logo

dotfiles

My dotfiles, one branch per machine, rebased on base git clone https://anongit.hacktivis.me/git/dotfiles.git/

minisign-rotate (2054B)

    

  1. #!/bin/sh
  2. set -u
  3. set -o pipefail
  4. set -e
  6. getpass() {
  7. 	# gpg --decrypt /home/haelwenn/.password-store/minisign.gpg
  8. 	hiq -d -Fpassword host=minisign password!
  9. }
  11. path_key="${HOME}/.minisign/minisign.sec"
  12. path_pub="${HOME}/.minisign/minisign.pub"
  14. path_real_key="$(realpath "${path_key}")"
  15. date_real_key="$(basename "${path_key%.sec}")"
  16. path_real_pub="$(realpath "${path_pub}")"
  17. date_real_pub="$(basename "${path_pub%.pub}")"
  19. if [ "${date_real_key}" != "${date_real_pub}" ]; then
  20. 	echo "minisign-rotate: Date mismatch between private-key(${date_real_key}) and public-key(${date_real_pub}), exiting..." >&2
  21. 	exit 1
  22. fi
  23. date_real="${date_real_key}"
  25. date_cur="$(date +%Y)"
  26. path_cur_key="${HOME}/.minisign/${date_cur}.sec"
  27. path_cur_pub="${HOME}/.minisign/${date_cur}.pub"
  28. path_cur_pub_sig="${HOME}/.minisign/${date_cur}.pub.${date_real}.sig"
  30. if [ "${path_cur_key}" = "${path_real_key}" ]; then
  31. 	echo "minisign-rotate: Signify current key symlink is up-to-date"
  32. else
  33. 	echo "minisign-rotate: Updating signify key symlinks"
  35. 	set -x
  37. 	# Update key symlinks
  38. 	ln -sf "${path_cur_key}" "${path_key}"
  39. 	ln -sf "${path_cur_pub}" "${path_pub}"
  40. fi
  42. # Only generate once to be sure, releases at new year can happen
  43. date_next="$((date_cur+1))"
  44. path_next_key="${HOME}/.minisign/${date_next}.sec"
  45. path_next_pub="${HOME}/.minisign/${date_next}.pub"
  46. path_next_pub_sig="${HOME}/.minisign/${date_next}.pub.${date_cur}.sig"
  48. if [ -e "${path_next_key}" ]; then
  49. 	echo "minisign-rotate: Next year key seems to be present"
  50. else
  51. 	echo "minisign-rotate: Need to generate key for next year, press enter to continue"
  53. 	set -x
  55. 	read foo
  57. 	# Generate new key (password needs to be inserted twice for confirmation)
  58. 	( getpass ; getpass ) | signify -G -c "Public key for year ${date_next} of Haelwenn (lanodan) Monnier" -p "${path_next_pub}" -s "${path_next_key}"
  60. 	# Sign next pubkey with still current key
  61. 	getpass | signify -S -x "${path_next_pub_sig}" -s "${path_cur_key}" -m "${path_next_pub}"
  63. 	# Publish
  64. 	publish-release --subdir=signify "${path_next_pub}" "${path_next_pub_sig}"
  65. fi