Anthony Towns wrote:
> I was more meaning it as an optimisation so you could ignore "key
> add 0x7172daed" if there was a "key delete 0x7172daed" changeset
> later. Likewise a "uid add" followed by a "uid del" or whatever.

Ah, sure, as an optimisation it could be useful. However, I think that letting the keyring build tool operate in incremental mode during maintenance sessions (with one nonincremental build at the end if desired) will make it fast enough.

> How would you convert "gpg --refresh-keys" into changeset based
> operations, I wonder? Maybe you could do it by something like:
>
>   cp real-keyring.gpg tmpkeys.gpg
>   gpg --keyring tmpkeys.gpg --refresh-keys
>   for x in $(changed-keys); do
>     (
>       echo "Changed-By: me"
>       echo "Comment: new signatures/uids for key $x"
>       echo "Action: import --keyserver-options merge-only"
>       echo "Data:"
>       gpg --keyring tmpkeys.gpg --ascii --armour --export "$x" | sed -e 's/^/ /'
>     ) > changeset-refresh-$x
>   done
>   rm tmpkeys.gpg
>   echo "Now you just have to apply changeset-refresh-* to real-keyring.gpg :)"

That's beautiful, if we can figure out what "changed-keys" is. :-)

BTW, I have a keyring-explode script that does similar for converting an existing monolithic keyring into changesets. (attached)

-- 
see shy jo
#!/bin/sh
# Converts a keyring into a bunch of changesets, one per key.
# Only intended to be used for initial import of keyring.
set -e

if [ -z "$1" ] || [ -z "$2" ]; then
	echo "Usage: keyring-explode keyring changesetdir" >&2
	exit 1
fi

keyring=$(readlink -f "$1") # gpg works better with absolute keyring paths
changesetdir="$2"
basename=$(basename "$keyring")

mkdir -p "$changesetdir"
touch "$changesetdir/index"

# Take the key ID from each "pub" line (the text between "/" and the next space).
for key in $(gpg --no-default-keyring --keyring "$keyring" --list-keys |
		grep '^pub' | sed -e 's!.*/!!' -e 's/ .*//'); do
	out="$changesetdir/add-$key"
	echo "$out"
	echo "Comment: extracted from $basename by keyring-explode" > "$out"
	echo "Action: import" >> "$out"
	echo "Data:" >> "$out"
	# Export from the named keyring only; indent the armored block under "Data:".
	gpg --no-default-keyring --no-auto-check-trustdb --keyring "$keyring" -a --export "$key" |
		sed 's/^/ /' >> "$out"
	# One index line per changeset: "<md5sum> <changeset name>".
	echo "$(md5sum "$out" | cut -d " " -f 1) add-$key" >> "$changesetdir/index"
done
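The attached script records an md5sum for every changeset in changesetdir/index. As an added example (not part of the original message or its attachment), the check below re-reads such a directory and reports changesets that are missing, altered since indexing, or never indexed. The function names `verify_changesets` and `demo`, the report keywords, and the sample key IDs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a changeset directory against the index keyring-explode writes.
# Index lines are "<md5sum> <name>". MD5 catches accidental edits; it is not collision-resistant.
verify_changesets() {
    dir="$1"; status=0
    [ -f "$dir/index" ] || { echo "MISSING-INDEX $dir/index"; return 2; }
    # Pass 1: every indexed changeset must exist and match its recorded sum.
    while read -r sum name; do
        [ -n "$sum" ] || continue                  # skip blank lines
        case "$name" in                            # names must stay inside $dir
            ''|*/*|.*) echo "BAD-NAME $name"; status=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; status=1
        elif [ "$(md5sum "$dir/$name" | cut -d ' ' -f 1)" != "$sum" ]; then
            echo "MODIFIED $name"; status=1
        fi
    done < "$dir/index"
    # Pass 2: every file in the directory must be listed in the index.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        [ "$name" = index ] && continue
        awk -v n="$name" '$2 == n { found = 1 } END { exit !found }' "$dir/index" ||
            { echo "UNLISTED $name"; status=1; }
    done
    return $status
}

# Constructed sample: two indexed changesets, one edited afterwards, one never indexed.
demo() {
    d=$(mktemp -d)
    for n in add-AAAA0001 add-AAAA0002; do
        printf 'Action: import\nData:\n (constructed %s)\n' "$n" > "$d/$n"
        echo "$(md5sum "$d/$n" | cut -d ' ' -f 1) $n" >> "$d/index"
    done
    echo "tampered" >> "$d/add-AAAA0002"
    : > "$d/add-AAAA0003"
    verify_changesets "$d" && rc=0 || rc=$?
    rm -rf "$d"
    return $rc
}

[ "$#" -eq 0 ] || verify_changesets "$1"
```

Run it with a changeset directory as the only argument; it exits 0 when the directory and index agree, 1 on any discrepancy, and 2 when there is no index.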

