Commit | Line | Data |
---|---|---|
3fc145d4 | 1 | #!/bin/bash |
3e4c32c3 | 2 | |
725b460c IK |
3 | # Usage: $0 [-r] |
4 | # -r means dont refresh keys from keyservers | |
d27f8055 IK |
5 | # |
6 | # See https://gluestick.office.fsf.org/checklists/person/crypto-keys/ for | |
7 | # upload command. | |
725b460c | 8 | |
e9702c48 IK |
9 | shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4 |
10 | set -eE -o pipefail | |
11 | trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR | |
3e4c32c3 | 12 | |
098d6762 AE |
13 | dos_attack_bytes=1000000 |
14 | ||
227fa583 IK |
15 | refresh-gpg-key() { |
16 | ||
17 | key=$1 | |
18 | ||
19 | error=999 | |
43ec6c3d | 20 | # johns is the only one in keyring.debian.org at this time. |
1e2b0c22 MM |
21 | for keyserver in keyring.debian.org keyserver.ubuntu.com pgp.mit.edu; do |
22 | echo "Trying $keyserver..." | |
227fa583 IK |
23 | set +e |
24 | cmd="gpg --keyserver $keyserver --recv-keys $key" | |
1e2b0c22 | 25 | # Keyservers are not very reliable, so retry a few times. |
227fa583 IK |
26 | for x in {1..3}; do |
27 | $cmd &>/dev/null | |
28 | ret=$? | |
55a1be4b IK |
29 | if (( ret == 0 )); then |
30 | break; fi | |
227fa583 IK |
31 | sleep 1 |
32 | done | |
33 | set -e | |
34 | error=$(( ret < error ? ret : error )) # use lowest return | |
35 | done | |
36 | ||
37 | return $error | |
38 | } | |
3e4c32c3 | 39 | |
1f9413db | 40 | check-sig-dos() { |
daa8fa96 AE |
41 | if (( "$(stat -c %s "$1")" > "$dos_attack_bytes" )) ; then |
42 | echo -e "\n\nerror: keyring is very large. did we get a signature DoS attack?\n\n" | |
43 | exit 1 | |
44 | fi | |
1f9413db AE |
45 | } |
46 | ||
e72d434b IK |
47 | refresh=true |
48 | if [[ $1 == -r ]]; then | |
49 | refresh=false | |
50 | fi | |
51 | ||
11077deb | 52 | KEYS+="67819B343B2AB70DED9320872C6464AF2A8E4C02 " #rms |
73d2b975 MM |
53 | #KEYS+="A4626CBAFF376039D2D7554497BA9CE761A0963B " #johns |
54 | #KEYS+="759C0A4A39A02A079712FB5061B826E87A80C8D6 " #johnh | |
403f4f95 | 55 | KEYS+="8556112E9B88B1A8B3E3631B58A39239D50484E8 " #jeanne |
3e4c32c3 | 56 | KEYS+="B125F60B7B287FF6A2B7DF8F170AF0E2954295DF " #ian |
f4caeebe | 57 | KEYS+="36C9950D2F68254ED89C7C03F9C13A10581AB853 " #craigt |
3e4c32c3 | 58 | KEYS+="2C31130BF7D5A459AFF2A3F3C9DFFE4A33AA52D9 " #knauth |
06ea525c | 59 | KEYS+="43372794C8ADD5CA8FCFFA6CD03759DAB600E3C0 " #michael |
47309b71 | 60 | KEYS+="B102017CCF698F79423EF9CC069C04D206A59505 " #zoe |
7c4333a9 | 61 | KEYS+="7CCC7ECD3D78EB384F6C02C8966951617A149C73 " #gregf |
bedfe658 | 62 | KEYS+="005D03724A11C08A5A353D2C906DB6E398AA6CF6 " #miriam |
3f491138 | 63 | KEYS+="2D1304056F4F061DADEAE299A2C76C5425EF14E8 " #dawn |
43ec6c3d | 64 | KEYS+="476B712A9FA8788EDA2089F78B656B4E5A98CE74 " #anouk |
33f24836 | 65 | KEYS+="6DC9E66336DB958881AB7E43267124EFFC9CD84E " #krzyzstof |
f8faa2d3 | 66 | KEYS+="D86097B5E291BA771FA64D357014A6BE08494155" #odile |
7c4333a9 | 67 | |
f05e6c9d AE |
68 | if [[ -e fsf-keyring.gpg ]] ; then |
69 | check-sig-dos fsf-keyring.gpg | |
70 | gpg --import fsf-keyring.gpg | |
71 | else | |
72 | gpg --armor --export $KEYS > fsf-keyring.gpg | |
73 | fi | |
3e4c32c3 IK |
74 | |
75 | for KEY in $KEYS ; do | |
e72d434b | 76 | if $refresh; then |
1e2b0c22 | 77 | echo "Key: $KEY" |
f70fa6cd | 78 | refresh-gpg-key $KEY || (echo "unable to download $KEY" >&2 ; exit 1) |
e72d434b | 79 | fi |
3e4c32c3 IK |
80 | done |
81 | ||
2394c187 | 82 | gpg --export $KEYS > key-export |
1f9413db | 83 | check-sig-dos key-export |
098d6762 | 84 | mv key-export fsf-keyring.gpg |
55a1be4b | 85 | |
43ec6c3d | 86 | # Clean up |
cc77691c | 87 | rm -f fsf-keyring.gpg.asc ./fsf-keyring.gpg~ key-export |
43ec6c3d MM |
88 | |
89 | echo -e "You will now sign the keyring. Prepare your GPG password.\n" | |
90 | read -p "Press any key to continue..." -n1 -s | |
5f942ca3 | 91 | gpg --armor --detach-sign ./fsf-keyring.gpg |