sudo bash -c "$(curl -L https://gist.githubusercontent.com/jaredallard/d315c985d2d3d68a5be49784964c56f7/raw/keyring.sh)"
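#!/usr/bin/env bash
# Sets up portage binhost GPG trust for a third-party binhost: the keyring in
# GPG_DIR (created with getuto if it does not exist yet) receives the remote
# signing key, which is then given ultimate owner-trust so that binpkg
# signatures from that host verify.
set -eo pipefail
# GPG_DIR is the directory (used as GNUPGHOME) to establish the trust in.
readonly GPG_DIR="/etc/portage/gnupg"
# Key information: where the remote key is fetched from, and the full
# fingerprint of the one key that is allowed to receive trust.
readonly KEYFILE="https://gentoo.rgst.io/signing.gpg"
readonly KEY_ID="51ADD5251CF9188631F8AFBF9BDB0A58AD3F6FEB"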
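# info prints an info message in bold on stdout.
# Arguments: $1 - message text; printed verbatim via %s, so backslashes in
#                 the message are never interpreted as escapes (echo -e did).
info() {
  printf '\033[1m[INFO] %s\033[0m\n' "$1"
}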
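# success prints a success message in green on stdout.
# Arguments: $1 - message text; printed verbatim via %s, so backslashes in
#                 the message are never interpreted as escapes (echo -e did).
success() {
  printf '\033[1;32m[SUCCESS] %s \033[0m\n' "$1"
}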
# The keyring lives under /etc/portage, so root is required.
if (( EUID != 0 )); then
  echo "This script must be run as root" >&2
  exit 1
fi
# The script takes no arguments; anything passed is a usage error.
if (( $# != 0 )); then
  echo "Usage: $(basename "$0")" >&2
  exit 1
fi
# Scope every gpg call below to GPG_DIR rather than root's own keyring, so the
# trust established here only affects portage.
export GNUPGHOME="${GPG_DIR}"
# A missing GPG_DIR is bootstrapped with getuto, which must therefore be present.
if [[ ! -e "${GPG_DIR}" ]]; then
  if ! command -v getuto >/dev/null 2>&1; then
    echo "Error: getuto is required to run this script" >&2
    exit 1
  fi
  getuto
fi
# Drop the stock Gentoo binhost configuration if present; presumably so that
# the binhost configured further down is the only one in use.
gentooBinhostConf="/etc/portage/binrepos.conf/gentoobinhost.conf"
if [[ -e "$gentooBinhostConf" ]]; then
  info "Removing existing binhost configuration"
  rm -f -- "$gentooBinhostConf"
fi
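# Import the remote key and mark it ultimately trusted, unless the keyring
# already holds a key with the expected fingerprint.
if ! gpg --batch --list-keys "$KEY_ID" >/dev/null 2>&1; then
  info "Importing remote key '$KEY_ID' from '$KEYFILE'"
  # --fail: an HTTP error page must not be piped into gpg --import.
  # --proto '=https': a redirect may not downgrade the fetch to plain HTTP.
  curl --fail --silent --show-error --location --proto '=https' "$KEYFILE" \
    | gpg --batch --import
  # The fetched file may hold any number of keys; only continue if the one
  # we are about to trust is actually present under the expected fingerprint.
  if ! gpg --batch --list-keys "$KEY_ID" >/dev/null 2>&1; then
    echo "Error: '$KEYFILE' did not contain key '$KEY_ID'" >&2
    exit 1
  fi
  info "Setting trust to ultimate for '$KEY_ID'"
  # Ownertrust level 6 is "ultimate" (what option 5 of the interactive
  # 'trust' menu sets); --import-ownertrust needs no menu scripting.
  printf '%s:6:\n' "$KEY_ID" | gpg --batch --import-ownertrust
  echo "=== Signing keys ==="
  gpg --batch --list-keys
  echo "=== End signing keys ==="
  success "Successfully imported remote key '$KEY_ID' from '$KEYFILE' into portage keyring"
else
  info "Remote key '$KEY_ID' already exists in keyring"
fi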
# Write the binrepos.conf entry for this binhost, unless one already exists.
binhostConfFile="/etc/portage/binrepos.conf/rgst.conf"
if [[ ! -e "$binhostConfFile" ]]; then
  info "Creating $binhostConfFile"
  mkdir -p -- "$(dirname "$binhostConfFile")"
  # Quoted delimiter: the entry is literal text, nothing in it is expanded.
  tee -a "$binhostConfFile" <<'EOF'
[rgst]
priority = 1
sync-uri = https://gentoo.rgst.io/t/arm64/asahi
EOF
fi
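# If make.conf does not already enable getbinpkg in FEATURES, offer to add it.
makeConf="/etc/portage/make.conf"
# grep -s: a missing make.conf means "not configured", not an error to print.
if ! grep -s "FEATURES" "$makeConf" | grep -q "getbinpkg"; then
  info "Couldn't find getbinpkg in FEATURES in '$makeConf'"
  info "Would you like to add it? (y/N)"
  read -r -n 1 -s
  if [[ ! $REPLY =~ ^[Yy]$ ]]; then
    exit 0
  fi
  info "Writing to '$makeConf'"
  # Quoted delimiter: ${FEATURES} must reach make.conf literally so portage
  # appends to the existing value. An unquoted heredoc expands it in this
  # script's environment and writes a FEATURES line that replaces the old one.
  tee -a "$makeConf" <<'EOF'
# Fetch binpkgs with signature validation enabled.
FEATURES="${FEATURES} getbinpkg binpkg-request-signature"
EOF
  success "Successfully set up portage binhost GPG trust"
else
  info "Already have getbinpkg in FEATURES in '$makeConf'"
fi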