To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos-keygen
- browse files at revision 78
- compare with another revision
- download diff
- download tarball
- view history from revision 78
- Committer: Teddy Hogeborn
- Date: 2008-08-16 03:29:08 UTC
- Revision ID: teddy@fukt.bsnet.se-20080816032908-ihw7c05r2mnyk389
Add feature to specify custom environment variables for plugins.
* plugin-runner.c (plugin): New members "environ" and "envc" to
contain possible custom environment.
(getplugin): Return NULL on failure instead of doing exit(); all
callers changed.
(add_to_char_array): New helper function for "add_argument" and
"add_environment".
(addargument): Renamed to "add_argument". Return bool. Call
"add_to_char_array" to actually do things.
(add_environment): New; analogous to "add_argument".
(addcustomargument): Renamed to "add_to_argv" to avoid confusion
with "add_argument".
(main): New options "--global-envs" and "--envs-for" to specify
custom environment for plugins. Print environment for
plugins in debug mode. Use asprintf instead of strcpy and
strcat. Use execve() for plugins with custom environments.
Free environment for plugin when freeing plugin list.
* plugin-runner.c (plugin): New members "environ" and "envc" to
contain possible custom environment.
(getplugin): Return NULL on failure instead of doing exit(); all
callers changed.
(add_to_char_array): New helper function for "add_argument" and
"add_environment".
(addargument): Renamed to "add_argument". Return bool. Call
"add_to_char_array" to actually do things.
(add_environment): New; analogous to "add_argument".
(addcustomargument): Renamed to "add_to_argv" to avoid confusion
with "add_argument".
(main): New options "--global-envs" and "--envs-for" to specify
custom environment for plugins. Print environment for
plugins in debug mode. Use asprintf instead of strcpy and
strcat. Use execve() for plugins with custom environments.
Free environment for plugin when freeing plugin list.
- files added:
- initramfs-tools-hook-conf
- files removed:
- .bzr-builddeb
- debian
- debian/po
- debian/source
- debian/upstream
- network-hooks.d
- plugin-helpers
- files renamed:
- plugins.d/mandos-client.c => plugins.d/password-request.c
- plugins.d/mandos-client.xml => plugins.d/password-request.xml
- files modified:
- Makefile
added
removed
mandos-keygen
1
1
#!/bin/sh -e
2
2
#
3
# Mandos key generator - create new keys for a Mandos client
4
#
5
# Copyright © 2008-2018 Teddy Hogeborn
6
# Copyright © 2008-2018 Björn Påhlsson
7
#
8
# This file is part of Mandos.
9
#
10
# Mandos is free software: you can redistribute it and/or modify it
11
# under the terms of the GNU General Public License as published by
3
# Mandos key generator - create a new OpenPGP key for a Mandos client
4
#
5
# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
6
#
7
# This program is free software: you can redistribute it and/or modify
8
# it under the terms of the GNU General Public License as published by
12
9
# the Free Software Foundation, either version 3 of the License, or
13
10
# (at your option) any later version.
14
11
#
15
# Mandos is distributed in the hope that it will be useful, but
16
# WITHOUT ANY WARRANTY; without even the implied warranty of
12
# This program is distributed in the hope that it will be useful,
13
# but WITHOUT ANY WARRANTY; without even the implied warranty of
17
14
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18
15
# GNU General Public License for more details.
19
16
#
20
17
# You should have received a copy of the GNU General Public License
21
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
22
#
23
# Contact the authors at <mandos@recompile.se>.
24
#
25
26
VERSION="1.7.20"
27
28
KEYDIR="/etc/keys/mandos"
29
KEYTYPE=RSA
30
KEYLENGTH=4096
31
SUBKEYTYPE=RSA
32
SUBKEYLENGTH=4096
33
KEYNAME="`hostname --fqdn 2>/dev/null || hostname`"
