summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rwxr-xr-xlib/keyringer/actions/check15
-rwxr-xr-xlib/keyringer/functions50
2 files changed, 56 insertions, 9 deletions
diff --git a/lib/keyringer/actions/check b/lib/keyringer/actions/check
index 669b994..14eb30b 100755
--- a/lib/keyringer/actions/check
+++ b/lib/keyringer/actions/check
@@ -7,20 +7,23 @@
# - git://lair.fifthhorseman.net/~mjgoins/cur
# - https://gitorious.org/key-report
# - https://github.com/ilf/gpg-maintenance.git
+# - https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
#
-# This script can run from a crontab, client of server side to check
+# This script can run from a crontab, client or server side to check
# keyringer health status.
# Load functions
LIB="`dirname $0`/../functions"
source "$LIB" || exit 1
-# TODO: Automatically fetch absent keys from all recipients.
-# TODO: Automatically pull a repository.
+# The following should run automatically from keyringer_check_recipients:
+#
+# TODO: Pull the keyring repository.
+# TODO: Fetch absent keys from all recipients.
# TODO: Check if keys in all recipients files are about to expire.
# TODO: Time to expire can be configured via repository options.
# TODO: Users can be alerted by mail if configured by user preferences.
-# TODO: Check canaries' timestamps, warning by mail if configured by user preferences.
# TODO: Outgoing emails can be encrypted.
-echo "Not implemented :("
-exit 1
+
+# This should be done here:
+# TODO: Check canaries' timestamps, warning by mail if configured by user preferences.
diff --git a/lib/keyringer/functions b/lib/keyringer/functions
index 475514d..4746859 100755
--- a/lib/keyringer/functions
+++ b/lib/keyringer/functions
@@ -514,11 +514,23 @@ function keyringer_usage {
}
# Check recipients
+# TODO: break in smaller pieces
function keyringer_check_recipients {
+ # Shall we check recipients?
if [ "$KEYRINGER_CHECK_RECIPIENTS" == "false" ]; then
return
fi
+ # Local variables
+ local processed=":"
+
+ # Sync the repository
+ if [ "$BASENAME" == "check" ]; then
+ echo "Syncing git repository..."
+ keyringer_exec git "$BASEDIR" pull
+ echo ""
+ fi
+
# Check if recipients file is empty.
if [ "`grep -vE "^#|^$" "$RECIPIENTS"/* | wc -l`" == 0 ] && [ "$SUBCOMMAND" != "edit" ]; then
echo "Fatal: no recipients configured for this keyring."
@@ -538,6 +550,13 @@ function keyringer_check_recipients {
fi
for recipient in $(cat "$RECIPIENTS"/* | grep -v '^#' | awk '{ print $2 }'); do
+ # Process a recipient just once
+ if echo $processed | grep -q "$recipient:"; then
+ continue
+ else
+ processed="$processed$recipient:"
+ fi
+
size=$(echo "$recipient" | wc -c)
if (( $size < 41 )); then
echo "Fatal: please set the full GPG signature hash for key ID $recipient:"
@@ -561,9 +580,32 @@ EOF
else
gpg --list-key "$recipient" &> /dev/null
if [ "$?" != "0" ]; then
- echo "Fatal: no such key $recipient on your GPG keyring."
- echo "Please check for this key or fix the recipient file."
- exit 1
+ if [ "$BASENAME" == "check" ]; then
+ # TODO: gpg-maintenance trickery
+ # TODO: should be controlled by user preference
+ refresh="no"
+ echo "Trying to receive missing key $recipient..."
+ gpg --batch --recv-keys "$recipient"
+ echo ""
+ if [ "$?" != 0 ]; then
+ echo "Error fetching $recipient from keyservers."
+ continue
+ fi
+ else
+ echo "Fatal: no such key $recipient on your GPG keyring."
+ echo "Please check for this key or fix the recipient file."
+
+ exit 1
+ fi
+ fi
+
+ # Refresh keys
+ if [ "$BASENAME" == "check" ] && [ "$refresh" != "no" ]; then
+ # TODO: gpg-maintenance trickery
+ # TODO: should be controlled by user preference
+ echo "Trying to refresh key $recipient..."
+ gpg --batch --refresh-keys "$recipient"
+ echo ""
fi
# Current date
@@ -573,6 +615,7 @@ EOF
expiry="`gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^pub | cut -d : -f 7`"
# Check if key is expired
+ # TODO: check if key is about to expire
if [ ! -z "$expiry" ] && [[ "$seconds" -gt "$expiry" ]]; then
echo "Fatal: primary key for $recipient expired on `date --date="@$expiry"`"
exit 1
@@ -580,6 +623,7 @@ EOF
# Check the subkeys
for expiry in `gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^sub | cut -d : -f 7`; do
if [[ "$seconds" -lt "$expiry" ]]; then
+ # TODO: check if subkey is about to expire
not_expired="1"
fi