publish-key (p) publish server's host key to keyserver
add-identity-certifier (a) KEYID import and tsign a certification key
- -n|--domain DOMAIN domain of certifier ()
- -t|--trust TRUST trust level of certifier (2)
+ -n|--domain DOMAIN limit ID certifications to IDs in DOMAIN ()
+ -t|--trust TRUST trust level of certifier (full)
-d|--depth DEPTH trust depth for certifier (1)
remove-identity-certifier (r) KEYID remove a certification key
list-identity-certifiers (l) list certification keys
- gpg-authentication-cmd execute a gpg command to the
- authentication keyring as the
- monkeysphere user
+ gpg-authentication-cmd CMD gnupg-authentication command
help (h,?) this help
fingerprint=$(gpg_host --list-key --with-colons --with-fingerprint "=${userID}" | \
grep '^fpr:' | head -1 | cut -d: -f10)
+ # export host ownertrust to authentication keyring
+ log "setting ultimate owner trust for server key..."
+ echo "${fingerprint}:6:" | gpg_authentication "--import-ownertrust"
+
# translate the private key to ssh format, and export to a file
# for sshs usage.
# NOTE: assumes that the primary key is the proper key to use
# publish server key to keyserver
publish_server_key() {
- read -p "really publish key to $KEYSERVER? (y/N) " OK; OK=${OK:=N}
+ read -p "Really publish key to $KEYSERVER? (y/N) " OK; OK=${OK:=N}
if [ ${OK/y/Y} != 'Y' ] ; then
failure "aborting."
fi
# FIXME: need to figure out better way to identify host key
# dummy command so as not to publish fakes keys during testing
# eventually:
- #gpg_authentication "--keyring $GNUPGHOME_HOST/pubring.gpg --keyserver $KEYSERVER --send-keys $(hostname -f)"
- failure "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development)."
+ #gpg_authentication "--keyserver $KEYSERVER --send-keys $(hostname -f)"
+ echo "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development)."
+ echo "The following command should publish the key:"
+ echo "monkeysphere-server gpg-authentication-cmd '--keyserver $KEYSERVER --send-keys $(hostname -f)'"
+ exit 255
}
# retrieve key from web of trust, import it into the host keyring, and
local keyID
local fingerprint
local ltsignCommand
+ local trustval
# set default values for trust depth and domain
domain=
- trust=2
+ trust=full
depth=1
# get options
done
keyID="$1"
+ if [ -z "$keyID" ] ; then
+ failure "You must specify the key ID of a key to add."
+ fi
export keyID
- # export host ownertrust to authentication keyring
- gpg_host --export-ownertrust | gpg_authentication "--import-ownertrust"
-
# get the key from the key server
gpg_authentication "--keyserver $KEYSERVER --recv-key '$keyID'"
echo "key found:"
gpg_authentication "--fingerprint $fingerprint"
- read -p "Are you sure you want to add this key as a certifier of users on this system? (y/N) " OK; OK=${OK:-N}
+ echo "Are you sure you want to add this key as a certifier of"
+ read -p "users on this system? (y/N) " OK; OK=${OK:-N}
if [ "${OK/y/Y}" != 'Y' ] ; then
failure "aborting."
fi
# export the key to the host keyring
gpg_authentication "--export $keyID" | gpg_host --import
+ if [ "$trust" == marginal ]; then
+ trustval=1
+ elif [ "$trust" == full ]; then
+ trustval=2
+ else
+ failure "trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)"
+ fi
+
# ltsign command
# NOTE: *all* user IDs will be ltsigned
ltsignCommand=$(cat <<EOF
ltsign
y
-$trust
+$trustval
$depth
$domain
y
save
EOF
-)
+ )
# ltsign the key
echo "$ltsignCommand" | gpg_host --quiet --command-fd 0 --edit-key "$fingerprint"
local fingerprint
keyID="$1"
+ if [ -z "$keyID" ] ; then
+ failure "You must specify the key ID of a key to remove."
+ fi
# delete the requested key (with prompting)
gpg_host --delete-key "$keyID"
;;
'add-identity-certifier'|'add-certifier'|'a')
- if [ -z "$1" ] ; then
- failure "You must specify a key ID."
- fi
add_certifier "$1"
;;
'remove-identity-certifier'|'remove-certifier'|'r')
- if [ -z "$1" ] ; then
- failure "You must specify a key ID."
- fi
remove_certifier "$1"
;;
projects / monkeysphere.git / blobdiff