bearnet/scripts/gen-gpg-key.sh

#!/bin/sh
# gen-gpg-key.sh — Generate a passwordless GPG key and export to overlay/.
# Run this BEFORE alpine-make-vm-image on the build host.
set -eu

KEY_FILE="./bot-gpg-key.asc"
KEY_NAME=${KEY_NAME:-"VM Builder"}
KEY_EMAIL=${KEY_EMAIL:-"builder@localhost"}
echo "Gnerating GPG key on behalf of $KEY_NAME ($KEY_EMAIL)"
if ! command -v gpg >/dev/null 2>&1; then
	echo "ERROR: gpg (gnupg) is required on the build host" >&2
	exit 1
fi

# Use an isolated temporary GNUPGHOME so the host keyring is never touched.
GNUPGHOME="$(mktemp -d /tmp/gpg-tmphome.XXXXXX)"
export GNUPGHOME
cleanup_home() { rm -rf "$GNUPGHOME"; }
trap cleanup_home EXIT

# Ensure the target directory exists
mkdir -p "$(dirname "$KEY_FILE")"

# Only generate if the key file doesn't already exist
if [ -f "$KEY_FILE" ]; then
	echo "GPG key already exists: $KEY_FILE"
	echo "Remove it first if you want to regenerate."
	exit 0
fi

echo "=== Generating passwordless RSA 4096 GPG key ==="

# Create a batch specification for unattended key generation.
# %no-protection means no passphrase.
BATCH_FILE="$(mktemp /tmp/gpg-batch.XXXXXX)"
cat > "$BATCH_FILE" <<'GPGBATCH'
%echo Generating RSA 4096 key...
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: KEY_NAME
Name-Email: KEY_EMAIL
Expire-Date: 0
%no-protection
%commit
%echo Done
GPGBATCH

sed -i "s/KEY_NAME/$KEY_NAME/g" "$BATCH_FILE"
sed -i "s/KEY_EMAIL/$KEY_EMAIL/g" "$BATCH_FILE"

gpg --batch --yes --pinentry-mode loopback --generate-key "$BATCH_FILE"
rm -f "$BATCH_FILE"

echo ""
echo "=== Exporting secret key to $KEY_FILE ==="

gpg --batch --yes --pinentry-mode loopback --export-secret-keys --armor "$KEY_EMAIL" > "$KEY_FILE"

# Also export just the public key for reference
gpg --batch --yes --pinentry-mode loopback --export --armor "$KEY_EMAIL" > "./bot-gpg-pubkey.asc"

# Print fingerprint
gpg --batch --fingerprint "$KEY_EMAIL" || true