#!/bin/bash
#
-# priority: 500
+# priority: 400
#
# Generate GPG keys
#
# Mark Huang <mlhuang@cs.princeton.edu>
# Copyright (C) 2006 The Trustees of Princeton University
#
-# $Id: gpg,v 1.3 2006/05/08 18:16:33 mlhuang Exp $
-#
# Source function library and configuration
. /etc/plc.d/functions
. /etc/planetlab/plc_config
+# Be verbose
+set -x
+
case "$1" in
start)
+ # Make temporary GPG home directory
+ homedir=$(mktemp -d /tmp/gpg.XXXXXX)
+
+ # in case a previous gpg invocation failed in some weird way
+ # and left behind a zero length gpg key (pub or priv).
+ if [ -f $PLC_ROOT_GPG_KEY_PUB -a ! -s $PLC_ROOT_GPG_KEY_PUB ] ; then
+ rm -f $PLC_ROOT_GPG_KEY_PUB
+ fi
+ if [ -f $PLC_ROOT_GPG_KEY -a ! -s $PLC_ROOT_GPG_KEY ] ; then
+ rm -f $PLC_ROOT_GPG_KEY
+ fi
+
if [ ! -f $PLC_ROOT_GPG_KEY_PUB -o ! -f $PLC_ROOT_GPG_KEY ] ; then
# Generate new GPG keyring
MESSAGE=$"Generating GPG keys"
# Temporarily replace /dev/random with /dev/urandom to
# avoid running out of entropy.
rm -f /dev/random
+ # 1 9 is /dev/urandom
mknod /dev/random c 1 9
- gpg --homedir=/root --no-tty --yes \
- --batch --gen-key <<EOF
+ # sometimes mknod fails within an improperly setup vserver
+ check
+ gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
+ --gen-key <<EOF
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
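Review bot: The temporary GPG home created by `homedir=$(mktemp -d /tmp/gpg.XXXXXX)` is not checked for failure and is not removed on an early exit, since the only `rm -rf $homedir` is at the very end of the `start)` arm. If any `check` aborts the script first (its behaviour is defined in /etc/plc.d/functions, not shown here), the directory stays behind in /tmp. I would write `homedir=$(mktemp -d /tmp/gpg.XXXXXX) || exit 1` followed by `trap 'rm -rf -- "$homedir"' EXIT`. The added `check` after `mknod /dev/random c 1 9` has the same problem: if it exits there, /dev/random is left missing or still pointing at urandom, so the restore step `mknod /dev/random c 1 8` belongs in that exit path too. The `start)` arm continues beyond this hunk.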
check
rm -f /dev/random
mknod /dev/random c 1 8
- chmod 644 $PLC_ROOT_GPG_KEY_PUB
- chmod 600 $PLC_ROOT_GPG_KEY
-
- result "$MESSAGE"
else
# Update GPG UID
MESSAGE=$"Updating GPG keys"
dialog "$MESSAGE"
- # Get the current GPG fingerprint
- fingerprint=$PLC_MAIL_SUPPORT_ADDRESS
- (
- IFS=:
- while read -a fields ; do
- if [ "${fields[0]}" = "pub" ] ; then
- fingerprint=${fields[4]}
- break
- fi
- done < <(
- gpg --homedir=/root --no-tty --yes \
- --no-default-keyring --keyring $PLC_ROOT_GPG_KEY_PUB --secret-keyring $PLC_ROOT_GPG_KEY \
- --list-public-keys --with-colons
- check
- )
+ # Get the current GPG fingerprint and comment
+ OLDIFS=$IFS
+ IFS=:
+ while read -a fields ; do
+ if [ "${fields[0]}" = "pub" ] ; then
+ fingerprint=${fields[4]}
+ break
+ fi
+ done < <(
+ gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
+ --no-default-keyring \
+ --secret-keyring=$PLC_ROOT_GPG_KEY \
+ --keyring=$PLC_ROOT_GPG_KEY_PUB \
+ --list-public-keys --with-colons
+ check
)
+ IFS=$OLDIFS
- # GPG UIDs cannot and should not normally be changed, but
- # since we do not certify signatures, we can effectively
- # change it by adding a new one and deleting the old one.
- gpg --homedir=/root --no-tty --yes \
- --no-default-keyring --keyring $PLC_ROOT_GPG_KEY_PUB --secret-keyring $PLC_ROOT_GPG_KEY \
+ # Add a new UID if appropriate. GPG will detect and merge duplicates.
+ gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
+ --no-default-keyring \
+ --secret-keyring=$PLC_ROOT_GPG_KEY \
+ --keyring=$PLC_ROOT_GPG_KEY_PUB \
--command-fd 0 --status-fd 1 --edit-key $fingerprint <<EOF
adduid
$PLC_NAME Central
$PLC_MAIL_SUPPORT_ADDRESS
http://$PLC_WWW_HOST/
-uid 1
-deluid
-y
save
EOF
check
+ fi
- result "$MESSAGE"
+ # Install the key in the RPM database
+ mkdir -p /etc/pki/rpm-gpg
+ gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
+ --no-default-keyring \
+ --secret-keyring=$PLC_ROOT_GPG_KEY \
+ --keyring=$PLC_ROOT_GPG_KEY_PUB \
+ --export --armor >"/etc/pki/rpm-gpg/RPM-GPG-KEY-$PLC_NAME"
+ check
+ if rpm -q gpg-pubkey ; then
+ rpm --allmatches -e gpg-pubkey
+ check
fi
+ # starting with rpm-4.6, this fails when run a second time
+ # it would be complex to do this properly based on the filename,
+ # as /etc/pki/rpm-gpg/ typically has many symlinks to the same file
+ # see also http://fedoranews.org/tchung/gpg/
+ # so just ignore the result
+ rpm --import /etc/pki/rpm-gpg/* || :
+ check
+
+ # Make GPG key readable by apache so that the API can sign peer requests
+ chown apache $PLC_ROOT_GPG_KEY
+ chmod 644 $PLC_ROOT_GPG_KEY_PUB
+ chmod 600 $PLC_ROOT_GPG_KEY
+ check
+
+ # Cleanup
+ rm -rf $homedir
+
+ result "$MESSAGE"
;;
esac
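Review bot: The `check` after `rpm --import /etc/pki/rpm-gpg/* || :` can never report a failure if it tests the last exit status, because that status is always the one from `:`. As the preceding `rpm --allmatches -e gpg-pubkey` removes every imported key, a failed import would leave the RPM database with no trusted keys and no error. If the rpm-4.6 re-import failure has to be tolerated, I would drop that `check` and verify the outcome instead, e.g. `rpm -q gpg-pubkey >/dev/null` followed by `check`. Separately, `chown apache $PLC_ROOT_GPG_KEY` makes the web server the owner of the root signing key, so it can rewrite or re-mode the file as well as read it; `chown root:apache` with `chmod 640` would give only the read access the comment asks for, assuming an `apache` group exists on the target system. In the update branch `fingerprint` no longer gets a default, so `--edit-key $fingerprint` runs with an empty argument when no `pub` record is read; a `[ -n "$fingerprint" ]` guard before the edit would catch that.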