fsf-keyring.sh

   1 #!/bin/bash
   2
   3 # Usage: $0 [-r]
   4 # -r means dont refresh keys from keyservers
   5 #
   6 # See https://gluestick.office.fsf.org/checklists/person/crypto-keys/ for
   7 # upload command.
   8
   9 shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
  10 set -eE -o pipefail
  11 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
  12
  13 dos_attack_bytes=1000000
  14
  15 refresh-gpg-key() {
  16
  17   key=$1
  18
  19   error=999
  20   # johns is the only one in keyring.debian.org at this time.
  21   for keyserver in keyring.debian.org keyserver.ubuntu.com pgp.mit.edu; do
  22     echo "Trying $keyserver..."
  23     set +e
  24     cmd="gpg --keyserver $keyserver --recv-keys $key"
  25     # Keyservers are not very reliable, so retry a few times.
  26     for x in {1..3}; do
  27       $cmd &>/dev/null
  28       ret=$?
  29       if (( ret == 0 )); then
  30         break; fi
  31       sleep 1
  32     done
  33     set -e
  34     error=$(( ret < error ? ret : error )) # use lowest return
  35   done
  36
  37   return $error
  38 }
  39
  40 check-sig-dos() {
  41   if (( "$(stat -c %s "$1")" > "$dos_attack_bytes" )) ; then
  42     echo -e "\n\nerror: keyring is very large. did we get a signature DoS attack?\n\n"
  43     exit 1
  44   fi
  45 }
  46
  47 refresh=true
  48 if [[ $1 == -r ]]; then
  49   refresh=false
  50 fi
  51
  52 KEYS+="67819B343B2AB70DED9320872C6464AF2A8E4C02 " #rms
  53 KEYS+="A4626CBAFF376039D2D7554497BA9CE761A0963B " #johns
  54 KEYS+="759C0A4A39A02A079712FB5061B826E87A80C8D6 " #johnh
  55 KEYS+="8556112E9B88B1A8B3E3631B58A39239D50484E8 " #jeanne
  56 KEYS+="B125F60B7B287FF6A2B7DF8F170AF0E2954295DF " #ian
  57 KEYS+="36C9950D2F68254ED89C7C03F9C13A10581AB853 " #craigt
  58 KEYS+="2C31130BF7D5A459AFF2A3F3C9DFFE4A33AA52D9 " #knauth
  59 KEYS+="43372794C8ADD5CA8FCFFA6CD03759DAB600E3C0 " #michael
  60 KEYS+="B102017CCF698F79423EF9CC069C04D206A59505 " #zoe
  61 KEYS+="7CCC7ECD3D78EB384F6C02C8966951617A149C73 " #gregf
  62 KEYS+="2E0ECE75F8162B407D666767879738E6D6440D57 " #devinu
  63 KEYS+="005D03724A11C08A5A353D2C906DB6E398AA6CF6 " #miriam
  64 KEYS+="2D1304056F4F061DADEAE299A2C76C5425EF14E8 " #dawn
  65 KEYS+="476B712A9FA8788EDA2089F78B656B4E5A98CE74 " #anouk
  66 KEYS+="2985A29A7ECF1679063A4D5659EB02F5619B3C7E " #krzyzstof
  67 KEYS+="D86097B5E291BA771FA64D357014A6BE08494155"  #odile
  68
  69 if [[ -e fsf-keyring.gpg ]] ; then
  70   check-sig-dos fsf-keyring.gpg
  71   gpg --import fsf-keyring.gpg
  72 else
  73   gpg --armor --export $KEYS > fsf-keyring.gpg
  74 fi
  75
  76 for KEY in $KEYS ; do
  77   if $refresh; then
  78     echo "Key: $KEY"
  79     refresh-gpg-key $KEY || (echo "unable to download $KEY" >&2 ; exit 1)
  80   fi
  81 done
  82
  83 gpg --export $KEYS > key-export
  84 check-sig-dos key-export
  85 mv key-export fsf-keyring.gpg
  86
  87 # Clean up
  88 rm -f fsf-keyring.gpg.asc ./fsf-keyring.gpg~ key-export
  89
  90 echo -e "You will now sign the keyring. Prepare your GPG password.\n"
  91 read -p "Press any key to continue..." -n1 -s
  92 gpg --armor --detach-sign ./fsf-keyring.gpg