Check PGP key expiration
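#!/bin/bash
################################################################################
# check PGP secret key(s) expiration
#
# Walks every secret key in the gpg2 keyring and, for each of its primary
# ("pub") and sub ("sub") keys, warns on stderr when the key
#   - never expires,
#   - expired within the last DAYS / 4 days, or
#   - is about to expire within DAYS days.
# If the Nagios command pipe exists, a passive service check result is
# submitted there: return code 2 when a key is about to expire, 0 otherwise.
#
# created: 17-06-2014
################################################################################
# Here-strings, process substitution and $(( )) arithmetic used below need
# bash 4 or newer; newer major versions are fine, so only older ones are refused.
if (( BASH_VERSINFO[0] < 4 ))
then
  printf 'error: bash version < 4, this script might not work properly!\n' 1>&2
  printf ' you can bypass this check by commenting out lines %d-%d.\n' "$(( LINENO - 3 ))" "$(( LINENO + 2 ))" 1>&2
  exit 1
fi
export LANG=en_US
# LC_ALL=C keeps gpg2/date output in a stable, parseable form
export LC_ALL=C
set -u

# Fail early if a required tool is missing from PATH (cut is used for the
# key ID extraction below).
for PROGRAM in \
  awk \
  cat \
  cp \
  cut \
  date \
  gawk \
  grep \
  ln \
  mkdir \
  mktemp \
  mv \
  rm \
  sed \
  shred \
  stat \
  gpg2
do
  if ! hash "${PROGRAM}" 2>/dev/null
  then
    printf "error: command not found in PATH: %s\n" "${PROGRAM}" >&2
    exit 1
  fi
done
unset PROGRAM

# terminal colours for the WARNING prefix (real escape bytes, so no echo -e needed)
declare -r RST=$'\033[0m'
declare -r WRN=$'\033[1;31m'

# from http://www.gossamer-threads.com/lists/gnupg/users/42445
DATE_CURRENT=$( date '+%s' )
DAY_IN_SECS=$(( 60*60*24 ))
# warn days
DAYS=30
# for nagios
nagioscmd="/var/nagios/rw/nagios.cmd"
output=""
code=0
service="PGP key is not expiring"

#######################################
# Print a coloured WARNING line to stderr.
# Arguments: $* - message text
#######################################
warn() {
  printf '%sWARNING%s: %s\n' "${WRN}" "${RST}" "$*" 1>&2
}

# key IDs are hex strings, so word-splitting the command output is safe here
for mskeyid in $( gpg2 --with-colons --fixed-list-mode --list-secret-keys | grep "^sec:" | cut -d':' -f5 )
do
  if ! gpg2 --list-keys "${mskeyid}" 1>/dev/null
  then
    printf 'error: key not found!\n' 1>&2
    continue
  fi
  # colon-separated record: field 1 type, 2 validity, 5 key ID, 7 expiration
  # (seconds since epoch under --fixed-list-mode; empty when the key never expires)
  while IFS=: read -r _ revoked _ _ keyid _ DATE_KEY_EXPIRES _
  do
    # master signing key revoked? no need to check further...
    if [[ "${keyid}" == "${mskeyid}" && "${revoked}" == "r" ]]
    then
      break
    fi
    if [[ -z "${DATE_KEY_EXPIRES}" ]]
    then
      warn "key ${keyid} does not expire!"
      continue
    fi
    # guard the arithmetic below against an unexpected, non-numeric field
    if [[ ! "${DATE_KEY_EXPIRES}" =~ ^[0-9]+$ ]]
    then
      printf 'error: unexpected expiration field "%s" for key %s\n' "${DATE_KEY_EXPIRES}" "${keyid}" 1>&2
      continue
    fi
    if (( DATE_KEY_EXPIRES < DATE_CURRENT ))
    then
      # key has expired
      expired_in_sec=$(( DATE_CURRENT - DATE_KEY_EXPIRES ))
      # warn if key has expired within $DAYS / 4
      if (( expired_in_sec <= DAYS * DAY_IN_SECS / 4 ))
      then
        warn "key ${keyid} expired $(( expired_in_sec / DAY_IN_SECS )) days ago!"
        #date -d @${DATE_KEY_EXPIRES} | sed 's/^/ on /' 1>&2
      fi
    else
      expires_in_sec=$(( DATE_KEY_EXPIRES - DATE_CURRENT ))
      # if the key is about to expire within $DAYS...
      if (( expires_in_sec <= DAYS * DAY_IN_SECS ))
      then
        output="key ${keyid} is about to expire in $(( expires_in_sec/DAY_IN_SECS )) days"
        warn "${output}!"
        date -d "@${DATE_KEY_EXPIRES}" | sed 's/^/ on /' 1>&2
        code=2
      fi
    fi
  done 0< <( gpg2 --with-colons --fixed-list-mode --list-keys "${mskeyid}" | grep "^[ps]ub" )
done

# submit a passive check result only when the Nagios command FIFO is present
if [[ -p "${nagioscmd}" ]]
then
  printf '[%s] PROCESS_SERVICE_CHECK_RESULT;localhost;%s;%d;%s\n' \
    "$(date +%s)" "${service}" "${code}" "${output}" 1>"${nagioscmd}"
fi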