X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=fsf-keyring.sh;h=9a8910e0bb836a8aaa71073ba2d879a8a8608395;hb=1cae805c785c17966563cb5026e8bc3419d7673b;hp=2237296f6a10b42b0debf4b38a6619153b72f3ee;hpb=7f8b8bae3697e9ad302ffbd1d69f5b00a7332fe1;p=fsf-keyring.git

diff --git a/fsf-keyring.sh b/fsf-keyring.sh
index 2237296..9a8910e 100755
--- a/fsf-keyring.sh
+++ b/fsf-keyring.sh
@@ -10,15 +10,18 @@ shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
+dos_attack_bytes=1000000
+
 refresh-gpg-key() {
 
   key=$1
 
   error=999
-  for keyserver in keyring.debian.org keyserver.ubuntu.com pool.sks-keyservers.net; do
+  for keyserver in keyring.debian.org keyserver.ubuntu.com pgp.mit.edu; do
+    echo "Trying $keyserver..."
     set +e
     cmd="gpg --keyserver $keyserver --recv-keys $key"
-    # keyservers are not very reliable, so retry
+    # Keyservers are not very reliable, so retry a few times.
     for x in {1..3}; do
       $cmd &>/dev/null
       ret=$?
@@ -33,46 +36,50 @@ refresh-gpg-key() {
   return $error
 }
 
+check-sig-dos() {
+  if (( "$(stat -c %s "$1")" > "$dos_attack_bytes" )) ; then
+    echo -e "\n\nerror: keyring is very large. did we get a signature DoS attack?\n\n"
+    exit 1
+  fi
+}
+
 refresh=true
 if [[ $1 == -r ]]; then
   refresh=false
 fi
 
+KEYS+="67819B343B2AB70DED9320872C6464AF2A8E4C02 " #rms
 KEYS+="A4626CBAFF376039D2D7554497BA9CE761A0963B " #johns
 KEYS+="759C0A4A39A02A079712FB5061B826E87A80C8D6 " #johnh
-KEYS+="CEA951DB865D0D257BB0A14DCEB69E6F9B36C195 " #andrew
-KEYS+="13A0851D6307FC54FCCB81BA2C1008316F3E89B7 " #donald
-KEYS+="EF6643D6E1F115D1A9B7D59C92D16583E1E7C532 " #jeanne
-KEYS+="04C45B4E3AF05E9EB140FD148B10E9C6407BD6E1 " #matt
-KEYS+="318C679D94F17700CC847DE646A70073E4E50D4E " #ruben
-KEYS+="0CCB3494C13CCD8F6EC73AA06DA6B7D151C7643E " #dana
+KEYS+="1487E002421112A3B6C76B545FA66D3CA7518DBF " #andrew
+KEYS+="8556112E9B88B1A8B3E3631B58A39239D50484E8 " #jeanne
 KEYS+="B125F60B7B287FF6A2B7DF8F170AF0E2954295DF " #ian
-KEYS+="ECE5B5BF952A3AEA92C137F9C9230A4849ACE0DB " #molly
 KEYS+="36C9950D2F68254ED89C7C03F9C13A10581AB853 " #craigt
 KEYS+="2C31130BF7D5A459AFF2A3F3C9DFFE4A33AA52D9 " #knauth
 KEYS+="43372794C8ADD5CA8FCFFA6CD03759DAB600E3C0 " #michael
 KEYS+="B102017CCF698F79423EF9CC069C04D206A59505 " #zoe
 KEYS+="7CCC7ECD3D78EB384F6C02C8966951617A149C73 " #gregf
-KEYS+="A8CAA4A2EB655D07BA1F367BC338CAA4FA700A3A" # oliva
+KEYS+="5BE81180271798C6B4866C54598E4925C518D5DC " #davis
+KEYS+="2E0ECE75F8162B407D666767879738E6D6440D57 " #devinu
+KEYS+="D86097B5E291BA771FA64D357014A6BE08494155"  #odile
 
+check-sig-dos fsf-keyring.gpg
+gpg --import fsf-keyring.gpg
 
 rm -f /tmp/keys.asc ./fsf-keyring.gpg
 
 for KEY in $KEYS ; do
   if $refresh; then
+    echo "Key: $KEY"
     refresh-gpg-key $KEY
   fi
 done
 
-gpg2 --armor --export $KEYS > fsf-keyring.gpg
-
-echo "Please verify in another terminal window that the keyring doesn't contain many spam signatures before signing:"
-echo
-echo "gpg2 --no-default-keyring --keyring=./fsf-keyring.gpg --list-sigs | less"
-echo
-echo "Press [enter] to continue."
-echo
-read
-gpg2 --armor --sign ./fsf-keyring.gpg
-mv fsf-keyring.gpg.asc fsf-keyring.gpg
-rm -f fsf-keyring.gpg~
+gpg --armor --export $KEYS > key-export
+
+check-sig-dos key-export
+
+mv key-export fsf-keyring.gpg
+
+rm -f fsf-keyring.gpg.asc ./fsf-keyring.gpg~ key-export
+gpg --armor --detach-sign ./fsf-keyring.gpg