18
# along with this program. If not, see <http://www.gnu.org/licenses/>.
19
#
20
# Contact the authors at <mandos@fukt.bsnet.se>.
21
#
22
23
VERSION="1.0"
24
25
KEYDIR="/etc/mandos"
26
KEYTYPE=DSA
27
KEYLENGTH=1024
28
KEYNAME="`hostname --fqdn`"
34
29
KEYEMAIL=""
35
KEYCOMMENT=""
30
KEYCOMMENT="Mandos client key"
36
31
KEYEXPIRE=0
37
TLS_KEYTYPE=ed25519
38
32
FORCE=no
39
SSH=yes
40
33
KEYCOMMENT_ORIG="$KEYCOMMENT"
41
mode=keygen
42
43
if [ ! -d "$KEYDIR" ]; then
44
KEYDIR="/etc/mandos/keys"
45
fi
46
34
47
35
# Parse options
48
TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \
49
--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \
36
TEMP=`getopt --options vhd:t:l:n:e:c:x:f \
37
--longoptions version,help,dir:,type:,length:,name:,email:,comment:,expire:,force \
50
38
--name "$0" -- "$@"`
51
39
52
40
help(){
53
basename="`basename "$0"`"
54
41
cat <<EOF
55
Usage: $basename [ -v | --version ]
56
$basename [ -h | --help ]
57
Key creation:
58
$basename [ OPTIONS ]
59
Encrypted password creation:
60
$basename { -p | --password } [ --name NAME ] [ --dir DIR]
61
$basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR]
42
Usage: `basename $0` [options]
62
43
63
Key creation options:
44
Options:
64
45
-v, --version Show program's version number and exit
65
46
-h, --help Show this help message and exit
66
47
-d DIR, --dir DIR Target directory for key files
67
-t TYPE, --type TYPE OpenPGP key type. Default is RSA.
48
-t TYPE, --type TYPE Key type. Default is DSA.
68
49
-l BITS, --length BITS
69
OpenPGP key length in bits. Default is 4096.
70
-s TYPE, --subtype TYPE
71
OpenPGP subkey type. Default is RSA.
72
-L BITS, --sublength BITS
73
OpenPGP subkey length in bits. Default 4096.
50
Key length in bits. Default is 1024.
74
51
-n NAME, --name NAME Name of key. Default is the FQDN.
75
-e ADDRESS, --email ADDRESS
76
Email address of OpenPGP key. Default empty.
77
-c TEXT, --comment TEXT
78
Comment field for OpenPGP key. Default empty.
52
-e EMAIL, --email EMAIL
53
Email address of key. Default is empty.
54
-c COMMENT, --comment COMMENT
55
Comment field for key. The default value is
56
"Mandos client key".
79
57
-x TIME, --expire TIME
80
OpenPGP key expire time. Default is none.
58
Key expire time. Default is no expiration.
81
59
See gpg(1) for syntax.
82
-T TYPE, --tls-keytype TYPE
83
TLS key type. Default is ed25519.
84
-f, --force Force overwriting old key files.
85
86
Password creation options:
87
-p, --password Create an encrypted password using the key in
88
the key directory. All options other than
89
--dir and --name are ignored.
90
-F FILE, --passfile FILE
91
Encrypt a password from FILE using the key in
92
the key directory. All options other than
93
--dir and --name are ignored.
94
-S, --no-ssh Don't get SSH key or set "checker" option.
60
-f, --force Force overwriting old keys.
95
61
EOF
96
62
}
97
63
98
64
eval set -- "$TEMP"
99
65
while :; do
100
66
case "$1" in
101
-p|--password) mode=password; shift;;
102
-F|--passfile) mode=password; PASSFILE="$2"; shift 2;;
103
67
-d|--dir) KEYDIR="$2"; shift 2;;
104
68
-t|--type) KEYTYPE="$2"; shift 2;;
105
-s|--subtype) SUBKEYTYPE="$2"; shift 2;;
106
69
-l|--length) KEYLENGTH="$2"; shift 2;;
107
-L|--sublength) SUBKEYLENGTH="$2"; shift 2;;
108
70
-n|--name) KEYNAME="$2"; shift 2;;
109
71
-e|--email) KEYEMAIL="$2"; shift 2;;
110
72
-c|--comment) KEYCOMMENT="$2"; shift 2;;
111
-x|--expire) KEYEXPIRE="$2"; shift 2;;
112
-T|--tls-keytype) TLS_KEYTYPE="$2"; shift 2;;
73
-x|--expire) KEYCOMMENT="$2"; shift 2;;
113
74
-f|--force) FORCE=yes; shift;;
114
-S|--no-ssh) SSH=no; shift;;
115
75
-v|--version) echo "$0 $VERSION"; exit;;
116
76
-h|--help) help; exit;;
117
77
--) shift; break;;
119
79
esac
120
80
done
121
81
if [ "$#" -gt 0 ]; then
122
echo "Unknown arguments: '$*'" >&2
82
echo "Unknown arguments: '$@'" >&2
123
83
exit 1
124
84
fi
125
85
126
86
SECKEYFILE="$KEYDIR/seckey.txt"
127
87
PUBKEYFILE="$KEYDIR/pubkey.txt"
128
TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem"
129
TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem"
130
88
131
89
# Check for some invalid values
132
