logo

dotfiles

My dotfiles, one branch per machine, rebased on base git clone https://anongit.hacktivis.me/git/dotfiles.git/

minisign-rotate (1471B)


  1. #!/bin/sh
  2. set -e
  3. reldir="/srv/web/hacktivis.me/releases/signify/"
  4. path_key="${HOME}/.minisign/minisign.key"
  5. path_pub="${HOME}/.minisign/minisign.pub"
  6. path_old_key="$(realpath "${path_key}")"
  7. date_old_key="$(basename "${path_old_key%.key}")"
  8. path_old_pub="$(realpath "${path_pub}")"
  9. date_old_pub="$(basename "${path_old_pub%.pub}")"
  10. if [ "${date_old_key}" != "${date_old_pub}" ]; then
  11. echo "Date mismatch between private-key(${date_old_key}) and public-key(${date_old_pub}), exiting..."
  12. exit 1
  13. fi
  14. date_old="${date_old_key}"
  15. # Only generate once to be sure, releases at new year can happen
  16. date_new="$(date +%Y)"
  17. path_new_key="${HOME}/.minisign/${date_new}.key"
  18. path_new_pub="${HOME}/.minisign/${date_new}.pub"
  19. path_new_pub_sig="${HOME}/.minisign/${date_new}.pub.${date_old}.sig"
  20. if [ "${path_new_key}" = "${path_old_key}" ]; then
  21. echo "Signify key is up-to-date"
  22. else
  23. echo "${PS4}${path_new_key} != ${path_old_key}"
  24. echo "Updating signify key, press enter to continue"
  25. set -x
  26. read foo
  27. # Generate new keyset (password needs to be inserted twice for confirmation)
  28. (pass show minisign; pass show minisign) | minisign -G -p "${path_new_pub}" -s "${path_new_key}"
  29. # Sign new pubkey with still current old key
  30. pass show minisign | minisign -S -x "${path_new_pub_sig}" -m "${path_new_pub}"
  31. # Update keys
  32. ln -sf "${path_new_key}" "${path_key}"
  33. ln -sf "${path_new_pub}" "${path_pub}"
  34. # Publish
  35. cp "${path_new_pub}" "${path_new_pub_sig}" "${reldir}"
  36. fi