[dak/master] generate-archive-key: use configuration file
---
config/debian-security/generate-archive-key.conf | 3 +++
config/debian/generate-archive-key.conf | 3 +++
scripts/debian/generate-archive-key | 33 ++++++++++++++++++++----
3 files changed, 34 insertions(+), 5 deletions(-)
create mode 100644 config/debian-security/generate-archive-key.conf
create mode 100644 config/debian/generate-archive-key.conf
diff --git a/config/debian-security/generate-archive-key.conf b/config/debian-security/generate-archive-key.conf
new file mode 100644
index 0000000..9d4c537
--- /dev/null
+++ b/config/debian-security/generate-archive-key.conf
@@ -0,0 +1,3 @@
+name_real="Debian Security Archive Automatic Signing Key"
+name_email="ftpmaster@debian.org"
+name_comment="9/stretch"
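Review bot: The file has no indication that it is loaded with `.` (bash source) by scripts/debian/generate-archive-key, so anything written here is executed as shell, not parsed as key=value data. A one-line header would make that explicit for whoever edits it next: `# Sourced as bash by scripts/debian/generate-archive-key: plain variable assignments only.` The same patch makes name_real and name_email mandatory and name_comment optional, which is worth stating in that header too.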
diff --git a/config/debian/generate-archive-key.conf b/config/debian/generate-archive-key.conf
new file mode 100644
index 0000000..da4be05
--- /dev/null
+++ b/config/debian/generate-archive-key.conf
@@ -0,0 +1,3 @@
+name_real="Debian Archive Automatic Signing Key"
+name_email="ftpmaster@debian.org"
+name_comment="9/stretch"
diff --git a/scripts/debian/generate-archive-key b/scripts/debian/generate-archive-key
index 7e5edd0..8cfb8bc 100755
--- a/scripts/debian/generate-archive-key
+++ b/scripts/debian/generate-archive-key
@@ -1,14 +1,18 @@
#! /bin/bash
#
-# usage: generate-archive-key <output-directory>
+# usage: generate-archive-key <configuration> <output-directory>
#
# generate a new archive key
+#
+# Required packages:
+# gnupg libgfshare-bin pinentry-tty
set -e
set -u
set -o pipefail
-output="${1}"
+conf="${1}"
+output="${2}"
# designated revokers
revokers=(
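Review bot: With `set -u` in effect, `conf="${1}"` and `output="${2}"` abort with bash's "unbound variable" message when the script is invoked with fewer than two arguments, so the new usage line in the header comment is never shown to the operator who got the arguments wrong. An explicit count check before the assignments fixes that: `(( $# == 2 )) || { echo "usage: ${0##*/} <configuration> <output-directory>" >&2; exit 1; }`. Since the configuration is later loaded with `.`, the usage comment should also say it is a bash fragment that gets sourced, not a passive data file. The `revokers=(` array opened on the last line of this hunk continues outside it.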
@@ -34,6 +38,25 @@ if [[ -f /srv/keyring.debian.org/keyrings/debian-keyring.gpg ]]; then
keyring=/srv/keyring.debian.org/keyrings/debian-keyring.gpg
fi
+if [[ ! -e ${conf} ]]; then
+ echo "Configuration file '${conf}' does not exist" >&2
+ exit 1
+fi
+
+. ${conf}
+
+for v in \
+ revokers \
+ revocation_holders revocation_shares \
+ backup_holders backup_shares \
+ name_real name_email \
+ ; do
+ if [[ ! -v ${v} ]]; then
+ echo "Option '${v}' is not set" >&2
+ exit 1
+ fi
+done
+
umask 077
show-file() {
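Review bot: `. ${conf}` is unquoted and, because bash's `.`/`source` searches `$PATH` for a filename without a slash (the default `sourcepath` behaviour), a bare first argument such as `generate-archive-key.conf` can load a same-named file found on `$PATH` rather than the one `[[ ! -e ${conf} ]]` just verified in the working directory. I would tighten the existence test to `[[ -f ${conf} && -r ${conf} ]]`, force a path lookup with `[[ ${conf} == */* ]] || conf="./${conf}"`, and then source it as `. "${conf}"`. It is also worth a comment above the source line that the configuration is executed as shell and therefore must be trusted exactly like this script, since it runs with the same privileges that later drive the key generation. The `-v` loop only checks that the variables are set, not non-empty; the `:?` expansions in the gpg parameter heredoc catch empty name_real/name_email, but the other listed options have no such guard here.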
@@ -104,9 +127,9 @@ cat > generate-key.conf <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
-Name-Real: Debian Archive Automatic Signing Key
-Name-Email: ftpmaster@debian.org
-Name-Comment: 9.0/stretch
+Name-Real: ${name_real:?}
+Name-Email: ${name_email:?}
+Name-Comment: ${name_comment:-}
Expire-Date: 8y
EOF
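Review bot: `Name-Comment: ${name_comment:-}` writes a `Name-Comment:` line with no value whenever the option is omitted from the configuration (it is deliberately absent from the required-option list), and as far as I recall gpg's batch parameter parser rejects a keyword with a missing argument instead of treating it as "no comment", so the optional path fails at generation time. Emitting the whole line conditionally avoids that: `${name_comment:+Name-Comment: ${name_comment}}`, which leaves only an empty line when unset and the parameter parser skips blank lines; worth confirming against the gpg version in use. A note that the values are interpolated unescaped into the parameter file, so they must not contain newlines, would also help, although that is acceptable given the configuration is already trusted shell.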
--
2.1.4