[fsf-keyring.git] / fsf-keyring.sh

#!/bin/bash

# Usage: $0 [-r]
# -r means dont refresh keys from keyservers
#
# See https://gluestick.office.fsf.org/checklists/person/crypto-keys/ for
# upload command.

shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

dos_attack_bytes=1000000

refresh-gpg-key() {

  key=$1

  error=999
  # johns is the only one in keyring.debian.org at this time.
  for keyserver in keyring.debian.org keyserver.ubuntu.com pgp.mit.edu; do
    echo "Trying $keyserver..."
    set +e
    cmd="gpg --keyserver $keyserver --recv-keys $key"
    # Keyservers are not very reliable, so retry a few times.
    for x in {1..3}; do
      $cmd &>/dev/null
      ret=$?
      if (( ret == 0 )); then
        break; fi
      sleep 1
    done
    set -e
    error=$(( ret < error ? ret : error )) # use lowest return
  done

  return $error
}

check-sig-dos() {
  if (( "$(stat -c %s "$1")" > "$dos_attack_bytes" )) ; then
    echo -e "\n\nerror: keyring is very large. did we get a signature DoS attack?\n\n"
    exit 1
  fi
}

refresh=true
if [[ $1 == -r ]]; then
  refresh=false
fi

KEYS+="67819B343B2AB70DED9320872C6464AF2A8E4C02 " #rms
#KEYS+="A4626CBAFF376039D2D7554497BA9CE761A0963B " #johns
#KEYS+="759C0A4A39A02A079712FB5061B826E87A80C8D6 " #johnh
KEYS+="8556112E9B88B1A8B3E3631B58A39239D50484E8 " #jeanne
KEYS+="B125F60B7B287FF6A2B7DF8F170AF0E2954295DF " #ian
KEYS+="36C9950D2F68254ED89C7C03F9C13A10581AB853 " #craigt
KEYS+="2C31130BF7D5A459AFF2A3F3C9DFFE4A33AA52D9 " #knauth
KEYS+="43372794C8ADD5CA8FCFFA6CD03759DAB600E3C0 " #michael
KEYS+="B102017CCF698F79423EF9CC069C04D206A59505 " #zoe
KEYS+="7CCC7ECD3D78EB384F6C02C8966951617A149C73 " #gregf
KEYS+="005D03724A11C08A5A353D2C906DB6E398AA6CF6 " #miriam
KEYS+="2D1304056F4F061DADEAE299A2C76C5425EF14E8 " #dawn
KEYS+="476B712A9FA8788EDA2089F78B656B4E5A98CE74 " #anouk
KEYS+="6DC9E66336DB958881AB7E43267124EFFC9CD84E " #krzyzstof
KEYS+="D86097B5E291BA771FA64D357014A6BE08494155"  #odile

if [[ -e fsf-keyring.gpg ]] ; then
  check-sig-dos fsf-keyring.gpg
  gpg --import fsf-keyring.gpg
else
  gpg --armor --export $KEYS > fsf-keyring.gpg
fi

for KEY in $KEYS ; do
  if $refresh; then
    echo "Key: $KEY"
    refresh-gpg-key $KEY || (echo "unable to download $KEY" >&2 ; exit 1)
  fi
done

gpg --export $KEYS > key-export
check-sig-dos key-export
mv key-export fsf-keyring.gpg

