Add GPG keys importing from password store

1 files changed, 26 insertions, 1 deletions

diff --git a/nixops/scripts/setup b/nixops/scripts/setup
index 38cee65..81ba8aa 100755
--- a/nixops/scripts/setup
+++ b/nixops/scripts/setup
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-set -euxo pipefail
+set -euo pipefail
 
 RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites"
 DeploymentUuid="cef694f3-081d-11e9-b31f-0242ec186adf"
@@ -52,6 +52,31 @@ if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then
   fi
 fi
 
+gpg_keys=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
+for key in $gpg_keys; do
+  content=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys/$key)
+  fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5)
+  gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no
+  # /usr/share/doc/gnupg/DETAILS field 2
+  (echo "$content" | gpg --import-options show-only --import --with-colons |
+      grep -E '^pub:' |
+      cut -d':' -f2 |
+      grep -q '[fu]') && signed=yes || signed=no
+  if [ "$signed" = no -o "$imported" = no ] ; then
+    echo "The key for $key needs to be imported and signed (a local signature is enough)"
+    echo "$content" | gpg --import-options show-only --import
+    echo "Continue? [y/N]"
+    read y
+    if [ "$y" = "y" -o "$y" = "Y" ]; then
+      echo "$content" | gpg --import
+      gpg --expert --edit-key "$fpr" lsign quit
+    else
+      echo "Aborting"
+      exit 1
+    fi
+  fi
+done
+
 nix_group=$(stat -c %G /nix/store)
 if [ "$nix_group" = "nixbld" ]; then
   nix_user="nixbld1"