Diffstat (limited to 'bin')
-rwxr-xr-xbin/last-git-login40
-rwxr-xr-xbin/pacman-make-keyring51
2 files changed, 71 insertions, 20 deletions
diff --git a/bin/last-git-login b/bin/last-git-login
new file mode 100755
index 0000000..c23307a
--- /dev/null
+++ b/bin/last-git-login
@@ -0,0 +1,40 @@
+# ASSERT: this script must be executed with effective group membership in one of:
+# [ adm systemd-journal wheel ]
+
+
+readonly HACKERS_LIB_DIR=/usr/lib/parabola-hackers
+
+
+FindHackerBySshSha() # (hacker_ssh_sha)
+{
+ local hacker_ssh_sha=$1
+ local hacker_login
+
+ for hacker_login in $(${HACKERS_LIB_DIR}/meta-cat --group git | cut -d ',' -f 2)
+ do ${HACKERS_LIB_DIR}/ssh-list-authorized-keys ${hacker_login} | \
+ while read ssh_key
+ do ssh_sha=$(ssh-keygen -l -E sha256 -f - <<<${ssh_key} | cut -d ' ' -f 2)
+
+ [[ "${ssh_sha}" == "${hacker_ssh_sha}" ]] && echo ${hacker_login} && break
+ done && break
+ done
+}
+
+LastHackerLogin()
+{
+ local last_ssh_sha="$(journalctl --unit=sshd.service --since=-24h 2> /dev/null | \
+ grep 'Accepted publickey for git from ' | \
+ tail -n 1 | \
+ sed 's|.*ssh2: .* \(SHA256:.*\)$|\1|' )"
+ local hacker_login=$(FindHackerBySshSha ${last_ssh_sha})
+
+ if [[ -n "${hacker_login}" ]]
+ then echo ${hacker_login}
+ else echo "can not determine the last hacker login" >&2
+ fi
+
+ [[ -n "${this_hacker_login}" ]]
+}
+
+
+LastHackerLogin
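Review bot: The final status test `[[ -n "${this_hacker_login}" ]]` in LastHackerLogin always evaluates false, because `this_hacker_login` is never assigned anywhere in the file — the local declared a few lines above is `hacker_login`, so the line should read `[[ -n "${hacker_login}" ]]`; as written the script exits 1 even when it prints a valid login. The file is also committed as mode 100755 but has no shebang, while the body depends on bash (`[[`, `<<<`, `local`), so add `#!/bin/bash` as the first line rather than relying on whatever interpreter the caller's shell falls back to. A third caveat: when the journal query finds no `Accepted publickey for git` line in the last 24h, `last_ssh_sha` is empty and FindHackerBySshSha is called with an empty argument, which then compares equal to the empty `ssh_sha` produced whenever `ssh-keygen -l` rejects a key, yielding a false match; guard with `[[ -n "${last_ssh_sha}" ]] || return 1` before the lookup.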
diff --git a/bin/pacman-make-keyring b/bin/pacman-make-keyring
index 6f98d2c..39f8942 100755
--- a/bin/pacman-make-keyring
+++ b/bin/pacman-make-keyring
@@ -1,7 +1,9 @@
-#!/usr/bin/make -rRf
-# Usage: pacman-make-keyring V=$(date -u +%Y%m%d)
+#!/usr/bin/env -S make -j1 -rRf
-# Copyright 2014, 2016 Luke Shumaker <lukeshu@sbcglobal.net>.
+# Usage: pacman-make-keyring V=$(date -u +%Y%m%d) [ keyserver=<HKP_URL> ]
+
+# Copyright 2014,2016 Luke Shumaker <lukeshu@sbcglobal.net>
+# Copyright 2021-2022 bill-auger <bill-auger@programmer.net>
#
# This is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
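Review bot: The new shebang `#!/usr/bin/env -S make -j1 -rRf` depends on `env -S` splitting the argument string, which GNU coreutils added in 8.30; on an older env the kernel hands over `-S make -j1 -rRf` as one argument and the script fails to start, so if that is acceptable for the hosts this runs on it deserves a line next to the usage comment, e.g. `# NOTE: requires GNU coreutils >= 8.30 for 'env -S'`. Also, as far as I recall GNU make honours the last `-j` given, so the `-j1` here is only a default that a caller's own `-j` overrides; if serial execution is required for the keyserver rate limit, a `.NOTPARALLEL:` directive in the file body enforces it regardless of how make is invoked.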
@@ -17,21 +19,28 @@
# License along with this manual; if not, see
# <http://www.gnu.org/licenses/>.
+
+# apply config
+KEYRING_NAME = parabola
+bin := $(patsubst %/,%,$(dir $(lastword $(MAKEFILE_LIST))))
+yamldir := $(shell ruby -e "load '$(bin)/common.rb'; print cfg['yamldir']")
+keyserver := $(shell ruby -e "load '$(bin)/common.rb'; print cfg['keyring_keyserver']")
+cachedir := $(shell ruby -e "load '$(bin)/common.rb'; print cfg['keyring_cachedir']")
+outputdir = $(cachedir)/$(KEYRING_NAME)-keyring-$(V)
+
+# sanity checks
ifeq ($(origin V),undefined)
-$(info Usage: pacman-make-keyring V=$$(date -u +%Y%m%d))
-$(error You must set V= on the command line)
+ $(info Usage: pacman-make-keyring V=$$(date -u +%Y%m%d) [ keyserver=<HKP_URL> ]) $(info)
+ $(error V= must be set in the environment, on the command line, etc)
+endif
+ifneq ($(findstring hkp://,${keyserver}),hkp://)
+ $(error keyserver must be a valid hkp:// URL)
endif
-
-bin := $(patsubst %/,%,$(dir $(lastword $(MAKEFILE_LIST))))
-yamldir := $(shell ruby -e "load '$(bin)/common.rb'; print cfg['yamldir']")
-cachedir := $(shell ruby -e "load '$(bin)/common.rb'; print cfg['keyring_cachedir']")
-outputdir = $(cachedir)/$(KEYRING_NAME)-keyring-$(V)
-KEYRING_NAME = parabola
all: $(KEYRING_NAME)-keyring-$(V).tar.gz
.PHONY: all
-
+
export SHELL = /bin/bash -o pipefail
.PHONY: FORCE
.SECONDARY:
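Review bot: The sanity check `ifneq ($(findstring hkp://,${keyserver}),hkp://)` accepts any value that merely contains `hkp://` somewhere in the string and rejects `hkps://` outright (the substring `hkp://` does not occur in it), so the only transport it admits is unauthenticated plaintext HKP — and the keys fetched over it are later locally signed and exported into the shipped keyring. Anchor the check to the URL prefix and allow TLS: `ifeq ($(filter hkp://% hkps://%,$(strip $(keyserver))),)` followed by `$(error keyserver must be an hkp:// or hkps:// URL)`. Whether plaintext HKP is acceptable at all depends on every `--recv-keys` argument being a full fingerprint rather than a short key id, which this diff does not show; if any are short ids, hkps should be required rather than merely permitted.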
@@ -60,7 +69,7 @@ $(cachedir)/var.%: FORCE | $(cachedir)
$(cachedir)/txt.%: $(cachedir)/var.%
sed 's|^#||' < $< > $@
var=$(cachedir)/var.
-
+
keyring-files = \
$(outputdir)/Makefile \
$(outputdir)/${KEYRING_NAME}.gpg \
@@ -90,7 +99,7 @@ endef
$(outputdir)/Makefile: $(cachedir)/txt.Makefile.in $(var)V $(var)KEYRING_NAME | $(outputdir)
sed $(foreach v,$(patsubst $(var)%,%,$(filter $(var)%,$^)), -e 's|@$v@|$($v)|' ) < $< > $@
-
+
users := $(sort $(shell find $(yamldir))) $(var)users
# Assemble the list of .asc files needed to generate the keyring
@@ -110,9 +119,11 @@ $(cachedir)/deps.mk: ${users} $(var)outputdir $(var)cachedir $(var)KEYRING_NAME|
export LANG=C
-KEYSERVER = hkp://pool.sks-keyservers.net
-
-GPG = gpg --quiet --batch --no-tty --no-permission-warning --keyserver ${KEYSERVER} --homedir $(cachedir)/gpghome
+# NOTE: Key fetches tend to fail if fired-off too rapidly,
+# (even 2 seconds intervals). 5 seconds intervals has not yet failed.
+FETCH_IVL = 5
+KEYSERVER = ${keyserver}
+GPG = gpg --quiet --batch --no-tty --no-permission-warning --keyserver ${KEYSERVER} --homedir $(cachedir)/gpghome
define gpg-init
%echo Generating Parabola Keyring keychain master key...
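Review bot: The comment above `FETCH_IVL = 5` explains the rate limit but the serialisation it assumes is provided only by the `-j1` in the shebang, which a caller's command-line `-j` overrides; since every `%.asc` rule below is an independent target, a parallel run would fire the fetches concurrently and defeat the interval. Add `.NOTPARALLEL:` next to the existing `.PHONY: FORCE` / `.SECONDARY:` directives and extend the comment, e.g. `# NOTE: fetches are serialised via .NOTPARALLEL so FETCH_IVL actually spaces them out`. The `define gpg-init` block that starts at the end of this hunk continues outside it.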
@@ -138,7 +149,7 @@ keyid=$(keyid.$(patsubst %.asc,%,$(notdir $@)))
$(outputdir)/${KEYRING_NAME}-trusted: ${users} | $(outputdir)
$(bin)/pgp-list-keyids | sed -rn 's|^trusted/\S+ (\S+)|\1:4:|p' > $@
$(cachedir)/keys/trusted/%.asc : $(cachedir)/stamp.gpg-init | $(cachedir)/keys/trusted
- ${GPG} --recv-keys ${keyid}
+ sleep ${FETCH_IVL} && ${GPG} --recv-keys ${keyid}
printf 'minimize\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
printf 'y\ny\n' | ${GPG} --command-fd 0 --lsign-key ${keyid}
${GPG} --armor --no-emit-version --export ${keyid} > $@
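Review bot: The change `sleep ${FETCH_IVL} && ${GPG} --recv-keys ${keyid}` spaces fetches out but adds no retry, so a single transient keyserver failure — the very condition the FETCH_IVL comment describes — still aborts the whole keyring build. A bounded retry keeps the pacing and tolerates one-off failures: `sleep ${FETCH_IVL}; i=0; until ${GPG} --recv-keys ${keyid}; do i=$$((i+1)); [ $$i -lt 3 ] || exit 1; sleep ${FETCH_IVL}; done`; the same applies to the secondary and revoked rules in the hunks below. Separately, because the received key is immediately `--lsign-key`ed and exported into the shipped keyring, it is worth confirming outside this diff that `keyid` is always a full fingerprint, so that a plaintext HKP response cannot substitute a different key with a colliding short id; this rule's recipe may continue past the hunk.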
@@ -149,7 +160,7 @@ $(cachedir)/stamp.ownertrust: $(outputdir)/${KEYRING_NAME}-trusted $(cachedir)/d
# In 'update-keys', this is the 'packager-keyids' loop
$(cachedir)/keys/secondary/%.asc: $(cachedir)/stamp.ownertrust | $(cachedir)/keys/secondary
- ${GPG} --recv-keys ${keyid}
+ sleep ${FETCH_IVL} && ${GPG} --recv-keys ${keyid}
printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
${GPG} --list-keys --with-colons ${keyid} | grep -q '^pub:f:' # make sure it is trusted
${GPG} --armor --no-emit-version --export ${keyid} > $@
@@ -158,7 +169,7 @@ $(cachedir)/keys/secondary/%.asc: $(cachedir)/stamp.ownertrust | $(cachedir)/key
$(outputdir)/${KEYRING_NAME}-revoked: ${users} | $(outputdir)
$(bin)/pgp-list-keyids | sed -rn 's|^revoked/\S+ ||p' > $@
$(cachedir)/keys/revoked/%.asc : $(cachedir)/stamp.ownertrust | $(cachedir)/keys/revoked
- ${GPG} --recv-keys ${keyid}
+ sleep ${FETCH_IVL} && ${GPG} --recv-keys ${keyid}
printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
! ${GPG} --list-keys --with-colons ${keyid} | grep -q '^pub:f:' # make sure it isn't trusted
${GPG} --armor --no-emit-version --export ${keyid} > $@