X-Git-Url: https://git.distorted.org.uk/~mdw/ssh-ca/blobdiff_plain/a91e8fcb8d75260a28340c756894e9f507288fa3..fcacefc921209902c8c18cf0797250b7b0839d87:/bin/sign
diff --git a/bin/sign b/bin/sign
index e3ac0c9..5d1380f 100755
--- a/bin/sign
+++ b/bin/sign
@@ -13,15 +13,14 @@ done
 ## Start a new output directory.
 rm -rf publish.new
 mkdir publish.new
-mkdir publish.new/ssh-ca
 for kt in $rawkeytypes; do
-  cp ca/ca-$kt.pub publish.new/ssh-ca/
+  cp ca/ca-$kt.pub publish.new/
   read pub publish.new/ssh-ca/ca-$kt.entry
+  echo "$@cert-authority $scope $pub" >publish.new/ca-$kt.entry
 done
 ## Sign the various host keys.
-exec 3publish.new/ssh-ca/hosts.list
+exec 3publish.new/hosts.list
 last=%%%
 while read line <&3; do
@@ -38,7 +37,11 @@ while read line <&3; do
   names=""
   ## If this is a different host, then start a new section of the list.
-  case "$host" in "$last") ;; *) { echo; echo "$host"; } >&4 ;; esac
+  case "$last" in "%%%") echo "$host" >&4 ;; "$host") ;; *) { echo; echo "$host"; } >&4 ;; esac
   last=$host
   ## Build a list of names for the host.
@@ -53,30 +56,30 @@ while read line <&3; do
   ## Sign certificates.
   for kt in $rawkeytypes; do
     if [ ! -f host/$host-$kt.pub ]; then continue; fi
-    cp host/$host-$kt.pub publish.new/ssh-ca/
-    ssh-keygen -q -sca/ca-$kt \
+    cp host/$host-$kt.pub publish.new/
+    ssh-keygen -q -tv00 -sca/ca-$kt \
       -h -I"$cacomment:$host.$domain" -n$names \
       -V$validity \
-      publish.new/ssh-ca/$host-$kt.pub
-    mv publish.new/ssh-ca/$host-$kt-cert.pub \
-      publish.new/ssh-ca/$host-$kt.cert
-    ssh-keygen -lv -fpublish.new/ssh-ca/$host-$kt.pub | sed 's,^,| ,' >&4
+      publish.new/$host-$kt.pub
+    mv publish.new/$host-$kt-cert.pub \
+      publish.new/$host-$kt.cert
+    ssh-keygen -lv -fpublish.new/$host-$kt.pub | sed 's,^,| ,' >&4
   done
 done
 exec 3>&- 4>&-
 ## Sign the list.
-run_gpg --armor -o publish.new/ssh-ca/hosts.asc \
-  --clearsign publish.new/ssh-ca/hosts.list
-rm publish.new/ssh-ca/hosts.list
+run_gpg --armor -o publish.new/hosts.asc \
+  --clearsign publish.new/hosts.list
+rm publish.new/hosts.list
 ## Include a copy of the public key.
-run_gpg --export --armor -o publish.new/ssh-ca/ca-gnupg.asc
-
-## Include a copy of the complete archive.
-(cd publish.new; tar czf ssh-ca.tar.gz ssh-ca/)
-mv publish.new/ssh-ca.tar.gz publish.new/ssh-ca/
+run_gpg --export --armor -o publish.new/ca-gnupg.asc
 ## Done.
-rm -rf publish
+if [ -d publish ]; then
+  rm -rf publish.old
+  mv publish publish.old
+fi
 mv publish.new publish
+rm -rf publish.old
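Review bot: The final `rm -rf publish.old` at the end of the hunk runs unconditionally, so if `mv publish.new publish` fails (permissions, a stray file named `publish`, a full disk) the previous publication is discarded together with the failed swap and nothing remains published; guard it as `mv publish.new publish && rm -rf publish.old` or restore the old tree with `mv publish.new publish || mv publish.old publish`. There is also a window between `mv publish publish.old` and `mv publish.new publish` during which no `publish` directory exists, which anything serving that path should tolerate. Separately, the new `ssh-keygen -q -tv00 -sca/ca-$kt` pins the legacy v00 certificate format; v00 was superseded by v01 and, as far as I recall, later OpenSSH releases refuse to issue or accept it, so a comment stating which client or server versions need v00 and when the flag can go would help, e.g. `## -tv00: legacy cert format for old OpenSSH peers; drop once they are upgraded`. The `while read line <&3` loop enclosing the signing calls starts outside the hunk.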