Setting tag myplc-5.3-5
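#!/bin/bash
#
# priority: 400
#
# Generate GPG keys
#
# Mark Huang <mlhuang@cs.princeton.edu>
# Copyright (C) 2006 The Trustees of Princeton University
#
# On "start": creates the PLC root GPG key pair when either half is
# missing, otherwise adds the configured name/e-mail/URL as a UID on the
# existing key. It then exports the public key to /etc/pki/rpm-gpg,
# re-imports the RPM keys and sets ownership/modes on the key files.
# Exits with $ERRORS, which is maintained by the sourced function library.
#

# Source function library and configuration
. /etc/plc.d/functions
. /etc/planetlab/plc_config

# Be verbose
set -x

# State shared with gpg_cleanup.
homedir=
random_swapped=0

# Undo the temporary system changes made by "start". Installed as an EXIT
# trap so that an early exit or an interrupted run neither leaves
# /dev/random pointing at /dev/urandom nor leaves the scratch GPG home
# directory behind in /tmp.
# NOTE(review): this replaces any EXIT trap set by /etc/plc.d/functions,
# which is not visible here - confirm it sets none.
gpg_cleanup ()
{
    if [ "$random_swapped" = 1 ] ; then
        if [ -e /dev/random.preserve ] ; then
            mv -f /dev/random.preserve /dev/random
        fi
        random_swapped=0
    fi
    if [ -n "$homedir" ] ; then
        rm -rf -- "$homedir"
        homedir=
    fi
}

case "$1" in
    start)
        trap gpg_cleanup EXIT

        # Make temporary GPG home directory. Stop if that fails: an empty
        # --homedir would otherwise be handed to every gpg call below.
        homedir=$(mktemp -d /tmp/gpg.XXXXXX) || { echo "Cannot create temporary GPG home directory - exiting" ; exit 1; }

        # Options common to every gpg invocation, and the options selecting
        # the PLC root keyrings instead of the default ones.
        gpg_opts=(--homedir="$homedir" --no-permission-warning --batch --no-tty --yes)
        keyring_opts=(--no-default-keyring
                      --secret-keyring="$PLC_ROOT_GPG_KEY"
                      --keyring="$PLC_ROOT_GPG_KEY_PUB")

        # in case a previous gpg invocation failed in some weird way
        # and left behind a zero length gpg key (pub or priv).
        if [ -f "$PLC_ROOT_GPG_KEY_PUB" ] && [ ! -s "$PLC_ROOT_GPG_KEY_PUB" ] ; then
            rm -f -- "$PLC_ROOT_GPG_KEY_PUB"
        fi
        if [ -f "$PLC_ROOT_GPG_KEY" ] && [ ! -s "$PLC_ROOT_GPG_KEY" ] ; then
            rm -f -- "$PLC_ROOT_GPG_KEY"
        fi

        if [ ! -f "$PLC_ROOT_GPG_KEY_PUB" ] || [ ! -f "$PLC_ROOT_GPG_KEY" ] ; then
            # Generate new GPG keyring
            MESSAGE=$"Generating GPG keys"
            dialog "$MESSAGE"

            mkdir -p "$(dirname "$PLC_ROOT_GPG_KEY_PUB")"
            mkdir -p "$(dirname "$PLC_ROOT_GPG_KEY")"

            # Temporarily replace /dev/random with /dev/urandom to
            # avoid running out of entropy.
            # (1 9 is /dev/urandom, 1 8 is /dev/random)
            #
            # a former version of this was rm'ing /dev/random and re-creating it afterwards
            # however in 1.0.4 libvirt won't allow the use of mknod at all, so let's work around that
            # by moving things around instead
            #
            # The swap is host-wide: every process that opens /dev/random
            # while gpg runs gets /dev/urandom as well.
            #
            # if we find this file it's probably that a previous run has failed..
            # The preserved node is a character device (or, after a botched
            # run, a symlink), so the test must be -e/-L: -f only matches
            # regular files and would let the mv below overwrite the real
            # device node with the symlink, making the swap permanent.
            if [ -e /dev/random.preserve ] || [ -L /dev/random.preserve ] ; then
                echo "Unexpected file /dev/random.preserve - exiting"
                exit 1
            fi
            # From here on gpg_cleanup restores the node if we exit early.
            random_swapped=1
            mv -f /dev/random /dev/random.preserve
            # doesn't hurt to check
            check
            ln -s /dev/urandom /dev/random
            # again
            check
            # NOTE(review): 1024-bit DSA with a 1024-bit ElGamal subkey is
            # well below current key-size recommendations, and this key
            # signs peer requests and is installed as an RPM trust anchor
            # below. Left unchanged because a stronger key type needs a
            # rotation plan for existing peers and nodes.
            # NOTE(review): the PLC_* values are expanded into the batch
            # parameters as-is; they come from plc_config and are assumed
            # to be single-line, administrator-controlled strings.
            gpg "${gpg_opts[@]}" \
                --gen-key <<EOF
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 1024
Name-Real: $PLC_NAME Central
Name-Comment: http://$PLC_WWW_HOST/
Name-Email: $PLC_MAIL_SUPPORT_ADDRESS
Expire-Date: 0
%pubring $PLC_ROOT_GPG_KEY_PUB
%secring $PLC_ROOT_GPG_KEY
%commit
EOF
            check
            mv -f /dev/random.preserve /dev/random
            check
            random_swapped=0
        else
            # Update GPG UID
            MESSAGE=$"Updating GPG keys"
            dialog "$MESSAGE"

            # Get the identifier of the current key. In --with-colons
            # output the fifth field of a "pub" record is the key ID; the
            # variable keeps its historical name "fingerprint".
            # IFS is set for read only, so nothing else is split on ':'.
            fingerprint=
            while IFS=: read -r -a fields ; do
                if [ "${fields[0]}" = "pub" ] ; then
                    fingerprint=${fields[4]}
                    break
                fi
            done < <(
                gpg "${gpg_opts[@]}" "${keyring_opts[@]}" \
                    --list-public-keys --with-colons
                # NOTE(review): this runs in the process-substitution
                # subshell, so any change check makes to ERRORS presumably
                # does not reach the parent shell - confirm against
                # /etc/plc.d/functions.
                check
            )

            # Add a new UID if appropriate. GPG will detect and merge duplicates.
            # The lines below are fed to gpg's command prompt, so the same
            # single-line assumption about the PLC_* values applies here.
            gpg "${gpg_opts[@]}" "${keyring_opts[@]}" \
                --command-fd 0 --status-fd 1 --edit-key "$fingerprint" <<EOF
adduid
$PLC_NAME Central
$PLC_MAIL_SUPPORT_ADDRESS
http://$PLC_WWW_HOST/
save
EOF
            check
        fi

        # Install the key in the RPM database
        mkdir -p /etc/pki/rpm-gpg
        gpg "${gpg_opts[@]}" "${keyring_opts[@]}" \
            --export --armor >"/etc/pki/rpm-gpg/RPM-GPG-KEY-$PLC_NAME"
        check
        # Every previously imported RPM public key is dropped here and the
        # trust set is rebuilt from whatever /etc/pki/rpm-gpg contains, so
        # write access to that directory decides which package signers
        # this host trusts.
        if rpm -q gpg-pubkey ; then
            rpm --allmatches -e gpg-pubkey
            check
        fi
        # starting with rpm-4.6, this fails when run a second time
        # it would be complex to do this properly based on the filename,
        # as /etc/pki/rpm-gpg/ typically has many symlinks to the same file
        # see also http://fedoranews.org/tchung/gpg/
        # so just ignore the result
        # (the "|| :" means the check that follows always sees success)
        rpm --import /etc/pki/rpm-gpg/* || :
        check

        # Make GPG key readable by apache so that the API can sign peer requests.
        # Each step is checked on its own so that a failed chown or chmod
        # is not masked by the command after it.
        chown apache "$PLC_ROOT_GPG_KEY"
        check
        chmod 644 "$PLC_ROOT_GPG_KEY_PUB"
        check
        chmod 600 "$PLC_ROOT_GPG_KEY"
        check

        # Cleanup
        rm -rf -- "$homedir"
        homedir=

        result "$MESSAGE"
        ;;
esac

exit $ERRORS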