Add public key fingerprint page and generator script.
[web.git] / scripts / make-signatures.sh
1 #!/usr/bin/env bash
2
3 cat <<EOT > signatures.txt
4 ---
5 ---
6 LEDE Public Keys
7 ================
8
9 == LEDE Public Keys
10
11 This page lists the fingerprints of all public keys in use by the LEDE project
12 and is automatically generated from the developer keys present in the
13 https://git.lede-project.org/?p=keyring.git[keyring.git] repository.
14
15 Refer to our link:signing.html[signing documentation page] to learn more about
16 file verification and key generation.
17
18 EOT
19
20 mkdir -p "tmp.$$/gpg" || {
21 echo "Canot create temporary directory." >&2
22 exit 1
23 }
24
25 trap "rm -fr tmp.$$" INT TERM
26 git clone https://git.lede-project.org/keyring.git "tmp.$$/git"
27
28
29 cat <<EOT >> signatures.txt
30 === GnuPG key fingerprints
31
32 GnuPG keys are mainly used to verify the integrity of firmware image downloads.
33
34 Signature verification ensures that image downloads have not been tampered with
35 and that the third-party download mirrors serve genuine content.
36
37 EOT
38
39 format_key() {
40 output=""
41
42 while read field rest; do
43 case $field in
44 uid)
45 output="User ID: $(echo "$rest" | sed -e 's/([^()]*) //; s/@/ -at- /; s/^\(.*\) </*\1* </') +\n$output"
46 ;;
47 pub|sub)
48 oIFS="$IFS"; IFS=" /]"; set -- $rest; IFS="$oIFS"
49 type="$1"; keyid="$2"; created="$3"; expires="$5"
50
51 case $field in
52 pub) output="${output}Public Key: " ;;
53 sub) output="${output}Signing Subkey: " ;;
54 esac
55
56 output="${output}*0x$keyid* ("
57
58 case $type in
59 *[rR]) output="${output}${type%[rR]} Bit RSA" ;;
60 *[dD]) output="${output}${type%[dD]} Bit DSA" ;;
61 *[gG]) output="${output}${type%[gG]} Bit ElGamal" ;;
62 esac
63
64 output="${output}, created $created${expires:+, expires $expires}) +\n";
65 ;;
66 Key)
67 fingerprint="${rest##* = }"
68 output="${output}Fingerprint: +$fingerprint+ +\n"
69 ;;
70 esac
71 done
72
73 printf "$output"
74 }
75
76 grep -rE "^Comment: " "tmp.$$/git/gpg"/*.asc | \
77 sed -e 's!^\([^:]*\):Comment: \(.*\)$!\2|\1!' | \
78 sort | \
79 while read line; do
80 keyfile="${line##*|}"
81 comment="${line%|*}"
82
83 keyid=$(gpg --status-fd 1 --homedir "tmp.$$/gpg" --import "$keyfile" 2>/dev/null | \
84 sed -ne 's!^.* IMPORTED \([A-F0-9]\+\) .*$!\1!p')
85
86 relfile="gpg/${keyfile##*/gpg/}"
87 modtime="$(cd "tmp.$$/git/"; git log -1 --format="%ci" -- "$relfile")"
88
89 {
90 cat <<-EOT
91 ---
92
93 ==== $comment
94 $(gpg --homedir "tmp.$$/gpg" --fingerprint --fingerprint "$keyid" 2>/dev/null | format_key)
95
96 [small]#https://git.lede-project.org/?p=keyring.git;a=history;f=$relfile[Last change: $modtime] | https://git.lede-project.org/?p=keyring.git;a=blob_plain;f=$relfile[Download]#
97
98 EOT
99 } >> signatures.txt
100 done
101
102 cat <<EOT >> signatures.txt
103 === _usign_ public keys
104
105 The _usign_ EC keys are used to sign repository indexes in order to ensure that
106 packages fetched and installed via _opkg_ are unmodified and genuine.
107
108 Those keys are usually installed by default and bundled as
109 https://git.lede-project.org/?p=source.git;a=tree;f=package/system/lede-keyring[lede-keyring]
110 package.
111
112 EOT
113
114 grep -rE "^untrusted comment: " "tmp.$$/git/usign"/[a-f0-9]* | \
115 sed -e 's!^\([^:]*\):untrusted comment: \(.*\)$!\2|\1!' | \
116 sort | \
117 while read line; do
118 keyfile="${line##*|}"
119 comment="${line%|*}"
120
121 relfile="usign/${keyfile##*/usign/}"
122 modtime="$(cd "tmp.$$/git/"; git log -1 --format="%ci" -- "$relfile")"
123
124 {
125 cat <<-EOT
126 ---
127
128 ==== $comment
129 * Key-ID: +${keyfile##*/}+
130 * Key-Data: +$(grep -vE "^untrusted comment: " "$keyfile")+
131
132 [small]#https://git.lede-project.org/?p=keyring.git;a=history;f=$relfile[Last change: $modtime] | https://git.lede-project.org/?p=keyring.git;a=blob_plain;f=$relfile[Download]#
133
134 EOT
135 } >> signatures.txt
136 done
137
138 rm -fr "tmp.$$"
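Review bot: At script line 73, `printf "$output"` passes text assembled from key user IDs and comments as the printf format string, so a `%` in a UID is parsed as a conversion and the fingerprint block is rendered wrongly or the builtin errors out; `printf '%b' "$output"` keeps the `\n` handling without that exposure. A second gap is at lines 25–26: the cleanup trap covers only INT and TERM and the clone result is never checked, so if `git clone` fails the two loops run over a missing tree, signatures.txt is written with no fingerprints at all, and the script still exits 0. Closing both needs `trap 'rm -fr "tmp.$$"' EXIT INT TERM` and `git clone https://git.lede-project.org/keyring.git "tmp.$$/git" || { echo "Cannot clone keyring." >&2; exit 1; }`. The `read` calls at lines 42, 79 and 117 also lack `-r`, so a backslash in a UID or comment is altered before it reaches the page, and the message at line 21 misspells "Cannot".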