# Monkeysphere authentication list-certifiers subcommand
#
# The monkeysphere scripts are written by:
-# Jameson Rollins <jrollins@fifthhorseman.net>
+# Jameson Rollins <jrollins@finestructure.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
local keys
local key
+local authfpr
+local keyfpr
+local uid
+local printedfpr
# find trusted keys in sphere keychain
log debug "finding trusted keys..."
-# NOTE: looking for only 'f' keys here (used to be '(u|f)'), since the
-# only key that should be 'u' is the core key, which is not
-# technically a certifier in the sense we're worried about. Is this
-# not correct? Should we be sorting out the certifier keys in a
-# different way?
-keys=$(gpg_sphere "--list-keys --with-colons --fingerprint" | \
- grep ^pub: | cut -d: -f2,5 | egrep '^f:' | cut -d: -f2)
-
-# output keys
-for key in $keys ; do
- gpg_sphere "--list-key --fingerprint 0x${key}!"
+# FIXME: this assumes that the keygrip (16 hex chars) is unique; we're
+# only searching by keygrip at the moment.
+
+authgrip=$(core_fingerprint | cut -b 25-40)
+
+# We're walking the list of known signatures, and extracting all trust
+# signatures made by the core fingerprint and known to the sphere
+# keyring.
+
+# for each one of these, we're printing (colon-delimited): the
+# fingerprint, the trust depth, the trust level (60 == marginal, 120
+# == full), and the domain regex (if any):
+
+gpg_sphere "--fingerprint --with-colons --fixed-list-mode --check-sigs" | \
+ cut -f 1,2,5,8,9,10 -d: | \
+ egrep '^(fpr:::::|uat:|uid:|sig:!:'"$authgrip"':[[:digit:]]+ [[:digit:]]+:)' | \
+ while IFS=: read -r type validity grip trustparams trustdomain fpr ; do
+ case $type in
+ 'fpr') # this is a new key
+ keyfpr=$fpr
+ uid=
+ printedfpr=no
+ ;;
+ 'uid') # here comes a user id (if we don't have a key, or the
+ # uid has no calculated validity, we will not bother
+ # with it):
+ if [ "$keyfpr" ] && [ "$validity" = 'f' ] ; then
+ uid="$fpr"
+ else
+ uid=
+ fi
+ ;;
+ 'uat') # this is a user attribute. DETAILS.gz states that the
+ # 10th field is the number of user attribute
+ # subpackets, followed by the total number of bytes of
+ # the subpackets:
+ if [ "$keyfpr" ] && [ "$validity" = 'f' ] ; then
+ uid=$(printf "%d JPEG(?) image(s), total %d bytes" \
+ "${fpr%% *}" "${fpr##* }")
+ else
+ uid=
+ fi
+ ;;
+ 'sig') # print all trust signatures, including regexes if
+ # present, assuming that
+ if [ "$keyfpr" ] && [ "$uid" ] ; then
+ trustdepth=${trustparams%% *}
+ trustlevel=${trustparams##* }
+ if [ "$printedfpr" = no ] ; then
+ printf "%s:\n" "$keyfpr"
+ printedfpr=yes
+ fi
+
+ # FIXME: this is clumsy and not human-friendly. we should
+ # print out more human-readable information, if possible.
+ printf " :%s:%d:%d:%s\n" "$uid" "$trustdepth" "$trustlevel" "$trustdomain"
+ fi
+ ;;
+ esac
done
}