plc.d/gpg

   1 #!/bin/bash
   2 #
   3 # priority: 500
   4 #
   5 # Generate GPG keys
   6 #
   7 # Mark Huang <mlhuang@cs.princeton.edu>
   8 # Copyright (C) 2006 The Trustees of Princeton University
   9 #
  10 # $Id$
  11 #
  12
  13 # Source function library and configuration
  14 . /etc/plc.d/functions
  15 . /etc/planetlab/plc_config
  16
  17 # Be verbose
  18 set -x
  19
  20 case "$1" in
  21     start)
  22         # Make temporary GPG home directory
  23         homedir=$(mktemp -d /tmp/gpg.XXXXXX)
  24
  25         # in case a previous gpg invocation failed in some weird way
  26         # and left behind a zero length gpg key (pub or priv).
  27         if [ -f $PLC_ROOT_GPG_KEY_PUB -a ! -s $PLC_ROOT_GPG_KEY_PUB ] ; then
  28             rm -f $PLC_ROOT_GPG_KEY_PUB
  29         fi
  30         if [ -f $PLC_ROOT_GPG_KEY -a ! -s $PLC_ROOT_GPG_KEY ] ; then
  31             rm -f $PLC_ROOT_GPG_KEY
  32         fi
  33
  34         if [ ! -f $PLC_ROOT_GPG_KEY_PUB -o ! -f $PLC_ROOT_GPG_KEY ] ; then
  35             # Generate new GPG keyring
  36             MESSAGE=$"Generating GPG keys"
  37             dialog "$MESSAGE"
  38
  39             mkdir -p $(dirname $PLC_ROOT_GPG_KEY_PUB)
  40             mkdir -p $(dirname $PLC_ROOT_GPG_KEY)
  41
  42             # Temporarily replace /dev/random with /dev/urandom to
  43             # avoid running out of entropy.
  44             rm -f /dev/random
  45             # 1 9 is /dev/urandom
  46             mknod /dev/random c 1 9
  47             # sometimes mknod fails within an improperly setup vserver
  48             check
  49             gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
  50                 --gen-key <<EOF
  51 Key-Type: DSA
  52 Key-Length: 1024
  53 Subkey-Type: ELG-E
  54 Subkey-Length: 1024
  55 Name-Real: $PLC_NAME Central
  56 Name-Comment: http://$PLC_WWW_HOST/
  57 Name-Email: $PLC_MAIL_SUPPORT_ADDRESS
  58 Expire-Date: 0
  59 %pubring $PLC_ROOT_GPG_KEY_PUB
  60 %secring $PLC_ROOT_GPG_KEY
  61 %commit
  62 EOF
  63             check
  64             rm -f /dev/random
  65             mknod /dev/random c 1 8
  66         else
  67             # Update GPG UID
  68             MESSAGE=$"Updating GPG keys"
  69             dialog "$MESSAGE"
  70
  71             # Get the current GPG fingerprint and comment
  72             OLDIFS=$IFS
  73             IFS=:
  74             while read -a fields ; do
  75                 if [ "${fields[0]}" = "pub" ] ; then
  76                     fingerprint=${fields[4]}
  77                     break
  78                 fi
  79             done < <(
  80                 gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
  81                     --no-default-keyring \
  82                     --secret-keyring=$PLC_ROOT_GPG_KEY \
  83                     --keyring=$PLC_ROOT_GPG_KEY_PUB \
  84                     --list-public-keys --with-colons
  85                 check
  86             )
  87             IFS=$OLDIFS
  88
  89
  90             # Add a new UID if appropriate. GPG (v1) will detect and
  91             # merge duplicates but this is considered as a bug in GPG2
  92             # and we need to check for existence.
  93             gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
  94                 --list-keys \
  95                 --no-default-keyring \
  96                 --secret-keyring=/etc/planetlab/secring.gpg \
  97                 --keyring=/etc/planetlab/pubring.gpg \
  98                 | grep "$PLC_NAME Central" \
  99                 | grep "$PLC_MAIL_SUPPORT_ADDRESS" \
 100                 | grep "http://$PLC_WWW_HOST/"
 101
 102             if [ $? -ne 1 ]; then
 103                 gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
 104                     --no-default-keyring \
 105                     --secret-keyring=$PLC_ROOT_GPG_KEY \
 106                     --keyring=$PLC_ROOT_GPG_KEY_PUB \
 107                     --Command-Fd 0 --status-fd 1 --edit-key $fingerprint <<EOF
 108 adduid
 109 $PLC_NAME Central
 110 $PLC_MAIL_SUPPORT_ADDRESS
 111 http://$PLC_WWW_HOST/
 112 save
 113 EOF
 114             check
 115             fi
 116
 117         fi
 118
 119         # Install the key in the RPM database
 120         mkdir -p /etc/pki/rpm-gpg
 121         gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
 122             --no-default-keyring \
 123             --secret-keyring=$PLC_ROOT_GPG_KEY \
 124             --keyring=$PLC_ROOT_GPG_KEY_PUB \
 125             --export --armor >"/etc/pki/rpm-gpg/RPM-GPG-KEY-$PLC_NAME"
 126         check
 127         if rpm -q gpg-pubkey ; then
 128             rpm --allmatches -e gpg-pubkey
 129             check
 130         fi
 131         # starting with rpm-4.6, this fails when run a second time
 132         # it would be complex to do this properly based on the filename,
 133         # as /etc/pki/rpm-gpg/ typically has many symlinks to the same file
 134         # see also http://fedoranews.org/tchung/gpg/
 135         # so just ignore the result
 136         rpm --import /etc/pki/rpm-gpg/* || :
 137         check
 138
 139         # Make GPG key readable by apache so that the API can sign peer requests
 140         chown apache $PLC_ROOT_GPG_KEY
 141         chmod 644 $PLC_ROOT_GPG_KEY_PUB
 142         chmod 600 $PLC_ROOT_GPG_KEY
 143         check
 144
 145         # Cleanup
 146         rm -rf $homedir
 147
 148         result "$MESSAGE"
 149         ;;
 150 esac
 151
 152 exit $ERRORS