Verified Commit 5283d339 authored by Vojtech Myslivec

gitsig: GPG keyring is managed via Ansible

parent b99618d3
......@@ -45,32 +45,3 @@ Signed tip
This script simply terminates successfully if the tip of the current branch is
signed by a trusted key and fails if it is not. It is expected to be run before
any code from any repository is used.
gen-gpg
-------
This is a maintainance script. It imports the keys and trust settings from
files in this directory (trusted_keys.gpg and trust.txt) and creates the
$HOME/.git-gpg.
Adding a new key
----------------
On some desktop:
export GNUPGHOME=$HOME/.git-gpg
./gen-gpg
gpg --recv-keys <THE_KEY> # Hopefully already signed by other trusted key.
gpg --export --armor >trusted_keys.gpg
# If the key wasn't trusted and should be, set trust by gpg --edit-key <THE_KEY> and then:
gpg --export-ownertrust >trust.txt
export GNUPGHOME=
git commit -a
git push
On each and every of the build machines (as the user `beast`):
cd misc
git pull
git show # Check the git hash matches the one on the desktop
./gen-gpg
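Review bot: Deleting the "gen-gpg" and "Adding a new key" sections leaves the surviving "Signed tip" text (the `@@ -45,32 +45,3 @@` context, which still says the script "is expected to be run before any code from any repository is used") with no pointer to where the trusted keyring in `$HOME/.git-gpg` now comes from. The removed lines were also the only written procedure for cross-checking a keyring update across machines (`git show # Check the git hash matches the one on the desktop` before `./gen-gpg`); please add a sentence to the remaining README naming the Ansible role or playbook that now provisions the keyring and trust settings, so a reader of the signed-tip check knows which source of truth to verify against.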
#!/bin/bash
# Copyright (c) 2015, CZ.NIC, z.s.p.o. (http://www.nic.cz/)
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the CZ.NIC nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL CZ.NIC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
set -e
export GNUPGHOME=$HOME/.git-gpg
mkdir -p $GNUPGHOME
chmod 0700 $GNUPGHOME
gpg --batch --import trusted_keys.gpg
gpg --batch --import-ownertrust <trust.txt
./gpg-refresh
gpg --batch --check-trustdb
echo "****************************************"
echo "* Check the following output manually! *"
echo "****************************************"
gpg -k
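Review bot: Removing this script also removes the `./gpg-refresh` call, the `gpg --batch --check-trustdb` step, and the `chmod 0700 $GNUPGHOME` permission fix, and nothing in this diff shows whether the Ansible replacement keeps them. The commit message only says the keyring "is managed via Ansible"; please reference the corresponding Ansible change in the message so a reviewer can confirm that the ownertrust import (`gpg --batch --import-ownertrust <trust.txt`) and the trustdb check survived the move, and clarify whether `gpg-refresh`, which this script invoked, is still used elsewhere or should be dropped in the same change.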
# List of assigned trustvalues, created Pá 9. červen 2017, 12:46:07 CEST
# (Use "gpg --import-ownertrust" to restore them)
EB7F8CD1A01B184215D86E0FEFFA16C329C1DDB2:2:
460B4CF5E995864B71D719B78CB80BB7F8233AEA:6:
A3959D13D54C81ABBFA33A76B2AA30A894729FB3:6:
2B1F70F95F1B48DA2265A7FAA6BC8B8CEB31659B:6:
C8ADDC80E7F3FB97D636B2233DE1EFB5C2D2A6EA:6:
C7DA437FD7C9101AD5DD592D60244CCEFB39E584:6:
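Review bot: Deleting trust.txt takes the fingerprint-to-ownertrust mapping (one `:2:` entry and five `:6:` entries, the latter being gpg's ultimate-trust level) out of version control, so after this commit the repository history no longer records which keys the signed-tip check considered trusted. Please state in the commit message where this list now lives on the Ansible side and confirm the six fingerprints above, with the same trust levels, were carried over, since a silently dropped or downgraded entry would change what the `Signed tip` script accepts without any visible diff here.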