if [ ! -d "$KEYDIR" ]; then
90
if [ -d "$KEYDIR" ]; then :; else
133
91
echo "$KEYDIR not a directory" >&2
134
92
exit 1
135
93
fi
136
if [ ! -r "$KEYDIR" ]; then
137
echo "Directory $KEYDIR not readable" >&2
138
exit 1
139
fi
140
141
if [ "$mode" = keygen ]; then
142
if [ ! -w "$KEYDIR" ]; then
143
echo "Directory $KEYDIR not writeable" >&2
144
exit 1
145
fi
146
if [ -z "$KEYTYPE" ]; then
147
echo "Empty key type" >&2
148
exit 1
149
fi
150
151
if [ -z "$KEYNAME" ]; then
152
echo "Empty key name" >&2
153
exit 1
154
fi
155
156
if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then
157
echo "Invalid key length" >&2
158
exit 1
159
fi
160
161
if [ -z "$KEYEXPIRE" ]; then
162
echo "Empty key expiration" >&2
163
exit 1
164
fi
165
166
# Make FORCE be 0 or 1
167
case "$FORCE" in
168
[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;
169
[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;
170
esac
171
172
if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \
173
|| [ -e "$TLS_PRIVKEYFILE" ] \
174
|| [ -e "$TLS_PUBKEYFILE" ]; } \
175
&& [ "$FORCE" -eq 0 ]; then
176
echo "Refusing to overwrite old key files; use --force" >&2
177
exit 1
178
fi
179
180
# Set lines for GnuPG batch file
181
if [ -n "$KEYCOMMENT" ]; then
182
KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"
183
fi
184
if [ -n "$KEYEMAIL" ]; then
185
KEYEMAILLINE="Name-Email: $KEYEMAIL"
186
fi
187
188
# Create temporary gpg batch file
189
BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"
190
fi
191
192
if [ "$mode" = password ]; then
193
# Create temporary encrypted password file
194
SECFILE="`mktemp -t mandos-keygen-secfile.XXXXXXXXXX`"
195
fi
196
197
# Create temporary key ring directory
198
RINGDIR="`mktemp -d -t mandos-keygen-keyrings.XXXXXXXXXX`"
94
if [ -w "$KEYDIR" ]; then :; else
95
echo "Directory $KEYDIR not writeable" >&2
96
exit 1
97
fi
98
99
if [ -z "$KEYTYPE" ]; then
100
echo "Empty key type" >&2
101
exit 1
102
fi
103
104
if [ -z "$KEYNAME" ]; then
105
echo "Empty key name" >&2
106
exit 1
107
fi
108
109
if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then
110
echo "Invalid key length" >&2
111
exit 1
112
fi
113
114
if [ -z "$KEYEXPIRE" ]; then
115
echo "Empty key expiration" >&2
116
exit 1
117
fi
118
119
# Make FORCE be 0 or 1
120
case "$FORCE" in
121
[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;
122
[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;
123
esac
124
125
if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ]; } \
126
&& [ "$FORCE" -eq 0 ]; then
127
echo "Refusing to overwrite old key files; use --force" >&2
128
exit 1
129
fi
130
131
# Set lines for GnuPG batch file
132
if [ -n "$KEYCOMMENT" ]; then
133
KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"
134
fi
135
if [ -n "$KEYEMAIL" ]; then
136
KEYEMAILLINE="Name-Email: $KEYEMAIL"
137
fi
138
139
# Create temp files
140
BATCHFILE="`mktemp -t mandos-gpg-batch.XXXXXXXXXX`"
141
SECRING="`mktemp -t mandos-gpg-secring.XXXXXXXXXX`"
142
PUBRING="`mktemp -t mandos-gpg-pubring.XXXXXXXXXX`"
199
143
200
144
# Remove temporary files on exit
201
trap "
202
set +e; \
203
test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \
204
shred --remove \"$RINGDIR\"/sec* 2>/dev/null;
205
test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \
206
rm --recursive --force \"$RINGDIR\";
207
tty --quiet && stty echo; \
208
" EXIT
209
210
set -e
211
212
umask 077
213
214
if [ "$mode" = keygen ]; then
215
# Create batch file for GnuPG
216
cat >"$BATCHFILE" <<-EOF
217
Key-Type: $KEYTYPE
218
Key-Length: $KEYLENGTH
219
Key-Usage: sign,auth
220
Subkey-Type: $SUBKEYTYPE
221
Subkey-Length: $SUBKEYLENGTH
222
Subkey-Usage: encrypt
223
Name-Real: $KEYNAME
224
$KEYCOMMENTLINE
225
$KEYEMAILLINE
226
Expire-Date: $KEYEXPIRE
227
#Preferences: <string>
228
#Handle: <no-spaces>
229
#%pubring pubring.gpg
230
#%secring secring.gpg
231
%no-protection
232
%commit
233
EOF
234
235
if tty --quiet; then
236
cat <<-EOF
237
Note: Due to entropy requirements, key generation could take
238
anything from a few minutes to SEVERAL HOURS. Please be
239
patient and/or supply the system with more entropy if needed.
