It uses user keys, and the archives are public. It doesn't make sense
to restrict it to administrators only. Also, it wrote its output to the
wrong place. Since the output is in two pieces, this is fiddly: use a
tarball.
mv keyfunc.sh.new keyfunc.sh
## Commands.
-dist_pkglib_SCRIPTS += keys.archive
dist_pkglib_SCRIPTS += keys.conceal
dist_pkglib_SCRIPTS += keys.keeper-cards
dist_pkglib_SCRIPTS += keys.keeper-nub
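Review bot: dropping keys.archive from dist_pkglib_SCRIPTS only takes effect if the script file itself is renamed to cryptop.archive in the same commit, since the body diff below edits the script in place under its old name; check that the rename is part of the change set, and that anything else that lists keys.archive by name (documentation, help text of the other keys.* commands, any shell completion) is updated too, otherwise users will be pointed at a command that no longer installs.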
dist_profile_DATA += profile.d/01seccure
## Commands.
+dist_pkglib_SCRIPTS += cryptop.archive
dist_pkglib_SCRIPTS += cryptop.genkey
dist_pkglib_SCRIPTS += cryptop.list
dist_pkglib_SCRIPTS += cryptop.delkey
. "$KEYSLIB"/keyfunc.sh
defhelp <<HELP
Write a publishable archive of the key-management state.
-The archive is written to LABEL.tar.gz; a signature is written to
-LABEL.KEY.sig.
+The archive is written to stdout as a tar archive containing two files:
+LABEL.tar.gz contains the actual archive, and LABEL.KEY.sig contains a
+signature.
The archive doesn't contain any unecrypted secrets. You'll probably need
-a keeper set to get anything useful.
+a keeper set to get anything useful out of it.
HELP
case $# in 2) ;; *) usage_err ;; esac
-label=$1 key=$2
-checkword "archive label" "$label"
+arch=$1 key=$2
+checkword "archive label" "$arch"
mktmp
prepare "$key" archive
-( cd $tmp
- mkdir $label
- ln -s $ETC $label/config
- mkdir $label/data
- ln -s $KEYS/* $label/data/
- rm -f $label/data/nub
- tar cf - $label/config/* $label/data/*/* ) | gzip -9c >$label.tar.gz.new
-c_sign $kdir $knub <$label.tar.gz.new >$label.sig.new
-for i in sig tar.gz; do mv $label.$i.new $label.$i; done
+cd $tmp
+mkdir $arch
+ln -s $ETC $arch/config
+mkdir $arch/data
+ln -s $KEYS/* $arch/data/
+rm -f $arch/data/nub
+tar cf - $arch/config/* $arch/data/*/* | gzip -9c >$arch.tar.gz
+c_sign $kdir $knub <$arch.tar.gz >$arch.sig
+tar cf - $arch.tar.gz $arch.sig
###----- That's all, folks --------------------------------------------------
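Review bot: the new help text promises a signature file named `LABEL.KEY.sig`, but the code writes `c_sign $kdir $knub <$arch.tar.gz >$arch.sig` and bundles `$arch.sig`, so the key name never appears and a recipient of the public tarball cannot tell which keeper key to verify against; either write `>$arch.$key.sig` (and bundle that) or correct the help to say `LABEL.sig`. Second, `tar cf - ... | gzip -9c >$arch.tar.gz` is followed unconditionally by `c_sign` and the outer `tar cf -`: if a glob in `$arch/config/*` or `$arch/data/*/*` matches nothing or tar otherwise fails, the pipeline's exit status is gzip's, so a truncated archive gets signed and published as if valid; check tar's status (PIPESTATUS, or a `.new` name moved into place only on success, as the removed lines did) before signing. Dropping the `( cd $tmp ... )` subshell is fine since nothing runs after the final tar, but the outer `tar cf - $arch.tar.gz $arch.sig` now goes to stdout with no guard, so a user who runs this at a terminal gets binary output. Minor, in the unchanged context: "unecrypted" in the help text is a typo for "unencrypted".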