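#!/usr/bin/env bash
# preset-signing-passphrase.sh — Cache the signing subkey passphrase in the
# dedicated signing agent so that automated builds can sign without a prompt.
#
# Run this ONCE in an interactive terminal after system boot (or after the
# agent cache expires). The passphrase is cached for 24 h (see gpg-agent.conf).
#
# Usage:
#   ./tools/preset-signing-passphrase.sh
#
# The script will prompt for the passphrase via the terminal (not pinentry).
#
# Environment:
#   GNUPGHOME  home directory of the dedicated signing agent
#              (default: $HOME/.gnupg-signing)
#   KEYGRIP    keygrip of the signing subkey to preset
#              (default: the value hard-coded below)
#
# Notes:
#   - gpg-preset-passphrase is only accepted by the agent when its
#     gpg-agent.conf contains "allow-preset-passphrase"; otherwise the
#     preset step fails and this script exits non-zero.
#   - Never run this with `bash -x` / `set -x`: the passphrase would be
#     written to the trace output.

set -euo pipefail

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg-signing}"
KEYGRIP="${KEYGRIP:-619844703EC398E70B0045D7150F08179CFEEFE3}"
GPG_PRESET="/usr/lib/gnupg/gpg-preset-passphrase"
readonly KEYGRIP GPG_PRESET

# Print an error on stderr and exit with status 1.
die() { printf 'Error: %s\n' "$*" >&2; exit 1; }

[[ -x "$GPG_PRESET" ]] || die "gpg-preset-passphrase not found at $GPG_PRESET"

# Ensure the agent is running with our config. A failure here is tolerated on
# purpose: the preset step below talks to the agent again and any real problem
# surfaces there as a non-zero exit (which set -e turns into an abort).
GNUPGHOME="$GNUPGHOME" gpg-connect-agent --homedir "$GNUPGHOME" /bye >/dev/null 2>&1 || true

# Read the passphrase without echoing it. IFS= keeps leading/trailing
# whitespace (a plain `read` would strip it and cache a wrong passphrase);
# -r keeps backslashes literal.
printf 'Signing subkey passphrase: '
IFS= read -rs PASSPHRASE
printf '\n'

# Refuse to cache an empty passphrase: an accidental Enter would otherwise
# preset a useless value and the 24 h TTL would hide the mistake.
[[ -n "$PASSPHRASE" ]] || die "empty passphrase, nothing cached"

# printf '%s' instead of echo -n: echo would misinterpret a passphrase such as
# "-e" or "-n" as options. With pipefail the pipeline's status is that of
# gpg-preset-passphrase, so a rejected preset aborts the script.
printf '%s' "$PASSPHRASE" | GNUPGHOME="$GNUPGHOME" "$GPG_PRESET" --homedir "$GNUPGHOME" --preset "$KEYGRIP"

# Drop the secret from the shell environment as soon as it has been handed over.
unset PASSPHRASE

echo "Passphrase cached for keygrip $KEYGRIP (24 h TTL)."
echo "Test: GNUPGHOME=$GNUPGHOME gpg --homedir $GNUPGHOME --batch --detach-sign --armor --output /dev/null /dev/null"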