#!/bin/sh
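#######################################
# Mark the first secret key of the active GnuPG home as ultimately trusted.
# Globals:   GNUPGHOME (read indirectly by gpg/gpg2; the caller picks the home)
# Arguments: none
# Outputs:   diagnostics of gpg2 --import-ownertrust on stderr
# Returns:   1 when no secret-key fingerprint can be extracted, otherwise the
#            status of gpg2 --import-ownertrust
#######################################
gpg_set_ultimate_trust()
{
  local fpr
  # The record after the first "sec" line is that key's "fpr" record, and
  # field 10 of a colon-format fpr record is the fingerprint (the original
  # variable was named "keygrip", but --import-ownertrust takes fingerprints).
  # Assumes the key just created by "add" is the first sec record — TODO
  # confirm when the home already holds other secret keys.
  # NOTE(review): keys are listed with "gpg" but trust is imported with
  # "gpg2"; if those resolve to different GnuPG generations they may not share
  # a secret keyring — confirm both names point at the same binary.
  fpr=$(gpg -K --with-colons --with-fingerprint --with-fingerprint \
    | sed -ne '/^sec/{n;p;q}' | cut -d: -f10)
  if [ -z "$fpr" ]; then
    # Previously an empty result pushed the malformed line ":6:" into gpg2.
    printf 'gpg_set_ultimate_trust: no secret key fingerprint found\n' >&2
    return 1
  fi
  # "6" is the ownertrust level "ultimate" in --export-ownertrust format.
  printf '%s:6:\n' "$fpr" | gpg2 --import-ownertrust
}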
#######################################
# Run "kiki merge" to create an rsa:4096 secret (--create) and spill it as PEM
# (--type=pem --access=secret) to the flow whose match is $1; callers pass
# "encrypt" or "sign". The meaning of kiki's flags is not documented here.
# Arguments: $1 - flow match name
#            $2 - optional home directory; empty/unset keeps the bare --home
# Outputs:   whatever kiki merge prints
# Returns:   status of kiki merge
#######################################
add()
{
  local home_opt='--home'
  # A bare "--home" is passed when no directory was given; otherwise the
  # directory is attached as "--home=DIR" (one word, spaces preserved).
  if [ -n "$2" ]; then
    home_opt="--home=$2"
  fi
  kiki merge --flow=sync "$home_opt" --create=rsa:4096 \
    --flow=spill,match="$1" --type=pem --access=secret nil
}
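#######################################
# Initialise a kiki/GnuPG home, optionally inside a chroot at $1, create the
# "encrypt" and "sign" secrets there and mark its first secret key ultimate.
# Globals:   GNUPGHOME (exported only inside a subshell, for
#            gpg_set_ultimate_trust, so the caller's environment is untouched)
# Arguments: $1 - chroot root directory; empty/unset means the host itself
# Outputs:   whatever kiki / gpg print
# Returns:   status of gpg_set_ultimate_trust (earlier steps abort when the
#            script runs under set -e)
#######################################
init()
{
  local root="$1"
  local home=''
  if [ -n "$root" ]; then
    home="$root/root/.gnupg"
    # 0700, not the previous 0600: a directory needs the search bit to be
    # entered by anyone but root, and a GnuPG home is conventionally private
    # to its owner. With -p the mode applies to the final component only.
    mkdir -m0700 -p "$home"
  fi
  kiki init ${root:+--chroot "$root"}
  add encrypt ${home:+"$home"}
  add sign ${home:+"$home"}
  (
    # Subshell: the exported GNUPGHOME leaks no further than this call.
    [ -n "$home" ] && export GNUPGHOME="$home/"
    gpg_set_ultimate_trust
  )
}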
#######################################
# Synchronise the GnuPG home under $1 from the one under $2: "kiki sync-public"
# with --import-if-authentic and --autosign against $2's pubring.gpg, then
# "kiki sync-secret --autosign --import" on $1's home.
# Arguments: $1 - root of the home being updated ('' means the host's /root)
#            $2 - root whose pubring.gpg is read ('' means the host's /root)
# Inputs:    stdin — kiki sync-public reads its passphrase from fd 0
# Returns:   status of kiki sync-secret
# Note: this function shadows the sync(1) utility for the rest of the script.
#######################################
sync()
{
  local target_home source_home
  target_home="$1/root/.gnupg"
  source_home="$2/root/.gnupg"
  kiki sync-public --homedir "$target_home" --passphrase-fd=0 \
    --import-if-authentic --autosign --keyrings "$source_home/pubring.gpg"
  kiki sync-secret --homedir "$target_home" --autosign --import
}
#######################################
# Cross-check signatures between the host home and the home under $1: a
# clearsign produced with the host home must verify under $1's home and a
# clearsign produced under $1's home must verify with the host home.
# Arguments: $1 - chroot root directory
# Returns:   status of the final gpg2 --verify (without pipefail the status
#            of the clearsign stage is not propagated)
#######################################
doublecheck()
{
  local other_home="$1/root/.gnupg"
  # Host signs an empty message, $1's keyring verifies it.
  gpg2 --clearsign </dev/null | gpg2 --homedir "$other_home" --verify
  # $1 signs an empty message, the host's keyring verifies it.
  gpg2 --clearsign --homedir "$other_home" </dev/null | gpg2 --verify
}
#######################################
# Discard all further stdout/stderr of the script, keeping copies of the
# original streams on fd 3 (stdout) and fd 4 (stderr) so noisy can restore
# them. Redirections apply left to right, so the copies are taken first.
# Note: fds 3 and 4 stay open and are inherited by child processes.
# Globals:   none
# Arguments: none
#######################################
silent()
{
  exec 3>&1 4>&2 >/dev/null 2>&1
}
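#######################################
# Undo silent: restore stdout from fd 3 and stderr from fd 4, then close the
# saved copies so they are no longer inherited by later child processes.
# Fix: the previous version restored stderr with 2>&1, i.e. onto the saved
# *stdout*, so everything written to stderr after noisy landed on stdout and
# the copy on fd 4 was never used.
# Globals:   none
# Arguments: none
# Note: must be called after silent (fds 3 and 4 have to be open).
#######################################
noisy()
{
  exec >&3 2>&4 3>&- 4>&-
}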
#######################################
# Build a child installation under $1 and validate it against the host:
# initialise it, synchronise in both directions, check both trust databases
# and cross-verify signatures.
# Arguments: $1 - chroot root directory of the child
# Outputs:   whatever init / sync / gpg2 / doublecheck print
# Returns:   status of doublecheck
#######################################
new_child()
{
  local child="$1"
  local child_home="$child/root/.gnupg"
  init "$child"
  # Host -> child first, then child -> host ('' selects the host's home).
  sync "$child" ''
  sync '' "$child"
  gpg2 --check-trustdb
  gpg2 --check-trustdb --homedir "$child_home"
  doublecheck "$child"
}
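# ---- entry point: <script> CHILD_DIR -----------------------------------------
# Builds a throwaway "child" kiki/GnuPG installation on a private tmpfs mounted
# at CHILD_DIR, synchronises it with the host's /root/.gnupg in both directions
# and cross-verifies signatures. Must run as root. On success the tmpfs is
# deliberately left mounted for inspection (the EXIT trap is disarmed at the
# end); on any failure it is unmounted and the mount point removed.
die()
{
  printf '%s\n' "$*" >&2
  exit 1
}
child_dir=$1
set -e
# Preconditions. These were bare tests that only aborted through set -e, so a
# failure gave no hint which one tripped; each now reports its reason.
[ "$(id -u)" = 0 ] || die 'must run as root'
[ -n "$child_dir" ] || die "usage: ${0##*/} CHILD_DIR"
[ ! -d "$child_dir" ] || die "$child_dir already exists"
mkdir -- "$child_dir"
# Single quotes: the expansion happens when the trap fires.
trap -- 'umount "$child_dir"; rmdir -- "$child_dir"' EXIT
# Memory-backed tmpfs, root-only (mode 0700): the child's key material is not
# written to ordinary storage and is unreadable to other users.
mount -t tmpfs -o mode=0700 tmpfs "$child_dir"
# From here until noisy, stdout/stderr are discarded; a failure inside exits
# through the trap above and its umount/rmdir diagnostics are discarded too.
silent
init
new_child "$child_dir"
noisy
# Disarm the cleanup so the child stays mounted for inspection, e.g.:
trap EXIT
# gpg2 -k
# gpg2 -k --homedir "$child_dir"/root/.gnupg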