eid-ops/global/post-tasks.d/015cosmos-trust


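#!/bin/bash
#
# cosmos post-task: keep the GPG keyring used by cosmos in sync with the
# public key files found in $COSMOS_KEYS (default: /etc/cosmos/keys).
#
#   * every *.pub file holding at least one non-expired key is imported when
#     one of its keys is missing from the keyring, or present but expired;
#   * keys in the keyring that are no longer backed by a non-expired key file
#     are deleted.
#
# Keys are tracked by field 5 of gpg's "pub:" records (--with-colons), i.e.
# the key ID; the full fingerprint is in the separate "fpr:" record. The same
# identifier is used on both sides, so keyring and files compare consistently.
#
# Deliberately no `set -e`: one unreadable or malformed key file must not stop
# the remaining files from being processed.

COSMOS_KEYS=${COSMOS_KEYS:-/etc/cosmos/keys}

bold='\e[1m'
reset='\e[0m'
red='\033[01;31m'

# Key IDs present in the GPG keyring (value: 1)
declare -A KEYRING
# Key IDs in the keyring whose "pub:" record carries validity "e" (expired)
declare -A EXPIRED
# Key IDs found in non-expired *.pub files under $COSMOS_KEYS (value: file name)
declare -A SEEN

# The deletion pass below removes every keyring key that is not backed by a
# file, so an absent/unreadable key directory must not be mistaken for "no keys
# are trusted any more": refuse to run instead of wiping the keyring.
if [[ ! -d $COSMOS_KEYS || ! -r $COSMOS_KEYS ]]; then
  printf '%s: %bkey directory %s is missing or unreadable, not touching the keyring%b\n' \
    "$0" "$red" "$COSMOS_KEYS" "$reset" >&2
  exit 1
fi

# Load information about all keys present in the GPG keyring.
# Field 2 of a "pub:" record is the validity ("e" = expired), field 5 the key ID.
while IFS=: read -r validity keyid; do
  [[ -n $keyid ]] || continue
  KEYRING[$keyid]=1
  if [[ $validity == 'e' ]]; then
    EXPIRED[$keyid]=1
  fi
done < <(cosmos gpg --with-colons --fingerprint | awk -F: '$1 == "pub" { print $2 ":" $5 }')

# Install new keys discovered in the $COSMOS_KEYS directory
for k in "$COSMOS_KEYS"/*.pub; do
  # Silently ignore empty files (and the literal pattern when nothing matches)
  [[ -s $k ]] || continue

  # One "pub:" record per key contained in the file. gpg diagnostics go to
  # stderr and must never be parsed as key records, so stderr is not merged
  # into the pipeline.
  pubkeys_in_file=$(cosmos gpg --with-colons --with-fingerprint < "$k" 2>/dev/null | grep '^pub:')

  # Key IDs of the non-expired keys in the file, one per line. The expansion is
  # quoted so that a file holding several keys keeps one record per line
  # (an unquoted expansion would fold them into one line and only the first
  # key's validity and ID would ever be looked at).
  non_expired_keyids=$(awk -F: '$2 != "e" { print $5 }' <<<"$pubkeys_in_file")
  if [[ -z $non_expired_keyids ]]; then
    printf '%s: %bIgnoring file with expired pubkey: %s%b\n' "$0" "$red" "$k" "$reset"
    continue
  fi

  # A file is imported as a whole, so import it at most once even when it
  # contains several keys that are new or expired in the keyring.
  imported=0
  while IFS= read -r keyid; do
    [[ -n $keyid ]] || continue
    # Remember that we saw key ID $keyid in file $k
    SEEN[$keyid]=$k
    if [[ -z ${KEYRING[$keyid]:-} ]]; then
      reason='Importing new key'
    elif [[ -n ${EXPIRED[$keyid]:-} ]]; then
      reason='Re-importing expired key'
    else
      continue
    fi
    printf '%s: %b%s %s%b from %s\n' "$0" "$bold" "$reason" "$keyid" "$reset" "$k"
    if (( imported == 0 )); then
      cosmos gpg --no-tty --import < "$k"
      imported=1
    fi
  done <<<"$non_expired_keyids"
done

# Delete keys no longer present (or expired) in $COSMOS_KEYS directory
for keyid in "${!KEYRING[@]}"; do
  if [[ -z ${SEEN[$keyid]:-} ]]; then
    printf '%s: %bDeleting key%b %s not present (or expired) in %s\n' \
      "$0" "$bold" "$reset" "$keyid" "$COSMOS_KEYS"
    cosmos gpg --fingerprint "$keyid"
    # Best effort: a key that cannot be deleted must not abort the remaining deletions
    cosmos gpg --yes --batch --delete-key "$keyid" || true
  fi
done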