install.fairie/docs/scripts/before/run_onchange_before_91-configure-gpg.sh.tmpl.md
2023-11-05 01:46:18 +00:00

3.4 KiB

title description sidebar_label slug githubLocation scriptLocation repoLocation
GPG Configuration Imports the public GPG key defined by the variable `KEYID` and then assigns it ultimate trust 91 GPG Configuration /scripts/before/run_onchange_before_91-configure-gpg.sh.tmpl https://github.com/megabyte-labs/install.doctor/blob/master/home/.chezmoiscripts/universal/run_onchange_before_91-configure-gpg.sh.tmpl https://github.com/megabyte-labs/install.doctor/raw/master/home/.chezmoiscripts/universal/run_onchange_before_91-configure-gpg.sh.tmpl home/.chezmoiscripts/universal/run_onchange_before_91-configure-gpg.sh.tmpl

GPG Configuration

Imports the public GPG key defined by the variable KEYID and then assigns it ultimate trust

Overview

This script imports your publicly hosted GPG key using pgp.mit.edu as the key host. It then assigns it the ultimate trust level. It also downloads and configures GPG to use the configuration defined in .config.gpg in the home/.chezmoidata.yaml file.

Source Code

#!/usr/bin/env bash
# @file GPG Configuration
# @brief Imports the public GPG key defined by the variable `KEYID` and then assigns it ultimate trust
# @description
#     This script imports your publicly hosted GPG key using `pgp.mit.edu` as the key host. It then assigns it
#     the ultimate trust level. It also downloads and configures GPG to use the configuration defined in `.config.gpg`
#     in the `home/.chezmoidata.yaml` file.

{{ includeTemplate "universal/profile-before" }}
{{ includeTemplate "universal/logg-before" }}

KEYID="{{ .user.gpg.id }}"

if [ -n "$KEYID" ] && command -v gpg > /dev/null; then
  if [ ! -d "$HOME/.gnupg" ]; then
    mkdir "$HOME/.gnupg"
  fi
  chown "$(whoami)" "$HOME/.gnupg"
  chmod 700 "$HOME/.gnupg"
  chown -Rf "$(whoami)" "$HOME/.gnupg/"
  find "$HOME/.gnupg" -type f -exec chmod 600 {} \;
  find "$HOME/.gnupg" -type d -exec chmod 700 {} \;
  if [ ! -f "$HOME/.gnupg/gpg.conf" ]; then
    logg 'Downloading hardened gpg.conf file to ~/.gpnupg/gpg.conf'
    curl -sSL "{{ .config.gpg }}" > "$HOME/.gnupg/gpg.conf"
    chmod 600 "$HOME/.gnupg/gpg.conf"
  fi
  KEYID_TRIMMED="$(echo "$KEYID" | sed 's/^0x//')"
  if ! gpg --list-secret-keys --keyid-format=long | grep "$KEYID_TRIMMED" > /dev/null; then
    logg info 'Attempting to download the specified public GPG key ({{ .user.gpg.id }}) from public keyservers'
    sudo pkill dirmngr
    dirmngr --daemon --standard-resolver
    gpg --keyserver https://pgp.mit.edu --recv "$KEYID" || EXIT_CODE=$?
    if [ -n "$EXIT_CODE" ]; then
      logg info 'Non-zero exit code received when downloading public GPG key'
      gpg --keyserver hkps://pgp.mit.edu --recv "$KEYID" || EXIT_CODE=$?
      if [ -n "$EXIT_CODE" ]; then
        logg info 'Non-zero exit code received when trying to retrieve public user GPG key on hkps://pgp.mit.edu'
        gpgconf --kill dirmngr
        KEYID="${KEYID^^}"
        KEYID="$(echo "$KEYID" | sed 's/^0X/0x/')"
        if [ -f "$HOME/.gnupg/public/$KEYID.sig" ]; then
          gpg --import "$HOME/.gnupg/public/$KEYID.sig"
        fi
      else
        logg success 'Successfully imported configured public user GPG key'
      fi
    fi
  else
    logg info 'Key is already in keyring'
  fi
  logg 'Ensuring the trust of the provided public GPG key is set to maximum'
  echo -e "trust\n5\ny" | gpg --command-fd 0 --edit-key "$KEYID"
else
  logg warn 'gpg appears to be unavailable. Is it installed and on the PATH?'
fi