-rw-r--r-- | Changelog | 7 | ||||
-rw-r--r-- | man/man8/monkeysphere-authentication.8 | 5 | ||||
-rw-r--r-- | man/man8/monkeysphere-host.8 | 8 | ||||
-rw-r--r-- | src/share/ma/setup | 10 | ||||
-rw-r--r-- | src/share/mh/publish_key | 9 |
5 files changed, 36 insertions, 3 deletions
@@ -1,3 +1,10 @@
+monkeysphere (0.31~pre) UNRELEASED; urgency=low
+
+ * support x509 anchors for monkeysphere-host, allow shared anchor
+ between m-h and m-a (closes MS #2288)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 06 May 2010 11:23:38 -0400
+
 monkeysphere (0.30) unstable; urgency=low
 
 * changing tarball creation and packaging strategies
diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8
index ea9debd..7c12673 100644
--- a/man/man8/monkeysphere-authentication.8
+++ b/man/man8/monkeysphere-authentication.8
@@ -177,10 +177,13 @@ false may expose users to abuse by other users on the system. (true)
 /etc/monkeysphere/monkeysphere\-authentication.conf
 System monkeysphere-authentication config file.
 .TP
-/etc/monkeysphere/monkeysphere\-authentication\-x509\-anchors.crt
+/etc/monkeysphere/monkeysphere\-authentication\-x509\-anchors.crt or\p \
+/etc/monkeysphere/monkeysphere\-x509\-anchors.crt
 If monkeysphere-authentication is configured to query an hkps
 keyserver, it will use X.509 Certificate Authority certificates in
 this file to validate any X.509 certificates used by the keyserver.
+If the monkeysphere-authentication-x509 file is present, the
+monkeysphere-x509 file will be ignored.
 .TP
 /var/lib/monkeysphere/authorized_keys/USER
 Monkeysphere-generated user authorized_keys files.
diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8
index 00ea777..f3e0d43 100644
--- a/man/man8/monkeysphere-host.8
+++ b/man/man8/monkeysphere-host.8
@@ -222,6 +222,14 @@ Monkeysphere\-enabled services on the host.
 /var/lib/monkeysphere/host/
 A locked directory (readable only by the superuser) containing copies of all imported secret keys (this is the host's GNUPGHOME directory).
+.TP
+/etc/monkeysphere/monkeysphere\-host\-x509\-anchors.crt or\p \
+/etc/monkeysphere/monkeysphere\-x509\-anchors.crt
+If monkeysphere-host is configured to query an hkps keyserver for
+publish-keys, it will use X.509 Certificate Authority certificates in
+this file to validate any X.509 certificates used by the keyserver.
+If the monkeysphere-host-x509 file is present, the monkeysphere-x509
+file will be ignored.
 .SH AUTHOR
diff --git a/src/share/ma/setup b/src/share/ma/setup
index f965487..3c82c45 100644
--- a/src/share/ma/setup
+++ b/src/share/ma/setup
@@ -36,6 +36,14 @@ setup() {
 no-greeting
 EOF
 
+ KEYSERVER_OPTIONS=""
+ for anchorfile in "${SYSCONFIGDIR}/monkeysphere-authentication-x509-anchors.crt" "${SYSCONFIGDIR}/monkeysphere-x509-anchors.crt"; do
+ if [ -z "$KEYSERVER_OPTIONS" ] && [ -r "$anchorfile" ] ; then
+ KEYSERVER_OPTIONS="keyserver-options ca-cert-file=$anchorfile"
+ log debug "using $anchorfile for keyserver X.509 anchor"
+ fi
+ done
+
 log debug "writing sphere gpg.conf..."
 cat >"${GNUPGHOME_SPHERE}"/gpg.conf <<EOF
 # Monkeysphere trust sphere GnuPG configuration
@@ -43,7 +51,7 @@ EOF
 # Edits will be overwritten.
 no-greeting
 list-options show-uid-validity
-keyserver-options ca-cert-file=${SYSCONFIGDIR}/monkeysphere-authentication-x509-anchors.crt
+${KEYSERVER_OPTIONS}
 EOF
 
 # make sure the monkeysphere user owns everything in the sphere
diff --git a/src/share/mh/publish_key b/src/share/mh/publish_key
index f1c1723..72d2693 100644
--- a/src/share/mh/publish_key
+++ b/src/share/mh/publish_key
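Review bot: The `[ -r "$anchorfile" ]` test in the first ma/setup hunk is evaluated with the privileges of whoever runs setup, while the gpg.conf it feeds is read later by gpg inside the sphere GNUPGHOME that the monkeysphere user owns, so an anchor file that is readable by the caller but not by that user passes the check and presumably fails only when the hkps keyserver is first contacted. A comment above the loop would make that visible, e.g. `# NOTE: -r runs as the caller, not as the monkeysphere user that gpg will read the anchor as`. Separately, the previous unconditional `keyserver-options ca-cert-file=...` line is now dropped without any message when neither candidate is readable (the second hunk then writes an empty line into gpg.conf, which is harmless), so a mistyped or unreadable anchor path silently leaves hkps certificate handling to gpg's defaults; a line after `done` such as `[ -n "$KEYSERVER_OPTIONS" ] || log debug "no keyserver X.509 anchor file found; using gpg defaults"` would surface it. setup() begins before this hunk and the gpg.conf here-doc continues into the second hunk.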
@@ -40,9 +40,16 @@ trap "rm -rf $GNUPGHOME" EXIT
 su_monkeysphere_user \
 "gpg --quiet --import" <"$HOST_KEY_FILE"
 
+KEYSERVER_OPTIONS=""
+for anchorfile in "${SYSCONFIGDIR}/monkeysphere-host-x509-anchors.crt" "${SYSCONFIGDIR}/monkeysphere-x509-anchors.crt"; do
+ if [ -z "$KEYSERVER_OPTIONS" ] && [ -r "$anchorfile" ] ; then
+ KEYSERVER_OPTIONS="--keyserver-options 'ca-cert-file=$anchorfile'"
+ fi
+done
+
 # publish key
 su_monkeysphere_user \
- "gpg --keyserver $KEYSERVER --send-keys '0x${keyID}!'"
+ "gpg --keyserver $KEYSERVER $KEYSERVER_OPTIONS --send-keys '0x${keyID}!'"
 
 # remove the tmp file
 trap - EXIT
|
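Review bot: When neither anchor file is readable, `KEYSERVER_OPTIONS` stays empty and the publish goes ahead with no diagnostic, unlike the ma/setup hunk which logs the anchor it selected; whether gpg then validates the hkps server's certificate at all depends on the gpg build and keyserver helper, so the fallback deserves at least a log line. Mirroring setup, add `log debug "using $anchorfile for keyserver X.509 anchor"` inside the `if`, and after `done` something like `[ -n "$KEYSERVER_OPTIONS" ] || log debug "no keyserver X.509 anchor file found; relying on gpg defaults"` (assuming `log` is in scope here as it is in setup). Note also that `$KEYSERVER_OPTIONS` is spliced into a command string that su_monkeysphere_user presumably hands to a shell, so the inner single quotes are the only thing protecting a path containing spaces, and a single quote inside `${SYSCONFIGDIR}` would break the command; that is acceptable for an admin-controlled path but worth a comment on the assignment line.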