# working dir!
install: all installman
mkdir -p $(DESTDIR)$(PREFIX)/bin $(DESTDIR)$(PREFIX)/sbin
- mkdir -p $(DESTDIR)$(PREFIX)/share/monkeysphere/m $(DESTDIR)$(PREFIX)/share/monkeysphere/mh $(DESTDIR)$(PREFIX)/share/monkeysphere/ma
+ mkdir -p $(DESTDIR)$(PREFIX)/share/monkeysphere/m $(DESTDIR)$(PREFIX)/share/monkeysphere/mh $(DESTDIR)$(PREFIX)/share/monkeysphere/ma $(DESTDIR)$(PREFIX)/share/monkeysphere/transitions
mkdir -p $(DESTDIR)$(ETCPREFIX)/etc/monkeysphere
mkdir -p $(DESTDIR)$(PREFIX)/share/doc/monkeysphere
install src/monkeysphere src/keytrans/openpgp2ssh src/keytrans/pem2openpgp $(DESTDIR)$(PREFIX)/bin
install src/monkeysphere-host src/monkeysphere-authentication $(DESTDIR)$(PREFIX)/sbin
install -m 0644 src/share/common $(DESTDIR)$(PREFIX)/share/monkeysphere
- install -m 0644 src/share/transition* $(DESTDIR)$(PREFIX)/share/monkeysphere
+ install -m 0644 src/transitions/* $(DESTDIR)$(PREFIX)/share/monkeysphere/transitions
install -m 0644 src/share/m/* $(DESTDIR)$(PREFIX)/share/monkeysphere/m
install -m 0644 src/share/mh/* $(DESTDIR)$(PREFIX)/share/monkeysphere/mh
install -m 0644 src/share/ma/* $(DESTDIR)$(PREFIX)/share/monkeysphere/ma
+++ /dev/null
-#!/bin/bash
-
-# This is a post-install script for monkeysphere, to transition an old
-# (<0.23) setup to the new (>=0.23) setup.
-
-# You should be able to run this script after any version >= 0.23 is
-# installed. This script should be well-behaved, even if it is run
-# repeatedly.
-
-# Written by
-# Jameson Rollins <jrollins@finestructure.net>
-# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-#
-# Copyright 2009, released under the GPL, version 3 or later
-
-# NOTE: the reverse operation (downgrading) is not directly supported,
-# and MAY LOCK YOU OUT OF YOUR SYSTEM, depending on how you have
-# configured the monkeysphere!
-
-# any unexpected errors should cause this script to bail:
-set -e
-
-SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
-
-MADATADIR="${SYSDATADIR}/authentication"
-MHDATADIR="${SYSDATADIR}/host"
-
-STASHDIR="${SYSDATADIR}/backup-from-0.23-transition"
-
-
-log() {
- printf "$@" >&2
-}
-
-# FIXME: implement this function better. here, we only care about
-# dots, *and* about reversing the regexification of them.
-gpg_unescape_and_unregex() {
- sed 's/\\x5c\././g'
-}
-
-
-is_domain_name() {
- printf "%s" "$1" | egrep -q '^[[:alnum:]][[:alnum:]-.]*[[:alnum:]]$'
-}
-
-# run the authentication setup (this is also the first chance to bail
-# if 0.23 is not fully-installed, because m-a did not exist before
-# 0.23)
-monkeysphere-authentication setup
-
-# before 0.23, the old gnupg-host data directory used to contain the
-# trust core and the system's ssh host key.
-
-if [ -d "$SYSDATADIR"/gnupg-host ] ; then
-
-### transfer identity certifiers, if they don't already exist in the
-### current setup:
-
- if [ monkeysphere-authentication list-identity-certifiers | \
- grep -q '^[A-F0-9]{40}:$' ] ; then
- log 'There are already certifiers in the new system!\nNot transferring any certifiers.\n'
- else
- # get the old host keygrip (don't know why there would be more
- # than one, but we'll transfer all tsigs made by any key that
- # had been given ultimate ownertrust):
- for authgrip in $(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export-ownertrust | \
- grep ':6:$'
- sed -r 's/^[A-F0-9]{24}([A-F0-9]{16}):6:$/\1/') ; do
-
- # we're assuming that old id certifiers were only added by old
- # versions of m-s c+, which added certifiers by ltsigning
- # entire keys.