240
EOF
241
echo -n "Started: "
242
date
243
fi
244
245
# Backup any old key files
246
if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \
247
2>/dev/null; then
248
shred --remove "$TLS_PRIVKEYFILE"
249
fi
250
if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \
251
2>/dev/null; then
252
rm --force "$TLS_PUBKEYFILE"
253
fi
254
255
## Generate TLS private key
256
257
# First try certtool from GnuTLS
258
if ! certtool --generate-privkey --password='' \
259
--outfile "$TLS_PRIVKEYFILE" --sec-param ultra \
260
--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then
261
# Otherwise try OpenSSL
262
if ! openssl genpkey -algorithm X25519 -out \
263
/etc/keys/mandos/tls-privkey.pem; then
264
rm --force /etc/keys/mandos/tls-privkey.pem
265
# None of the commands succeded; give up
266
return 1
267
fi
268
fi
269
270
## TLS public key
271
272
# First try certtool from GnuTLS
273
if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \
274
--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \
275
2>/dev/null; then
276
# Otherwise try OpenSSL
277
if ! openssl pkey -in "$TLS_PRIVKEYFILE" \
278
-out "$TLS_PUBKEYFILE" -pubout; then
279
rm --force "$TLS_PUBKEYFILE"
280
# None of the commands succeded; give up
281
return 1
282
fi
283
fi
284
285
# Make sure trustdb.gpg exists;
286
# this is a workaround for Debian bug #737128
287
gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
288
--homedir "$RINGDIR" \
289
--import-ownertrust < /dev/null
290
# Generate a new key in the key rings
291
gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
292
--homedir "$RINGDIR" --trust-model always \
293
--gen-key "$BATCHFILE"
294
rm --force "$BATCHFILE"
295
296
if tty --quiet; then
297
echo -n "Finished: "
298
date
299
fi
300
301
# Backup any old key files
302
if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \
303
2>/dev/null; then
304
shred --remove "$SECKEYFILE"
305
fi
306
if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \
307
2>/dev/null; then
308
rm --force "$PUBKEYFILE"
309
fi
310
311
FILECOMMENT="Mandos client key for $KEYNAME"
312
if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then
313
FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"
314
fi
315
316
if [ -n "$KEYEMAIL" ]; then
317
FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"
318
fi
319
320
# Export key from key rings to key files
321
gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
322
--homedir "$RINGDIR" --armor --export-options export-minimal \
323
--comment "$FILECOMMENT" --output "$SECKEYFILE" \
324
--export-secret-keys
325
gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
326
--homedir "$RINGDIR" --armor --export-options export-minimal \
327
--comment "$FILECOMMENT" --output "$PUBKEYFILE" --export
328
fi
329
330
if [ "$mode" = password ]; then
331
332
# Make SSH be 0 or 1
333
case "$SSH" in
334
[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;
335
[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;
336
esac
337
338
if [ $SSH -eq 1 ]; then
339
for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do
340
set +e
341
ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`"
342
err=$?
