initial commit as copy from helsinki ansible repo

author: Christian Pointner <equinox@spreadspace.org> 2017-11-21 22:28:39 +0100
committer: Christian Pointner <equinox@spreadspace.org> 2017-11-21 22:28:39 +0100
commit: 91cd5480b5a1ca1103d5e239af3d331477c41c2c (patch)
tree: b495bf31e2d5da50b045838a1e8d0455db09ee65 /gpg
8 files changed, 101 insertions, 0 deletions
diff --git a/gpg/add-key.sh b/gpg/add-key.sh
new file mode 100755
index 00000000..98e29174
--- /dev/null
+++ b/gpg/add-key.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+if [ -z "$1" ]; then
+  echo "no keyfile specified, reading from stdin ..."
+fi
+
+"${BASH_SOURCE%/*}/gpg2.sh" --import $@
+if [ $? -ne 0 ]; then
+  echo -e "\nERROR: import key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg."
+  exit 1
+fi
+
+echo ""
+"${BASH_SOURCE%/*}/get-vault-pass.sh" | "${BASH_SOURCE%/*}/set-vault-pass.sh"
+if [ $? -ne 0 ]; then
+  echo -e "\nERROR: reencrypting vault password file failed!"
+  echo "   You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!"
+  exit 1
+fi
+echo "Successfully reencrypted vault password file!"
+echo "  Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg."
diff --git a/gpg/get-vault-pass.sh b/gpg/get-vault-pass.sh
new file mode 100755
index 00000000..202c94f7
--- /dev/null
+++ b/gpg/get-vault-pass.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+gpg2 --decrypt --batch < "${BASH_SOURCE%/*}/vault-pass.gpg" 2> /dev/null
diff --git a/gpg/gpg2.sh b/gpg/gpg2.sh
new file mode 100755
index 00000000..b00c49cf
--- /dev/null
+++ b/gpg/gpg2.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec gpg2 --keyring "${BASH_SOURCE%/*}/vault-keyring.gpg" --secret-keyring /dev/null --no-default-keyring $@
diff --git a/gpg/list-keys.sh b/gpg/list-keys.sh
new file mode 100755
index 00000000..4b010495
--- /dev/null
+++ b/gpg/list-keys.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec "${BASH_SOURCE%/*}/gpg2.sh" --list-keys $@
diff --git a/gpg/remove-keys.sh b/gpg/remove-keys.sh
new file mode 100755
index 00000000..80ae1573
--- /dev/null
+++ b/gpg/remove-keys.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+if [ -z "$1" ]; then
+  echo "Please specify at least one key ID!"
+  echo ""
+  echo "You can find out the key ID using the command: gpg/list-keys.sh"
+  echo ""
+  echo " Here is an example output:"
+  echo ""
+  echo "   pub   rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01]"
+  echo "         Key fingerprint = 1234 5678 1234 5678 1234  5678 1234 5678 1234 5678"
+  echo "   uid                   [ unknown] Firstname Lastname <lastname@example.com>"
+  echo "   sub   rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01]"
+  echo ""
+  echo " The key ID is the hexadecimal number next to rsa4096/ in the line"
+  echo " starting with pub (not sub). In this case the key ID is: 0x1234567812345678"
+  echo ""
+  exit 1
+fi
+
+"${BASH_SOURCE%/*}/gpg2.sh" --delete-keys $@
+if [ $? -ne 0 ]; then
+  echo -e "\nERROR: removing key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg."
+  exit 1
+fi
+
+echo ""
+"${BASH_SOURCE%/*}/get-vault-pass.sh" | "${BASH_SOURCE%/*}/set-vault-pass.sh"
+if [ $? -ne 0 ]; then
+  echo -e "\nERROR: reencrypting vault password file failed!"
+  echo "   You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!"
+  exit 1
+fi
+echo "Successfully reencrypted vault password file!"
+echo "  Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg."
diff --git a/gpg/set-vault-pass.sh b/gpg/set-vault-pass.sh
new file mode 100755
index 00000000..1fb3426c
--- /dev/null
+++ b/gpg/set-vault-pass.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+keyids=$("${BASH_SOURCE%/*}/gpg2.sh" --list-keys --with-colons --fast-list-mode 2>/dev/null | awk -F: '/^pub/{printf "%s\n", $5}')
+if [ -z "$keyids" ]; then
+  echo "ERROR: no keys to encrypt to, is the keyring empty?"
