plc.d/gpg

   1 #!/bin/bash
   2 #
   3 # priority: 500
   4 #
   5 # Generate GPG keys
   6 #
   7 # Mark Huang <mlhuang@cs.princeton.edu>
   8 # Copyright (C) 2006 The Trustees of Princeton University
   9 #
  10 # $Id: gpg,v 1.8 2006/12/15 20:16:16 mlhuang Exp $
  11 #
  12
  13 # Source function library and configuration
  14 . /etc/plc.d/functions
  15 . /etc/planetlab/plc_config
  16
  17 # Be verbose
  18 set -x
  19
  20 case "$1" in
  21     start)
  22         # Make temporary GPG home directory
  23         homedir=$(mktemp -d /tmp/gpg.XXXXXX)
  24
  25         if [ ! -f $PLC_ROOT_GPG_KEY_PUB -o ! -f $PLC_ROOT_GPG_KEY ] ; then
  26             # Generate new GPG keyring
  27             MESSAGE=$"Generating GPG keys"
  28             dialog "$MESSAGE"
  29
  30             mkdir -p $(dirname $PLC_ROOT_GPG_KEY_PUB)
  31             mkdir -p $(dirname $PLC_ROOT_GPG_KEY)
  32
  33             # Temporarily replace /dev/random with /dev/urandom to
  34             # avoid running out of entropy.
  35             rm -f /dev/random
  36             mknod /dev/random c 1 9
  37             gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
  38                 --gen-key <<EOF
  39 Key-Type: DSA
  40 Key-Length: 1024
  41 Subkey-Type: ELG-E
  42 Subkey-Length: 1024
  43 Name-Real: $PLC_NAME Central
  44 Name-Comment: http://$PLC_WWW_HOST/
  45 Name-Email: $PLC_MAIL_SUPPORT_ADDRESS
  46 Expire-Date: 0
  47 %pubring $PLC_ROOT_GPG_KEY_PUB
  48 %secring $PLC_ROOT_GPG_KEY
  49 %commit
  50 EOF
  51             check
  52             rm -f /dev/random
  53             mknod /dev/random c 1 8
  54         else
  55             # Update GPG UID
  56             MESSAGE=$"Updating GPG keys"
  57             dialog "$MESSAGE"
  58
  59             # Get the current GPG fingerprint and comment
  60             OLDIFS=$IFS
  61             IFS=:
  62             while read -a fields ; do
  63                 if [ "${fields[0]}" = "pub" ] ; then
  64                     fingerprint=${fields[4]}
  65                     break
  66                 fi
  67             done < <(
  68                 gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
  69                     --no-default-keyring \
  70                     --secret-keyring=$PLC_ROOT_GPG_KEY \
  71                     --keyring=$PLC_ROOT_GPG_KEY_PUB \
  72                     --list-public-keys --with-colons
  73                 check
  74             )
  75             IFS=$OLDIFS
  76
  77             # Add a new UID if appropriate. GPG will detect and merge duplicates.
  78             gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
  79                 --no-default-keyring \
  80                 --secret-keyring=$PLC_ROOT_GPG_KEY \
  81                 --keyring=$PLC_ROOT_GPG_KEY_PUB \
  82                 --command-fd 0 --status-fd 1 --edit-key $fingerprint <<EOF
  83 adduid
  84 $PLC_NAME Central
  85 $PLC_MAIL_SUPPORT_ADDRESS
  86 http://$PLC_WWW_HOST/
  87 save
  88 EOF
  89             check
  90         fi
  91
  92         # Install the key in the RPM database
  93         mkdir -p /etc/pki/rpm-gpg
  94         gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
  95             --no-default-keyring \
  96             --secret-keyring=$PLC_ROOT_GPG_KEY \
  97             --keyring=$PLC_ROOT_GPG_KEY_PUB \
  98             --export --armor >"/etc/pki/rpm-gpg/RPM-GPG-KEY-$PLC_NAME"
  99         check
 100         if rpm -q gpg-pubkey ; then
 101             rpm --allmatches -e gpg-pubkey
 102             check
 103         fi
 104         rpm --import /etc/pki/rpm-gpg/*
 105         check
 106
 107         # Make GPG key readable by apache so that the API can sign peer requests
 108         chown apache $PLC_ROOT_GPG_KEY
 109         chmod 644 $PLC_ROOT_GPG_KEY_PUB
 110         chmod 600 $PLC_ROOT_GPG_KEY
 111         check
 112
 113         # Cleanup
 114         rm -rf $homedir
 115
 116         result "$MESSAGE"
 117         ;;
 118 esac
 119
 120 exit $ERRORS