#!/bin/bash
-# $Id$
-# $URL$
#
# priority: 400
#
. /etc/plc.d/functions
. /etc/planetlab/plc_config
+### IMPORTANT NOTE 2020 - feb
+# when moving to fedora31 I run into this
+# https://fedoraproject.org/wiki/Changes/GnuPG2_as_default_GPG_implementation
+# which breaks the whole system for us because
+# * gnupg2 key generation function won't work as expected
+# * but with much wider impact, it turns out that private keys
+# are now stored in a completely different way, and this will affect
+# the way that particular location (typically /etc/planetlab/secring.gpg)
+# is both
+# * configured (as $PLC_ROOT_GPG_KEY)
+# * and passed around (see the PLC.GPG module and its gpg_sign() function)
+#
+# so for now it looks MUCH EASIER to just get fedora to install gnupg1
+# instead of (or on top of) gnupg, and use gpg1 when available
+# below is a leftover of the beginning of a code adaptation
+# to gnupg2, that should work fine (took some time to get right actually)
+# but this is currently unused
+
+# for now we run only with gpg1, but on recent systems it means
+# we need to invoke explicitly gpg1
+type gpg1 >& /dev/null && GPG=gpg1 || GPG=gpg
+
+# this is more for when we support both
+# the default gpg command is version 1 up to f29, version 2 starts with f31
+GPG_MAJOR_VERSION=$($GPG --version | grep '^gpg' | cut -d' ' -f 3 | cut -d. -f1)
+
+function generate_key_v1() {
+ local homedir=$1
+ $GPG --homedir=$homedir --no-permission-warning --batch --no-tty --yes --gen-key << EOF
+Key-Type: DSA
+Key-Length: 1024
+Subkey-Type: ELG-E
+Subkey-Length: 1024
+Name-Real: $PLC_NAME Central
+Name-Comment: http://$PLC_WWW_HOST/
+Name-Email: $PLC_MAIL_SUPPORT_ADDRESS
+Expire-Date: 0
+%pubring $PLC_ROOT_GPG_KEY_PUB
+%secring $PLC_ROOT_GPG_KEY
+%commit
+EOF
+}
+
+# this code should work allright as far as key generation, but as explained above
+# moving to gnupg2 requires a lot more work all over the place...
+function generate_key_v2() {
+ >&2 echo "it appears you have GPGv2 installed, myPLC is not ready for that !"
+ return 1
+
+ local homedir=$1
+ $GPG --homedir=$homedir --generate-key --batch << EOF
+Key-Type: DSA
+Key-Length: 1024
+Subkey-Type: ELG-E
+Subkey-Length: 1024
+Name-Real: $PLC_NAME Central
+Name-Comment: http://$PLC_WWW_HOST/
+Name-Email: $PLC_MAIL_SUPPORT_ADDRESS
+Expire-Date: 0
+%pubring $PLC_ROOT_GPG_KEY_PUB
+%no-protection
+%commit
+EOF
+}
+
# Be verbose
set -x
# Temporarily replace /dev/random with /dev/urandom to
# avoid running out of entropy.
- rm -f /dev/random
- # 1 9 is /dev/urandom
- mknod /dev/random c 1 9
- # sometimes mknod fails within an improperly setup vserver
+ # (1 9 is /dev/urandom, 1 8 is /dev/random)
+ #
+ # a former version of this was rm'ing /dev/random and re-creating it afterwards
+ # however in 1.0.4 libvirt won't allow the use of mknod at all, so let's work around that
+ # by moving things around instead
+ #
+ # if we find this file it's probably that a previous run has failed..
+ [ -f /dev/random.preserve ] && { echo "Unexpected file /dev/random.preserve - exiting" ; exit 1; }
+ mv -f /dev/random /dev/random.preserve
+ # doesn't hurt to check
check
- gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
- --gen-key <<EOF
-Key-Type: DSA
-Key-Length: 1024
-Subkey-Type: ELG-E
-Subkey-Length: 1024
-Name-Real: $PLC_NAME Central
-Name-Comment: http://$PLC_WWW_HOST/
-Name-Email: $PLC_MAIL_SUPPORT_ADDRESS
-Expire-Date: 0
-%pubring $PLC_ROOT_GPG_KEY_PUB
-%secring $PLC_ROOT_GPG_KEY
-%commit
-EOF
+ ln -s /dev/urandom /dev/random
+ # again
+ check
+ if [ "$GPG_MAJOR_VERSION" == 1 ]; then
+ generate_key_v1 $homedir
+ else
+ generate_key_v2 $homedir
+ fi
+ check
+ mv -f /dev/random.preserve /dev/random
check
- rm -f /dev/random
- mknod /dev/random c 1 8
else
# Update GPG UID
MESSAGE=$"Updating GPG keys"
break
fi
done < <(
- gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
+ $GPG --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
--no-default-keyring \
--secret-keyring=$PLC_ROOT_GPG_KEY \
--keyring=$PLC_ROOT_GPG_KEY_PUB \
IFS=$OLDIFS
# Add a new UID if appropriate. GPG will detect and merge duplicates.
- gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
+ $GPG --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
--no-default-keyring \
--secret-keyring=$PLC_ROOT_GPG_KEY \
--keyring=$PLC_ROOT_GPG_KEY_PUB \
# Install the key in the RPM database
mkdir -p /etc/pki/rpm-gpg
- gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
+ $GPG --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
--no-default-keyring \
--secret-keyring=$PLC_ROOT_GPG_KEY \
--keyring=$PLC_ROOT_GPG_KEY_PUB \
git://git.onelab.eu / myplc.git / blobdiff