blob: a6929dd887a05462076ac1b4cae5f322c5948372 [file] [log] [blame]
#!/bin/bash
set -e
GCLOUD="gcloud --project=mendel-linux-cloud-infra"
PRIVKEY_NAME="mendel-linux-signing-key"
PASSPHRASE_NAME="mendel-linux-signing-key-passphrase"
export TMPARCHIVE="$(mktemp /tmp/XXXXXXXX.tar.gz)"
export GNUPGHOME="$(mktemp -d /tmp/XXXXXXXX)"
chmod 700 $GNUPGHOME
cleanup() {
find $GNUPGHOME -type f |xargs shred -u
rm -rf $GNUPGHOME
shred -u $TMPARCHIVE
trap
}
trap cleanup KILL INT EXIT RETURN
echo Fetching passphrase
PASSPHRASE="$(${GCLOUD} secrets versions access latest \
--secret=${PASSPHRASE_NAME})"
gpg --batch --generate-key - <<EOF
%echo Generating signing key
Key-Type: RSA
Key-Length: 4096
Key-Usage: encrypt sign auth cert
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt sign auth cert
Name-Real: Mendel Linux Release Masters
Name-Email: coral-support@google.com
Expire-Date: 0
Passphrase: ${PASSPHRASE}
%commit
%echo Key generation done
EOF
echo Archiving GPG homedir
chmod 600 "${TMPARCHIVE}"
tar -C "${GNUPGHOME}" -zcf "${TMPARCHIVE}" .
echo Uploading archive to cloud storage
${GCLOUD} secrets versions add "${PRIVKEY_NAME}" \
--data-file="${TMPARCHIVE}"