From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 69015138334 for ; Sat, 4 May 2019 03:22:32 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 765D0E0837; Sat, 4 May 2019 03:22:31 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id E706CE0837 for ; Sat, 4 May 2019 03:22:30 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id DBB17343452 for ; Sat, 4 May 2019 03:22:28 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 9706B57F for ; Sat, 4 May 2019 03:22:26 +0000 (UTC) 
From: "Robin H. Johnson" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Robin H. Johnson" Message-ID: <1556940135.daec48a7895d7a4b04d55ddf35397fb07b48f68b.robbat2@gentoo> Subject: [gentoo-commits] proj/qa-scripts:master commit in: / X-VCS-Repository: proj/qa-scripts X-VCS-Files: create-dev-keyrings.bash keyrings-export-keys.gentoo.org.bash keyrings-import-keys.gentoo.org.bash keyrings-import-sks.bash keyrings.inc.bash X-VCS-Directories: / X-VCS-Committer: robbat2 X-VCS-Committer-Name: Robin H. Johnson X-VCS-Revision: daec48a7895d7a4b04d55ddf35397fb07b48f68b X-VCS-Branch: master Date: Sat, 4 May 2019 03:22:26 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: a935eb32-81f9-44e7-b814-27d2363492f1 X-Archives-Hash: e83b76f57a546f2f412f20b40f579bcb commit: daec48a7895d7a4b04d55ddf35397fb07b48f68b Author: Robin H. Johnson gentoo org> AuthorDate: Sat May 4 03:22:15 2019 +0000 Commit: Robin H. Johnson gentoo org> CommitDate: Sat May 4 03:22:15 2019 +0000 URL: https://gitweb.gentoo.org/proj/qa-scripts.git/commit/?id=daec48a7 keyrings: prepare to flip to new scripts Signed-off-by: Robin H. Johnson gentoo.org> create-dev-keyrings.bash | 5 +++++ keyrings-export-keys.gentoo.org.bash | 18 ++++++++++++++++++ keyrings-import-keys.gentoo.org.bash | 23 +++++++++++++++++++++++ keyrings-import-sks.bash | 23 +++++++++++++++++++++++ keyrings.inc.bash | 29 +++++++++++++++++++---------- 5 files changed, 88 insertions(+), 10 deletions(-) diff --git a/create-dev-keyrings.bash b/create-dev-keyrings.bash index 3f65550..f2772d8 100755 --- a/create-dev-keyrings.bash +++ b/create-dev-keyrings.bash 
@@ -11,6 +11,9 @@ source "${BASEDIR}"/keyrings.inc.bash
 set -e
 export_ldap_data_to_env
 
+export KEYSERVERS=( "${KS_SKS}" "${KS_GENTOO}" )
+export KEYSERVER_TIMEOUT=20m
+
 grab_keys "${SYSTEM_KEYS[@]}"
 export_keys "${OUTPUT_DIR}"/service-keys.gpg \
 "${SYSTEM_KEYS[@]}"
@@ -39,6 +42,8 @@ export_keys "${OUTPUT_DIR}"/all-devs.gpg \
 "${RETIRED_DEVS[@]}"
 
 # Populate keys.gentoo.org with the keys we have, since they might have come from SKS
+export KEYSERVERS=( "${KS_GENTOO}" )
+export KEYSERVER_TIMEOUT=20m
 push_keys "${SYSTEM_KEYS[@]}"
 push_keys "${COMMITTING_DEVS[@]}"
 push_keys "${NONCOMMITTING_DEVS[@]}"
diff --git a/keyrings-export-keys.gentoo.org.bash b/keyrings-export-keys.gentoo.org.bash
new file mode 100755
index 0000000..38a3478
--- /dev/null
+++ b/keyrings-export-keys.gentoo.org.bash
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Export key updates to Keyservers: keys.gentoo.org
+
+OUTPUT_DIR=${1:-.}
+BASEDIR="$(dirname "$0")"
+source "${BASEDIR}"/keyrings.inc.bash
+
+set -e
+export_ldap_data_to_env
+
+export KEYSERVERS=( "${KS_GENTOO}" )
+export KEYSERVER_TIMEOUT=5m
+
+# Populate keys.gentoo.org with the keys we have, since they might have come from SKS
+push_keys "${SYSTEM_KEYS[@]}"
+push_keys "${COMMITTING_DEVS[@]}"
+push_keys "${NONCOMMITTING_DEVS[@]}"
+push_keys "${RETIRED_DEVS[@]}"
diff --git a/keyrings-import-keys.gentoo.org.bash b/keyrings-import-keys.gentoo.org.bash
new file mode 100755
index 0000000..3328e2c
--- /dev/null
+++ b/keyrings-import-keys.gentoo.org.bash
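Review bot: `export KEYSERVERS=( "${KS_SKS}" "${KS_GENTOO}" )` applies `export` to an array, which bash cannot export to child processes; it only works here because grab_keys and push_keys are functions sourced into the same shell, so the `export` is misleading and should be dropped: `KEYSERVERS=( "${KS_SKS}" "${KS_GENTOO}" )`. The same applies to the second hunk of this file and to the new keyrings-export-keys.gentoo.org.bash and keyrings-import-keys.gentoo.org.bash scripts. Note also that the single `KEYSERVER_TIMEOUT=20m` now bounds the keys.gentoo.org lookup too, where keyrings.inc.bash previously used 5m, so a stalled keys.gentoo.org request now blocks each retry round for 20 minutes; if the old per-server budgets were deliberate, either call grab_keys once per server with its own timeout or keep a per-server timeout alongside KEYSERVERS.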
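Review bot: `OUTPUT_DIR=${1:-.}` in keyrings-export-keys.gentoo.org.bash is assigned but nothing in this script reads it; the only calls are push_keys with key lists. Unless keyrings.inc.bash consumes OUTPUT_DIR on its own (not visible in this diff), drop the line or document the positional argument in the header comment, e.g. `# Usage: keyrings-export-keys.gentoo.org.bash [output-dir]`. The same unused assignment appears in keyrings-import-keys.gentoo.org.bash and keyrings-import-sks.bash.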
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Import key updates from Keyservers: keys.gentoo.org
+#
+# TODO:
+# - Turn off export in this script
+
+OUTPUT_DIR=${1:-.}
+BASEDIR="$(dirname "$0")"
+source "${BASEDIR}"/keyrings.inc.bash
+
+set -e
+export_ldap_data_to_env
+
+export KEYSERVERS=( "${KS_GENTOO}" )
+export KEYSERVER_TIMEOUT=5m
+
+grab_keys "${SYSTEM_KEYS[@]}"
+grab_keys "${COMMITTING_DEVS[@]}"
+grab_keys "${NONCOMMITTING_DEVS[@]}"
+# -- not all are on keyservers
+# -- and are unlikely to turn up now
+# -- this needs to fetch from some archive instead
+grab_keys "${RETIRED_DEVS[@]}"
diff --git a/keyrings-import-sks.bash b/keyrings-import-sks.bash
new file mode 100755
index 0000000..3d04ebc
--- /dev/null
+++ b/keyrings-import-sks.bash
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Import key updates from Keyservers
+#
+# TODO:
+# - Turn off export in this script
+
+OUTPUT_DIR=${1:-.}
+BASEDIR="$(dirname "$0")"
+source "${BASEDIR}"/keyrings.inc.bash
+
+set -e
+export_ldap_data_to_env
+
+export KEYSERVER=( ${KS_SKS} )
+export KEYSERVER_TIMEOUT=20m
+
+grab_keys "${SYSTEM_KEYS[@]}"
+grab_keys "${COMMITTING_DEVS[@]}"
+grab_keys "${NONCOMMITTING_DEVS[@]}"
+# -- not all are on keyservers
+# -- and are unlikely to turn up now
+# -- this needs to fetch from some archive instead
+#grab_keys "${RETIRED_DEVS[@]}"
diff --git a/keyrings.inc.bash b/keyrings.inc.bash
index 052550d..427a6f2 100644
--- a/keyrings.inc.bash
+++ b/keyrings.inc.bash
@@ -9,12 +9,7 @@ RETIRED_RULE='(!(gentooStatus=active))'
 
 KS_GENTOO=hkps://keys.gentoo.org/
 KS_SKS=hkps://hkps.pool.sks-keyservers.net/
-
-GPG_TMPDIR=$(mktemp -d)
-clean_tmp() {
- rm -rf "$GPG_TMPDIR"
-}
-trap clean_tmp EXIT
+KEYSERVERS=( ) # empty by default
 
 # grab_ldap_fingerprints
 grab_ldap_fingerprints() {
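Review bot: `export KEYSERVER=( ${KS_SKS} )` in keyrings-import-sks.bash sets `KEYSERVER`, but grab_keys in keyrings.inc.bash iterates `KEYSERVERS`, which that include now initialises to an empty array; this script therefore loops over no server and fetches nothing from SKS, and because the gpg calls are followed by `|| :` there is no error to notice, so presumably every key just ends up in the missing list. Use the same spelling as the sibling scripts and quote the value so a URL containing glob characters cannot be expanded: `KEYSERVERS=( "${KS_SKS}" )`. The `export` is a no-op for an array and can go at the same time.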
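Review bot: The comment on `KEYSERVERS=( ) # empty by default` in keyrings.inc.bash should state the contract it creates, since with an empty list grab_keys and push_keys iterate nothing and presumably return as if every server had been tried; suggested: `KEYSERVERS=( ) # callers must set this before grab_keys/push_keys; empty means no keyserver is contacted`. Moving the mktemp/trap out of the include into setup_tmp is fine, but it means GPG_TMPDIR is unset until export_keys runs, so any other consumer of GPG_TMPDIR in the rest of this file (not visible in the hunk) needs checking.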
@@ -30,9 +25,11 @@ grab_keys() {
 local missing=()
 local remaining=( "${@}" )
 
+ KEYSERVER_TIMEOUT=${KEYSERVER_TIMEOUT:=1m}
 while :; do
- timeout 5m gpg --keyserver $KS_GENTOO -q --recv-keys "${remaining[@]}" || :
- timeout 20m gpg --keyserver $KS_SKS -q --recv-keys "${remaining[@]}" || :
+ for ks in "${KEYSERVERS[@]}" ; do
+ timeout ${KEYSERVER_TIMEOUT} gpg --keyserver "$ks" -q --recv-keys "${remaining[@]}" || :
+ done
 missing=()
 for key in "${remaining[@]}"; do
 gpg --list-public "${key}" &>/dev/null || missing+=( "${key}" )
@@ -58,12 +55,24 @@ grab_keys() {
 push_keys() {
 # Only send keys that we have
 local remaining=( $(gpg --with-colon --list-public "${@}" | sed -n '/^pub/{n; /fpr/p }' |cut -d: -f10) )
- timeout 5m gpg --keyserver $KS_GENTOO -q --send-keys "${remaining[@]}" || :
- #timeout 5m gpg --keyserver $KS_SKS -q --send-keys "${remaining[@]}" || :
+ KEYSERVER_TIMEOUT=${KEYSERVER_TIMEOUT:=1m}
+ for ks in "${KEYSERVERS[@]}" ; do
+ timeout 5m ${KEYSERVER_TIMEOUT} g --keyserver "$ks" -q --send-keys "${remaining[@]}" || :
+ done
+}
+
+
+clean_tmp() {
+ [ -n "$GPG_TMPDIR" ] && [ -d "$GPG_TMPDIR" ] && rm -rf "$GPG_TMPDIR"
+}
+setup_tmp() {
+ export GPG_TMPDIR=$(mktemp -d)
+ trap clean_tmp EXIT
 }
 
 export_keys() {
 DST="$1"
+ setup_tmp
 TMP="${GPG_TMPDIR}"/$(basename "${DST}")
 # Must not exist, otherwise GPG will give error
 [[ -f "${TMP}" ]] && rm -f "${TMP}"
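Review bot: `for ks in "${KEYSERVERS[@]}"` in grab_keys silently does nothing when KEYSERVERS is empty, which is the default this same file now sets, so a caller that forgets to set it or misspells it gets no error and, as far as the hunk shows, every key simply lands in `missing`; add a guard before the loop, e.g. `(( ${#KEYSERVERS[@]} > 0 )) || { echo "grab_keys: KEYSERVERS is empty" >&2; return 1; }`. `timeout ${KEYSERVER_TIMEOUT}` should be quoted as `timeout "${KEYSERVER_TIMEOUT}"`, and `KEYSERVER_TIMEOUT=${KEYSERVER_TIMEOUT:=1m}` can be written `: "${KEYSERVER_TIMEOUT:=1m}"` since `:=` already performs the assignment. grab_keys continues past the end of this hunk, so how `missing` is reported is not visible here.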
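Review bot: `timeout 5m ${KEYSERVER_TIMEOUT} g --keyserver "$ks" -q --send-keys ...` in push_keys hands the timeout value to `timeout` as the command to run and `g` as its argument, so every iteration fails with a command-not-found status that `|| :` discards, push_keys never uploads a key, and the new keyrings-export-keys.gentoo.org.bash is a silent no-op. The line should read `timeout "${KEYSERVER_TIMEOUT}" gpg --keyserver "$ks" -q --send-keys "${remaining[@]}" || :`. Separately, setup_tmp runs on every export_keys call, and each call allocates a fresh mktemp directory and re-arms the same EXIT trap, so only the last directory is removed and the earlier ones, holding the exported keyrings, are left behind; `export GPG_TMPDIR=$(mktemp -d)` also hides an mktemp failure behind export's zero exit status, after which TMP resolves to `/<basename>`. A setup_tmp that reuses an existing directory and checks mktemp addresses both.
```shell
setup_tmp() {
	# export_keys() may run several times per script: reuse the directory
	# rather than allocating a new one and re-arming the trap each time
	if [ -n "$GPG_TMPDIR" ]; then
		return 0
	fi
	GPG_TMPDIR=$(mktemp -d) || return 1
	export GPG_TMPDIR
	trap clean_tmp EXIT
}
```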