bin/sign: Emit a `known_hosts' file in the correct form.

diff --git a/bin/sign b/bin/sign
index fbdadc6..f275355 100755 (executable)
--- a/bin/sign
+++ b/bin/sign
@@ -2,6 +2,7 @@
 
 set -e
 . lib/func.sh
+orig_domain=$domain date=$(date +%Y-%m-%d)
 
 ## The key types are adorned with bit lengths.  Work out the raw key type
 ## names.
@@ -13,7 +14,7 @@ done
 ## Start a new output directory.
 rm -rf publish.new
 mkdir publish.new
-exec 3<etc/hosts 4>publish.new/hosts.list
+exec 3<etc/hosts 4>publish.new/hosts.list 5>publish.new/known_hosts
 echo ":certificate-authority" >&4
 for kt in $rawkeytypes; do
   cp ca/ca-$kt.pub publish.new/
@@ -25,6 +26,7 @@ done
 
 ## Sign the various host keys.
 last=%%%
+echo >&5 "### BEGIN $domain KEYS (generated $date)"
 while read line <&3; do
 
   ## Ignore comments and empty lines.
@@ -70,11 +72,14 @@ while read line <&3; do
       publish.new/$host-$kt.pub
     mv publish.new/$host-$kt-cert.pub \
       publish.new/$host-$kt.cert
-    { printf "%s " $names; cat host/$host-$kt.pub; } >&4
+    for fd in 4 5; do
+      { printf "%s " $names; cat host/$host-$kt.pub; } >&$fd
+    done
     ssh-keygen -lv -fhost/$host-$kt.pub | sed 's,^,| ,' >&4
   done
 done
-exec 3>&- 4>&-
+echo >&5 "### END $domain KEYS"
+exec 3>&- 4>&- 5>&-
 
 ## Sign the list.
 run_gpg --armor -o publish.new/hosts.asc \