X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=plc.d%2Fgpg;h=9576c4093d222113f25e97cfc8ebc979cf0219d1;hb=facac6604dd7a4dd781fff92ebf6f9cc3315ac33;hp=48c643e4b67d80f90af52e77cff0964badd79ccd;hpb=c397708d9e9a3a2dbb80856630ace4da0af85e7a;p=myplc.git
diff --git a/plc.d/gpg b/plc.d/gpg
index 48c643e..9576c40 100755
--- a/plc.d/gpg
+++ b/plc.d/gpg
@@ -1,21 +1,34 @@
 #!/bin/bash
 #
-# priority: 500
+# priority: 400
 #
 # Generate GPG keys
 #
 # Mark Huang
 # Copyright (C) 2006 The Trustees of Princeton University
 #
-# $Id: gpg,v 1.5 2006/05/17 22:52:09 mlhuang Exp $
-#
 # Source function library and configuration
 . /etc/plc.d/functions
 . /etc/planetlab/plc_config
+# Be verbose
+set -x
+
 case "$1" in
 start)
+ # Make temporary GPG home directory
+ homedir=$(mktemp -d /tmp/gpg.XXXXXX)
+
+ # in case a previous gpg invocation failed in some weird way
+ # and left behind a zero length gpg key (pub or priv).
+ if [ -f $PLC_ROOT_GPG_KEY_PUB -a ! -s $PLC_ROOT_GPG_KEY_PUB ] ; then
+ rm -f $PLC_ROOT_GPG_KEY_PUB
+ fi
+ if [ -f $PLC_ROOT_GPG_KEY -a ! -s $PLC_ROOT_GPG_KEY ] ; then
+ rm -f $PLC_ROOT_GPG_KEY
+ fi
+
 if [ ! -f $PLC_ROOT_GPG_KEY_PUB -o ! -f $PLC_ROOT_GPG_KEY ] ; then
 # Generate new GPG keyring
 MESSAGE=$"Generating GPG keys"
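Review bot: The new `homedir=$(mktemp -d /tmp/gpg.XXXXXX)` at the top of `start)` is never checked, and the only removal visible on this page is the `rm -rf $homedir` at the very end of the script. If `check` aborts on a failed step (its definition is not shown here), a directory that appears to hold the freshly generated secret keyring would be left behind in /tmp. I would guard the creation and register cleanup right after it: `homedir=$(mktemp -d /tmp/gpg.XXXXXX) || exit 1` followed by `trap 'rm -rf -- "$homedir"' EXIT`. The added zero-length tests also expand `$PLC_ROOT_GPG_KEY_PUB` and `$PLC_ROOT_GPG_KEY` unquoted inside `[ … -a … ]`, which misparses if either is empty or contains spaces; quoting them is enough. The `case` block continues outside this hunk.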
@@ -26,10 +39,22 @@ case "$1" in # Temporarily replace /dev/random with /dev/urandom to # avoid running out of entropy. - rm -f /dev/random - mknod /dev/random c 1 9 - gpg --homedir=/root --no-tty --yes \ - --batch --gen-key <"/etc/pki/rpm-gpg/RPM-GPG-KEY-$PLC_NAME" check if rpm -q gpg-pubkey ; then rpm --allmatches -e gpg-pubkey check fi - rpm --import /etc/pki/rpm-gpg/* + # starting with rpm-4.6, this fails when run a second time + # it would be complex to do this properly based on the filename, + # as /etc/pki/rpm-gpg/ typically has many symlinks to the same file + # see also http://fedoranews.org/tchung/gpg/ + # so just ignore the result + rpm --import /etc/pki/rpm-gpg/* || : check + # Make GPG key readable by apache so that the API can sign peer requests + chown apache $PLC_ROOT_GPG_KEY + chmod 644 $PLC_ROOT_GPG_KEY_PUB + chmod 600 $PLC_ROOT_GPG_KEY + check + + # Cleanup + rm -rf $homedir + result "$MESSAGE" ;; esac
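Review bot: In the added block that makes the key readable by apache, one `check` follows three commands, so a failed `chown apache $PLC_ROOT_GPG_KEY` or `chmod 644` would be hidden by a successful `chmod 600`. This assumes `check` tests the status of the last command, as its placement after single commands elsewhere in the script suggests. Chaining them keeps the first failure visible: `chown apache $PLC_ROOT_GPG_KEY && chmod 644 $PLC_ROOT_GPG_KEY_PUB && chmod 600 $PLC_ROOT_GPG_KEY`. The same applies to `rpm --import /etc/pki/rpm-gpg/* || :`, where the following `check` can never fire and a failed import of the newly generated key goes unnoticed. Handing ownership of the root private key to the web-server account also means any code running as apache can read the signing key, which deserves a comment such as `# NOTE: private key is owned by apache; anything running as apache can sign as this PLC`.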