2 # No way I try to deal with a crippled sh just for POSIX foo.
4 # Copyright (C) 2011 Joerg Jaspert <joerg@debian.org>
6 # This program is free software; you can redistribute it and/or
7 # modify it under the terms of the GNU General Public License as
8 # published by the Free Software Foundation; version 2.
10 # This program is distributed in the hope that it will be useful, but
11 # WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 # General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program; if not, write to the Free Software
17 # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 # make sure to only use defined variables
24 # ERR traps should be inherited from functions too.
27 # import the general variable set.
28 export SCRIPTVARS=/srv/ftp-master.debian.org/dak/config/debian/vars
33 # And use one locale, no matter what the caller has set
36 PROGRAM="buildd-add-keys"
38 # common functions are "outsourced"
39 . "${configdir}/common"
43 trap - ERR EXIT TERM HUP INT QUIT
45 for TEMPFILE in GPGSTATUS GPGLOGS GPGOUTF TEMPKEYDATA; do
46 TFILE=${TEMPFILE:=$TEMPFILE}
48 if [ -n "${DELF}" ] && [ -f "${DELF}" ]; then
55 base="${base}/scripts/builddkeyrings"
56 INCOMING="${base}/incoming"
57 ERRORS="${base}/errors"
58 ADMINS="${base}/adminkeys.gpg"
59 STAMPFILE="${base}/updatedkeyring"
61 # Default options for our gpg calls
62 DEFGPGOPT="--no-default-keyring --batch --no-tty --no-options --exit-on-status-write-error --no-greeting"
64 if ! [ -d "${INCOMING}" ]; then
65 log "Missing incoming dir, nothing to do"
70 KEYS=$(find . -maxdepth 1 -mindepth 1 -type f -name \*.key | sed -e "s,./,," | xargs)
71 if [ -z "${KEYS}" ]; then
75 trap cleanup ERR EXIT TERM HUP INT QUIT
77 # Tell prepare-dir that there is an update and it can run
80 # Whenever something goes wrong, its put in there.
83 # We process all new files in our incoming directory
84 for file in ${KEYS}; do
86 # First we want to see if we recognize the filename. The buildd people have
87 # to follow a certain schema:
88 # architecture_builddname.YEAR-MONTH-DAY_HOURMINUTE.key
89 if [[ $file =~ (.*)_(.*).([0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}[0-9]{2}).key ]]; then
90 ARCH=${BASH_REMATCH[1]}
91 BUILDD=${BASH_REMATCH[2]}
92 # Right now timestamp is unused
93 TIMESTAMP=${BASH_REMATCH[3]}
95 log "Unknown file ${file}, not processing"
96 mv "${INCOMING}/${file}" "${ERRORS}/unknown.${file}.$(date -Is)"
100 # Do we know the architecture?
102 for carch in ${archs}; do
103 if [ "${ARCH}" == "${carch}" ]; then
104 log "Known arch ${ARCH}, buildd ${BUILDD}"
110 if [ ${found} -eq 0 ]; then
111 log "Unknown architecture ${ARCH}"
112 mv "${INCOMING}/${file}" "${ERRORS}/unknownarch.${file}.$(date -Is)"
116 # If we did have a file with this name already somethings wrong
117 if [ -f "${base}/${ARCH}/${file}" ]; then
118 log "Already processed this file"
119 mv "${INCOMING}/${file}" "${ERRORS}/duplicate.${file}.$(date -Is)"
123 # Where we want the status-fd from gpgv turn up
124 GPGSTATUS=$(mktemp -p "${TMPDIR}" GPGSTATUS.XXXXXX)
125 # Same for the loggger-fd
126 GPGLOGS=$(mktemp -p "${TMPDIR}" GPGLOGS.XXXXXX)
