authorRobin H. Johnson <robbat2@gentoo.org>2019-05-03 11:26:39 -0700
committerRobin H. Johnson <robbat2@gentoo.org>2019-05-03 11:26:48 -0700
commit99ceddc02672cbca6e530dbca4cd804e00e4b8d1 (patch)
treedef89a328909149c33bd6f115b9c9aadd37fde9f /keyrings.inc.bash
parentUpdate copyright date on index page (diff)
keyrings: prepare to split out keyring export for faster cycles
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
Diffstat (limited to 'keyrings.inc.bash')
-rw-r--r--keyrings.inc.bash88
1 files changed, 88 insertions, 0 deletions
diff --git a/keyrings.inc.bash b/keyrings.inc.bash
new file mode 100644
index 0000000..052550d
--- /dev/null
+++ b/keyrings.inc.bash
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+DEV_BASE='ou=devs,dc=gentoo,dc=org'
+SYSTEM_BASE='ou=system,dc=gentoo,dc=org'
+
+COMMIT_RULE='(&(gentooAccess=git.gentoo.org/repo/gentoo.git)(gentooStatus=active))'
+NONCOMMIT_RULE='(&(!(gentooAccess=git.gentoo.org/repo/gentoo.git))(gentooStatus=active))'
+RETIRED_RULE='(!(gentooStatus=active))'
+
+KS_GENTOO=hkps://keys.gentoo.org/
+KS_SKS=hkps://hkps.pool.sks-keyservers.net/
+
+GPG_TMPDIR=$(mktemp -d)
+clean_tmp() {
+ rm -rf "$GPG_TMPDIR"
+}
+trap clean_tmp EXIT
+
+# grab_ldap_fingerprints <ldap-rule>
+grab_ldap_fingerprints() {
+ ldapsearch "${@}" -Z gpgfingerprint -LLL |
+ sed -n -e '/^gpgfingerprint: /{s/^.*://;s/ //g;p}' |
+ sort -u |
+ grep -v undefined
+}
+
+# grab_keys <fingerprint>...
+grab_keys() {
+ local retries=0
+ local missing=()
+ local remaining=( "${@}" )
+
+ while :; do
+ timeout 5m gpg --keyserver $KS_GENTOO -q --recv-keys "${remaining[@]}" || :
+ timeout 20m gpg --keyserver $KS_SKS -q --recv-keys "${remaining[@]}" || :
+ missing=()
+ for key in "${remaining[@]}"; do
+ gpg --list-public "${key}" &>/dev/null || missing+=( "${key}" )
+ done
+
+ [[ ${#missing[@]} -ne 0 ]] || break
+
+ # if we did not make progress, give it a few seconds and retry
+ if [[ ${#missing[@]} -eq ${#remaining[@]} ]]; then
+ if [[ $(( retries++ )) -gt 3 ]]; then
+ echo "Unable to fetch the following keys:"
+ printf '%s\n' "${missing[@]}"
+ break # if we hard-exit, the entire export will fail
+ fi
+ sleep 5
+ fi
+
+ remaining=( "${missing[@]}" )
+ done
+}
+
+# push_keys <fingerprint>...
+push_keys() {
+ # Only send keys that we have
+ local remaining=( $(gpg --with-colon --list-public "${@}" | sed -n '/^pub/{n; /fpr/p }' |cut -d: -f10) )
+ timeout 5m gpg --keyserver $KS_GENTOO -q --send-keys "${remaining[@]}" || :
+ #timeout 5m gpg --keyserver $KS_SKS -q --send-keys "${remaining[@]}" || :
+}
+
+export_keys() {
+ DST="$1"
+ TMP="${GPG_TMPDIR}"/$(basename "${DST}")
+ # Must not exist, otherwise GPG will give error
+ [[ -f "${TMP}" ]] && rm -f "${TMP}"
+ # 'gpg --export' returns zero if there was no error with the command itself
+ # If there are no keys in the export set, then it ALSO does not write the destination file
+ # and prints 'gpg: WARNING: nothing exported' to stderr
+ if gpg --output "$TMP" --export "${@}" && test -s "${TMP}"; then
+ chmod a+r "${TMP}"
+ mv "${TMP}" "${DST}"
+ else
+ echo "Unable to export keys to $DST"
+ exit 1
+ fi
+}
+
+# populate common variables
+export_ldap_data_to_env() {
+ export COMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${COMMIT_RULE}") )
+ export NONCOMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${NONCOMMIT_RULE}") )
+ export RETIRED_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${RETIRED_RULE}") )
+ export SYSTEM_KEYS=( $(grab_ldap_fingerprints -b "${SYSTEM_BASE}" "${NONCOMMIT_RULE}") )
+}