| 1 | #!/bin/bash |
| 2 | |
| 3 | # Usage: $0 [-r] |
| 4 | # -r means dont refresh keys from keyservers |
| 5 | # |
| 6 | # See https://gluestick.office.fsf.org/checklists/person/crypto-keys/ for |
| 7 | # upload command. |
| 8 | |
| 9 | shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4 |
| 10 | set -eE -o pipefail |
| 11 | trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR |
| 12 | |
| 13 | dos_attack_bytes=1000000 |
| 14 | |
| 15 | refresh-gpg-key() { |
| 16 | |
| 17 | key=$1 |
| 18 | |
| 19 | error=999 |
| 20 | for keyserver in keyring.debian.org keyserver.ubuntu.com pgp.mit.edu; do |
| 21 | echo "Trying $keyserver..." |
| 22 | set +e |
| 23 | cmd="gpg --keyserver $keyserver --recv-keys $key" |
| 24 | # Keyservers are not very reliable, so retry a few times. |
| 25 | for x in {1..3}; do |
| 26 | $cmd &>/dev/null |
| 27 | ret=$? |
| 28 | if (( ret == 0 )); then |
| 29 | break; fi |
| 30 | sleep 1 |
| 31 | done |
| 32 | set -e |
| 33 | error=$(( ret < error ? ret : error )) # use lowest return |
| 34 | done |
| 35 | |
| 36 | return $error |
| 37 | } |
| 38 | |
| 39 | check-sig-dos() { |
| 40 | (( "$(stat -c %s "$1")" > "${dos_attack_bytes}" )) && echo -e "\n\nerror: keyring is very large. did we get a signature DoS attack?\n\n" && exit 1 |
| 41 | } |
| 42 | |
| 43 | refresh=true |
| 44 | if [[ $1 == -r ]]; then |
| 45 | refresh=false |
| 46 | fi |
| 47 | |
| 48 | KEYS+="67819B343B2AB70DED9320872C6464AF2A8E4C02 " #rms |
| 49 | KEYS+="A4626CBAFF376039D2D7554497BA9CE761A0963B " #johns |
| 50 | KEYS+="759C0A4A39A02A079712FB5061B826E87A80C8D6 " #johnh |
| 51 | KEYS+="1487E002421112A3B6C76B545FA66D3CA7518DBF " #andrew |
| 52 | KEYS+="8556112E9B88B1A8B3E3631B58A39239D50484E8 " #jeanne |
| 53 | KEYS+="B125F60B7B287FF6A2B7DF8F170AF0E2954295DF " #ian |
| 54 | KEYS+="36C9950D2F68254ED89C7C03F9C13A10581AB853 " #craigt |
| 55 | KEYS+="2C31130BF7D5A459AFF2A3F3C9DFFE4A33AA52D9 " #knauth |
| 56 | KEYS+="43372794C8ADD5CA8FCFFA6CD03759DAB600E3C0 " #michael |
| 57 | KEYS+="B102017CCF698F79423EF9CC069C04D206A59505 " #zoe |
| 58 | KEYS+="7CCC7ECD3D78EB384F6C02C8966951617A149C73 " #gregf |
| 59 | KEYS+="5BE81180271798C6B4866C54598E4925C518D5DC " #davis |
| 60 | KEYS+="2E0ECE75F8162B407D666767879738E6D6440D57 " #devinu |
| 61 | KEYS+="D86097B5E291BA771FA64D357014A6BE08494155" #odile |
| 62 | |
| 63 | check-sig-dos fsf-keyring.gpg |
| 64 | gpg --import fsf-keyring.gpg |
| 65 | |
| 66 | rm -f /tmp/keys.asc ./fsf-keyring.gpg |
| 67 | |
| 68 | for KEY in $KEYS ; do |
| 69 | if $refresh; then |
| 70 | echo "Key: $KEY" |
| 71 | refresh-gpg-key $KEY |
| 72 | fi |
| 73 | done |
| 74 | |
| 75 | gpg --armor --export $KEYS > key-export |
| 76 | |
| 77 | check-sig-dos key-export |
| 78 | |
| 79 | mv key-export fsf-keyring.gpg |
| 80 | |
| 81 | rm -f fsf-keyring.gpg.asc ./fsf-keyring.gpg~ key-export |
| 82 | gpg --armor --detach-sign ./fsf-keyring.gpg |