#!/bin/bash
+# $Id$
+# $URL$
#
-# priority: 500
+# priority: 400
#
# Generate GPG keys
#
# Mark Huang <mlhuang@cs.princeton.edu>
# Copyright (C) 2006 The Trustees of Princeton University
#
-# $Id: gpg,v 1.4 2006/05/17 20:47:59 mlhuang Exp $
-#
# Source function library and configuration
. /etc/plc.d/functions
. /etc/planetlab/plc_config
+# Be verbose
+set -x
+
case "$1" in
start)
+ # Make temporary GPG home directory
+ homedir=$(mktemp -d /tmp/gpg.XXXXXX)
+
+ # in case a previous gpg invocation failed in some weird way
+ # and left behind a zero length gpg key (pub or priv).
+ if [ -f $PLC_ROOT_GPG_KEY_PUB -a ! -s $PLC_ROOT_GPG_KEY_PUB ] ; then
+ rm -f $PLC_ROOT_GPG_KEY_PUB
+ fi
+ if [ -f $PLC_ROOT_GPG_KEY -a ! -s $PLC_ROOT_GPG_KEY ] ; then
+ rm -f $PLC_ROOT_GPG_KEY
+ fi
+
if [ ! -f $PLC_ROOT_GPG_KEY_PUB -o ! -f $PLC_ROOT_GPG_KEY ] ; then
# Generate new GPG keyring
MESSAGE=$"Generating GPG keys"
# Temporarily replace /dev/random with /dev/urandom to
# avoid running out of entropy.
rm -f /dev/random
+ # 1 9 is /dev/urandom
mknod /dev/random c 1 9
- gpg --homedir=/root --no-tty --yes \
- --batch --gen-key <<EOF
+ # sometimes mknod fails within an improperly setup vserver
+ check
+ gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
+ --gen-key <<EOF
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
check
rm -f /dev/random
mknod /dev/random c 1 8
- chmod 644 $PLC_ROOT_GPG_KEY_PUB
- chmod 600 $PLC_ROOT_GPG_KEY
else
# Update GPG UID
MESSAGE=$"Updating GPG keys"
while read -a fields ; do
if [ "${fields[0]}" = "pub" ] ; then
fingerprint=${fields[4]}
- IFS=$OLDIFS
- comment=${fields[9]/\x3a/:}
break
fi
done < <(
- gpg --homedir=/etc/planetlab --no-permission-warning --no-tty --yes \
+ gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
+ --no-default-keyring \
+ --secret-keyring=$PLC_ROOT_GPG_KEY \
+ --keyring=$PLC_ROOT_GPG_KEY_PUB \
--list-public-keys --with-colons
check
)
IFS=$OLDIFS
- # Add a new UID if appropriate
- if [ "$comment" != "$PLC_NAME Central (http://$PLC_WWW_HOST/) <$PLC_MAIL_SUPPORT_ADDRESS>" ] ; then
- gpg --homedir=/etc/planetlab --no-permission-warning --no-tty --yes \
- --command-fd 0 --status-fd 1 --edit-key $fingerprint <<EOF
+ # Add a new UID if appropriate. GPG will detect and merge duplicates.
+ gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
+ --no-default-keyring \
+ --secret-keyring=$PLC_ROOT_GPG_KEY \
+ --keyring=$PLC_ROOT_GPG_KEY_PUB \
+ --command-fd 0 --status-fd 1 --edit-key $fingerprint <<EOF
adduid
$PLC_NAME Central
$PLC_MAIL_SUPPORT_ADDRESS
http://$PLC_WWW_HOST/
save
EOF
- check
- fi
+ check
fi
# Install the key in the RPM database
mkdir -p /etc/pki/rpm-gpg
- gpg --homedir=/etc/planetlab --no-permission-warning --no-tty --yes \
+ gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
+ --no-default-keyring \
+ --secret-keyring=$PLC_ROOT_GPG_KEY \
+ --keyring=$PLC_ROOT_GPG_KEY_PUB \
--export --armor >"/etc/pki/rpm-gpg/RPM-GPG-KEY-$PLC_NAME"
check
if rpm -q gpg-pubkey ; then
rpm --allmatches -e gpg-pubkey
check
fi
- rpm --import /etc/pki/rpm-gpg/*
+ # starting with rpm-4.6, this fails when run a second time
+ # it would be complex to do this properly based on the filename,
+ # as /etc/pki/rpm-gpg/ typically has many symlinks to the same file
+ # see also http://fedoranews.org/tchung/gpg/
+ # so just ignore the result
+ rpm --import /etc/pki/rpm-gpg/* || :
check
+ # Make GPG key readable by apache so that the API can sign peer requests
+ chown apache $PLC_ROOT_GPG_KEY
+ chmod 644 $PLC_ROOT_GPG_KEY_PUB
+ chmod 600 $PLC_ROOT_GPG_KEY
+ check
+
+ # Cleanup
+ rm -rf $homedir
+
result "$MESSAGE"
;;
esac
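Review bot: The temporary GPG home created by `homedir=$(mktemp -d /tmp/gpg.XXXXXX)` is removed only on the success path (the `rm -rf $homedir` under "Cleanup"); every `check` between those two points presumably aborts the script (it comes from /etc/plc.d/functions, not visible here), and by then `$homedir` may already hold the freshly generated secret keyring, so a failure leaves private key material behind in /tmp. Checking mktemp and registering the cleanup as an exit trap covers every path: `homedir=$(mktemp -d /tmp/gpg.XXXXXX) || exit 1` followed by `trap 'rm -rf -- "${homedir:?}"' EXIT` (the `:?` guard also keeps an empty `homedir` from ever reaching `rm -rf`). Separately, `chown apache $PLC_ROOT_GPG_KEY` hands the root signing key to the web server account, a deliberate trust decision that deserves a stronger comment than "Make GPG key readable by apache", e.g. `# NOTE: a compromise of the apache user exposes the root signing key; keep mode 600 and never widen it`. The `check` right after `rpm --import /etc/pki/rpm-gpg/* || :` is a no-op, since `|| :` makes that line always report success. The `--gen-key` here-document appears truncated on this page (no closing EOF before the following `check`), so the key parameters it writes into `$homedir` could not be fully reviewed.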