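#!/bin/bash
#
# gpg-verify: check that an armored PGP signature over a nonce was made by a
# key whose fingerprint is listed in a DN42 maintainer (mntner) object.
#
# Usage: gpg-verify <username|new> <nonce> <key-url> <armored-signature>
#
# All stdout/stderr is appended to /var/log/gpg-verify.log. A one-line notice
# is sent to the socat endpoint configured as NOTIFY_TO in /opt/autopeer/config.
#
# Exit codes:
#   0  signature valid and fingerprint authorised for the given user
#   1  fell through without a decision (not expected to happen)
#   2  wrong argument count or malformed username
#   3  gpgv reported no VALIDSIG line
#   4  the VALIDSIG line carried no usable fingerprint
#   5  username is "new" but no mntner object lists this fingerprint
#   6  the named mntner object does not list this fingerprint
#   7  the key could not be fetched or dearmored

set -o pipefail
exec &>>/var/log/gpg-verify.log

if [[ $# -ne 4 ]]; then
	exit 2
fi

username="$1"
nonce="$2"
key="$3"
sig="$4"

# The username is later used as part of a path under the registry checkout, so
# only a plain mntner-style token is accepted; anything else (e.g. "../") is
# rejected before any network access happens. "new" passes this check.
if [[ ! "$username" =~ ^[A-Za-z0-9_-]+$ ]]; then
	exit 2
fi

cd /opt/autopeer || exit 1
NOTIFY_TO="$(python3 -c 'import config; print(config.NOTIFY_TO)')"
# Best-effort notification; its failure does not change the verdict.
printf '%s\n' "[autopeer $(hostname -f)] pgp: $username $key" | socat stdio "$NOTIFY_TO"

keyring="$(mktemp)" || exit 7
# The keyring holds caller-supplied data; remove it on every exit path.
trap 'rm -f -- "$keyring"' EXIT

# The key URL comes from the caller: allow only http(s) (also across redirects),
# stop option parsing with "--", and bound time and size. With pipefail a curl
# failure also fails the pipeline, so a half-written keyring is never used.
curl -sL --proto '=http,https' --proto-redir '=http,https' \
	--max-time 30 --max-filesize 1048576 -- "$key" \
	| gpg -o - --dearmor >"$keyring" || exit 7

# The sed re-inserts the blank line after the armor header, presumably because
# the caller's transport may have collapsed it. printf avoids echo interpreting
# a signature or nonce that starts with "-n"/"-e".
gpgv_out="$(gpgv --status-fd 1 --keyring "$keyring" \
	<(printf '%s\n' "$sig" | sed 's/-----BEGIN PGP SIGNATURE-----/&\n\n/') \
	<(printf '%s\n' "$nonce"))"
# Example status line; field 12 is the primary key fingerprint:
#[GNUPG:] VALIDSIG 1449565B711BABA3BC5347AE66B26E9D823D8647 2026-05-18 1779109475 0 4 0 22 10 00 1449565B711BABA3BC5347AE66B26E9D823D8647

echo "keyring: $keyring"
printf '%s\n' "$gpgv_out"

# Only the first VALIDSIG line is used; a multi-signature block would otherwise
# produce a multi-line fingerprint that breaks the registry greps below.
validsig_line="$(printf '%s\n' "$gpgv_out" | grep -P '^\[GNUPG:\] VALIDSIG ' | head -n 1)"
if [[ -z "$validsig_line" ]]; then
	exit 3
fi

verified_key="$(printf '%s\n' "$validsig_line" | cut -d' ' -f12)"
# A fingerprint is hex only; anything else means the status line was not in the
# expected shape, so refuse rather than feed it into the registry lookup.
if [[ ! "$verified_key" =~ ^[0-9A-Fa-f]+$ ]]; then
	exit 4
fi

registry_mntner_dir=/opt/autopeer/dn42-registry/data/mntner
# \Q...\E keeps the fingerprint literal inside the PCRE pattern.
fp_pattern='^\s*auth:\s*pgp-fingerprint\s+\Q'"$verified_key"'\E(\s|$)'

if [[ "$username" == "new" ]]; then
	# Pick the first mntner object that lists this fingerprint and derive a
	# login name from its file name (FOO-MNT -> foo). Emptiness is tested
	# rather than the pipeline status, since head closing the pipe early can
	# make grep report a non-zero status even when there was a match.
	new_user="$(grep -l -s -r -P "$fp_pattern" "$registry_mntner_dir"/ \
		| perl -ne 's@^.*/@@; s@-MNT$@@; print lc;' | head -1)"
	if [[ -z "$new_user" ]]; then
		exit 5
	fi
	echo "making $new_user"
	# NOTE(review): this exit makes the account-creation block below
	# unreachable; it looks like a debug/disable guard — confirm the intent
	# before removing it.
	exit 0
	if getent passwd "$new_user" &>/dev/null; then
		exit 0
	fi
	printf '%s\n' "[autopeer $(hostname -f)] New user being created: $new_user from $key $verified_key" | socat stdio "$NOTIFY_TO"
	/usr/sbin/adduser --disabled-password --quiet --comment "created at $(date +%s) by $verified_key" --ingroup autopeer "$new_user"
	/usr/sbin/adduser "$new_user" bird
	# Per-user log files, created with owner-only permissions.
	( umask 0077; touch "/var/log/autopeer/$new_user".{tim,io}; )
	chown "$new_user" "/var/log/autopeer/$new_user".{tim,io}
	exit 0
fi

# Existing user: the mntner object must be <USERNAME>-MNT and list this
# fingerprint. The username was validated above, so it cannot leave the
# registry directory.
mntner_file="$registry_mntner_dir/${username^^}-MNT"
if grep -q -s -P "$fp_pattern" "$mntner_file"; then
	exit 0
fi
exit 6

exit 1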