From 4707d391430ebacd08d00bfcf36360fe982b195a Mon Sep 17 00:00:00 2001
From: steering7253
Date: Mon, 18 May 2026 06:12:21 -0600
Subject: add gpg auth
---
 gpg-verify | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100755 gpg-verify
(limited to 'gpg-verify')
diff --git a/gpg-verify b/gpg-verify
new file mode 100755
index 0000000..615a499
--- /dev/null
+++ b/gpg-verify
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+set -o pipefail
+exec &>>/var/log/gpg-verify.log
+perl -MData::Dumper -e 'print Dumper(\@ARGV);' "$@"
+
+if [ $# -ne 4 ]; then
+ exit 2
+fi
+
+username="$1"
+nonce="$2"
+key="$3"
+sig="$4"
+
+keyring="$(mktemp)"
+curl -sL "$key" | gpg -o - --dearmor >"$keyring" || exit 7
+gpgv_out="$(gpgv --keyring "$keyring" <(echo "$sig" | sed 's/-----BEGIN PGP SIGNATURE-----/&\n\n/') <(echo "$nonce") 2>&1)"
+verified_key="$(echo "$gpgv_out" |& grep -oP 'gpgv:\s*using \S+ key \K.*')"
+
+echo "keyring: $keyring"
+echo "$gpgv_out"
+
+if ! echo "$gpgv_out" | grep -qP 'gpgv: Good signature from'; then
+ exit 3
+fi
+
+if [ -z "$verified_key" ]; then
+ exit 4
+fi
+
+if [ "$username" = "new" ]; then
+ if new_user="$(grep -l -s -r -P '^\s*auth:\s*pgp-fingerprint\s+\Q'"$verified_key"'\E(\s|$)' /opt/autopeer/dn42-registry/data/mntner/ | perl -ne 's@^.*/@@; s@-MNT$@@; print lc;' | head -1)"; then
+ echo "making $new_user"; exit 0
+ if getent passwd "$new_user" &>/dev/null; then
+ exit 0
+ else
+ echo "[autopeer $(hostname -f)] New user being created: $new_user from $key $connection" | socat stdio "$NOTIFY_TO"
+ /usr/sbin/adduser --disabled-password --quiet --comment "created at $(date +%s) by $key ${connection//:/_}" --ingroup autopeer "$new_user"
+ /usr/sbin/adduser "$new_user" bird
+ ( umask 0077; touch "/var/log/autopeer/$new_user".{tim,io}; )
+ chown "$new_user" "/var/log/autopeer/$new_user".{tim,io}
+ exit 0
+ fi
+ else
+ exit 5
+ fi
+else
+ if grep -q -s -P '^\s*auth:\s*pgp-fingerprint\s+\Q'"$verified_key"'\E(\s|$)' /opt/autopeer/dn42-registry/data/mntner/"$(echo "$username" | perl -ne 's@$@-MNT@; print uc;')"; then
+ exit 0
+ else
+ exit 6
+ fi
+fi
+
+
+exit 1
-- 
cgit v1.3.1-10-gc9f91
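Review bot: `username` is used unvalidated to build the registry path in the `grep -q -s -P … /opt/autopeer/dn42-registry/data/mntner/"$(echo "$username" | …)"` line of the `else` branch, so a value containing `/` or `..` makes grep read a file outside `mntner/`; restrict it next to the argument-count check, e.g. `[[ "$username" =~ ^[A-Za-z0-9_-]+$ ]] || exit 2`. The verification parses gpgv's human-readable output: the `Good signature from` test and the `using \S+ key \K` capture are taken from independent lines, so when `$sig` carries more than one signature the captured key may not be the one that produced the good signature, and the wording is locale- and version-dependent; `gpgv --status-fd 1` with a match on the `VALIDSIG` status line ties the fingerprint to the verified signature and is stable across versions. The `keyring` file from `mktemp` is never removed — add `trap 'rm -f -- "$keyring"' EXIT` right after it. In the `new` branch, `echo "making $new_user"; exit 0` returns before the `getent`/`adduser` block, so that block is unreachable as committed; if it is a deliberate stub, say so in a comment, and note that `$connection` is read there but never assigned in this file.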