Merge pull request #2078 from tlaurion/distro_keys_updater-keep_only_primary_signing_key-remove_expired_ones

Distro keys updater keep only primary signing key remove expired ones : reduces size of archilinx.key and tails.key

Author: tlaurion

bin/update_distro_signing_key/archlinux.sh

@@ -0,0 +1,15 @@
+#! /usr/bin/env bash
+# Update the Arch Linux distro signing key (Pierre Schmitz, release engineer).
+# See bin/update_distro_signing_key/helper.sh for details.
+#
+# Key fingerprint: 3E80 CA1A 8B89 F69C BA57  D98A 76A5 EF90 5444 9A5C
+
+set -eo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+exec "$SCRIPT_DIR/lib/helper.sh" \
+	"Arch Linux" \
+	"https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C" \
+	"pierre@archlinux.org" \
+	"initrd/etc/distro/keys/archlinux.key"

bin/update_distro_signing_key/lib/helper.sh

@@ -0,0 +1,108 @@
+#! /usr/bin/env bash
+# Shared helper: download, normalize, and update one distro signing key.
+# Called by per-distro wrapper scripts in bin/update_distro_signing_key/.
+#
+# Usage: update_distro_signing_key_helper.sh <label> <url> <uid> <key_relpath>
+#
+#   <label>       Human-readable distro name, used in log output (e.g. "Tails")
+#   <url>         URL to download the raw key bundle from
+#   <uid>         GPG UID to select for export (email or full name string)
+#   <key_relpath> Repo-relative path to the key file to update
+#                 (e.g. initrd/etc/distro/keys/tails.key)
+#
+# Normalization applied:
+#   --export-options export-minimal,export-clean
+#   --export-filter  drop-subkey=expired -gt 0 || usage !~ s
+#
+# Only the primary key and non-expired signing subkeys are kept — no
+# encryption, authentication, or expired subkeys.
+
+set -eo pipefail
+
+die() { echo "ERROR: $*" >&2; exit 1; }
+
+[ $# -eq 4 ] || die "Usage: $(basename "$0") <label> <url> <uid> <key_relpath>"
+
+LABEL="$1"
+KEY_URL="$2"
+KEY_UID="$3"
+KEY_RELPATH="$4"
+
+REPO_ROOT="$(git -C "$(cd "$(dirname "$0")" && pwd)" rev-parse --show-toplevel)"
+KEY_FILE="$REPO_ROOT/$KEY_RELPATH"
+
+[ -f "$KEY_FILE" ] || die "Key file not found in repo: $KEY_RELPATH"
+
+# Temporary GPG home — cleaned up on exit
+GPGHOME="$(mktemp -d --tmpdir "update-distro-key-XXXXXX")"
+trap 'rm -rf -- "$GPGHOME"' EXIT
+
+echo "[$LABEL] Downloading $KEY_URL ..."
+wget -q "$KEY_URL" -O "$GPGHOME/raw.key" \
+	|| die "[$LABEL] Failed to download key from $KEY_URL"
+
+echo "[$LABEL] Importing key into temporary keyring ..."
+gpg --homedir "$GPGHOME" --batch --import "$GPGHOME/raw.key" 2>/dev/null \
+	|| die "[$LABEL] gpg --import failed"
+
+echo "[$LABEL] Exporting normalized key for '$KEY_UID' ..."
+gpg --homedir "$GPGHOME" --batch \
+	--export --armor \
+	--export-options export-minimal,export-clean \
+	--export-filter 'drop-subkey=expired -gt 0 || usage !~ s' \
+	"$KEY_UID" > "$GPGHOME/normalized.key" \
+	|| die "[$LABEL] gpg --export failed"
+
+[ -s "$GPGHOME/normalized.key" ] \
+	|| die "[$LABEL] Exported key is empty — is '$KEY_UID' present in the downloaded keyring?"
+
+cp "$GPGHOME/normalized.key" "$KEY_FILE"
+echo "[$LABEL] Written to $KEY_RELPATH"
+
+# Report primary key expiry; warn (in color) if expiring within 365 days
+WARN_DAYS=365
+WARN_SECS=$(( WARN_DAYS * 86400 ))
+NOW="$(date +%s)"
+RED='\033[0;31m'
+YELLOW='\033[0;33m'
+NC='\033[0m'
+echo ""
+gpg --homedir "$GPGHOME" --batch --list-keys --with-colons "$KEY_UID" 2>/dev/null \
+	| awk -F: -v label="$LABEL" -v now="$NOW" -v warn_secs="$WARN_SECS" \
+	      -v red="$RED" -v yellow="$YELLOW" -v nc="$NC" '
+		/^pub:/ {
+			expiry = $7
+			if (expiry != "") {
+				cmd = "date -d @" expiry " +%Y-%m-%d"
+				cmd | getline expdate
+				close(cmd)
+				days_left = int((expiry - now) / 86400)
+				if (expiry <= now) {
+					print red "WARNING: [" label "] Primary key EXPIRED on " expdate " -- update immediately!" nc
+				} else if ((expiry - now) <= warn_secs) {
+					print yellow "WARNING: [" label "] Primary key expires " expdate " (" days_left " days) -- update soon!" nc
+				} else {
+					print "[" label "] Primary key expires " expdate " (" days_left " days)"
+				}
+			} else {
+				print "[" label "] Primary key: no expiry"
+			}
+		}
+	'
+
+# Report change status via git
+if git -C "$REPO_ROOT" diff --quiet -- "$KEY_RELPATH"; then
+	echo "[$LABEL] No change — key is identical to the committed version."
+else
+	echo ""
+	echo "[$LABEL] Key has CHANGED since the last committed version:"
+	echo ""
+	git -C "$REPO_ROOT" diff --stat -- "$KEY_RELPATH"
+	echo ""
+	echo "Review the diff with:"
+	echo "  git diff -- $KEY_RELPATH"
+	echo ""
+	echo "If the change is expected, commit it with:"
+	echo "  git add $KEY_RELPATH"
+	echo "  git commit -s -S -m 'distro/keys: update $LABEL signing key'"
+fi