-
- # so we'll walk the list of tsigs from the old host key, and
- # add those keys as certifiers to the new system.
-
- # FIXME: if an admin has run "m-s add-id-certifier $foo"
- # multiple times for the same $foo, we'll only transfer
- # one of those certifications (even if later
- # certifications had different parameters).
-
- GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --fingerprint --with-colons --fixed-list-mode --check-sigs | \
- cut -f 1,2,5,8,9,10 -d: | \
- egrep '^(fpr:::::|sig:!:'"$authgrip"':[[:digit:]]+ [[:digit:]]+:)' | \
- while IFS=: read -r type validity grip trustparams trustdomain fpr ; do
- case $type in
- 'fpr') # this is a new key
- keyfpr=$fpr
- ;;
- 'sig') # deal with all trust signatures, including
- # regexes if present.
- if [ "$keyfpr" ] ; then
- trustdepth=${trustparams%% *}
- trustlevel=${trustparams##* }
- if [ "$trustlevel" -ge 120 ] ; then
- truststring=full
- elif [ "$trustlevel" -ge 60 ] ; then
- truststring=marginal
- else
- # trust levels below marginal are ignored.
- continue
- fi
-
- finaldomain=
- if [ "$trustdomain" ] ; then
- # FIXME: deal with translating
- # $trustdomain back to a domain.
- if [ printf "%s" "$trustdomain" | egrep -q '^<\[\^>\]\+\[@\.\][^>]+>\$$' ] ; then
- dpart=$(printf "%s" "$trustdomain" | sed -r 's/^<\[\^>\]\+\[@\.\]([^>]+)>\$$/\1/' | gpg_unescape_and_unregex)
- if [ is_domain_name "$dpart" ]; then
- finaldomain="--domain $dpart"
- else
- log "Does not seem to be a domain name (%s), not adding certifier\n" "$dpart"
- continue
- fi
- else
- log "Does not seem to be a standard gpg domain-based tsig (%s), not adding certifier\n" "$trustdomain"
- continue
- fi
- fi
-
- CERTKEY=$(mktemp ${TMPDIR:-/tmp}/mstransition.XXXXXXXX)
- log "Adding identity certifier with fingerprint %s\n" "$keyfpr"
- GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export "0x$keyfpr" --export-clean >"$CERTKEY"
- MONKEYSPHERE_PROMPT=false monkeysphere-authentication add-identity-certifier $finaldomain --trust "$truststring" --depth "$trustdepth" "$CERTKEY"
- rm -f "$CERTKEY"
- # clear the fingerprint so that we don't
- # make additional tsigs on it if more uids
- # are present:
- $keyfpr=
- fi
- ;;
- esac
- done
- done
- fi
-
-### transfer host key information (if present) into the new spot
-
- if [ -d "${MHDATADIR}" ] ; then
- log "Not transferring host key info because host directory already exists.\n"
- else
- if [ -s "$SYSDATADIR"/ssh_host_rsa_key ] || \
- GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --with-colons --list-secret-keys | grep -q '^sec:' ; then
-
- # create host home
- mkdir -p "${MHDATADIR}"
- chmod 0700 "${MHDATADIR}"
-
- log "importing host key from old monkeysphere installation\n"
- GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export-secret-keys \
- GNUPGHOME="$MHDATADIR" gpg --import
-
- monkeysphere-host update-gpg-pub-file
- else
- log "No host key found in old monkeysphere install; not importing any host key.\n"
- fi
- fi
-
-
-### get rid of this old stuff, since we've transferred it all:
-
- mkdir -p "$STASHDIR"
- chmod 0700 "$STASHDIR"
- mv "${SYSDATADIR}/gnupg-host" "$STASHDIR"
-fi
-
-
-# There is nothing in the old authentication directory that we should
-# need to keep around, but it is not unreasonable to transfer keys to
-# the new authentication keyring.
