#!/bin/bash
# No way I try to deal with a crippled sh just for POSIX foo.
-# Copyright (C) 2011 Joerg Jaspert <joerg@debian.org>
+# Copyright (C) 2011,2012 Joerg Jaspert <joerg@debian.org>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
trap - ERR EXIT TERM HUP INT QUIT
for TEMPFILE in GPGSTATUS GPGLOGS GPGOUTF TEMPKEYDATA; do
- TFILE=${TEMPFILE:=$TEMPFILE}
- DELF=${!TFILE:-""}
+ DELF=${!TEMPFILE:-""}
if [ -n "${DELF}" ] && [ -f "${DELF}" ]; then
rm -f "${DELF}"
fi
INCOMING="${base}/incoming"
ERRORS="${base}/errors"
ADMINS="${base}/adminkeys.gpg"
+ARCHADMINS="${base}/archadminkeys"
STAMPFILE="${base}/updatedkeyring"
# Default options for our gpg calls
exec 4> "${GPGSTATUS}"
exec 5> "${GPGLOGS}"
+ KEYRINGS="--keyring ${ADMINS}"
+ if [ -f "${ARCHADMINS}/${ARCH}.gpg" ]; then
+ KEYRINGS="${KEYRINGS} --keyring ${ARCHADMINS}/${ARCH}.gpg"
+ fi
# So lets run gpg, status/logger into the two files, to "decrypt" the keyfile
- if ! gpg ${DEFGPGOPT} --keyring "${ADMINS}" --status-fd 4 --logger-fd 5 --decrypt "${INCOMING}/${file}" > "${GPGOUTF}"; then
+ if ! gpg ${DEFGPGOPT} ${KEYRINGS} --status-fd 4 --logger-fd 5 --decrypt "${INCOMING}/${file}" > "${GPGOUTF}"; then
ret=$?
log "gpg returned with ${ret}, not adding key from file ${file}"
DATE=$(date -Is)
mv "${GPGLOGS}" "${ERRORS}/gpgerror.${file}.gpglogs.${DATE}"
rm -f "${GPGOUTF}"
continue
- fi
+ fi # gpg broke
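Review bot: `${KEYRINGS}` on the new gpg line is expanded unquoted, so the keyring paths built from `${ADMINS}` and `${ARCHADMINS}/${ARCH}.gpg` are word-split and glob-expanded, whereas the line it replaces passed `"${ADMINS}"` quoted. Building the option list as a bash array keeps each path a single word regardless of its content. ARCH is assigned outside this hunk; since it now selects which admin keyring is trusted to vouch for a submission, it should be checked against the known architecture list before this point if that is not already done. The enclosing loop body starts and ends outside the hunk.
```shell
KEYRINGS=(--keyring "${ADMINS}")
if [ -f "${ARCHADMINS}/${ARCH}.gpg" ]; then
  KEYRINGS+=(--keyring "${ARCHADMINS}/${ARCH}.gpg")
fi
# … unchanged: comment …
if ! gpg ${DEFGPGOPT} "${KEYRINGS[@]}" --status-fd 4 --logger-fd 5 --decrypt "${INCOMING}/${file}" > "${GPGOUTF}"; then
```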
# Read in the status output
GPGSTAT=$(cat "${GPGSTATUS}")
# - keysize 4096 or larger
# - RSA key, no encryption capability
# - UID matching "buildd autosigning key BUILDDNAME <buildd_ARCH-BUILDDNAME@buildd.debian.org>
- # - expire within a 120 days
+ # - expire within a 360 days
# - maximum 2 keys per architecture and buildd
TEMPKEYDATA=$(mktemp -p "${TMPDIR}" BDKEYS.XXXXXX)
- gpg ${DEFGPGOPT} --with-colons "${GPGOUTF}" > "${TEMPKEYDATA}"
+ # We also need to ensure this works, otherwise manually mangled files can break us here
+ if ! gpg ${DEFGPGOPT} --with-colons "${GPGOUTF}" > "${TEMPKEYDATA}"; then
+ log "For some reason we could validate the sig but failed on getting key details"
+ DATE=$(date -Is)
+ mv "${INCOMING}/${file}" "${ERRORS}/badsig.${file}.${DATE}"
+ mv "${GPGSTATUS}" "${ERRORS}/badsig.${file}.gpgstatus.${DATE}"
+ mv "${GPGLOGS}" "${ERRORS}/badsig.${file}.gpglogs.${DATE}"
+ rm -f "${GPGOUTF}"
+ rm -f "${TMPKEYDATA}"
+ continue
+ fi
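Review bot: `rm -f "${TMPKEYDATA}"` in the new failure branch names a variable that is never assigned; the file created by `mktemp` two lines above the new block is held in `TEMPKEYDATA`, so with the typo the temp file is left behind on every such iteration and the `continue` then overwrites the variable with the next `mktemp`. It should read `rm -f "${TEMPKEYDATA}"`. The updated comment `# - expire within a 360 days` also disagrees with the later comments and the `366 day` check, which use 365; one of them should be changed to the figure actually enforced.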
# Read in the TEMPKEYDATAFILE, but avoid using a subshell like a
# while read line otherwise would do
continue
fi
- # We want a maximum lifetime of 120 days, so check that.
- # Easiest to compare in epoch, so lets see, 120 days midnight from now,
+ # We want a maximum lifetime of 365 days, so check that.
+ # Easiest to compare in epoch, so lets see, 365 days midnight from now,
# compared with their set expiration date at midnight
- # maxdate should turn out higher. just in case we make it 121 for this check
- maxdate=$(date -d '121 day 00:00:00' +%s)
+ # maxdate should turn out higher. just in case we make it 366 for this check
+ maxdate=$(date -d '366 day 00:00:00' +%s)
theirexpire=$(date -d "${KEYEXPIRE} 00:00:00" +%s)
if [ ${theirexpire} -gt ${maxdate} ]; then
log "Key expiry ${KEYEXPIRE} wrong"
# We need to check for the amount of keys
ARCHKEYRING="${base}/${ARCH}/keyring.gpg"
- KEYNO=$(gpg ${DEFGPGOPT} --keyring "${ARCHKEYRING}" --with-colons --list-keys "buildd_${ARCH}-${BUILDD}@buildd.debian.org" | grep -c '^pub:' || /bin/true )
+ KEYNO=$(gpg ${DEFGPGOPT} --keyring "${ARCHKEYRING}" --with-colons --list-keys "buildd_${ARCH}-${BUILDD}@buildd.debian.org" 2>/dev/null | grep -c '^pub:' || /bin/true )
if [ ${KEYNO} -gt 2 ]; then
+ log "Too many keys for ${ARCH} buildd ${BUILDD}"
DATE=$(date -Is)
mv "${INCOMING}/${file}" "${ERRORS}/toomany.${file}.${DATE}"
mv "${GPGSTATUS}" "${ERRORS}/toomany.${file}.gpgstatus.${DATE}"
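Review bot: The `2>/dev/null` added to the key-count pipeline hides the case where gpg cannot read `${ARCHKEYRING}` at all: `grep -c` still prints `0`, KEYNO becomes 0 and the `-gt 2` limit check passes with no trace of the error. gpg's diagnostics for the other calls are already collected on fd 5 (opened to `${GPGLOGS}` earlier in the file), so `2>&5` would keep them out of the terminal while preserving them for the error move, or the branch could log when `${PIPESTATUS[0]}` is non-zero. The `if [ ${KEYNO} -gt 2 ]` block ends outside the hunk.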
# Right. At this point everything should be in order, which means we should put the key into
# the keyring
- log "Accepting key ${KEYID} for ${ARCH} buildd ${BUILDD}, expire ${KEYEXPIRE}"
+ KEYSUBMITTER=$(cat "${GPGSTATUS}"|grep GOODSIG)
+ KEYSUBMITTER=${KEYSUBMITTER##*GOODSIG}
+ log "${KEYSUBMITTER} added key ${KEYID} for ${ARCH} buildd ${BUILDD}, expire ${KEYEXPIRE}"
gpg ${DEFGPGOPT} --status-fd 4 --logger-fd 5 --keyring "${ARCHKEYRING}" --import "${GPGOUTF}" 2>/dev/null
mv "${INCOMING}/${file}" "${base}/${ARCH}"