
What is the best way to automatically sign/certify keys?

What i came up with is:

gpg --yes --no-tty --sign-key "mail@example.com"

but --yes is somehow ignored, and with --no-tty it just fails.

echo "y" | gpg --sign-key "mail@example.com"

does not work either.

Cœur
x539



Take it as it is, but I came up with this bash script; it uses gpg2, but you can easily change the GPG variable. I assume it would also work with gpg, but I have not tried.

#!/bin/bash
# /usr/local/bin/gpgsign.sh
#
# Signs the input key ID, using the keyring found in the .gnupg folder of the current directory.
#
# Usage:
# gpgsign.sh *key_id*

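#######################################
# Print the command-line usage and abort.
# Outputs:   usage text on stderr, so it never ends up in piped stdout data
# Returns:   exits with status 1 (kept as in the original for callers)
#######################################
do_usage() {
    printf 'Usage:\ngpgsign.sh *key_id*\n' >&2
    exit 1
}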

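#######################################
# Report a failed step and abort.
# Outputs:   "Failed!" on stderr (a diagnostic, so it stays out of stdout)
# Returns:   exits with status 1
#######################################
do_fail() {
  printf '\nFailed!\n' >&2
  exit 1
}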

#######################################
# Report a user-initiated cancel and stop.
# Outputs:   "Canceled!" on stdout, preceded by a blank line
# Returns:   exits with status 0 (cancelling is not an error)
#######################################
do_cancel() {
  printf '\n%s\n' 'Canceled!'
  exit 0
}

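[[ $# -eq 1 ]] || do_usage

# Absolute path, so a PATH lookup cannot substitute another binary; point it at
# /usr/bin/gpg to try the classic gpg (untested by the original author).
GPG="/usr/bin/gpg2"
# The keyring is ./.gnupg, relative to the directory the script is run from,
# not the user's ~/.gnupg. Running from another directory uses (or creates)
# a different keyring.
GPG_FOLDER=.gnupg
KEY_ID=$1
# One option per array element: word-splitting a string would break on a
# homedir path containing spaces, and the folder is now taken from GPG_FOLDER
# instead of being hard-coded a second time.
COMMON_OPTS=(--no-default-keyring --homedir "$GPG_FOLDER")

# Machine-readable listing: the human-readable "sec 2048R/KEYID" form the
# original parsed is not produced by gpg 2.1+. In a "sec" record field 5 is
# the (long) key ID. Only the first secret key is used; joining several IDs
# into one string, as the original did, produced an unusable grep pattern
# and file name.
SECRET_KEY_ID=$("$GPG" "${COMMON_OPTS[@]}" --list-secret-keys --with-colons \
  | awk -F: '$1 == "sec" { print $5; exit }')
if [[ -z "$SECRET_KEY_ID" ]]; then
  printf 'No secret key found in %s\n' "$GPG_FOLDER" >&2
  do_fail
fi
KEY_ID_SIGNED_FILE="$KEY_ID.signed-by.$SECRET_KEY_ID.asc"

#######################################
# Ask a yes/no question and read one keystroke without echoing it.
# Arguments: $1 - prompt text, printed without a trailing newline
# Returns:   0 if the key pressed was y/Y, 1 otherwise
#######################################
confirm() {
  local answer
  printf '%s' "$1"
  # -s: no echo (replaces the stty raw/-echo dance, which fails when stdin is
  # not a terminal); -n 1: a single keystroke; -r: keep backslashes literal.
  read -r -s -n 1 answer
  printf '\n'
  [[ "$answer" == [yY] ]]
}

printf 'Showing the current keyring...'
"$GPG" "${COMMON_OPTS[@]}" -K

# KEY_ID may be a key ID, a fingerprint or an e-mail address. For a keyserver
# retrieval only the full fingerprint pins down one key; a lookup by e-mail or
# short ID can be satisfied by any key that claims that address or ID.
confirm "It is necessary to retrieve key $KEY_ID, proceed (y/n)? " || do_cancel
printf 'Downloading...\n'
"$GPG" "${COMMON_OPTS[@]}" --recv-keys "$KEY_ID" || do_fail

# Show the fingerprint so it can be checked against an out-of-band source
# before a certification signature is put on the key.
"$GPG" "${COMMON_OPTS[@]}" --fingerprint "$KEY_ID"
confirm "Sign $KEY_ID (y/n)? " || do_cancel
"$GPG" "${COMMON_OPTS[@]}" --sign-key "$KEY_ID" || do_fail

"$GPG" "${COMMON_OPTS[@]}" --list-sigs "$KEY_ID"

# Look for a "sig" record whose signer (field 5) is our own secret key, instead
# of grepping the key ID anywhere in the human-readable listing (which also
# matched uid lines and depended on the short/long ID format of the gpg build).
WAS_SIGNED=$("$GPG" "${COMMON_OPTS[@]}" --list-sigs --with-colons "$KEY_ID" \
  | awk -F: -v k="$SECRET_KEY_ID" '$1 == "sig" && $5 == k { print $1; exit }')

if [[ "$WAS_SIGNED" == "sig" ]]; then
  if confirm "Key $KEY_ID is currently signed, upload to keyserver (y/n)? "; then
    printf 'Uploading...\n'
    "$GPG" "${COMMON_OPTS[@]}" --send-keys "$KEY_ID" || do_fail
  else
    printf 'NOTE: key %s has been signed, during this or previous sessions, by the local\n%s identity. A file has been created in the current folder containing the new signed key,\n%s, ready to be sent either to a key server or the key owner.\n' \
      "$KEY_ID" "$GPG_FOLDER" "$KEY_ID_SIGNED_FILE"
    # Quoted target: a KEY_ID given as an e-mail address or with spaces must
    # not be word-split into several redirection targets.
    "$GPG" "${COMMON_OPTS[@]}" --armor --export "$KEY_ID" > "$KEY_ID_SIGNED_FILE" || do_fail
  fi
else
  do_cancel
fi

printf '\nDone!\n'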
Andrea Richiardi