This repository has been archived by the owner on Mar 16, 2023. It is now read-only.
improved and fixed key rollover support and the README
This new version introduces a major change to the database as the primary key of the secrets table is extended with the keyid a fingerprint belongs to. This is necessary so that the database supports proper key rollovers without fingerprint collisions between keys. The following steps describe how to properly update an existing database:

1. Download the public key of your instance:

   ```sh
   wget -O "./secrets.pub" "https://example.com/pub?plain"
   ```

2. Generate the hexadecimally encoded public key keyid:

   ```sh
   openssl rsa -pubin -in "./secrets.pub" -pubout -outform DER 2>/dev/null |
   openssl dgst -sha256 -binary |
   xxd -p |
   tr -d "\n" &&
   echo
   ```

3. Add the new `keyid` column to the existing database table:

   ```sql
   ALTER TABLE secrets ADD COLUMN keyid VARCHAR(64) FIRST;
   ```

4. Fill the database with the keyid from step 2:

   ```sql
   # setting time=time prevents the timestamps from being updated
   UPDATE secrets SET time=time, keyid='<PUBLIC KEY KEYID>';
   ```

5. Change the primary key constraint of the existing database table:

   ```sql
   ALTER TABLE secrets DROP PRIMARY KEY, ADD PRIMARY KEY (keyid, fingerprint);
   ```
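The keyid computed by the openssl pipeline above is the SHA-256 of the DER-encoded SubjectPublicKeyInfo, and the UPDATE statement has to receive exactly that 64-character hex string. The following is an added example (not part of this project) that reproduces the keyid with the Python standard library alone, validates it before it is spliced into the UPDATE, and runs the two checks a practitioner would want after the migration: no row left without a keyid and no duplicate (keyid, fingerprint) pair that would make the new composite primary key fail. The PEM input is constructed (the bytes `abc` stand in for a DER key, chosen because their SHA-256 is a well-known test vector), and an in-memory SQLite table stands in for the MySQL secrets table; the MySQL-specific `DROP PRIMARY KEY, ADD PRIMARY KEY` statement is not replayed.

```python
import base64
import hashlib
import re
import sqlite3

# A "BEGIN PUBLIC KEY" block carries a base64-encoded SubjectPublicKeyInfo
# (SPKI) in DER form; the openssl pipeline on the page hashes exactly those
# DER bytes, so decoding the base64 and hashing gives the same keyid.
PEM_RE = re.compile(
    r"-----BEGIN PUBLIC KEY-----\s*(.*?)\s*-----END PUBLIC KEY-----", re.S
)
KEYID_RE = re.compile(r"[0-9a-f]{64}")


def keyid_from_pem(pem: str) -> str:
    """Return the SHA-256 of the DER-encoded SPKI as 64 lowercase hex digits.

    Assumes the input is an SPKI PEM ("BEGIN PUBLIC KEY"), which is what
    `openssl rsa -pubin` reads by default; a PKCS#1 "BEGIN RSA PUBLIC KEY"
    file would be re-encoded by openssl and is not handled here.
    """
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PUBLIC KEY block found in input")
    body = "".join(match.group(1).split())        # drop LF/CRLF line breaks
    der = base64.b64decode(body, validate=True)   # reject non-base64 garbage
    return hashlib.sha256(der).hexdigest()        # same as xxd -p | tr -d '\n'


def is_valid_keyid(value: str) -> bool:
    """True only for exactly 64 lowercase hex characters (what VARCHAR(64) holds)."""
    return KEYID_RE.fullmatch(value) is not None


def fill_keyid_sql(keyid: str) -> str:
    """Render the UPDATE statement with the keyid spliced in.

    The keyid is validated first so a copy-paste slip (or the literal
    '<PUBLIC KEY KEYID>' placeholder) can never reach the database as part
    of the statement text.
    """
    if not is_valid_keyid(keyid):
        raise ValueError("keyid must be 64 lowercase hex characters")
    # time=time keeps ON UPDATE CURRENT_TIMESTAMP columns from being touched
    return f"UPDATE secrets SET time=time, keyid='{keyid}';"


def check_migration(conn: sqlite3.Connection) -> dict:
    """Database-agnostic post-migration checks: no row without a keyid and
    no duplicate (keyid, fingerprint) pair, i.e. the new primary key can hold."""
    missing = conn.execute(
        "SELECT COUNT(*) FROM secrets WHERE keyid IS NULL OR keyid = ''"
    ).fetchone()[0]
    duplicates = conn.execute(
        "SELECT COUNT(*) FROM (SELECT keyid, fingerprint FROM secrets"
        " GROUP BY keyid, fingerprint HAVING COUNT(*) > 1)"
    ).fetchone()[0]
    return {"missing_keyid": missing, "duplicate_pairs": duplicates}


def demo() -> dict:
    """Constructed walk-through of the keyid step and the fill step.

    b"abc" stands in for a DER-encoded key (constructed input, not a real
    key), and an in-memory SQLite table stands in for the MySQL secrets
    table as it looks right after the ADD COLUMN step.
    """
    pem = (
        "-----BEGIN PUBLIC KEY-----\n"
        + base64.b64encode(b"abc").decode("ascii")
        + "\n-----END PUBLIC KEY-----\n"
    )
    keyid = keyid_from_pem(pem)

    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE secrets (keyid VARCHAR(64), fingerprint VARCHAR(64), time INTEGER)"
    )
    conn.executemany(
        "INSERT INTO secrets (fingerprint, time) VALUES (?, ?)",
        [("fp-1", 1700000000), ("fp-2", 1700000001)],  # constructed rows
    )
    before = check_migration(conn)
    conn.execute(fill_keyid_sql(keyid))
    after = check_migration(conn)
    conn.close()
    return {"keyid": keyid, "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Run the script against a real `secrets.pub` by passing its contents to `keyid_from_pem` and compare the result with the output of the openssl pipeline; the two must agree before the UPDATE is executed. `check_migration` works unchanged against a MySQL connection object that follows the DB-API, which makes it a cheap gate to run between the UPDATE and the primary-key change.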