7 # Mark Huang <mlhuang@cs.princeton.edu>
8 # Copyright (C) 2006 The Trustees of Princeton University
# Review notes on this excerpt: the script provisions the PLC root GPG keypair
# (used to sign RPMs and peer API requests). The original listing's line
# numbers are kept in the left column; several closers (fi/done/EOF
# terminators, the removal of the original /dev/random node) fall on lines not
# shown here, so every `NOTE(review)` below is a check to confirm against the
# full script rather than a statement about lines that are visible.
13 # Source function library and configuration
14 . /etc/plc.d/functions
15 . /etc/planetlab/plc_config
# NOTE(review): every PLC_ROOT_GPG_KEY* expansion below is unquoted and never
# checked. If plc_config does not define them, the `[ -f ... ]` tests become
# malformed and the rm/chmod/chown calls run against no file. A fail-closed
# guard right after sourcing would be:
#   : "${PLC_ROOT_GPG_KEY:?}" "${PLC_ROOT_GPG_KEY_PUB:?}"
22 # Make temporary GPG home directory
23 homedir=$(mktemp -d /tmp/gpg.XXXXXX)
# NOTE(review): no cleanup of $homedir (trap / rm -rf) is visible in this
# excerpt. gpg writes per-home state there (e.g. trustdb, and random_seed on
# gpg 1.x); confirm it is removed on every exit path, including the failure
# paths of the mknod and gpg calls below.
25 # in case a previous gpg invocation failed in some weird way
26 # and left behind a zero length gpg key (pub or priv).
# `-f X -a ! -s X` = "exists but is empty". The `-a` operator inside `[` is
# obsolescent and, with unquoted operands, ambiguous; the unambiguous form is
# `[[ -f "$f" && ! -s "$f" ]]`. Same for the `-o` test below.
27 if [ -f $PLC_ROOT_GPG_KEY_PUB -a ! -s $PLC_ROOT_GPG_KEY_PUB ] ; then
28 rm -f $PLC_ROOT_GPG_KEY_PUB
30 if [ -f $PLC_ROOT_GPG_KEY -a ! -s $PLC_ROOT_GPG_KEY ] ; then
31 rm -f $PLC_ROOT_GPG_KEY
# Either keyring file missing -> generate a fresh keypair; otherwise fall
# through to the "Updating GPG keys" branch further down.
34 if [ ! -f $PLC_ROOT_GPG_KEY_PUB -o ! -f $PLC_ROOT_GPG_KEY ] ; then
35 # Generate new GPG keyring
36 MESSAGE=$"Generating GPG keys"
39 mkdir -p $(dirname $PLC_ROOT_GPG_KEY_PUB)
40 mkdir -p $(dirname $PLC_ROOT_GPG_KEY)
42 # Temporarily replace /dev/random with /dev/urandom to
43 # avoid running out of entropy.
# NOTE(review): this swap is host-wide, not scoped to gpg: char device 1,9 is
# urandom and 1,8 is random, so every process that opens /dev/random while the
# key is generated silently gets urandom. If gpg fails, the restoring mknod at
# line 65 is never reached and the host stays swapped; the restore belongs in
# an EXIT trap. On recent kernels /dev/random no longer blocks once seeded, so
# the swap may be unnecessary altogether -- worth re-evaluating. The removal of
# the original node happens on a line not shown here.
46 mknod /dev/random c 1 9
47 # sometimes mknod fails within an improperly setup vserver
# NOTE(review): if this mknod fails after the original node was removed, there
# is no /dev/random at all until the restore; an explicit check here (abort or
# log) is preferable to continuing silently into key generation.
49 gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
55 Name-Real: $PLC_NAME Central
56 Name-Comment: http://$PLC_WWW_HOST/
57 Name-Email: $PLC_MAIL_SUPPORT_ADDRESS
59 %pubring $PLC_ROOT_GPG_KEY_PUB
60 %secring $PLC_ROOT_GPG_KEY
65 mknod /dev/random c 1 8
# Existing keypair found: make sure the configured name / support address /
# web URL is present as a user ID on it (checked below).
68 MESSAGE=$"Updating GPG keys"
71 # Get the current GPG fingerprint and comment
# NOTE(review): `read -a` splits on IFS, so this presumably relies on IFS=':'
# being set on a line not shown -- confirm. In --with-colons output field 5
# (index 4) of a `pub` record is the key ID; the fingerprint proper is on a
# separate `fpr` record. The variable name is therefore misleading, although
# --edit-key accepts a key ID as well.
74 while read -a fields ; do
75 if [ "${fields[0]}" = "pub" ] ; then
76 fingerprint=${fields[4]}
80 gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
81 --no-default-keyring \
82 --secret-keyring=$PLC_ROOT_GPG_KEY \
83 --keyring=$PLC_ROOT_GPG_KEY_PUB \
84 --list-public-keys --with-colons
90 # Add a new UID if appropriate. GPG (v1) will detect and
91 # merge duplicates but this is considered as a bug in GPG2
92 # and we need to check for existence.
