From: "Robin H. Johnson" <robbat2@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Robin H. Johnson" <robbat2@gentoo.org>
Message-ID: <1556908008.99ceddc02672cbca6e530dbca4cd804e00e4b8d1.robbat2@gentoo>
Subject: [gentoo-commits] proj/qa-scripts:master commit in: /
X-VCS-Repository: proj/qa-scripts
X-VCS-Files: create-dev-keyrings.bash keyrings-export.bash keyrings.inc.bash
X-VCS-Directories: /
X-VCS-Committer: robbat2
X-VCS-Committer-Name: Robin H. Johnson
X-VCS-Revision: 99ceddc02672cbca6e530dbca4cd804e00e4b8d1
X-VCS-Branch: master
Date: Fri,  3 May 2019 18:27:01 +0000 (UTC)

commit:     99ceddc02672cbca6e530dbca4cd804e00e4b8d1
Author:     Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
AuthorDate: Fri May  3 18:26:39 2019 +0000
Commit:     Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
CommitDate: Fri May  3 18:26:48 2019 +0000
URL:        https://gitweb.gentoo.org/proj/qa-scripts.git/commit/?id=99ceddc0

keyrings: prepare to split out keyring export for faster cycles

Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org>

 create-dev-keyrings.bash                      | 90 +++------------------------
 keyrings-export.bash                          | 33 ++++++++++
 create-dev-keyrings.bash => keyrings.inc.bash | 49 +++------------
 3 files changed, 48 insertions(+), 124 deletions(-)

diff --git a/create-dev-keyrings.bash b/create-dev-keyrings.bash
index 1a9fd76..3f65550 100755
--- a/create-dev-keyrings.bash
+++ b/create-dev-keyrings.bash
@@ -1,91 +1,15 @@
 #!/bin/bash
+# Import key updates from Keyservers
+#
+# TODO:
+# - Turn off export in this script
 
 OUTPUT_DIR=${1:-.}
-
-DEV_BASE='ou=devs,dc=gentoo,dc=org'
-SYSTEM_BASE='ou=system,dc=gentoo,dc=org'
-
-COMMIT_RULE='(&(gentooAccess=git.gentoo.org/repo/gentoo.git)(gentooStatus=active))'
-NONCOMMIT_RULE='(&(!(gentooAccess=git.gentoo.org/repo/gentoo.git))(gentooStatus=active))'
-RETIRED_RULE='(!(gentooStatus=active))'
-
-KS_GENTOO=hkps://keys.gentoo.org/
-KS_SKS=hkps://hkps.pool.sks-keyservers.net/
-
-GPG_TMPDIR=$(mktemp -d)
-clean_tmp() {
-	rm -rf "$GPG_TMPDIR"
-}
-
-# grab_ldap_fingerprints <ldap-rule>
-grab_ldap_fingerprints() {
-	ldapsearch "${@}" -Z gpgfingerprint -LLL |
-		sed -n -e '/^gpgfingerprint: /{s/^.*://;s/ //g;p}' |
-		sort -u |
-		grep -v undefined
-}
-
-# grab_keys <fingerprint>...
-grab_keys() {
-	local retries=0
-	local missing=()
-	local remaining=( "${@}" )
-
-	while :; do
-		timeout 5m  gpg --keyserver $KS_GENTOO -q --recv-keys "${remaining[@]}" || :
-		timeout 20m gpg --keyserver $KS_SKS -q --recv-keys "${remaining[@]}" || :
-		missing=()
-		for key in "${remaining[@]}"; do
-			gpg --list-public "${key}" &>/dev/null || missing+=( "${key}" )
-		done
-
-		[[ ${#missing[@]} -ne 0 ]] || break
-
-		# if we did not make progress, give it a few seconds and retry
-		if [[ ${#missing[@]} -eq ${#remaining[@]} ]]; then
-			if [[ $(( retries++ )) -gt 3 ]]; then
-				echo "Unable to fetch the following keys:"
-				printf '%s\n' "${missing[@]}"
-				break # if we hard-exit, the entire export will fail
-			fi
-			sleep 5
-		fi
-
-		remaining=( "${missing[@]}" )
-	done
-}
-
-# push_keys <fingerprint>...
-push_keys() {
-	# Only send keys that we have
-	local remaining=( $(gpg --with-colon --list-public "${@}" | sed -n '/^pub/{n; /fpr/p }' |cut -d: -f10) )
-	timeout 5m  gpg --keyserver $KS_GENTOO -q --send-keys "${remaining[@]}" || :
-	#timeout 5m  gpg --keyserver $KS_SKS -q --send-keys "${remaining[@]}" || :
-}
-
-export_keys() {
-	DST="$1"
-	TMP="${GPG_TMPDIR}"/$(basename "${DST}")
-	# Must not exist, otherwise GPG will give error
-	[[ -f "${TMP}" ]] && rm -f "${TMP}"
-	# 'gpg --export' returns zero if there was no error with the command itself
-	# If there are no keys in the export set, then it ALSO does not write the destination file
-	# and prints 'gpg: WARNING: nothing exported' to stderr
-	if gpg --output "$TMP" --export "${@}" && test -s "${TMP}"; then
-		chmod a+r "${TMP}"
-		mv "${TMP}" "${DST}"
-	else
-		echo "Unable to export keys to $DST"
-		exit 1
-	fi
-}
+BASEDIR="$(dirname "$0")"
+source "${BASEDIR}"/keyrings.inc.bash
 
 set -e
-
-COMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${COMMIT_RULE}") )
-NONCOMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${NONCOMMIT_RULE}") )
-RETIRED_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${RETIRED_RULE}") )
-SYSTEM_KEYS=( $(grab_ldap_fingerprints -b "${SYSTEM_BASE}" "${NONCOMMIT_RULE}") )
+export_ldap_data_to_env
 
 grab_keys "${SYSTEM_KEYS[@]}"
 export_keys "${OUTPUT_DIR}"/service-keys.gpg \
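Review bot: `source "${BASEDIR}"/keyrings.inc.bash` on the new side runs before `set -e` is enabled two lines later, so a missing or unreadable include (and a failed `mktemp -d` inside it) is not fatal at that point; the script only dies later with a command-not-found for `export_ldap_data_to_env`. Moving `set -e` up to directly after `OUTPUT_DIR=${1:-.}` makes the include load fail-fast; keyrings-export.bash has the same ordering and needs the same move. The new header TODO says export is to be turned off here, yet the `export_keys` calls below remain, so both scripts currently write the same keyrings; a comment such as `# NOTE: export still happens here as well as in keyrings-export.bash` would make that interim state explicit. The body of this script continues past the hunk.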

diff --git a/keyrings-export.bash b/keyrings-export.bash
new file mode 100755
index 0000000..06f5bab
--- /dev/null
+++ b/keyrings-export.bash
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Export keys to keyrings
+#
+# TODO:
+# - only run the export if there was really a change
+# - requires keeping state to detect changes in keys, there is no usable mtime data in a key itself
+
+OUTPUT_DIR=${1:-.}
+BASEDIR="$(dirname "$0")"
+source "${BASEDIR}"/keyrings.inc.bash
+
+set -e
+export_ldap_data_to_env
+
+export_keys "${OUTPUT_DIR}"/service-keys.gpg \
+	"${SYSTEM_KEYS[@]}"
+
+export_keys "${OUTPUT_DIR}"/committing-devs.gpg \
+	"${COMMITTING_DEVS[@]}"
+
+export_keys "${OUTPUT_DIR}"/active-devs.gpg \
+	"${COMMITTING_DEVS[@]}" \
+	"${NONCOMMITTING_DEVS[@]}"
+
+export_keys "${OUTPUT_DIR}"/retired-devs.gpg \
+	"${RETIRED_DEVS[@]}"
+
+# Everybody together now
+export_keys "${OUTPUT_DIR}"/all-devs.gpg \
+	"${SYSTEM_KEYS[@]}" \
+	"${COMMITTING_DEVS[@]}" \
+	"${NONCOMMITTING_DEVS[@]}" \
+	"${RETIRED_DEVS[@]}"
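Review bot: This script exports independently of the import in create-dev-keyrings.bash, but as far as the export_keys body visible among the first file's removed lines shows, it only checks that the output file is non-empty (`test -s`), not that every requested fingerprint was present in the local keyring; `gpg --export` silently skips fingerprints it does not hold, so after a partial or skipped import the published committing-devs.gpg or all-devs.gpg can be missing keys without this script reporting anything. Since this script has no visibility into grab_keys results, a per-export count check in export_keys would surface that, e.g. comparing `gpg --with-colons --list-public "${@:2}" | grep -c '^pub:'` against `$(( $# - 1 ))` and warning on a mismatch. export_keys itself is defined in keyrings.inc.bash, outside this hunk.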

diff --git a/create-dev-keyrings.bash b/keyrings.inc.bash
old mode 100755
new mode 100644
similarity index 63%
copy from create-dev-keyrings.bash
copy to keyrings.inc.bash
index 1a9fd76..052550d
--- a/create-dev-keyrings.bash
+++ b/keyrings.inc.bash
@@ -1,7 +1,5 @@
 #!/bin/bash
 
-OUTPUT_DIR=${1:-.}
-
 DEV_BASE='ou=devs,dc=gentoo,dc=org'
 SYSTEM_BASE='ou=system,dc=gentoo,dc=org'
 
@@ -16,6 +14,7 @@ GPG_TMPDIR=$(mktemp -d)
 clean_tmp() {
 	rm -rf "$GPG_TMPDIR"
 }
+trap clean_tmp EXIT
 
 # grab_ldap_fingerprints <ldap-rule>
 grab_ldap_fingerprints() {
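Review bot: `trap clean_tmp EXIT` is installed at source time, so it overwrites any EXIT trap the sourcing script has set and runs `rm -rf "$GPG_TMPDIR"` on every exit path, including the case where `GPG_TMPDIR=$(mktemp -d)` (the hunk-header line) failed before the callers enable `set -e` and left the variable empty. Guarding the removal as `rm -rf -- "${GPG_TMPDIR:?}"` turns that into a loud failure instead of a silent no-op, and the mktemp result should be checked where it is assigned. A one-line comment above the trap, `# installed on behalf of the sourcing script; replaces any EXIT trap it set`, documents the side effect of sourcing this file. clean_tmp's body is context here and the GPG_TMPDIR assignment is outside the hunk.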
@@ -80,42 +79,10 @@ export_keys() {
 	fi
 }
 
-set -e
-
-COMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${COMMIT_RULE}") )
-NONCOMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${NONCOMMIT_RULE}") )
-RETIRED_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${RETIRED_RULE}") )
-SYSTEM_KEYS=( $(grab_ldap_fingerprints -b "${SYSTEM_BASE}" "${NONCOMMIT_RULE}") )
-
-grab_keys "${SYSTEM_KEYS[@]}"
-export_keys "${OUTPUT_DIR}"/service-keys.gpg \
-	"${SYSTEM_KEYS[@]}"
-
-grab_keys "${COMMITTING_DEVS[@]}"
-export_keys "${OUTPUT_DIR}"/committing-devs.gpg \
-	"${COMMITTING_DEVS[@]}"
-
-grab_keys "${NONCOMMITTING_DEVS[@]}"
-export_keys "${OUTPUT_DIR}"/active-devs.gpg \
-	"${COMMITTING_DEVS[@]}" \
-	"${NONCOMMITTING_DEVS[@]}"
-
-# -- not all are on keyservers
-# -- and are unlikely to turn up now
-# -- this needs to fetch from some archive instead
-#grab_keys "${RETIRED_DEVS[@]}"
-export_keys "${OUTPUT_DIR}"/retired-devs.gpg \
-	"${RETIRED_DEVS[@]}"
-
-# Everybody together now
-export_keys "${OUTPUT_DIR}"/all-devs.gpg \
-	"${SYSTEM_KEYS[@]}" \
-	"${COMMITTING_DEVS[@]}" \
-	"${NONCOMMITTING_DEVS[@]}" \
-	"${RETIRED_DEVS[@]}"
-
-# Populate keys.gentoo.org with the keys we have, since they might have come from SKS
-push_keys "${SYSTEM_KEYS[@]}"
-push_keys "${COMMITTING_DEVS[@]}"
-push_keys "${NONCOMMITTING_DEVS[@]}"
-push_keys "${RETIRED_DEVS[@]}"
+# populate common variables
+export_ldap_data_to_env() {
+	export COMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${COMMIT_RULE}") )
+	export NONCOMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${NONCOMMIT_RULE}") )
+	export RETIRED_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${RETIRED_RULE}") )
+	export SYSTEM_KEYS=( $(grab_ldap_fingerprints -b "${SYSTEM_BASE}" "${NONCOMMIT_RULE}") )
+}
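Review bot: The `export` prefix on the four array assignments masks the exit status of the `$(grab_ldap_fingerprints …)` substitutions (the statement's status becomes that of `export`, i.e. 0), so under the `set -e` both calling scripts enable before calling this function an LDAP failure no longer aborts the run the way the removed top-level assignments did. The consequence is serious for a keyring builder: a query that fails or returns nothing leaves the array empty, and export_keys then runs `gpg --export` with no fingerprints, which exports the entire local keyring into that file, e.g. retired keys into committing-devs.gpg. Arrays cannot be passed to child processes through the environment in any case, so `export` buys nothing here; write the four lines as plain assignments, `COMMITTING_DEVS=( $(grab_ldap_fingerprints -b "${DEV_BASE}" "${COMMIT_RULE}") )` and likewise for the other three, and let `set -e` stop the run. A second guard belongs in export_keys (outside this hunk): refuse to run with no fingerprints, `(( $# >= 2 )) || { echo "no fingerprints given for $1" >&2; exit 1; }`. The callers are create-dev-keyrings.bash and keyrings-export.bash, both of which invoke this function right after `set -e`.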