From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id BC041138334 for ; Mon, 12 Nov 2018 22:11:28 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id C296FE0BAF; Mon, 12 Nov 2018 22:11:27 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 8596DE0BAF for ; Mon, 12 Nov 2018 22:11:27 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id AD0C4335CFA for ; Mon, 12 Nov 2018 22:11:25 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id E3A303CF for ; Mon, 12 Nov 2018 22:11:22 +0000 (UTC) 
From: "Robin H. Johnson" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Robin H. Johnson" Message-ID: <1542060543.f037307d91669bbc1221c27d7e6893ead8fce97a.robbat2@gentoo> Subject: [gentoo-commits] proj/qa-scripts:master commit in: / X-VCS-Repository: proj/qa-scripts X-VCS-Files: create-dev-keyrings.bash X-VCS-Directories: / X-VCS-Committer: robbat2 X-VCS-Committer-Name: Robin H. Johnson X-VCS-Revision: f037307d91669bbc1221c27d7e6893ead8fce97a X-VCS-Branch: master Date: Mon, 12 Nov 2018 22:11:22 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 2fb36c76-f4c4-4da3-88ae-97c1a8874442 X-Archives-Hash: 2dd5f9ca609ce233fcb184f9e488dbce commit: f037307d91669bbc1221c27d7e6893ead8fce97a Author: Robin H. Johnson gentoo org> AuthorDate: Mon Nov 12 22:09:03 2018 +0000 Commit: Robin H. Johnson gentoo org> CommitDate: Mon Nov 12 22:09:03 2018 +0000 URL: https://gitweb.gentoo.org/proj/qa-scripts.git/commit/?id=f037307d create-dev-keyrings: export improvements - Place new keyrings atomically. - Export system/committing/active/retired/all in separate batches Signed-off-by: Robin H. Johnson gentoo.org> create-dev-keyrings.bash | 55 ++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 48 insertions(+), 7 deletions(-) diff --git a/create-dev-keyrings.bash b/create-dev-keyrings.bash index 9bc2fde..01f15b2 100755 --- a/create-dev-keyrings.bash +++ b/create-dev-keyrings.bash @@ -9,6 +9,11 @@ COMMIT_RULE='(&(gentooAccess=git.gentoo.org/repo/gentoo.git)(gentooStatus=active NONCOMMIT_RULE='(&(!(gentooAccess=git.gentoo.org/repo/gentoo.git))(gentooStatus=active))' RETIRED_RULE='(!(gentooStatus=active))' +GPG_TMPDIR=$(mktemp -d) +clean_tmp() { + rm -rf "$GPG_TMPDIR" +} + # grab_ldap_fingerprints grab_ldap_fingerprints() { ldapsearch "${@}" -Z gpgfingerprint -LLL | 
@@ -37,7 +42,7 @@ grab_keys() { if [[ $(( retries++ )) -gt 3 ]]; then echo "Unable to fetch the following keys:" printf '%s\n' "${missing[@]}" - exit 0 # if we exit non-zero, the entire export will fail + break # if we hard-exit, the entire export will fail fi sleep 5 fi 
@@ -46,17 +51,53 @@ grab_keys() { done } +export_keys() { + DST="$1" + TMP="${GPG_TMPDIR}"/$(basename "${DST}") + # Must not exist, otherwise GPG will give error + [[ -f "${TMP}" ]] && rm -f "${TMP}" + # 'gpg --export' returns zero if there was no error with the command itself + # If there are no keys in the export set, then it ALSO does not write the destination file + # and prints 'gpg: WARNING: nothing exported' to stderr + if gpg --output "$TMP" --export "${@}" && test -s "${TMP}"; then + chmod a+r "${DST}" + mv "${TMP}" "${DST}" + else + echo "Unable to export keys to $DST" + exit 1 + fi +} + set -e COMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${COMMIT_RULE}") ) NONCOMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${NONCOMMIT_RULE}") ) -#RETIRED_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${RETIRED_RULE}") ) +RETIRED_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${RETIRED_RULE}") ) SYSTEM_KEYS=( $(grab_ldap_fingerprints -b "${SYSTEM_BASE}" "${NONCOMMIT_RULE}") ) -grab_keys "${COMMITTING_DEVS[@]}" "${NONCOMMITTING_DEVS[@]}" "${SYSTEM_KEYS[@]}" -gpg --export "${COMMITTING_DEVS[@]}" > "${OUTPUT_DIR}"/committing-devs.gpg -gpg --export "${COMMITTING_DEVS[@]}" "${NONCOMMITTING_DEVS[@]}" > "${OUTPUT_DIR}"/active-devs.gpg -gpg --export "${SYSTEM_KEYS[@]}" > "${OUTPUT_DIR}"/service-keys.gpg +grab_keys "${SYSTEM_KEYS[@]}" +export_keys "${OUTPUT_DIR}"/service_keys.gpg \ + "${SYSTEM_KEYS[@]}" + +grab_keys "${COMMITTING_DEVS[@]}" +export_keys "${OUTPUT_DIR}"/committing-devs.gpg \ + "${COMMITTING_DEVS[@]}" + +grab_keys "${NONCOMMITTING_DEVS[@]}" +export_keys "${OUTPUT_DIR}"/active-devs.gpg \ + "${COMMITTING_DEVS[@]}" \ + "${NONCOMMITTING_DEVS[@]}" + # -- not all are on keyservers +# -- and are unlikely to turn up now +# -- this needs to fetch from some archive instead #grab_keys "${RETIRED_DEVS[@]}" -#gpg --export > "${OUTPUT_DIR}"/all-devs.gpg +export_keys "${OUTPUT_DIR}"/retired-devs.gpg \ + "${RETIRED_DEVS[@]}" + +# Everybody together 
now +export_keys "${OUTPUT_DIR}"/all-devs.gpg \ + "${SYSTEM_KEYS[@]}" \ + "${COMMITTING_DEVS[@]}" \ + "${NONCOMMITTING_DEVS[@]}" \ + "${RETIRED_DEVS[@]}"
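Review bot: in the first hunk (`GPG_TMPDIR=$(mktemp -d)` / `clean_tmp()`), `clean_tmp` is defined but nothing in the patch ever calls it or registers it, so the temporary directory is left behind on every run, including the `exit 1` path added later in `export_keys`. Register it right after the definition, e.g. `trap clean_tmp EXIT`, so the directory is removed on both normal and error exits; since `set -e` is only enabled further down, also consider failing explicitly if `mktemp -d` returns an empty string, otherwise `rm -rf "$GPG_TMPDIR"` would run against an empty path.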
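Review bot: in the second hunk (`exit 0` replaced by `break`), the failure is still not surfaced to the caller: the "Unable to fetch the following keys:" message and the key list go to stdout via `echo` and `printf`, and `grab_keys` returns success, so a keyring built with keys missing looks identical to a complete one from the outside. Sending the message to stderr (`>&2`) and having `grab_keys` return a non-zero status that the caller can choose to ignore, or collecting the missing fingerprints so the export step can report them, would let an operator notice that `committing-devs.gpg` or `active-devs.gpg` was published incomplete.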
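Review bot: in the third hunk, `export_keys` sets `DST="$1"` but never runs `shift`, so the `"${@}"` handed to `gpg --output "$TMP" --export "${@}"` still begins with the destination path, which gpg will treat as a key selector; add `shift` after the `DST="$1"` line. Two further points in the same function: `chmod a+r "${DST}"` runs before `mv "${TMP}" "${DST}"`, so it changes the mode of the previous keyring (and fails under `set -e` on a first run when `DST` does not exist yet) rather than the file about to be published; `chmod a+r "${TMP}"` before the `mv` is what the atomicity comment in the commit message intends. Also, `mv` is only an atomic rename when `GPG_TMPDIR` (from a plain `mktemp -d`) and `OUTPUT_DIR` are on the same filesystem; otherwise readers can observe a partially written keyring, so consider `mktemp -d -p "${OUTPUT_DIR}"` or similar. Finally, the output name changes from `service-keys.gpg` to `service_keys.gpg` without being mentioned in the commit message, which looks like a typo and will break any consumer fetching the old name, and `export_keys "${OUTPUT_DIR}"/retired-devs.gpg` is run while `grab_keys "${RETIRED_DEVS[@]}"` stays commented out, so on a keyring with no retired keys present `test -s` fails and the `exit 1` aborts the script before `all-devs.gpg` is written.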