127 # And "decrypt" gives us output, the key without the pgp sig around it
128 GPGOUTF=$(mktemp -p "${TMPDIR}" GPGOUTF.XXXXXX)
130 # Open the filehandles, assigning them to the two files, so we can let gpg use them
131 exec 4> "${GPGSTATUS}"
134 # So lets run gpg, status/logger into the two files, to "decrypt" the keyfile
135 if ! gpg ${DEFGPGOPT} --keyring "${ADMINS}" --status-fd 4 --logger-fd 5 --decrypt "${INCOMING}/${file}" > "${GPGOUTF}"; then
137 log "gpg returned with ${ret}, not adding key from file ${file}"
139 mv "${INCOMING}/${file}" "${ERRORS}/gpgerror.${file}.${DATE}"
140 mv "${GPGSTATUS}" "${ERRORS}/gpgerror.${file}.gpgstatus.${DATE}"
141 mv "${GPGLOGS}" "${ERRORS}/gpgerror.${file}.gpglogs.${DATE}"
146 # Read in the status output
147 GPGSTAT=$(cat "${GPGSTATUS}")
148 # And check if we like the sig. It has to be both, GOODISG and VALIDSIG or we don't accept it
149 if [[ ${GPGSTAT} =~ "GOODSIG" ]] && [[ ${GPGSTAT} =~ "VALIDSIG" ]]; then
150 log "Signature for ${file} accepted"
152 log "We are missing one of GOODSIG or VALIDSIG"
154 mv "${INCOMING}/${file}" "${ERRORS}/badsig.${file}.${DATE}"
155 mv "${GPGSTATUS}" "${ERRORS}/badsig.${file}.gpgstatus.${DATE}"
156 mv "${GPGLOGS}" "${ERRORS}/badsig.${file}.gpglogs.${DATE}"
161 # So at this point we know we accepted the signature of the file as valid,
162 # that is it is from a key allowed for this architecture. Which only
163 # leaves us with the task of checking if the key fulfills the requirements
164 # before we add it to the architectures keyring.
166 # Those currently are:
167 # - keysize 4096 or larger
168 # - RSA key, no encryption capability
169 # - UID matching "buildd autosigning key BUILDDNAME <buildd_ARCH-BUILDDNAME@buildd.debian.org>
170 # - expire within a 120 days
171 # - maximum 2 keys per architecture and buildd
173 TEMPKEYDATA=$(mktemp -p "${TMPDIR}" BDKEYS.XXXXXX)
175 gpg ${DEFGPGOPT} --with-colons "${GPGOUTF}" > "${TEMPKEYDATA}"
177 # Read in the TEMPKEYDATAFILE, but avoid using a subshell like a
178 # while read line otherwise would do
179 exec 4<> "${TEMPKEYDATA}"
181 #pub:-:4096:1:FAB983612A6554FA:2011-03-24:2011-07-22::-:buildd autosigning key poulenc <buildd_powerpc-poulenc@buildd.debian.org>:
183 # Of course this sucky gpg crapshit of an "interface" does give you different things depending on how people
184 # created their keys. And of course the buildd people created the test keys differently to what they now do
185 # which just means extra work for nothing. So as they now do other steps, the thing we get back suddenly looks like
187 #pub:-:4096:1:99595DC7865BEAD2:2011-03-26:2011-07-24::-:
188 #uid:::::::::buildd autosigning key corelli <buildd_mips-corelli@buildd.debian.org>:
190 # Besides fiddling out the data we need to check later, this regex also check:
191 # - the keytype (:1:, 1 there means RSA)
193 # - that the key does have an expiration date (or it wont match, the second date
194 # field would be empty
195 regex="^pub:-:([0-9]{4}):1:([0-9A-F]{16}):([0-9]{4}-[0-9]{2}-[0-9]{2}):([0-9]{4}-[0-9]{2}-[0-9]{2})::-:(buildd autosigning key ${BUILDD} <buildd_${ARCH}-${BUILDD}@buildd.debian.org>):$"
196 regex2="^pub:-:([0-9]{4}):1:([0-9A-F]{16}):([0-9]{4}-[0-9]{2}-[0-9]{2}):([0-9]{4}-[0-9]{2}-[0-9]{2})::-:$"
