init
65
scripts/gen-gpg-key.sh
Executable file
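--- a/scripts/gen-gpg-key.sh
+++ b/scripts/gen-gpg-key.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+# gen-gpg-key.sh — Generate a passwordless GPG key and export to overlay/.
+# Run this BEFORE alpine-make-vm-image on the build host.
+set -eu
+
+KEY_FILE="./bot-gpg-key.asc"
+KEY_NAME=${KEY_NAME:-"VM Builder"}
+KEY_EMAIL=${KEY_EMAIL:-"builder@localhost"}
+echo "Gnerating GPG key on behalf of $KEY_NAME ($KEY_EMAIL)"
+if ! command -v gpg >/dev/null 2>&1; then
+echo "ERROR: gpg (gnupg) is required on the build host" >&2
+exit 1
+fi
+
+# Use an isolated temporary GNUPGHOME so the host keyring is never touched.
+GNUPGHOME="$(mktemp -d /tmp/gpg-tmphome.XXXXXX)"
+export GNUPGHOME
+cleanup_home() { rm -rf "$GNUPGHOME"; }
+trap cleanup_home EXIT
+
+# Ensure the target directory exists
+mkdir -p "$(dirname "$KEY_FILE")"
+
+# Only generate if the key file doesn't already exist
+if [ -f "$KEY_FILE" ]; then
+echo "GPG key already exists: $KEY_FILE"
+echo "Remove it first if you want to regenerate."
+exit 0
+fi
+
+echo "=== Generating passwordless RSA 4096 GPG key ==="
+
+# Create a batch specification for unattended key generation.
+# %no-protection means no passphrase.
+BATCH_FILE="$(mktemp /tmp/gpg-batch.XXXXXX)"
+cat > "$BATCH_FILE" <<'GPGBATCH'
+%echo Generating RSA 4096 key...
+Key-Type: RSA
+Key-Length: 4096
+Subkey-Type: RSA
+Subkey-Length: 4096
+Name-Real: KEY_NAME
+Name-Email: KEY_EMAIL
+Expire-Date: 0
+%no-protection
+%commit
+%echo Done
+GPGBATCH
+
+sed -i "s/KEY_NAME/$KEY_NAME/g" "$BATCH_FILE"
+sed -i "s/KEY_EMAIL/$KEY_EMAIL/g" "$BATCH_FILE"
+
+gpg --batch --yes --pinentry-mode loopback --generate-key "$BATCH_FILE"
+rm -f "$BATCH_FILE"
+
+echo ""
+echo "=== Exporting secret key to $KEY_FILE ==="
+
+gpg --batch --yes --pinentry-mode loopback --export-secret-keys --armor "$KEY_EMAIL" > "$KEY_FILE"
+
+# Also export just the public key for reference
+gpg --batch --yes --pinentry-mode loopback --export --armor "$KEY_EMAIL" > "./bot-gpg-pubkey.asc"
+
+# Print fingerprint
+gpg --batch --fingerprint "$KEY_EMAIL" || true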
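Review bot: The passwordless secret key is written by a bare redirect, `--export-secret-keys --armor "$KEY_EMAIL" > "$KEY_FILE"`, so the file is created under the caller's umask (commonly 0644) and the unprotected private key sits world-readable on the build host; put `umask 077` before that export so the key file is created 0600. The two `sed -i` lines splice KEY_NAME and KEY_EMAIL, both taken from the environment, straight into a sed program, so a `/`, `&` or `\` in a name breaks the substitution or rewrites other lines; since the batch file is already generated inline, `cat > "$BATCH_FILE" <<GPGBATCH` (unquoted) with `Name-Real: $KEY_NAME` and `Name-Email: $KEY_EMAIL` drops the sed step entirely (and `sed -i` is not portable under `#!/bin/sh`). A failed export also leaves a truncated `$KEY_FILE` behind, which the `[ -f "$KEY_FILE" ]` guard then treats as a finished key on the next run; exporting to a temp file and moving it into place, or removing the target on failure, avoids that. Minor: the header comment says the key is exported to `overlay/` while `KEY_FILE` is `./bot-gpg-key.asc`, and `echo "Gnerating ..."` has a typo.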