commit 419b0bef89047450a88292ea34bb8ef1e746bbea Author: Nicolas Vigier <boklm@torproject.org> Date: Mon Jul 1 16:02:54 2019 +0200 Bug 30549: Add script to remove expired and revoked sub-keys from a keyring file The tools/keyring/drop-expired-sub-keys script can be used to drop all expired and revoked sub-keys from a keyring. We also add the script tools/keyring/list-all-keyrings which can be used to list all the keys included in all the keyring files, to make it easier to review if any key needs to be removed. --- tools/keyring/README | 29 +++++++++++++++++++++++++++++ tools/keyring/drop-expired-sub-keys | 22 ++++++++++++++++++++++ tools/keyring/list-all-keyrings | 10 ++++++++++ 3 files changed, 61 insertions(+) diff --git a/tools/keyring/README b/tools/keyring/README new file mode 100644 index 0000000..ffbb2a8 --- /dev/null +++ b/tools/keyring/README @@ -0,0 +1,29 @@ +The keyring/ directory contains some gpg keyring files that we use +during the build to verify gpg signatures on downloaded files, or git +tags. In order to be able to continue to use a git tag even after the +key or sub-key that signed it expired (which is common when one is +rotating sub-keys frequently), we configured gpg to ignore key expirations +when verifying git tag signatures. However this also means that we should +make sure that our keyring files do not contain expired keys or subkeys +that are not supposed to be used anymore. + +This directory contains some scripts that can help clean the keyring +files. + +The complete process for cleaning keyring files starts with: + + - Run `list-all-keyrings` to see if we include any expired key or sub-key. + +Then for each expired key or sub-key: + + - Check if the expiration is expected, and do nothing in that case. + + - Check if the owner of that key or sub-key extended it, and in that + case add the updated key or sub-key. + + - If a key is not needed anymore (but other keys in the keyring are + still needed), remove it with `gpg --delete-keys <key>`. + + - If a sub-key is not needed anymore, but the main key still contains + at least one other valid sub-key, use `drop-expired-sub-keys` to + remove the expired sub-key. diff --git a/tools/keyring/drop-expired-sub-keys b/tools/keyring/drop-expired-sub-keys new file mode 100755 index 0000000..e7bbe50 --- /dev/null +++ b/tools/keyring/drop-expired-sub-keys @@ -0,0 +1,22 @@ +#!/bin/bash + +# Drop expired and revoked sub-keys from a keyring file +# +# usage: drop-expired-sub-keys <keyring-file> +# +# Note: this script only handles the case where all expired and revoked +# sub-keys should be removed, so it cannot be used in the cases where +# some of the expired sub-keys need to be kept. It is also only handling +# one small part of the process to clean the keyring files and is not +# supposed to be run on all keyring files. +# +# See the README file for the complete process for cleaning keyring files. + +set -e +keyring="$1" +test -f "$keyring" +tmpfile=$(mktemp) +gpg --no-auto-check-trustdb --no-default-keyring --keyring "$keyring" --armor --export-options export-clean --export-filter 'drop-subkey=expired -t || revoked -t' --export > "$tmpfile" +rm -f "$keyring" +gpg --no-auto-check-trustdb --trust-model always --no-default-keyring --keyring "$keyring" --import "$tmpfile" +rm -f "$tmpfile" diff --git a/tools/keyring/list-all-keyrings b/tools/keyring/list-all-keyrings new file mode 100755 index 0000000..2d053c4 --- /dev/null +++ b/tools/keyring/list-all-keyrings @@ -0,0 +1,10 @@ +#!/bin/sh + +# List all keys included in our keyring files, including expired sub-keys. + +set -e +cd $(dirname "$0")/../.. +for keyring in ./keyring/*.gpg +do + gpg --no-auto-check-trustdb --list-options show-unusable-subkeys,show-keyring --no-default-keyring --list-keys --keyring "$keyring" +done