bin/sign: Include `known_hosts' entries in the signed bundle.

[ssh-ca] / bin / sign

diff --git a/bin/sign b/bin/sign
index 17d7d22..ecd139e 100755 (executable)
--- a/bin/sign
+++ b/bin/sign
@@ -13,14 +13,17 @@ done
 ## Start a new output directory.
 rm -rf publish.new
 mkdir publish.new
+exec 3<etc/hosts 4>publish.new/hosts.list
+echo ":certificate-authority" >&4
 for kt in $rawkeytypes; do
   cp ca/ca-$kt.pub publish.new/
   read pub <ca/ca-$kt.pub
-  echo "@cert-authority $scope $pub" >publish.new/ca-$kt.entry
+  echo "@cert-authority $scope $pub" |
+       tee publish.new/ca-$kt.entry >&4
+  ssh-keygen -lv -fca/ca-$kt.pub | sed 's,^,| ,' >&4
 done
 
 ## Sign the various host keys.
-exec 3<etc/hosts 4>publish.new/hosts.list
 last=%%%
 while read line <&3; do
 
@@ -35,21 +38,21 @@ while read line <&3; do
   set -- $line
   host=$1
   names=""
+  nicks=""
 
   ## If this is a different host, then start a new section of the list.
   case "$last" in
-    "%%%") echo "$host" >&4 ;;
     "$host") ;;
-    *) { echo; echo "$host"; } >&4 ;;
+    *) { echo; echo ":host $host"; } >&4 ;;
   esac
   last=$host
 
   ## Build a list of names for the host.
   for n in "$@"; do
-    names=${names:+$names,}$n
     case "$n" in
-      *.* | *:*) ;;
-      *) names=${names:+$names,}$n.$domain ;;
+      .*) for h in $nicks; do names=${names:+$names,}$h$n.$domain; done ;;
+      *.* | *:*) names=${names:+$names,}$n ;;
+      *) nicks=${nicks:+$nicks }$n names=${names:+$names,}$n.$domain ;;
     esac
   done
 
@@ -63,7 +66,8 @@ while read line <&3; do
       publish.new/$host-$kt.pub
     mv publish.new/$host-$kt-cert.pub \
       publish.new/$host-$kt.cert
-    ssh-keygen -lv -fpublish.new/$host-$kt.pub | sed 's,^,| ,' >&4
+    { printf "%s " $names; cat host/$host-$kt.pub; } >&4
+    ssh-keygen -lv -fhost/$host-$kt.pub | sed 's,^,| ,' >&4
   done
 done
 exec 3>&- 4>&-