bin/update_distro_signing_key/qubes.sh

@@ -0,0 +1,33 @@
+#! /usr/bin/env bash
+# Update all Qubes OS distro signing keys (release 4.2, 4.3, weekly builds).
+# See bin/update_distro_signing_key/helper.sh for details.
+#
+# Key fingerprints:
+#   Qubes 4.2:      9C88 4DF3 F810 64A5 69A4  A9FA E022 E58F 8E34 D89F
+#   Qubes 4.3:      F3FA 3F99 D628 1F7B 3A3E  5E87 1C3D 9B62 7F3F ADA4
+#   Qubes weekly:   9B7E 61D3 BB70 C4B1 335C  E5B6 7B72 A119 CCCA 57BB
+
+set -eo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+HELPER="$SCRIPT_DIR/lib/helper.sh"
+
+rc=0
+run() { "$HELPER" "$@" || { local e=$?; [ $e -gt $rc ] && rc=$e; }; }
+
+run "Qubes OS 4.2" \
+	"https://keys.qubes-os.org/keys/qubes-release-4.2-signing-key.asc" \
+	"Qubes OS Release 4.2 Signing Key" \
+	"initrd/etc/distro/keys/qubes-4.2.key"
+
+run "Qubes OS 4.3" \
+	"https://keys.qubes-os.org/keys/qubes-release-4.3-signing-key.asc" \
+	"Qubes OS Release 4.3 Signing Key" \
+	"initrd/etc/distro/keys/qubes-4.3.key"
+
+run "Qubes OS weekly builds" \
+	"https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x9B7E61D3BB70C4B1335CE5B67B72A119CCCA57BB" \
+	"Qubes OS Weekly Builds Signing Key" \
+	"initrd/etc/distro/keys/qubes-weekly-builds-signing-key.asc"
+
+exit "$rc"

bin/update_distro_signing_key/tails.sh

@@ -0,0 +1,13 @@
+#! /usr/bin/env bash
+# Update the Tails distro signing key.
+# See bin/update_distro_signing_key/helper.sh for details.
+
+set -eo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+exec "$SCRIPT_DIR/lib/helper.sh" \
+	"Tails" \
+	"https://tails.boum.org/tails-signing.key" \
+	"tails@boum.org" \
+	"initrd/etc/distro/keys/tails.key"

bin/update_distro_signing_keys.sh

@@ -0,0 +1,48 @@
+#! /usr/bin/env bash
+# Update all distro signing keys in initrd/etc/distro/keys/.
+# Auto-discovers and runs every script in bin/update_distro_signing_key/
+# except helper.sh.  Adding a new distro only requires adding a new script
+# in that directory — this meta script needs no changes.
+#
+# Exit codes:
+#   0  — all keys up to date, no action needed
+#   1  — one or more keys changed (review with git diff, then commit)
+#   2  — one or more per-distro scripts failed (download/import error)
+
+set -eo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SUBDIR="$SCRIPT_DIR/update_distro_signing_key"
+
+failed=()
+
+for script in "$SUBDIR"/*.sh; do
+	if ! "$script"; then
+		failed+=("$(basename "$script")")
+	fi
+	echo ""
+done
+
+echo "========================================"
+
+# Summarize git-changed key files
+mapfile -t changed < <(git -C "$SCRIPT_DIR/.." diff --name-only -- initrd/etc/distro/keys/)
+
+if [ ${#failed[@]} -gt 0 ]; then
+	echo "FAILED: ${failed[*]}"
+fi
+
+if [ ${#changed[@]} -gt 0 ]; then
+	echo "Keys that changed:"
+	for f in "${changed[@]}"; do echo "  $f"; done
+	echo ""
+	echo "Commit all changes with:"
+	echo "  git add initrd/etc/distro/keys/"
+	echo "  git commit -s -S -m 'distro/keys: update distro signing keys'"
+	[ ${#failed[@]} -gt 0 ] && exit 2
+	exit 1
+else
+	echo "All keys are up to date."
+	[ ${#failed[@]} -gt 0 ] && exit 2
+	exit 0
+fi

