#!/bin/sh
#
# Document how to create new GPG key for signing the APT repository.
# This process is repeated every three years (see 3y expire below).
#
# The key definition format is described in
# https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html

set -e

. $(dirname $0)/uiorepo-paths

PUBKEY=$outdir/archive-key.asc
if [ -e $PUBKEY ] ; then
   echo "error: public key $PUBKEY already exist, aborting"
   exit
fi

YEAR=$(date +%Y)
GNUPGHOME=/site/deb/usit-automatic-signing-key

KEYID="USIT's APT archive automatic signing key $YEAR"

# Fairly large, somewhat non-standard.  Not sure what a good number is.
KEYLEN=3965

KEYDEF=$GNUPGHOME/new-key-definition
cat > $KEYDEF <<EOF
    %echo Generating a basic OpenPGP key
    %no-protection
    Key-Type: RSA
    Key-Length: $KEYLEN
    Subkey-Type: RSA
    Subkey-Length: $KEYLEN
    Name-Real: $KEYID
    Name-Email: unix-drift@usit.uio.no
    Expire-Date: 3y
    # Do a commit here, so that we can later print "done" :-)
    %commit
    %echo done
EOF

# Make sure all GPG commands operate on the target directory
export GNUPGHOME

# Create directory as gpg2 --gen-key refuses to do it and fail when it
# is missing.
mkdir -p $GNUPGHOME/private-keys-v1.d

# Using GPG v1 to stay compatible with reprepro in Debian Stretch
gpg2 --verbose --batch --gen-key $KEYDEF
gpg2 --export --armor > $PUBKEY

echo "Remember to update the usit-archive-keyring package"