child generation script: generates tmpfs containing child

author: Andrew Cady <d@jerkface.net> 2016-04-29 07:48:05 -0400
committer: Andrew Cady <d@jerkface.net> 2016-04-29 07:49:07 -0400
commit: d1836ad0ad5ff506522a63b715af3eaef46034e1 (patch)
tree: 5965191ddaf12bec80d74034fbeefdf27811ff68
parent: 5825072303098848e16ddd3c4a31b36506ed6430 (diff)
1 files changed, 74 insertions, 58 deletions
diff --git a/keygen.sh b/keygen.sh
index 005a5a4..716359b 100755
--- a/keygen.sh
+++ b/keygen.sh
@@ -2,22 +2,22 @@
 gpg_set_ultimate_trust()
 {
-        local keygrip
+    local keygrip
-        keygrip=$(gpg -K --with-colons|sed -ne '/^sec:/{p;q}'|cut -d: -f5)
+    keygrip=$(gpg -K --with-colons|sed -ne '/^sec:/{p;q}'|cut -d: -f5) || return
-        expect - -- "$keygrip" <<'END'
+    expect - -- "$keygrip" <<'END'
-                set keygrip "[lindex $argv 0]"
+        set keygrip "[lindex $argv 0]"
-                spawn gpg --edit-key "$keygrip" trust
+        spawn gpg --edit-key "$keygrip" trust
-                expect "Your decision?"
+        expect "Your decision?"
-                send -- "5\n"
+        send -- "5\n"
-                expect "Do you really want to set this key to ultimate trust?"
+        expect "Do you really want to set this key to ultimate trust?"
-                send -- "y\n"
+        send -- "y\n"
-                expect "gpg>"
+        expect "gpg>"
-                send -- "save\n"
+        send -- "save\n"
-                send_tty "\r"
+        send_tty "\r"
 END
 }
@@ -25,82 +25,98 @@ END
 add()
 {
    kiki merge \
-        --flow=sync \
+        --flow=sync \
-        --home${2:+="$2"} \
+        --home${2:+="$2"} \
-        --create=rsa:4096 \
+        --create=rsa:4096 \
-        --flow=spill,match="$1" \
+        --flow=spill,match="$1" \
-        --type=pem \
+        --type=pem \
-        --access=secret \
+        --access=secret \
-        nil
+        nil
 }
-silent() { "$@" >/dev/null 2>&1; }
 init()
 {
-        local root="$1"
+    local root="$1"
-        if [ "$root" ]; then
+    if [ "$root" ]; then
-                mkdir -m0600 -p "$root"/root/.gnupg
+        mkdir -m0600 -p "$root"/root/.gnupg
-        fi
+    fi
-        kiki init   ${root:+--chroot "$root"}
+    kiki init   ${root:+--chroot "$root"}
-        add encrypt ${root:+"$root/root/.gnupg"}
+    add encrypt ${root:+"$root/root/.gnupg"}
-        add sign    ${root:+"$root/root/.gnupg"}
+    add sign    ${root:+"$root/root/.gnupg"}
-        (
+    (
-                [ "$root" ] && export GNUPGHOME="$root/root/.gnupg/"
+        [ "$root" ] && export GNUPGHOME="$root/root/.gnupg/"
-                gpg_set_ultimate_trust
+        gpg_set_ultimate_trust
-        )
+    )
 }
 sync()
 {
-        local home1="$1"/root/.gnupg home2="$2"/root/.gnupg
+    local home1="$1"/root/.gnupg home2="$2"/root/.gnupg
-        kiki sync-public \
+    kiki sync-public \
-                --homedir "$home1" \
