On Sat, Feb 24, 2007 at 01:59:07AM -0500, Joey Hess wrote:
> > How would you convert "gpg --refresh-keys" into changeset based
> > operations, I wonder? Maybe you could do it by something like: [...]
> That's beautiful, if we can figure out what "changed-keys" is. :-)

Two ways: either parse the output of gpg as it's running:

    gpg: requesting key CA57AD7C from ldap server keyserver.pgp.com
    gpg: key CA57AD7C: "PGP Global Directory Verification Key" not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1
    gpg: requesting key DDD11D8A from hkp server subkeys.pgp.net
    gpg: key DDD11D8A: "Ted Percival (midg3t) <ted@midg3t.net>" 74 new signatures
    gpg: Total number processed: 1
    gpg: new signatures: 74

or run gpg --list-keys --verbose on the old and new keyring, and see what
differences you find. I guess we need something that'll do that anyway,
though.

How about the attached as a proof of concept?

] $ ./diffring.pl ./debian-keyring.list ./debian-keyring-aj.list
] Updated uid 1024D/788A3F4C-Joey Hess <joey@kitenet.net> (sigs: +0, -181)
] Updated uid 1024D/788A3F4C-Joey Hess <joey@mooix.net> (sigs: +0, -86)
] Updated uid 1024D/788A3F4C-Joey Hess <joeyh@debian.org> (sigs: +0, -191)
] Removed uid 1024D/788A3F4C-Joey Hess <joeyh@master.debian.org> (sigs: 173)

or

] $ ./diffring.pl ./debian-keyring-aj.list ./debian-keyring.list
] Updated uid 1024D/788A3F4C-Joey Hess <joey@kitenet.net> (sigs: +181, -0)
] Updated uid 1024D/788A3F4C-Joey Hess <joey@mooix.net> (sigs: +86, -0)
] Updated uid 1024D/788A3F4C-Joey Hess <joeyh@debian.org> (sigs: +191, -0)
] Added uid 1024D/788A3F4C-Joey Hess <joeyh@master.debian.org> (sigs: 173)

It works on the output of `gpg --verbose --list-sigs', which is a bit slow
on a full keyring. Oh well.

On Sat, Feb 24, 2007 at 03:04:57AM -0500, Joey Hess wrote:
> joey@kodama:~>ls jetring

May Manoj's typos live forever :)

> joey@kodama:~/tmp/debian-keyring-2005.05.28/keyrings>head emeritus-keyring/add-001B3BA1
> Comment: extracted from emeritus-keyring.pgp by keyring-explode
> Action: import
> Data:
> -----BEGIN PGP PUBLIC KEY BLOCK-----

No import date?

> Ok, no significant changes, only id rearrangement and dup removal.

diffring.pl should deal with those fwiw. Doesn't deal with revocations,
and may not deal well with subkeys.

Cheers,
aj

#!/usr/bin/perl -w

# Copyright (c) 2007 Anthony Towns
# GNU GPL; v2 or later

# Gives an overview of what changed between two keyrings

use strict;

my $l = parse_keyring($ARGV[0]);
my $r = parse_keyring($ARGV[1]);

# Walk every key/uid pair in the left keyring and compare it to the right one.
foreach my $ku (sort keys %{$l}) {
    if (not defined $r->{$ku}) {
        my $n = @{$l->{$ku}};
        print "Removed uid $ku (sigs: $n)\n";
    } else {
        my $a = $l->{$ku};
        my $b = $r->{$ku};
        my ($i, $j) = (0,0);
        my ($del, $add) = (0,0);
        # Merge-walk the two sorted signature lists. "G" is an end-of-list
        # sentinel: it sorts after any hex key id.
        while() {
            my $A = $a->[$i] || "G";
            my $B = $b->[$j] || "G";

            # avoid dupes:
            if ($i > 0 && $A ne "G" && $A eq $a->[$i-1]) { $i++; next; }
            if ($j > 0 && $B ne "G" && $B eq $b->[$j-1]) { $j++; next; }

            # compare:
            my $x = $A cmp $B;
            if ($A eq "G" and $B eq "G") { last; }
            if ($x == 0) { $i++; $j++; next; }
            if ($x > 0) { $add++; $j++; next; }
            if ($x < 0) { $del++; $i++; next; }
        }
        if ($add or $del) {
            print "Updated uid $ku (sigs: +$add, -$del)\n";
        }
    }
}

# Anything only present in the right keyring is new.
foreach my $ku (sort keys %{$r}) {
    if (not defined $l->{$ku}) {
        my $n = @{$r->{$ku}};
        print "Added uid $ku (sigs: $n)\n";
    }
}

sub parse_keyring {
    my $k = shift;
    my $fd;
    # open $fd, "gpg --no-default-keyring --no-auto-check-trustdb --keyring $k --verbose --list-sigs |" or die "couldn't open keyring $k: $!";
    # Three-argument open: the file name is never parsed for a mode or pipe.
    open $fd, '<', $k or die "couldn't open gpg--list-sigs-output $k: $!";
    my $x = build_key_hash($fd);
    close($fd);
    return $x;
}

# Build a hash of "keyid-uid" => sorted list of signature entries from
# `gpg --verbose --list-sigs' output.
sub build_key_hash {
    my $f = shift;
    my $keys = {};
    my ($k, $u);
    while (<$f>) {
        chomp;
        if (m/^\s*$/) {
            # skip
        } elsif (m/^pub/) {
            $k = substr($_,6);
            $k =~ s/\s.*//;
            $u = undef;
        } elsif (defined $k && m/^sub/) {
            $u = substr($_,6);
            $u =~ s/\s.*//;
            $keys->{"$k-$u"} = [];
        } elsif (defined $k && m/^uid/) {
            $u = substr($_,21);
            $keys->{"$k-$u"} = [];
        } elsif (defined $k && m/^rev/) {
            # skip
        } elsif (defined $k && defined $u && m/^sig/) {
            push @{$keys->{"$k-$u"}}, substr($_, 13, 19);
        } else {
            #print "XXX: $_\n";
        }
    }
    foreach my $ku (keys %{$keys}) {
        $keys->{$ku} = [ sort( @{$keys->{$ku}} ) ];
    }
    return $keys;
}
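
The first approach mentioned in the message, deriving "changed-keys" from gpg's own output, could look like the following. This is an added example, not code from the thread or from diffring.pl. It assumes the English message format quoted in the message; the function name changed_keys is hypothetical and the sample input is constructed from the lines quoted above.

```perl
#!/usr/bin/perl
# Added example: list the keys that "gpg --refresh-keys" reported as changed.
# Assumption: gpg's messages are in the untranslated form quoted in the mail.
use strict;
use warnings;

# Constructed sample input: the gpg lines quoted in the message.
my @sample = (
    'gpg: requesting key CA57AD7C from ldap server keyserver.pgp.com',
    'gpg: key CA57AD7C: "PGP Global Directory Verification Key" not changed',
    'gpg: Total number processed: 1',
    'gpg: unchanged: 1',
    'gpg: requesting key DDD11D8A from hkp server subkeys.pgp.net',
    'gpg: key DDD11D8A: "Ted Percival (midg3t) <ted@midg3t.net>" 74 new signatures',
    'gpg: Total number processed: 1',
    'gpg: new signatures: 74',
);

# Returns a hashref: key id => list of change descriptions.
# Keys reported as "not changed" are left out.
sub changed_keys {
    my @lines = @_;
    my %changed;
    foreach my $line (@lines) {
        # Per-key result lines have the form: gpg: key ID: "uid" RESULT
        # The uid comes from the keyserver and may itself contain quotes,
        # so match greedily up to the last quote; only the text after that
        # final quote is treated as gpg's own result.
        next unless $line =~ m/^gpg: key ([0-9A-F]{8,16}): "(.*)" (.+)$/;
        my ($id, $result) = ($1, $3);
        next if $result eq 'not changed';
        push @{ $changed{$id} }, $result;
    }
    return \%changed;
}

# Read saved gpg output from files named on the command line, or fall back
# to the constructed sample.
my @input = @ARGV ? <> : @sample;
my $changed = changed_keys(@input);
foreach my $id (sort keys %{$changed}) {
    print "$id: ", join(', ', @{ $changed->{$id} }), "\n";
}
```

Only the two per-key message forms quoted in the message are handled; any other gpg line is ignored, and a changed key shows up with whatever result text gpg printed for it.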