Safeguard: never remove key that signed last git commit

nakamochi · Nov 5, 2024 · c5e0d83 · c5e0d83
1 parent ea1cbc2
commit c5e0d83
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/keys/keys.sh b/keys/keys.sh
@@ -1,12 +1,13 @@
 #!/usr/bin/env bash
 
 current_keys="$(gpg --list-keys --with-colons | grep '^pub' | cut -d: -f5)"
+last_commit_key_id="$(git log --show-signature | grep "Primary key fingerprint" | head -n 1 | tail -c 20 | tr -d ' ')"
 
 new_keylist="$(mktemp)"
 for keyfile in keys/*.asc; do gpg --with-colons "$keyfile" 2>/dev/null | grep '^pub' | cut -d: -f5; done > "$new_keylist"
 # Remove keys that are no longer present
 for key in $current_keys; do
-    if ! grep -qs "$key" "$new_keylist"; then
+    if ! grep -qs "$key" "$new_keylist" && [[ "$key" != "$last_commit_key_id" ]]; then
         echo "Removing key $key..."
         gpg --batch --yes --delete-keys "$key"
     fi