-rw-r--r--man/man8/monkeysphere-host.87
-rw-r--r--src/share/mh/revoke_key28
2 files changed, 31 insertions, 4 deletions
diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8
index 2b71807..2ccaaec 100644
--- a/man/man8/monkeysphere-host.8
+++ b/man/man8/monkeysphere-host.8
@@ -66,8 +66,11 @@ or by specifying `-` to load from stdin. `o' may be be used in place
of `add-revoker'.
.TP
.B revoke-key
-Revoke the host's OpenPGP key. `r' may be used in place of
-`revoke-key'.
+Revoke the host's OpenPGP key. This will ask you a series of
+questions, and then generate a key revocation certificate on standard
+out. If you publish this revocation certificate to the public
+keyservers, your host key will be permanently revoked. `r' may be
+used in place of `revoke-key'.
.TP
.B publish-key
Publish the host's OpenPGP key to the keyserver. `p' may be used in
diff --git a/src/share/mh/revoke_key b/src/share/mh/revoke_key
index cccdc22..380236b 100644
--- a/src/share/mh/revoke_key
+++ b/src/share/mh/revoke_key
@@ -15,7 +15,31 @@
revoke_key() {
-# FIXME: implement!
-failure "not implemented yet!"
+# Coming in here, we expect $HOST_FINGERPRINT to be set, and we
+# believe that there is in fact a key.
+ # our current implementation is very simple: we just want to
+ # generate the revocation certificate on stdout. This provides
+ # for the two most likely (but hopefully not common) scenarios:
+
+ # an admin wants a revocation certificate for the host which they
+ # can store securely offline. In this case, the admin can
+ # redirect stdout to a file, or can simply copy/paste or
+ # transcribe from the terminal.
+
+ # Alternately, an admin might want to publish the revocation
+ # certificate immediately. here's a quick way to do this:
+
+
+ # tmp=$(mktemp -d)
+ # export GNUPGHOME="$tmp"
+ # gpg --import < /var/lib/monkeysphere/ssh_host_rsa_key.pub.gpg
+ # monkeysphere-host revoke-key | gpg --import
+ # gpg --keyserver pool.sks-keyservers.net --send $(hostname -f)
+
+
+ # note: we're not using the gpg_host function because we actually
+ # want to use gpg's UI in this case, so we want to omit --no-tty
+
+ GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --armor --gen-revoke "0x${HOST_FINGERPRINT}!"
}
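Review bot: The comment at the top of the hunk says the function expects $HOST_FINGERPRINT to be set, but nothing in the new body checks it, so an empty value reaches gpg as the key id `0x!` and the user gets gpg's own error rather than a monkeysphere-host one; a guard before the gpg call, `[ -n "$HOST_FINGERPRINT" ] || failure "HOST_FINGERPRINT is not set; is there a host key?"`, would keep the existing failure() style that the removed line used. The comment block also notes that gpg's interactive UI is wanted here (hence no --no-tty), which means the command presumably fails or hangs when stdin is not a terminal, e.g. when the whole thing is piped as in the quoted example; if that is the case, a check such as `[ -t 0 ] || failure "revoke-key needs an interactive terminal for gpg's prompts"` would make the requirement explicit. On style, the two comment lines right after `revoke_key() {` sit at column 0 while the rest of the block is indented by one space; aligning them and trimming the doubled blank lines around the example would make the block read as one comment.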