Setting tag myplc-5.3-3
[myplc.git] / plc.d / gpg
1 #!/bin/bash
2 #
3 # priority: 400
4 #
5 # Generate GPG keys
6 #
7 # Mark Huang <mlhuang@cs.princeton.edu>
8 # Copyright (C) 2006 The Trustees of Princeton University
9 #
10
11 # Source function library and configuration
12 . /etc/plc.d/functions
13 . /etc/planetlab/plc_config
14
15 # Be verbose
16 set -x
17
18 case "$1" in
19     start)
20         # Make temporary GPG home directory
21         homedir=$(mktemp -d /tmp/gpg.XXXXXX)
22
23         # in case a previous gpg invocation failed in some weird way
24         # and left behind a zero length gpg key (pub or priv).
25         if [ -f $PLC_ROOT_GPG_KEY_PUB -a ! -s $PLC_ROOT_GPG_KEY_PUB ] ; then
26             rm -f $PLC_ROOT_GPG_KEY_PUB 
27         fi
28         if [ -f $PLC_ROOT_GPG_KEY -a ! -s $PLC_ROOT_GPG_KEY ] ; then
29             rm -f $PLC_ROOT_GPG_KEY
30         fi
31
32         if [ ! -f $PLC_ROOT_GPG_KEY_PUB -o ! -f $PLC_ROOT_GPG_KEY ] ; then
33             # Generate new GPG keyring
34             MESSAGE=$"Generating GPG keys"
35             dialog "$MESSAGE"
36
37             mkdir -p $(dirname $PLC_ROOT_GPG_KEY_PUB)
38             mkdir -p $(dirname $PLC_ROOT_GPG_KEY)
39
40             # Temporarily replace /dev/random with /dev/urandom to
41             # avoid running out of entropy.
42             # (1 9 is /dev/urandom, 1 8 is /dev/random)
43             #
44             # a former version of this was rm'ing /dev/random and re-creating it afterwards
45             # however in 1.0.4 libvirt won't allow the use of mknod at all, so let's work around that
46             # by moving things around instead
47             #
48             # if we find this file it's probably that a previous run has failed..
49             [ -f /dev/random.preserve ] && { echo "Unexpected file /dev/random.preserve - exiting" ; exit 1; }
50             mv -f /dev/random /dev/random.preserve
51             # doesn't hurt to check 
52             check
53             ln -s /dev/urandom /dev/random
54             # again 
55             check
56             gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
57                 --gen-key <<EOF
58 Key-Type: DSA
59 Key-Length: 1024
60 Subkey-Type: ELG-E
61 Subkey-Length: 1024
62 Name-Real: $PLC_NAME Central
63 Name-Comment: http://$PLC_WWW_HOST/
64 Name-Email: $PLC_MAIL_SUPPORT_ADDRESS
65 Expire-Date: 0
66 %pubring $PLC_ROOT_GPG_KEY_PUB
67 %secring $PLC_ROOT_GPG_KEY
68 %commit
69 EOF
70             check
71             mv -f /dev/random.preserve /dev/random
72             check
73         else
74             # Update GPG UID
75             MESSAGE=$"Updating GPG keys"
76             dialog "$MESSAGE"
77
78             # Get the current GPG fingerprint and comment
79             OLDIFS=$IFS
80             IFS=:
81             while read -a fields ; do
82                 if [ "${fields[0]}" = "pub" ] ; then
83                     fingerprint=${fields[4]}
84                     break
85                 fi
86             done < <(
87                 gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
88                     --no-default-keyring \
89                     --secret-keyring=$PLC_ROOT_GPG_KEY \
90                     --keyring=$PLC_ROOT_GPG_KEY_PUB \
91                     --list-public-keys --with-colons
92                 check
93             )
94             IFS=$OLDIFS
95
96             # Add a new UID if appropriate. GPG will detect and merge duplicates.
97             gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
98                 --no-default-keyring \
99                 --secret-keyring=$PLC_ROOT_GPG_KEY \
100                 --keyring=$PLC_ROOT_GPG_KEY_PUB \
101                 --command-fd 0 --status-fd 1 --edit-key $fingerprint <<EOF
102 adduid
103 $PLC_NAME Central
104 $PLC_MAIL_SUPPORT_ADDRESS
105 http://$PLC_WWW_HOST/
106 save
107 EOF
108             check
109         fi
110
111         # Install the key in the RPM database
112         mkdir -p /etc/pki/rpm-gpg
113         gpg --homedir=$homedir --no-permission-warning --batch --no-tty --yes \
114             --no-default-keyring \
115             --secret-keyring=$PLC_ROOT_GPG_KEY \
116             --keyring=$PLC_ROOT_GPG_KEY_PUB \
117             --export --armor >"/etc/pki/rpm-gpg/RPM-GPG-KEY-$PLC_NAME"
118         check
119         if rpm -q gpg-pubkey ; then
120             rpm --allmatches -e gpg-pubkey
121             check
122         fi
123         # starting with rpm-4.6, this fails when run a second time
124         # it would be complex to do this properly based on the filename, 
125         # as /etc/pki/rpm-gpg/ typically has many symlinks to the same file
126         # see also http://fedoranews.org/tchung/gpg/
127         # so just ignore the result
128         rpm --import /etc/pki/rpm-gpg/* || :
129         check
130
131         # Make GPG key readable by apache so that the API can sign peer requests
132         chown apache $PLC_ROOT_GPG_KEY
133         chmod 644 $PLC_ROOT_GPG_KEY_PUB
134         chmod 600 $PLC_ROOT_GPG_KEY
135         check
136
137         # Cleanup
138         rm -rf $homedir
139
140         result "$MESSAGE"
141         ;;
142 esac
143
144 exit $ERRORS