Safeguard: never remove key that signed last git commit

kristapsk · kristapsk · commit 775a247bb63c · 2024-11-06T01:10:08.000+02:00
diff --git a/keys/keys.sh b/keys/keys.sh
@@ -1,12 +1,14 @@
 #!/usr/bin/env bash
 
 current_keys="$(gpg --list-keys --with-colons | grep '^pub' | cut -d: -f5)"
+last_commit_key_id="$(git log --show-signature | grep "Primary key fingerprint" | head -n 1 | tail -c 20 | tr -d ' ')"
 
 new_keylist="$(mktemp)"
 for keyfile in keys/*.asc; do gpg --with-colons "$keyfile" 2>/dev/null | grep '^pub' | cut -d: -f5; done > "$new_keylist"
-# Remove keys that are no longer present
+# Remove keys that are no longer present.
+# But, as a safeguard, never allow removal of key that signed last commit.
 for key in $current_keys; do
-    if ! grep -qs "$key" "$new_keylist"; then
+    if ! grep -qs "$key" "$new_keylist" && [[ "$key" != "$last_commit_key_id" ]]; then
         echo "Removing key $key..."
         gpg --batch --yes --delete-keys "$key"
     fi
