Diffstat (limited to 'Makefile')
-rw-r--r--Makefile126
1 files changed, 77 insertions, 49 deletions
diff --git a/Makefile b/Makefile
index 62690e3..d1858f4 100644
--- a/Makefile
+++ b/Makefile
@@ -1,49 +1,77 @@
-SHELL=/bin/bash
-# The git user home, from where repos are served
-PREFIX=/srv/git
-# The git user
-USER=git
-# The git-shell path
-GIT_SHELL=/usr/bin/git-shell
-# The hacking.git clone
-HACKERS=$(shell pwd)
-
-# Add all of your pubkeys
-# TODO this can fail if you don't have any keys (why don't you)
-bootstrap:
- cat $(HOME)/.ssh/id_{rsa,ecdsa,dsa}.pub >>authorized_keys 2>/dev/null || true
- git commit authorized_keys -m "Bootstraping hacking.git" ; \
-
-# Create the user
-user:
- useradd --home $(PREFIX) \
- --shell $(GIT_SHELL) \
- --create-home \
- --system \
- --user-group \
- $(USER)
-
-# Check if we have at least a key
-check:
- if [ $(shell wc -l authorized_keys | cut -d' ' -f1) -eq 0 ]; then \
- echo 'Add at least your key to authorized_keys!'; \
- exit 1 ;\
- fi
-
-# Add the hackers repo to the local clone
-install-local:
- git remote add git git:hackers.git
- cat ssh_config >>$(HOME)/.ssh/config
-
-# Create the hackers.git bare repo and clone as .ssh
-# Then create needed symlinks and add hooks to hackers.git
-install: check
- cd $(PREFIX); \
- git clone --bare $(HACKERS) hackers.git && \
- git clone hackers.git .ssh && \
- chmod 700 $(PREFIX) && \
- chmod 700 .ssh && \
- chmod 600 .ssh/authorized_keys && \
- ln -s $(PREFIX)/.ssh/git-hooks/hackers-update hackers.git/hooks/post-receive && \
- ln -s $(PREFIX)/.ssh/git-shell-commands && \
- chown -R $(USER):$(USER) $(PREFIX)
+export LANG=C
+export SHELL=/bin/bash
+
+KEYSERVER = hkp://pool.sks-keyservers.net
+GPG = gpg --quiet --batch --no-tty --no-permission-warning --keyserver ${KEYSERVER} --homedir output/cache/pacman-keyring/gpghome
+MKDIRS = mkdir -p
+FAIL = exit 1
+
+keyring_name = parabola
+
+all: PHONY pacman-keyring
+
+clean: PHONY
+ rm -rf output/cache
+
+####
+
+pacman-keyring: PHONY \
+ output/pacman-keyring/${keyring_name}.gpg \
+ output/pacman-keyring/${keyring_name}-trusted \
+ output/pacman-keyring/${keyring_name}-revoked
+
+# Assemble the list of .asc files needed to generate the keyring
+output/cache/pacman-keyring/deps.mk: hackers.yml bin/list-pgp-keyids
+ $(MKDIRS) ${@D}
+ { \
+ echo output/pacman-keyring/${keyring_name}.gpg: $$(bin/list-pgp-keyids | sed -r 's|(\S+) .*|output/cache/pacman-keyring/keys/\1.asc|') && \
+ echo output/cache/pacman-keyring/stamp.ownertrust: $$(bin/list-pgp-keyids | sed -rn 's|^(trusted/\S+) .*|output/cache/pacman-keyring/keys/\1.asc|p') && \
+ :; }> $@
+-include output/cache/pacman-keyring/deps.mk
+
+output/cache/pacman-keyring/stamp.gpg-init: gpg-init.txt
+ ${MKDIRS} ${@D} output/cache/pacman-keyring/gpghome
+ ${GPG} --gen-key < $<
+ touch $@
+output/cache/pacman-keyring/stamp.ownertrust: output/pacman-keyring/${keyring_name}-trusted output/cache/pacman-keyring/deps.mk
+ ${MKDIRS} ${@D}
+ ${GPG} --import-ownertrust < $< 2>/dev/null
+ touch $@
+
+output/pacman-keyring/${keyring_name}.gpg: output/cache/pacman-keyring/deps.mk
+ $(MKDIRS) ${@D}
+ cat $(filter %.asc,$^) > $@
+output/pacman-keyring/${keyring_name}-trusted: hackers.yml bin/list-pgp-keyids
+ $(MKDIRS) ${@D}
+ bin/list-pgp-keyids | sed -rn 's|^trusted/\S+ (\S+)|\1:4:|p' > $@
+output/pacman-keyring/${keyring_name}-revoked: hackers.yml bin/list-pgp-keyids
+ $(MKDIRS) ${@D}
+ bin/list-pgp-keyids | sed -rn 's|^revoked/\S+ ||p' > $@
+
+# These 3 rules are mostly straight from "archlinux-keyring.git/update-keys"
+keyid=$$(bin/get-pgp-keyid $*)
+output/cache/pacman-keyring/keys/trusted/%.asc: hackers.yml bin/get-pgp-keyid output/cache/pacman-keyring/stamp.gpg-init
+ ${MKDIRS} ${@D}
+ ${GPG} --recv-keys ${keyid} &>/dev/null
+ printf 'minimize\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
+ #${GPG} --yes --lsign-key ${keyid} &>/dev/null
+ printf 'y\ny\n' | ${GPG} --command-fd 0 --lsign-key ${keyid} &>/dev/null
+ ${GPG} --armor --no-emit-version --export ${keyid} > $@
+output/cache/pacman-keyring/keys/secondary/%.asc: hackers.yml bin/get-pgp-keyid output/cache/pacman-keyring/stamp.ownertrust
+ ${MKDIRS} ${@D}
+ ${GPG} --recv-keys ${keyid} &>/dev/null
+ printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
+ ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:' # make sure it is trusted
+ ${GPG} --armor --no-emit-version --export ${keyid} > $@
+output/cache/pacman-keyring/keys/revoked/%.asc: hackers.yml bin/get-pgp-keyid output/cache/pacman-keyring/stamp.ownertrust
+ ${MKDIRS} ${@D}
+ ${GPG} --recv-keys ${keyid} &>/dev/null
+ printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
+ ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:' # make sure it's not trusted
+ ${GPG} --armor --no-emit-version --export ${keyid} > $@
+
+####
+
+.PHONY: PHONY
+.SECONDARY:
+.DELETE_ON_ERROR:
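Review bot: The recipe under `output/cache/pacman-keyring/keys/trusted/%.asc` locally signs whatever `--recv-keys` placed in the keyring without first confirming it is the expected key, while the fetch goes to a plaintext `hkp://` pool with its output sent to `/dev/null`, so a failed or substituted download is only noticed if a later step happens to fail. If `bin/get-pgp-keyid` yields full fingerprints (not visible in this hunk), add a check between the receive and the lsign, e.g. `${GPG} --with-colons --list-keys ${keyid} | grep -q "^fpr:::::::::${keyid}:"`, and point `KEYSERVER` at an `hkps://` URL so the transport is at least authenticated; if it yields short key IDs, resolve them to fingerprints before anything is lsigned. Dropping `&>/dev/null` from the three `--recv-keys` lines (trusted, secondary and revoked rules) would also let keyserver errors reach the build log instead of surfacing as an unrelated `--edit-key` failure. The `#${GPG} --yes --lsign-key ${keyid} &>/dev/null` line is a dead recipe line that still spawns a shell on every build; remove it rather than keep it as a comment.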