#!/bin/bash

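# parabola-keys: report the keyserver state of every fingerprint in the pacman
# trusted keyring, grouped into expiring-soon / valid / expired / revoked.
#
# usage: parabola-keys [--all | --chroot DIR]
#   --all          also list the keys that look fine (otherwise only problems are shown)
#   --chroot DIR   copy this script into DIR and run it there instead (see below)

readonly KEYS_FILE=/usr/share/pacman/keyrings/parabola-trusted   # one 'FINGERPRINT:...' entry per line (format assumed from the ':' split below -- confirm)
readonly WARNING_N_DAYS=30                                        # warn when a key expires within this many days
readonly AUTOBUILDER_KEY='D3EAD7F9D076EB9AF650149DA170D6A0B669E21A'  # excluded from the check (presumably handled elsewhere -- confirm)

readonly SHOULD_SHOW_ALL=$( [[ "$1" == '--all'    ]] && echo 1 || echo 0 )
readonly CHROOT=$(          [[ "$1" == '--chroot' ]] && printf '%s\n' "$2" )
# A missing keyring only yields an empty list (cat's error still reaches stderr);
# not aborting here is what lets the host side of a --chroot run proceed when the
# host itself has no parabola keyring.
readonly KEYS=$(cat "${KEYS_FILE}")
readonly JOIN_CHAR='~'                               # stands in for newlines while a listing is held in one string
readonly EXPIRY_REGEX='.* expires: \([0-9-]*\).*'   # BRE; captures the YYYY-MM-DD following 'expires:'
readonly NOW=$(date +%s)
readonly WARNING_DURATION=$(( 86400 * WARNING_N_DAYS ))   # warning window, in seconds

declare -A all_keys       # fingerprint -> '~'-joined keyserver listing (display text)
declare -A warning_keys   # fingerprint -> expiry; expires within WARNING_N_DAYS
declare -A valid_keys     # fingerprint -> expiry; neither expiring soon, expired nor revoked
declare -A expired_keys   # fingerprint -> expiry; listing says 'expired'
declare -A revoked_keys   # fingerprint -> expiry; listing says 'revoked'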


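FetchKey() # (fingerprint) -> the keyserver's listing for the key, newlines replaced by JOIN_CHAR
{
  local listing
  # --search-keys only displays what the keyserver returns (nothing is imported).
  # That text is unauthenticated network data: every later check is a substring
  # match on it, so it is handled quoted throughout.  The sed looks like it strips
  # the '(1)' result-number prefix gpg prints before the first user id.
  listing=$(gpg --batch --search-keys "$1" 2> /dev/null | tr "\n" "${JOIN_CHAR}" | sed -E 's|^\([0-9+]\)\s+||')
  # gpg's own errors are discarded above; an empty listing (keyserver unreachable,
  # key unknown) would otherwise be sorted as 'valid' by the callers, so say so.
  [[ -n "${listing}" ]] || printf 'warning: no keyserver data for %s\n' "$1" >&2
  printf '%s\n' "${listing}"
}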

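ParseExpiry() # (key_data) -> expiry date (YYYY-MM-DD) or 'EXPIRY_INFINITE'
{
  local expiry
  # key_data is one JOIN_CHAR-joined line; EXPIRY_REGEX captures the date after
  # the last 'expires:' on it.  Quoted/printf so keyserver text is never
  # word-split, glob-expanded or mistaken for echo options.
  expiry=$(printf '%s\n' "$1" | grep 'expires:' | sed "s|.*${EXPIRY_REGEX}|\1|")

  # -n on the value itself: the original test compared "${expiry} " (with a
  # trailing space), which is never empty, so EXPIRY_INFINITE was unreachable.
  if [[ -n "${expiry}" ]]; then
    printf '%s\n' "${expiry}"
  else
    echo 'EXPIRY_INFINITE'
  fi
}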

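IsValid() # (key_data) -> 0 when the listing mentions neither 'expired' nor 'revoked'
{
  # Plain substring test: no echo/grep, so the keyserver-supplied text is not
  # word-split or glob-expanded, and a listing starting with '-n' is not eaten.
  [[ "$1" != *expired* && "$1" != *revoked* ]]
}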

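IsExpired() # (key_data) -> 0 when the listing mentions 'expired'
{
  # Substring test on the keyserver-supplied text; no unquoted expansion.
  [[ "$1" == *expired* ]]
}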

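IsRevoked() # (key_data) -> 0 when the listing mentions 'revoked'
{
  # Substring test on the keyserver-supplied text; no unquoted expansion.
  [[ "$1" == *revoked* ]]
}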

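# --chroot DIR: copy this script into the chroot's root and re-run it there, as
# root via sudo, so the lookups use the chroot's gpg/keyserver configuration.
# NOTE: the copy is left behind in DIR/ afterwards, and the keyserver query runs
# as root inside the chroot; nothing beyond the script itself is forwarded
# (the re-run sees no arguments, so --all cannot be combined with --chroot).
if [[ -d "${CHROOT}" ]]; then
  # bail if the copy fails rather than chroot into a stale or missing script
  sudo cp -- "${BASH_SOURCE}" "${CHROOT}/" || exit
  sudo chroot "${CHROOT}/" "./$(basename -- "${BASH_SOURCE}")"
  exit
fi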

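# collect results: look every trusted fingerprint up on the keyserver and file it
# under exactly one of warning / valid / expired / revoked (first match wins).
# NOTE: a key is judged by what the keyserver reports, not by the local keyring,
# and the sorting is a substring match on that listing -- a user id containing
# the word 'expired' or 'revoked' would be misfiled, and an empty listing
# (lookup failed) reads as valid.
echo -n "($(echo "${KEYS}" | wc -w)) keys to consider "
for key in ${KEYS}   # unquoted on purpose: one 'FINGERPRINT:...' word per entry
do  key=${key%%:*}
    # the autobuilder key is not checked (presumably handled elsewhere -- confirm)
    [[ "${key}" == "${AUTOBUILDER_KEY}" ]] && continue
    echo -n '.'

    key_data="$(FetchKey "${key}")"

    # expiry warning window: strictly more than 0 and at most WARNING_DURATION
    # seconds from now.  An absent or unparsable expiry leaves expiry_ts empty,
    # which the arithmetic treats as 0 (far in the past), i.e. no warning.
    expiry=$(ParseExpiry "${key_data}")
    expiry_ts=''
    if [[ -n "${expiry}" ]]; then
      expiry_ts=$(date --date "${expiry}" +%s 2> /dev/null)
    fi
    expiry_duration=$(( ${expiry_ts:-0} - NOW ))
    should_warn=0
    if (( expiry_duration > 0 && expiry_duration <= WARNING_DURATION )); then
      should_warn=1
    fi

    # cache the listing for display, then file the key (mutually exclusive states)
    all_keys[${key}]="${key_data}"
    if   (( should_warn ));        then warning_keys[${key}]="${expiry}"
    elif IsValid   "${key_data}";  then valid_keys[${key}]="${expiry}"
    elif IsExpired "${key_data}";  then expired_keys[${key}]="${expiry}"
    elif IsRevoked "${key_data}";  then revoked_keys[${key}]="${expiry}"
    fi
done ; echo ;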

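# display results: valid keys are listed only with --all; the warning, expired
# and revoked groups are listed whenever they are non-empty.

ShowKeys() # (group_name, fingerprint...) -- print each key's cached listing under a heading
{
  local group=$1 fp
  shift
  echo -e "\n== ${group} ==\n"
  for fp in "$@"
  do  # quoted on purpose: the listing is keyserver-supplied text and must not be
      # word-split or glob-expanded on its way to the terminal
      printf '%s\n' "${all_keys[${fp}]}" | tr "${JOIN_CHAR}" "\n"
  done
}

if (( ${#valid_keys[@]} * SHOULD_SHOW_ALL )); then
  ShowKeys valid_keys "${!valid_keys[@]}"
fi
if (( ${#warning_keys[@]} )); then
  ShowKeys warning_keys "${!warning_keys[@]}"
fi
if (( ${#expired_keys[@]} )); then
  ShowKeys expired_keys "${!expired_keys[@]}"
fi
if (( ${#revoked_keys[@]} )); then
  ShowKeys revoked_keys "${!revoked_keys[@]}"
fi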