feat: monitor pgp key expiration
For: #46
ben-grande committed May 14, 2024
1 parent d148599 commit c6e4224
Showing 2 changed files with 71 additions and 0 deletions.
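--- a/.github/workflows/cron.yaml
+++ b/.github/workflows/cron.yaml
@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <[email protected]>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+---
+name: Cron
+
+# yamllint disable-line rule:truthy
+on:
+# yamllint disable-line rule:empty-values
+push:
+branches:
+- main
+pull_request:
+branches:
+- main
+types:
+- opened
+- reopened
+- synchronize
+schedule:
+- cron: "0 0 15,30 * *"
+
+concurrency:
+group: ci-${{ github.ref }}-10
+cancel-in-progress: true
+
+jobs:
+pgp-expiration-check:
+strategy:
+fail-fast: false
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+with:
+fetch-depth: 0
+- name: Discover keys that are expired or close to expiration date
+run: scripts/pgp-expiration.sh $(find -type f -name "*.asc")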
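Review bot: The `run:` step on the last line passes the `find` output through an unquoted `$(…)`, so any `.asc` path containing whitespace is split into several arguments and checked as non-existent files, and if `find` matches nothing the script is invoked with no keys and the job passes vacuously; let `find` build the argument list instead, `run: find . -type f -name '*.asc' -exec scripts/pgp-expiration.sh {} +`, which also drops the GNU-only call of `find` without a start directory. The `strategy: fail-fast: false` stanza has no effect without a `matrix` and can be removed. `actions/checkout@v4` is a floating tag; for a workflow whose purpose is key hygiene, pinning it to a full commit SHA would keep the action itself from being swapped underneath the job. The `15,30` schedule never fires on the 30th in February, so that month gets a single check, which is harmless but worth a comment.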
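--- a/scripts/pgp-expiration.sh
+++ b/scripts/pgp-expiration.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+## SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <[email protected]>
+##
+## SPDX-License-Identifier: AGPL-3.0-or-later
+
+set -eu
+
+now="$(date +%s)"
+fail="0"
+for key in "${@}"; do
+## TODO: exit only after evaluating all subkeys, not on the first error.
+gpg --no-keyring --no-auto-check-trustdb --no-autostart \
+--with-colons --show-keys "${key}" |
+awk -v key="${key}" -v now="${now}" -F ':' '/^(p|s)ub:/ {
+if ($7=="") {
+next
+}
+if ($7<now) {
+print key ": expired:", $5 >"/dev/stderr";
+exit 1
+}
+# 60 days
+else if (($7-now)<(60*60*24*60)) {
+print key ": expires soon:", $5 >"/dev/stderr";
+exit 1
+}
+}' || fail="1"
+done
+
+if test "${fail}" = "1"; then
+exit 1
+fi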
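Review bot: A gpg failure inside the `gpg … | awk …` pipeline is silently treated as success: the script runs under `#!/bin/sh` with `set -eu` and no `pipefail`, so only awk's status reaches `|| fail="1"`, and awk reading an empty stream from a gpg that could not parse the file exits 0, leaving `fail` unset for a key file that was never actually checked. Capture the listing first and fail the key on a non-zero gpg status, e.g. `if ! listing="$(gpg --no-keyring --no-auto-check-trustdb --no-autostart --with-colons --show-keys "${key}")"; then fail="1"; continue; fi` followed by `printf '%s\n' "${listing}" | awk …`; a key file that yields no `pub:`/`sub:` record at all should likewise be reported rather than passed. The `# 60 days` comment would read better next to the number it explains, `# 60*60*24*60 seconds = 60 days`, and the existing TODO about stopping at the first offending subkey still applies to this hunk.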
