trap - ERR EXIT TERM HUP INT QUIT
for TEMPFILE in GPGSTATUS GPGLOGS GPGOUTF TEMPKEYDATA; do
- TFILE=${TEMPFILE:=$TEMPFILE}
- DELF=${!TFILE:-""}
+ DELF=${!TEMPFILE:-""}
if [ -n "${DELF}" ] && [ -f "${DELF}" ]; then
rm -f "${DELF}"
fi
done
exit $ERRVAL
}
-trap cleanup ERR EXIT TERM HUP INT QUIT
base="${base}/scripts/builddkeyrings"
INCOMING="${base}/incoming"
ERRORS="${base}/errors"
-ADMINS="${base}/admins"
+ADMINS="${base}/adminkeys.gpg"
REMOVED="${base}/removed-buildd-keys.gpg"
+STAMPFILE="${base}/updatedkeyring"
# Default options for our gpg calls
DEFGPGOPT="--no-default-keyring --batch --no-tty --no-options --exit-on-status-write-error --no-greeting"
exit 1
fi
+cd "${INCOMING}"
+KEYS=$(find . -maxdepth 1 -mindepth 1 -type f -name \*.del | sed -e "s,./,," | xargs)
+if [ -z "${KEYS}" ]; then
+ exit 0
+fi
+
+trap cleanup ERR EXIT TERM HUP INT QUIT
+
+# Tell prepare-dir that there is an update and it can run
+touch "${STAMPFILE}"
+
# Whenever something goes wrong, its put in there.
mkdir -p "${ERRORS}"
# We process all new files in our incoming directory
-for file in $(ls -1 ${INCOMING}/*.del ); do
+for file in ${KEYS}; do
file=${file##*/}
# First we want to see if we recognize the filename. The buildd people have
# to follow a certain schema:
- # architecture_builddname.YEAR-MONTH-DAY_HOUR:MINUTE.del
- if [[ $file =~ (.*)_(.*).([0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}:[0-9]{2}).del ]]; then
+ # architecture_builddname.YEAR-MONTH-DAY_HOURMINUTE.del
+ if [[ $file =~ (.*)_(.*).([0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}[0-9]{2}).del ]]; then
ARCH=${BASH_REMATCH[1]}
BUILDD=${BASH_REMATCH[2]}
# Right now timestamp is unused
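Review bot: ARCH and BUILDD come out of an unanchored regex whose `(.*)` groups and unescaped `.` accept almost any string, and ARCH is then spliced into filesystem paths (`${base}/${ARCH}/keyring.gpg` and the `mv` target further down), so a file named e.g. `.._x.2024-01-01_1200.del` points the keyring lookup at `${base}/../keyring.gpg`. The filename itself is not covered by the admin signature that the later `gpg --decrypt` checks, so only the file's content, not its name, is authenticated. Tighten the match to a character class and anchor it, e.g. `if [[ $file =~ ^([a-z0-9]+)_([a-z0-9-]+)\.([0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}[0-9]{2})\.del$ ]]; then`, and guard the path before ARCHKEYRING is derived with `[[ -d "${base}/${ARCH}" ]] || { log "unknown arch ${ARCH} in ${file}"; continue; }` (or whatever the unrecognised-name branch does); widen the classes if buildd names use other characters. The `for file` loop this sits in continues past the end of this hunk.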
exec 5> "${GPGLOGS}"
# So lets run gpg, status/logger into the two files, to "decrypt" the keyfile
- if ! gpg ${DEFGPGOPT} --keyring "${ADMINS}/${ARCH}.gpg" --status-fd 4 --logger-fd 5 --decrypt "${INCOMING}/${file}" > "${GPGOUTF}"; then
+ if ! gpg ${DEFGPGOPT} --keyring "${ADMINS}" --status-fd 4 --logger-fd 5 --decrypt "${INCOMING}/${file}" > "${GPGOUTF}"; then
ret=$?
log "gpg returned with ${ret}, not removing key using ${file}"
DATE=$(date -Is)
fi
done
+ COMMENT=${COMMENT:-"The bad ${KEYSUBMITTER} hasn't supplied a comment"}
+
# Right, we have the keyid, know the arch, lets see if we can remove it
ARCHKEYRING="${base}/${ARCH}/keyring.gpg"
# Is the key in there?
- KEYNO=$(gpg ${DEFGPGOPT} --keyring "${ARCHKEYRING}" --with-colons --list-keys ${KEYID} | grep -c '^pub:')
+ KEYNO=$(gpg ${DEFGPGOPT} --keyring "${ARCHKEYRING}" --with-colons --list-keys ${KEYID} | grep -c '^pub:' || /bin/true )
if [ $KEYNO -eq 1 ]; then
# Right, exactly one there, lets get rid of it
# So put it into the removed keyring
gpg ${DEFGPGOPT} --keyring "${ARCHKEYRING}" --export ${KEYID} | gpg ${DEFGPGOPT} --keyring "${REMOVED}" --import 2>/dev/null
if gpg ${DEFGPGOPT} --keyring "${ARCHKEYRING}" --yes --delete-keys ${KEYID}; then
- log "Removed key ${KEYID}, reason: ${COMMENT}"
+ KEYSUBMITTER=$(cat "${GPGSTATUS}"|grep GOODSIG)
+ KEYSUBMITTER=${KEYSUBMITTER##*GOODSIG}
+ log "${KEYSUBMITTER} removed key ${KEYID} for ${ARCH} buildd ${BUILDD}, reason: ${COMMENT}"
mv "${INCOMING}/${file}" "${base}/${ARCH}"
continue
fi
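Review bot: KEYSUBMITTER is first assigned on the new lines inside the delete-success branch, but the new COMMENT default above reads `${KEYSUBMITTER}` before that point, so on the first file it is empty (or an unbound-variable error if `set -u` is on) and on later files it carries the previous file's signer, unless it is set in lines not shown between the two. Move the two `KEYSUBMITTER=` lines up to just after the `gpg --decrypt` succeeds, so both the comment default and the log line see the signer of the current file. Note also that `grep GOODSIG` on the status file only identifies which admin key signed; with a single shared `adminkeys.gpg` replacing the per-architecture keyrings, nothing ties that signer to the `${ARCH}` parsed from the filename, and if that widening is intended a one-line comment at the decrypt call saying so would help the next reader. The `|| /bin/true` on the KEYNO line likewise turns a failing gpg (e.g. missing keyring) into KEYNO=0, which is fine only if the zero-count branch reports it. The `for file` loop enclosing this hunk starts before it.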