# Clean up
rm -f fsf-keyring.gpg.asc ./fsf-keyring.gpg~ key-export

echo -e "You will now sign the keyring. Prepare your GPG password.\n"
read -p "Press any key to continue..." -n1 -s
gpg --armor --detach-sign ./fsf-keyring.gpg
Commit	Line	Data
3fc145d4	1	#!/bin/bash
3e4c32c3	2
725b460c IK	3	# Usage: $0 [-r]
725b460c IK	4	# -r means dont refresh keys from keyservers
d27f8055 IK	5	#
	6	# See https://gluestick.office.fsf.org/checklists/person/crypto-keys/ for
	7	# upload command.
725b460c	8
e9702c48 IK	9	shopt -s inherit_errexit 2>/dev/null \|\|: # ignore fail in bash < 4.4
	10	set -eE -o pipefail
	11	trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
3e4c32c3	12
098d6762 AE	13	dos_attack_bytes=1000000
098d6762 AE	14
227fa583 IK	15	refresh-gpg-key() {
	16
	17	key=$1
	18
	19	error=999
43ec6c3d	20	# johns is the only one in keyring.debian.org at this time.
1e2b0c22 MM	21	for keyserver in keyring.debian.org keyserver.ubuntu.com pgp.mit.edu; do
1e2b0c22 MM	22	echo "Trying $keyserver..."
227fa583 IK	23	set +e
227fa583 IK	24	cmd="gpg --keyserver $keyserver --recv-keys $key"
1e2b0c22	25	# Keyservers are not very reliable, so retry a few times.
227fa583 IK	26	for x in {1..3}; do
	27	$cmd &>/dev/null
	28	ret=$?
55a1be4b IK	29	if (( ret == 0 )); then
55a1be4b IK	30	break; fi
227fa583 IK	31	sleep 1
	32	done
	33	set -e
	34	error=$(( ret < error ? ret : error )) # use lowest return
	35	done
	36
	37	return $error
	38	}
3e4c32c3	39
1f9413db	40	check-sig-dos() {
daa8fa96 AE	41	if (( "$(stat -c %s "$1")" > "$dos_attack_bytes" )) ; then
	42	echo -e "\n\nerror: keyring is very large. did we get a signature DoS attack?\n\n"
	43	exit 1
	44	fi
1f9413db AE	45	}
1f9413db AE	46
e72d434b IK	47	refresh=true
	48	if [[ $1 == -r ]]; then
	49	refresh=false
	50	fi
	51
11077deb	52	KEYS+="67819B343B2AB70DED9320872C6464AF2A8E4C02 " #rms
73d2b975 MM	53	#KEYS+="A4626CBAFF376039D2D7554497BA9CE761A0963B " #johns
73d2b975 MM	54	#KEYS+="759C0A4A39A02A079712FB5061B826E87A80C8D6 " #johnh
403f4f95	55	KEYS+="8556112E9B88B1A8B3E3631B58A39239D50484E8 " #jeanne
3e4c32c3	56	KEYS+="B125F60B7B287FF6A2B7DF8F170AF0E2954295DF " #ian
f4caeebe	57	KEYS+="36C9950D2F68254ED89C7C03F9C13A10581AB853 " #craigt
3e4c32c3	58	KEYS+="2C31130BF7D5A459AFF2A3F3C9DFFE4A33AA52D9 " #knauth
06ea525c	59	KEYS+="43372794C8ADD5CA8FCFFA6CD03759DAB600E3C0 " #michael
47309b71	60	KEYS+="B102017CCF698F79423EF9CC069C04D206A59505 " #zoe
7c4333a9	61	KEYS+="7CCC7ECD3D78EB384F6C02C8966951617A149C73 " #gregf
bedfe658	62	KEYS+="005D03724A11C08A5A353D2C906DB6E398AA6CF6 " #miriam
3f491138	63	KEYS+="2D1304056F4F061DADEAE299A2C76C5425EF14E8 " #dawn
43ec6c3d	64	KEYS+="476B712A9FA8788EDA2089F78B656B4E5A98CE74 " #anouk
33f24836	65	KEYS+="6DC9E66336DB958881AB7E43267124EFFC9CD84E " #krzyzstof
f8faa2d3	66	KEYS+="D86097B5E291BA771FA64D357014A6BE08494155" #odile
7c4333a9	67
f05e6c9d AE	68	if [[ -e fsf-keyring.gpg ]] ; then
	69	check-sig-dos fsf-keyring.gpg
	70	gpg --import fsf-keyring.gpg
	71	else
	72	gpg --armor --export $KEYS > fsf-keyring.gpg
	73	fi
3e4c32c3 IK	74
3e4c32c3 IK	75	for KEY in $KEYS ; do
e72d434b	76	if $refresh; then
1e2b0c22	77	echo "Key: $KEY"
f70fa6cd	78	refresh-gpg-key $KEY \|\| (echo "unable to download $KEY" >&2 ; exit 1)
e72d434b	79	fi
3e4c32c3 IK	80	done
3e4c32c3 IK	81
2394c187	82	gpg --export $KEYS > key-export
1f9413db	83	check-sig-dos key-export
098d6762	84	mv key-export fsf-keyring.gpg
55a1be4b	85
43ec6c3d	86	# Clean up
cc77691c	87	rm -f fsf-keyring.gpg.asc ./fsf-keyring.gpg~ key-export
43ec6c3d MM	88
	89	echo -e "You will now sign the keyring. Prepare your GPG password.\n"
	90	read -p "Press any key to continue..." -n1 -s
5f942ca3	91	gpg --armor --detach-sign ./fsf-keyring.gpg