commit: 99ceddc02672cbca6e530dbca4cd804e00e4b8d1 |
Author: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org> |
AuthorDate: Fri May 3 18:26:39 2019 +0000 |
Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org> |
CommitDate: Fri May 3 18:26:48 2019 +0000 |
URL: https://gitweb.gentoo.org/proj/qa-scripts.git/commit/?id=99ceddc0 |
|
keyrings: prepare to split out keyring export for faster cycles |
|
Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org> |
|
create-dev-keyrings.bash | 90 +++------------------------ |
keyrings-export.bash | 33 ++++++++++ |
create-dev-keyrings.bash => keyrings.inc.bash | 49 +++------------ |
3 files changed, 48 insertions(+), 124 deletions(-) |
|
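diff --git a/create-dev-keyrings.bash b/create-dev-keyrings.bash
index 1a9fd76..3f65550 100755
--- a/create-dev-keyrings.bash
+++ b/create-dev-keyrings.bash
@@ -1,91 +1,15 @@
 #!/bin/bash
+# Import key updates from Keyservers
+#
+# TODO:
+# - Turn off export in this script
 
 OUTPUT_DIR=${1:-.}
-
-DEV_BASE='ou=devs,dc=gentoo,dc=org'
-SYSTEM_BASE='ou=system,dc=gentoo,dc=org'
-
-COMMIT_RULE='(&(gentooAccess=git.gentoo.org/repo/gentoo.git)(gentooStatus=active))'
-NONCOMMIT_RULE='(&(!(gentooAccess=git.gentoo.org/repo/gentoo.git))(gentooStatus=active))'
-RETIRED_RULE='(!(gentooStatus=active))'
-
-KS_GENTOO=hkps://keys.gentoo.org/
-KS_SKS=hkps://hkps.pool.sks-keyservers.net/
-
-GPG_TMPDIR=$(mktemp -d)
-clean_tmp() {
- rm -rf "$GPG_TMPDIR"
-}
-
-# grab_ldap_fingerprints <ldap-rule>
-grab_ldap_fingerprints() {
- ldapsearch "${@}" -Z gpgfingerprint -LLL |
- sed -n -e '/^gpgfingerprint: /{s/^.*://;s/ //g;p}' |
- sort -u |
- grep -v undefined
-}
-
-# grab_keys <fingerprint>...
-grab_keys() {
- local retries=0
- local missing=()
- local remaining=( "${@}" )
-
- while :; do
- timeout 5m gpg --keyserver $KS_GENTOO -q --recv-keys "${remaining[@]}" || :
- timeout 20m gpg --keyserver $KS_SKS -q --recv-keys "${remaining[@]}" || :
- missing=()
- for key in "${remaining[@]}"; do
- gpg --list-public "${key}" &>/dev/null || missing+=( "${key}" )
- done
-
- [[ ${#missing[@]} -ne 0 ]] || break
-
- # if we did not make progress, give it a few seconds and retry
- if [[ ${#missing[@]} -eq ${#remaining[@]} ]]; then
- if [[ $(( retries++ )) -gt 3 ]]; then
- echo "Unable to fetch the following keys:"
- printf '%s\n' "${missing[@]}"
- break # if we hard-exit, the entire export will fail
- fi
- sleep 5
- fi
-
- remaining=( "${missing[@]}" )
- done
-}
-
-# push_keys <fingerprint>...
-push_keys() {
- # Only send keys that we have
- local remaining=( $(gpg --with-colon --list-public "${@}" | sed -n '/^pub/{n; /fpr/p }' |cut -d: -f10) )
- timeout 5m gpg --keyserver $KS_GENTOO -q --send-keys "${remaining[@]}" || :
- #timeout 5m gpg --keyserver $KS_SKS -q --send-keys "${remaining[@]}" || :
-}
-
-export_keys() {
- DST="$1"
- TMP="${GPG_TMPDIR}"/$(basename "${DST}")
- # Must not exist, otherwise GPG will give error
- [[ -f "${TMP}" ]] && rm -f "${TMP}"
- # 'gpg --export' returns zero if there was no error with the command itself
- # If there are no keys in the export set, then it ALSO does not write the destination file
- # and prints 'gpg: WARNING: nothing exported' to stderr
- if gpg --output "$TMP" --export "${@}" && test -s "${TMP}"; then
- chmod a+r "${TMP}"
- mv "${TMP}" "${DST}"
- else
- echo "Unable to export keys to $DST"
- exit 1
- fi
-}
+BASEDIR="$(dirname "$0")"
+source "${BASEDIR}"/keyrings.inc.bash
 
 set -e
-
-COMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${COMMIT_RULE}") )
-NONCOMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${NONCOMMIT_RULE}") )
-RETIRED_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${RETIRED_RULE}") )
-SYSTEM_KEYS=( $(grab_ldap_fingerprints -b "${SYSTEM_BASE}" "${NONCOMMIT_RULE}") )
+export_ldap_data_to_env
 
 grab_keys "${SYSTEM_KEYS[@]}"
 export_keys "${OUTPUT_DIR}"/service-keys.gpg \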
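Review bot: The new `source "${BASEDIR}"/keyrings.inc.bash` runs before the context line `set -e`, so a failure inside the include — an unreadable include file, or its `GPG_TMPDIR=$(mktemp -d)` failing — is not fatal here and the script carries on with an empty GPG_TMPDIR until a later step breaks in a less obvious place. Moving `set -e` above the `source` line, or writing `source "${BASEDIR}"/keyrings.inc.bash || exit 1`, makes the failure surface where it happens; the new keyrings-export.bash has the same ordering. The header comment could also state that the include is looked up next to the script via `$0`, which presumably will not hold if the script is later invoked through a symlink from elsewhere.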
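diff --git a/keyrings-export.bash b/keyrings-export.bash
new file mode 100755
index 0000000..06f5bab
--- /dev/null
+++ b/keyrings-export.bash
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Export keys to keyrings
+#
+# TODO:
+# - only run the export if there was really a change
+# - requires keeping state to detect changes in keys, there is no usable mtime data in a key itself
+
+OUTPUT_DIR=${1:-.}
+BASEDIR="$(dirname "$0")"
+source "${BASEDIR}"/keyrings.inc.bash
+
+set -e
+export_ldap_data_to_env
+
+export_keys "${OUTPUT_DIR}"/service-keys.gpg \
+ "${SYSTEM_KEYS[@]}"
+
+export_keys "${OUTPUT_DIR}"/committing-devs.gpg \
+ "${COMMITTING_DEVS[@]}"
+
+export_keys "${OUTPUT_DIR}"/active-devs.gpg \
+ "${COMMITTING_DEVS[@]}" \
+ "${NONCOMMITTING_DEVS[@]}"
+
+export_keys "${OUTPUT_DIR}"/retired-devs.gpg \
+ "${RETIRED_DEVS[@]}"
+
+# Everybody together now
+export_keys "${OUTPUT_DIR}"/all-devs.gpg \
+ "${SYSTEM_KEYS[@]}" \
+ "${COMMITTING_DEVS[@]}" \
+ "${NONCOMMITTING_DEVS[@]}" \
+ "${RETIRED_DEVS[@]}"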
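Review bot: Each `export_keys` call in this new script will publish a keyring from which any fingerprint not present in the local gpg keyring is silently dropped, because export_keys (defined in keyrings.inc.bash, outside this file) only fails when the export file is empty, and this script no longer calls grab_keys first, so a key the import script could not fetch is now the normal way to end up with a short committing-devs.gpg or all-devs.gpg. A presence check before the exports would at least make that visible: `for key in "${SYSTEM_KEYS[@]}" "${COMMITTING_DEVS[@]}" "${NONCOMMITTING_DEVS[@]}"; do gpg --list-public "${key}" &>/dev/null || printf 'missing key: %s\n' "${key}" >&2; done` (retired devs are left out since the removed comments say those are known to be absent from keyservers). Whether a missing active-dev key should abort the export or only be logged is a policy call worth recording next to the header TODOs. If this script and create-dev-keyrings.bash end up on independent schedules against the same GnuPG home, an export could presumably observe a half-finished import, so a lock around the two would be worth considering.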
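diff --git a/create-dev-keyrings.bash b/keyrings.inc.bash
old mode 100755
new mode 100644
similarity index 63%
copy from create-dev-keyrings.bash
copy to keyrings.inc.bash
index 1a9fd76..052550d
--- a/create-dev-keyrings.bash
+++ b/keyrings.inc.bash
@@ -1,7 +1,5 @@
 #!/bin/bash
 
-OUTPUT_DIR=${1:-.}
-
 DEV_BASE='ou=devs,dc=gentoo,dc=org'
 SYSTEM_BASE='ou=system,dc=gentoo,dc=org'
 
@@ -16,6 +14,7 @@ GPG_TMPDIR=$(mktemp -d)
 clean_tmp() {
  rm -rf "$GPG_TMPDIR"
 }
+trap clean_tmp EXIT
 
 # grab_ldap_fingerprints <ldap-rule>
 grab_ldap_fingerprints() {
@@ -80,42 +79,10 @@ export_keys() {
  fi
 }
 
-set -e
-
-COMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${COMMIT_RULE}") )
-NONCOMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${NONCOMMIT_RULE}") )
-RETIRED_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${RETIRED_RULE}") )
-SYSTEM_KEYS=( $(grab_ldap_fingerprints -b "${SYSTEM_BASE}" "${NONCOMMIT_RULE}") )
-
-grab_keys "${SYSTEM_KEYS[@]}"
-export_keys "${OUTPUT_DIR}"/service-keys.gpg \
- "${SYSTEM_KEYS[@]}"
-
-grab_keys "${COMMITTING_DEVS[@]}"
-export_keys "${OUTPUT_DIR}"/committing-devs.gpg \
- "${COMMITTING_DEVS[@]}"
-
-grab_keys "${NONCOMMITTING_DEVS[@]}"
-export_keys "${OUTPUT_DIR}"/active-devs.gpg \
- "${COMMITTING_DEVS[@]}" \
- "${NONCOMMITTING_DEVS[@]}"
-
-# -- not all are on keyservers
-# -- and are unlikely to turn up now
-# -- this needs to fetch from some archive instead
-#grab_keys "${RETIRED_DEVS[@]}"
-export_keys "${OUTPUT_DIR}"/retired-devs.gpg \
- "${RETIRED_DEVS[@]}"
-
-# Everybody together now
-export_keys "${OUTPUT_DIR}"/all-devs.gpg \
- "${SYSTEM_KEYS[@]}" \
- "${COMMITTING_DEVS[@]}" \
- "${NONCOMMITTING_DEVS[@]}" \
- "${RETIRED_DEVS[@]}"
-
-# Populate keys.gentoo.org with the keys we have, since they might have come from SKS
-push_keys "${SYSTEM_KEYS[@]}"
-push_keys "${COMMITTING_DEVS[@]}"
-push_keys "${NONCOMMITTING_DEVS[@]}"
-push_keys "${RETIRED_DEVS[@]}"
+# populate common variables
+export_ldap_data_to_env() {
+ export COMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${COMMIT_RULE}") )
+ export NONCOMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${NONCOMMIT_RULE}") )
+ export RETIRED_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${RETIRED_RULE}") )
+ export SYSTEM_KEYS=( $(grab_ldap_fingerprints -b "${SYSTEM_BASE}" "${NONCOMMIT_RULE}") )
+}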
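Review bot: The `export` prefix on the four assignments in the new export_ldap_data_to_env does nothing useful and hides an error: bash does not pass array variables to child processes, and because `export` is the command whose status counts, the exit status of the `$(grab_ldap_fingerprints …)` substitution is discarded, so an LDAP outage under the callers' `set -e` silently yields an empty array rather than stopping the run. Plain assignments would let `set -e` see a failing substitution, but grab_ldap_fingerprints ends in `grep -v undefined`, whose status only reports whether any line survived, so an explicit emptiness check is the more dependable guard; the rewrite below does both. The unquoted `$(…)` word-splitting is carried over from the old top-level code and is fine as long as fingerprints remain space-free hex. The comment `# populate common variables` should say that globals are being set, e.g. `# Populate the global fingerprint arrays from LDAP; returns 1 if any set comes back empty`.
```shell
# Populate the global fingerprint arrays from LDAP; returns 1 if any set comes back empty
export_ldap_data_to_env() {
	COMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${COMMIT_RULE}") )
	NONCOMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${NONCOMMIT_RULE}") )
	RETIRED_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${RETIRED_RULE}") )
	SYSTEM_KEYS=( $(grab_ldap_fingerprints -b "${SYSTEM_BASE}" "${NONCOMMIT_RULE}") )
	# An empty set means LDAP did not answer, not that nobody holds a key;
	# refuse to build keyrings from missing data.
	local name ref
	for name in COMMITTING_DEVS NONCOMMITTING_DEVS RETIRED_DEVS SYSTEM_KEYS; do
		ref="${name}[@]"
		local -a fprs=( "${!ref}" )
		[[ ${#fprs[@]} -gt 0 ]] || { printf 'LDAP returned no fingerprints for %s\n' "${name}" >&2; return 1; }
	done
}
```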