path: root/parabola-keyring/update-keys
authorNicolás Reynolds <fauno@endefensadelsl.org>2013-03-25 17:16:54 -0300
committerNicolás Reynolds <fauno@endefensadelsl.org>2013-03-25 17:16:54 -0300
commite9f436a3716aa603d9e6affa84cf20520da349a4 (patch)
treef516618ed319924152123953f97bb5a1327bca36 /parabola-keyring/update-keys
parentddad7a19fde6561c19eca6ad69927b8f6f87e2c6 (diff)
Fixing the Parabola WoT
Some commands from the master-keys processing were missing and thus generated an incomplete WoT, since some signatures were removed. Also, $GPG wasn't locally signing keys with multiple IDs, because it asks two questions and $GPG was expecting one. This is still happening on pacman-key and the fix is going to be applied on pacman 4.1.
Diffstat (limited to 'parabola-keyring/update-keys')
-rwxr-xr-xparabola-keyring/update-keys24
1 files changed, 19 insertions, 5 deletions
diff --git a/parabola-keyring/update-keys b/parabola-keyring/update-keys
index 235e620..5765ae4 100755
--- a/parabola-keyring/update-keys
+++ b/parabola-keyring/update-keys
@@ -3,7 +3,7 @@
export LANG=C
TMPDIR=$(mktemp -d)
-trap "rm -rf '${TMPDIR}'" EXIT
+#trap "rm -rf '${TMPDIR}'" EXIT
KEYSERVER='hkp://pool.sks-keyservers.net'
GPG="gpg --quiet --batch --no-tty --no-permission-warning --keyserver "${KEYSERVER}" --homedir ${TMPDIR}"
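Review bot: Commenting out `trap "rm -rf '${TMPDIR}'" EXIT` means the temporary GnuPG home is no longer removed on any exit path, and the replacement at the end of the second hunk, `echo $TMPDIR` followed by `rm /tmp/tmp.*`, does not restore that: `rm` without `-r` cannot delete the directory created by `mktemp -d`, the line is only reached when every earlier command succeeds, and the glob also deletes any other `/tmp/tmp.*` entry the user can remove, unrelated to this run. Since the script performs `lsign`, the homedir presumably holds a secret signing key, which then stays on disk after the run. Keep the trap and drop the glob: `trap 'rm -rf -- "${TMPDIR:?}"' EXIT`, and remove the per-iteration `mktemp` files by name inside the loop rather than by pattern at the end.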
@@ -29,15 +29,29 @@ while read -ra data; do
keyid="${data[0]}"
username="${data[@]:1}"
${GPG} --recv-keys ${keyid} &>/dev/null
- printf 'clean\nquit\ny\n' | \
+ printf 'lsign\ny\ny\nsave\ny\n' | \
+ ${GPG} --command-fd 0 --edit-key ${keyid}
+ echo "${keyid}:4:" | tee -a parabola-trusted
+done < packager-keyids
+${GPG} --import-ownertrust < parabola-trusted 2>/dev/null
+
+while read -ra data; do
+ keyid="${data[0]}"
+ username="${data[@]:1}"
+ printf 'clean\nquit\n' | \
${GPG} --command-fd 0 --edit-key ${keyid}
FD=$(mktemp)
exec 4>"${FD}"
- ${GPG} --yes --lsign-key ${keyid} &>/dev/null
- ${GPG} --armor --output packager/${username}.asc --export ${keyid}
- echo "${keyid}:4:" >> parabola-trusted
+ if ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:'; then
+ echo "key is not fully trusted: ${keyid} ${username}"
+ else
+ ${GPG} --armor --output packager/${username}.asc --export ${keyid}
+ fi
done < packager-keyids
cat packager/*.asc > parabola.gpg
popd >/dev/null
+
+echo $TMPDIR
+rm /tmp/tmp.*
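Review bot: A packager key that fails the `grep -q '^pub:f:'` check is only reported on stdout and the loop continues, so the script still exits 0 and `cat packager/*.asc > parabola.gpg` silently builds a keyring without that key. The message should go to stderr and the failure should be remembered and surfaced, e.g. `printf 'key is not fully trusted: %s %s\n' "${keyid}" "${username}" >&2; failed=1` in the else-branch and `exit "${failed:-0}"` after `popd`. Note also that `--output packager/${username}.asc` on the new side is unquoted, so a username containing whitespace (it is built from `${data[@]:1}`) splits into several arguments; quote it as `"packager/${username}.asc"`. The `while` loop's `read -ra data` header sits above this hunk, and two blank context lines appear to have been dropped in rendering, so the exact hunk end is inferred.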