Utility script to create a temporary environment with a primary GPG key, complete with reminders about how to do maintenance tasks
```bash
#!/bin/bash -eux
# Create a throwaway GNUPGHOME, import the given key into it, and drop into a
# shell that uses that home; the temporary files are removed on exit.
if [ ${#} -lt 1 ]; then
    echo "usage: ${0} <KEY_FILE>" >&2
    exit 1
fi
KEY="${1}"
GPG=gpg
GPGCONF=gpgconf
SHELL=bash
RED='\033[0;31m'
NC='\033[0m'

# Stop the agent bound to the regular GNUPGHOME before switching homes
${GPGCONF} --kill all
GNUPGHOME="$(mktemp -d "$(basename "$0")".XXXXXX)"
RC="$(mktemp "$(basename "$0")".rc.XXXXXX)"
# On exit, kill the agent that served the temporary home so the imported secret
# key is not left cached in a running gpg-agent, then remove the files.
# shellcheck disable=SC2064
trap "${GPGCONF} --kill all || true; rm -rf ${GNUPGHOME} ${RC}" EXIT

# Keyserver used by the temporary home
cat << EOF > "${GNUPGHOME}/dirmngr.conf"
keyserver hkps://keys.openpgp.org
EOF
export GNUPGHOME

if ! ${GPG} --import "${KEY}"; then
    echo -e "${RED}Failed to import key${NC}" >&2
    exit 1
fi

# Long key ID of every imported primary secret key (one per line)
KEYID="$(${GPG} --list-secret-keys --keyid-format 0xlong \
    | sed -n 's/^sec.*0x\([^ ]\+\).*$/\1/p')"

# rc file for the interactive shell: a coloured prompt showing the key ID, and
# the temporary home exported so gpg inside that shell uses it.
# \[ and \] mark the colour escapes as non-printing so bash line editing stays correct.
cat << EOF > "${RC}"
export PS1="\[${RED}\]${KEYID}\[${NC}\]${GNUPGHOME/$(basename "$0")}> "
export GNUPGHOME=${GNUPGHOME}
echo "gpg home is ${GNUPGHOME}"
EOF

# Get info from a card if present
${GPG} --card-status || true

cat << EOF
Key-renewal cheatsheet
----------------------
* ssh to old hosts (host11, host12, host13) first
* gpg --edit-key ${KEYID}
* addcardkey
* signature
* authentication
* gpg --export --armor ${KEYID} > ~/${KEYID}.pub.asc
EOF

# Interactive shell using the temporary home; its exit status must not abort
# the script (set -e) before the rotation cheatsheet is printed.
${SHELL} --rcfile "${RC}" || true

cat << EOF
Key-rotation cheatsheet
-----------------------
* gpg --import < ~/${KEYID}.pub.asc
* gpg --send-key ${KEYID}
* update ssh keys
* deploy scripts
* ssh-copy-id (host21, host22, host23)
* https://github.com/settings/keys
* https://meta.sr.ht/keys
* cd ~/bordel/default-env; make delcred CRED=GPGSIGNID; make upgrade
* cd ~/src/mebsite; rm key.pgp.asc; make key.pgp.asc
EOF
```
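The script pulls the key ID out of the human-readable listing with sed. As an added example (not part of the gist), the same extraction done over gpg's machine-readable `--with-colons` output, which is stable across versions and locales and also exposes each key's expiry, so the renewal cheatsheet can be acted on before the key lapses. The listing below is constructed and its key IDs are placeholders; `sample_listing` and `primary_key_status` are names chosen here.

```bash
#!/bin/bash
# Added example (not from the gist): parse `gpg --with-colons --list-secret-keys`
# output instead of grepping the human-readable listing.
# Colon-format fields used: 1=record type, 5=key ID, 7=expiry (epoch, empty=never).

# Constructed sample listing: one RSA key expiring soon (with a signing subkey)
# and one ed25519 key that never expires. Key IDs and fingerprints are placeholders.
sample_listing() {
    cat << 'EOF'
sec:u:4096:1:0123456789ABCDEF:1577836800:1735689600::u:::scESC:::+:::23::0:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF:
ssb:u:4096:1:FEDCBA9876543210:1577836800:1735689600:::::s:::+:::23:
sec:u:255:22:1111222233334444:1600000000:::u:::scESC:::+:::23::0:
fpr:::::::::EEEEEEEEEEEEEEEEEEEEEEEE1111222233334444:
EOF
}

# primary_key_status DAYS NOW_EPOCH < listing
# Prints one line per primary secret key: "<keyid> <expiry|never> <status>",
# where status is ok, RENEW-SOON (expires within DAYS), EXPIRED or never-expires.
# Subkeys (ssb) are skipped, as in the script's sed, so the printed key ID is
# the one the cheatsheet passes to --edit-key.
primary_key_status() {
    local days="$1" now="$2"
    awk -F: -v days="$days" -v now="$now" '
        $1 == "sec" {
            expiry = $7
            if (expiry == "") { status = "never-expires" }
            else if (expiry + 0 <= now + 0) { status = "EXPIRED" }
            else if (expiry - now <= days * 86400) { status = "RENEW-SOON" }
            else { status = "ok" }
            printf "%s %s %s\n", $5, (expiry == "" ? "never" : expiry), status
        }'
}

# Against a live keyring:
#   gpg --with-colons --list-secret-keys | primary_key_status 30 "$(date +%s)"
sample_listing | primary_key_status 30 1735000000
```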