X-Git-Url: https://git.decadent.org.uk/gitweb/?a=blobdiff_plain;f=scripts%2Fdebian%2Fbuildd-add-keys;h=61cd154c27127fea3a9b3869f8693bb7528ff5a6;hb=3a929d70fd9efac4e07dbdd7c35252a340f5b35f;hp=2100f590c6a9000e708983eb08ffea60c8a091af;hpb=ceb0606b4e2194dd44e185efc128717cdfa0f0d7;p=dak.git diff --git a/scripts/debian/buildd-add-keys b/scripts/debian/buildd-add-keys index 2100f590..61cd154c 100755 --- a/scripts/debian/buildd-add-keys +++ b/scripts/debian/buildd-add-keys @@ -1,7 +1,7 @@ #!/bin/bash # No way I try to deal with a crippled sh just for POSIX foo. -# Copyright (C) 2011 Joerg Jaspert +# Copyright (C) 2011,2012 Joerg Jaspert # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License as @@ -55,6 +55,7 @@ base="${base}/scripts/builddkeyrings" INCOMING="${base}/incoming" ERRORS="${base}/errors" ADMINS="${base}/adminkeys.gpg" +ARCHADMINS="${base}/archadminkeys" STAMPFILE="${base}/updatedkeyring" # Default options for our gpg calls @@ -130,8 +131,12 @@ for file in ${KEYS}; do exec 4> "${GPGSTATUS}" exec 5> "${GPGLOGS}" + KEYRINGS="--keyring ${ADMINS}" + if [ -f "${ARCHADMINS}/${ARCH}.gpg" ]; then + KEYRINGS="${KEYRINGS} --keyring ${ARCHADMINS}/${ARCH}.gpg" + fi # So lets run gpg, status/logger into the two files, to "decrypt" the keyfile - if ! gpg ${DEFGPGOPT} --keyring "${ADMINS}" --status-fd 4 --logger-fd 5 --decrypt "${INCOMING}/${file}" > "${GPGOUTF}"; then + if ! gpg ${DEFGPGOPT} ${KEYRINGS} --status-fd 4 --logger-fd 5 --decrypt "${INCOMING}/${file}" > "${GPGOUTF}"; then ret=$? log "gpg returned with ${ret}, not adding key from file ${file}" DATE=$(date -Is) @@ -140,7 +145,7 @@ for file in ${KEYS}; do mv "${GPGLOGS}" "${ERRORS}/gpgerror.${file}.gpglogs.${DATE}" rm -f "${GPGOUTF}" continue - fi + fi # gpg broke # Read in the status output GPGSTAT=$(cat "${GPGSTATUS}") @@ -166,7 +171,7 @@ for file in ${KEYS}; do # - keysize 4096 or larger # - RSA key, no encryption capability # - UID matching "buildd autosigning key BUILDDNAME - # - expire within a 120 days + # - expire within a 360 days # - maximum 2 keys per architecture and buildd TEMPKEYDATA=$(mktemp -p "${TMPDIR}" BDKEYS.XXXXXX) @@ -238,11 +243,11 @@ for file in ${KEYS}; do continue fi - # We want a maximum lifetime of 120 days, so check that. - # Easiest to compare in epoch, so lets see, 120 days midnight from now, + # We want a maximum lifetime of 365 days, so check that. + # Easiest to compare in epoch, so lets see, 365 days midnight from now, # compared with their set expiration date at midnight - # maxdate should turn out higher. just in case we make it 121 for this check - maxdate=$(date -d '121 day 00:00:00' +%s) + # maxdate should turn out higher. just in case we make it 366 for this check + maxdate=$(date -d '366 day 00:00:00' +%s) theirexpire=$(date -d "${KEYEXPIRE} 00:00:00" +%s) if [ ${theirexpire} -gt ${maxdate} ]; then log "Key expiry ${KEYEXPIRE} wrong"