From d1836ad0ad5ff506522a63b715af3eaef46034e1 Mon Sep 17 00:00:00 2001
From: Andrew Cady
Date: Fri, 29 Apr 2016 07:48:05 -0400
Subject: child generation script: generates tmpfs containing child

---
 keygen.sh | 132 +++++++++++++++++++++++++++++++++++---------------------------
 1 file changed, 74 insertions(+), 58 deletions(-)

diff --git a/keygen.sh b/keygen.sh
index 005a5a4..716359b 100755
--- a/keygen.sh
+++ b/keygen.sh
@@ -2,22 +2,22 @@
 gpg_set_ultimate_trust() {
- local keygrip
- keygrip=$(gpg -K --with-colons|sed -ne '/^sec:/{p;q}'|cut -d: -f5)
+ local keygrip
+ keygrip=$(gpg -K --with-colons|sed -ne '/^sec:/{p;q}'|cut -d: -f5) || return
- expect - -- "$keygrip" <<'END'
+ expect - -- "$keygrip" <<'END'
- set keygrip "[lindex $argv 0]"
+ set keygrip "[lindex $argv 0]"
- spawn gpg --edit-key "$keygrip" trust
+ spawn gpg --edit-key "$keygrip" trust
- expect "Your decision?"
- send -- "5\n"
- expect "Do you really want to set this key to ultimate trust?"
- send -- "y\n"
- expect "gpg>"
- send -- "save\n"
- send_tty "\r"
+ expect "Your decision?"
+ send -- "5\n"
+ expect "Do you really want to set this key to ultimate trust?"
+ send -- "y\n"
+ expect "gpg>"
+ send -- "save\n"
+ send_tty "\r"
 END
 }
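Review bot: The new `|| return` on the `keygrip=$(…)` line only fires when the last pipeline stage, `cut`, fails; with an empty keyring (`gpg -K` prints no `sec:` record, or fails outright) the substitution returns status 0 with an empty value and `expect` goes on to spawn `gpg --edit-key "" trust`. Guard the value rather than the pipeline status: keep `keygrip=$(gpg -K --with-colons|sed -ne '/^sec:/{p;q}'|cut -d: -f5) || return` and add `[ -n "$keygrip" ] || return` on the next line. Note also that field 5 of a `sec:` record in `--with-colons` output is the long key ID, not the keygrip, so the variable name is misleading even though `--edit-key` accepts a key ID; and the `sed … q` takes whichever secret key is listed first, which is only unambiguous when the homedir holds exactly one.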
@@ -25,82 +25,98 @@ END add() { kiki merge \ - --flow=sync \ - --home${2:+="$2"} \ - --create=rsa:4096 \ - --flow=spill,match="$1" \ - --type=pem \ - --access=secret \ - nil + --flow=sync \ + --home${2:+="$2"} \ + --create=rsa:4096 \ + --flow=spill,match="$1" \ + --type=pem \ + --access=secret \ + nil } -silent() { "$@" >/dev/null 2>&1; } - init() { - local root="$1" + local root="$1" - if [ "$root" ]; then - mkdir -m0600 -p "$root"/root/.gnupg - fi + if [ "$root" ]; then + mkdir -m0600 -p "$root"/root/.gnupg + fi - kiki init ${root:+--chroot "$root"} - add encrypt ${root:+"$root/root/.gnupg"} - add sign ${root:+"$root/root/.gnupg"} + kiki init ${root:+--chroot "$root"} + add encrypt ${root:+"$root/root/.gnupg"} + add sign ${root:+"$root/root/.gnupg"} - ( - [ "$root" ] && export GNUPGHOME="$root/root/.gnupg/" - gpg_set_ultimate_trust - ) + ( + [ "$root" ] && export GNUPGHOME="$root/root/.gnupg/" + gpg_set_ultimate_trust + ) } sync() { - local home1="$1"/root/.gnupg home2="$2"/root/.gnupg - kiki sync-public \ - --homedir "$home1" \ - --passphrase-fd=0 \ - --import-if-authentic \ - --autosign \ - --keyrings "$home2"/pubring.gpg - kiki sync-secret \ - --homedir "$home1" \ - --autosign --import + local home1="$1"/root/.gnupg home2="$2"/root/.gnupg + kiki sync-public \ + --homedir "$home1" \ + --passphrase-fd=0 \ + --import-if-authentic \ + --autosign \ + --keyrings "$home2"/pubring.gpg + kiki sync-secret \ + --homedir "$home1" \ + --autosign --import } doublecheck() { - gpg2 --clearsign &1 4>&2 - exec >/dev/null 2>&1 + exec 3>&1 4>&2 + exec >/dev/null 2>&1 } noisy() { - exec >&3 2>&1 + exec >&3 2>&1 } -set -e +new_child() +{ + local root="$1" + init "$root" -silent + sync "$root" '' + sync '' "$root" - init - init child + gpg2 --check-trustdb + gpg2 --check-trustdb --homedir "$root"/root/.gnupg - sync child '' - sync '' child + doublecheck "$root" +} - gpg2 --check-trustdb - gpg2 --check-trustdb --homedir child/root/.gnupg - doublecheck child +child_dir=$1 +set -e + +[ 
"$(id -u)" = 0 ] +[ "$child_dir" ] +[ ! -d "$child_dir" ] +which expect >/dev/null + +mkdir "$child_dir" +trap -- 'umount "$child_dir"; rmdir "$child_dir"' EXIT +mount -t tmpfs -o mode=0700 tmpfs "$child_dir" + +silent +init +new_child "$child_dir" noisy -gpg2 -k -gpg2 -k --homedir child/root/.gnupg +trap EXIT + +# gpg2 -k +# gpg2 -k --homedir "$child_dir"/root/.gnupg -- cgit v1.2.3
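Review bot: The EXIT trap's `umount "$child_dir"` can fail and, when it does, the tmpfs holding the child's freshly generated private keys stays mounted with nothing reported: the trap runs after `silent` has sent stdout and stderr to /dev/null, and the `gpg2 --check-trustdb` / `gpg --edit-key` invocations against the child homedir will typically have auto-launched a gpg-agent whose socket lives under `$child_dir/root/.gnupg`, which is enough to keep the mount busy. Stop the agent before unmounting and make the failure explicit, e.g. `trap -- 'gpgconf --homedir "$child_dir"/root/.gnupg --kill gpg-agent 2>/dev/null; umount "$child_dir" && rmdir "$child_dir" || echo "warning: $child_dir not cleaned up" >&4' EXIT` (fd 4 is the stderr that `silent` saved, so the message still reaches the terminal on the error path, and the rmdir is skipped when the mount is still in place). Separately, tmpfs pages are swappable, so unless swap is disabled or encrypted the child's secret key material can reach disk; if memory-only storage is the intent of the `mount -t tmpfs` line, say so in a comment there and consider `ramfs`, which cannot be swapped. Also `which expect >/dev/null` is better written `command -v expect >/dev/null`, and the bare `[ … ]` preconditions exit silently under `set -e`, so a one-line message on each would save the caller a guess.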