diff options
author | Silvio Rhatto <rhatto@riseup.net> | 2024-08-14 18:20:00 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2024-08-14 18:20:00 -0300 |
commit | 2c63ef7c7733571858ef2e0f1deb3d58cff4dc3d (patch) | |
tree | af2a7b0a65eb5bd77c5ae4e7ea29db28d7c036fb | |
parent | f3e53d130c16cf2314c4e6bf68d903ca699388f3 (diff) | |
download | utils-gpg-2c63ef7c7733571858ef2e0f1deb3d58cff4dc3d.tar.gz utils-gpg-2c63ef7c7733571858ef2e0f1deb3d58cff4dc3d.tar.bz2 |
-rwxr-xr-x | gpg-download-key | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/gpg-download-key b/gpg-download-key new file mode 100755 index 0000000..6f4e093 --- /dev/null +++ b/gpg-download-key @@ -0,0 +1,50 @@ +#!/usr/bin/env bash +# +# Helper script to properly download an OpenPGP key from a remote location. +# Inspired by https://gitlab.torproject.org/tpo/onion-services/onionprobe/-/blob/main/scripts/get-tor-debian-key +# + +# Parameters +BASENAME="`basename $0`" +URL="$1" +FINGERPRINT="$2" +DEST="$3" +CANDIDATE="`mktemp`" + +# Ensure the candidate file is remove upon exit +trap "rm -rf $CANDIDATE" INT TERM EXIT + +# Check syntax +if [ -z "$3" ]; then + echo "usage: $BASENAME <url> <fingerprint> <dest-file>" + exit 1 +fi + +# Download the OpenPGP directly from a remote location. +# +# Advantage: handles any upstram updates in the key, like renewed expiration. +wget -qO- "$URL" | gpg --dearmor | tee "$CANDIDATE" > /dev/null || exit 1 + +# Get the actual fingerprint after downloading, since we cannot assume that the +# remote file has the correct fingerprint. +# +# Then we need to check the actual key fingerprint. +KEY_FPR="`cat $CANDIDATE | gpg --with-fingerprint --with-colons 2> /dev/null | grep '^fpr' | cut -d : -f 10 | head -1`" + +# Compare the actual fingerprint with the one we're looking for +if [ "$KEY_FPR" == "$FINGERPRINT" ]; then + echo "$BASENAME: downloaded $URL key matches the expected fingerprint $FINGERPRINT" + + if [ ! -z "$DEST" ]; then + echo "$BASENAME: saving key $FINGERPRINT on $DEST..." + touch "$DEST" || exit 1 + chmod 644 "$DEST" || exit 1 + cat "$CANDIDATE" > "$DEST" || exit 1 + else + echo "$BASENAME: saving key $FINGERPRINT on $FINGERPRINT.asc..." + cp "$CANDIDATE" "$FINGERPRINT.asc" + fi +else + echo "$BASENAME: error: downloaded $URL key does not matche the expected fingerprint $FINGERPRINT (got $KEY_FPR instead)" + exit 1 +fi |