The existing arrangement of writing the updated files to a local directory
is satisfactory for simple situations, but it's not actually desirable
to handle sensitive cryptographic keys (e.g., the TrIPE master key!) on
the same machine as a public-facing web server.
The upload-hook can contain an arbitrary shell-command, though it'll
typically be an invocation of rsync or similar.
.I hk-master
The fingerprint of the current master signing key. No default. Usually
set up automatically.
+.TP
+.I upload-hook
+A shell command to run by
+.B tripe-keys upload
+after it has successfully written the
+.I repos-file
+and
+.IR sig-file s.
+Default is
+.B ": run upload hook"
+which does nothing.
.SS "Crypto parameters"
.TP
.I kx
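Review bot: In the new `.I upload-hook` entry, "A shell command to run by" should read "A shell command to be run by". The entry also leaves out how the command is invoked (the code passes it to `sh -c`), which directory it runs in, and what `tripe-keys upload` does when the hook exits non-zero; a sentence on each would help anyone writing an rsync hook to push the signed files off the signing machine.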
('sig-file', '${base-dir}${sig-base}'),
('repos-file', '${base-dir}${repos-base}'),
('conf-file', '${base-dir}tripe-keys.conf'),
+ ('upload-hook', ': run upload hook'),
('kx', 'dh'),
('kx-param', lambda: {'dh': '-LS -b2048 -B256',
'ec': '-Cnist-p256'}[conf['kx']]),
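Review bot: The default `': run upload hook'` sits in a table whose neighbouring values use `${...}` for config substitution, so a hook that relies on shell `${VAR}` expansion may be altered by the config layer before the shell ever sees it. If hook values are expanded, the manual entry should say so and show how to escape a literal `${`; if they are not, a short comment here noting that the leading `:` makes the default a deliberate no-op would be enough.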
finally:
OS.chdir(cwd)
rmtree('tmp')
+ run('sh -c ${upload-hook}')
def cmd_update(args):
cwd = OS.getcwd()
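Review bot: `run('sh -c ${upload-hook}')` depends on `run` handing the substituted value to `sh -c` as a single argument. If `run` splits on whitespace after substitution, only the first word becomes the command and the rest become positional parameters: the default `: run upload hook` would still appear to work, while a real `rsync ...` hook would run without its arguments. Please confirm this against `run`'s splitting rules, and check that a non-zero exit from the hook makes `tripe-keys upload` fail rather than pass silently, since a quiet failure leaves the published files out of date. The hook also runs after `OS.chdir(cwd)`, so relative paths in it resolve against the caller's directory, which is worth stating in the documentation.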