-#!/bin/bash -l
+#!/bin/bash
-set -e
-set -x
+# Usage: $0 [-r]
+# -r means dont refresh keys from keyservers
+#
+# See https://gluestick.office.fsf.org/checklists/person/crypto-keys/ for
+# upload command.
+
+shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+dos_attack_bytes=1000000
refresh-gpg-key() {
key=$1
error=999
- for keyserver in pgp.mit.edu pool.sks-keyservers.net keyring.debian.org; do
+ for keyserver in keyring.debian.org keyserver.ubuntu.com pgp.mit.edu; do
+ echo "Trying $keyserver..."
set +e
cmd="gpg --keyserver $keyserver --recv-keys $key"
- # keyservers are not very reliable, so retry
+ # Keyservers are not very reliable, so retry a few times.
for x in {1..3}; do
$cmd &>/dev/null
ret=$?
- if (( ret == 0 )); then break; fi
+ if (( ret == 0 )); then
+ break; fi
sleep 1
done
set -e
KEYS+="67819B343B2AB70DED9320872C6464AF2A8E4C02 " #rms
KEYS+="A4626CBAFF376039D2D7554497BA9CE761A0963B " #johns
KEYS+="759C0A4A39A02A079712FB5061B826E87A80C8D6 " #johnh
-KEYS+="CEA951DB865D0D257BB0A14DCEB69E6F9B36C195 " #andrew
-KEYS+="13A0851D6307FC54FCCB81BA2C1008316F3E89B7 " #donald
-KEYS+="EF6643D6E1F115D1A9B7D59C92D16583E1E7C532 " #jeanne
-KEYS+="04C45B4E3AF05E9EB140FD148B10E9C6407BD6E1 " #matt
-KEYS+="318C679D94F17700CC847DE646A70073E4E50D4E " #ruben
-KEYS+="0CCB3494C13CCD8F6EC73AA06DA6B7D151C7643E " #dana
+KEYS+="1487E002421112A3B6C76B545FA66D3CA7518DBF " #andrew
+KEYS+="8556112E9B88B1A8B3E3631B58A39239D50484E8 " #jeanne
KEYS+="B125F60B7B287FF6A2B7DF8F170AF0E2954295DF " #ian
-KEYS+="ECE5B5BF952A3AEA92C137F9C9230A4849ACE0DB " #molly
KEYS+="36C9950D2F68254ED89C7C03F9C13A10581AB853 " #craigt
-KEYS+="E9A271C071964891AA57663D9EA33414F5852F4E " #mako
-KEYS+="A2F4F1966D9E35C673EC30D5B6F1D83E9ACD9EBB " #bkuhn
KEYS+="2C31130BF7D5A459AFF2A3F3C9DFFE4A33AA52D9 " #knauth
KEYS+="43372794C8ADD5CA8FCFFA6CD03759DAB600E3C0 " #michael
KEYS+="B102017CCF698F79423EF9CC069C04D206A59505 " #zoe
+KEYS+="7CCC7ECD3D78EB384F6C02C8966951617A149C73 " #gregf
+KEYS+="5BE81180271798C6B4866C54598E4925C518D5DC " #davis
+KEYS+="2E0ECE75F8162B407D666767879738E6D6440D57 " #devinu
+KEYS+="D86097B5E291BA771FA64D357014A6BE08494155" #odile
rm -f /tmp/keys.asc ./fsf-keyring.gpg
for KEY in $KEYS ; do
if $refresh; then
+ echo "Key: $KEY"
refresh-gpg-key $KEY
fi
- gpg --export --armor $KEY >> /tmp/keys.asc
done
-# note: this doesn't work with gpg2. i dunno what the equivalent is in
-# gpg2, likely just exporting all the keys.
-command gpg --trust-model always --no-default-keyring --keyring ./fsf-keyring.gpg --import /tmp/keys.asc
-gpg --sign ./fsf-keyring.gpg
-mv fsf-keyring.gpg.gpg fsf-keyring.gpg
-rm fsf-keyring.gpg~
+gpg --armor --export $KEYS > key-export
+
+(( "$(stat -c %s key-export)" > "${dos_attack_bytes}" )) && echo -e "\n\nerror: keyring is very large. did we get a signature DoS attack?\n\n" && exit 1
+
+mv key-export fsf-keyring.gpg
+
+gpg --armor --sign ./fsf-keyring.gpg
+mv fsf-keyring.gpg.asc fsf-keyring.gpg
+rm -f fsf-keyring.gpg~
projects / fsf-keyring.git / blobdiff