#!/bin/bash
#
-# priority: 500
+# priority: 400
#
# Generate GPG keys
#
# Mark Huang <mlhuang@cs.princeton.edu>
# Copyright (C) 2006 The Trustees of Princeton University
#
-# $Id$
-#
# Source function library and configuration
. /etc/plc.d/functions
. /etc/planetlab/plc_config
+### IMPORTANT NOTE 2020 - feb
+# when moving to fedora31 I run into this
+# https://fedoraproject.org/wiki/Changes/GnuPG2_as_default_GPG_implementation
+# which breaks the whole system for us because
+# * gnupg2 key generation function won't work as expected
+# * but with much wider impact, it turns out that private keys
+# are now stored in a completely different way, and this will affect
+# the way that particular location (typically /etc/planetlab/secring.gpg)
+# is both
+# * configured (as $PLC_ROOT_GPG_KEY)
+# * and passed around (see the PLC.GPG module and its gpg_sign() function)
+#
+# so for now it looks MUCH EASIER to just get fedora to install gnupg1
+# instead of (or on top of) gnupg, and use gpg1 when available
+# below is a leftover of the beginning of a code adaptation
+# to gnupg2, that should work fine (took some time to get right actually)
+# but this is currently unused
+
+# the default gpg command is version 1 up to f29, version 2 starts with f31
+# that could be more for when we support both
+GPG_MAJOR_VERSION=$(gpg --version | grep '^gpg' | cut -d' ' -f 3 | cut -d. -f1)
+
+function generate_key_v1() {
+ local homedir=$1
+ gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes --gen-key << EOF
+Key-Type: DSA
+Key-Length: 1024
+Subkey-Type: ELG-E
+Subkey-Length: 1024
+Name-Real: $PLC_NAME Central
+Name-Comment: http://$PLC_WWW_HOST/
+Name-Email: $PLC_MAIL_SUPPORT_ADDRESS
+Expire-Date: 0
+%pubring $PLC_ROOT_GPG_KEY_PUB
+%secring $PLC_ROOT_GPG_KEY
+%commit
+EOF
+}
+
+# this code should work allright as far as key generation, but as explained above
+# moving to gnupg2 requires a lot more work all over the place...
+function generate_key_v2() {
+ >&2 echo "it appears you have GPGv2 installed, myPLC is not ready for that !"
+ return 1
+
+ local homedir=$1
+ gpg --homedir=$homedir --generate-key --batch << EOF
+Key-Type: DSA
+Key-Length: 1024
+Subkey-Type: ELG-E
+Subkey-Length: 1024
+Name-Real: $PLC_NAME Central
+Name-Comment: http://$PLC_WWW_HOST/
+Name-Email: $PLC_MAIL_SUPPORT_ADDRESS
+Expire-Date: 0
+%pubring $PLC_ROOT_GPG_KEY_PUB
+%no-protection
+%commit
+EOF
+}
+
# Be verbose
set -x
# Make temporary GPG home directory
homedir=$(mktemp -d /tmp/gpg.XXXXXX)
+ # in case a previous gpg invocation failed in some weird way
+ # and left behind a zero length gpg key (pub or priv).
+ if [ -f $PLC_ROOT_GPG_KEY_PUB -a ! -s $PLC_ROOT_GPG_KEY_PUB ] ; then
+ rm -f $PLC_ROOT_GPG_KEY_PUB
+ fi
+ if [ -f $PLC_ROOT_GPG_KEY -a ! -s $PLC_ROOT_GPG_KEY ] ; then
+ rm -f $PLC_ROOT_GPG_KEY
+ fi
+
if [ ! -f $PLC_ROOT_GPG_KEY_PUB -o ! -f $PLC_ROOT_GPG_KEY ] ; then
# Generate new GPG keyring
MESSAGE=$"Generating GPG keys"
# Temporarily replace /dev/random with /dev/urandom to
# avoid running out of entropy.
- rm -f /dev/random
- mknod /dev/random c 1 9
- gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
- --gen-key <<EOF
-Key-Type: DSA
-Key-Length: 1024
-Subkey-Type: ELG-E
-Subkey-Length: 1024
-Name-Real: $PLC_NAME Central
-Name-Comment: http://$PLC_WWW_HOST/
-Name-Email: $PLC_MAIL_SUPPORT_ADDRESS
-Expire-Date: 0
-%pubring $PLC_ROOT_GPG_KEY_PUB
-%secring $PLC_ROOT_GPG_KEY
-%commit
-EOF
+ # (1 9 is /dev/urandom, 1 8 is /dev/random)
+ #
+ # a former version of this was rm'ing /dev/random and re-creating it afterwards
+ # however in 1.0.4 libvirt won't allow the use of mknod at all, so let's work around that
+ # by moving things around instead
+ #
+ # if we find this file it's probably that a previous run has failed..
+ [ -f /dev/random.preserve ] && { echo "Unexpected file /dev/random.preserve - exiting" ; exit 1; }
+ mv -f /dev/random /dev/random.preserve
+ # doesn't hurt to check
+ check
+ ln -s /dev/urandom /dev/random
+ # again
+ check
+ if [ "$GPG_MAJOR_VERSION" == 1 ]; then
+ generate_key_v1 $homedir
+ else
+ generate_key_v2 $homedir
+ fi
+ check
+ mv -f /dev/random.preserve /dev/random
check
- rm -f /dev/random
- mknod /dev/random c 1 8
else
# Update GPG UID
MESSAGE=$"Updating GPG keys"
rpm --allmatches -e gpg-pubkey
check
fi
- rpm --import /etc/pki/rpm-gpg/*
+ # starting with rpm-4.6, this fails when run a second time
+ # it would be complex to do this properly based on the filename,
+ # as /etc/pki/rpm-gpg/ typically has many symlinks to the same file
+ # see also http://fedoranews.org/tchung/gpg/
+ # so just ignore the result
+ rpm --import /etc/pki/rpm-gpg/* || :
check
# Make GPG key readable by apache so that the API can sign peer requests