343
set -e
344
if [ $err -ne 0 ]; then
345
ssh_fingerprint=""
346
continue
347
fi
348
if [ -n "$ssh_fingerprint" ]; then
349
ssh_fingerprint="${ssh_fingerprint#localhost }"
350
break
351
fi
352
done
353
fi
354
355
# Import key into temporary key rings
356
gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
357
--homedir "$RINGDIR" --trust-model always --armor \
358
--import "$SECKEYFILE"
359
gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
360
--homedir "$RINGDIR" --trust-model always --armor \
361
--import "$PUBKEYFILE"
362
363
# Get fingerprint of key
364
FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \
365
--enable-dsa2 --homedir "$RINGDIR" --trust-model always \
366
--fingerprint --with-colons \
367
| sed --quiet \
368
--expression='/^fpr:/{s/^fpr:.*:\\([0-9A-Z]*\\):\$/\\1/p;q}'`"
369
370
test -n "$FINGERPRINT"
371
372
KEY_ID="$(certtool --key-id --hash=sha256 \
373
--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"
374
375
if [ -z "$KEY_ID" ]; then
376
KEY_ID=$(openssl pkey -pubin -in /tmp/tls-pubkey.pem \
377
-outform der \
378
| openssl sha256 \
379
| sed --expression='s/^.*[^[:xdigit:]]//')
380
fi
381
test -n "$KEY_ID"
382
383
FILECOMMENT="Encrypted password for a Mandos client"
384
385
while [ ! -s "$SECFILE" ]; do
386
if [ -n "$PASSFILE" ]; then
387
cat "$PASSFILE"
388
else
389
tty --quiet && stty -echo
390
echo -n "Enter passphrase: " >/dev/tty
391
read -r first
392
tty --quiet && echo >&2
393
echo -n "Repeat passphrase: " >/dev/tty
394
read -r second
395
if tty --quiet; then
396
echo >&2
397
stty echo
398
fi
399
if [ "$first" != "$second" ]; then
400
echo "Passphrase mismatch" >&2
401
touch "$RINGDIR"/mismatch
402
else
403
echo -n "$first"
404
fi
405
fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
406
--homedir "$RINGDIR" --trust-model always --armor \
407
--encrypt --sign --recipient "$FINGERPRINT" --comment \
408
"$FILECOMMENT" > "$SECFILE"
409
if [ -e "$RINGDIR"/mismatch ]; then
410
rm --force "$RINGDIR"/mismatch
411
if tty --quiet; then
412
> "$SECFILE"
413
else
414
exit 1
415
fi
416
fi
417
done
418
419
cat <<-EOF
420
[$KEYNAME]
421
host = $KEYNAME
422
key_id = $KEY_ID
423
fingerprint = $FINGERPRINT
424
secret =
425
EOF
426
sed --quiet --expression='
427
/^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{
428
/^$/,${
429
# Remove 24-bit Radix-64 checksum
430
s/=....$//
431
# Indent four spaces
432
/^[^-]/s/^/ /p
433
}
434
}' < "$SECFILE"
435
if [ -n "$ssh_fingerprint" ]; then
436
echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"'
437
echo "ssh_fingerprint = ${ssh_fingerprint}"
438
fi
439
fi
145
trap "rm --force $PUBRING $BATCHFILE; shred --remove $SECRING" EXIT
146
147
# Create batch file for GnuPG
148
cat >"$BATCHFILE" <<EOF
149
Key-Type: $KEYTYPE
150
Key-Length: $KEYLENGTH
151
#Key-Usage: encrypt,sign,auth
152
Name-Real: $KEYNAME
153
$KEYCOMMENTLINE
154
$KEYEMAILLINE
155
Expire-Date: $KEYEXPIRE
156
%pubring $PUBRING
157
%secring $SECRING
158
%commit
159
EOF
160
161
umask 027
162
163
# Generate a new key in the key rings
164
gpg --no-random-seed-file --quiet --batch --no-tty \
165
--no-default-keyring --no-options --batch \
166
--secret-keyring "$SECRING" --keyring "$PUBRING" \
167
--gen-key "$BATCHFILE"
168
rm --force "$BATCHFILE"
169
170
# Backup any old key files
171
if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \
172
2>/dev/null; then
173
shred --remove "$SECKEYFILE"
174
fi
175
if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \
176
2>/dev/null; then
177
rm --force "$PUBKEYFILE"
178
fi
179
180
FILECOMMENT="Mandos client key for $KEYNAME"
181
if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then
182
FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"
183
fi
184
185
if [ -n "$KEYEMAIL" ]; then
186
FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"
187
fi
188
189
# Export keys from key rings to key files
190
gpg --no-random-seed-file --quiet --batch --no-tty --armor \
191
--no-default-keyring --secret-keyring "$SECRING" \
192
--keyring "$PUBRING" --export-options export-minimal \
193
--comment "$FILECOMMENT" --output "$SECKEYFILE" \
194
--export-secret-keys
195
gpg --no-random-seed-file --quiet --batch --no-tty --armor \
196
--no-default-keyring --secret-keyring "$SECRING" \
197
--keyring "$PUBRING" --export-options export-minimal \
198
--comment "$FILECOMMENT" --output "$PUBKEYFILE" \
199
--export
440
200
441
201
trap - EXIT
442
202
443
set +e
444
# Remove the password file, if any
445
if [ -n "$SECFILE" ]; then
446
shred --remove "$SECFILE"
447
fi
448
203
# Remove the key rings
449
shred --remove "$RINGDIR"/sec* 2>/dev/null
450
rm --recursive --force "$RINGDIR"
204
shred --remove "$SECRING"
205
rm --force "$PUBRING"
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0