pentoo-core: update and validate keyring

2026-04-30 10:41:01 +02:00 · 2024-04-02 20:49:24 -04:00 · 2024-04-02 20:49:24 -04:00 · 7f3ea1c890
commit 7f3ea1c890
parent 5063ff53fc
3 changed files with 58 additions and 23 deletions
--- a/pentoo/pentoo-core/files/pentoo-keyring.asc
+++ b/pentoo/pentoo-core/files/pentoo-keyring.asc
@ -224,19 +224,30 @@ iPUttxCVC4BTYpuvnTQnT/Vn7SMY8oDtjKjCv7vZLR+e0yVu/klZYCj6JINLePRP
 /FfebXZ0GTiuwawdD993gCGk4mVcw+AaaFMn0VHPVwmWXDbseGmuHbKG3GVh2XBm
 QiQS0ueItFFZ3v7muKeE3j/MKj91R4iiv4Jrkoltq0QtRYy7BolkZvrFncJxLHqk
 A5Q0TCoimdMldwBp656NlNJIfs411QYLc7dMiZrfj9NaSeEwxbXp2cCgWG7PNrMl
-+VcanoUfzzPhXxrBPbT+0AHZjOPxXPNMIhQnsxqEgCrBLdIBXq3a9+Z+lknbmQEN
-BFmUaEEBCACzXTDt6ZnyaVtueZASBzgnAmK13q9Urgch+sKYeIhdymjuMQtax15O
-klctmrZtqre5kwPUosG3/B2/ikuPYElcHgGPL4uL5Em6S5C/oozfkYzhwRrTSQzv
-YjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ7Fy4
-+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPabuXC
-DscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3vyWgG
-qNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAG0NUdpdEh1YiAod2ViLWZsb3cg
-Y29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+iQEoBBMBCAAcBQJZ
-lGhBCRBK7hj4Ov3rIwIbAwUJDBJ3/wIZAQAA0O4IAJd0k8M+urETyMvTqNTj/U6n
-bqyOdKE4V93uUj5G7sNTfno7wod/Qjj6Zv5KodvA93HmEdQqsmVq5YJ5KGiwcmGC
-pd/GqJRPaYSY0hSUSBqYHiHLusCJkPBpQTBhcEMtfVCB2J6fVeoX2DV0K1xfCGbl
-rSVB0viAxUMnmL5C55RuvbYZsTu8szXhkvIR96CtWbJ8QGaEf1/KSpWz8eptY/om
-f3UPfvdOjnsxc8jVEqPNaR9xC6Q6t53rBa/XgMY6IYyesnyYnc5O6JuexUFaVjyk
-RFtAiYfDaMARpXOmgMm0lhoBRKb/uMUaN3CSYTmE4pZweJcUi7eWgmoQljX2ut4=
-=dNA/
+VcanoUfzzPhXxrBPbT+0AHZjOPxXPNMIhQnsxqEgCrBLdIBXq3a9+Z+lknbmQIN
+BGWmxXYBEACyN+4viFQM6QQoKr0A2W0rGdMobTJwOZso2QPpewbyBsuL3rNW5OmH
+rWwXAhPKNqUIyOzdq8MoSxoTTuqLksoahixEL/X2nyhOBxR9GkYz/oI9R3nYcLRa
+FQoSJoVfOt61opkLUzbWAehpbgT8EKln8JsENq0+0nDlWQi0h2Q9oGmqlgVzskwm
+VZ8Leyv4Mg7hN6swyZ7moZfkkpD5+U7Z2XVurCzkSSfg4zb2lMRLJos2eCAc749E
+CsX0t7OBftF+YqgjIXixXsm2RrUqvU47OkOtZeAhvAYenbC3pr9Fha5NxoBUEa+1
+1MK9W6OcRhwvxVCUrMUR6FTSZyC//VpXTTtrRlOqpU5wGMbP3zpn9geqOXCl8rF7
+1gAPG/o+QFQTBsVEruwi4JWogiQuQyOwAIlFe/7dvaxWZGpv/yW2+L3guL7xaHK
+FVGsayhlitQQ5Xa+P1iSgKSXDyReCbWotfqAempPySI25LHh3ScXI6NgdHSrSBaF
+ojwAfgxbPTEQ6adIsKHCQofrnLrNa3UOeGDGiOOK0aYV3jiEDGAouatkNf2q85Eo
+sj1f9laCqAH3YLJD7dcSne1iChK5qRTByMvIyeSD0NbNnVMFOGpXySyWtKb2ldpu
+8AWBQJsJs9FmYBcWAGBA2pp+IxaCn6rBIHIsUVFRN8OVZKsEsBkWywARAQABtBtH
+aXRIdWIgPG5vcmVwbHlAZ2l0aHViLmNvbT6JAk4EEwEKADgWIQSWhHmhr/kn430a
+Vmu1aQ7uu5UhlAUCZabFdgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC1
+aQ7uu5UhlIMuEAClvVwC+Neoiq0AdixJZsagKHpx1QrMJWrtMRi4eXVTTaeX+P1u
+nhC/AmSO4Xxd3uRoejHvfWh4F0gitUJ8XKgiejnmuGcq7Dbt5OoO1JuXGlW2BQ+M
+iGoYVw2B0sOhWDNrIBWOO/WL4LykcGnAtrRXwoS0Wx4MCydztXQY5lcnCWaW8rvu
+7WmduoOikH4HI97rqN5896dc4iBKSx8LZf+46DRCCD/5SfACplBz4hs5zen8TL8z
+d+zxjFrXbzota0jSDEGK9WGO4z55S2xScC6zv6v3Bj1OR8Bs5aodGtmamHZ7sE9w
+0RJoCfNx+9cR/rE82SrOaBpVU7urLe4lg7zaaNhqDdNV8ymuXGmIJarDgrmeiB5b
+HS+dLFzLUkTgot4RFlPa9bFiJuJN6Tc9tMu5RJQ9l/zKmxDHIKWsAle5R65uzEq0
+4LugTQBdEorGxfQCsF2ga9ncKTDMiAThWTvZpOP3NJ/athZRmOBpG4B9iR6rpRU8
+F/+MokG4fIMwnvtOhWQFiEzdTkJ7U5JAkPtTAmT3/mznwtPEU7DrFWSGAdqgIMOl
+xNCBeGvjwLR0qGH7cB9qHDGNoDLkjaUFpu5tPv4/ivkQaHlHJxjT0ILM6jetCAzK
+pKh48rm65tmrJX6KVpj0r2kKMscFf7s7XaPlCNCFds/YA+0puPbzJKWKfA==
+=36Jb
 -----END PGP PUBLIC KEY BLOCK-----
--- a/pentoo/pentoo-core/pentoo-core-2024.1-r1.ebuild
+++ b/pentoo/pentoo-core/pentoo-core-2024.1-r1.ebuild
--- a/scripts/update-pentoo-keyring
+++ b/scripts/update-pentoo-keyring
@ -1,8 +1,8 @@
 #!/bin/sh
 set -exu
-zero="A5DD1427DD11F94A"
-blshkv="273E3E90D1A6294F"
-github="4AEE18F83AFDEB23"
+zero="537C5937C779CE2772F33029A5DD1427DD11F94A"
+blshkv="3BB0530E6D96E8C6E93F2090273E3E90D1A6294F"
+github="968479A1AFF927E37D1A566BB5690EEEBB952194"

