# -*-shell-script-*-
# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
# Monkeysphere authentication setup subcommand
#
# The monkeysphere scripts are written by:
# Jameson Rollins <jrollins@finestructure.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
# They are Copyright 2009, and are all released under the GPL,
# version 3 or later.
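setup() {
    # Prepare the on-disk state for Monkeysphere authentication: data
    # and temp directories, the "core" and "sphere" GnuPG homes with
    # their gpg.conf files, the trust core key (generated on first
    # run), and the sphere's ownertrust / trust-model settings.
    #
    # Globals read: MADATADIR, MATMPDIR, GNUPGHOME_CORE,
    #   GNUPGHOME_SPHERE, CORE_KEYLENGTH, MONKEYSPHERE_USER.
    # Helpers called (defined outside this function): log, failure,
    #   gpg_core, gpg_sphere, pem2openpgp.
    # Every fatal condition is reported through failure, which
    # presumably terminates the command -- confirm against its
    # definition.

    local sphere_user gnupghome

    # NOTE(review): the original read "$MONKEYPSHERE_USER" here, which
    # looks like a transposition of MONKEYSPHERE_USER -- confirm
    # against the script that defines it.  The old spelling is still
    # honoured as a fallback so that either definition works.
    sphere_user="${MONKEYSPHERE_USER:-${MONKEYPSHERE_USER:-}}"
    if [ -z "$sphere_user" ] ; then
        failure "MONKEYSPHERE_USER is not set; cannot assign ownership of the trust sphere."
    fi

    # make all needed directories
    mkdir -p "${MADATADIR}" "${MATMPDIR}" \
        || failure "Could not create the Monkeysphere authentication data directories."

    # The GnuPG homes hold key material.  Create them 0700 from the
    # start so a permissive umask never leaves them briefly accessible
    # to other users, then chmod as well to tighten a directory that
    # already existed.  Both steps are checked: continuing with a
    # loosely-permissioned key directory would be silent and unsafe.
    for gnupghome in "${GNUPGHOME_CORE}" "${GNUPGHOME_SPHERE}" ; do
        if ! mkdir -p -m 700 "$gnupghome" || ! chmod 700 "$gnupghome" ; then
            failure "Could not create private GnuPG home directory: $gnupghome"
        fi
    done

    mkdir -p "${MADATADIR}"/authorized_keys \
        || failure "Could not create ${MADATADIR}/authorized_keys"

    # deliberately replace the config files via truncation
    # FIXME: should we be dumping to tmp files and then moving atomically?
    cat >"${GNUPGHOME_CORE}"/gpg.conf <<EOF || failure "Could not write ${GNUPGHOME_CORE}/gpg.conf"
# Monkeysphere trust core GnuPG configuration
# This file is maintained by the Monkeysphere software.
# Edits will be overwritten.
no-greeting
list-options show-uid-validity
EOF

    cat >"${GNUPGHOME_SPHERE}"/gpg.conf <<EOF || failure "Could not write ${GNUPGHOME_SPHERE}/gpg.conf"
# Monkeysphere trust sphere GnuPG configuration
# This file is maintained by the Monkeysphere software.
# Edits will be overwritten.
no-greeting
primary-keyring ${GNUPGHOME_SPHERE}/pubring.gpg
list-options show-uid-validity
EOF

    # make sure the monkeysphere user owns everything in the sphere
    # gnupghome.  A failed chown is fatal: the sphere would otherwise
    # stay owned by whoever ran setup, without anyone noticing.
    chown -R "$sphere_user" "${GNUPGHOME_SPHERE}" \
        || failure "Could not give $sphere_user ownership of ${GNUPGHOME_SPHERE}"
    # assumes a group named like the user exists -- TODO confirm.
    # Left unchecked as in the original: with the directory at 0700
    # the group cannot reach its contents either way.
    chgrp -R "$sphere_user" "${GNUPGHOME_SPHERE}"

    # get fingerprint of core key. this should be empty on unconfigured systems.
    # Empty output is the signal here, so the pipeline's exit status is
    # deliberately ignored (grep finds nothing on a fresh system).
    local CORE_FPR
    CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep '^fpr:' | cut -f10 -d: ) || true

    if [ -z "$CORE_FPR" ] ; then
        log info "Setting up Monkeysphere authentication trust core..."

        # 21 bytes from /dev/urandom, base64-encoded, make the user ID
        # of each generated core key distinct.
        local CORE_UID
        CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" "$(head -c21 </dev/urandom | base64)")

        log debug "generating monkeysphere authentication trust core key ($CORE_KEYLENGTH bits)..."
        # Only the import's exit status is tested here; a pem2openpgp
        # failure is caught by the fingerprint re-check below.
        PEM2OPENPGP_USAGE_FLAGS=certify PEM2OPENPGP_NEWKEY="$CORE_KEYLENGTH" pem2openpgp "$CORE_UID" | gpg_core --import || failure "Could not import new key for Monkeysphere authentication trust core"

        # get fingerprint of core key. should definitely not be empty at this point
        log debug "get core key fingerprint..."
        CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep '^fpr:' | cut -f10 -d: )
        if [ -z "$CORE_FPR" ] ; then
            failure "Failed to create Monkeysphere authentication trust core!"
        fi
    else
        log verbose "This system has already set up the Monkeysphere authentication trust core."
    fi

    # ensure that the authentication sphere checker has absolute ownertrust on the expected key.
    log debug "set ultimate owner trust on core key in gpg_sphere..."
    printf "%s:6:\n" "$CORE_FPR" | gpg_sphere --import-ownertrust

    # The import above is not trusted blindly: the exported ownertrust
    # (comment lines dropped) must be exactly the one core entry.  Any
    # additional ownertrust line in the sphere makes this fail, which
    # keeps other keys from quietly acting as trust roots.
    local ORIG_TRUST
    log debug "check gpg_sphere owner trust set properly..."
    if ORIG_TRUST=$(gpg_sphere --export-ownertrust | grep '^[^#]') ; then
        if [ "${CORE_FPR}:6:" != "$ORIG_TRUST" ] ; then
            failure "Monkeysphere authentication trust sphere should explicitly trust the core.  It does not have proper ownertrust settings."
        fi
    else
        failure "Could not get monkeysphere-authentication trust guidelines."
    fi

    # ensure that we're using the extended trust model (1), and that
    # our preferences are reasonable (i.e. 3 marginal OR 1 fully
    # trusted certifications are sufficient to grant full validity).
    # Fields 3, 6 and 7 of the leading "tru:" record are compared; an
    # empty result (no such record) fails the check as well.
    log debug "check trust level of core key..."
    local TRUST_LEVEL
    TRUST_LEVEL=$(gpg_sphere --with-colons --fixed-list-mode --list-keys \
        | head -n1 | grep "^tru:" | cut -d: -f3,6,7) || true
    log debug "trust level: $TRUST_LEVEL"
    if [ "$TRUST_LEVEL" != '1:3:1' ] ; then
        failure "monkeysphere-authentication does not have the expected trust model settings."
    fi
}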