author | Andrew Cady <d@jerkface.net> | 2016-04-29 07:48:05 -0400 |
---|---|---|
committer | Andrew Cady <d@jerkface.net> | 2016-04-29 07:49:07 -0400 |
commit | d1836ad0ad5ff506522a63b715af3eaef46034e1 (patch) | |
tree | 5965191ddaf12bec80d74034fbeefdf27811ff68 | |
parent | 5825072303098848e16ddd3c4a31b36506ed6430 (diff) |
child generation script: generates tmpfs containing child
-rwxr-xr-x | keygen.sh | 132 |
1 files changed, 74 insertions, 58 deletions
@@ -2,22 +2,22 @@ | |||
2 | 2 | ||
3 | gpg_set_ultimate_trust() | 3 | gpg_set_ultimate_trust() |
4 | { | 4 | { |
5 | local keygrip | 5 | local keygrip |
6 | keygrip=$(gpg -K --with-colons|sed -ne '/^sec:/{p;q}'|cut -d: -f5) | 6 | keygrip=$(gpg -K --with-colons|sed -ne '/^sec:/{p;q}'|cut -d: -f5) || return |
7 | 7 | ||
8 | expect - -- "$keygrip" <<'END' | 8 | expect - -- "$keygrip" <<'END' |
9 | 9 | ||
10 | set keygrip "[lindex $argv 0]" | 10 | set keygrip "[lindex $argv 0]" |
11 | 11 | ||
12 | spawn gpg --edit-key "$keygrip" trust | 12 | spawn gpg --edit-key "$keygrip" trust |
13 | 13 | ||
14 | expect "Your decision?" | 14 | expect "Your decision?" |
15 | send -- "5\n" | 15 | send -- "5\n" |
16 | expect "Do you really want to set this key to ultimate trust?" | 16 | expect "Do you really want to set this key to ultimate trust?" |
17 | send -- "y\n" | 17 | send -- "y\n" |
18 | expect "gpg>" | 18 | expect "gpg>" |
19 | send -- "save\n" | 19 | send -- "save\n" |
20 | send_tty "\r" | 20 | send_tty "\r" |
21 | 21 | ||
22 | END | 22 | END |
23 | } | 23 | } |
@@ -25,82 +25,98 @@ END | |||
25 | add() | 25 | add() |
26 | { | 26 | { |
27 | kiki merge \ | 27 | kiki merge \ |
28 | --flow=sync \ | 28 | --flow=sync \ |
29 | --home${2:+="$2"} \ | 29 | --home${2:+="$2"} \ |
30 | --create=rsa:4096 \ | 30 | --create=rsa:4096 \ |
31 | --flow=spill,match="$1" \ | 31 | --flow=spill,match="$1" \ |
32 | --type=pem \ | 32 | --type=pem \ |
33 | --access=secret \ | 33 | --access=secret \ |
34 | nil | 34 | nil |
35 | } | 35 | } |
36 | 36 | ||
37 | silent() { "$@" >/dev/null 2>&1; } | ||
38 | |||
39 | init() | 37 | init() |
40 | { | 38 | { |
41 | local root="$1" | 39 | local root="$1" |
42 | 40 | ||
43 | if [ "$root" ]; then | 41 | if [ "$root" ]; then |
44 | mkdir -m0600 -p "$root"/root/.gnupg | 42 | mkdir -m0600 -p "$root"/root/.gnupg |
45 | fi | 43 | fi |
46 | 44 | ||
47 | kiki init ${root:+--chroot "$root"} | 45 | kiki init ${root:+--chroot "$root"} |
48 | add encrypt ${root:+"$root/root/.gnupg"} | 46 | add encrypt ${root:+"$root/root/.gnupg"} |
49 | add sign ${root:+"$root/root/.gnupg"} | 47 | add sign ${root:+"$root/root/.gnupg"} |
50 | 48 | ||
51 | ( | 49 | ( |
52 | [ "$root" ] && export GNUPGHOME="$root/root/.gnupg/" | 50 | [ "$root" ] && export GNUPGHOME="$root/root/.gnupg/" |
53 | gpg_set_ultimate_trust | 51 | gpg_set_ultimate_trust |
54 | ) | 52 | ) |
55 | } | 53 | } |
56 | 54 | ||
57 | sync() | 55 | sync() |
58 | { | 56 | { |
59 | local home1="$1"/root/.gnupg home2="$2"/root/.gnupg | 57 | local home1="$1"/root/.gnupg home2="$2"/root/.gnupg |
60 | kiki sync-public \ | 58 | kiki sync-public \ |
61 | --homedir "$home1" \ | 59 | --homedir "$home1" \ |
62 | --passphrase-fd=0 \ | 60 | --passphrase-fd=0 \ |
63 | --import-if-authentic \ | 61 | --import-if-authentic \ |
64 | --autosign \ | 62 | --autosign \ |
65 | --keyrings "$home2"/pubring.gpg | 63 | --keyrings "$home2"/pubring.gpg |
66 | kiki sync-secret \ | 64 | kiki sync-secret \ |
67 | --homedir "$home1" \ | 65 | --homedir "$home1" \ |
68 | --autosign --import | 66 | --autosign --import |
69 | } | 67 | } |
70 | 68 | ||
71 | doublecheck() | 69 | doublecheck() |
72 | { | 70 | { |
73 | gpg2 --clearsign </dev/null | gpg2 --homedir "$1"/root/.gnupg --verify | 71 | gpg2 --clearsign </dev/null | gpg2 --homedir "$1"/root/.gnupg --verify |
74 | gpg2 --clearsign --homedir "$1"/root/.gnupg </dev/null | gpg2 --verify | 72 | gpg2 --clearsign --homedir "$1"/root/.gnupg </dev/null | gpg2 --verify |
75 | } | 73 | } |
76 | 74 | ||
77 | silent() | 75 | silent() |
78 | { | 76 | { |
79 | exec 3>&1 4>&2 | 77 | exec 3>&1 4>&2 |
80 | exec >/dev/null 2>&1 | 78 | exec >/dev/null 2>&1 |
81 | } | 79 | } |
82 | 80 | ||
83 | noisy() | 81 | noisy() |
84 | { | 82 | { |
85 | exec >&3 2>&1 | 83 | exec >&3 2>&1 |
86 | } | 84 | } |
87 | 85 | ||
88 | set -e | 86 | new_child() |
87 | { | ||
88 | local root="$1" | ||
89 | init "$root" | ||
89 | 90 | ||
90 | silent | 91 | sync "$root" '' |
92 | sync '' "$root" | ||
91 | 93 | ||
92 | init | 94 | gpg2 --check-trustdb |
93 | init child | 95 | gpg2 --check-trustdb --homedir "$root"/root/.gnupg |
94 | 96 | ||
95 | sync child '' | 97 | doublecheck "$root" |
96 | sync '' child | 98 | } |
97 | 99 | ||
98 | gpg2 --check-trustdb | ||
99 | gpg2 --check-trustdb --homedir child/root/.gnupg | ||
100 | 100 | ||
101 | doublecheck child | 101 | child_dir=$1 |
102 | 102 | ||
103 | set -e | ||
104 | |||
105 | [ "$(id -u)" = 0 ] | ||
106 | [ "$child_dir" ] | ||
107 | [ ! -d "$child_dir" ] | ||
108 | which expect >/dev/null | ||
109 | |||
110 | mkdir "$child_dir" | ||
111 | trap -- 'umount "$child_dir"; rmdir "$child_dir"' EXIT | ||
112 | mount -t tmpfs -o mode=0700 tmpfs "$child_dir" | ||
113 | |||
114 | silent | ||
115 | init | ||
116 | new_child "$child_dir" | ||
103 | noisy | 117 | noisy |
104 | 118 | ||
105 | gpg2 -k | 119 | trap EXIT |
106 | gpg2 -k --homedir child/root/.gnupg | 120 | |
121 | # gpg2 -k | ||
122 | # gpg2 -k --homedir "$child_dir"/root/.gnupg | ||
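Review bot: The EXIT trap installed at new line 111 runs while stdout and stderr are still pointed at /dev/null if anything between `silent` (new 114) and `noisy` (new 117) fails under `set -e`, so the script exits with no diagnostic at all and any `umount`/`rmdir` error in the cleanup is swallowed too. Opening the saved descriptor before the trap and restoring output inside it keeps the failure path visible: `exec 3>&1` before the `trap` line, then `trap -- 'noisy; umount "$child_dir" && rmdir "$child_dir"' EXIT` (the `&&` also avoids a misleading `rmdir` error when the tmpfs is still mounted; if the mount is busy, presumably by a process the expect session left behind, the key material stays resident and that case still deserves a message). The final `trap EXIT` at new 119 deliberately leaves the tmpfs mounted for the caller, which is worth a one-line comment since it reads like a leak. Minor: `which expect >/dev/null` at new 108 is non-POSIX; `command -v expect >/dev/null` is the portable spelling. In hunk 1, `keygrip=$(gpg -K ... | cut -d: -f5) || return` only sees `cut`'s exit status, so a missing secret key yields an empty keygrip rather than a return; `[ "$keygrip" ] || return` would catch it.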