+  exit 1
+fi
+
+receipients=""
+for keyid in $keyids; do
+  receipients="$receipients -r $keyid"
+done
+
+
+"${BASH_SOURCE%/*}/gpg2.sh" --yes --trust-model always --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass.gpg.$$" $receipients
+if [ $? -ne 0 ]; then
+  rm -f "${BASH_SOURCE%/*}/vault-pass.gpg.$$"
+  exit 1
+fi
+mv "${BASH_SOURCE%/*}/vault-pass.gpg.$$" "${BASH_SOURCE%/*}/vault-pass.gpg"
diff --git a/gpg/vault-keyring.gpg b/gpg/vault-keyring.gpg
new file mode 100644
index 00000000..8d2e0443
--- /dev/null
+++ b/gpg/vault-keyring.gpg
diff --git a/gpg/vault-pass.gpg b/gpg/vault-pass.gpg
new file mode 100644
index 00000000..20130b37
--- /dev/null
+++ b/gpg/vault-pass.gpg
@@ -0,0 +1,19 @@
+-----BEGIN PGP MESSAGE-----
+
+hQIMA+Qd5U24qffPAQ/+M6LI5+vmyfQqiH14FM6W7q/rjtKpAmkSHrUs2XyFsoF4
+Z0fK8sZivjY/HHxD+hjQJ1GDCEBjQTEgdUmEopj/Di4BS851tClBapa+UPQHezVf
+1LvNEti2e4ghdGDLd+UGF24Mu2SwLyE4neO/VBg2AYiX3AAO+35nIUgrzarVCvhB
+FP6jja1oLmMFfNCw9xSbM1JozwlSOZWPFGt/W1exfthJvFx2r60IdLlBjl6R8SS9
+2sWcFU3tIjcKX1hCFzt+iv+Ks1dPsOIex5GRi2YWl6EOsuafBo7AlhcIXdDSNEyC
++ieXY8VAMqb8kTbaITP+eMYy/gw43Eo5dRyu+kS95pnLcguM8gsaxTgxTW8WGWPh
+JH6ezxyuWS1AlrT0/T9qQtPzz6RO01UpeP/Uwe03p16uCOI5tNOrESoG4OSnwwav
+BP2R6KdjMmPhIheK14krIMRFssx8bWq1/Ib8qkXeVUcFRRnpTdsTtj9hkOM9eLxS
+IJjO5/ny9wQRtO9Mm8QMLBewb602WI8qdE0zSKBofKZUHr92JH+wD69vTkHu3LUi
+tQEGXM5oKUfkbWa+hmNdTPsjPesfR/N/AtAK5vyTofIxs4qGXfoMgnPgchkVi8uK
+IpiSot0Bawg/SIkdTOg3KYaJgqFrqic7eozFj/s89rWNMf0zYiIUkMrrYlQCpYrS
+vAF2iuZCv0WapCgENJ/hykA3XXGn/CeQ6jSpILfLA7fXY0ndblrZONw52+ST0VBn
+3EtV7dvhrx0uaN54u4jdLCI6y5lBfSQaPYtqSl3Gduhl7VzF4FJiXGf6J8yORPaj
+qnIchQmbXoTefnTSvBT+GGWYfQXd7kxnxsL4tR8HzOUZe9pR7XesVdl9TLUjU8NP
+c+aUDAhpCnf32VKmmZGyvIFyH0WcIKgEza5n2Q1mRGLhs9duMTHnC1kjv9wb
+=lDHb
+-----END PGP MESSAGE-----
author	Christian Pointner <equinox@spreadspace.org>	2017-11-21 22:28:39 +0100
committer	Christian Pointner <equinox@spreadspace.org>	2017-11-21 22:28:39 +0100
commit	91cd5480b5a1ca1103d5e239af3d331477c41c2c (patch)
tree	b495bf31e2d5da50b045838a1e8d0455db09ee65 /gpg