summaryrefslogtreecommitdiff
path: root/src/keygen.sh
blob: 926d7cfb74770f20e7e6641c40866d6bbf85fd9d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
#!/bin/sh

gpg_set_ultimate_trust()
{
	  local keygrip
    keygrip=$(gpg  -K --with-colons --with-fingerprint --with-fingerprint|sed -ne '/^sec/{n;p;q}'|cut -d: -f10)
    printf '%s:6:\n' "$keygrip" | gpg2 --import-ownertrust
}

add()
{
    kiki merge \
        --flow=sync \
        --home${2:+="$2"} \
        --create=rsa:4096 \
        --flow=spill,match="$1" \
        --type=pem \
        --access=secret \
        nil
}

init()
{
    local root="$1"

    if [ "$root" ]; then
        mkdir -m0600 -p "$root"/root/.gnupg
    fi

    kiki init   ${root:+--chroot "$root"}
    add encrypt ${root:+"$root/root/.gnupg"}
    add sign    ${root:+"$root/root/.gnupg"}

    (
        [ "$root" ] && export GNUPGHOME="$root/root/.gnupg/"
        gpg_set_ultimate_trust
    )
}

sync()
{
    local home1="$1"/root/.gnupg home2="$2"/root/.gnupg
    kiki sync-public \
        --homedir "$home1" \
        --passphrase-fd=0 \
        --import-if-authentic \
        --autosign \
        --keyrings "$home2"/pubring.gpg
    kiki sync-secret \
        --homedir "$home1" \
        --autosign --import
}

doublecheck()
{
    gpg2 --clearsign </dev/null | gpg2 --homedir "$1"/root/.gnupg --verify
    gpg2 --clearsign --homedir "$1"/root/.gnupg </dev/null | gpg2 --verify
}

silent()
{
    exec 3>&1 4>&2
    exec >/dev/null 2>&1
}

noisy()
{
    exec >&3 2>&1
}

new_child()
{
    local root="$1"
    init "$root"

    sync "$root" ''
    sync '' "$root"

    gpg2 --check-trustdb
    gpg2 --check-trustdb --homedir "$root"/root/.gnupg

    doublecheck "$root"
}


child_dir=$1

set -e

[ "$(id -u)" = 0 ]
[ "$child_dir" ]
[ ! -d "$child_dir" ]

mkdir "$child_dir"
trap -- 'umount "$child_dir"; rmdir "$child_dir"' EXIT
mount -t tmpfs -o mode=0700 tmpfs "$child_dir"

silent
init
new_child "$child_dir"
noisy

trap EXIT

# gpg2 -k
# gpg2 -k --homedir "$child_dir"/root/.gnupg