[tor-commits] [tor-browser-build/master] Bug 30549: Add script to remove expired and revoked sub-keys from a keyring file

Mon Jul 1 15:29:12 UTC 2019

commit 419b0bef89047450a88292ea34bb8ef1e746bbea
Author: Nicolas Vigier <boklm at torproject.org>
Date:   Mon Jul 1 16:02:54 2019 +0200

    Bug 30549: Add script to remove expired and revoked sub-keys from a keyring file
    
    The tools/keyring/drop-expired-sub-keys script can be used to drop all
    expired and revoked sub-keys from a keyring.
    
    We also add the script tools/keyring/list-all-keyrings which can be used
    to list all the keys included in all the keyring files, to make it
    easier to review if any key needs to be removed.
---
 tools/keyring/README                | 29 +++++++++++++++++++++++++++++
 tools/keyring/drop-expired-sub-keys | 22 ++++++++++++++++++++++
 tools/keyring/list-all-keyrings     | 10 ++++++++++
 3 files changed, 61 insertions(+)

diff --git a/tools/keyring/README b/tools/keyring/README
new file mode 100644
index 0000000..ffbb2a8
--- /dev/null
+++ b/tools/keyring/README
@@ -0,0 +1,29 @@
+The keyring/ directory contains some gpg keyring files that we use
+during the build to verify gpg signatures on downloaded files, or git
+tags. In order to be able to continue to use a git tag even after the
+key or sub-key that signed it expired (which is common when one is
+rotating sub-keys frequently), we configured gpg to ignore key expirations
+when verifying git tag signatures. However this also means that we should
+make sure that our keyring files do not contain expired keys or subkeys
+that are not supposed to be used anymore.
+
+This directory contains some scripts that can help clean the keyring
+files.
+
+The complete process for cleaning keyring files starts with:
+
+ - Run `list-all-keyrings` to see if we include any expired key or sub-key.
+
+Then for each expired key or sub-key:
+
+ - Check if the expiration is expected, and do nothing in that case.
+
+ - Check if the owner of that key or sub-key extended it, and in that
+   case add the updated key or sub-key.
+
+ - If a key is not needed anymore (but other keys in the keyring are
+   still needed), remove it with `gpg --delete-keys <key>`.
+
+ - If a sub-key is not needed anymore, but the main key still contains
+   at least one other valid sub-key, use `drop-expired-sub-keys` to
+   remove the expired sub-key.
diff --git a/tools/keyring/drop-expired-sub-keys b/tools/keyring/drop-expired-sub-keys
new file mode 100755
index 0000000..e7bbe50
--- /dev/null
+++ b/tools/keyring/drop-expired-sub-keys
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Drop expired and revoked sub-keys from a keyring file
+#
+# usage: drop-expired-sub-keys <keyring-file>
+#
+# Note: this script only handles the case where all expired and revoked
+# sub-keys should be removed, so it cannot be used in the cases where
+# some of the expired sub-keys need to be kept. It is also only handling
+# one small part of the process to clean the keyring files and is not
+# supposed to be run on all keyring files.
+#
+# See the README file for the complete process for cleaning keyring files.
+
+set -e
+keyring="$1"
+test -f "$keyring"
+tmpfile=$(mktemp)
+gpg --no-auto-check-trustdb --no-default-keyring --keyring "$keyring" --armor --export-options export-clean --export-filter 'drop-subkey=expired -t || revoked -t' --export > "$tmpfile"
+rm -f "$keyring"
+gpg --no-auto-check-trustdb --trust-model always --no-default-keyring --keyring "$keyring" --import "$tmpfile"
+rm -f "$tmpfile"
diff --git a/tools/keyring/list-all-keyrings b/tools/keyring/list-all-keyrings
new file mode 100755
index 0000000..2d053c4
--- /dev/null
+++ b/tools/keyring/list-all-keyrings
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# List all keys included in our keyring files, including expired sub-keys.
+
+set -e
+cd $(dirname "$0")/../..
+for keyring in ./keyring/*.gpg
+do
+    gpg --no-auto-check-trustdb --list-options show-unusable-subkeys,show-keyring --no-default-keyring --list-keys --keyring "$keyring"
+done

