7 # Mark Huang <mlhuang@cs.princeton.edu>
8 # Copyright (C) 2006 The Trustees of Princeton University
11 # Source function library and configuration
# NOTE(review): the PLC_* variables used below (key paths, host names, mail
# address) come from this sourced config; none of them is quoted where it is
# expanded, so the script silently assumes none of them contains whitespace
# or glob characters.
12 . /etc/plc.d/functions
13 . /etc/planetlab/plc_config
20 # Make temporary GPG home directory
# Unpredictable name via mktemp; no cleanup of $homedir is visible in this
# excerpt, so it may be left behind on exit — confirm against the full file.
21 homedir=$(mktemp -d /tmp/gpg.XXXXXX)
23 # in case a previous gpg invocation failed in some weird way
24 # and left behind a zero length gpg key (pub or priv).
# `-a` inside `[` is deprecated; the unquoted paths make the test fragile
# on an empty variable (a `${VAR:?}` guard before `rm -f` would be safer).
25 if [ -f $PLC_ROOT_GPG_KEY_PUB -a ! -s $PLC_ROOT_GPG_KEY_PUB ] ; then
26 rm -f $PLC_ROOT_GPG_KEY_PUB
28 if [ -f $PLC_ROOT_GPG_KEY -a ! -s $PLC_ROOT_GPG_KEY ] ; then
29 rm -f $PLC_ROOT_GPG_KEY
# Either key missing (after the zero-length cleanup above) triggers a fresh
# keypair generation; otherwise the existing keyring is updated below.
32 if [ ! -f $PLC_ROOT_GPG_KEY_PUB -o ! -f $PLC_ROOT_GPG_KEY ] ; then
33 # Generate new GPG keyring
34 MESSAGE=$"Generating GPG keys"
37 mkdir -p $(dirname $PLC_ROOT_GPG_KEY_PUB)
38 mkdir -p $(dirname $PLC_ROOT_GPG_KEY)
40 # Temporarily replace /dev/random with /dev/urandom to
41 # avoid running out of entropy.
42 # (1 9 is /dev/urandom, 1 8 is /dev/random)
44 # a former version of this was rm'ing /dev/random and re-creating it afterwards
45 # however in 1.0.4 libvirt won't allow the use of mknod at all, so let's work around that
46 # by moving things around instead
# NOTE(review): this swap is system-wide — every other process reading
# /dev/random during key generation gets /dev/urandom instead, and if the
# script dies between the mv and the restore further down, /dev/random stays
# a symlink until the next run notices /dev/random.preserve and bails out.
48 # if we find this file it's probably that a previous run has failed..
49 [ -f /dev/random.preserve ] && { echo "Unexpected file /dev/random.preserve - exiting" ; exit 1; }
50 mv -f /dev/random /dev/random.preserve
51 # doesn't hurt to check
53 ln -s /dev/urandom /dev/random
# Unattended key generation; the batch parameters (key type/size, expiry)
# are on lines not shown in this excerpt.
56 gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
62 Name-Real: $PLC_NAME Central
63 Name-Comment: http://$PLC_WWW_HOST/
64 Name-Email: $PLC_MAIL_SUPPORT_ADDRESS
# %pubring/%secring write the new keys straight to the configured paths.
66 %pubring $PLC_ROOT_GPG_KEY_PUB
67 %secring $PLC_ROOT_GPG_KEY
# Restore the real /dev/random (see the caveat above about failure paths).
71 mv -f /dev/random.preserve /dev/random
75 MESSAGE=$"Updating GPG keys"
78 # Get the current GPG fingerprint and comment
# `read -a` splits on IFS; the records below are colon-delimited, so this
# presumably relies on IFS being set to ':' on a line not shown — verify.
# In --with-colons output field index 4 of a `pub` record is the key ID
# rather than the full fingerprint; it is used as the --edit-key selector.
81 while read -a fields ; do
82 if [ "${fields[0]}" = "pub" ] ; then
83 fingerprint=${fields[4]}
# Isolated keyrings: --no-default-keyring keeps $homedir from being consulted.
# NOTE(review): --secret-keyring is ignored by GnuPG 2.1+; this script
# targets the classic gpg where the secret ring is a plain file.
87 gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
88 --no-default-keyring \
89 --secret-keyring=$PLC_ROOT_GPG_KEY \
90 --keyring=$PLC_ROOT_GPG_KEY_PUB \
91 --list-public-keys --with-colons
96 # Add a new UID if appropriate. GPG will detect and merge duplicates.
# --command-fd 0 feeds the interactive edit-key prompts from the heredoc;
# --status-fd 1 puts the status lines on stdout (the prompt sequence and the
# heredoc terminator are on lines not shown here).
97 gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
98 --no-default-keyring \
99 --secret-keyring=$PLC_ROOT_GPG_KEY \
100 --keyring=$PLC_ROOT_GPG_KEY_PUB \
101 --command-fd 0 --status-fd 1 --edit-key $fingerprint <<EOF
104 $PLC_MAIL_SUPPORT_ADDRESS
105 http://$PLC_WWW_HOST/
111 # Install the key in the RPM database
112 mkdir -p /etc/pki/rpm-gpg
# ASCII-armored public key only (--export without --secret-keys).
113 gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
114 --no-default-keyring \
115 --secret-keyring=$PLC_ROOT_GPG_KEY \
116 --keyring=$PLC_ROOT_GPG_KEY_PUB \
117 --export --armor >"/etc/pki/rpm-gpg/RPM-GPG-KEY-$PLC_NAME"
# NOTE(review): --allmatches removes EVERY gpg-pubkey entry from the RPM
# database, including distribution signing keys, not just this one; they are
# only re-trusted if a copy lives in /etc/pki/rpm-gpg/ for the import below.
119 if rpm -q gpg-pubkey ; then
120 rpm --allmatches -e gpg-pubkey
123 # starting with rpm-4.6, this fails when run a second time
124 # it would be complex to do this properly based on the filename,
125 # as /etc/pki/rpm-gpg/ typically has many symlinks to the same file
126 # see also http://fedoranews.org/tchung/gpg/
127 # so just ignore the result
# Because the status is discarded, a genuinely failed import (e.g. a
# corrupt key file) leaves packages unverifiable without any diagnostic.
128 rpm --import /etc/pki/rpm-gpg/* || :
131 # Make GPG key readable by apache so that the API can sign peer requests
# The private key ends up owned by the web server user with mode 600: the
# API process holds the signing key, so a compromise of that process
# exposes it. The public half is world-readable.
132 chown apache $PLC_ROOT_GPG_KEY
133 chmod 644 $PLC_ROOT_GPG_KEY_PUB
134 chmod 600 $PLC_ROOT_GPG_KEY