Initial release
commit
172e3884c8
5 changed files with 233 additions and 0 deletions
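--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,37 @@
+# Pre-commit hooks to run tests and ensure code is cleaned.
+# See https://pre-commit.com for more information
+repos:
+- repo: https://github.com/asottile/pyupgrade
+  rev: v3.3.1
+  hooks:
+  - id: pyupgrade
+    args: ['--keep-percent-format', '--py37-plus']
+- repo: https://github.com/psf/black
+  rev: 22.12.0
+  hooks:
+  - id: black
+    args: ['--target-version', 'py37', '--line-length', '100']
+- repo: https://github.com/PyCQA/isort
+  rev: 5.11.5
+  hooks:
+  - id: isort
+    args: ['--profile', 'black', '--line-length', '100']
+- repo: https://github.com/PyCQA/flake8
+  rev: 6.0.0
+  hooks:
+  - id: flake8
+    args: ['--max-line-length=100']
+- repo: local
+  hooks:
+  - id: pylint
+    name: pylint
+    entry: pylint --extension-pkg-whitelist=cx_Oracle
+    language: system
+    types: [python]
+    require_serial: true
+- repo: https://github.com/Lucas-C/pre-commit-hooks-bandit
+  rev: v1.0.5
+  hooks:
+  - id: python-bandit-vulnerability-check
+    name: bandit
+    args: [--skip, "B101", --recursive, mylib]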
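Review bot: The bandit hook's `args: [--skip, "B101", --recursive, mylib]` points at a `mylib` directory that this commit does not create — the only Python code is the root-level `migrate-apt-trusted-keys` script — so the vulnerability check either fails on the missing target or, if bandit tolerates it, scans only whatever file names pre-commit appends. Replace the target with the script, `args: [--skip, "B101", migrate-apt-trusted-keys]`, or drop `--recursive mylib` and let pre-commit supply the staged files. The pylint entry's `--extension-pkg-whitelist=cx_Oracle` also looks carried over from another project, as nothing in this commit imports cx_Oracle.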
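--- a/.pylintrc
+++ b/.pylintrc
@@ -0,0 +1,7 @@
+[MESSAGES CONTROL]
+disable=invalid-name,
+        locally-disabled,
+
+[FORMAT]
+# Maximum number of characters on a single line.
+max-line-length=100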
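--- a/README.md
+++ b/README.md
@@ -0,0 +1,51 @@
+# Migrate APT trusted keys
+
+Script to handle migration of obsolete /etc/apt/trusted.gpg to split GPG
+keyrings in /etc/apt/trusted.gpg.d.
+
+## Installation
+
+```bash
+apt install python3 wget
+wget -O /usr/local/sbin/migrate-apt-trusted-keys \
+    https://gitea.zionetrix.net/bn8/migrate-apt-trusted-keys/raw/branch/main/migrate-apt-trusted-keys
+chmod 750 /usr/local/sbin/migrate-apt-trusted-keys
+```
+
+## Usage
+
+```
+usage: migrate-apt-trusted-keys [-h] [-p KEYRING_PATH] [-o OUTPUT_PATH] [-a]
+                                [-f]
+
+Script to manage the migration from the deprecated /etc/apt/trusted.gpg file
+to splited GPG keyring in /etc/apt/trusted.gpg.d.
+
+options:
+  -h, --help            show this help message and exit
+  -p KEYRING_PATH, --keyring-path KEYRING_PATH
+                        APT keyring file path.
+  -o OUTPUT_PATH, --output-path OUTPUT_PATH
+                        Output directory path.
+  -a, --auto            Migrate all GPG keys, without user interaction.
+  -f, --force           Force mode: overwrite output file if already exists.
+```
+
+## Copyright
+
+Copyright (c) 2023 Benjamin Renard <brenard@zionetrix.net>
+
+## License
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License version 3
+as published by the Free Software Foundation.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.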
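--- a/migrate-apt-trusted-keys
+++ b/migrate-apt-trusted-keys
@@ -0,0 +1,135 @@
+#!/usr/bin/env python3
+#
+# Script to handle migration of obsolete /etc/apt/trusted.gpg to split GPG
+# keyrings in /etc/apt/trusted.gpg.d.
+#
+# Author : Benjamin Renard <brenard@zionetrix.net>
+# Date : Fri, 07 Jul 2023 12:26:54 +0200
+# Source : http://gitea.zionetrix.net/bn8/migrate-apt-trusted-keys
+# Licence : GPL v3
+#
+
+"""
+Script to handle migration of obsolete /etc/apt/trusted.gpg to split GPG
+keyrings in /etc/apt/trusted.gpg.d.
+"""
+
+import argparse
+import os
+import re
+import subprocess
+import sys
+import traceback
+
+# Variables
+raw_output = ""
+
+# Args Parsing
+parser = argparse.ArgumentParser(description=__doc__)
+
+parser.add_argument(
+    "-p", "--keyring-path", help="APT keyring file path.", type=str, default="/etc/apt/trusted.gpg"
+)
+parser.add_argument(
+    "-o", "--output-path", help="Output directory path.", type=str, default="/etc/apt/trusted.gpg.d"
+)
+parser.add_argument(
+    "-a", "--auto", help="Migrate all GPG keys, without user interaction.", action="store_true"
+)
+parser.add_argument(
+    "-f",
+    "--force",
+    help="Force mode: overwrite output file if already exists.",
+    action="store_true",
+)
+
+args = parser.parse_args()
+
+if not os.path.exists(args.keyring_path):
+    parser.error(f"APT keyring file {args.keyring_path} not found.")
+
+if not os.path.isdir(args.output_path):
+    parser.error(f"Output directory {args.output_path} not found (or is not a directory).")
+
+# Execute Command
+process = subprocess.run(
+    args=["gpg", "--keyring", args.keyring_path, "--list-keys"], capture_output=True, check=True
+)
+if process.returncode > 0:
+    print("No fingerprints found!")
+    sys.exit()
+raw_output = str(process.stdout.decode("utf-8"))
+
+all_keys = []
+current_key = None
+key_id_line = re.compile("^ +([0-9A-F]+)$")
+uid_line = re.compile("^uid +.*<[^@]+@([^>]+)>$")
+for line in raw_output.split("\n")[2:]:
+    if not line:
+        continue
+
+    if line.startswith("pub") and current_key:
+        all_keys.append(current_key)
+        current_key = None
+
+    if current_key is None:
+        current_key = {"lines": [], "id": None, "domain": None}
+
+    current_key["lines"].append(line)
+    m = key_id_line.match(line)
+    if m:
+        current_key["id"] = m.group(1)
+    m = uid_line.match(line)
+    if m:
+        current_key["domain"] = m.group(1)
+
+
+if current_key:
+    all_keys.append(current_key)
+
+for key in all_keys:
+    if not args.auto:
+        print("\n\n")
+        print("\n".join(key["lines"]))
+        answer = input("Do you want to migrate this key [Y/n]? ")
+        answer = answer.strip().lower()
+        if answer and answer != "y":
+            continue
+
+    print(f"Migrate key {key['id']}...")
+    name = "-".join(key["domain"].lower().split(".")[:-1]) if key["domain"] else key["id"]
+    name += ".gpg"
+    if not args.auto:
+        answer = input(f"Key name [{name}]? ")
+        name = answer.strip() if answer else name
+
+    output_path = os.path.join(args.output_path, name)
+    print(f"Export key {key['id']} to {output_path}...")
+    try:
+        if os.path.exists(output_path):
+            if not args.force:
+                if args.auto:
+                    print(f"Outfile '{output_path}' already exists, pass")
+                    continue
+                answer = input(f"Outfile '{output_path}' already exists, overwrite [y/N]? ")
+                answer = answer.strip().lower()
+                if answer != "y":
+                    continue
+            print(f"Remove existing output file '{output_path}'")
+            os.remove(output_path)
+
+        # pylint: disable=consider-using-with
+        export_cmd = subprocess.Popen(
+            ("gpg", "--keyring", args.keyring_path, "--export", key["id"]), stdout=subprocess.PIPE
+        )
+        output_cmd = subprocess.check_output(
+            ("gpg", "--dearmour", "-o", output_path), stdin=export_cmd.stdout
+        )
+        export_cmd.wait()
+        print(f"Key {key['id']} exported to {output_path}")
+        print()
+    except Exception:  # pylint: disable=broad-exception-caught
+        print(f"Fail to export key {key['id']} to {output_path}")
+        traceback.print_exc()
+
+# vim: tabstop=4 shiftwidth=4 softtabstop=4 expandtab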
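Review bot: Both gpg calls (the `subprocess.run` with `--list-keys` and the `Popen` with `--export`) pass `--keyring` without `--no-default-keyring`, and gpg treats `--keyring` as adding to its keyring list, so keys from the invoking user's default keyring (root's, given the /etc/apt defaults) are listed alongside the trusted.gpg keys and in `--auto` mode exported into the APT trusted directory; add `"--no-default-keyring"` before `"--keyring"` in both argument sequences. The `if process.returncode > 0` branch is unreachable because `check=True` on the `subprocess.run` call raises `CalledProcessError` first, so a keyring gpg cannot read ends in a traceback instead of the "No fingerprints found!" message. The output file name is derived from `key["domain"]`, which comes from the keyring's uid text through the permissive `([^>]+)` group, and is joined straight into `output_path` without being shown to anyone in `--auto` mode, so a domain containing a path separator or `..` can write — or with `--force` remove — a file outside `args.output_path`; reject such names before the join, e.g. `if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]*", name): continue`. The exit status of `export_cmd.wait()` is discarded and `output_cmd` is never read, so a failed `--export` still prints the success line and may leave an empty dearmoured file behind.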
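--- a/setup.cfg
+++ b/setup.cfg
@@ -0,0 +1,3 @@
+[flake8]
+ignore = E501,W503
+max-line-length = 100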