
My dotfiles, one branch per machine, rebased on base git clone https://anongit.hacktivis.me/git/dotfiles.git/
commit: 7f098689c4c90ed2be20463be5c1b9fae28ad2f7
parent ad757143a327c335e38e4809eb1865206145149a
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Mon,  3 Feb 2025 03:27:10 +0100

minisign-rotate: generate next year key

Diffstat:

M.local/bin/minisign-rotate69+++++++++++++++++++++++++++++++++++++++++++--------------------------
1 file changed, 43 insertions(+), 26 deletions(-)

diff --git a/.local/bin/minisign-rotate b/.local/bin/minisign-rotate 
@@ -1,49 +1,66 @@
 #!/bin/sh
+set -u
+set -o pipefail
 set -e
+getpass() {
+ gpg --decrypt /home/haelwenn/.password-store/minisign.gpg
+}
+
 reldir="/srv/web/hacktivis.me/releases/signify/"
-path_key="${HOME}/.minisign/minisign.key"
+path_key="${HOME}/.minisign/minisign.sec"
 path_pub="${HOME}/.minisign/minisign.pub"
-path_old_key="$(realpath "${path_key}")"
-date_old_key="$(basename "${path_old_key%.key}")"
-path_old_pub="$(realpath "${path_pub}")"
-date_old_pub="$(basename "${path_old_pub%.pub}")"
+path_real_key="$(realpath "${path_key}")"
+date_real_key="$(basename "${path_prev_key%.sec}")"
+path_real_pub="$(realpath "${path_pub}")"
+date_real_pub="$(basename "${path_prev_pub%.pub}")"
-if [ "${date_old_key}" != "${date_old_pub}" ]; then
- echo "Date mismatch between private-key(${date_old_key}) and public-key(${date_old_pub}), exiting..."
+if [ "${date_real_key}" != "${date_real_pub}" ]; then
+ echo "minisign-rotate: Date mismatch between private-key(${date_real_key}) and public-key(${date_real_pub}), exiting..." >&2
 exit 1
 fi
-date_old="${date_old_key}"
+date_real="${date_real_key}"
-# Only generate once to be sure, releases at new year can happen
-date_new="$(date +%Y)"
-path_new_key="${HOME}/.minisign/${date_new}.key"
-path_new_pub="${HOME}/.minisign/${date_new}.pub"
-path_new_pub_sig="${HOME}/.minisign/${date_new}.pub.${date_old}.sig"
+date_cur="$(date +%Y)"
+path_cur_key="${HOME}/.minisign/${date_cur}.sec"
+path_cur_pub="${HOME}/.minisign/${date_cur}.pub"
+path_cur_pub_sig="${HOME}/.minisign/${date_cur}.pub.${date_real}.sig"
+
+if [ "${path_cur_key}" = "${path_real_key}" ]; then
+ echo "minisign-rotate: Signify current key symlink is up-to-date"
+else
+ echo "minisign-rotate: Updating signify key symlinks"
+
+ set -x
+ # Update key symlinks
+ ln -sf "${path_cur_key}" "${path_key}"
+ ln -sf "${path_cur_pub}" "${path_pub}"
+fi
-if [ "${path_new_key}" = "${path_old_key}" ]; then
- echo "Signify key is up-to-date"
+# Only generate once to be sure, releases at new year can happen
+date_next="$((date_cur+1))"
+path_next_key="${HOME}/.minisign/${date_next}.sec"
+path_next_pub="${HOME}/.minisign/${date_next}.pub"
+path_next_pub_sig="${HOME}/.minisign/${date_next}.pub.${date_cur}.sig"
+
+if [ -e "${path_next_key}" ]; then
+ echo "minisign-rotate: Next year key seems to be present"
 else
- echo "${PS4}${path_new_key} != ${path_old_key}"
- echo "Updating signify key, press enter to continue"
+ echo "minisign-rotate: Need to generate key for next year, press enter to continue"
 set -x
 read foo
- # Generate new keyset (password needs to be inserted twice for confirmation)
- (pass show minisign; pass show minisign) | minisign -G -p "${path_new_pub}" -s "${path_new_key}"
-
- # Sign new pubkey with still current old key
- pass show minisign | minisign -S -x "${path_new_pub_sig}" -m "${path_new_pub}"
+ # Generate new key (password needs to be inserted twice for confirmation)
+ ( getpass ; getpass ) | signify -G -p "${path_next_pub}" -s "${path_next_key}"
- # Update keys
- ln -sf "${path_new_key}" "${path_key}"
- ln -sf "${path_new_pub}" "${path_pub}"
+ # Sign next pubkey with still current key
+ getpass | signify -S -x "${path_next_pub_sig}" -s "${path_cur_key}" -m "${path_next_pub}"
 # Publish
- cp "${path_new_pub}" "${path_new_pub_sig}" "${reldir}"
+ cp "${path_next_pub}" "${path_next_pub_sig}" "${reldir}"
 fi
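Review bot: The new `date_real_key` and `date_real_pub` lines expand `${path_prev_key%.sec}` and `${path_prev_pub%.pub}`, but no `path_prev_*` variable is assigned anywhere in the hunk, so under the newly added `set -u` the script aborts on the first of them before the date check ever runs (and without `-u` both dates would be empty, the mismatch check would pass vacuously and the signature name would degenerate to `${date_cur}.pub..sig`). The values computed on the preceding lines look like the intended sources: `date_real_key="$(basename "${path_real_key%.sec}")"` and `date_real_pub="$(basename "${path_real_pub%.pub}")"`. The symlink branch then points `minisign.sec`/`minisign.pub` at `${path_cur_key}`/`${path_cur_pub}` and the next-year key is signed with `-s "${path_cur_key}"` without checking that the current-year key exists, so on a year where it was never generated (plausibly the first run after this change, since the earlier keys carry the `.key` suffix) the result is dangling symlinks and a failing signing step instead of a clear error; a guard such as `[ -e "${path_cur_key}" ] || { echo "minisign-rotate: ${path_cur_key} missing" >&2; exit 1; }` before the `ln -sf` calls would fail early. `set -o pipefail` under `#!/bin/sh` is not available on every dash/ash build, and since it runs before `set -e` an unsupported option only prints an error and the script continues without pipefail. Whether `signify -G`/`-S` actually consume the piped `getpass` output rather than prompting on the controlling terminal is not established by the hunk and is worth confirming on the target platform, since the script still expects an interactive `read foo`.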