
Re: gpg changesets (was Re: Bits from the DPL: DSA and buildds and DAM, oh my!)

Anthony Towns wrote:
> I was more meaning it as an optimisation so you could ignore "key
> add 0x7172daed" if there was a "key delete 0x7172daed" changeset
> later. Likewise a "uid add" followed by a "uid del" or whatever.

Ah, sure, as an optimisation it could be useful. However, I think that
letting the keyring build tool operate in incremental mode during
maintenance sessions (with one nonincremental build at the end if
desired) will make it fast enough.

> How would you convert "gpg --refresh-keys" into changeset based
> operations, I wonder? Maybe you could do it by something like:

>     cp real-keyring.gpg tmpkeys.gpg
>     gpg --keyring tmpkeys.gpg --refresh-keys
>     for x in $(changed-keys); do
>       (
>       echo "Changed-By: me"
>       echo "Comment: new signatures/uids for key $x"
>       echo "Action: import --keyserver-options merge-only"
>       echo "Data:"
>       gpg --keyring tmpkeys.gpg --ascii --armour --export "$x" | sed -e 's/^/  /'
>       ) > changeset-refresh-$x
>     done
>     rm tmpkeys.gpg
>     echo "Now you just have to apply changeset-refresh-* to real-keyring.gpg :)"

That's beautiful, if we can figure out what "changed-keys" is. :-)

BTW, I have a keyring-explode script that does similar for converting an
existing monolithic keyring into changesets. (attached)

see shy jo
#!/bin/sh
# Converts a keyring into a bunch of changesets, one per key.
# Only intended to be used for initial import of keyring.
set -e

if [ -z "$1" ] || [ -z "$2" ]; then
	echo "Usage: keyring-explode keyring changesetdir" >&2
	exit 1
fi

keyring=$(readlink -f "$1") # gpg works better with absolute keyring paths
changesetdir=$2

basename=$(basename "$keyring")

mkdir -p "$changesetdir"
touch "$changesetdir/index"

# Pull the key id out of each "pub   1024D/7172DAED 2003-..." line:
# drop everything up to the slash, then everything after the first space.
for key in $(gpg --no-default-keyring --keyring "$keyring" --list-keys|grep '^pub' | sed -e 's!.*/!!' -e 's/ .*//'); do
	out="$changesetdir/add-$key" # one changeset per key, named as recorded in the index
	echo "$out"
	echo "Comment: extracted from $basename by keyring-explode" > "$out"
	echo "Action: import" >> "$out"
	echo "Data:" >> "$out"
	# Export from the named keyring only (not the user's default one),
	# indented by two spaces so it sits under the Data: header.
	gpg --no-default-keyring --no-auto-check-trustdb --keyring "$keyring" -a --export "$key" |
		 sed 's/^/  /' >> "$out"
	echo "$(md5sum "$out" | cut -d " " -f 1)  add-$key" >> "$changesetdir/index"
done
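The other half of the picture, as an added example that is not from the thread or from either script above: a reader for the changeset files that Anthony's refresh sketch and keyring-explode both produce ("Header: value" lines, then "Data:" followed by the armoured key indented by two spaces, plus an index of "<md5sum>  <name>" lines), which checks a changeset against the index and only then feeds its Data block to gpg with the options named in Action. The function names, the restriction to import actions and the sample file in the usage are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): read, verify and apply one changeset
# file in the format produced by keyring-explode / the refresh sketch.
set -e

# Print the value of one header field (e.g. Action) from a changeset file.
changeset_field() {
    # Quit at the Data: line so indented key material is never matched.
    sed -n -e '/^Data:$/q' -e "s/^$2: //p" "$1"
}

# Emit the Data block with the two-space indent stripped (the armoured key).
changeset_data() {
    sed -n -e '/^Data:$/,$p' "$1" | sed -e '1d' -e 's/^  //'
}

# Verify a changeset against the index before applying it.  Index lines are
# "<md5sum>  <changeset name>", as written by keyring-explode.
changeset_check_index() {
    index=$1; file=$2; name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$index")
    actual=$(md5sum "$file" | cut -d ' ' -f 1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Apply one changeset to a keyring: the de-indented Data block goes to gpg
# with the options from the Action: field.  Only import actions are accepted
# here (an assumption of this example), so a stray Action line cannot turn
# into some other gpg operation; the keyring is named explicitly and the
# user's default keyring is left alone.
apply_changeset() {
    keyring=$1; file=$2; index=$3
    changeset_check_index "$index" "$file" || { echo "index mismatch: $file" >&2; return 1; }
    action=$(changeset_field "$file" Action)
    case "$action" in
        import|"import "*) ;;
        *) echo "unsupported action: $action" >&2; return 1 ;;
    esac
    # $action is intentionally unquoted: "import --keyserver-options merge-only"
    # must be split into separate gpg arguments.
    changeset_data "$file" | gpg --batch --no-default-keyring --keyring "$keyring" $action
}

# Usage (hypothetical paths): apply_changeset real-keyring.gpg changesets/add-7172DAED changesets/index
```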
