support x509 anchors for monkeysphere-host, allow shared anchors between m-a and...
authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>
Thu, 6 May 2010 15:24:55 +0000 (11:24 -0400)
committerDaniel Kahn Gillmor <dkg@fifthhorseman.net>
Thu, 6 May 2010 16:21:25 +0000 (12:21 -0400)
Changelog
man/man8/monkeysphere-authentication.8
man/man8/monkeysphere-host.8
src/share/ma/setup
src/share/mh/publish_key

index 6b310c5e25adf9e7040eaece7062dd9ceb436ba9..d03062e5e6d8da6a12ef1b833bfffeeda7d511f4 100644 (file)
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,10 @@
+monkeysphere (0.31~pre) UNRELEASED; urgency=low
+
+  * support x509 anchors for monkeysphere-host, allow shared anchor
+    between m-h and m-a (closes MS #2288)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 06 May 2010 11:23:38 -0400
+
 monkeysphere (0.30) unstable; urgency=low
 
   * changing tarball creation and packaging strategies
index ea9debd33d99618ea785c9a1336e3c3545c6abb5..7c126735c5d80c60198dbe7d738ae0601597ea5d 100644 (file)
@@ -177,10 +177,13 @@ false may expose users to abuse by other users on the system. (true)
 /etc/monkeysphere/monkeysphere\-authentication.conf
 System monkeysphere-authentication config file.
 .TP
-/etc/monkeysphere/monkeysphere\-authentication\-x509\-anchors.crt
+/etc/monkeysphere/monkeysphere\-authentication\-x509\-anchors.crt or\p \
+/etc/monkeysphere/monkeysphere\-x509\-anchors.crt
 If monkeysphere-authentication is configured to query an hkps
 keyserver, it will use X.509 Certificate Authority certificates in
 this file to validate any X.509 certificates used by the keyserver.
+If the monkeysphere-authentication-x509 file is present, the
+monkeysphere-x509 file will be ignored.
 .TP
 /var/lib/monkeysphere/authorized_keys/USER
 Monkeysphere-generated user authorized_keys files.
index 00ea7778afc734105410d0f5af6aa95731718fa8..f3e0d43efcf125fae828dd7e539f7116021e2096 100644 (file)
@@ -222,6 +222,14 @@ Monkeysphere\-enabled services on the host.
 /var/lib/monkeysphere/host/
 A locked directory (readable only by the superuser) containing copies
 of all imported secret keys (this is the host's GNUPGHOME directory).
+.TP
+/etc/monkeysphere/monkeysphere\-host\-x509\-anchors.crt or\p \
+/etc/monkeysphere/monkeysphere\-x509\-anchors.crt
+If monkeysphere-host is configured to query an hkps keyserver for
+publish-keys, it will use X.509 Certificate Authority certificates in
+this file to validate any X.509 certificates used by the keyserver.
+If the monkeysphere-host-x509 file is present, the monkeysphere-x509
+file will be ignored.
 
 .SH AUTHOR
 
index f965487d513dece3e1bb313778f65f2fc46404d0..3c82c4537f4064f15eda763976bb8e2f657bdce6 100644 (file)
@@ -36,6 +36,14 @@ setup() {
 no-greeting
 EOF
 
+    KEYSERVER_OPTIONS=""
+    for anchorfile in "${SYSCONFIGDIR}/monkeysphere-authentication-x509-anchors.crt" "${SYSCONFIGDIR}/monkeysphere-x509-anchors.crt"; do
+        if [ -z "$KEYSERVER_OPTIONS" ] && [ -r "$anchorfile" ] ; then
+            KEYSERVER_OPTIONS="keyserver-options ca-cert-file=$anchorfile"
+            log debug "using $anchorfile for keyserver X.509 anchor"
+        fi
+    done
+
     log debug "writing sphere gpg.conf..."
     cat >"${GNUPGHOME_SPHERE}"/gpg.conf <<EOF
 # Monkeysphere trust sphere GnuPG configuration
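Review bot: The anchor loop selects on `[ -r "$anchorfile" ]`, evaluated by whichever user runs setup(), while the man page text added in this commit says the shared file is ignored whenever the monkeysphere-authentication-x509 file is present. A specific anchor file that exists but is not readable therefore falls through silently to the shared `monkeysphere-x509-anchors.crt`. A file readable by the caller but not by the account that later runs gpg (presumably the monkeysphere user, whose ownership is fixed up just after this code) would still be written into gpg.conf. I would select on `[ -e "$anchorfile" ]` and report the unreadable case, e.g. `[ -r "$anchorfile" ] || log debug "$anchorfile exists but is not readable"`. The same loop is added to src/share/mh/publish_key; setup() starts and ends outside this hunk.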
@@ -43,7 +51,7 @@ EOF
 # Edits will be overwritten.
 no-greeting
 list-options show-uid-validity
-keyserver-options ca-cert-file=${SYSCONFIGDIR}/monkeysphere-authentication-x509-anchors.crt
+${KEYSERVER_OPTIONS}
 EOF
 
     # make sure the monkeysphere user owns everything in the sphere
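Review bot: With `${KEYSERVER_OPTIONS}` the generated gpg.conf carries no `ca-cert-file` line at all when neither anchor file was found, whereas the removed line always named one, and nothing in the file records that choice. What gpg then validates an hkps keyserver certificate against is not visible here and is probably its own default, so the effective trust anchors can change without an operator noticing. I would add a comment line to the heredoc just above the expansion, such as `# X.509 anchor for hkps keyservers; a blank line below means no anchor file was found at setup time`. The heredoc opens before this hunk and setup() continues past it.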
index f1c17234f819477b74e272bb1c37fac493b4e6b7..72d2693bbe96e04e5d11f4104f4177c63f16646a 100644 (file)
@@ -40,9 +40,16 @@ trap "rm -rf $GNUPGHOME" EXIT
 su_monkeysphere_user \
     "gpg --quiet --import" <"$HOST_KEY_FILE"
 
+KEYSERVER_OPTIONS=""
+for anchorfile in "${SYSCONFIGDIR}/monkeysphere-host-x509-anchors.crt" "${SYSCONFIGDIR}/monkeysphere-x509-anchors.crt"; do
+    if [ -z "$KEYSERVER_OPTIONS" ] && [ -r "$anchorfile"  ] ; then
+        KEYSERVER_OPTIONS="--keyserver-options 'ca-cert-file=$anchorfile'"
+    fi
+done
+
 # publish key
 su_monkeysphere_user \
-    "gpg --keyserver $KEYSERVER --send-keys '0x${keyID}!'"
+    "gpg --keyserver $KEYSERVER $KEYSERVER_OPTIONS --send-keys '0x${keyID}!'"
 
 # remove the tmp file
 trap - EXIT
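Review bot: `$anchorfile` is pasted between single quotes into the command string given to su_monkeysphere_user (`--keyserver-options 'ca-cert-file=$anchorfile'`), so the path is parsed a second time by whatever shell that helper uses; its definition is outside this page. A SYSCONFIGDIR containing a single quote would end the quoting early, and the remainder would be read as further shell words in a command that appears to be launched from a privileged script. `$KEYSERVER` on the same line is already interpolated unquoted, so this extends an existing pattern rather than introducing it. At minimum I would document the assumption above the loop, e.g. `# SYSCONFIGDIR must not contain quotes or shell metacharacters: it is interpolated into a command string that a shell re-parses`; unlike src/share/ma/setup, this copy of the loop also logs nothing about which anchor was chosen.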