detach sign the keyring
[fsf-keyring.git] / fsf-keyring.sh
CommitLineData
3fc145d4 1#!/bin/bash
3e4c32c3 2
725b460c
IK
3# Usage: $0 [-r]
4# -r means dont refresh keys from keyservers
d27f8055
IK
5#
6# See https://gluestick.office.fsf.org/checklists/person/crypto-keys/ for
7# upload command.
725b460c 8
e9702c48
IK
9shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
10set -eE -o pipefail
11trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
3e4c32c3 12
098d6762
AE
13dos_attack_bytes=1000000
14
227fa583
IK
15refresh-gpg-key() {
16
17 key=$1
18
19 error=999
1e2b0c22
MM
20 for keyserver in keyring.debian.org keyserver.ubuntu.com pgp.mit.edu; do
21 echo "Trying $keyserver..."
227fa583
IK
22 set +e
23 cmd="gpg --keyserver $keyserver --recv-keys $key"
1e2b0c22 24 # Keyservers are not very reliable, so retry a few times.
227fa583
IK
25 for x in {1..3}; do
26 $cmd &>/dev/null
27 ret=$?
55a1be4b
IK
28 if (( ret == 0 )); then
29 break; fi
227fa583
IK
30 sleep 1
31 done
32 set -e
33 error=$(( ret < error ? ret : error )) # use lowest return
34 done
35
36 return $error
37}
3e4c32c3 38
e72d434b
IK
39refresh=true
40if [[ $1 == -r ]]; then
41 refresh=false
42fi
43
11077deb 44KEYS+="67819B343B2AB70DED9320872C6464AF2A8E4C02 " #rms
3e4c32c3
IK
45KEYS+="A4626CBAFF376039D2D7554497BA9CE761A0963B " #johns
46KEYS+="759C0A4A39A02A079712FB5061B826E87A80C8D6 " #johnh
cb5e2f5a 47KEYS+="1487E002421112A3B6C76B545FA66D3CA7518DBF " #andrew
403f4f95 48KEYS+="8556112E9B88B1A8B3E3631B58A39239D50484E8 " #jeanne
3e4c32c3 49KEYS+="B125F60B7B287FF6A2B7DF8F170AF0E2954295DF " #ian
f4caeebe 50KEYS+="36C9950D2F68254ED89C7C03F9C13A10581AB853 " #craigt
3e4c32c3 51KEYS+="2C31130BF7D5A459AFF2A3F3C9DFFE4A33AA52D9 " #knauth
06ea525c 52KEYS+="43372794C8ADD5CA8FCFFA6CD03759DAB600E3C0 " #michael
47309b71 53KEYS+="B102017CCF698F79423EF9CC069C04D206A59505 " #zoe
7c4333a9 54KEYS+="7CCC7ECD3D78EB384F6C02C8966951617A149C73 " #gregf
f06d187e 55KEYS+="5BE81180271798C6B4866C54598E4925C518D5DC " #davis
7eb9830e 56KEYS+="2E0ECE75F8162B407D666767879738E6D6440D57 " #devinu
f8faa2d3 57KEYS+="D86097B5E291BA771FA64D357014A6BE08494155" #odile
7c4333a9 58
3e4c32c3
IK
59rm -f /tmp/keys.asc ./fsf-keyring.gpg
60
61for KEY in $KEYS ; do
e72d434b 62 if $refresh; then
1e2b0c22 63 echo "Key: $KEY"
e72d434b
IK
64 refresh-gpg-key $KEY
65 fi
3e4c32c3
IK
66done
67
098d6762
AE
68gpg --armor --export $KEYS > key-export
69
70(( "$(stat -c %s key-export)" > "${dos_attack_bytes}" )) && echo -e "\n\nerror: keyring is very large. did we get a signature DoS attack?\n\n" && exit 1
71
72mv key-export fsf-keyring.gpg
55a1be4b 73
5f942ca3
AE
74rm -f fsf-keyring.gpg.asc ./fsf-keyring.gpg~
75gpg --armor --detach-sign ./fsf-keyring.gpg