service-provider-template/.vault/vault-rekey.sh

53 lines
1.0 KiB
Bash
Raw Normal View History

#!/bin/sh
DATE=$(date "+%Y%m%d-%s")
# default key locations
TARGET=".vault/vault-pass.gpg"
KEYFILE=".vault/vault-keys"
# read keys from here, overridden by KEYFILE
#KEYS="XXX"
check_input()
{
if [ -z "$KEYS" ]; then
if [ -z "$1" ]; then
echo >&2 "supply at least one key ID"
exit 1
fi
fi
}
if [ -f "$KEYFILE" ]; then
KEYS="$(cat $KEYFILE | tr '\n' ' ')"
fi
if [ -f "$1" ]; then
TARGET=$1
check_input "$2"
shift
else
if [ -f "$TARGET" ]; then
check_input "$1"
else
echo >&2 "default target not found: $TARGET"
exit 2
fi
fi
# backup existing vault
mv "$TARGET" "$TARGET-$DATE"
# build key list
# loop twice once for the array and once for the flat var to maintain sh compat
for KEY in $KEYS; do KEY_LIST=$KEY_LIST"-r $KEY "; done
for KEY in "$@"; do KEY_LIST=$KEY_LIST"-r $KEY "; done
# rekey target file, ignore shellcheck globbing/word splitting warning
gpg -q -d "$TARGET-$DATE" | gpg -q -e --trust-model always $KEY_LIST -o "$TARGET"
# verification
#md5sum "$TARGET-$DATE"
#md5sum "$TARGET"