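#!/usr/bin/env bash
# Monkeysphere authentication add-certifier subcommand
#
# The monkeysphere scripts are written by:
# Jameson Rollins <jrollins@fifthhorseman.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
# They are Copyright 2008, and are all released under the GPL, version 3
# or later.

# retrieve key from web of trust, import it into the host keyring, and
# ltsign the key in the host keyring so that it may certify other keys
#
# This snippet uses 'local', so it is meant to be sourced inside a
# function of the main program.  It relies on these names from the
# caller's scope (none are defined here):
#   failure            - print a message and exit non-zero
#   gpg_authentication - run gpg against the authentication keyring; its
#                        single string argument ends up inside a shell
#                        command (see the 'su -c' trace in the FIXME below)
#   gpg_host           - run gpg against the host keyring
#   KEYSERVER          - keyserver used for --recv-key
#   PGRM               - program name shown in usage hints

local domain
local trust
local depth
local keyID
local fingerprint
local ltsignCommand
local trustval
local importinfo

# set default values for trust depth and domain
domain=
trust=full
depth=1

# get options
while true ; do
    case "$1" in
        -n|--domain)
            domain="$2"
            shift 2
            ;;
        -t|--trust)
            trust="$2"
            shift 2
            ;;
        -d|--depth)
            depth="$2"
            shift 2
            ;;
        *)
            # any other leading '-' is an unknown option; a glob test is
            # used instead of 'echo | cut' so that values echo would
            # swallow as its own flags (e.g. '-e', '-n') are still caught
            if [[ "$1" == -* ]] ; then
                failure "Unknown option '$1'.
Type '$PGRM help' for usage."
            fi
            break
            ;;
    esac
done

# validate the option values before any keyring or network work, so a
# bad value is reported before a key has been fetched and imported
case "$trust" in
    marginal) trustval=1 ;;
    full)     trustval=2 ;;
    *)
        failure "Trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)."
        ;;
esac
if [[ ! "$depth" =~ ^[0-9]+$ ]] ; then
    failure "Trust depth requested ('$depth') must be a non-negative integer."
fi
# the ltsign answers below are fed to gpg one per line, so a domain
# containing a newline would shift every answer that follows it
if [[ "$domain" == *$'\n'* ]] ; then
    failure "Domain ('$domain') must not contain a newline."
fi

keyID="$1"
if [ -z "$keyID" ] ; then
    failure "You must specify the key ID of a key to add, or specify a file to read the key from."
fi

if [ -f "$keyID" ] ; then
    echo "Reading key from file '$keyID':"
    importinfo=$(gpg_authentication "--import" < "$keyID" 2>&1) || failure "could not read key from '$keyID'"
    # FIXME: if this is tried when the key database is not
    # up-to-date, i got these errors (using set -x):

    # ++ su -m monkeysphere -c '\''gpg --import'\''
    # Warning: using insecure memory!
    # gpg: key D21739E9: public key "Daniel Kahn Gillmor <dkg@fifthhorseman.net>" imported
    # gpg: Total number processed: 1
    # gpg:               imported: 1  (RSA: 1)
    # gpg: can'\''t create `/var/monkeysphere/gnupg-host/pubring.gpg.tmp'\'': Permission denied
    # gpg: failed to rebuild keyring cache: Permission denied
    # gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    # gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
    # gpg: next trustdb check due at 2009-01-10'
    # + failure 'could not read key from '\''/root/dkg.gpg'\'''
    # + echo 'could not read key from '\''/root/dkg.gpg'\'''

    # the imported key ID is the third space-separated field of the
    # "gpg: key XXXXXXXX: ..." line
    keyID=$(printf '%s\n' "$importinfo" | grep '^gpg: key ' | cut -f2 -d: | cut -f3 -d ' ')
    if [ -z "$keyID" ] || [ "$(printf '%s\n' "$keyID" | wc -l)" -ne 1 ] ; then
        failure "Expected there to be a single gpg key in the file."
    fi
else
    # accept an optional 0x prefix (gpg does), then insist on plain hex:
    # the ID is interpolated into the gpg_authentication command string,
    # so anything that is not a key ID or fingerprint is refused here
    keyID="${keyID#0[xX]}"
    if [[ ! "$keyID" =~ ^[0-9A-Fa-f]{8,40}$ ]] ; then
        failure "Key ID '$keyID' is not a hexadecimal key ID or fingerprint."
    fi
    # get the key from the key server
    gpg_authentication "--keyserver $KEYSERVER --recv-key '0x${keyID}!'" || failure "Could not receive a key with this ID from the '$KEYSERVER' keyserver."
fi

export keyID

# get the full fingerprint of a key ID; the match is case-insensitive so a
# lower-case key ID still finds gpg's upper-case fpr line
fingerprint=$(gpg_authentication "--list-key --with-colons --with-fingerprint 0x${keyID}!" | \
    grep '^fpr:' | grep -i -F -- "$keyID" | cut -d: -f10)

if [ -z "$fingerprint" ] ; then
    failure "Key '$keyID' not found."
elif [ "$(printf '%s\n' "$fingerprint" | wc -l)" -ne 1 ] ; then
    # a short key ID can match several keys; refuse rather than build a
    # multi-line '0x...!' selector below
    failure "Key ID '$keyID' matches more than one key; specify the full fingerprint."
fi

echo
echo "key found:"
gpg_authentication "--fingerprint 0x${fingerprint}!"

echo "Are you sure you want to add the above key as a"
read -r -p "certifier of users on this system? (y/N) " OK; OK=${OK:-N}
if [ "${OK/y/Y}" != 'Y' ] ; then
    failure "Identity certifier not added."
fi

# export the key to the host keyring
gpg_authentication "--export 0x${fingerprint}!" | gpg_host --import \
    || failure "Could not import key '$fingerprint' into the host keyring."

# ltsign command
# NOTE: *all* user IDs will be ltsigned
ltsignCommand=$(cat <<EOF
ltsign
y
$trustval
$depth
$domain
y
save
EOF
)

# ltsign the key
if printf '%s\n' "$ltsignCommand" | \
    gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then
    # update the trustdb for the authentication keyring
    gpg_authentication "--check-trustdb"
    echo
    echo "Identity certifier added."
else
    failure "Problem adding identity certifier."
fi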