
trap cleanup exit
|
|
cleanup () {
|
|
rm -rf "$GNUPGHOME"
|
|
}
|
|
|
|
newkeytemp=`mktemp -t newkey.XXXXXXXXX`
|
|
gpgconf --launch dirmngr
|
|
gpg --recv-key "$newkey"
|
|
gpg --no-auto-check-trustdb --options /dev/null \
|
|
--keyring output/keyrings/debian-keyring.gpg \
|
|
--keyring output/keyrings/debian-nonupload.gpg \
|
|
--keyring output/keyrings/debian-maintainers.gpg \
|
|
--export-options export-clean,no-export-attributes \
|
|
--export "$newkey" > $newkeytemp
|
|
|
|
# strip leading 0x from fingerprints
|
|
oldkey=${oldkey##0x}
|
|
newkey=${newkey##0x}
|
|
|
|
if [ $(echo -n $oldkey|wc -c) -eq 16 ]; then
|
|
key='0x'$(echo $oldkey|tr a-z A-Z)
|
|
elif [ $(echo -n $oldkey|wc -c) -eq 40 ] ; then
|
|
key='0x'$(echo -n $oldkey | cut -b 25-)
|
|
else
|
|
echo "Please supply either a long keyid or a full fingerprint for the old key."
|
|
exit 1
|
|
fi
|
|
|
|
for dir in *-gpg/; do
|
|
if [ -f $dir/$key ]; then
|
|
oldkeyfile=$(readlink -f "$dir/$key")
|
|
keydir=$(readlink -f $dir)
|
|
keyring=`basename $keydir`
|
|
break
|
|
fi
|
|
done
|
|
|
|
if [ -z "$oldkeyfile" -o -z "$keydir" ]; then
|
|
echo "Requested key '$oldkey' not found (looked for '*-gpg/$key')"
|
|
exit 1
|
|
fi
|
|
|
|
oldkeyfp=$(gpg --with-colons --fingerprint --no-auto-check-trustdb --no-default-keyring --keyring $oldkeyfile| grep '^fpr' | cut -d : -f 10)
|
|
newkeyfp=$(gpg --with-colons --fingerprint --no-auto-check-trustdb --no-default-keyring --keyring $newkeytemp| grep '^fpr' | cut -d : -f 10)
|
|
|
|
oldkeydata=$(gpg --with-colons --keyid long --options /dev/null --no-auto-check-trustdb < $oldkeyfile|grep '^pub')
|
|
newkeydata=$(gpg --with-colons --keyid long --options /dev/null --no-auto-check-trustdb < $newkeytemp|grep '^pub')
|
|
oldkeyuser=$(echo $oldkeydata | cut -d : -f 10)
|
|
newkeyuser=$(echo $newkeydata | cut -d : -f 10)
|
|
oldkeylen=$(echo $oldkeydata | cut -d : -f 3)
|
|
newkeylen=$(echo $newkeydata | cut -d : -f 3)
|
|
oldkeyalg=$(echo $oldkeydata | cut -d : -f 4)
|
|
if [ "$oldkeyalg" == "1" ]; then
|
|
oldkeyalg='R'
|
|
elif [ "$oldkeyalg" == "17" ]; then
|
|
oldkeyalg='D'
|
|
elif [ "$oldkeyalg" == "22" ]; then
|
|
oldkeyalg='E'
|
|
else
|
|
oldkeyalg='UNK'
|
|
fi
|
|
newkeyalg=$(echo $newkeydata | cut -d : -f 4)
|
|
if [ "$newkeyalg" == "1" ]; then
|
|
newkeyalg='R'
|
|
elif [ "$newkeyalg" == "17" ]; then
|
|
newkeyalg='D'
|
|
elif [ "$oldkeyalg" == "22" ]; then
|
|
oldkeyalg='E'
|
|
else
|
|
newkeyalg='UNK'
|
|
fi
|
|
echo $oldkeydata
|
|
|
|
echo ""
|
|
echo "About to replace key $oldkey ($oldkeyuser)"
|
|
echo " with NEW key $newkey ($newkeyuser)"
|
|
echo " in the $keyring keyring."
|
|
echo "Are you sure you want to update this key? (y/n)"
|
|
read n
|
|
|
|
if [ "x$n" = "xy" -o "x$n" = "xY" ]; then
|
|
destkeyring="$keyring"
|
|
if ! $scriptdir/add-key $newkeytemp $destkeyring ; then
|
|
echo "add-key failed"
|
|
exit 1
|
|
fi
|
|
|
|
if [ "$keyring" = "debian-keyring-gpg" -o "$keyring" = "debian-nonupload-gpg" ]; then
|
|
name=`grep $newkey keyids | sed 's/^[^ ]* //'|sed s/\<.*//`
|
|
account=`grep $newkey keyids | sed 's/.*\<//'|sed s/\>$//`
|
|
if [ "$keyring" = "debian-nonupload-gpg" ]; then
|
|
role='DD-NU'
|
|
else
|
|
role='DD'
|
|
fi
|
|
elif [ "$keyring" = "debian-maintainers-gpg" ]; then
|
|
echo -n "Enter full name of new key: "
|
|
read name
|
|
role='DM'
|
|
else
|
|
echo "*** Key to be replaced is of a strange type (not DD, NonUplDD, DM)"
|
|
echo " Be sure you are doing the right thing before committing. Double-check"
|
|
echo " the log message, as it will most likely not be correct."
|
|
name="Unknown"
|
|
fi
|
|
echo -n 'RT issue ID this change closes, if any: '
|
|
read rtid
|
|
name=$(echo $name | sed -r 's/^ *(.*) *$/\1/')
|
|
|
|
log="Replace 0x$oldkey with 0x$newkey ($name) (RT #$rtid)"
|
|
|
|
git rm $oldkeyfile
|
|
VERSION=$(head -1 debian/changelog | awk '{print $2}' | sed 's/[\(\)]//g')
|
|
RELEASE=$(head -1 debian/changelog | awk '{print $3}' | sed 's/;$//')
|
|
case $RELEASE in
|
|
UNRELEASED)
|
|
dch --multimaint-merge -D UNRELEASED -a "$log"
|
|
;;
|
|
unstable)
|
|
NEWVER=$(date +%Y.%m.xx)
|
|
if [ "$VERSION" = "$NEWVER" ]
|
|
then
|
|
echo '* Warning: New version and previous released version are'
|
|
echo " the same: $VERSION. This should not be so!"
|
|
echo ' Check debian/changelog'
|
|
fi
|
|
dch -D UNRELEASED -v $NEWVER "$log"
|
|
;;
|
|
*)
|
|
echo "Last release $VERSION for unknown distribution «$RELEASE»."
|
|
echo "Not calling dch, do it manually."
|
|
;;
|
|
esac
|
|
git add debian/changelog
|
|
|
|
cat > git-commit-template <<EOF
|
|
$log
|
|
|
|
Action: replace
|
|
Subject: $name
|
|
Username: $account
|
|
Role: $role
|
|
Old-key: $oldkeyfp
|
|
Old-key-type: $oldkeylen$oldkeyalg
|
|
New-key: $newkeyfp
|
|
New-key-type: $newkeylen$newkeyalg
|
|
RT-Ticket: $rtid
|
|
Request-signed-by: \$oldkey
|
|
New-key-certified-by: \$oldkey,
|
|
EOF
|
|
|
|
fi
|