-rwxr-xr-x | lib/keyringer/actions/check | 15 | ||||
-rwxr-xr-x | lib/keyringer/functions | 50 |
2 files changed, 56 insertions, 9 deletions
diff --git a/lib/keyringer/actions/check b/lib/keyringer/actions/check
index 669b994..14eb30b 100755
--- a/lib/keyringer/actions/check
+++ b/lib/keyringer/actions/check
@@ -7,20 +7,23 @@
 # - git://lair.fifthhorseman.net/~mjgoins/cur
 # - https://gitorious.org/key-report
 # - https://github.com/ilf/gpg-maintenance.git
+# - https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
 #
-# This script can run from a crontab, client of server side to check
+# This script can run from a crontab, client or server side to check
 # keyringer health status.
 
 # Load functions
 LIB="`dirname $0`/../functions"
 source "$LIB" || exit 1
 
-# TODO: Automatically fetch absent keys from all recipients.
-# TODO: Automatically pull a repository.
+# The following should run automatically from keyringer_check_recipients:
+#
+# TODO: Pull the keyring repository.
+# TODO: Fetch absent keys from all recipients.
 # TODO: Check if keys in all recipients files are about to expire.
 # TODO: Time to expire can be configured via repository options.
 # TODO: Users can be alerted by mail if configured by user preferences.
-# TODO: Check canaries' timestamps, warning by mail if configured by user preferences.
 # TODO: Outgoing emails can be encrypted.
-echo "Not implemented :("
-exit 1
+
+# This should be done here:
+# TODO: Check canaries' timestamps, warning by mail if configured by user preferences.
diff --git a/lib/keyringer/functions b/lib/keyringer/functions
index 475514d..4746859 100755
--- a/lib/keyringer/functions
+++ b/lib/keyringer/functions
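Review bot: With the `echo "Not implemented :("` / `exit 1` stub removed, the check action no longer sets an explicit exit status: it now ends right after `source "$LIB" || exit 1`, so its status is whatever the last command in the sourced library returned, and a cron job cannot distinguish a passed check from a failed one. The new comment says the real work (pull, key fetch) runs from `keyringer_check_recipients` while sourcing, but that call is not visible in this hunk, so it should be confirmed that sourcing the library alone triggers it. Until the canary check is implemented I would end the file with an explicit `exit 0` and the comment `# Recipient checks run from keyringer_check_recipients while sourcing $LIB; this action does no work of its own yet.`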
@@ -514,11 +514,23 @@ function keyringer_usage {
 }
 
 # Check recipients
+# TODO: break in smaller pieces
 function keyringer_check_recipients {
+# Shall we check recipients?
 if [ "$KEYRINGER_CHECK_RECIPIENTS" == "false" ]; then
 return
 fi
 
+# Local variables
+local processed=":"
+
+# Sync the repository
+if [ "$BASENAME" == "check" ]; then
+echo "Syncing git repository..."
+keyringer_exec git "$BASEDIR" pull
+echo ""
+fi
+
 # Check if recipients file is empty.
 if [ "`grep -vE "^#|^$" "$RECIPIENTS"/* | wc -l`" == 0 ] && [ "$SUBCOMMAND" != "edit" ]; then
 echo "Fatal: no recipients configured for this keyring."
@@ -538,6 +550,13 @@ function keyringer_check_recipients {
 fi
 
 for recipient in $(cat "$RECIPIENTS"/* | grep -v '^#' | awk '{ print $2 }'); do
+# Process a recipient just once
+if echo $processed | grep -q "$recipient:"; then
+continue
+else
+processed="$processed$recipient:"
+fi
+
 size=$(echo "$recipient" | wc -c)
 if (( $size < 41 )); then
 echo "Fatal: please set the full GPG signature hash for key ID $recipient:"
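Review bot: The new `keyringer_exec git "$BASEDIR" pull` in check mode discards the pull's exit status, so a failed or conflicting pull prints git's error and the recipient checks continue against a stale or half-merged tree. Because the pull happens before the recipients files are read, in check mode whatever the remote delivers in `$RECIPIENTS` is exactly what the key fetching further down acts on, and nothing in this hunk verifies the pulled commits (no signature check is visible), so the remote effectively decides which fingerprints get fetched. Assuming `keyringer_exec` propagates git's status, I would make failure explicit with `keyringer_exec git "$BASEDIR" pull || { echo "Error: git pull failed, aborting check."; exit 1; }` and add `# NOTE: pulled recipients files are trusted as-is; no commit signature verification here.` above it. The function continues past the end of this hunk.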
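Review bot: The dedup test `if echo $processed | grep -q "$recipient:"` uses `$recipient` as an unanchored regex, so a short key ID that is a suffix of an already-processed full fingerprint (for example its last 8 hex digits) matches and is skipped via `continue` before it reaches the `$size < 41` check below, silently hiding the "please set the full GPG signature hash" error those lines exist to raise. Matching the leading separator with a fixed-string search closes that gap and also fixes the unquoted expansion: `if echo "$processed" | grep -qF -- ":$recipient:"; then`. The surrounding `for recipient` loop and the enclosing function extend beyond this hunk.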
@@ -561,9 +580,32 @@ EOF
 else
 gpg --list-key "$recipient" &> /dev/null
 if [ "$?" != "0" ]; then
-echo "Fatal: no such key $recipient on your GPG keyring."
-echo "Please check for this key or fix the recipient file."
-exit 1
+if [ "$BASENAME" == "check" ]; then
+# TODO: gpg-maintenance trickery
+# TODO: should be controlled by user preference
+refresh="no"
+echo "Trying to receive missing key $recipient..."
+gpg --batch --recv-keys "$recipient"
+echo ""
+if [ "$?" != 0 ]; then
+echo "Error fetching $recipient from keyservers."
+continue
+fi
+else
+echo "Fatal: no such key $recipient on your GPG keyring."
+echo "Please check for this key or fix the recipient file."
+
+exit 1
+fi
+fi
+
+# Refresh keys
+if [ "$BASENAME" == "check" ] && [ "$refresh" != "no" ]; then
+# TODO: gpg-maintenance trickery
+# TODO: should be controlled by user preference
+echo "Trying to refresh key $recipient..."
+gpg --batch --refresh-keys "$recipient"
+echo ""
 fi
 
 # Current date
@@ -573,6 +615,7 @@ EOF
 expiry="`gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^pub | cut -d : -f 7`"
 
 # Check if key is expired
+# TODO: check if key is about to expire
 if [ ! -z "$expiry" ] && [[ "$seconds" -gt "$expiry" ]]; then
 echo "Fatal: primary key for $recipient expired on `date --date="@$expiry"`"
 exit 1
@@ -580,6 +623,7 @@ EOF
 
 # Check the subkeys
 for expiry in `gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^sub | cut -d : -f 7`; do
 if [[ "$seconds" -lt "$expiry" ]]; then
+# TODO: check if subkey is about to expire
 not_expired="1"
 fi
|
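Review bot: The fetch-failure test `if [ "$?" != 0 ]` examines the status of the `echo ""` that precedes it, not of `gpg --batch --recv-keys`, so it is always 0 and the `continue` is dead code: a recipient whose key could not be fetched falls through to the refresh and expiry checks with no key on the keyring. Test gpg directly, `if ! gpg --batch --recv-keys "$recipient"; then`, and move the `echo ""` after the test. Separately, `refresh="no"` is set only in the fetch branch and is neither `local` nor reset per recipient, so once one key has been fetched every later recipient in the loop also skips `--refresh-keys`; resetting it at the top of the loop body (outside this hunk) would fix that. The enclosing `for recipient` loop and the function start and end outside the hunk.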