Refactor secrets handling

1 files changed, 5 insertions, 7 deletions

diff --git a/nixops/scripts/setup b/nixops/scripts/setup
index 9bdb8df..db0f353 100755
--- a/nixops/scripts/setup
+++ b/nixops/scripts/setup
@@ -44,23 +44,21 @@ if [ "$(git config --get include.path)" != "../.gitconfig" ]; then
   fi
 fi
 
-gpg_keys=$(pass ls Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
-for key in $gpg_keys; do
-  content=$(pass show Nixops/GPGKeys/$key)
-  fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5)
+for key in public_keys/*; do
+  fpr=$(cat "$key" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5)
   gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no
   # /usr/share/doc/gnupg/DETAILS field 2
-  (echo "$content" | gpg --import-options show-only --import --with-colons |
+  (cat "$key" | gpg --import-options show-only --import --with-colons |
       grep -E '^pub:' |
       cut -d':' -f2 |
       grep -q '[fu]') && signed=yes || signed=no
   if [ "$signed" = no -o "$imported" = no ] ; then
     echo "The key for $key needs to be imported and signed (a local signature is enough)"
-    echo "$content" | gpg --import-options show-only --import
+    cat "$key" | gpg --import-options show-only --import
     echo "Continue? [y/N]"
     read y
     if [ "$y" = "y" -o "$y" = "Y" ]; then
-      echo "$content" | gpg --import
+      cat "$key" | gpg --import
       gpg --expert --edit-key "$fpr" lsign quit
     else
       echo "Aborting"