@yawn
Last active May 10, 2022 11:32
GPG encrypt to all recipients in security.txt
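#!/bin/bash
set -euo pipefail

# collect the key URLs from the Encryption fields (security.txt may use CRLF line endings, so strip CR)
keys=$(sed -n 's/^Encryption: //p' security.txt | tr -d '\r')
declare -a receivers=()

for key in $keys
do
    # fetch key manually (we can't use --auto-key-locate clear,local,wkd --locate-key since the recipients might be different from the security email address)
    t=$(mktemp)
    # -f: fail on HTTP errors instead of saving the error page as a "key"
    curl -fsSLo "$t" "$key"

    # get fingerprint of the first (primary) public key; subkeys have their own fpr records
    id=$(gpg --with-fingerprint --with-colons "$t" | awk -F: '$1 == "fpr" && !seen++ { print $10 }')

    # import key
    gpg --import "$t"

    # populate recipient list using key ids
    receivers+=("--recipient=$id")

    # remove downloaded key
    rm "$t"
done

# --trust-model always: the freshly imported keys are used without any validity check
gpg --armor --trust-model always --encrypt "${receivers[@]}"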
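
The script above hands every `Encryption:` value to `curl` as-is. The following is an added example, not part of the gist: it filters security.txt so that only `https://` key URLs are fetched, tolerating CRLF line endings and case-insensitive field names (RFC 9116). The function names `encryption_urls`, `fetch_key` and `sample_security_txt` and the sample data are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not part of the gist. Function names are hypothetical.
set -eu

# Print the https:// key URLs found in the Encryption fields of a security.txt.
# Handles CRLF line endings and case-insensitive field names (RFC 9116);
# any other value (http://, openpgp4fpr:, ...) is reported on stderr and skipped.
encryption_urls() {
    awk '
        { sub(/\r$/, "") }
        /^#/ || !/:/ { next }
        {
            name  = tolower(substr($0, 1, index($0, ":") - 1))
            value = substr($0, index($0, ":") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (name != "encryption") next
            if (value ~ /^https:\/\/[^ \t]+$/) print value
            else print "skipped (not an https URL): " value > "/dev/stderr"
        }' "$1"
}

# Download one key; curl refuses any non-HTTPS scheme, also after redirects.
fetch_key() {   # usage: fetch_key URL OUTFILE
    curl --proto '=https' --proto-redir '=https' -fsSL -o "$2" "$1"
}

# Constructed sample input with CRLF line endings, not a real security.txt.
sample_security_txt() {
    printf '%s\r\n' \
        '# constructed sample' \
        'Contact: mailto:security@example.com' \
        'Expires: 2030-01-01T00:00:00.000Z' \
        'Encryption: https://example.com/pgp-key.txt' \
        'ENCRYPTION:   https://keys.example.org/team.asc  ' \
        'Encryption: http://example.com/insecure-key.txt' \
        'Encryption: openpgp4fpr:0000000000000000000000000000000000000000'
}

# Offline demo: prints the two accepted URLs, reports the two skipped values.
tmp=$(mktemp)
sample_security_txt > "$tmp"
encryption_urls "$tmp"
rm -f "$tmp"
```

In the original loop, `for key in $(encryption_urls security.txt)` together with `fetch_key "$key" "$t"` would replace the `sed` extraction and the plain `curl` call.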