diff options
| author | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2009-02-19 02:13:11 -0500 |
|---|---|---|
| committer | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2009-02-19 02:13:11 -0500 |
| commit | 7ab6793000d069c327e8d4923b9c89b13f60d3bd (patch) | |
| tree | d16838eff1dd469d42de9cd370a3694bca40b19d /src/transition_0.22_0.23 | |
| parent | a5b856642557d0a8463aa7ca26a6e3f898a8ac54 (diff) | |
adopting new transition script strategy
Diffstat (limited to 'src/transition_0.22_0.23')
| -rwxr-xr-x | src/transition_0.22_0.23 | 180 |
1 files changed, 0 insertions, 180 deletions
diff --git a/src/transition_0.22_0.23 b/src/transition_0.22_0.23 deleted file mode 100755 index e1c9e9e..0000000 --- a/src/transition_0.22_0.23 +++ /dev/null @@ -1,180 +0,0 @@ -#!/bin/bash - -# This is a post-install script for monkeysphere, to transition an old -# (<0.23) setup to the new (>=0.23) setup. - -# You should be able to run this script after any version >= 0.23 is -# installed. This script should be well-behaved, even if it is run -# repeatedly. - -# Written by -# Jameson Rollins <jrollins@finestructure.net> -# Daniel Kahn Gillmor <dkg@fifthhorseman.net> -# -# Copyright 2009, released under the GPL, version 3 or later - -# NOTE: the reverse operation (downgrading) is not directly supported, -# and MAY LOCK YOU OUT OF YOUR SYSTEM, depending on how you have -# configured the monkeysphere! - -# any unexpected errors should cause this script to bail: -set -e - -SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"} - -MADATADIR="${SYSDATADIR}/authentication" -MHDATADIR="${SYSDATADIR}/host" - -STASHDIR="${SYSDATADIR}/backup-from-0.23-transition" - - -log() { - printf "$@" >&2 -} - -# FIXME: implement this function better. here, we only care about -# dots, *and* about reversing the regexification of them. -gpg_unescape_and_unregex() { - sed 's/\\x5c\././g' -} - - -is_domain_name() { - printf "%s" "$1" | egrep -q '^[[:alnum:]][[:alnum:]-.]*[[:alnum:]]$' -} - -# run the authentication setup (this is also the first chance to bail -# if 0.23 is not fully-installed, because m-a did not exist before -# 0.23) -monkeysphere-authentication setup - -# before 0.23, the old gnupg-host data directory used to contain the -# trust core and the system's ssh host key. - -if [ -d "$SYSDATADIR"/gnupg-host ] ; then - -### transfer identity certifiers, if they don't already exist in the -### current setup: - - if [ monkeysphere-authentication list-identity-certifiers | \ - grep -q '^[A-F0-9]{40}:$' ] ; then - log 'There are already certifiers in the new system!\nNot transferring any certifiers.\n' - else - # get the old host keygrip (don't know why there would be more - # than one, but we'll transfer all tsigs made by any key that - # had been given ultimate ownertrust): - for authgrip in $(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export-ownertrust | \ - grep ':6:$' - sed -r 's/^[A-F0-9]{24}([A-F0-9]{16}):6:$/\1/') ; do - - # we're assuming that old id certifiers were only added by old - # versions of m-s c+, which added certifiers by ltsigning - # entire keys. - - # so we'll walk the list of tsigs from the old host key, and - # add those keys as certifiers to the new system. - - # FIXME: if an admin has run "m-s add-id-certifier $foo" - # multiple times for the same $foo, we'll only transfer - # one of those certifications (even if later - # certifications had different parameters). - - GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --fingerprint --with-colons --fixed-list-mode --check-sigs | \ - cut -f 1,2,5,8,9,10 -d: | \ - egrep '^(fpr:::::|sig:!:'"$authgrip"':[[:digit:]]+ [[:digit:]]+:)' | \ - while IFS=: read -r type validity grip trustparams trustdomain fpr ; do - case $type in - 'fpr') # this is a new key - keyfpr=$fpr - ;; - 'sig') # deal with all trust signatures, including - # regexes if present. - if [ "$keyfpr" ] ; then - trustdepth=${trustparams%% *} - trustlevel=${trustparams##* } - if [ "$trustlevel" -ge 120 ] ; then - truststring=full - elif [ "$trustlevel" -ge 60 ] ; then - truststring=marginal - else - # trust levels below marginal are ignored. - continue - fi - - finaldomain= - if [ "$trustdomain" ] ; then - # FIXME: deal with translating - # $trustdomain back to a domain. - if [ printf "%s" "$trustdomain" | egrep -q '^<\[\^>\]\+\[@\.\][^>]+>\$$' ] ; then - dpart=$(printf "%s" "$trustdomain" | sed -r 's/^<\[\^>\]\+\[@\.\]([^>]+)>\$$/\1/' | gpg_unescape_and_unregex) - if [ is_domain_name "$dpart" ]; then - finaldomain="--domain $dpart" - else - log "Does not seem to be a domain name (%s), not adding certifier\n" "$dpart" - continue - fi - else - log "Does not seem to be a standard gpg domain-based tsig (%s), not adding certifier\n" "$trustdomain" - continue - fi - fi - - CERTKEY=$(mktemp ${TMPDIR:-/tmp}/mstransition.XXXXXXXX) - log "Adding identity certifier with fingerprint %s\n" "$keyfpr" - GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export "0x$keyfpr" --export-clean >"$CERTKEY" - MONKEYSPHERE_PROMPT=false monkeysphere-authentication add-identity-certifier $finaldomain --trust "$truststring" --depth "$trustdepth" "$CERTKEY" - rm -f "$CERTKEY" - # clear the fingerprint so that we don't - # make additional tsigs on it if more uids - # are present: - $keyfpr= - fi - ;; - esac - done - done - fi - -### transfer host key information (if present) into the new spot - - if [ -d "${MHDATADIR}" ] ; then - log "Not transferring host key info because host directory already exists.\n" - else - if [ -s "$SYSDATADIR"/ssh_host_rsa_key ] || \ - GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --with-colons --list-secret-keys | grep -q '^sec:' ; then - - # create host home - mkdir -p "${MHDATADIR}" - chmod 0700 "${MHDATADIR}" - - log "importing host key from old monkeysphere installation\n" - GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export-secret-keys \ - GNUPGHOME="$MHDATADIR" gpg --import - - monkeysphere-host update-gpg-pub-file - else - log "No host key found in old monkeysphere install; not importing any host key.\n" - fi - fi - - -### get rid of this old stuff, since we've transferred it all: - - mkdir -p "$STASHDIR" - chmod 0700 "$STASHDIR" - mv "${SYSDATADIR}/gnupg-host" "$STASHDIR" -fi - - -# There is nothing in the old authentication directory that we should -# need to keep around, but it is not unreasonable to transfer keys to -# the new authentication keyring. -if [ -d "${SYSDATADIR}/gnupg-authentication" ] ; then - - GNUPGHOME="${SYSDATADIR}/gnupg-authentication" gpg --export | \ - monkeysphere-authentication gpg-cmd --import - - mkdir -p "$STASHDIR" - chmod 0700 "$STASHDIR" - mv "${SYSDATADIR}/gnupg-authentication" "$STASHDIR" -fi |