197 regex3="^uid:::::::::(buildd autosigning key ${BUILDD} <buildd_${ARCH}-${BUILDD}@buildd.debian.org>):$"
198 while read line <&4; do
199 if [[ $line =~ $regex ]]; then
200 KEYSIZE=${BASH_REMATCH[1]}
201 KEYID=${BASH_REMATCH[2]}
202 KEYCREATE=${BASH_REMATCH[3]}
203 KEYEXPIRE=${BASH_REMATCH[4]}
204 KEYUID=${BASH_REMATCH[5]}
205 elif [[ $line =~ $regex2 ]]; then
206 KEYSIZE=${BASH_REMATCH[1]}
207 KEYID=${BASH_REMATCH[2]}
208 KEYCREATE=${BASH_REMATCH[3]}
209 KEYEXPIRE=${BASH_REMATCH[4]}
210 elif [[ $line =~ $regex3 ]]; then
211 KEYUID=${BASH_REMATCH[1]}
213 log "Didn't recognize the key. Go kiss gpg"
215 mv "${INCOMING}/${file}" "${ERRORS}/badkey.${file}.${DATE}"
216 mv "${GPGSTATUS}" "${ERRORS}/badkey.${file}.gpgstatus.${DATE}"
217 mv "${GPGLOGS}" "${ERRORS}/badkey.${file}.gpglogs.${DATE}"
222 if [ -z "${KEYUID}" ]; then
223 log "Did not recognize the UID format"
225 mv "${INCOMING}/${file}" "${ERRORS}/keyuid.${file}.${DATE}"
226 mv "${GPGSTATUS}" "${ERRORS}/keyuid.${file}.gpgstatus.${DATE}"
227 mv "${GPGLOGS}" "${ERRORS}/keyuid.${file}.gpglogs.${DATE}"
231 # We do want 4096 or anything above
232 if [ ${KEYSIZE} -lt 4096 ]; then
233 log "Keysize ${KEYSIZE} too small"
235 mv "${INCOMING}/${file}" "${ERRORS}/keysize.${file}.${DATE}"
236 mv "${GPGSTATUS}" "${ERRORS}/keysize.${file}.gpgstatus.${DATE}"
237 mv "${GPGLOGS}" "${ERRORS}/keysize.${file}.gpglogs.${DATE}"
242 # We want a maximum lifetime of 120 days, so check that.
243 # Easiest to compare in epoch, so lets see, 120 days midnight from now,
244 # compared with their set expiration date at midnight
245 # maxdate should turn out higher. just in case we make it 121 for this check
246 maxdate=$(date -d '121 day 00:00:00' +%s)
247 theirexpire=$(date -d "${KEYEXPIRE} 00:00:00" +%s)
248 if [ ${theirexpire} -gt ${maxdate} ]; then
249 log "Key expiry ${KEYEXPIRE} wrong"
251 mv "${INCOMING}/${file}" "${ERRORS}/keyexpire.${file}.${DATE}"
252 mv "${GPGSTATUS}" "${ERRORS}/keyexpire.${file}.gpgstatus.${DATE}"
253 mv "${GPGLOGS}" "${ERRORS}/keyexpire.${file}.gpglogs.${DATE}"
258 # And now lets check how many keys this buildd already has. 2 is the maximum, so key
259 # rollover works. 3 won't, they have to rm one first
260 # We need to check for the amount of keys
261 ARCHKEYRING="${base}/${ARCH}/keyring.gpg"
263 KEYNO=$(gpg ${DEFGPGOPT} --keyring "${ARCHKEYRING}" --with-colons --list-keys "buildd_${ARCH}-${BUILDD}@buildd.debian.org" | grep -c '^pub:' || /bin/true )
264 if [ ${KEYNO} -gt 2 ]; then
266 mv "${INCOMING}/${file}" "${ERRORS}/toomany.${file}.${DATE}"
267 mv "${GPGSTATUS}" "${ERRORS}/toomany.${file}.gpgstatus.${DATE}"
268 mv "${GPGLOGS}" "${ERRORS}/toomany.${file}.gpglogs.${DATE}"
273 # Right. At this point everything should be in order, which means we should put the key into
275 KEYSUBMITTER=$(cat "${GPGSTATUS}"|grep GOODSIG)
276 KEYSUBMITTER=${KEYSUBMITTER##*GOODSIG}
277 log "${KEYSUBMITTER} added key ${KEYID} for ${ARCH} buildd ${BUILDD}, expire ${KEYEXPIRE}"
278 gpg ${DEFGPGOPT} --status-fd 4 --logger-fd 5 --keyring "${ARCHKEYRING}" --import "${GPGOUTF}" 2>/dev/null
280 mv "${INCOMING}/${file}" "${base}/${ARCH}"