sops-install-secrets: also write out pubring to make gnupg happy

2024-12-14 11:57:52 +00:00 · 2024-03-14 14:21:23 +01:00 · 2024-03-14 14:21:23 +01:00 · 85d13d5aa4
commit 85d13d5aa4
parent a2d9145e98
1 changed files with 14 additions and 0 deletions
--- a/pkgs/sops-install-secrets/main.go
+++ b/pkgs/sops-install-secrets/main.go
@ -605,11 +605,20 @@ func pruneGenerations(secretsMountPoint, secretsDir string, keepGenerations int)

 func importSSHKeys(logcfg loggingConfig, keyPaths []string, gpgHome string) error {
 	secringPath := filepath.Join(gpgHome, "secring.gpg")
+	pubringPath := filepath.Join(gpgHome, "pubring.gpg")

 	secring, err := os.OpenFile(secringPath, os.O_WRONLY|os.O_CREATE, 0o600)
 	if err != nil {
 		return fmt.Errorf("Cannot create %s: %w", secringPath, err)
 	}
+	defer secring.Close()
+
+	pubring, err := os.OpenFile(pubringPath, os.O_WRONLY|os.O_CREATE, 0o600)
+	if err != nil {
+		return fmt.Errorf("Cannot create %s: %w", pubringPath, err)
+	}
+	defer pubring.Close()
+
 	for _, p := range keyPaths {
 		sshKey, err := os.ReadFile(p)
 		if err != nil {
@ -627,6 +636,11 @@ func importSSHKeys(logcfg loggingConfig, keyPaths []string, gpgHome string) erro
 			continue
 		}

+		if err := gpgKey.Serialize(pubring); err != nil {
+			fmt.Fprintf(os.Stderr, "Cannot write pubring: %s\n", err)
+			continue
+		}
+
 		if logcfg.KeyImport {
 			fmt.Printf("%s: Imported %s as GPG key with fingerprint %s\n", path.Base(os.Args[0]), p, hex.EncodeToString(gpgKey.PrimaryKey.Fingerprint[:]))
 		}