3 # this script should run without any errors.
6 # This is a post-install script for monkeysphere, to transition an old
7 # (<0.23) setup to the new (>=0.23) setup
9 SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
11 MADATADIR="${SYSDATADIR}/authentication"
12 MHDATADIR="${SYSDATADIR}/host"
14 STASHDIR="${SYSDATADIR}/backup-from-0.23-transition"
21 # FIXME: implement this function better. here, we only care about
22 # dots, *and* about reversing the regexification of them.
23 gpg_unescape_and_unregex() {
29 printf "%s" "$1" | egrep -q '^[[:alnum:]][[:alnum:]-.]*[[:alnum:]]$'
32 # run the authentication setup
33 monkeysphere-authentication setup
35 # before 0.23, the old gnupg-host data directory used to contain the
36 # trust core and the system's ssh host key.
38 if [ -d "$SYSDATADIR"/gnupg-host ] ; then
40 ### transfer identity certifiers, if they don't already exist in the
43 if [ monkeysphere-authentication list-identity-certifiers | \
44 grep -q '^[A-F0-9]{40}:$' ] ; then
45 log 'There are already certifiers in the new system!\nNot transferring any certifiers.\n'
47 # get the old host keygrip (don't know why there would be more
48 # than one, but we'll transfer all tsigs made by any key that
49 # had been given ultimate ownertrust):
50 for authgrip in $(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export-ownertrust | \
52 sed -r 's/^[A-F0-9]{24}([A-F0-9]{16}):6:$/\1/') ; do
54 # we're assuming that old id certifiers were only added by old
55 # versions of m-s c+, which added certifiers by ltsigning
58 # so we'll walk the list of tsigs from the old host key, and
59 # add those keys as certifiers to the new system.
61 # FIXME: if an admin has run "m-s add-id-certifier $foo"
62 # multiple times for the same $foo, we'll only transfer
63 # one of those certifications (even if later
64 # certifications had different parameters).
66 GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --fingerprint --with-colons --fixed-list-mode --check-sigs | \
67 cut -f 1,2,5,8,9,10 -d: | \
68 egrep '^(fpr:::::|sig:!:'"$authgrip"':[[:digit:]]+ [[:digit:]]+:)' | \
69 while IFS=: read -r type validity grip trustparams trustdomain fpr ; do
71 'fpr') # this is a new key
74 'sig') # deal with all trust signatures, including
76 if [ "$keyfpr" ] ; then
77 trustdepth=${trustparams%% *}
78 trustlevel=${trustparams##* }
79 if [ "$trustlevel" -ge 120 ] ; then
81 elif [ "$trustlevel" -ge 60 ] ; then
84 # trust levels below marginal are ignored.
89 if [ "$trustdomain" ] ; then
90 # FIXME: deal with translating
91 # $trustdomain back to a domain.
92 if [ printf "%s" "$trustdomain" | egrep -q '^<\[\^>\]\+\[@\.\][^>]+>\$$' ] ; then
93 dpart=$(printf "%s" "$trustdomain" | sed -r 's/^<\[\^>\]\+\[@\.\]([^>]+)>\$$/\1/' | gpg_unescape_and_unregex)
94 if [ is_domain_name "$dpart" ]; then
95 finaldomain="--domain $dpart"
97 log "Does not seem to be a domain name (%s), not adding certifier\n" "$dpart"
101 log "Does not seem to be a standard gpg domain-based tsig (%s), not adding certifier\n" "$trustdomain"
106 CERTKEY=$(mktemp ${TMPDIR:-/tmp}/mstransition.XXXXXXXX)
107 log "Adding identity certifier with fingerprint %s\n" "$keyfpr"
108 GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export "0x$keyfpr" --export-clean >"$CERTKEY"
109 MONKEYSPHERE_PROMPT=false monkeysphere-authentication add-identity-certifier $finaldomain --trust "$truststring" --depth "$trustdepth" "$CERTKEY"
111 # clear the fingerprint so that we don't
112 # make additional tsigs on it if more uids
122 ### transfer host key information (if present) into the new spot
124 if [ -d "${MHDATADIR}" ] ; then
125 log "Not transferring host key info because host directory already exists.\n"
127 if [ -s "$SYSDATADIR"/ssh_host_rsa_key ] || \
128 GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --with-colons --list-secret-keys | grep -q '^sec:' ; then
131 mkdir -p "${MHDATADIR}"
132 chmod 0700 "${MHDATADIR}"
134 log "importing host key from old monkeysphere installation\n"
135 GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export-secret-keys \
136 GNUPGHOME="$MHDATADIR" gpg --import
138 monkeysphere-host update-gpg-pub-file
140 log "No host key found in old monkeysphere install; not importing any host key.\n"
145 ### get rid of this old stuff, since we've transferred it all:
148 chmod 0700 "$STASHDIR"
149 mv "${SYSDATADIR}/gnupg-host" "$STASHDIR"
153 # There is nothing in the old authentication directory that we should
154 # need to keep around, but it is not unreasonable to transfer keys to
155 # the new authentication keyring.
156 if [ -d "${SYSDATADIR}/gnupg-authentication" ] ; then
158 GNUPGHOME="${SYSDATADIR}/gnupg-authentication" gpg --export | \
159 monkeysphere-authentication gpg-cmd --import
162 chmod 0700 "$STASHDIR"
163 mv "${SYSDATADIR}/gnupg-authentication" "$STASHDIR"