Diffstat (limited to 'keyrings-export.bash')
-rwxr-xr-x | keyrings-export.bash | 113 |
1 files changed, 103 insertions, 10 deletions
diff --git a/keyrings-export.bash b/keyrings-export.bash
index 143cda2..42f0b08 100755
--- a/keyrings-export.bash
+++ b/keyrings-export.bash
@@ -6,6 +6,8 @@
 # - requires keeping state to detect changes in keys, there is no usable mtime data in a key itself
 OUTPUT_DIR=${1:-.}
+# Ensure output is absolute
+OUTPUT_DIR=$(readlink -f "${OUTPUT_DIR}")
 BASEDIR="$(dirname "$0")"
 # shellcheck source=./keyrings.inc.bash
 source "${BASEDIR}"/keyrings.inc.bash
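Review bot: `OUTPUT_DIR=$(readlink -f "${OUTPUT_DIR}")` leaves OUTPUT_DIR empty when readlink fails (a nonexistent parent directory, or a platform whose readlink has no `-f`), and no `set -e` is visible in this hunk, so every later `"${OUTPUT_DIR}"/keys/... ` path in the second hunk would silently resolve to `/keys/...`. Fail explicitly instead: `OUTPUT_DIR=$(readlink -f -- "${OUTPUT_DIR}") || exit 1` followed by `: "${OUTPUT_DIR:?could not resolve output directory}"`. The `--` also keeps an argument beginning with `-` from being parsed as an option.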
@@ -16,23 +18,114 @@ export -a COMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${COMMIT_
 export -a NONCOMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${NONCOMMIT_RULE}") )
 export -a RETIRED_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${RETIRED_RULE}") )
 export -a SYSTEM_KEYS=( $(grab_ldap_fingerprints -b "${SYSTEM_BASE}" "${NONCOMMIT_RULE}") )
+export -a INFRA_SYSTEM_KEYS=( $(grab_ldap_fingerprints -b "${SYSTEM_BASE}" "${INFRA_SYSTEM_RULE}") )
+export -a KEYRINGS=( )
-export_keys "${OUTPUT_DIR}"/service-keys.gpg \
- "${SYSTEM_KEYS[@]}"
+export_keys "${OUTPUT_DIR}"/keys/service-keys.gpg \
+ "${SYSTEM_KEYS[@]}" \
+&& KEYRINGS+=( service-keys )
+
+export_keys "${OUTPUT_DIR}"/keys/infra-service-keys.gpg \
+ "${INFRA_SYSTEM_KEYS[@]}" \
+&& KEYRINGS+=( infra-service-keys )
-export_keys "${OUTPUT_DIR}"/committing-devs.gpg \
- "${COMMITTING_DEVS[@]}"
+export_keys "${OUTPUT_DIR}"/keys/committing-devs.gpg \
+ "${COMMITTING_DEVS[@]}" \
+&& KEYRINGS+=( committing-devs )
-export_keys "${OUTPUT_DIR}"/active-devs.gpg \
+export_keys "${OUTPUT_DIR}"/keys/active-devs.gpg \
  "${COMMITTING_DEVS[@]}" \
- "${NONCOMMITTING_DEVS[@]}"
+ "${NONCOMMITTING_DEVS[@]}" \
+&& KEYRINGS+=( active-devs )
-export_keys "${OUTPUT_DIR}"/retired-devs.gpg \
- "${RETIRED_DEVS[@]}"
+export_keys "${OUTPUT_DIR}"/keys/infra-devs.gpg \
+ "${INFRA_DEVS[@]}" \
+&& KEYRINGS+=( infra-devs )
+
+export_keys "${OUTPUT_DIR}"/keys/retired-devs.gpg \
+ "${RETIRED_DEVS[@]}" \
+&& KEYRINGS+=( retired-devs )
 # Everybody together now
-export_keys "${OUTPUT_DIR}"/all-devs.gpg \
+export_keys "${OUTPUT_DIR}"/keys/all-devs.gpg \
+ "${SYSTEM_KEYS[@]}" \
+ "${INFRA_SYSTEM_KEYS[@]}" \
+ "${COMMITTING_DEVS[@]}" \
+ "${NONCOMMITTING_DEVS[@]}" \
+ "${INFRA_DEVS[@]}" \
+ "${RETIRED_DEVS[@]}" \
+&& KEYRINGS+=( all-devs )
+
+# TEMPORARY:
+# Verify export-clean vs stock export options.
+export GPG_EXPORT_OPTS=( --export-options export-clean )
+
+export_keys "${OUTPUT_DIR}"/keys/service-keys.export-clean.gpg \
  "${SYSTEM_KEYS[@]}" \
+&& KEYRINGS+=( service-keys.export-clean )
+
+export_keys "${OUTPUT_DIR}"/keys/infra-service-keys.export-clean.gpg \
+ "${INFRA_SYSTEM_KEYS[@]}" \
+&& KEYRINGS+=( infra-service-keys.export-clean )
+
+export_keys "${OUTPUT_DIR}"/keys/committing-devs.export-clean.gpg \
+ "${COMMITTING_DEVS[@]}" \
+&& KEYRINGS+=( committing-devs.export-clean )
+
+export_keys "${OUTPUT_DIR}"/keys/active-devs.export-clean.gpg \
  "${COMMITTING_DEVS[@]}" \
  "${NONCOMMITTING_DEVS[@]}" \
- "${RETIRED_DEVS[@]}"
+&& KEYRINGS+=( active-devs.export-clean )
+
+export_keys "${OUTPUT_DIR}"/keys/infra-devs.export-clean.gpg \
+ "${INFRA_DEVS[@]}" \
+&& KEYRINGS+=( infra-devs.export-clean )
+
+export_keys "${OUTPUT_DIR}"/keys/retired-devs.export-clean.gpg \
+ "${RETIRED_DEVS[@]}" \
+&& KEYRINGS+=( retired-devs.export-clean )
+
+# Everybody together now
+export_keys "${OUTPUT_DIR}"/keys/all-devs.export-clean.gpg \
+ "${SYSTEM_KEYS[@]}" \
+ "${INFRA_SYSTEM_KEYS[@]}" \
+ "${COMMITTING_DEVS[@]}" \
+ "${NONCOMMITTING_DEVS[@]}" \
+ "${INFRA_DEVS[@]}" \
+ "${RETIRED_DEVS[@]}" \
+&& KEYRINGS+=( all-devs.export-clean )
+
+unset GPG_EXPORT_OPTS
+# END TEMPORARY
+
+for key in "${KEYRINGS[@]}" ; do
+ if [[ ! -L "${OUTPUT_DIR}"/${key}.gpg ]] ; then
+ # Compatibility symlink
+ ln -sf "${OUTPUT_DIR}"/keys/${key}.gpg "${OUTPUT_DIR}"/${key}.gpg
+ fi
+
+ if [[ $(date -u +%A) == Monday ]] ; then
+ # We don't want to run on Mondays to avoid last/next week confusion
+ break
+ fi
+
+ timestamp=$(date -u +%Y%m%d-%A -d "last monday")
+
+ if [[ ${timestamp} != *-Monday ]] ; then
+ break
+ fi
+
+ timestamp=${timestamp/-Monday/}
+
+ # Don't clobber existing timestamped keys for this period (weekly)
+ # if we're running several times a day.
+ if [[ -f "${OUTPUT_DIR}"/keys/${key}-${timestamp}.gpg ]] ; then
+ continue
+ fi
+
+ mkdir -p "${OUTPUT_DIR}"/keys
+
+ cp "${OUTPUT_DIR}"/${key}.gpg "${OUTPUT_DIR}"/keys/${key}-${timestamp}.gpg
+done
+
+clean_tmp
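Review bot: The two `break` statements in the `for key in "${KEYRINGS[@]}"` loop exit the whole loop on Mondays (and whenever `date -d "last monday"` does not yield `*-Monday`), so on those days the compatibility symlink is created only for the first keyring and the remaining `${key}.gpg` links are silently skipped. Neither the day check nor the timestamp depends on `key`, so they belong before the loop, with the symlink pass and the weekly-snapshot pass as two separate loops. `%A` is locale-dependent, so the comparison against `Monday` should run under `LC_ALL=C`, and `date -d` is GNU-specific, which deserves a comment. `mkdir -p "${OUTPUT_DIR}"/keys` is only reached inside this loop, after every `export_keys` call has already written into `keys/`; unless `export_keys` (defined outside the hunk, presumably in keyrings.inc.bash) creates that directory itself, the mkdir should move above the first `export_keys` call.
```bash
# … unchanged: LDAP lookups, export_keys calls, TEMPORARY export-clean block …
# … mkdir -p "${OUTPUT_DIR}"/keys moved above the first export_keys call …

for key in "${KEYRINGS[@]}" ; do
  if [[ ! -L "${OUTPUT_DIR}"/${key}.gpg ]] ; then
    # Compatibility symlink
    ln -sf "${OUTPUT_DIR}"/keys/${key}.gpg "${OUTPUT_DIR}"/${key}.gpg
  fi
done

# Weekly snapshots, computed once: nothing below depends on the key, and a
# 'break' inside the symlink loop would skip the remaining symlinks.
# LC_ALL=C so %A is an English day name regardless of the caller's locale;
# 'date -d' is GNU-specific.
if [[ $(LC_ALL=C date -u +%A) != Monday ]] ; then
  # We don't want to run on Mondays to avoid last/next week confusion
  timestamp=$(LC_ALL=C date -u +%Y%m%d-%A -d "last monday")
  if [[ ${timestamp} == *-Monday ]] ; then
    timestamp=${timestamp/-Monday/}
    for key in "${KEYRINGS[@]}" ; do
      # Don't clobber existing timestamped keys for this period (weekly)
      # if we're running several times a day.
      if [[ -f "${OUTPUT_DIR}"/keys/${key}-${timestamp}.gpg ]] ; then
        continue
      fi
      cp "${OUTPUT_DIR}"/${key}.gpg "${OUTPUT_DIR}"/keys/${key}-${timestamp}.gpg
    done
  fi
fi

clean_tmp
```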