Trusted key adding / removal via updates

apply.sh

@@ -12,6 +12,11 @@ exit_code=0
 # defined in the caller script
 rootdir="$SYSUPDATES_ROOTDIR"
 
+# keys
+printf "######## keys\n" 1>&2
+cd "$rootdir"
+./keys/keys.sh || exit 1
+
 # base os
 printf "######## base os\n" 1>&2
 cd "$rootdir"

keys/keys.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+current_keys="$(gpg --list-keys --with-colons | grep '^pub' | cut -d: -f5)"
+last_commit_key_id="$(git log --show-signature | grep "Primary key fingerprint" | head -n 1 | tail -c 20 | tr -d ' ')"
+
+new_keylist="$(mktemp)"
+for keyfile in keys/*.asc; do gpg --with-colons "$keyfile" 2>/dev/null | grep '^pub' | cut -d: -f5; done > "$new_keylist"
+# Remove keys that are no longer present.
+# But, as a safeguard, never allow removal of key that signed last commit.
+for key in $current_keys; do
+    if ! grep -qs "$key" "$new_keylist" && [[ "$key" != "$last_commit_key_id" ]]; then
+        echo "Removing key $key..."
+        gpg --batch --yes --delete-keys "$key"
+    fi
+done
+rm "$new_keylist"
+
+# Import new keys
+for keyfile in keys/*.asc; do
+    keyid="$(gpg --with-colons "$keyfile" 2>/dev/null | grep '^pub' | cut -d: -f5)"
+    if ! grep -qs "$keyid" <<< "$current_keys"; then
+        echo "Importing key $keyid from $keyfile..."
+        gpg --import "$keyfile"
+        echo -e "trust\n5\ny\n" | gpg --batch --no-tty --command-fd 0 --expert --edit-key "$keyid"
+    fi
+done