scripts/sync-keyring

@@ -27,6 +27,7 @@ case "${1:-}" in
 		TARGET=~/buildd-keyring-final
 		KEYRING=~/master-keyrings/buildd-trustedkeys.gpg
 		INCLUDES=/buildd-keyrings/
+		EXPORTKEYRING=
 		;;
 	debian|"")
 		ORIGIN=keyring.debian.org::keyrings
@@ -34,6 +35,9 @@ case "${1:-}" in
 		TARGET=~/keyring-final
 		KEYRING=~/master-keyrings/debian-trustedkeys.gpg
 		INCLUDES=/keyrings/
+		# Import from Debian uploading member keyring
+		# since DAM will not allow non-uploading keyring-maints
+		EXPORTKEYRING="${TARGET}${INCLUDES}debian-keyring.gpg"
 		;;
 	*)
 		echo >&2 "Usage: $0 [debian|buildd]"
@@ -74,3 +78,12 @@ gpg -d sha512sums.txt 2>/dev/null | sed -e 's#^.* #/#' >> .rsync-includes
 
 # copy files into place, deleting any debris in the target area
 rsync -a --include-from=.rsync-includes --exclude='*' --delete-excluded --delete-after $STAGING/ $TARGET/
+
+# update the keys from the source keyring for expiry and revocations
+test -z "$EXPORTKEYRING" && exit 0
+gpg --no-default-keyring --keyring "$KEYRING" --with-colons --with-fingerprint --list-keys |
+awk -F: '/^fpr:/{ if (ok) { print $10 } ; ok=0 } /^pub:/{ ok=1 }' |
+while read -r FINGERPRINT ; do
+	gpg --no-default-keyring --keyring "$EXPORTKEYRING" --export --export-options export-minimal --armour "$FINGERPRINT" |
+	gpg --no-default-keyring --keyring "$KEYRING" --quiet --import
+done