1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
#!/bin/sh
# This is a hacked up version of NM's keycheck.sh that understands jetring
# changesets.
# Copyright (C) 2003-2007 Joerg Jaspert <joerg@debian.org> and others
# This little script is free software; you can redistribute
# it and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2.
#
# On Debian systems, the complete text of the GNU General Public
# License can be found in /usr/share/common-licenses/GPL-2 file.
set -e
CACHE=./cache
TMPRING=./keyring.tmp
# Which keyserver
KEYSERVER=keyring.debian.org
# The options for the gpg call in this script.
# Contains only options used in ALL gpg calls.
GPGOPTS=" -q --no-options --no-default-keyring --no-auto-check-trustdb --keyring $TMPRING --trust-model always"
# For the following calls use LANG=C - some output is used for
# reports to a list / for an english report.
LANG=C
export LANG
changeset="$1"
if [ -z "$changeset" ]; then
echo "Usage: keycheck changeset" >&2
exit 1
fi
trap cleanup EXIT
cleanup () {
rm -f $TMPRING*
}
keycheck () {
gpg ${GPGOPTS} -v --with-fingerprint --keyring $CACHE/debian-keyring.gpg --keyring $CACHE/debian-keyring.pgp --check-sigs "$KEYID"
echo "Let's test if its a version 4 or greater key"
VERSION=$(gpg ${GPGOPTS} --with-colons --with-fingerprint --list-keys "0x$KEYID" | awk -F : '$1 == "fpr" {print length($10)}')
if [ $VERSION -eq 32 ]; then
echo "Warning: It looks like this key is an Version 3 GPG key. This is bad."
echo "Please doublecheck and then get your applicant to send you a correct"
echo "key if this is script isnt wrong."
else
echo "Key is ok"
fi
echo "Check for key expire stuff"
EXPIRE=$(gpg ${GPGOPTS} --with-colons --check-sigs "0x$KEYID" |awk -F : ' $1 == "sub" && $2 != "r" {print $7} ')
if [ -z "$EXPIRE" ]; then
echo "Key has no expiration date set, nothing to check."
else
echo "Key has an expiration date of "\"${EXPIRE}\""."
echo "Please check that its not in the past, AND that it is not too"
echo "near in the future to make adding this applicant pointless."
fi
}
make
cp debian-maintainers.gpg $TMPRING
KEYID=$(jetring-apply $TMPRING "$changeset" 2>&1 | grep -m 1 '^gpg: key' | sed 's/^gpg: key \([a-fA-F0-9]*\):.*/\1/')
if [ -z "$KEYID" ]; then
echo "Changeset failed to apply, or failed to parse key id from gpg output" >&2
rm -f $TMPRING*
exit 1
fi
make rsync-keys
echo "Checking key id $KEYID"
val=$(keycheck 2>&1 | sed -e 's/^$/./' -e 's/^/ /')
echo "Adding KeyCheck field to $changeset"
printf "" > "$changeset.new"
# Try to add it before the Data block.
added=
IFS="
"
for line in $(cat "$changeset"); do
if [ "$line" = "Action: import" ]; then
echo "KeyCheck:" >> "$changeset.new"
echo "$val" >> "$changeset.new"
added=1
fi
echo "$line" >> "$changeset.new"
done
if [ ! "$added" ]; then
echo "KeyCheck:" >> "$changeset.new"
echo "$val" >> "$changeset.new"
fi
mv -f "$changeset.new" "$changeset"
|
