mirror of https://github.com/rapid7/metasploit-framework synced 2024-10-29 18:07:27 +01:00
metasploit-framework/tools/dev/sign-dev-keys.sh
Tod Beardsley 7a321c7350
Import, sign, and publish signed dev keys
This largely automates the process of importing developer keys,
much like `import-dev-keys.sh`, but also takes the additional, sadly
manual step of signing the key with your default key, and uploading
those keys to https://sks-keyservers.net.

In effect, you are stating that you trust keys published on keybase.io
and are listed as such on the official Metasploit-Framework development
wiki.

If your own default key either has no passphrase, or has a passphrase
cached in a keymanager, the process merely requires you hit `y` for
every key, and `y` again for keys with multiple IDs. Otherwise, you
will need to provide your passphrase for each signing. Temporarily
removing the passphrase alleviates this pain.

Of course, this assumes you actually trust the development wiki
and keybase to do the right thing. The tradition is to individually
verify each key through some personally invented means, such as in
person with a government ID check.

Note that `import-dev-keys.sh` currently lists a number of keys
not on Keybase, and that functionality has not been carried over
to this script.
2016-07-06 10:33:02 -05:00

27 lines
799 B
Bash
Executable File

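#!/bin/bash
# Imports and signs dev keys fetched from Keybase, as asserted by the
# Metasploit-Framework development wiki. Requires bash version 3 or so for
# regular expression pattern match
COMMITTER_KEYS_URL='https://raw.githubusercontent.com/wiki/rapid7/metasploit-framework/Committer-Keys.md'

# Pull every keybase.io profile link out of the wiki table and turn it into
# the URL of that user's ASCII-armored public key.
KEYBASE_KEY_URLS=$(
  \curl -sSL "$COMMITTER_KEYS_URL" |
  \awk '$4 ~/https:\/\/keybase.io\//' |
  \sed 's#.*\(https://keybase.io/[^)]*\).*#\1/key.asc#'
)

for key in $KEYBASE_KEY_URLS; do
  echo "[*] Importing $key"
  # Take the third word of gpg's first output line (expected to look like
  # "gpg: key <ID>: ...") as the key ID.
  THIS_KEY=$(
    \curl -sSL "$key" |
    \gpg --no-auto-check-trustdb --import - 2>&1 |
    \head -1 | \cut -f 3 -d " " | \sed 's/://'
  )
  # If the download or import failed, that word is empty or not hex: skip it
  # rather than handing garbage to --sign-key.
  case "$THIS_KEY" in
    ''|*[!0-9A-Fa-f]*)
      echo "[!] Could not import $key, skipping" >&2
      continue
      ;;
  esac
  echo "[*] Signing $THIS_KEY"
  \gpg --sign-key "$THIS_KEY"
  echo "[*] Sending $THIS_KEY"
  \gpg --keyserver sks-keyservers.net --send-key "$THIS_KEY"
done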
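
The script signs whatever key Keybase returns for each wiki link, so the signature vouches for the wiki and Keybase rather than for a verified key. The following is an added example, not part of the Metasploit repository, that signs only when the downloaded key's primary fingerprint matches one you verified out of band. The function names and the sample key listing are constructed for illustration, and `sign_if_pinned` assumes GnuPG 2.2 or later for `--show-keys`.

```shell
#!/bin/bash
# Added example: gate --sign-key on a fingerprint verified out of band.
# All key material below is constructed, not a real committer key.

# Constructed `gpg --with-colons` listing for one key with one subkey.
SAMPLE_COLONS='pub:-:4096:1:89ABCDEF01234567:1467800000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1467800000::::Example Dev <dev@example.invalid>:
sub:-:4096:1:0123456789ABCDEF:1467800000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA980123456789ABCDEF:'

# Print the fingerprint of the primary key described on stdin. Fails unless
# the listing holds exactly one primary key, so a key.asc bundling an extra
# key cannot ride along. Subkey "fpr" records are ignored.
sole_primary_fpr() {
  awk -F: '$1 == "pub" { n++; want = 1; next }
           $1 == "fpr" && want { fpr = $10; want = 0 }
           $1 == "sub" { want = 0 }
           END { if (n == 1 && fpr != "") print fpr; else exit 1 }'
}

# verify_pinned EXPECTED_FPR < listing: succeed only on an exact match.
verify_pinned() {
  vp_expected=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
  vp_actual=$(sole_primary_fpr) || return 1
  [ "$vp_actual" = "$vp_expected" ]
}

# sign_if_pinned KEYFILE EXPECTED_FPR: inspect KEYFILE without importing it
# (--show-keys), then import and sign only if the fingerprint matches.
sign_if_pinned() {
  if gpg --show-keys --with-colons "$1" 2>/dev/null | verify_pinned "$2"; then
    gpg --no-auto-check-trustdb --import "$1" &&
      gpg --sign-key "$(printf '%s' "$2" | tr -d ' ')"
  else
    echo "[!] $1: fingerprint does not match the pinned value, not signing" >&2
    return 1
  fi
}
```

In the loop above, this would replace the direct import: save each `key.asc` to a temporary file and call `sign_if_pinned` with the fingerprint you verified for that committer.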