summaryrefslogtreecommitdiff
path: root/src/share/ma/setup
blob: 944bb4d8cf139273ecab799380b1781ab0863269 (plain)
  1. # -*-shell-script-*-
  2. # This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
  3. # Monkeysphere authentication setup subcommand
  4. #
  5. # The monkeysphere scripts are written by:
  6. # Jameson Rollins <jrollins@finestructure.net>
  7. # Jamie McClelland <jm@mayfirst.org>
  8. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  9. #
  10. # They are Copyright 2009, and are all released under the GPL,
  11. # version 3 or later.
  12. setup() {
  13. # make the core and the sphere:
  14. mkdir -p ${SYSDATADIR}/authentication
  15. mkdir -p ${GNUPGHOME_SPHERE}
  16. mkdir -p ${GNUPGHOME_CORE}
  17. # deliberately replace the config files via truncation
  18. # FIXME: should we be dumping to tmp files and then moving atomically?
  19. cat >${GNUPGHOME_CORE}/gpg.conf <<EOF
  20. # Monkeysphere trust core GnuPG configuration
  21. # This file is maintained by the Monkeysphere software.
  22. # Edits will be overwritten.
  23. no-greeting
  24. list-options show-uid-validity
  25. EOF
  26. cat >${GNUPGHOME_SPHERE}/gpg.conf <<EOF
  27. # Monkeysphere trust sphere GnuPG configuration
  28. # This file is maintained by the Monkeysphere software.
  29. # Edits will be overwritten.
  30. no-greeting
  31. primary-keyring ${GNUPGHOME_SPHERE}/pubring.gpg
  32. keyring ${GNUPGHOME_CORE}/pubring.gpg
  33. list-options show-uid-validity
  34. EOF
  35. local CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
  36. if [ -z "$CORE_FPR" ] ; then
  37. log info "Setting up Monkeysphere authentication trust core"
  38. local CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" $(head -c21 </dev/urandom | base64))
  39. if gpg_core --gen-key --batch <<EOF
  40. Key-Type: RSA
  41. Key-Length: 2048
  42. Key-Usage: certify
  43. Name-Real: $CORE_UID
  44. %commit
  45. %echo done
  46. EOF
  47. then
  48. CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
  49. if [ -z "$CORE_FPR" ] ; then
  50. failure "Failed to find fingerprint of Monkeysphere authentication trust core!"
  51. fi
  52. else
  53. failure "Failed to create Monkeysphere authentication trust core!"
  54. fi
  55. else
  56. log verbose "This system has already set up the Monkeysphere authentication trust core"
  57. fi
  58. # ensure that the authentication sphere checker has absolute ownertrust on the expected key.
  59. printf "%s:6:\n" "$CORE_FPR" | gpg_sphere --import-ownertrust
  60. local ORIG_TRUST
  61. if ORIG_TRUST=$(gpg_sphere --export-ownertrust | grep '^[^#]') ; then
  62. if [ "$CORE_FPR:6:" != "$ORIG_TRUST" ] ; then
  63. failure "Monkeysphere authentication trust sphere should explicitly trust the core. It does not have proper ownertrust settings."
  64. fi
  65. else
  66. failure "Could not get monkeysphere-authentication trust guidleines."
  67. fi
  68. # ensure that we're using the extended trust model (1), and that
  69. # our preferences are reasonable (i.e. 3 marginal OR 1 fully
  70. # trusted certifications are sufficient to grant full validity.
  71. if [ "1:3:1" != $(gpg_sphere --with-colons --fixed-list-mode --list-keys | head -n1 | grep ^tru: cut -f3,6,7 -d:) ] ; then
  72. failure "monkeysphere-preference does not have the expected trust model settings"
  73. fi
  74. }