# NOTE(review): this existence check lists /etc/planetlab/secring.gpg and
# /etc/planetlab/pubring.gpg literally, while every other gpg call uses
# $PLC_ROOT_GPG_KEY / $PLC_ROOT_GPG_KEY_PUB. If the configured paths differ the
# wrong keyring is inspected and the adduid branch fires on every run. Also:
# the three greps are unanchored regexes built from config values (a `.` in
# PLC_WWW_HOST matches any character; use `grep -F` for literal matching), and
# `$?` at line 102 reflects only the last grep, not the gpg invocation.
93 gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
95 --no-default-keyring \
96 --secret-keyring=/etc/planetlab/secring.gpg \
97 --keyring=/etc/planetlab/pubring.gpg \
98 | grep "$PLC_NAME Central" \
99 | grep "$PLC_MAIL_SUPPORT_ADDRESS" \
100 | grep "http://$PLC_WWW_HOST/"
102 if [ $? -ne 0 ]; then
# The heredoc drives gpg's key editor non-interactively (the editor command
# and the name line sit on lines not shown). Config values are written into
# the command stream verbatim; they come from plc_config and are trusted, but
# a value containing a newline would be read as a further editor command, so
# they should stay validated at the source.
103 gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
104 --no-default-keyring \
105 --secret-keyring=$PLC_ROOT_GPG_KEY \
106 --keyring=$PLC_ROOT_GPG_KEY_PUB \
107 --command-fd 0 --status-fd 1 --edit-key $fingerprint <<EOF
110 $PLC_MAIL_SUPPORT_ADDRESS
111 http://$PLC_WWW_HOST/
119 # Install the key in the RPM database
# Export the armored public key under a name derived from PLC_NAME; only the
# public half is written even though --secret-keyring is passed.
120 mkdir -p /etc/pki/rpm-gpg
121 gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
122 --no-default-keyring \
123 --secret-keyring=$PLC_ROOT_GPG_KEY \
124 --keyring=$PLC_ROOT_GPG_KEY_PUB \
125 --export --armor >"/etc/pki/rpm-gpg/RPM-GPG-KEY-$PLC_NAME"
# NOTE(review): `rpm --allmatches -e gpg-pubkey` removes EVERY key rpm trusts
# (distro/vendor keys included), and the re-import at line 136 trusts every
# file in /etc/pki/rpm-gpg/ with its result discarded. Two consequences worth
# addressing: a failed import leaves the host with no trusted package-signing
# keys at all, and any file dropped into that directory becomes a trusted
# signer. Importing only the key just exported (plus the distro keys
# explicitly) and checking the result is the safer shape.
127 if rpm -q gpg-pubkey ; then
128 rpm --allmatches -e gpg-pubkey
131 # starting with rpm-4.6, this fails when run a second time
132 # it would be complex to do this properly based on the filename,
133 # as /etc/pki/rpm-gpg/ typically has many symlinks to the same file
134 # see also http://fedoranews.org/tchung/gpg/
135 # so just ignore the result
136 rpm --import /etc/pki/rpm-gpg/* || :
139 # Make GPG key readable by apache so that the API can sign peer requests
# NOTE(review): making the apache user the OWNER of the private keyring lets a
# compromised web process not only read but also replace or chmod the root
# signing key. If signing only needs read access (confirm against the API's
# gpg invocation), `chown root:apache` with `chmod 640` keeps the access the
# API needs while denying modification. Also confirm the secring is never
# world-readable between key generation and this chmod (depends on the mode
# gpg creates it with under the script's umask).
140 chown apache $PLC_ROOT_GPG_KEY
141 chmod 644 $PLC_ROOT_GPG_KEY_PUB
142 chmod 600 $PLC_ROOT_GPG_KEY