This file is indexed.

/usr/share/monkeysphere/mh/revoke_key is in monkeysphere 0.36-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
# -*-shell-script-*-
# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)

# Monkeysphere host revoke-key subcommand
#
# The monkeysphere scripts are written by:
# Jameson Rollins <jrollins@finestructure.net>
# Jamie McClelland <jm@mayfirst.org>
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
#
# They are Copyright 2008-2010, and are all released under the GPL,
# version 3 or later.

# revoke host key

revoke_key() {

    local keyID
    local publish

    keyID=$(check_key_input "$@")

    if [ "$PROMPT" = "false" ] ; then
	publish=N
    else
	cat <<EOF >&2
This will generate a revocation certificate for key $keyID
and dump the certificate to standard output.

It can also directly publish the new revocation certificate
to the public keyservers via $KEYSERVER if you want it to.

Publishing this certificate will IMMEDIATELY and PERMANENTLY revoke
your host key!

EOF
	printf "Publish the certificate after generation? (y/n/Q) " >&2
	read publish
	
	if ! [ "${publish/y/Y}" = 'Y' -o "${publish/n/N}" = 'N' ] ; then
	    failure "aborting at user request"
	fi
    fi
    
    # our current implementation is very simple: we just want to
    # generate the revocation certificate on stdout.  This provides
    # for the two most likely (but hopefully not common) scenarios:

    # an admin wants a revocation certificate for the host which they
    # can store securely offline.  In this case, the admin can
    # redirect stdout to a file, or can simply copy/paste or
    # transcribe from the terminal.

    # Alternately, an admin might want to publish the revocation
    # certificate immediately, which we can help them do as well.

    if [ "$PROMPT" = 'false' ] ; then
	# FIXME: allow the end user to choose something other than
	# "key was compromised" (1) and to supply their own revocation
	# string.

	local revoke_commands="y
1
Monkeysphere host key revocation (automated) $(date '+%F_%T%z')

y

"
	revcert=$(GNUPGHOME="$GNUPGHOME_HOST" gpg_host --command-fd 0 --armor --gen-revoke "0x${keyID}!" <<<"$revoke_commands" ) \
	    || failure "Failed to generate revocation certificate!"

    else
    # note: we're not using the gpg_host function because we actually
    # want to use gpg's UI in this case, so we want to omit --no-tty
	revcert=$(GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --armor --gen-revoke "0x${keyID}!") \
	    || failure "Failed to generate revocation certificate!"
    fi

    # if you run gpg --gen-revoke but cancel it or quit in the middle,
    # it returns success, but emits no revocation certificate:
    if ! [ "$revcert" ] ; then
	failure "Revocation canceled."
    fi

    ## ok, now we have the revocation certificate.  Print it, and
    ## offer to publish if originally requested:
    printf "%s\n" "$revcert"

    if [ "${publish/y/Y}" = 'Y' ] ; then
	printf "\n" >&2
	printf "Really publish this cert to $KEYSERVER ? (Y/n) " >&2
	read really
	if [ "${really/n/N}" = 'N' ] ; then
	    printf "Not publishing.\n" >&2
	else
	    local newhome=$(msmktempdir)
	    GNUPGHOME="$newhome" gpg --no-tty --quiet --import < "$HOST_KEY_FILE"
	    GNUPGHOME="$newhome" gpg --no-tty --quiet --import <<< "$revcert"
	    GNUPGHOME="$newhome" gpg --keyserver "$KEYSERVER" --send "0x${keyID}!"
	    rm -rf "$newhome"
	fi
    fi
}