-if [ -d "${SYSDATADIR}/gnupg-authentication" ] ; then
-
- GNUPGHOME="${SYSDATADIR}/gnupg-authentication" gpg --export | \
- monkeysphere-authentication gpg-cmd --import
-
- mkdir -p "$STASHDIR"
- chmod 0700 "$STASHDIR"
- mv "${SYSDATADIR}/gnupg-authentication" "$STASHDIR"
-fi
--- /dev/null
+#!/bin/bash
+
+# This is a post-install script for monkeysphere, to transition an old
+# (<0.23) setup to the new (>=0.23) setup.
+
+# You should be able to run this script after any version >= 0.23 is
+# installed. This script should be well-behaved, even if it is run
+# repeatedly.
+
+# Written by
+# Jameson Rollins <jrollins@finestructure.net>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+#
+# Copyright 2009, released under the GPL, version 3 or later
+
+# NOTE: the reverse operation (downgrading) is not directly supported,
+# and MAY LOCK YOU OUT OF YOUR SYSTEM, depending on how you have
+# configured the monkeysphere!
+
+# any unexpected errors should cause this script to bail:
+set -e
+
+SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
+
+MADATADIR="${SYSDATADIR}/authentication"
+MHDATADIR="${SYSDATADIR}/host"
+
+STASHDIR="${SYSDATADIR}/backup-from-0.23-transition"
+
+
+log() {
+ printf "$@" >&2
+}
+
+# FIXME: implement this function better. here, we only care about
+# dots, *and* about reversing the regexification of them.
+gpg_unescape_and_unregex() {
+ sed 's/\\x5c\././g'
+}
+
+
+is_domain_name() {
+ printf "%s" "$1" | egrep -q '^[[:alnum:]][[:alnum:]-.]*[[:alnum:]]$'
+}
+
+# run the authentication setup (this is also the first chance to bail
+# if 0.23 is not fully-installed, because m-a did not exist before
+# 0.23)
+monkeysphere-authentication setup
+
+# before 0.23, the old gnupg-host data directory used to contain the
+# trust core and the system's ssh host key.
+
+if [ -d "$SYSDATADIR"/gnupg-host ] ; then
+
+### transfer identity certifiers, if they don't already exist in the
+### current setup:
+
+ if [ monkeysphere-authentication list-identity-certifiers | \
+ grep -q '^[A-F0-9]{40}:$' ] ; then
+ log 'There are already certifiers in the new system!\nNot transferring any certifiers.\n'
+ else
+ # get the old host keygrip (don't know why there would be more
+ # than one, but we'll transfer all tsigs made by any key that
+ # had been given ultimate ownertrust):
+ for authgrip in $(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export-ownertrust | \
+ grep ':6:$'
+ sed -r 's/^[A-F0-9]{24}([A-F0-9]{16}):6:$/\1/') ; do
+
+ # we're assuming that old id certifiers were only added by old
+ # versions of m-s c+, which added certifiers by ltsigning
+ # entire keys.
+
+ # so we'll walk the list of tsigs from the old host key, and
+ # add those keys as certifiers to the new system.
+
+ # FIXME: if an admin has run "m-s add-id-certifier $foo"
+ # multiple times for the same $foo, we'll only transfer
+ # one of those certifications (even if later
+ # certifications had different parameters).
+
+ GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --fingerprint --with-colons --fixed-list-mode --check-sigs | \
+ cut -f 1,2,5,8,9,10 -d: | \
+ egrep '^(fpr:::::|sig:!:'"$authgrip"':[[:digit:]]+ [[:digit:]]+:)' | \
+ while IFS=: read -r type validity grip trustparams trustdomain fpr ; do
+ case $type in
+ 'fpr') # this is a new key
+ keyfpr=$fpr
+ ;;
+ 'sig') # deal with all trust signatures, including
+ # regexes if present.
+ if [ "$keyfpr" ] ; then
+ trustdepth=${trustparams%% *}
+ trustlevel=${trustparams##* }
+ if [ "$trustlevel" -ge 120 ] ; then
+ truststring=full
+ elif [ "$trustlevel" -ge 60 ] ; then
+ truststring=marginal
+ else
+ # trust levels below marginal are ignored.
