feat: find PGP keys from within the linter

- Find PGP keys using the same methods as other scripts;
- Lower threshold to 30 days by default;
- Add environment variable to set threshold;
- Add colors to distinguish expired from expires soon; and
- Add days until key expiration when it is below threshold.
This commit is contained in:
Ben Grande 2024-07-11 15:25:51 +02:00
parent 7a0fac1dbb
commit 04d1aaf63e
No known key found for this signature in database
GPG Key ID: 00C64E14F51F9E56
2 changed files with 85 additions and 30 deletions

View File

@ -24,4 +24,4 @@ jobs:
with:
fetch-depth: 0
- name: Discover keys that are expired or close to expiration date
run: scripts/pgp-lint.sh $(find -type f -name "*.asc")
run: scripts/pgp-lint.sh

View File

@ -6,44 +6,99 @@
set -eu
command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; }
repo_toplevel="$(git rev-parse --show-toplevel)"
test -d "${repo_toplevel}" || exit 1
unset repo_toplevel
now="$(date +%s)"
fail="0"
if test -z "${1-}"; then
echo "No file provided" >&2
exit 1
find_tool="$(./scripts/best-program.sh fd fdfind find)"
if test -n "${1-}"; then
files=""
for f in "${@}"; do
test -f "${f}" || continue
test -r "${f}" || continue
extension="${f##*.}"
case "${extension}" in
asc|gpg) files="${files} ${f}";;
*) continue;;
esac
done
else
case "${find_tool}" in
fd|fdfind)
files="$(${find_tool} . -H -t f -e asc -e gpg | sort -d)"
;;
find)
files="$(find . -type f \( -name '*.asc' -o -name '*.gpg' \) | sort -d)"
;;
*) echo "Unsupported find tool" >&2; exit 1;;
esac
fi
for key in "${@}"; do
if test -z "${files}"; then
exit 0
fi
for key in ${files}; do
data="$(gpg --no-keyring --no-auto-check-trustdb --no-autostart \
--with-colons --show-keys "${key}")"
nr="$(echo "${data}" | awk '/^(p|s)ub:/' | wc -l | cut -d " " -f1)"
--with-colons --show-keys "${key}")"
nr="$(echo "${data}" | grep -Ec '^(p|s)ub:')"
## Threshold in days.
threshold="${PGP_LINT_THRESHOLD:-30}"
tty_stderr=0
if test -t 2; then
tty_stderr=1
fi
echo "${data}" | awk -v fail="0" -v key="${key}" -v nr="${nr}" \
-v now="${now}" -F ':' '/^(p|s)ub:/ {
nlines++;
if ($7=="") {
if (nlines==nr) { if (fail==1) { exit 1; }; }
next
-v threshold="${threshold}" -v now="${now}" -v color="${tty_stderr}" \
-F ':' '
BEGIN {
MAGENTA = ""
YELLOW = ""
RED = ""
RESET = ""
if (color == 1) {
MAGENTA = "\033[1;35m"
YELLOW = "\033[1;33m"
RED = "\033[1;31m"
RESET = "\033[0m"
}
}
if ($7<now) {
print key ": expired:", $5 >"/dev/stderr";
fail=1
if (nlines==nr) { if (fail==1) { exit 1; }; }
next
}
/^(p|s)ub:/{
# 60 days
else if (($7-now)<(60*60*24*60)) {
print key ": expires soon:", $5 >"/dev/stderr";
fail=1
if (nlines==nr) { if (fail==1) { exit 1; }; }
next
}
nlines++
if (fail==1) {
exit 1
}
}' || fail="1"
if ($7 == "") {
if (nlines == nr ) { if (fail == 1) { exit 1 } }
next
}
if ($7 < now) {
message = MAGENTA key RESET ":" RED " expired " RESET ": " $5
print message >"/dev/stderr"
fail = 1
if (nlines == nr ) { if (fail == 1) { exit 1 } }
next
}
else if (($7 - now) < (60 * 60 * 24 * threshold )) {
remaining_days = int(($7 - now) / (60 * 60 * 24))
message_prefix = MAGENTA key RESET ":" YELLOW " expires in "
message_suffix = remaining_days " days" RESET ": " $5
message = message_prefix message_suffix
print message >"/dev/stderr"
fail = 1
if (nlines == nr ) { if (fail == 1) { exit 1 } }
next
}
if (fail == 1) {
exit 1
}
}' || fail="1"
done
if test "${fail}" = "1"; then