From 9b47ae89c3840eb2af9a57a885e19ccbe36957d5 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 20 Feb 2009 01:39:29 -0500 Subject: [PATCH] trivial implementation of monkeysphere-host revoke-key: just prints ascii-armored revocation certificate to stdout, and admin is expected to know what to do with it. --- man/man8/monkeysphere-host.8 | 7 +++++-- src/share/mh/revoke_key | 28 ++++++++++++++++++++++++++-- 2 files changed, 31 insertions(+), 4 deletions(-) diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8 index 2b71807..2ccaaec 100644 --- a/man/man8/monkeysphere-host.8 +++ b/man/man8/monkeysphere-host.8 @@ -66,8 +66,11 @@ or by specifying `-` to load from stdin. `o' may be be used in place of `add-revoker'. .TP .B revoke-key -Revoke the host's OpenPGP key. `r' may be used in place of -`revoke-key'. +Revoke the host's OpenPGP key. This will ask you a series of +questions, and then generate a key revocation certificate on standard +out. If you publish this revocation certificate to the public +keyservers, your host key will be permanently revoked. `r' may be +used in place of `revoke-key'. .TP .B publish-key Publish the host's OpenPGP key to the keyserver. `p' may be used in diff --git a/src/share/mh/revoke_key b/src/share/mh/revoke_key index cccdc22..380236b 100644 --- a/src/share/mh/revoke_key +++ b/src/share/mh/revoke_key @@ -15,7 +15,31 @@ revoke_key() { -# FIXME: implement! -failure "not implemented yet!" +# Coming in here, we expect $HOST_FINGERPRINT to be set, and we +# believe that there is in fact a key. + # our current implementation is very simple: we just want to + # generate the revocation certificate on stdout. This provides + # for the two most likely (but hopefully not common) scenarios: + + # an admin wants a revocation certificate for the host which they + # can store securely offline. In this case, the admin can + # redirect stdout to a file, or can simply copy/paste or + # transcribe from the terminal. + + # Alternately, an admin might want to publish the revocation + # certificate immediately. here's a quick way to do this: + + + # tmp=$(mktemp -d) + # export GNUPGHOME="$tmp" + # gpg --import < /var/lib/monkeysphere/ssh_host_rsa_key.pub.gpg + # monkeysphere-host revoke-key | gpg --import + # gpg --keyserver pool.sks-keyservers.net --send $(hostname -f) + + + # note: we're not using the gpg_host function because we actually + # want to use gpg's UI in this case, so we want to omit --no-tty + + GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --armor --gen-revoke "0x${HOST_FINGERPRINT}!" } -- 2.25.1