+        --homedir "$home1" \
-                --passphrase-fd=0 \
+        --passphrase-fd=0 \
-                --import-if-authentic \
+        --import-if-authentic \
-                --autosign \
+        --autosign \
-                --keyrings "$home2"/pubring.gpg
+        --keyrings "$home2"/pubring.gpg
-        kiki sync-secret \
+    kiki sync-secret \
-                --homedir "$home1" \
+        --homedir "$home1" \
-                --autosign --import
+        --autosign --import
 }
 doublecheck()
 {
-        gpg2 --clearsign </dev/null | gpg2 --homedir "$1"/root/.gnupg --verify
+    gpg2 --clearsign </dev/null | gpg2 --homedir "$1"/root/.gnupg --verify
-        gpg2 --clearsign --homedir "$1"/root/.gnupg </dev/null | gpg2 --verify
+    gpg2 --clearsign --homedir "$1"/root/.gnupg </dev/null | gpg2 --verify
 }
 silent()
 {
-        exec 3>&1 4>&2
+    exec 3>&1 4>&2
-        exec >/dev/null 2>&1
+    exec >/dev/null 2>&1
 }
 noisy()
 {
-        exec >&3 2>&1
+    exec >&3 2>&1
 }
-set -e
+new_child()
+{
+    local root="$1"
+    init "$root"
-silent
+    sync "$root" ''
+    sync '' "$root"
-        init
+    gpg2 --check-trustdb
-        init child
+    gpg2 --check-trustdb --homedir "$root"/root/.gnupg
-        sync child ''
+    doublecheck "$root"
-        sync '' child
+}
-        gpg2 --check-trustdb
-        gpg2 --check-trustdb --homedir child/root/.gnupg
-        doublecheck child
+child_dir=$1
+set -e
+[ "$(id -u)" = 0 ]
+[ "$child_dir" ]
+[ ! -d "$child_dir" ]
+which expect >/dev/null
+mkdir "$child_dir"
+trap -- 'umount "$child_dir"; rmdir "$child_dir"' EXIT
+mount -t tmpfs -o mode=0700 tmpfs "$child_dir"
+silent
+init
+new_child "$child_dir"
 noisy
-gpg2 -k
+trap EXIT
-gpg2 -k --homedir child/root/.gnupg
+# gpg2 -k
+# gpg2 -k --homedir "$child_dir"/root/.gnupg
author	Andrew Cady <d@jerkface.net>	2016-04-29 07:48:05 -0400
committer	Andrew Cady <d@jerkface.net>	2016-04-29 07:49:07 -0400
commit	d1836ad0ad5ff506522a63b715af3eaef46034e1 (patch)
tree	5965191ddaf12bec80d74034fbeefdf27811ff68
parent	5825072303098848e16ddd3c4a31b36506ed6430 (diff)

diff --git a/keygen.sh b/keygen.sh index 005a5a4..716359b 100755 --- a/keygen.sh +++ b/keygen.sh
@@ -2,22 +2,22 @@
2		2
3	gpg_set_ultimate_trust()	3	gpg_set_ultimate_trust()
4	{	4	{
5	local keygrip	5	local keygrip
6	keygrip=$(gpg -K --with-colons\|sed -ne '/^sec:/{p;q}'\|cut -d: -f5)	6	keygrip=$(gpg -K --with-colons\|sed -ne '/^sec:/{p;q}'\|cut -d: -f5) \|\| return
7		7
8	expect - -- "$keygrip" <<'END'	8	expect - -- "$keygrip" <<'END'
9		9
10	set keygrip "[lindex $argv 0]"	10	set keygrip "[lindex $argv 0]"
11		11
12	spawn gpg --edit-key "$keygrip" trust	12	spawn gpg --edit-key "$keygrip" trust
13		13
14	expect "Your decision?"	14	expect "Your decision?"
15	send -- "5\n"	15	send -- "5\n"
16	expect "Do you really want to set this key to ultimate trust?"	16	expect "Do you really want to set this key to ultimate trust?"
