Improving gpg key creation

Bob Mottram 2015-11-30 11:14:11 +00:00
parent 1bf712abc3
commit f98c57dd89
1 changed files with 69 additions and 37 deletions


@ -7413,6 +7413,25 @@ function create_gpg_subkey {
echo 'create_gpg_subkey' >> $COMPLETION_FILE echo 'create_gpg_subkey' >> $COMPLETION_FILE
} }
function gpg_key_exists {
key_owner_username=$1
key_search_text=$2
if [[ $key_owner_username != "root" ]]; then
KEY_EXISTS=$(su -c "gpg --list-keys \"${key_search_text}\"" - $key_owner_username)
else
KEY_EXISTS=$(gpg --list-keys "${key_search_text}")
fi
if [ ! $KEY_EXISTS ]; then
echo "no"
return
fi
if [ $KEY_EXISTS == *"error"* ]; then
echo "no"
return
fi
echo "yes"
}
function configure_gpg { function configure_gpg {
if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
return return
@ -7422,52 +7441,62 @@ function configure_gpg {
fi fi
apt-get -y install gnupg apt-get -y install gnupg
gpg_dir=/home/$MY_USERNAME/.gnupg
# if gpg keys directory was previously imported from usb # if gpg keys directory was previously imported from usb
if [[ $GPG_KEYS_IMPORTED == "yes" && -d /home/$MY_USERNAME/.gnupg ]]; then if [[ $GPG_KEYS_IMPORTED == "yes" && -d $gpg_dir ]]; then
sed -i "s|keyserver hkp://keys.gnupg.net|keyserver $GPG_KEYSERVER|g" /home/$MY_USERNAME/.gnupg/gpg.conf echo 'GPG keys were imported'
sed -i "s|keyserver hkp://keys.gnupg.net|keyserver $GPG_KEYSERVER|g" $gpg_dir/gpg.conf
MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_EMAIL_ADDRESS | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}') MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_EMAIL_ADDRESS | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg chown -R $MY_USERNAME:$MY_USERNAME $gpg_dir
chmod 700 /home/$MY_USERNAME/.gnupg chmod 700 $gpg_dir
chmod 600 /home/$MY_USERNAME/.gnupg/* chmod 600 $gpg_dir/*
echo 'configure_gpg' >> $COMPLETION_FILE echo 'configure_gpg' >> $COMPLETION_FILE
return return
fi fi
if [ ! -d /home/$MY_USERNAME/.gnupg ]; then if [ ! -d $gpg_dir ]; then
mkdir /home/$MY_USERNAME/.gnupg mkdir $gpg_dir
echo "keyserver $GPG_KEYSERVER" >> /home/$MY_USERNAME/.gnupg/gpg.conf echo "keyserver $GPG_KEYSERVER" >> $gpg_dir/gpg.conf
echo 'keyserver-options auto-key-retrieve' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo 'keyserver-options auto-key-retrieve' >> $gpg_dir/gpg.conf
fi fi
sed -i "s|keyserver hkp://keys.gnupg.net|keyserver $GPG_KEYSERVER|g" /home/$MY_USERNAME/.gnupg/gpg.conf sed -i "s|keyserver hkp://keys.gnupg.net|keyserver $GPG_KEYSERVER|g" $gpg_dir/gpg.conf
if ! grep -q "# default preferences" /home/$MY_USERNAME/.gnupg/gpg.conf; then if ! grep -q "# default preferences" $gpg_dir/gpg.conf; then
echo '' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo '' >> $gpg_dir/gpg.conf
echo '# default preferences' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo '# default preferences' >> $gpg_dir/gpg.conf
echo 'personal-digest-preferences SHA256' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo 'personal-digest-preferences SHA256' >> $gpg_dir/gpg.conf
echo 'cert-digest-algo SHA256' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo 'cert-digest-algo SHA256' >> $gpg_dir/gpg.conf
echo 'default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo 'default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed' >> $gpg_dir/gpg.conf
fi fi
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg chown -R $MY_USERNAME:$MY_USERNAME $gpg_dir
chmod 700 /home/$MY_USERNAME/.gnupg chmod 700 $gpg_dir
chmod 600 /home/$MY_USERNAME/.gnupg/* chmod 600 $gpg_dir/*
if [[ $MY_GPG_PUBLIC_KEY && $MY_GPG_PRIVATE_KEY ]]; then if [[ $MY_GPG_PUBLIC_KEY && $MY_GPG_PRIVATE_KEY ]]; then
echo "Public key: $MY_GPG_PUBLIC_KEY" echo $'Importing GPG keys from file'
echo "Private key: $MY_GPG_PRIVATE_KEY" echo $"Public key: $MY_GPG_PUBLIC_KEY"
echo $"Private key: $MY_GPG_PRIVATE_KEY"
# use your existing GPG keys which were exported # use your existing GPG keys which were exported
if [ ! -f $MY_GPG_PUBLIC_KEY ]; then if [ ! -f $MY_GPG_PUBLIC_KEY ]; then
echo "GPG public key file $MY_GPG_PUBLIC_KEY was not found" echo $"GPG public key file $MY_GPG_PUBLIC_KEY was not found"
exit 5 exit 2483
fi fi
if [ ! -f $MY_GPG_PRIVATE_KEY ]; then if [ ! -f $MY_GPG_PRIVATE_KEY ]; then
echo "GPG private key file $MY_GPG_PRIVATE_KEY was not found" echo $"GPG private key file $MY_GPG_PRIVATE_KEY was not found"
exit 6 exit 5383
fi fi
su -c "gpg --import $MY_GPG_PUBLIC_KEY" - $MY_USERNAME su -c "gpg --import $MY_GPG_PUBLIC_KEY" - $MY_USERNAME
su -c "gpg --allow-secret-key-import --import $MY_GPG_PRIVATE_KEY" - $MY_USERNAME su -c "gpg --allow-secret-key-import --import $MY_GPG_PRIVATE_KEY" - $MY_USERNAME
KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_EMAIL_ADDRESS")
if [[ $KEY_EXISTS == "no" ]]; then
echo $"The GPG key for $MY_EMAIL_ADDRESS could not be imported"
exit 13821
fi
# for security ensure that the private key file doesn't linger around # for security ensure that the private key file doesn't linger around
shred -zu $MY_GPG_PRIVATE_KEY shred -zu $MY_GPG_PRIVATE_KEY
MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_EMAIL_ADDRESS | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}') MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_EMAIL_ADDRESS | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
@ -7481,7 +7510,13 @@ function configure_gpg {
echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf
echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf
echo $'Generating a new GPG key'
su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME
KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_EMAIL_ADDRESS")
if [[ $KEY_EXISTS == "no" ]]; then
echo $"A GPG key for $MY_EMAIL_ADDRESS could not be created"
exit 6362
fi
shred -zu /home/$MY_USERNAME/gpg-genkey.conf shred -zu /home/$MY_USERNAME/gpg-genkey.conf
MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_EMAIL_ADDRESS | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}') MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_EMAIL_ADDRESS | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
MY_GPG_PUBLIC_KEY=/tmp/public_key.gpg MY_GPG_PUBLIC_KEY=/tmp/public_key.gpg
@ -7533,19 +7568,14 @@ function configure_backup_key {
fi fi
apt-get -y install gnupg apt-get -y install gnupg
BACKUP_KEY_EXISTS=$(gpg --list-keys "$MY_NAME (backup key)") BACKUP_KEY_EXISTS=$(gpg_key_exists "root" "$MY_NAME (backup key)")
if [ $BACKUP_KEY_EXISTS ]; then if [[ $BACKUP_KEY_EXISTS == "yes" ]]; then
if [ $BACKUP_KEY_EXISTS != *"error"* ]; then
return return
fi fi
fi
# Generate a GPG key for backups # Generate a GPG key for backups
BACKUP_KEY_EXISTS=$(su -c "gpg --list-keys \"$MY_NAME (backup key)\"" - $MY_USERNAME) BACKUP_KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_NAME (backup key)")
if [ ! $BACKUP_KEY_EXISTS ]; then if [[ $BACKUP_KEY_EXISTS == "no" ]]; then
BACKUP_KEY_EXISTS='error'
fi
if [ $BACKUP_KEY_EXISTS == *"error"* ]; then
echo 'Key-Type: 1' > /home/$MY_USERNAME/gpg-genkey.conf echo 'Key-Type: 1' > /home/$MY_USERNAME/gpg-genkey.conf
echo 'Key-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf echo 'Key-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf
echo 'Subkey-Type: 1' >> /home/$MY_USERNAME/gpg-genkey.conf echo 'Subkey-Type: 1' >> /home/$MY_USERNAME/gpg-genkey.conf
@ -7555,10 +7585,12 @@ function configure_backup_key {
echo "Name-Comment: backup key" >> /home/$MY_USERNAME/gpg-genkey.conf echo "Name-Comment: backup key" >> /home/$MY_USERNAME/gpg-genkey.conf
echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf
echo 'Backup key does not exist. Creating it.'
su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME
shred -zu /home/$MY_USERNAME/gpg-genkey.conf shred -zu /home/$MY_USERNAME/gpg-genkey.conf
BACKUP_KEY_EXISTS=$(su -c "gpg --list-keys \"$MY_NAME (backup key)\"" - $MY_USERNAME) echo 'Checking that the Backup key was created'
if [ ! "$?" = "0" ]; then BACKUP_KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_NAME (backup key)")
if [[ $BACKUP_KEY_EXISTS == "no" ]]; then
echo 'Backup key could not be created' echo 'Backup key could not be created'
exit 43382 exit 43382
fi fi
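Review bot: The new post-import check `KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_EMAIL_ADDRESS")` placed after the two `gpg --import` calls only consults the public keyring (`--list-keys`), so it answers "yes" even when the `--allow-secret-key-import --import` step failed, and the very next line `shred -zu $MY_GPG_PRIVATE_KEY` then destroys the only copy of the private key; the check before shredding should confirm the secret key is present (`--list-secret-keys`) or test the import's exit status. Inside `gpg_key_exists` the detection itself is unreliable: gpg's "not found" message goes to stderr and is never captured, `[ ! $KEY_EXISTS ]` on a multi-line key listing fails with "too many arguments", and `[ $KEY_EXISTS == *"error"* ]` does no pattern matching inside single brackets, so the function reaches "yes" or "no" only because the failed tests happen to fall through the right way; gpg's exit status is the robust signal. The `su -c "gpg --list-keys \"${key_search_text}\""` form also re-parses `$MY_NAME`/`$MY_EMAIL_ADDRESS` as shell in the child, so a name containing a double quote or `$` breaks the lookup; escaping the pattern with `printf '%q'` avoids that. A rewrite covering these points and taking an optional third `secret` argument is sketched below, with the import site becoming `KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_EMAIL_ADDRESS" secret)`; note that `configure_gpg` starts and ends outside the hunk holding that site. Separately, `exit 2483`, `exit 5383`, `exit 13821` and `exit 6362` are truncated modulo 256 by the shell (to 179, 7, 253 and 218), so the distinctive values are not what a caller observes.
```shell
function gpg_key_exists {
    key_owner_username=$1
    key_search_text=$2
    # Optional third argument "secret" checks the secret keyring instead
    # of the public one (needed before shredding an imported private key)
    list_option='--list-keys'
    if [[ $3 == "secret" ]]; then
        list_option='--list-secret-keys'
    fi
    # gpg exits non-zero when nothing matches and prints its error on
    # stderr, so test the status rather than the captured stdout.
    # printf %q shell-escapes the pattern so su -c does not re-parse it.
    escaped_search_text=$(printf '%q' "$key_search_text")
    if [[ $key_owner_username != "root" ]]; then
        su -c "gpg $list_option -- $escaped_search_text" - "$key_owner_username" > /dev/null 2>&1
    else
        gpg $list_option -- "$key_search_text" > /dev/null 2>&1
    fi
    if [ "$?" = "0" ]; then
        echo "yes"
    else
        echo "no"
    fi
}
```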