summaryrefslogtreecommitdiff
path: root/src/transition_0.22_0.23
blob: 12ef1d2d6dc959f14fb2a720c493b3d49e7df4ad (plain)
  1. #!/bin/bash
  2. # this script should run without any errors.
  3. set -e
  4. # This is a post-install script for monkeysphere, to transition an old
  5. # (<0.23) setup to the new (>=0.23) setup
  6. SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
  7. MADATADIR="${SYSDATADIR}/authentication"
  8. MHDATADIR="${SYSDATADIR}/host"
  9. STASHDIR="${SYSDATADIR}/backup-from-0.23-transition"
  10. log() {
  11. printf "$@" >&2
  12. }
  13. # FIXME: implement this function better. here, we only care about
  14. # dots, *and* about reversing the regexification of them.
  15. gpg_unescape_and_unregex() {
  16. sed 's/\\x5c\././g'
  17. }
  18. is_domain_name() {
  19. printf "%s" "$1" | egrep -q '^[[:alnum:]][[:alnum:]-.]*[[:alnum:]]$'
  20. }
  21. # run the authentication setup
  22. monkeysphere-authentication setup
  23. # before 0.23, the old gnupg-host data directory used to contain the
  24. # trust core and the system's ssh host key.
  25. if [ -d "$SYSDATADIR"/gnupg-host ] ; then
  26. ### transfer identity certifiers, if they don't already exist in the
  27. ### current setup:
  28. if [ monkeysphere-authentication list-identity-certifiers | \
  29. grep -q '^[A-F0-9]{40}:$' ] ; then
  30. log 'There are already certifiers in the new system!\nNot transferring any certifiers.\n'
  31. else
  32. # get the old host keygrip (don't know why there would be more
  33. # than one, but we'll transfer all tsigs made by any key that
  34. # had been given ultimate ownertrust):
  35. for authgrip in $(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export-ownertrust | \
  36. grep ':6:$'
  37. sed -r 's/^[A-F0-9]{24}([A-F0-9]{16}):6:$/\1/') ; do
  38. # we're assuming that old id certifiers were only added by old
  39. # versions of m-s c+, which added certifiers by ltsigning
  40. # entire keys.
  41. # so we'll walk the list of tsigs from the old host key, and
  42. # add those keys as certifiers to the new system.
  43. # FIXME: if an admin has run "m-s add-id-certifier $foo"
  44. # multiple times for the same $foo, we'll only transfer
  45. # one of those certifications (even if later
  46. # certifications had different parameters).
  47. GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --fingerprint --with-colons --fixed-list-mode --check-sigs | \
  48. cut -f 1,2,5,8,9,10 -d: | \
  49. egrep '^(fpr:::::|sig:!:'"$authgrip"':[[:digit:]]+ [[:digit:]]+:)' | \
  50. while IFS=: read -r type validity grip trustparams trustdomain fpr ; do
  51. case $type in
  52. 'fpr') # this is a new key
  53. keyfpr=$fpr
  54. ;;
  55. 'sig') # deal with all trust signatures, including
  56. # regexes if present.
  57. if [ "$keyfpr" ] ; then
  58. trustdepth=${trustparams%% *}
  59. trustlevel=${trustparams##* }
  60. if [ "$trustlevel" -ge 120 ] ; then
  61. truststring=full
  62. elif [ "$trustlevel" -ge 60 ] ; then
  63. truststring=marginal
  64. else
  65. # trust levels below marginal are ignored.
  66. continue
  67. fi
  68. finaldomain=
  69. if [ "$trustdomain" ] ; then
  70. # FIXME: deal with translating
  71. # $trustdomain back to a domain.
  72. if [ printf "%s" "$trustdomain" | egrep -q '^<\[\^>\]\+\[@\.\][^>]+>\$$' ] ; then
  73. dpart=$(printf "%s" "$trustdomain" | sed -r 's/^<\[\^>\]\+\[@\.\]([^>]+)>\$$/\1/' | gpg_unescape_and_unregex)
  74. if [ is_domain_name "$dpart" ]; then
  75. finaldomain="--domain $dpart"
  76. else
  77. log "Does not seem to be a domain name (%s), not adding certifier\n" "$dpart"
  78. continue
  79. fi
  80. else
  81. log "Does not seem to be a standard gpg domain-based tsig (%s), not adding certifier\n" "$trustdomain"
  82. continue
  83. fi
  84. fi
  85. CERTKEY=$(mktemp ${TMPDIR:-/tmp}/mstransition.XXXXXXXX)
  86. log "Adding identity certifier with fingerprint %s\n" "$keyfpr"
  87. GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export "0x$keyfpr" --export-clean >"$CERTKEY"
  88. MONKEYSPHERE_PROMPT=false monkeysphere-authentication add-identity-certifier $finaldomain --trust "$truststring" --depth "$trustdepth" "$CERTKEY"
  89. rm -f "$CERTKEY"
  90. # clear the fingerprint so that we don't
  91. # make additional tsigs on it if more uids
  92. # are present:
  93. $keyfpr=
  94. fi
  95. ;;
  96. esac
  97. done
  98. done
  99. fi
  100. ### transfer host key information (if present) into the new spot
  101. if [ -d "${MHDATADIR}" ] ; then
  102. log "Not transferring host key info because host directory already exists.\n"
  103. else
  104. if [ -s "$SYSDATADIR"/ssh_host_rsa_key ] || \
  105. GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --with-colons --list-secret-keys | grep -q '^sec:' ; then
  106. # create host home
  107. mkdir -p "${MHDATADIR}"
  108. chmod 0700 "${MHDATADIR}"
  109. log "importing host key from old monkeysphere installation\n"
  110. GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export-secret-keys \
  111. GNUPGHOME="$MHDATADIR" gpg --import
  112. monkeysphere-host update-gpg-pub-file
  113. else
  114. log "No host key found in old monkeysphere install; not importing any host key.\n"
  115. fi
  116. fi
  117. ### get rid of this old stuff, since we've transferred it all:
  118. mkdir -p "$STASHDIR"
  119. chmod 0700 "$STASHDIR"
  120. mv "${SYSDATADIR}/gnupg-host" "$STASHDIR"
  121. fi
  122. # There is nothing in the old authentication directory that we should
  123. # need to keep around, but it is not unreasonable to transfer keys to
  124. # the new authentication keyring.
  125. if [ -d "${SYSDATADIR}/gnupg-authentication" ] ; then
  126. GNUPGHOME="${SYSDATADIR}/gnupg-authentication" gpg --export | \
  127. monkeysphere-authentication gpg-cmd --import
  128. mkdir -p "$STASHDIR"
  129. chmod 0700 "$STASHDIR"
  130. mv "${SYSDATADIR}/gnupg-authentication" "$STASHDIR"
  131. fi