17	send -- "y\n"	17	send -- "y\n"
18	expect "gpg>"	18	expect "gpg>"
19	send -- "save\n"	19	send -- "save\n"
20	send_tty "\r"	20	send_tty "\r"
21		21
22	END	22	END
23	}	23	}
@@ -25,82 +25,98 @@ END
25	add()	25	add()
26	{	26	{
27	kiki merge \	27	kiki merge \
28	--flow=sync \	28	--flow=sync \
29	--home${2:+="$2"} \	29	--home${2:+="$2"} \
30	--create=rsa:4096 \	30	--create=rsa:4096 \
31	--flow=spill,match="$1" \	31	--flow=spill,match="$1" \
32	--type=pem \	32	--type=pem \
33	--access=secret \	33	--access=secret \
34	nil	34	nil
35	}	35	}
36		36
37	silent() { "$@" >/dev/null 2>&1; }
38
39	init()	37	init()
40	{	38	{
41	local root="$1"	39	local root="$1"
42		40
43	if [ "$root" ]; then	41	if [ "$root" ]; then
44	mkdir -m0600 -p "$root"/root/.gnupg	42	mkdir -m0600 -p "$root"/root/.gnupg
45	fi	43	fi
46		44
47	kiki init ${root:+--chroot "$root"}	45	kiki init ${root:+--chroot "$root"}
48	add encrypt ${root:+"$root/root/.gnupg"}	46	add encrypt ${root:+"$root/root/.gnupg"}
49	add sign ${root:+"$root/root/.gnupg"}	47	add sign ${root:+"$root/root/.gnupg"}
50		48
51	(	49	(
52	[ "$root" ] && export GNUPGHOME="$root/root/.gnupg/"	50	[ "$root" ] && export GNUPGHOME="$root/root/.gnupg/"
53	gpg_set_ultimate_trust	51	gpg_set_ultimate_trust
54	)	52	)
55	}	53	}
56		54
57	sync()	55	sync()
58	{	56	{
59	local home1="$1"/root/.gnupg home2="$2"/root/.gnupg	57	local home1="$1"/root/.gnupg home2="$2"/root/.gnupg
60	kiki sync-public \	58	kiki sync-public \
61	--homedir "$home1" \	59	--homedir "$home1" \
62	--passphrase-fd=0 \	60	--passphrase-fd=0 \
63	--import-if-authentic \	61	--import-if-authentic \
64	--autosign \	62	--autosign \
65	--keyrings "$home2"/pubring.gpg	63	--keyrings "$home2"/pubring.gpg
66	kiki sync-secret \	64	kiki sync-secret \
67	--homedir "$home1" \	65	--homedir "$home1" \
68	--autosign --import	66	--autosign --import
69	}	67	}
70		68
71	doublecheck()	69	doublecheck()
72	{	70	{
73	gpg2 --clearsign </dev/null \| gpg2 --homedir "$1"/root/.gnupg --verify	71	gpg2 --clearsign </dev/null \| gpg2 --homedir "$1"/root/.gnupg --verify
74	gpg2 --clearsign --homedir "$1"/root/.gnupg </dev/null \| gpg2 --verify	72	gpg2 --clearsign --homedir "$1"/root/.gnupg </dev/null \| gpg2 --verify
75	}	73	}
76		74
77	silent()	75	silent()
78	{	76	{
79	exec 3>&1 4>&2	77	exec 3>&1 4>&2
80	exec >/dev/null 2>&1	78	exec >/dev/null 2>&1
81	}	79	}
82		80
83	noisy()	81	noisy()
84	{	82	{
85	exec >&3 2>&1	83	exec >&3 2>&1
86	}	84	}
87		85
88	set -e	86	new_child()
		87	{
		88	local root="$1"
		89	init "$root"
89		90
90	silent	91	sync "$root" ''
		92	sync '' "$root"
91		93
92	init	94	gpg2 --check-trustdb
93	init child	95	gpg2 --check-trustdb --homedir "$root"/root/.gnupg
94		96
95	sync child ''	97	doublecheck "$root"
96	sync '' child	98	}
97		99
98	gpg2 --check-trustdb
99	gpg2 --check-trustdb --homedir child/root/.gnupg
100		100
101	doublecheck child	101	child_dir=$1
102		102
		103	set -e
		104
		105	[ "$(id -u)" = 0 ]
		106	[ "$child_dir" ]
		107	[ ! -d "$child_dir" ]
		108	which expect >/dev/null
		109
		110	mkdir "$child_dir"
		111	trap -- 'umount "$child_dir"; rmdir "$child_dir"' EXIT
		112	mount -t tmpfs -o mode=0700 tmpfs "$child_dir"
		113
		114	silent
		115	init
		116	new_child "$child_dir"
103	noisy	117	noisy
104		118
105	gpg2 -k	119	trap EXIT
106	gpg2 -k --homedir child/root/.gnupg	120
		121	# gpg2 -k
		122	# gpg2 -k --homedir "$child_dir"/root/.gnupg