Last active
January 31, 2020 00:39
-
-
Save philpennock/e8a621484efb4e89eb9c03c3e0d8a4cf to your computer and use it in GitHub Desktop.
Two versions of "how to refresh PGP keys with gpg via WKD/external"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| set -eu | |
| # Warning: we assume that the input of the list of domains to refresh is | |
| # trusted, and free from abusive characters. So the only adjustments for using | |
| # within a PCRE regexp we apply is "escape the dots to be literal". | |
| progname="$(basename "$0" .sh)" | |
| die() { printf >&2 '%s: %s\n' "$progname" "$*"; exit 1; } | |
| usage() { | |
| local ev="${1:-1}" | |
| [[ $ev == 0 ]] || exec >&2 | |
| cat <<EOUSAGE | |
| Usage: $progname [-cw] [-m <mechanism>] [-G <gpgargs> ... --] <DOMAIN> [...] | |
| -c Support also using mechanisms from configs | |
| -m <mechanism> GnuPG external lookup mechanism [$opt_mechanism] | |
| -w Use --allow-weak-digest-algos for all gpg invocations | |
| -G <gpgargs...> From -G through to -- are options passed to gpg for retrieval | |
| NB: mechanism can be a comma-separated list | |
| NB: -G is used for the retrieval, not for finding the uids | |
| EOUSAGE | |
| exit $ev | |
| } | |
| opt_only_local_mech='clear,nodefault,' | |
| opt_mechanism=wkd | |
| opt_gpg_list_args=() | |
| opt_gpg_retrieve_args=() | |
| while getopts ':chm:wG:' arg; do | |
| case "$arg" in | |
| h) usage 0 ;; | |
| c) opt_only_local_mech='' ;; | |
| m) opt_mechanism="$OPTARG" ;; | |
| w) | |
| opt_gpg_list_args+=(--allow-weak-digest-algos) | |
| opt_gpg_retrieve_args+=(--allow-weak-digest-algos) | |
| ;; | |
| G) # gpg(1) args from here until -- | |
| shift $((OPTIND - 2)) | |
| while [[ $# -gt 0 ]] && [[ "$1" != "--" ]]; do | |
| opt_gpg_retrieve_args+=("$1") | |
| shift | |
| done | |
| if [[ $# -gt 0 ]]; then | |
| OPTIND=2 | |
| else | |
| OPTIND=1 | |
| fi | |
| break | |
| ;; | |
| :) die "missing required option for -$OPTARG; see -h for help" ;; | |
| \?) die "unknown option -$OPTARG; see -h for help" ;; | |
| *) die "unhandled option -$arg; CODE BUG" ;; | |
| esac | |
| done | |
| shift $((OPTIND - 1)) | |
| unset OPTIND | |
| # Might validate $opt_mechanism here? | |
| [[ $# -gt 0 ]] || die "need at least one domain to refresh" | |
| oIFS="$IFS" | |
| IFS='|' | |
| regexp="$*" | |
| IFS="$oIFS" | |
| regexp="<([^@]+@(?:${regexp//./\\.}))>:" | |
| gpg "${opt_gpg_retrieve_args[@]}" --auto-key-locate "$opt_only_local_mech$opt_mechanism" --locate-external-keys $( | |
| gpg "${opt_gpg_list_args[@]}" --with-colons --list-keys "$@" | pcregrep -o1 "$regexp" | sort -u | |
| ) | |
| # vim: set sw=2 et : |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| set -eu | |
| oIFS="$IFS" | |
| IFS='|' | |
| regexp="$*" | |
| IFS="$oIFS" | |
| regexp="<([^@]+@(?:${regexp//./\\.}))>:" | |
| gpg --auto-key-locate clear,nodefault,wkd --locate-external-keys $( | |
| gpg --with-colons --list-keys "$@" | pcregrep -o1 "$regexp" | sort -u | |
| ) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Darn it, I had the wkd one first when uploading, to try to show the "simple" variant first. Gist re-orders to alphabetical.