cloudbase/gen-gpg-key.sh

#!/bin/sh
# gen-gpg-key.sh — Generate a passwordless GPG key and export to overlay/.
# Run this BEFORE alpine-make-vm-image on the build host.
set -eu

OVERLAY_DIR="$(dirname "$0")/overlay"
KEY_FILE="$OVERLAY_DIR/root/gpg-key.asc"
KEY_NAME="VM Builder"
KEY_EMAIL="builder@localhost"

if ! command -v gpg >/dev/null 2>&1; then
	echo "ERROR: gpg (gnupg) is required on the build host" >&2
	exit 1
fi

# Ensure the target directory exists
mkdir -p "$(dirname "$KEY_FILE")"

# Only generate if the key file doesn't already exist
if [ -f "$KEY_FILE" ]; then
	echo "GPG key already exists: $KEY_FILE"
	echo "Remove it first if you want to regenerate."
	exit 0
fi

echo "=== Generating passwordless RSA 4096 GPG key ==="

# Create a batch specification for unattended key generation.
# %no-protection means no passphrase.
BATCH_FILE="$(mktemp /tmp/gpg-batch.XXXXXX)"
cat > "$BATCH_FILE" <<'GPGBATCH'
%echo Generating RSA 4096 key...
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: VM Builder
Name-Email: builder@localhost
Expire-Date: 0
%no-protection
%commit
%echo Done
GPGBATCH

gpg --batch --yes --pinentry-mode loopback --generate-key "$BATCH_FILE"
rm -f "$BATCH_FILE"

echo ""
echo "=== Exporting secret key to $KEY_FILE ==="

gpg --batch --yes --pinentry-mode loopback --export-secret-keys --armor "$KEY_EMAIL" > "$KEY_FILE"

# Also export just the public key for reference
gpg --batch --yes --pinentry-mode loopback --export --armor "$KEY_EMAIL" > "$OVERLAY_DIR/root/gpg-pubkey.asc"

echo ""
echo "=== GPG key generated ==="
echo "Public key : $OVERLAY_DIR/root/gpg-pubkey.asc"
echo "Secret key : $KEY_FILE"
echo ""

# Print fingerprint
gpg --batch --fingerprint "$KEY_EMAIL" || true