initrd/etc/distro/keys/archlinux.key

@@ -1,21 +1,14 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
 mDMEY1+RVxYJKwYBBAHaRw8BAQdAd3XdZwOmmiALePwd26Bu3hPblAfHflGN+Lud
-gE2Qyby0JFBpZXJyZSBTY2htaXR6IDxwaWVycmVAYXJjaGxpbnV4LmRlPoiWBBMW
-CAA+AhsDBQkcMgSABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEEPoDKGouJ9py6
-V9mKdqXvkFREmlwFAmNfk2gACgkQdqXvkFREmlzdiwD9Hf7TDfxBrJ1YwpD9lLtU
-VI4Kpze3P5deOb5REsGE5ocBAPn7WymPFoTUfrrxfmlsqZtSz+2D5GdXEWQYOTqU
-vu0MtCVQaWVycmUgU2NobWl0eiA8cGllcnJlQGFyY2hsaW51eC5vcmc+iJkEExYI
-AEECGwMFCRwyBIAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQQ+gMoai4n2nLpX
-2Yp2pe+QVESaXAUCY1+TaAIZAQAKCRB2pe+QVESaXLQPAQCFeOXY4m9LPfMDNzrO
-IElLyh+w9p9PBa80AsAsjXGC1gEAy9Ymc3jnAj2MJDnby3b5WyNzDbjBMKVhv2Cv
-mDln0Aq4MwRjX5HTFgkrBgEEAdpHDwEBB0DjSWuxVrnVYEIcJlRJPmn54ReBGvqP
-+EYB2BVx5ZFPv4h+BBgWCAAmFiEEPoDKGouJ9py6V9mKdqXvkFREmlwFAmNfkdMC
-GyAFCRwyBIAACgkQdqXvkFREmlzEGwEAwvDuiUn1Mgw0x7/m0hXzveAAgLVdJWD+
-0/YiepxE9GoA/jCgNca2AuWyi416FYQkFtqtlIjWUb56hY5WlBvpNZIOuDgEY1+R
-VxIKKwYBBAGXVQEFAQEHQIhe0t8UMpN+G4c24ByW/Y1vu1m3C62KsvlRPzw/R0AN
-AwEIB4h+BBgWCAAmFiEEPoDKGouJ9py6V9mKdqXvkFREmlwFAmNfkVcCGwwFCRwy
-BIAACgkQdqXvkFREmlynZgD+PlibATlapVxz6EprGMfnktevUlfWQwShRJ+w/x8I
-zyAA/0nOvoE7j4sdvg4QoW/s2nPYaDy8EK/XAMRT15eScYIH
-=FFYH
+gE2Qyby0JVBpZXJyZSBTY2htaXR6IDxwaWVycmVAYXJjaGxpbnV4Lm9yZz6ImQQT
+FggAQQIbAwUJHDIEgAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBD6AyhqLifac
+ulfZinal75BURJpcBQJjX5NoAhkBAAoJEHal75BURJpctA8BAIV45djib0s98wM3
+Os4gSUvKH7D2n08FrzQCwCyNcYLWAQDL1iZzeOcCPYwkOdvLdvlbI3MNuMEwpWG/
+YK+YOWfQCrQkUGllcnJlIFNjaG1pdHogPHBpZXJyZUBhcmNobGludXguZGU+iJYE
+ExYIAD4CGwMFCRwyBIAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQQ+gMoai4n2
+nLpX2Yp2pe+QVESaXAUCY1+TaAAKCRB2pe+QVESaXN2LAP0d/tMN/EGsnVjCkP2U
+u1RUjgqnN7c/l145vlESwYTmhwEA+ftbKY8WhNR+uvF+aWypm1LP7YPkZ1cRZBg5
+OpS+7Qw=
+=6aX0
 -----END PGP PUBLIC KEY BLOCK-----