users:werner:getrepokeys
Differences
This shows the differences between two versions.
users:werner:getrepokeys [2008-05-03 11:04] – shorter texts werner | users:werner:getrepokeys [2008-07-06 17:12] (current) – initialize OTHERKEYRING werner | ||
---|---|---|---|
Zeile 1: | Zeile 1: | ||
+ | ====== Importieren von GPG-Schlüsseln ====== | ||
+ | ===== Der Grund ===== | ||
+ | |||
+ | Am 2008-01-23 hat sich das openSUSE-Projekt entschieden, | ||
+ | |||
+ | Der openSUSE-Builder Bernhard Walle hat auf seiner Website unter | ||
+ | http:// | ||
+ | |||
+ | |||
+ | |||
+ | ===== Das Script ===== | ||
+ | |||
+ | <code bash> | ||
+ | #!/bin/bash | ||
+ | |||
+ | # new 2008-04-23: added switch between zypper and smart repositories | ||
+ | PARA=$(echo " | ||
+ | case " | ||
+ | z|zy|zyp|zypp|zyppe|zypper) | ||
+ | URLSOURCE=" | ||
+ | ;; | ||
+ | *) | ||
+ | URLSOURCE=" | ||
+ | ;; | ||
+ | esac | ||
+ | |||
+ | TEMPREPO="/ | ||
+ | TEMPKEY="/ | ||
+ | |||
+ | # the base URL we search on | ||
+ | # new: use more than one base URL for your repositories: | ||
+ | URLLIST=" | ||
+ | URLLIST=" | ||
+ | |||
+ | for SOS_URL in $URLLIST; do | ||
+ | echo " | ||
+ | SOS_LEN=$(expr length " | ||
+ | # only URLs containing $SOS_URL please: | ||
+ | if [ " | ||
+ | URLLIST=$(smart channel --show | grep ^baseurl | cut -d' ' -f3 | grep " | ||
+ | else | ||
+ | URLLIST=$(grep -r ^baseurl / | ||
+ | fi | ||
+ | |||
+ | for URL in $URLLIST; do | ||
+ | # make sure we have a trailing slash | ||
+ | echo " | ||
+ | |||
+ | # inside the directory should be a .repo file | ||
+ | # so we try to find its name | ||
+ | # substring handling is somewhat #+@%$&# in bash... | ||
+ | URLAST=${URL#" | ||
+ | URLAST=$(echo " | ||
+ | |||
+ | # ...finally... | ||
+ | rm -f " | ||
+ | wget -q " | ||
+ | # REPO file exists and is not zero sized? | ||
+ | if [ ! -f " | ||
+ | echo "Error getting REPO file for $URLAST from $URL" | ||
+ | continue | ||
+ | fi | ||
+ | |||
+ | # now we read the URL of the keyfile from the repo file | ||
+ | KEYURL=$(grep ^gpgkey " | ||
+ | if [ -z " | ||
+ | echo "No key for $URLAST detected" | ||
+ | continue | ||
+ | fi | ||
+ | |||
+ | # download it... | ||
+ | rm -f " | ||
+ | wget -q " | ||
+ | if [ ! -f " | ||
+ | echo "Error getting keyfile $KEYURL for $URLAST" | ||
+ | continue | ||
+ | fi | ||
+ | |||
+ | # identify it, maybe it is already there | ||
+ | KEYID=$(gpg " | ||
+ | # at first, we look inside the rpm database | ||
+ | RPMINSTALL=0 | ||
+ | LANG=C rpm -q " | ||
+ | # next, we look at the gpg keyring | ||
+ | GPGINSTALL=0 | ||
+ | gpg --list-keys " | ||
+ | # so, at the very end, import it - or not :-) | ||
+ | if [ $RPMINSTALL -eq 1 ]; then | ||
+ | echo -n " | ||
+ | rpm --import " | ||
+ | else | ||
+ | echo -n "Key $KEYID for $URLAST already in RPM database" | ||
+ | fi | ||
+ | if [ $GPGINSTALL -eq 1 ]; then | ||
+ | echo ", importing into GPG keyring now" | ||
+ | gpg --import " | ||
+ | else | ||
+ | echo " and present in GPG keyring" | ||
+ | fi | ||
+ | done | ||
+ | done | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ===== Hinweise ===== | ||
+ | |||
+ | Der Code hat den Vorteil, dass ein nicht vorhandener Key durch den temporären Key abgefangen wird und nicht wie bei bwalles Script zum Abbruch führt... | ||
+ | |||
+ | Dieses Script bearbeitet alle Repositories, | ||
+ | |||
+ | <code bash> | ||
+ | URLLIST=" | ||
+ | URLLIST=" | ||
+ | URLLIST=" | ||
+ | </ | ||
+ | |||
+ | usw. Gemäß den Regeln für for-Schleifen der Bash ;-) werden die Einträge in '' | ||
+ | |||
+ | **Achtung**: | ||
+ | |||
+ | Änderung 2008-04-19: die Keys werden jetzt parallel im GPG-Keyring installiert. Das weiß man zu schätzen, wenn man auch apt benutzt ;-) | ||
+ | |||
+ | Änderung 2008-04-23: wird ein Parameter mitgegeben, der eindeutig auf " | ||
+ | |||
+ | Diese Seite ist auch [[users: | ||
+ | |||
+ | **2008-06-22** Unter der kurzen, leicht zu merkenden URL | ||
+ | http:// | ||
+ | |||
+ | **2008-06-27** So, nach etlicher Beobachtung ;-) habe ich den Schluss des Codes etwas umgestaltet: | ||
+ | |||
+ | <code bash> | ||
+ | # identify it, maybe it is already there | ||
+ | KEYID=$(gpg " | ||
+ | INSTALLEDKEYS=$(LANG=C rpm -q " | ||
+ | RPMINSTALL=0 | ||
+ | echo $INSTALLEDKEYS | grep 'is not installed' | ||
+ | # look at PGP/GPG keys here | ||
+ | GPGINST1=0 | ||
+ | gpg --list-keys " | ||
+ | GPGINST2=0 | ||
+ | if [ -f " | ||
+ | gpg --list-keys --no-default-keyring --keyring " | ||
+ | else | ||
+ | GPGINST=5 | ||
+ | fi | ||
+ | # so, at the very end, import it - or not :-) | ||
+ | if [ $RPMINSTALL -eq 1 ]; then | ||
+ | echo -n " | ||
+ | rpm --import " | ||
+ | else | ||
+ | echo -n "Key $KEYID for $URLAST already in RPM database" | ||
+ | fi | ||
+ | if [ $GPGINST1 -eq 1 ]; then | ||
+ | echo -n ", importing into default GPG keyring now" | ||
+ | gpg --import " | ||
+ | else | ||
+ | echo -n " and present in default GPG keyring" | ||
+ | fi | ||
+ | if [ $GPGINST2 -eq 1 ]; then | ||
+ | echo ", importing into rpm keyring now." | ||
+ | gpg --no-options --no-default-keyring --keyring " | ||
+ | elif [ $GPGINST2 -ne 5 ]; then | ||
+ | echo ", present in rpm keyring." | ||
+ | else | ||
+ | echo " | ||
+ | fi | ||
+ | </ | ||
+ | |||
+ | Außenrum sind natürlich noch die beiden do...done-Schleifen! Und bitte nicht vergessen, am Scriptanfang die Variable '' | ||
+ | |||
+ | Damit werden die Keys in beide Keyrings gefüttert, sogar nachträglich. Und in einem der beiden nützen sie sogar :-) |
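
Review bot: The main script under "Das Script" imports a key without ever checking which key it is: the key URL is read from the freshly downloaded .repo file (`KEYURL=$(grep ^gpgkey`), fetched with `wget -q`, and handed to `rpm --import` and `gpg --import`, and the only step in between is looking up the key ID in the RPM database and the GPG keyring. Nothing in the visible lines compares the fingerprint with an expected value or asks for confirmation, so whoever answers those two downloads decides which key RPM will trust afterwards. Print the fingerprint and import only when it matches a value obtained out of band, or at least prompt before importing. A second point in the revised ending dated 2008-06-27: the branch taken when the keyring file does not exist assigns `GPGINST=5`, but the later test is `elif [ $GPGINST2 -ne 5 ]`, so `GPGINST2` keeps its initial 0, the missing keyring is reported as ", present in rpm keyring." and the final `else` branch can never run. Assign `GPGINST2=5` there.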