-if [ ! -f /etc/ssh/ssh_rsa_key_nixops ]; then
- cat <<EOF
-The key to access private git repositories (websites hosted by the
-server) needs to be accessible to nix builders. It will be put in
-/etc/ssh/ssh_rsa_key_nixops (sudo right is needed for that)
-> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey | sudo tee /etc/ssh/ssh_rsa_key_nixops > /dev/null
-> pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/NixSshKey.pub | sudo tee /etc/ssh/ssh_rsa_key_nixops.pub > /dev/null
-> sudo chmod u=r,go-rwx /etc/ssh/ssh_rsa_key_nixops
-> sudo chown nixbld1:nixbld /etc/ssh/ssh_rsa_key_nixops /etc/ssh/ssh_rsa_key_nixops.pub
-Continue? [y/N]
-EOF
- read y
- if [ "$y" = "y" -o "$y" = "Y" ]; then
- if ! id -u nixbld1 2>/dev/null >/dev/null; then
- echo "User nixbld1 seems inexistant, did you install nix?"
+# Repull it before adding keys, just in case
+make -C $MAKEFILE_DIR pull_environment
+
+gpg_keys=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
+for key in $gpg_keys; do
+ content=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys/$key)
+ fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5)
+ gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no
+ # /usr/share/doc/gnupg/DETAILS field 2
+ (echo "$content" | gpg --import-options show-only --import --with-colons |
+ grep -E '^pub:' |
+ cut -d':' -f2 |
+ grep -q '[fu]') && signed=yes || signed=no
+ if [ "$signed" = no -o "$imported" = no ] ; then
+ echo "The key for $key needs to be imported and signed (a local signature is enough)"
+ echo "$content" | gpg --import-options show-only --import
+ echo "Continue? [y/N]"
+ read y
+ if [ "$y" = "y" -o "$y" = "Y" ]; then
+ echo "$content" | gpg --import
+ gpg --expert --edit-key "$fpr" lsign quit
+ else
+ echo "Aborting"