dotfiles

minisign-rotate (1951B)

#!/bin/sh
set -u
set -o pipefail
set -e
getpass() {
	gpg --decrypt /home/haelwenn/.password-store/minisign.gpg
}
path_key="${HOME}/.minisign/minisign.sec"
path_pub="${HOME}/.minisign/minisign.pub"
path_real_key="$(realpath "${path_key}")"
date_real_key="$(basename "${path_prev_key%.sec}")"
path_real_pub="$(realpath "${path_pub}")"
date_real_pub="$(basename "${path_prev_pub%.pub}")"
if [ "${date_real_key}" != "${date_real_pub}" ]; then
	echo "minisign-rotate: Date mismatch between private-key(${date_real_key}) and public-key(${date_real_pub}), exiting..." >&2
	exit 1
fi
date_real="${date_real_key}"
date_cur="$(date +%Y)"
path_cur_key="${HOME}/.minisign/${date_cur}.sec"
path_cur_pub="${HOME}/.minisign/${date_cur}.pub"
path_cur_pub_sig="${HOME}/.minisign/${date_cur}.pub.${date_real}.sig"
if [ "${path_cur_key}" = "${path_real_key}" ]; then
	echo "minisign-rotate: Signify current key symlink is up-to-date"
else
	echo "minisign-rotate: Updating signify key symlinks"
	set -x
	# Update key symlinks
	ln -sf "${path_cur_key}" "${path_key}"
	ln -sf "${path_cur_pub}" "${path_pub}"
fi
# Only generate once to be sure, releases at new year can happen
date_next="$((date_cur+1))"
path_next_key="${HOME}/.minisign/${date_next}.sec"
path_next_pub="${HOME}/.minisign/${date_next}.pub"
path_next_pub_sig="${HOME}/.minisign/${date_next}.pub.${date_cur}.sig"
if [ -e "${path_next_key}" ]; then
	echo "minisign-rotate: Next year key seems to be present"
else
	echo "minisign-rotate: Need to generate key for next year, press enter to continue"
	set -x
	read foo
	# Generate new key (password needs to be inserted twice for confirmation)
	( getpass ; getpass ) | signify -G -p "${path_next_pub}" -s "${path_next_key}"
	# Sign next pubkey with still current key
	getpass | signify -S -x "${path_next_pub_sig}" -s "${path_cur_key}" -m "${path_next_pub}"
	# Publish
	publish-release --subdir=signify "${path_next_pub}" "${path_next_pub_sig}"
fi