5 orig_domain
=$domain date=$
(date +%Y-
%m-
%d
)
7 ## The key types are adorned with bit lengths. Work out the raw key type
10 for kt
in $keytypes; do
11 rawkeytypes
="$rawkeytypes ${kt%:*}"
14 ## Start a new output directory.
17 exec 3<etc
/hosts
4>publish.new
/hosts.list
5>publish.new
/known_hosts
18 echo ":certificate-authority" >&4
19 for kt
in $rawkeytypes; do
20 cp ca
/ca-
$kt.pub publish.new
/
21 read pub
<ca
/ca-
$kt.pub
22 echo "@cert-authority $scope $pub" |
23 tee publish.new
/ca-
$kt.entry
>&4
24 ssh-keygen
-lv
-fca
/ca-
$kt.pub |
sed 's,^,| ,' >&4
27 ## Sign the various host keys.
30 echo >&5 "### BEGIN $idomain KEYS (generated $date)"
31 while read line
<&3; do
33 ## Ignore comments and empty lines.
35 "#"* |
"") continue ;;
40 ## Read the host line.
43 @domain
) domain
=$2; continue ;;
44 @
*) echo >&2 "$0: unknown directive \`$1'"; exit 1 ;;
50 ## If this is a different host, then start a new section of the list.
53 *) { echo; echo ":host $host"; } >&4 ;;
57 ## Build a list of names for the host.
60 .
*) for h
in $nicks; do names
=${names:+$names,}$h$n.
$domain; done ;;
61 *.
* |
*:*) names
=${names:+$names,}$n ;;
62 *) nicks
=${nicks:+$nicks }$n names
=${names:+$names,}$n.
$domain ;;
67 for kt
in $rawkeytypes; do
68 if [ ! -f
host/$host-$kt.pub
]; then continue; fi
69 cp host/$host-$kt.pub publish.new
/
70 ssh-keygen
-q
-tv00
-sca
/ca-
$kt \
71 -h
-I
"$cacomment:$host.$domain" -n
$names \
73 publish.new
/$host-$kt.pub
74 mv publish.new
/$host-$kt-cert.pub \
75 publish.new
/$host-$kt.cert
77 { printf "%s " $names; cat host/$host-$kt.pub
; } >&$fd
79 ssh-keygen
-lv
-fhost
/$host-$kt.pub |
sed 's,^,| ,' >&4
82 echo >&5 "### END $idomain KEYS"
86 run_gpg
--armor
-o publish.new
/hosts.asc \
87 --clearsign publish.new
/hosts.list
88 rm publish.new
/hosts.list
90 ## Include a copy of the public key.
91 run_gpg
--export --armor
-o publish.new
/ca-gnupg.asc
94 if [ -d publish
]; then
96 mv publish publish.old
98 mv publish.new publish