authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>2010-05-06 11:24:55 -0400
committerDaniel Kahn Gillmor <dkg@fifthhorseman.net>2010-05-06 12:21:25 -0400
commite6a41995792ee8b7a3dbce1e763e40447e45755f (patch)
tree76c9c2a3ad3854b4e356a59de6252a752bc68e5a /src
parent8a0467b81b7ec01dcfffc2de40dc078a3caef7e3 (diff)
support x509 anchors for monkeysphere-host, allow shared anchors between m-a and mh (closes MS #2288)
Diffstat (limited to 'src')
-rw-r--r--src/share/ma/setup10
-rw-r--r--src/share/mh/publish_key9
2 files changed, 17 insertions, 2 deletions
diff --git a/src/share/ma/setup b/src/share/ma/setup
index f965487..3c82c45 100644
--- a/src/share/ma/setup
+++ b/src/share/ma/setup
@@ -36,6 +36,14 @@ setup() {
no-greeting
EOF
+ KEYSERVER_OPTIONS=""
+ for anchorfile in "${SYSCONFIGDIR}/monkeysphere-authentication-x509-anchors.crt" "${SYSCONFIGDIR}/monkeysphere-x509-anchors.crt"; do
+ if [ -z "$KEYSERVER_OPTIONS" ] && [ -r "$anchorfile" ] ; then
+ KEYSERVER_OPTIONS="keyserver-options ca-cert-file=$anchorfile"
+ log debug "using $anchorfile for keyserver X.509 anchor"
+ fi
+ done
+
log debug "writing sphere gpg.conf..."
cat >"${GNUPGHOME_SPHERE}"/gpg.conf <<EOF
# Monkeysphere trust sphere GnuPG configuration
@@ -43,7 +51,7 @@ EOF
# Edits will be overwritten.
no-greeting
list-options show-uid-validity
-keyserver-options ca-cert-file=${SYSCONFIGDIR}/monkeysphere-authentication-x509-anchors.crt
+${KEYSERVER_OPTIONS}
EOF
# make sure the monkeysphere user owns everything in the sphere
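Review bot: When neither anchor file passes the `-r` test, the loop at the top of the first hunk leaves KEYSERVER_OPTIONS empty and the sphere gpg.conf is written without any ca-cert-file line, yet nothing is logged; the only message is the debug line on the success path. Before this change the ca-cert-file line was written unconditionally, so a missing anchor surfaced as a gpg error at keyserver time, whereas now the keyserver connection silently proceeds with whatever trust gpg applies when no ca-cert-file is configured. I would add after the loop `[ -n "$KEYSERVER_OPTIONS" ] || log info "no X.509 keyserver anchor found; sphere gpg.conf will have no ca-cert-file"`. The same silent fallback is present in src/share/mh/publish_key, which logs nothing on either branch. Note also that `-r` is evaluated as the user running setup while the anchor will later be read by gpg as the monkeysphere user, so a file readable here can still be unreadable at keyserver time; a one-line comment on the loop stating that the test is only a best-effort hint would help the next reader.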
diff --git a/src/share/mh/publish_key b/src/share/mh/publish_key
index f1c1723..72d2693 100644
--- a/src/share/mh/publish_key
+++ b/src/share/mh/publish_key
@@ -40,9 +40,16 @@ trap "rm -rf $GNUPGHOME" EXIT
su_monkeysphere_user \
"gpg --quiet --import" <"$HOST_KEY_FILE"
+KEYSERVER_OPTIONS=""
+for anchorfile in "${SYSCONFIGDIR}/monkeysphere-host-x509-anchors.crt" "${SYSCONFIGDIR}/monkeysphere-x509-anchors.crt"; do
+ if [ -z "$KEYSERVER_OPTIONS" ] && [ -r "$anchorfile" ] ; then
+ KEYSERVER_OPTIONS="--keyserver-options 'ca-cert-file=$anchorfile'"
+ fi
+done
+
# publish key
su_monkeysphere_user \
- "gpg --keyserver $KEYSERVER --send-keys '0x${keyID}!'"
+ "gpg --keyserver $KEYSERVER $KEYSERVER_OPTIONS --send-keys '0x${keyID}!'"
# remove the tmp file
trap - EXIT
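Review bot: The ca-cert-file value is single-quoted inside the string assigned to KEYSERVER_OPTIONS, but that string is then spliced into the one-word command handed to su_monkeysphere_user, which presumably re-parses it with a shell; the single quotes hold only as long as SYSCONFIGDIR contains no single quote, and the neighbouring `$KEYSERVER` in the same command is not quoted at all, so the two values are protected inconsistently. Since both values are administrator-controlled this is an inconsistency rather than an injection path, but the assumption deserves a comment above the assignment: `# NOTE: $anchorfile and $KEYSERVER are spliced into a shell command string; they must not contain quotes or whitespace`. Separately, `[ -r "$anchorfile" ]` is evaluated as the caller of publish_key while gpg runs as the monkeysphere user, so an anchor that looks readable here can still fail inside gpg — the `-r` test is only a hint, not a guarantee. Unlike the matching change in src/share/ma/setup, no message is emitted on either branch here; adding `log debug "using $anchorfile for keyserver X.509 anchor"` inside the `if` would keep the two files consistent and make a missing anchor diagnosable.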