mv keyfunc.sh.new keyfunc.sh
## Commands.
-dist_pkglib_SCRIPTS += keys.archive
dist_pkglib_SCRIPTS += keys.conceal
dist_pkglib_SCRIPTS += keys.keeper-cards
dist_pkglib_SCRIPTS += keys.keeper-nub
dist_profile_DATA += profile.d/01seccure
## Commands.
+dist_pkglib_SCRIPTS += cryptop.archive
dist_pkglib_SCRIPTS += cryptop.genkey
dist_pkglib_SCRIPTS += cryptop.list
dist_pkglib_SCRIPTS += cryptop.delkey
. "$KEYSLIB"/keyfunc.sh
defhelp <<HELP
-LABEL KEY
+LABEL KEY | tar xf -
Write a publishable archive of the key-management state.
-The archive is written to LABEL.tar.gz; a signature is written to
-LABEL.KEY.sig.
+The archive is written to stdout as a tar archive containing two files:
+LABEL.tar.gz contains the actual archive, and LABEL.KEY.sig contains a
+signature.
The archive doesn't contain any unecrypted secrets. You'll probably need
-a keeper set to get anything useful.
+a keeper set to get anything useful out of it.
HELP
case $# in 2) ;; *) usage_err ;; esac
-label=$1 key=$2
-checkword "archive label" "$label"
+arch=$1 key=$2
+checkword "archive label" "$arch"
mktmp
prepare "$key" archive
-( cd $tmp
- mkdir $label
- ln -s $ETC $label/config
- mkdir $label/data
- ln -s $KEYS/* $label/data/
- rm -f $label/data/nub
- tar cf - $label/config/* $label/data/*/* ) | gzip -9c >$label.tar.gz.new
-c_sign $kdir $knub <$label.tar.gz.new >$label.sig.new
-for i in sig tar.gz; do mv $label.$i.new $label.$i; done
+cd $tmp
+mkdir $arch
+ln -s $ETC $arch/config
+mkdir $arch/data
+ln -s $KEYS/* $arch/data/
+rm -f $arch/data/nub
+tar cf - $arch/config/* $arch/data/*/* | gzip -9c >$arch.tar.gz
+c_sign $kdir $knub <$arch.tar.gz >$arch.sig
+tar cf - $arch.tar.gz $arch.sig
###----- That's all, folks --------------------------------------------------
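Review bot: Nothing in the added lines checks that `c_sign` succeeded before the final `tar cf - $arch.tar.gz $arch.sig` writes to stdout, so a failed signing step can still hand the consumer's `tar xf -` an archive whose `.sig` is empty or truncated. Unless keyfunc.sh enables `set -e` (not visible in these lines), guard the step explicitly, e.g. `c_sign $kdir $knub <$arch.tar.gz >$arch.sig || exit 1`; note also that the status of `tar cf - … | gzip -9c` is gzip's, so a tar failure there goes unnoticed and the incomplete archive gets signed. The `cd $tmp` that used to sit inside a subshell has the same problem: if it fails, the `mkdir`, `ln -s` and `rm -f` lines run in the caller's directory, so `cd "$tmp" || exit 1` is safer. Separately, the help text promises a signature in `LABEL.KEY.sig` while the code writes `$arch.sig`, so anyone scripting verification from the help will look for the wrong file; one of the two should change.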