added some FIXMEs to transitions/0.23, concerning host keys that were originally...

[monkeysphere.git] / src / transitions / 0.23

diff --git a/src/transitions/0.23 b/src/transitions/0.23
index 6cbf99522317856677682730517559ea02c8d82c..dead78871926c9462844481303133ce625d99429 100755 (executable)
--- a/src/transitions/0.23
+++ b/src/transitions/0.23
@@ -121,7 +121,7 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then
 
                            CERTKEY=$(mktemp ${TMPDIR:-/tmp}/mstransition.XXXXXXXX)
                            log "Adding identity certifier with fingerprint %s\n" "$keyfpr"
-                           GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --export "0x$keyfpr" --export-clean >"$CERTKEY"
+                           GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --export "0x$keyfpr" --export-options export-clean >"$CERTKEY"
                            MONKEYSPHERE_PROMPT=false monkeysphere-authentication add-identity-certifier $finaldomain --trust "$truststring" --depth "$trustdepth" "$CERTKEY"
                            rm -f "$CERTKEY"
                            # clear the fingerprint so that we don't
@@ -143,13 +143,25 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then
        if [ -s "$SYSDATADIR"/ssh_host_rsa_key ] || \
            GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --with-colons --list-secret-keys | grep -q '^sec:' ; then
            
+           FPR=$(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --with-colons --fixed-list-mode --list-secret-keys --fingerprint | awk -F: '/^fpr:/{ print $10 }' )
+           
        # create host home
            mkdir -p "${MHDATADIR}"
            chmod 0700 "${MHDATADIR}"
            
            log "importing host key from old monkeysphere installation\n"
-           GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --export-secret-keys | \
-               GNUPGHOME="$MHDATADIR" gpg --import
+
+# export from the pubring as well as the that new (non-expired)
+# self-sigs are available, otherwise the secret key import may fail
+
+# FIXME: turns out the secret key import fails anyway, stupidly :(
+
+# FIXME: if all self-sigs are expired, then the secret key import may
+# fail anyway. How should we deal with that?
+           
+           (GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --export-secret-keys && \
+           GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --no-permission-warning --export $FPR) | \
+               GNUPGHOME="$MHDATADIR" gpg --quiet --no-tty --import
            
            monkeysphere-host update-gpg-pub-file
        else
@@ -171,7 +183,7 @@ fi
 # the new authentication keyring.
 if [ -d "${SYSDATADIR}/gnupg-authentication" ] ; then
 
-    GNUPGHOME="${SYSDATADIR}/gnupg-authentication" gpg --export | \
+    GNUPGHOME="${SYSDATADIR}/gnupg-authentication" gpg --no-permission-warning --export | \
        monkeysphere-authentication gpg-cmd --import
 
     mkdir -p "$STASHDIR"