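#!/bin/bash
# Report the expiry state of every key in the pacman 'parabola-trusted'
# keyring, fetching each one from the keyserver via gpg.
#   usage: SCRIPT [--all]          also print keys that are valid and not near expiry
#          SCRIPT [--chroot DIR]   copy this script into DIR and run it there instead
readonly KEYS_FILE=/usr/share/pacman/keyrings/parabola-trusted
readonly WARNING_N_DAYS=30                      # warn when a key expires within this many days
readonly AUTOBUILDER_KEY='D3EAD7F9D076EB9AF650149DA170D6A0B669E21A'   # skipped by the report
readonly SHOULD_SHOW_ALL=$( [[ "$1" == '--all' ]] && echo 1 || echo 0 )
# quoted: the chroot path is later handed to 'sudo cp' / 'sudo chroot' verbatim
readonly CHROOT=$( [[ "$1" == '--chroot' ]] && printf '%s' "$2" )
# a missing keyring is deliberately not fatal here (KEYS stays empty);
# NOTE(review): presumably so that --chroot still works on a host without the keyring - confirm
readonly KEYS=$(cat "$KEYS_FILE")
readonly JOIN_CHAR='~'                          # replaces newlines so one key's listing is one line
# readonly EMAIL_REGEX='.*key \([^ ,]*\), .*'
# readonly KEY_REGEX='.*key \([^ ,]*\), .*'
# BRE used with sed; the capture admits only digits and '-', so keyserver
# output never reaches 'date --date' unconstrained
readonly EXPIRY_REGEX='.* expires: \([0-9-]*\).*'
readonly NOW=$(date +%s)
readonly WARNING_DURATION=$(( 86400 * WARNING_N_DAYS ))   # seconds
# per-fingerprint tables filled by the collection loop below
declare -A all_keys       # fingerprint -> joined gpg listing
declare -A warning_keys   # fingerprint -> expiry date (expires within WARNING_N_DAYS)
declare -A valid_keys     # fingerprint -> expiry date
declare -A expired_keys   # fingerprint -> expiry date
declare -A revoked_keys   # fingerprint -> expiry date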
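FetchKey() # (fingerprint)
{
  # Query the keyserver for one key and print its listing as a single line:
  # newlines become JOIN_CHAR and a leading "(N)" index plus the whitespace
  # after it is stripped. gpg diagnostics are discarded.
  #   $1 - key fingerprint (quoted: never let it be word-split or globbed)
  gpg --batch --search-keys "$1" 2> /dev/null | tr "\n" "${JOIN_CHAR}" | sed -E 's|^\([0-9+]\)\s+||'
}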
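ParseExpiry() # (key_data)
{
  # Print the 'expires: YYYY-MM-DD' date found in a FetchKey listing, or
  # 'EXPIRY_INFINITE' when the listing carries no expiry.
  #   $1 - joined key listing as produced by FetchKey
  local expiry
  expiry=$(printf '%s\n' "$1" | grep 'expires:' | sed "s|.*${EXPIRY_REGEX}|\1|")
  # bug fix: the old test was [ "${expiry} " ] - the trailing space inside
  # the quotes made it always true, so EXPIRY_INFINITE was never printed
  if [[ -n "${expiry}" ]]
  then printf '%s\n' "${expiry}"
  else echo 'EXPIRY_INFINITE'
  fi
}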
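IsValid() # (key_data)
{
  # Succeed when the listing mentions neither 'expired' nor 'revoked'.
  #   $1 - joined key listing as produced by FetchKey
  # Substring test on the quoted value, so uid text can no longer be globbed
  # (the old 'echo $1 | grep' expanded it unquoted).
  [[ "$1" != *expired* && "$1" != *revoked* ]]
}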
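IsExpired() # (key_data)
{
  # Succeed when the listing contains 'expired' anywhere.
  #   $1 - joined key listing as produced by FetchKey
  # NOTE(review): a substring match over the whole listing, so a uid that
  # happens to contain the word would match too
  [[ "$1" == *expired* ]]
}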
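IsRevoked() # (key_data)
{
  # Succeed when the listing contains 'revoked' anywhere.
  #   $1 - joined key listing as produced by FetchKey
  # NOTE(review): a substring match over the whole listing, so a uid that
  # happens to contain the word would match too
  [[ "$1" == *revoked* ]]
}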
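# run in chroot
# --chroot DIR: copy this script to the root of DIR, run the copy inside the
# chroot (with no arguments, so --all is not forwarded) and exit with its
# status. Both steps need root; the path is quoted so a directory name with
# spaces or glob characters is passed through intact.
if [[ -d "$CHROOT" ]]
then sudo cp -- "${BASH_SOURCE[0]}" "$CHROOT/" || exit 1
  sudo chroot "$CHROOT/" "./$(basename -- "${BASH_SOURCE[0]}")"
  exit $?
fi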
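# collect results
# Fetch every keyring entry except AUTOBUILDER_KEY and file it, by
# fingerprint, into exactly one of warning/valid/expired/revoked (first
# matching state wins). Prints one '.' per key as progress.
printf '(%s) keys to consider ' "$(printf '%s\n' "$KEYS" | wc -w)"
# KEYS is intentionally unquoted: one whitespace-separated keyring entry per iteration
# shellcheck disable=SC2086
for key in ${KEYS}
do key=${key%%:*}                                    # keep the part before the first ':' (the fingerprint)
  [[ "${key}" == "${AUTOBUILDER_KEY}" ]] && continue
  echo -n '.'
  # fetch and parse key data
  key_data=$(FetchKey "${key}")
  # detect expiry warning period
  expiry=$(ParseExpiry "${key_data}")
  # an unparseable expiry (e.g. EXPIRY_INFINITE) yields a timestamp of 0,
  # i.e. a negative duration that never warns - same outcome as before
  expiry_ts=$(date --date "${expiry}" +%s 2> /dev/null) || expiry_ts=0
  expiry_duration=$(( expiry_ts - NOW ))
  if (( expiry_duration > 0 && expiry_duration <= WARNING_DURATION ))
  then should_warn=1
  else should_warn=0
  fi
  # cache key data (mutually exclusive states)
  all_keys[${key}]="${key_data}"
  (( should_warn )) && warning_keys[${key}]="${expiry}" && continue
  IsValid "${key_data}" && valid_keys[${key}]="${expiry}" && continue
  IsExpired "${key_data}" && expired_keys[${key}]="${expiry}" && continue
  IsRevoked "${key_data}" && revoked_keys[${key}]="${expiry}" && continue
done ; echo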
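# display results
PrintSection() # (title, fingerprint...)
{
  # Print a '== title ==' heading followed by the cached listing of each
  # given fingerprint, one gpg line per output line. Prints nothing at all
  # when no fingerprints are given.
  #   $1   - section title
  #   $2.. - fingerprints to look up in all_keys
  local title=$1
  shift
  (( $# )) || return 0
  printf '\n== %s ==\n\n' "${title}"
  local fp
  for fp in "$@"
  do printf '%s\n' "${all_keys[${fp}]}" | tr "${JOIN_CHAR}" "\n"   # quoted: no globbing of uid text
  done
}
# valid keys are only listed on request (--all); the other states always are
if (( SHOULD_SHOW_ALL ))
then PrintSection valid_keys "${!valid_keys[@]}"
fi
PrintSection warning_keys "${!warning_keys[@]}"
PrintSection expired_keys "${!expired_keys[@]}"
PrintSection revoked_keys "${!revoked_keys[@]}"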