+ continue
+ fi
+
+ finaldomain=
+ if [ "$trustdomain" ] ; then
+ # FIXME: deal with translating
+ # $trustdomain back to a domain.
+ if [ printf "%s" "$trustdomain" | egrep -q '^<\[\^>\]\+\[@\.\][^>]+>\$$' ] ; then
+ dpart=$(printf "%s" "$trustdomain" | sed -r 's/^<\[\^>\]\+\[@\.\]([^>]+)>\$$/\1/' | gpg_unescape_and_unregex)
+ if [ is_domain_name "$dpart" ]; then
+ finaldomain="--domain $dpart"
+ else
+ log "Does not seem to be a domain name (%s), not adding certifier\n" "$dpart"
+ continue
+ fi
+ else
+ log "Does not seem to be a standard gpg domain-based tsig (%s), not adding certifier\n" "$trustdomain"
+ continue
+ fi
+ fi
+
+ CERTKEY=$(mktemp ${TMPDIR:-/tmp}/mstransition.XXXXXXXX)
+ log "Adding identity certifier with fingerprint %s\n" "$keyfpr"
+ GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export "0x$keyfpr" --export-clean >"$CERTKEY"
+ MONKEYSPHERE_PROMPT=false monkeysphere-authentication add-identity-certifier $finaldomain --trust "$truststring" --depth "$trustdepth" "$CERTKEY"
+ rm -f "$CERTKEY"
+ # clear the fingerprint so that we don't
+ # make additional tsigs on it if more uids
+ # are present:
+ $keyfpr=
+ fi
+ ;;
+ esac
+ done
+ done
+ fi
+
+### transfer host key information (if present) into the new spot
+
+ if [ -d "${MHDATADIR}" ] ; then
+ log "Not transferring host key info because host directory already exists.\n"
+ else
+ if [ -s "$SYSDATADIR"/ssh_host_rsa_key ] || \
+ GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --with-colons --list-secret-keys | grep -q '^sec:' ; then
+
+ # create host home
+ mkdir -p "${MHDATADIR}"
+ chmod 0700 "${MHDATADIR}"
+
+ log "importing host key from old monkeysphere installation\n"
+ GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export-secret-keys \
+ GNUPGHOME="$MHDATADIR" gpg --import
+
+ monkeysphere-host update-gpg-pub-file
+ else
+ log "No host key found in old monkeysphere install; not importing any host key.\n"
+ fi
+ fi
+
+
+### get rid of this old stuff, since we've transferred it all:
+
+ mkdir -p "$STASHDIR"
+ chmod 0700 "$STASHDIR"
+ mv "${SYSDATADIR}/gnupg-host" "$STASHDIR"
+fi
+
+
+# There is nothing in the old authentication directory that we should
+# need to keep around, but it is not unreasonable to transfer keys to
+# the new authentication keyring.
+if [ -d "${SYSDATADIR}/gnupg-authentication" ] ; then
+
+ GNUPGHOME="${SYSDATADIR}/gnupg-authentication" gpg --export | \
+ monkeysphere-authentication gpg-cmd --import
+
+ mkdir -p "$STASHDIR"
+ chmod 0700 "$STASHDIR"
+ mv "${SYSDATADIR}/gnupg-authentication" "$STASHDIR"
+fi
--- /dev/null
+This directory contains transition scripts for major changes to
+monkeysphere infrastructure.
+
+They are expected to be run immediately after upgrading to the named
+version or later.
+
+For example: you upgrade to from version 0.8 to version 0.15, and the
+directory contains 0.6, 0.12 and 0.15, you should run 0.12 followed by
+0.15.
+
+The scripts are supposed to be cleverly-written enough that you can
+run them repeatedly, and they should only make their intended changes
+once. If they do not behave that way, this is a bug. Please report
+it!
+
+ https://labs.riseup.net/code/projects/monkeysphere/
projects / monkeysphere.git / commitdiff