5 orig_domain=$domain date=$(date +%Y-%m-%d)
7 ## The key types are adorned with bit lengths. Work out the raw key type
10 for kt in $keytypes; do
11 rawkeytypes="$rawkeytypes ${kt%:*}"
14 ## Start a new output directory.
17 exec 3<etc/hosts 4>publish.new/hosts.list 5>publish.new/known_hosts
18 echo ":certificate-authority" >&4
19 for kt in $rawkeytypes; do
20 cp ca/ca-$kt.pub publish.new/
21 read pub <ca/ca-$kt.pub
22 echo "@cert-authority $scope $pub" |
23 tee publish.new/ca-$kt.entry >&4
24 ssh-keygen -lv -fca/ca-$kt.pub | sed 's,^,| ,' >&4
27 ## Sign the various host keys.
29 echo >&5 "### BEGIN $domain KEYS (generated $date)"
30 while read line <&3; do
32 ## Ignore comments and empty lines.
34 "#"* | "") continue ;;
39 ## Read the host line.
43 @*) echo >&2 "$0: unknown directive \`$1'"; exit 1 ;;
49 ## If this is a different host, then start a new section of the list.
52 *) { echo; echo ":host $host"; } >&4 ;;
56 ## Build a list of names for the host.
59 .*) for h in $nicks; do names=${names:+$names,}$h$n.$domain; done ;;
60 *.* | *:*) names=${names:+$names,}$n ;;
61 *) nicks=${nicks:+$nicks }$n names=${names:+$names,}$n.$domain ;;
66 for kt in $rawkeytypes; do
67 if [ ! -f host/$host-$kt.pub ]; then continue; fi
68 cp host/$host-$kt.pub publish.new/
69 ssh-keygen -q -tv00 -sca/ca-$kt \
70 -h -I"$cacomment:$host.$domain" -n$names \
72 publish.new/$host-$kt.pub
73 mv publish.new/$host-$kt-cert.pub \
74 publish.new/$host-$kt.cert
76 { printf "%s " $names; cat host/$host-$kt.pub; } >&$fd
78 ssh-keygen -lv -fhost/$host-$kt.pub | sed 's,^,| ,' >&4
81 echo >&5 "### END $domain KEYS"
85 run_gpg --armor -o publish.new/hosts.asc \
86 --clearsign publish.new/hosts.list
87 rm publish.new/hosts.list
89 ## Include a copy of the public key.
90 run_gpg --export --armor -o publish.new/ca-gnupg.asc
93 if [ -d publish ]; then
95 mv publish publish.old
97 mv publish.new publish