bin/sign: Read fingerprint from master rather than publish directory.

[ssh-ca] / bin / sign

diff --git a/bin/sign b/bin/sign
index 17d7d22..dd60a9b 100755 (executable)
--- a/bin/sign
+++ b/bin/sign
@@ -35,6 +35,7 @@ while read line <&3; do
   set -- $line
   host=$1
   names=""
+  nicks=""
 
   ## If this is a different host, then start a new section of the list.
   case "$last" in
@@ -46,10 +47,10 @@ while read line <&3; do
 
   ## Build a list of names for the host.
   for n in "$@"; do
-    names=${names:+$names,}$n
     case "$n" in
-      *.* | *:*) ;;
-      *) names=${names:+$names,}$n.$domain ;;
+      .*) for h in $nicks; do names=${names:+$names,}$h$n,$h$n.$domain; done ;;
+      *.* | *:*) names=${names:+$names,}$n ;;
+      *) nicks=${nicks:+$nicks }$n names=${names:+$names,}$n,$n.$domain ;;
     esac
   done
 
@@ -63,7 +64,7 @@ while read line <&3; do
       publish.new/$host-$kt.pub
     mv publish.new/$host-$kt-cert.pub \
       publish.new/$host-$kt.cert
-    ssh-keygen -lv -fpublish.new/$host-$kt.pub | sed 's,^,| ,' >&4
+    ssh-keygen -lv -fhost/$host-$kt.pub | sed 's,^,| ,' >&4
   done
 done
 exec 3>&- 4>&-