From b14ccd2f7a18d48b40b381b42934a3d97da3b99c Mon Sep 17 00:00:00 2001
Message-Id:
From: Mark Wooding
Date: Sat, 5 Apr 2008 13:23:21 +0100
Subject: [PATCH] tripe-keys: Provide upload-hook for more complicated publishing.
Organization: Straylight/Edgeware
From: Mark Wooding

The existing arrangement of writing the updated files to a local directory are satisfactory for simple situations, but it's not actually desirable to handle sensitive cryptographic keys (e.g., the TrIPE master key!) on the same machine as a public-facing web server. The upload-hook can contain an arbitrary shell-command, though it'll typically be an invocation of rsync or similar.
---
 keys/tripe-keys.conf.5 | 11 +++++++++++
 keys/tripe-keys.in | 2 ++
 2 files changed, 13 insertions(+)
diff --git a/keys/tripe-keys.conf.5 b/keys/tripe-keys.conf.5
index 70bd356e..4dcda40b 100644
--- a/keys/tripe-keys.conf.5
+++ b/keys/tripe-keys.conf.5
@@ -112,6 +112,17 @@ default. Usually set up automatically.
 .I hk-master
 The fingerprint of the current master signing key. No default. Usually set up automatically.
+.TP
+.I upload-hook
+A shell command to run by
+.B tripe-keys upload
+after it has successfully written the
+.I repos-file
+and
+.IR sig-file s.
+Default is
+.B ": run upload hook"
+which does nothing.
 .SS "Crypto parameters"
 .TP
 .I kx
diff --git a/keys/tripe-keys.in b/keys/tripe-keys.in
index 58c36279..1167dea0 100644
--- a/keys/tripe-keys.in
+++ b/keys/tripe-keys.in
@@ -129,6 +129,7 @@ def conf_defaults():
 ('sig-file', '${base-dir}${sig-base}'),
 ('repos-file', '${base-dir}${repos-base}'),
 ('conf-file', '${base-dir}tripe-keys.conf'),
+ ('upload-hook', ': run upload hook'),
 ('kx', 'dh'),
 ('kx-param', lambda: {'dh': '-LS -b2048 -B256',
 'ec': '-Cnist-p256'}[conf['kx']]),
@@ -280,6 +281,7 @@ def cmd_upload(args):
 finally:
 OS.chdir(cwd)
 rmtree('tmp')
+ run('sh -c ${upload-hook}')
 
 def cmd_update(args):
 cwd = OS.getcwd()
--
[mdw]
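Review bot: The new `run('sh -c ${upload-hook}')` in cmd_upload sits inside the `finally:` clause, so the hook also fires when the upload body raised and the repos-file and sig-files were never written, whereas the man-page text added in this same patch promises it runs only "after it has successfully written" them. Moving the call to just after the `try`/`finally` statement, outdented to the `try`'s level, restricts it to the success path; an exception in the body then propagates past it as documented. The `try` body of cmd_upload starts before this hunk, so I cannot see how a partial failure is handled there. A one-line comment at the call would also help the next maintainer, e.g. `# Publish step: executes an operator-supplied shell command taken from the config file, with this process's privileges — the config file must be writable only by the key holder.`. Whether `${upload-hook}` survives as a single argument to `sh -c` when the configured value contains spaces depends on how run() expands and splits its string, which is not visible here and is worth confirming against run()'s definition.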