mirror of
https://github.com/Dasharo/heads.git
synced 2026-06-13 10:16:29 -07:00
ebdde47af9
Introduces a maintainable structure for keeping distro signing keys under initrd/etc/distro/keys/ up to date: bin/update_distro_signing_key/lib/helper.sh -- shared logic bin/update_distro_signing_key/tails.sh -- Tails bin/update_distro_signing_key/archlinux.sh -- Arch Linux bin/update_distro_signing_key/qubes.sh -- Qubes OS 4.2/4.3/weekly bin/update_distro_signing_keys.sh -- meta: runs all scripts The meta script auto-discovers all *.sh in update_distro_signing_key/; adding a new distro only requires adding one script there. Exit codes of the meta script: 0 all keys up to date, no action needed 1 one or more keys changed (review with git diff, then commit) 2 one or more per-distro scripts failed (download/import error) The helper normalizes each key with: --export-options export-minimal,export-clean --export-filter drop-subkey=expired -gt 0 || usage !~ s Only the primary key and non-expired signing subkeys are kept -- no encryption, authentication, or expired subkeys. The helper also reports primary key expiry with days remaining, and emits a color-coded warning (yellow) when expiry is within 365 days (one full release cycle) or red if already expired -- so rotations are caught before they ship in a release and break users in the field. All gpg calls use --batch to prevent interactive prompts in CI. git diff uses -C flag to avoid cd side-effects. qubes.sh propagates the highest exit code across all three key updates. GPG work is done in a mktemp directory wiped via trap on EXIT. Signed-off-by: Thierry Laurion <insurgo@riseup.net>