Diffstat (limited to 'gpg-download-key')
-rwxr-xr-x | gpg-download-key | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/gpg-download-key b/gpg-download-key
new file mode 100755
index 0000000..6f4e093
--- /dev/null
+++ b/gpg-download-key
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+#
+# Helper script to properly download an OpenPGP key from a remote location.
+# Inspired by https://gitlab.torproject.org/tpo/onion-services/onionprobe/-/blob/main/scripts/get-tor-debian-key
+#
+
+# Parameters
+BASENAME="`basename $0`"
+URL="$1"
+FINGERPRINT="$2"
+DEST="$3"
+CANDIDATE="`mktemp`"
+
+# Ensure the candidate file is remove upon exit
+trap "rm -rf $CANDIDATE" INT TERM EXIT
+
+# Check syntax
+if [ -z "$3" ]; then
+echo "usage: $BASENAME <url> <fingerprint> <dest-file>"
+exit 1
+fi
+
+# Download the OpenPGP directly from a remote location.
+#
+# Advantage: handles any upstram updates in the key, like renewed expiration.
+wget -qO- "$URL" | gpg --dearmor | tee "$CANDIDATE" > /dev/null || exit 1
+
+# Get the actual fingerprint after downloading, since we cannot assume that the
+# remote file has the correct fingerprint.
+#
+# Then we need to check the actual key fingerprint.
+KEY_FPR="`cat $CANDIDATE | gpg --with-fingerprint --with-colons 2> /dev/null | grep '^fpr' | cut -d : -f 10 | head -1`"
+
+# Compare the actual fingerprint with the one we're looking for
+if [ "$KEY_FPR" == "$FINGERPRINT" ]; then
+echo "$BASENAME: downloaded $URL key matches the expected fingerprint $FINGERPRINT"
+
+if [ ! -z "$DEST" ]; then
+echo "$BASENAME: saving key $FINGERPRINT on $DEST..."
+touch "$DEST" || exit 1
+chmod 644 "$DEST" || exit 1
+cat "$CANDIDATE" > "$DEST" || exit 1
+else
+echo "$BASENAME: saving key $FINGERPRINT on $FINGERPRINT.asc..."
+cp "$CANDIDATE" "$FINGERPRINT.asc"
+fi
+else
+echo "$BASENAME: error: downloaded $URL key does not matche the expected fingerprint $FINGERPRINT (got $KEY_FPR instead)"
+exit 1
+fi
|
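Review bot: The verification on the `KEY_FPR=` line only inspects the first `fpr` record (`head -1`), so a response that is a keyring — the expected key followed by any number of other keys — passes the fingerprint check and the entire keyring is written to `$DEST`, trusting keys that were never compared against anything. The listing should be required to contain exactly one primary key before the fingerprint is compared, e.g. `KEY_COUNT="$(gpg --with-fingerprint --with-colons < "$CANDIDATE" 2> /dev/null | grep -c '^pub:')"` followed by `[ "$KEY_COUNT" -eq 1 ] || exit 1`, placed before the `if [ "$KEY_FPR" == "$FINGERPRINT" ]` line. Two smaller points: without `set -o pipefail` a failed `wget` on the download line is masked by `tee`, so the script fails later with a misleading "does not match" message rather than a download error; and the `else` branch that writes `$FINGERPRINT.asc` is unreachable because the usage check already exits when `$3` is empty (and the saved data is dearmored binary, not ASCII armor, so the `.asc` name would be wrong anyway). gpg emits fingerprints as uppercase hex without spaces, so the `==` comparison fails closed for a lowercase or space-separated argument — worth stating in the usage text, or normalizing the argument with `tr -d ' ' | tr a-f A-F` before comparing.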