author | bill-auger <mr.j.spam.me@gmail.com> | 2019-02-08 05:52:47 -0500 |
committer | Andreas Grapentin <andreas@grapentin.org> | 2022-01-18 17:31:52 +0100 |
commit | 3e130a7abe443b768c97bf7707ef082bd5fb14cc (patch) | |
tree | 28c944d6d045b4be6084eb05582d3b3d5584090a | |
parent | 6064ca4670590b7018f2e23b7d8df232d26bf29e (diff) |
[parabola-keys]: initial script
-rwxr-xr-x | src/maintenance-tools/parabola-keys | 100 |
1 files changed, 100 insertions, 0 deletions
diff --git a/src/maintenance-tools/parabola-keys b/src/maintenance-tools/parabola-keys
new file mode 100755
index 0000000..45ebe22
--- /dev/null
+++ b/src/maintenance-tools/parabola-keys
@@ -0,0 +1,100 @@
+#!/bin/bash
+
+readonly KEYS_FILE=/usr/share/pacman/keyrings/parabola-trusted
+readonly WARNING_N_DAYS=30
+readonly AUTOBUILDER_KEY='D3EAD7F9D076EB9AF650149DA170D6A0B669E21A'
+
+readonly SHOULD_SHOW_ALL=$( [[ "$1" == '--all' ]] && echo 1 || echo 0 )
+readonly KEYS=$(cat $KEYS_FILE)
+readonly JOIN_CHAR='~'
+# readonly EMAIL_REGEX='.*key \([^ ,]*\), .*'
+# readonly KEY_REGEX='.*key \([^ ,]*\), .*'
+readonly EXPIRY_REGEX='.* expires: \([0-9-]*\).*'
+readonly NOW=$(date +%s)
+readonly WARNING_DURATION=$(( 86400 * ${WARNING_N_DAYS} ))
+
+declare -A all_keys
+declare -A warning_keys
+declare -A valid_keys
+declare -A expired_keys
+declare -A revoked_keys
+
+
+FetchKey() # (fingerprint)
+{
+ gpg --batch --search-keys $1 2> /dev/null | tr "\n" "${JOIN_CHAR}" | sed -E 's|^\([0-9+]\)\s+||'
+}
+
+ParseExpiry() # (key_data)
+{
+ expiry=$(echo $1 | grep 'expires:' | sed "s|.*${EXPIRY_REGEX}|\1|")
+
+ [ "${expiry} " ] && echo ${expiry} || echo 'EXPIRY_INFINITE'
+}
+
+IsValid() # (key_data)
+{
+ echo $1 | grep -Ev '(expired)|(revoked)' > /dev/null
+}
+
+IsExpired() # (key_data)
+{
+ echo $1 | grep -E '(expired)' > /dev/null
+}
+
+IsRevoked() # (key_data)
+{
+ echo $1 | grep -E '(revoked)' > /dev/null
+}
+
+
+# collect results
+echo -n "($(echo $KEYS | wc -w)) keys to consider "
+for key in ${KEYS}
+do [[ "${key%%:*}" != ${AUTOBUILDER_KEY} ]] && echo -n '.' || continue
+
+ # fetch and parse key data
+ key=${key%%:*}
+ key_data="$(FetchKey ${key})"
+
+ # detect expiry warning period
+ expiry=$(ParseExpiry "${key_data}")
+ expiry_ts=$(date --date ${expiry} +%s 2> /dev/null)
+ expiry_duration=$(( ${expiry_ts} - $NOW ))
+ (( ${expiry_duration} <= ${WARNING_DURATION} )) && \
+ (( ${expiry_duration} > 0 )) && should_warn=1 || \
+ should_warn=0
+
+ # cache key data (mutually exclusive states)
+ all_keys[${key}]="${key_data}"
+ (( ${should_warn} )) && warning_keys[${key}]="${expiry}" && continue
+ IsValid "${key_data}" && valid_keys[${key}]="${expiry}" && continue
+ IsExpired "${key_data}" && expired_keys[${key}]="${expiry}" && continue
+ IsRevoked "${key_data}" && revoked_keys[${key}]="${expiry}" && continue
+done ; echo ;
+
+# display results
+if (( ${#valid_keys[@]} * ${SHOULD_SHOW_ALL} ))
+then echo -e "\n== valid_keys ==\n"
+ for key in "${!valid_keys[@]}"
+ do echo ${all_keys[${key}]} | tr "${JOIN_CHAR}" "\n"
+ done
+fi
+if (( ${#warning_keys[@]} ))
+then echo -e "\n== warning_keys ==\n"
+ for key in "${!warning_keys[@]}"
+ do echo ${all_keys[${key}]} | tr "${JOIN_CHAR}" "\n"
+ done
+fi
+if (( ${#expired_keys[@]} ))
+then echo -e "\n== expired_keys ==\n"
+ for key in "${!expired_keys[@]}"
+ do echo ${all_keys[${key}]} | tr "${JOIN_CHAR}" "\n"
+ done
+fi
+if (( ${#revoked_keys[@]} ))
+then echo -e "\n== revoked_keys ==\n"
+ for key in "${!revoked_keys[@]}"
+ do echo ${all_keys[${key}]} | tr "${JOIN_CHAR}" "\n"
+ done
+fi
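Review bot: The test `[ "${expiry} " ]` in ParseExpiry is always true because of the literal space inside the quotes, so the `EXPIRY_INFINITE` fallback is unreachable and a key with no expiry line records an empty expiry string (which `date --date` then interprets rather than rejects); the intended line is `[ "${expiry}" ] && echo ${expiry} || echo 'EXPIRY_INFINITE'`. The bigger concern is that IsValid, IsExpired and IsRevoked classify a trusted key by grepping the entire joined, human-readable `--search-keys` output for the words "expired"/"revoked", which also matches uid names and e-mail addresses and every subkey, and whose wording depends on the gpg version and locale; reading the validity field from `gpg --batch --with-colons --search-keys` (or at least running gpg under `LC_ALL=C`) would make the valid/expired/revoked decision deterministic. Also note that `gpg --search-keys $1`, `echo $1` and `key_data="$(FetchKey ${key})"` expand values unquoted, so a uid containing shell glob characters would be mangled before the regex is applied; quoting `"$1"` and `"${key}"` avoids this. The hunk is the whole new file, so all of these functions are fully in view.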