X-Git-Url: https://git.distorted.org.uk/~mdw/ssh-ca/blobdiff_plain/a91e8fcb8d75260a28340c756894e9f507288fa3..e543e5cbc5dc9cfc4091e7a3a126ce08c46847e8:/bin/sign
diff --git a/bin/sign b/bin/sign
index e3ac0c9..32592be 100755
--- a/bin/sign
+++ b/bin/sign
@@ -2,6 +2,7 @@
 set -e
 . lib/func.sh
+orig_domain=$domain
 date=$(date +%Y-%m-%d)
 
 ## The key types are adorned with bit lengths. Work out the raw key type
 ## names.
@@ -13,16 +14,20 @@ done
 ## Start a new output directory.
 rm -rf publish.new
 mkdir publish.new
-mkdir publish.new/ssh-ca
+exec 3publish.new/hosts.list 5>publish.new/known_hosts
+echo ":certificate-authority" >&4
 for kt in $rawkeytypes; do
-  cp ca/ca-$kt.pub publish.new/ssh-ca/
+  cp ca/ca-$kt.pub publish.new/
   read pub publish.new/ssh-ca/ca-$kt.entry
+  echo "@cert-authority $scope $pub" |
+    tee publish.new/ca-$kt.entry >&4
+  ssh-keygen -lv -fca/ca-$kt.pub | sed 's,^,| ,' >&4
 done
 
 ## Sign the various host keys.
-exec 3publish.new/ssh-ca/hosts.list
 last=%%%
+idomain=$domain
+echo >&5 "### BEGIN $idomain KEYS (generated $date)"
 while read line <&3; do
   ## Ignore comments and empty lines.
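Review bot: `orig_domain=$domain` is assigned here but nothing in the three hunks of this commit reads it; the `### BEGIN`/`### END` markers use the separate `idomain=$domain` added in the next hunk, and the `@domain` directive overwrites `domain` without ever consulting `orig_domain`. The rest of the file is not shown, so it may be used by code outside the diff; if it is not, either drop the assignment or make the directive use it, and in either case a one-line comment saying what it preserves would help, e.g. `orig_domain=$domain  # configured default; @domain directives in hosts override it`.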
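Review bot: The known_hosts file opened on fd 5 is published without any signature, whereas the hosts.list written to fd 4 is clear-signed into hosts.asc in the last hunk; a client that installs `publish/known_hosts` therefore gets the raw host keys with no integrity check beyond whatever transport it fetched them over. Either clear-sign it next to the existing `run_gpg --armor -o publish.new/hosts.asc` call, `run_gpg --armor -o publish.new/known_hosts.asc --clearsign publish.new/known_hosts`, or say in a comment above the `exec` that it is an unsigned convenience copy of the material in hosts.asc. Note that the `@cert-authority` lines are written only to fd 4 and the per-key `.entry` files, not to fd 5, so known_hosts carries plain host keys only; that looks intentional but deserves a comment too. The `exec 3…` line is garbled in this rendering (the redirections between `3` and `publish.new/hosts.list` are missing), so the descriptor assignments are inferred from the later `>&4`/`>&5` uses, and the `while read line` loop opened at the end of this hunk continues past it.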
@@ -34,49 +39,61 @@ while read line <&3; do
 
   ## Read the host line.
   set -- $line
+  case "$1" in
+    @domain) domain=$2; continue ;;
+    @*) echo >&2 "$0: unknown directive \`$1'"; exit 1 ;;
+  esac
   host=$1
   names=""
+  nicks=""
 
   ## If this is a different host, then start a new section of the list.
-  case "$host" in "$last") ;; *) { echo; echo "$host"; } >&4 ;; esac
+  case "$last" in
+    "$host") ;;
+    *) { echo; echo ":host $host"; } >&4 ;;
+  esac
   last=$host
 
   ## Build a list of names for the host.
   for n in "$@"; do
-    names=${names:+$names,}$n
     case "$n" in
-      *.* | *:*) ;;
-      *) names=${names:+$names,}$n.$domain ;;
+      .*) for h in $nicks; do names=${names:+$names,}$h$n.$domain; done ;;
+      *.* | *:*) names=${names:+$names,}$n ;;
+      *) nicks=${nicks:+$nicks }$n names=${names:+$names,}$n.$domain ;;
     esac
   done
 
   ## Sign certificates.
   for kt in $rawkeytypes; do
     if [ ! -f host/$host-$kt.pub ]; then continue; fi
-    cp host/$host-$kt.pub publish.new/ssh-ca/
+    cp host/$host-$kt.pub publish.new/
     ssh-keygen -q -sca/ca-$kt \
       -h -I"$cacomment:$host.$domain" -n$names \
       -V$validity \
-      publish.new/ssh-ca/$host-$kt.pub
-    mv publish.new/ssh-ca/$host-$kt-cert.pub \
-      publish.new/ssh-ca/$host-$kt.cert
-    ssh-keygen -lv -fpublish.new/ssh-ca/$host-$kt.pub | sed 's,^,| ,' >&4
+      publish.new/$host-$kt.pub
+    mv publish.new/$host-$kt-cert.pub \
+      publish.new/$host-$kt.cert
+    for fd in 4 5; do
+      { printf "%s " $names; cat host/$host-$kt.pub; } >&$fd
+    done
+    ssh-keygen -lv -fhost/$host-$kt.pub | sed 's,^,| ,' >&4
   done
 done
-exec 3>&- 4>&-
+echo >&5 "### END $idomain KEYS"
+exec 3>&- 4>&- 5>&-
 
 ## Sign the list.
-run_gpg --armor -o publish.new/ssh-ca/hosts.asc \
-  --clearsign publish.new/ssh-ca/hosts.list
-rm publish.new/ssh-ca/hosts.list
+run_gpg --armor -o publish.new/hosts.asc \
+  --clearsign publish.new/hosts.list
+rm publish.new/hosts.list
 
 ## Include a copy of the public key.
-run_gpg --export --armor -o publish.new/ssh-ca/ca-gnupg.asc
-
-## Include a copy of the complete archive.
-(cd publish.new; tar czf ssh-ca.tar.gz ssh-ca/)
-mv publish.new/ssh-ca.tar.gz publish.new/ssh-ca/
+run_gpg --export --armor -o publish.new/ca-gnupg.asc
 
 ## Done.
-rm -rf publish
+if [ -d publish ]; then
+  rm -rf publish.old
+  mv publish publish.old
+fi
 mv publish.new publish
+rm -rf publish.old
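Review bot: The new `@domain) domain=$2; continue ;;` arm accepts a directive with no argument, which sets `domain` to the empty string and silently yields names like `foo.` and certificate identities of the form `$cacomment:$host.` for every following host; make the argument mandatory, `@domain) [ -n "$2" ] || { echo >&2 "$0: @domain needs an argument"; exit 1; }; domain=$2; continue ;;`. In the added `for fd in 4 5` loop, `printf "%s " $names` leaves `$names` unquoted, so a hostname pattern containing `*` (the `*.* | *:*` arm passes such tokens through verbatim) is pathname-expanded against the working directory before it reaches hosts.list and known_hosts; quote it, `printf "%s " "$names"`. The `.*)` arm appends nothing when a `.suffix` token precedes every bare nickname on a line, so `names` can remain empty and the known_hosts line then starts with a bare space and the certificate gets no principals; a comment on the expected token order, or a non-empty check on `names` before the `ssh-keygen -s` call, would make that visible. The enclosing `while read line <&3` loop starts before this hunk.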