diff options
author | Jameson Graef Rollins <jrollins@finestructure.net> | 2009-01-31 23:05:23 -0500 |
---|---|---|
committer | Jameson Graef Rollins <jrollins@finestructure.net> | 2009-01-31 23:06:56 -0500 |
commit | 33888714f26a775b3be54edb27d77de719d5939c (patch) | |
tree | 0eacf9b1424198458ec7f2641c9353f18640bd86 /src/share/ma/add_certifier | |
parent | abedd439e7b62428e1c76baf008f2d6b1afccc5a (diff) |
move src/subcommands to srv/share, and add common file to src/share (update Makefile as well)
Diffstat (limited to 'src/share/ma/add_certifier')
-rw-r--r-- | src/share/ma/add_certifier | 146 |
1 files changed, 146 insertions, 0 deletions
diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier new file mode 100644 index 0000000..0c3c647 --- /dev/null +++ b/src/share/ma/add_certifier @@ -0,0 +1,146 @@ +# -*-shell-script-*- +# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant) + +# Monkeysphere authentication add-certifier subcommand +# +# The monkeysphere scripts are written by: +# Jameson Rollins <jrollins@finestructure.net> +# Jamie McClelland <jm@mayfirst.org> +# Daniel Kahn Gillmor <dkg@fifthhorseman.net> +# +# They are Copyright 2008-2009, and are all released under the GPL, +# version 3 or later. + +# retrieve key from web of trust, import it into the host keyring, and +# ltsign the key in the host keyring so that it may certify other keys + +add_certifier() { + +local domain +local trust +local depth +local keyID +local fingerprint +local ltsignCommand +local trustval + +# set default values for trust depth and domain +domain= +trust=full +depth=1 + +# get options +while true ; do + case "$1" in + -n|--domain) + domain="$2" + shift 2 + ;; + -t|--trust) + trust="$2" + shift 2 + ;; + -d|--depth) + depth="$2" + shift 2 + ;; + *) + if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then + failure "Unknown option '$1'. +Type '$PGRM help' for usage." + fi + break + ;; + esac +done + +keyID="$1" +if [ -z "$keyID" ] ; then + failure "You must specify the key ID of a key to add, or specify a file to read the key from." +fi +if [ -f "$keyID" ] ; then + echo "Reading key from file '$keyID':" + importinfo=$(gpg_sphere "--import" < "$keyID" 2>&1) || failure "could not read key from '$keyID'" + # FIXME: if this is tried when the key database is not + # up-to-date, i got these errors (using set -x): + + # ++ su -m monkeysphere -c '\''gpg --import'\'' + # Warning: using insecure memory! + # gpg: key D21739E9: public key "Daniel Kahn Gillmor <dkg@fifthhorseman.net>" imported + # gpg: Total number processed: 1 + # gpg: imported: 1 (RSA: 1) + # gpg: can'\''t create `/var/monkeysphere/gnupg-host/pubring.gpg.tmp'\'': Permission denied + # gpg: failed to rebuild keyring cache: Permission denied + # gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model + # gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u + # gpg: next trustdb check due at 2009-01-10' + # + failure 'could not read key from '\''/root/dkg.gpg'\''' + # + echo 'could not read key from '\''/root/dkg.gpg'\''' + + keyID=$(echo "$importinfo" | grep '^gpg: key ' | cut -f2 -d: | cut -f3 -d\ ) + if [ -z "$keyID" ] || [ $(echo "$keyID" | wc -l) -ne 1 ] ; then + failure "Expected there to be a single gpg key in the file." + fi +else + # get the key from the key server + gpg_sphere "--keyserver $KEYSERVER --recv-key '0x${keyID}!'" || failure "Could not receive a key with this ID from the '$KEYSERVER' keyserver." +fi + +export keyID + +# get the full fingerprint of a key ID +fingerprint=$(gpg_sphere "--list-key --with-colons --with-fingerprint 0x${keyID}!" | \ + grep '^fpr:' | grep "$keyID" | cut -d: -f10) + +if [ -z "$fingerprint" ] ; then + failure "Key '$keyID' not found." +fi + +echo +echo "key found:" +gpg_sphere "--fingerprint 0x${fingerprint}!" + +echo "Are you sure you want to add the above key as a" +read -p "certifier of users on this system? (y/N) " OK; OK=${OK:-N} +if [ "${OK/y/Y}" != 'Y' ] ; then + failure "Identity certifier not added." +fi + +# export the key to the host keyring +gpg_sphere "--export 0x${fingerprint}!" | gpg_core --import + +if [ "$trust" = marginal ]; then + trustval=1 +elif [ "$trust" = full ]; then + trustval=2 +else + failure "Trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)." +fi + +# ltsign command +# NOTE: *all* user IDs will be ltsigned +ltsignCommand=$(cat <<EOF +ltsign +y +$trustval +$depth +$domain +y +save +EOF + ) + +# ltsign the key +if echo "$ltsignCommand" | \ + gpg_core --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then + + # update the trustdb for the authentication keyring + gpg_sphere "--check-trustdb" + + echo + echo "Identity certifier added." +else + failure "Problem adding identify certifier." +fi + +} |