bin: Support multiple fingerprints in CK8S_PGP_FP during init

bin/init.bash

@@ -76,18 +76,27 @@ if ! array_contains "${CK8S_K8S_INSTALLER}" "${ck8s_k8s_installers[@]}"; then
 fi
 
 generate_sops_config() {
+  local fingerprints
+
   if [ -n "${CK8S_PGP_FP:-}" ]; then
-    if ! gpg --list-keys | grep "${CK8S_PGP_FP}" >/dev/null 2>&1; then
-      log_error "ERROR: Fingerprint does not exist in gpg keyring."
-      log_error "CK8S_PGP_FP=${CK8S_PGP_FP}"
-      exit 1
-    fi
-    fingerprint="${CK8S_PGP_FP}"
+    local fingerprint
+    local -a fingerprints_split
+
+    IFS=, read -ra fingerprints_split <<<"${CK8S_PGP_FP}"
+
+    for fingerprint in "${fingerprints_split[@]}"; do
+      if ! gpg --list-keys "${fingerprint}" >/dev/null 2>&1; then
+        log_error "ERROR: Fingerprint ${fingerprint} does not exist in gpg keyring."
+        log_error "CK8S_PGP_FP=${CK8S_PGP_FP}"
+        exit 1
+      fi
+    done
+    fingerprints="${CK8S_PGP_FP}"
   elif [ -n "${CK8S_PGP_UID:-}" ]; then
-    fingerprint=$(gpg --list-keys --with-colons "${CK8S_PGP_UID}" |
+    fingerprints=$(gpg --list-keys --with-colons "${CK8S_PGP_UID}" |
       awk -F: '$1 == "fpr" {print $10;}' | head -n 1 ||
       echo "")
-    if [ -z "${fingerprint}" ]; then
+    if [ -z "${fingerprints}" ]; then
       log_error "ERROR: Unable to get fingerprint from gpg keyring using UID."
       log_error "CK8S_PGP_UID=${CK8S_PGP_UID}"
       exit 1
@@ -97,9 +106,9 @@ generate_sops_config() {
     exit 1
   fi
 
-  log_info "Initializing SOPS config with PGP fingerprint: ${fingerprint}"
+  log_info "Initializing SOPS config with PGP fingerprints: ${fingerprints}"
 
-  sops_config_write_fingerprints "${fingerprint}"
+  sops_config_write_fingerprints "${fingerprints}"
 }
 
 # Usage: generate_default_config <default_config>

tests/common/bats/gpg.bash

@@ -7,7 +7,7 @@ gpg.auto_generate_key() {
   gpg --batch --generate-key <<EOF
 Key-Type: RSA
 Key-Length: 4096
-Name-Real: Welkin / Apps / Tests
+Name-Real: Welkin / Apps / Tests / ${1}
 Name-Email: [email protected]
 Expire-Date: 1d
 %no-protection
@@ -16,16 +16,11 @@ Expire-Date: 1d
 EOF
 }
 
-# Creates a temporary gpg home and generates a temporary key
-# CK8S_PGP_FP will be set with the fingerprint
-gpg.setup() {
-  GNUPGHOME="$(mktemp --directory)"
-  export GNUPGHOME
-
+gpg.auto_generate_key_retry() {
   local n
   for n in $(seq 3); do
     # Retry as gpg-agent might not reliably start
-    if gpg.auto_generate_key; then
+    if gpg.auto_generate_key "${1}"; then
       break
     fi
     echo "failed to generate gpg key try ${n}" >&2
@@ -35,8 +30,18 @@ gpg.setup() {
   if [[ "${n}" == "0" ]]; then
     exit 1
   fi
+}
+
+# Creates a temporary gpg home and generates a temporary key
+# CK8S_PGP_FP will be set with the fingerprint
+gpg.setup() {
+  GNUPGHOME="$(mktemp --directory)"
+  export GNUPGHOME
+
+  gpg.auto_generate_key_retry "Key one"
+  gpg.auto_generate_key_retry "Key two"
 
-  CK8S_PGP_FP="$(gpg --list-secret-keys --with-colons | grep -A1 '^sec' | grep '^fpr' | awk -F: '{print $10}')"
+  CK8S_PGP_FP="$(gpg --list-secret-keys --with-colons | grep -A1 '^sec' | grep '^fpr' | awk -F: '{print $10}' | paste -sd "," -)"
   export CK8S_PGP_FP
 }
 

tests/unit/general/bin-init.bats

@@ -75,7 +75,7 @@ teardown_file() {
 
   CK8S_PGP_FP="123" run ck8s init both
   assert_failure
-  assert_output --partial "Fingerprint does not exist in gpg keyring"
+  assert_output --partial "Fingerprint 123 does not exist in gpg keyring"
 
   CK8S_PGP_UID="asd" run ck8s init both
   assert_failure