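#!/bin/bash
# Export keys to keyrings
#
# Usage: $0 [OUTPUT_DIR]      (OUTPUT_DIR defaults to the current directory)
#
# Looks up the fingerprints of each developer/system key group in LDAP (helpers
# from keyrings.inc.bash), exports one keyring per group to OUTPUT_DIR/keys/,
# maintains a compatibility symlink per keyring directly in OUTPUT_DIR and keeps
# one timestamped copy of every keyring per week.
#
# TODO:
# - only run the export if there was really a change
# - requires keeping state to detect changes in keys, there is no usable mtime data in a key itself
OUTPUT_DIR=${1:-.}
# Ensure output is absolute. readlink is checked explicitly because set -e is not
# active yet: an empty OUTPUT_DIR would turn every path below into /keys/... and
# /<name>.gpg, i.e. the keyrings and symlinks would be written to the filesystem root.
OUTPUT_DIR=$(readlink -f "${OUTPUT_DIR}") || { printf 'Cannot resolve output directory %s\n' "${1:-.}" >&2; exit 1; }
: "${OUTPUT_DIR:?output directory resolved to an empty path}"
BASEDIR="$(dirname "$0")"
# shellcheck source=./keyrings.inc.bash
source "${BASEDIR}"/keyrings.inc.bash
set -e
export_ldap_data_to_env

# The fingerprint lists are filled by plain array assignments so that a failing
# grab_ldap_fingerprints aborts the script under set -e. Wrapping the assignment
# in `export -a X=( $(...) )` would replace that status with export's own (0), and
# an LDAP failure would silently produce empty groups and thus empty keyrings.
# The command substitutions are intentionally unquoted: the helper prints a
# whitespace-separated list of hex fingerprints that must be word-split.
# shellcheck disable=SC2207
COMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${COMMIT_RULE}") )
# shellcheck disable=SC2207
NONCOMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${NONCOMMIT_RULE}") )
# shellcheck disable=SC2207
RETIRED_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${RETIRED_RULE}") )
# shellcheck disable=SC2207
SYSTEM_KEYS=( $(grab_ldap_fingerprints -b "${SYSTEM_BASE}" "${NONCOMMIT_RULE}") )
# shellcheck disable=SC2207
INFRA_SYSTEM_KEYS=( $(grab_ldap_fingerprints -b "${SYSTEM_BASE}" "${INFRA_SYSTEM_RULE}") )
export -a COMMITTING_DEVS NONCOMMITTING_DEVS RETIRED_DEVS SYSTEM_KEYS INFRA_SYSTEM_KEYS
export -a KEYRINGS=( )

#######################################
# Export one keyring and record its name for the symlink/archive loop below.
# A failed export is deliberately non-fatal: the keyring is left out of
# KEYRINGS, so no compatibility symlink or weekly copy is made for it, and the
# remaining keyrings are still exported.
# Globals:   OUTPUT_DIR (read), KEYRINGS (appended), GPG_EXPORT_OPTS (read by
#            export_keys, if set)
# Arguments: $1 - keyring name; written to ${OUTPUT_DIR}/keys/$1.gpg
#            $@ - fingerprints of the keys to export
# Returns:   0 always
#######################################
export_ring() {
  local name=$1
  shift
  if export_keys "${OUTPUT_DIR}/keys/${name}.gpg" "$@"; then
    KEYRINGS+=( "${name}" )
  fi
}

export_ring service-keys "${SYSTEM_KEYS[@]}"
export_ring infra-service-keys "${INFRA_SYSTEM_KEYS[@]}"
export_ring committing-devs "${COMMITTING_DEVS[@]}"
export_ring active-devs "${COMMITTING_DEVS[@]}" "${NONCOMMITTING_DEVS[@]}"
# NOTE(review): INFRA_DEVS is not populated in this script; presumably it is set
# by keyrings.inc.bash or export_ldap_data_to_env — confirm.
export_ring infra-devs "${INFRA_DEVS[@]}"
export_ring retired-devs "${RETIRED_DEVS[@]}"
# Everybody together now
export_ring all-devs \
  "${SYSTEM_KEYS[@]}" \
  "${INFRA_SYSTEM_KEYS[@]}" \
  "${COMMITTING_DEVS[@]}" \
  "${NONCOMMITTING_DEVS[@]}" \
  "${INFRA_DEVS[@]}" \
  "${RETIRED_DEVS[@]}"

# TEMPORARY:
# Verify export-clean vs stock export options.
export GPG_EXPORT_OPTS=( --export-options export-clean )
export_ring service-keys.export-clean "${SYSTEM_KEYS[@]}"
export_ring infra-service-keys.export-clean "${INFRA_SYSTEM_KEYS[@]}"
export_ring committing-devs.export-clean "${COMMITTING_DEVS[@]}"
export_ring active-devs.export-clean "${COMMITTING_DEVS[@]}" "${NONCOMMITTING_DEVS[@]}"
export_ring infra-devs.export-clean "${INFRA_DEVS[@]}"
export_ring retired-devs.export-clean "${RETIRED_DEVS[@]}"
# Everybody together now
export_ring all-devs.export-clean \
  "${SYSTEM_KEYS[@]}" \
  "${INFRA_SYSTEM_KEYS[@]}" \
  "${COMMITTING_DEVS[@]}" \
  "${NONCOMMITTING_DEVS[@]}" \
  "${INFRA_DEVS[@]}" \
  "${RETIRED_DEVS[@]}"
unset GPG_EXPORT_OPTS
# END TEMPORARY

# Weekly archive stamp (YYYYMMDD of the most recent Monday), computed once since
# it does not depend on the keyring. Empty means "no archive this run":
# - we don't want to run on Mondays to avoid last/next week confusion
# - date(1) did not resolve "last monday" to a Monday (GNU date -d required)
# LC_ALL=C keeps %A in English so the "Monday" comparisons work in any locale.
weekly_stamp=
if [[ $(LC_ALL=C date -u +%A) != Monday ]]; then
  weekly_stamp=$(LC_ALL=C date -u +%Y%m%d-%A -d "last monday")
  if [[ ${weekly_stamp} == *-Monday ]]; then
    weekly_stamp=${weekly_stamp/-Monday/}
  else
    weekly_stamp=
  fi
fi

for key in "${KEYRINGS[@]}"; do
  # Compatibility symlink. Created for every keyring, also on Mondays (the
  # archive checks below used to `break` out of this loop and left the
  # remaining keyrings without a symlink).
  if [[ ! -L "${OUTPUT_DIR}/${key}.gpg" ]]; then
    ln -sf "${OUTPUT_DIR}/keys/${key}.gpg" "${OUTPUT_DIR}/${key}.gpg"
  fi
  [[ -n ${weekly_stamp} ]] || continue
  # Don't clobber existing timestamped keys for this period (weekly)
  # if we're running several times a day.
  if [[ -f "${OUTPUT_DIR}/keys/${key}-${weekly_stamp}.gpg" ]]; then
    continue
  fi
  mkdir -p "${OUTPUT_DIR}/keys"
  # Copy the freshly exported file itself rather than going through the symlink.
  cp "${OUTPUT_DIR}/keys/${key}.gpg" "${OUTPUT_DIR}/keys/${key}-${weekly_stamp}.gpg"
done
clean_tmp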