7 # Mark Huang <mlhuang@cs.princeton.edu>
8 # Copyright (C) 2006 The Trustees of Princeton University
# NOTE(review): this listing is a partial view (gutter numbers show gaps;
# closing fi/done/EOF lines and the heredoc bodies are not shown), so the
# comments below describe only what the visible lines establish.
11 # Source function library and configuration
# plc_config supplies PLC_ROOT_GPG_KEY, PLC_ROOT_GPG_KEY_PUB, PLC_NAME,
# PLC_WWW_HOST and PLC_MAIL_SUPPORT_ADDRESS used throughout; every use below
# is unquoted, so these values are trusted not to contain whitespace or globs.
12 . /etc/plc.d/functions
13 . /etc/planetlab/plc_config
20 # Make temporary GPG home directory
# Unpredictable name via mktemp. No trap-based cleanup is visible in this
# view; gpg writes its trustdb / random_seed here, so confirm it is removed
# on every exit path (including failures) further down the script.
21 homedir=$(mktemp -d /tmp/gpg.XXXXXX)
23 # in case a previous gpg invocation failed in some weird way
24 # and left behind a zero length gpg key (pub or priv).
# -f but not -s: exists and is empty. The deprecated -a/-o test operators
# and the unquoted paths only work because the paths contain no spaces.
25 if [ -f $PLC_ROOT_GPG_KEY_PUB -a ! -s $PLC_ROOT_GPG_KEY_PUB ] ; then
26 rm -f $PLC_ROOT_GPG_KEY_PUB
28 if [ -f $PLC_ROOT_GPG_KEY -a ! -s $PLC_ROOT_GPG_KEY ] ; then
29 rm -f $PLC_ROOT_GPG_KEY
# Either keyring missing -> generate a fresh pair; otherwise fall through to
# the "Updating" branch below that only touches the user ID.
32 if [ ! -f $PLC_ROOT_GPG_KEY_PUB -o ! -f $PLC_ROOT_GPG_KEY ] ; then
33 # Generate new GPG keyring
34 MESSAGE=$"Generating GPG keys"
37 mkdir -p $(dirname $PLC_ROOT_GPG_KEY_PUB)
38 mkdir -p $(dirname $PLC_ROOT_GPG_KEY)
40 # Temporarily replace /dev/random with /dev/urandom to
41 # avoid running out of entropy.
# char device 1:9 is urandom, 1:8 is random. This swaps the system-wide
# device node, not just gpg's input, for the duration of key generation:
# other processes on the host also get the non-blocking pool, and if the
# script aborts before the restore at line 63 the node stays as urandom.
# A trap restoring the node would close that window -- TODO(review).
44 mknod /dev/random c 1 9
45 # sometimes mknod fails within an improperly setup vserver
# Batch key generation; the parameter file is fed on stdin (body not shown
# in this view except for the lines below).
47 gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
# Config values are expanded unquoted into gpg's parameter file. A value
# containing a newline would be read as an extra directive; these come from
# the locally administered plc_config, so this relies on that file being sane.
53 Name-Real: $PLC_NAME Central
54 Name-Comment: http://$PLC_WWW_HOST/
55 Name-Email: $PLC_MAIL_SUPPORT_ADDRESS
57 %pubring $PLC_ROOT_GPG_KEY_PUB
58 %secring $PLC_ROOT_GPG_KEY
# Restore the real /dev/random (1:8) after generation.
63 mknod /dev/random c 1 8
66 MESSAGE=$"Updating GPG keys"
69 # Get the current GPG fingerprint and comment
# Parses the --with-colons listing below (the loop's input redirection and
# the 'done' line are outside this view; presumably IFS is set to ':' there).
# NOTE(review): in --with-colons output, field 5 of a 'pub' record is the key
# ID, while the fingerprint proper is on a separate 'fpr' record; --edit-key
# accepts a key ID, so this works, but the variable name is misleading.
# 'read' is used without -r, so backslashes in the listing would be
# interpreted.
72 while read -a fields ; do
73 if [ "${fields[0]}" = "pub" ] ; then
74 fingerprint=${fields[4]}
78 gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
79 --no-default-keyring \
80 --secret-keyring=$PLC_ROOT_GPG_KEY \
81 --keyring=$PLC_ROOT_GPG_KEY_PUB \
82 --list-public-keys --with-colons
87 # Add a new UID if appropriate. GPG will detect and merge duplicates.
# Interactive edit-key session driven from the heredoc on stdin
# (--command-fd 0), with status lines going to stdout (--status-fd 1).
# If $fingerprint is empty because no 'pub' record matched, --edit-key gets
# no argument -- nothing visible here guards against that.
88 gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
89 --no-default-keyring \
90 --secret-keyring=$PLC_ROOT_GPG_KEY \
91 --keyring=$PLC_ROOT_GPG_KEY_PUB \
92 --command-fd 0 --status-fd 1 --edit-key $fingerprint <<EOF
# Unquoted heredoc: the support address is expanded into gpg's command
# stream, same trust assumption on plc_config as above.
95 $PLC_MAIL_SUPPORT_ADDRESS
102 # Install the key in the RPM database
103 mkdir -p /etc/pki/rpm-gpg
# Export the armored public key; the output path embeds $PLC_NAME (quoted
# here, unlike the other expansions).
104 gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
105 --no-default-keyring \
106 --secret-keyring=$PLC_ROOT_GPG_KEY \
107 --keyring=$PLC_ROOT_GPG_KEY_PUB \
108 --export --armor >"/etc/pki/rpm-gpg/RPM-GPG-KEY-$PLC_NAME"
# --allmatches -e erases EVERY imported gpg-pubkey package, not only the PLC
# one; only keys that live in /etc/pki/rpm-gpg/ are put back by the import
# below, so any key imported from elsewhere is lost at this point.
110 if rpm -q gpg-pubkey ; then
111 rpm --allmatches -e gpg-pubkey
114 # starting with rpm-4.6, this fails when run a second time
115 # it would be complex to do this properly based on the filename,
116 # as /etc/pki/rpm-gpg/ typically has many symlinks to the same file
117 # see also http://fedoranews.org/tchung/gpg/
118 # so just ignore the result
# Deliberate best-effort: a genuinely unreadable or malformed key file in
# the directory is also silenced by '|| :', so a failed import of the newly
# exported key would go unnoticed here.
119 rpm --import /etc/pki/rpm-gpg/* || :
122 # Make GPG key readable by apache so that the API can sign peer requests
# The SECRET keyring is owned by the web-server user (mode 600): whatever
# runs under apache can read and use the signing key, so a compromise of
# the web tier is a compromise of this key. Group and others get nothing;
# the public keyring is world-readable (644).
123 chown apache $PLC_ROOT_GPG_KEY
124 chmod 644 $PLC_ROOT_GPG_KEY_PUB
125 chmod 600 $PLC_ROOT_GPG_KEY