# Mark Huang <mlhuang@cs.princeton.edu>
# Copyright (C) 2006 The Trustees of Princeton University
#
-# $Id: gpg,v 1.6 2006/05/18 17:34:10 mlhuang Exp $
+# $Id$
#
# Source function library and configuration
case "$1" in
start)
+ # Make temporary GPG home directory
+ homedir=$(mktemp -d /tmp/gpg.XXXXXX)
+
+ # in case a previous gpg invocation failed in some weird way
+ # and left behind a zero length gpg key (pub or priv).
+ if [ -f $PLC_ROOT_GPG_KEY_PUB -a ! -s $PLC_ROOT_GPG_KEY_PUB ] ; then
+ rm -f $PLC_ROOT_GPG_KEY_PUB
+ fi
+ if [ -f $PLC_ROOT_GPG_KEY -a ! -s $PLC_ROOT_GPG_KEY ] ; then
+ rm -f $PLC_ROOT_GPG_KEY
+ fi
+
if [ ! -f $PLC_ROOT_GPG_KEY_PUB -o ! -f $PLC_ROOT_GPG_KEY ] ; then
# Generate new GPG keyring
MESSAGE=$"Generating GPG keys"
# Temporarily replace /dev/random with /dev/urandom to
# avoid running out of entropy.
rm -f /dev/random
+ # 1 9 is /dev/urandom
mknod /dev/random c 1 9
- gpg --homedir=/root --no-tty --yes \
- --batch --gen-key <<EOF
+ # sometimes mknod fails within an improperly setup vserver
+ check
+ gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
+ --gen-key <<EOF
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
check
rm -f /dev/random
mknod /dev/random c 1 8
- chmod 644 $PLC_ROOT_GPG_KEY_PUB
- chmod 600 $PLC_ROOT_GPG_KEY
else
# Update GPG UID
MESSAGE=$"Updating GPG keys"
break
fi
done < <(
- gpg --homedir=/etc/planetlab --no-permission-warning --no-tty --yes \
+ gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
+ --no-default-keyring \
+ --secret-keyring=$PLC_ROOT_GPG_KEY \
+ --keyring=$PLC_ROOT_GPG_KEY_PUB \
--list-public-keys --with-colons
check
)
IFS=$OLDIFS
- # Add a new UID if appropriate. GPG will detect and merge duplicates.
- gpg --homedir=/etc/planetlab --no-permission-warning --no-tty --yes \
- --command-fd 0 --status-fd 1 --edit-key $fingerprint <<EOF
+
+ # Add a new UID if appropriate. GPG (v1) will detect and
+ # merge duplicates but this is considered as a bug in GPG2
+ # and we need to check for existence.
+ gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
+ --list-keys \
+ --no-default-keyring \
+ --secret-keyring=/etc/planetlab/secring.gpg \
+ --keyring=/etc/planetlab/pubring.gpg \
+ | grep "$PLC_NAME Central" \
+ | grep "$PLC_MAIL_SUPPORT_ADDRESS" \
+ | grep "http://$PLC_WWW_HOST/"
+
+ if [ $? -ne 1 ]; then
+ gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
+ --no-default-keyring \
+ --secret-keyring=$PLC_ROOT_GPG_KEY \
+ --keyring=$PLC_ROOT_GPG_KEY_PUB \
+ --Command-Fd 0 --status-fd 1 --edit-key $fingerprint <<EOF
adduid
$PLC_NAME Central
$PLC_MAIL_SUPPORT_ADDRESS
save
EOF
check
+ fi
+
fi
# Install the key in the RPM database
mkdir -p /etc/pki/rpm-gpg
- gpg --homedir=/etc/planetlab --no-permission-warning --no-tty --yes \
+ gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
+ --no-default-keyring \
+ --secret-keyring=$PLC_ROOT_GPG_KEY \
+ --keyring=$PLC_ROOT_GPG_KEY_PUB \
--export --armor >"/etc/pki/rpm-gpg/RPM-GPG-KEY-$PLC_NAME"
check
if rpm -q gpg-pubkey ; then
rpm --allmatches -e gpg-pubkey
check
fi
- rpm --import /etc/pki/rpm-gpg/*
+ # starting with rpm-4.6, this fails when run a second time
+ # it would be complex to do this properly based on the filename,
+ # as /etc/pki/rpm-gpg/ typically has many symlinks to the same file
+ # see also http://fedoranews.org/tchung/gpg/
+ # so just ignore the result
+ rpm --import /etc/pki/rpm-gpg/* || :
check
+ # Make GPG key readable by apache so that the API can sign peer requests
+ chown apache $PLC_ROOT_GPG_KEY
+ chmod 644 $PLC_ROOT_GPG_KEY_PUB
+ chmod 600 $PLC_ROOT_GPG_KEY
+ check
+
+ # Cleanup
+ rm -rf $homedir
+
result "$MESSAGE"
;;
esac
git://git.onelab.eu / myplc.git / blobdiff