+# stand in for dkg's gpg2ssh program
+gpg2ssh() {
+ mode="$1"
+ keyid="$2"
+ if [ "$mode" = '--authorized_keys' -o "$mode" = '-a' ] ; then
+ gpgkey2ssh "$keyid" | sed -e "s/COMMENT/$userid/"
+ elif [ "$mode" = '--known_hosts' -o "$mode" = '-k' ] ; then
+ echo -n "$userid "; gpgkey2ssh "$keyid" | sed -e 's/ COMMENT//'
+ fi
+}
+
+# expects global variables
+# mode REQUIRED_KEY_CAPABILITY ids_file key_dir
+process_keys() {
+ local nlines
+ local n
+ local userid
+ local userid_hash
+ local return
+ local pub_info
+ local key_trust
+ local key_capability
+ local gen_key
+ unset gen_key
+
+ # find number of user ids in auth_user_ids file
+ nlines=$(meat "$ids_file" | wc -l)
+
+ # make sure gpg home exists with proper permissions
+ mkdir -p -m 0700 "$GNUPGHOME"
+
+ # clean out keys file and remake keys directory
+ rm -rf "$key_dir"
+ mkdir -p "$key_dir"
+
+ # loop through all user ids, and generate ssh keys
+ for n in $(seq 1 $nlines) ; do
+
+ # get id
+ userid=$(meat "$ids_file" | cutline "$n" )
+ userid_hash=$(echo "$userid" | sha1sum | awk '{ print $1 }')
+
+ # search for key on keyserver
+ log "validating: '$userid'"
+ return=$(echo 1 | gpg --quiet --batch --command-fd 0 --with-colons --keyserver "$KEYSERVER" --search ="$userid")
+
+ # if the key was found...
+ if [ "$return" ] ; then
+ echo " key found."
+
+ # checking key attributes
+ # see /usr/share/doc/gnupg/DETAILS.gz
+
+ pub_info=$(gpg --fixed-list-mode --with-colons --list-keys --with-fingerprint ="$userid" | grep '^pub:')
+ if [ -z "$pub_info" ] ; then
+ echo " error getting pub info -> SKIPPING"
+ continue
+ fi
+
+ # extract needed fields
+ key_trust=$(echo "$pub_info" | cut -d: -f2)
+ keyid=$(echo "$pub_info" | cut -d: -f5)
+ key_capability=$(echo "$pub_info" | cut -d: -f12)
+
+ # check if key disabled
+ if echo "$key_capability" | grep -q '[D]' ; then
+ echo " key disabled -> SKIPPING"
+ continue
+ fi
+
+ # check key capability
+ if echo "$key_capability" | grep -q '[$REQUIRED_KEY_CAPABILITY]' ; then
+ echo " key capability verified ('$key_capability')."
+ else
+ echo " unacceptable key capability ('$key_capability') -> SKIPPING"
+ continue
+ fi
+
+ # if key is not fully trusted exit
+ # (this includes not revoked or expired)
+ # determine trust
+ echo -n " key "
+ case "$key_trust" in
+ 'i')
+ echo -n "invalid" ;;
+ 'r')
+ echo -n "revoked" ;;
+ 'e')
+ echo -n "expired" ;;
+ '-'|'q'|'n'|'m')
+ echo -n "has unacceptable trust" ;;
+ 'f'|'u')
+ echo -n "fully trusted"
+ gen_key=true
+ ;;
+ *)
+ echo -n "has unknown trust" ;;
+ esac
+
+ if [ "$gen_key" ] ; then
+ # convert pgp key to ssh key, and write to cache file
+ echo -n " -> generating ssh key... "
+ gpg2ssh "$mode" "$keyid" > "$key_dir"/"$userid_hash"
+ echo "done."
+ else
+ echo ". -> SKIPPING"
+ fi
+
+ else
+ echo " key not found."
+ fi
+ done
+}
+
+########################################################################
+# MAIN
+########################################################################