logo

dotfiles

My dotfiles, one branch per machine, rebased on base git clone https://hacktivis.me/git/dotfiles.git

minisign-rotate (1471B)

    

  1. #!/bin/sh
  2. set -e
  4. reldir="/srv/web/hacktivis.me/releases/signify/"
  6. path_key="${HOME}/.minisign/minisign.key"
  7. path_pub="${HOME}/.minisign/minisign.pub"
  9. path_old_key="$(realpath "${path_key}")"
  10. date_old_key="$(basename "${path_old_key%.key}")"
  11. path_old_pub="$(realpath "${path_pub}")"
  12. date_old_pub="$(basename "${path_old_pub%.pub}")"
  14. if [ "${date_old_key}" != "${date_old_pub}" ]; then
  15. 	echo "Date mismatch between private-key(${date_old_key}) and public-key(${date_old_pub}), exiting..."
  16. 	exit 1
  17. fi
  18. date_old="${date_old_key}"
  20. # Only generate once to be sure, releases at new year can happen
  21. date_new="$(date +%Y)"
  22. path_new_key="${HOME}/.minisign/${date_new}.key"
  23. path_new_pub="${HOME}/.minisign/${date_new}.pub"
  24. path_new_pub_sig="${HOME}/.minisign/${date_new}.pub.${date_old}.sig"
  27. if [ "${path_new_key}" = "${path_old_key}" ]; then
  28. 	echo "Signify key is up-to-date"
  29. else
  30. 	echo "${PS4}${path_new_key} != ${path_old_key}"
  31. 	echo "Updating signify key, press enter to continue"
  33. 	set -x
  35. 	read foo
  37. 	# Generate new keyset (password needs to be inserted twice for confirmation)
  38. 	(pass show minisign; pass show minisign) | minisign -G -p "${path_new_pub}" -s "${path_new_key}"
  40. 	# Sign new pubkey with still current old key
  41. 	pass show minisign | minisign -S -x "${path_new_pub_sig}" -m "${path_new_pub}"
  43. 	# Update keys
  44. 	ln -sf "${path_new_key}" "${path_key}"
  45. 	ln -sf "${path_new_pub}" "${path_pub}"
  47. 	# Publish
  48. 	cp "${path_new_pub}" "${path_new_pub_sig}" "${reldir}"
  49. fi