 GNUPGHOME="$(mktemp -d)"
 tmpkeyring="$(mktemp)"
@ -11,17 +11,41 @@ export tmpkeyring

 gpg --no-default-keyring --keyring "${tmpkeyring}" --keyserver keyserver.ubuntu.com --recv-keys "${zero}" "${blshkv}"

-#we shouldn't need to refresh the keys if we are getting them clean
-#gpg --refresh-keys
-
 #this key causes errors if pulls from the keyserver :-(
 curl https://github.com/web-flow.gpg | gpg --no-default-keyring --keyring "${tmpkeyring}" --import

+#Remove the old expired/revoked github key so our check passes
+gpg --no-default-keyring --keyring "${tmpkeyring}" --batch --delete-key 5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23
+
+#we shouldn't need to refresh the keys if we are getting them clean
+#gpg --no-default-keyring --keyring "${tmpkeyring}" --refresh-keys
+
+if gpg --no-default-keyring --keyring "${tmpkeyring}" --list-keys | grep -q expired; then
+  printf "Someone's key has expired!\n"
+  gpg --no-default-keyring --keyring "${tmpkeyring}" --list-keys
+  exit 1
+fi
+curr_date="$(date -u +%s)"
+for key in $(gpg --no-default-keyring --keyring "${tmpkeyring}" --list-keys | grep 'expires:' | cut -f2 -d ':' | cut -f1 -d']' | cut -f2 -d' '); do
+  expiry="$(date --date=${key} -u +%s)"
+  until_expiry="$((expiry - curr_date))"
+  if [ "${until_expiry}" -lt 7776000 ]; then
+    printf "Someone's key expires in <90 days...\n"
+    gpg --no-default-keyring --keyring "${tmpkeyring}" --list-keys
+    exit 1
+  fi
+done
+#git verify-commit HEAD
+
+#https://github.com/projg2/glep63-check/issues/6
+#cd /usr/share/pentoo || exit 1
+#glep63-check --keyring "${tmpkeyring}"
+
 #trust isn't exported
 #printf "5\ny\n" | gpg --no-default-keyring --keyring "${tmpkeyring}" --command-fd 0 --edit-key "${github}" trust
 gpg --no-default-keyring --keyring "${tmpkeyring}" --armor --export "${zero}" "${blshkv}" "${github}" > ../pentoo/pentoo-core/files/pentoo-keyring.asc
-pkill -f "dirmngr --daemon --homedir ${GNUPGHOME}"
-pkill -f "gpg-agent --homedir ${GNUPGHOME}"
+pkill -f "dirmngr --daemon --homedir ${GNUPGHOME}" || true
+pkill -f "gpg-agent --homedir ${GNUPGHOME}" || true
 rm -f "${tmpkeyring}"
 rm -rf "${GNUPGHOME}"
 unset GNUPGHOME