-/!\ This will modify your password store to add and import a subtree
-with the specific passwords files. Choose a path that doesn’t exist
-yet in your password store.
-> pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
-> pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
-Later, you can use pull_environment and push_environment scripts to
-update the passwords when needed
-Continue? [y/N]
-EOF
- read y
- if [ "$y" = "y" -o "$y" = "Y" ]; then
- pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
- pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
- else
- echo "Aborting"
- exit 1
+ Nix store outside of /nix/store is not supported
+ EOF
+ exit 1
+fi
+
+gpg_keys=$(pass ls Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
+for key in $gpg_keys; do
+ content=$(pass show Nixops/GPGKeys/$key)
+ fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5)
+ gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no
+ # /usr/share/doc/gnupg/DETAILS field 2
+ (echo "$content" | gpg --import-options show-only --import --with-colons |
+ grep -E '^pub:' |
+ cut -d':' -f2 |
+ grep -q '[fu]') && signed=yes || signed=no
+ if [ "$signed" = no -o "$imported" = no ] ; then
+ echo "The key for $key needs to be imported and signed (a local signature is enough)"
+ echo "$content" | gpg --import-options show-only --import
+ echo "Continue? [y/N]"
+ read y
+ if [ "$y" = "y" -o "$y" = "Y" ]; then
+ echo "$content" | gpg --import
+ gpg --expert --edit-key "$fpr" lsign quit
+ else
+ echo "Aborting"
+ exit 1
+ fi