projects / fsf-keyring.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
testing out another invocation of script
[fsf-keyring.git] / fsf-keyring.sh
diff --git a/fsf-keyring.sh b/fsf-keyring.sh
index 264cc39dec72e70f78468a9d64076cf010009e09..9a8910e0bb836a8aaa71073ba2d879a8a8608395 100755 (executable)
--- a/fsf-keyring.sh
+++ b/fsf-keyring.sh
@@ -10,15 +10,18 @@ shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
+dos_attack_bytes=1000000
+
 refresh-gpg-key() {
 
   key=$1
 
   error=999
-  for keyserver in keyring.debian.org keyserver.ubuntu.com pool.sks-keyservers.net; do
+  for keyserver in keyring.debian.org keyserver.ubuntu.com pgp.mit.edu; do
+    echo "Trying $keyserver..."
     set +e
     cmd="gpg --keyserver $keyserver --recv-keys $key"
-    # keyservers are not very reliable, so retry
+    # Keyservers are not very reliable, so retry a few times.
     for x in {1..3}; do
       $cmd &>/dev/null
       ret=$?
@@ -33,6 +36,13 @@ refresh-gpg-key() {
   return $error
 }
 
+check-sig-dos() {
+  if (( "$(stat -c %s "$1")" > "$dos_attack_bytes" )) ; then
+    echo -e "\n\nerror: keyring is very large. did we get a signature DoS attack?\n\n"
+    exit 1
+  fi
+}
+
 refresh=true
 if [[ $1 == -r ]]; then
   refresh=false
@@ -41,38 +51,35 @@ fi
 KEYS+="67819B343B2AB70DED9320872C6464AF2A8E4C02 " #rms
 KEYS+="A4626CBAFF376039D2D7554497BA9CE761A0963B " #johns
 KEYS+="759C0A4A39A02A079712FB5061B826E87A80C8D6 " #johnh
-KEYS+="22DD43AF4C1F68C7AF784F1A7F861E72F9682D6F " #andrew
-KEYS+="13A0851D6307FC54FCCB81BA2C1008316F3E89B7 " #donald
+KEYS+="1487E002421112A3B6C76B545FA66D3CA7518DBF " #andrew
 KEYS+="8556112E9B88B1A8B3E3631B58A39239D50484E8 " #jeanne
-KEYS+="318C679D94F17700CC847DE646A70073E4E50D4E " #ruben
-KEYS+="0CCB3494C13CCD8F6EC73AA06DA6B7D151C7643E " #dana
 KEYS+="B125F60B7B287FF6A2B7DF8F170AF0E2954295DF " #ian
 KEYS+="36C9950D2F68254ED89C7C03F9C13A10581AB853 " #craigt
 KEYS+="2C31130BF7D5A459AFF2A3F3C9DFFE4A33AA52D9 " #knauth
 KEYS+="43372794C8ADD5CA8FCFFA6CD03759DAB600E3C0 " #michael
 KEYS+="B102017CCF698F79423EF9CC069C04D206A59505 " #zoe
 KEYS+="7CCC7ECD3D78EB384F6C02C8966951617A149C73 " #gregf
+KEYS+="5BE81180271798C6B4866C54598E4925C518D5DC " #davis
+KEYS+="2E0ECE75F8162B407D666767879738E6D6440D57 " #devinu
 KEYS+="D86097B5E291BA771FA64D357014A6BE08494155"  #odile
 
+check-sig-dos fsf-keyring.gpg
+gpg --import fsf-keyring.gpg
 
 rm -f /tmp/keys.asc ./fsf-keyring.gpg
 
 for KEY in $KEYS ; do
   if $refresh; then
-    echo
+    echo "Key: $KEY"
     refresh-gpg-key $KEY
   fi
 done
 
-gpg2 --armor --export $KEYS > fsf-keyring.gpg
-
-echo "Please verify in another terminal window that the keyring doesn't contain many spam signatures before signing:"
-echo
-echo "ls -lh fsf-keyring.gpg"
-echo
-echo "Press [enter] to continue."
-echo
-read
-gpg2 --armor --sign ./fsf-keyring.gpg
-mv fsf-keyring.gpg.asc fsf-keyring.gpg
-rm -f fsf-keyring.gpg~
+gpg --armor --export $KEYS > key-export
+
+check-sig-dos key-export
+
+mv key-export fsf-keyring.gpg
+
+rm -f fsf-keyring.gpg.asc ./fsf-keyring.gpg~ key-export
+gpg --armor --detach-sign ./fsf-keyring.gpg
Unnamed repository; edit this file 'description' to name the repository.