commit: 40fee2c7946a80f6912372574d16b63f5087bfad parent 3924f50ed897e02a0450e741368fe785517cb8ef Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me> Date: Mon, 25 Sep 2023 20:09:34 +0200 .local/bin/minisign-rotate: New
Diffstat:
A | .local/bin/minisign-rotate | 49 | +++++++++++++++++++++++++++++++++++++++++++++++++ |
1 file changed, 49 insertions(+), 0 deletions(-)diff --git a/.local/bin/minisign-rotate b/.local/bin/minisign-rotate
@@ -0,0 +1,49 @@
+#!/bin/sh
+set -e
+
+reldir="/srv/web/hacktivis.me/releases/signify/"
+
+path_key="${HOME}/.minisign/minisign.key"
+path_pub="${HOME}/.minisign/minisign.pub"
+
+path_old_key="$(realpath "${path_key}")"
+date_old_key="$(basename "${path_old_key%.key}")"
+path_old_pub="$(realpath "${path_pub}")"
+date_old_pub="$(basename "${path_old_pub%.pub}")"
+
+if [ "${date_old_key}" != "${date_old_pub}" ]; then
+ echo "Date mismatch between private-key(${date_old_key}) and public-key(${date_old_pub}), exiting..."
+ exit 1
+fi
+date_old="${date_old_key}"
+
+# Only generate once to be sure, releases at new year can happen
+date_new="$(date +%Y)"
+path_new_key="${HOME}/.minisign/${date_new}.key"
+path_new_pub="${HOME}/.minisign/${date_new}.pub"
+path_new_pub_sig="${HOME}/.minisign/${date_new}.pub.${date_old}.sig"
+
+
+if [ "${path_new_key}" = "${path_old_key}" ]; then
+ echo "Signify key is up-to-date"
+else
+ echo "${PS4}${path_new_key} != ${path_old_key}"
+ echo "Updating signify key, press enter to continue"
+
+ set -x
+
+ read foo
+
+ # Generate new keyset (password needs to be inserted twice for confirmation)
+ (pass show minisign; pass show minisign) | minisign -G -p "${path_new_pub}" -s "${path_new_key}"
+
+ # Sign new pubkey with still current old key
+ pass show minisign | minisign -S -x "${path_new_pub_sig}" -m "${path_new_pub}"
+
+ # Update keys
+ ln -sf "${path_new_key}" "${path_key}"
+ ln -sf "${path_new_pub}" "${path_pub}"
+
+ # Publish
+ cp "${path_new_pub}" "${path_new_pub_sig}" "${reldir}"
+fi
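Review bot: A failure of `pass show minisign` in the two pipelines (the `minisign -G` keygen and the `minisign -S` signing) is not caught, because `set -e` only looks at the last stage of a pipeline and `/bin/sh` is not guaranteed to support `pipefail`; minisign would then be fed an empty or truncated password stream and the script would carry on to the `ln -sf` and `cp` steps. A cheap guard that does not expose the secret to the `set -x` trace is to verify the entry is retrievable once, before `set -x`: `pass show minisign >/dev/null || exit 1`. The interactive gate `read foo` should be `read -r _` so a stray backslash is not interpreted and the unused variable is not created. The `cp` to `${reldir}` publishes the new pubkey and its signature only after the symlinks have been repointed, so a failed `cp` leaves the local key rotated but unpublished; a short comment noting that the publish step must be re-run by hand in that case would help the next operator.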