xbps-keygen

#!/bin/sh
signer="$1"
if [ -z "$signer" ]; then
	exec >&2
	printf "%s <signer> [size=4096]\n" "$0"
	printf "\tgenerates an RSA key appropriate for signing xbps repos\n"
	printf "\tNOTE: signer *IS NOT* XML escaped automatically\n"
	printf "\t      be careful\n"
	exit 1
fi
set -uxe

keysize="${2:-4096}"
openssl genrsa -out repokey 4096
fingerprint="$(openssl rsa -in repokey -pubout | \
	ssh-keygen -i -f /dev/stdin -m PKCS8 | \
	cut -d ' ' -f 2 | base64 -d | openssl md5 -c | cut -d ' ' -f 2)"
cat >"${fingerprint}.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>public-key</key>
	<data>$(openssl rsa -in repokey -pubout | base64 -w 0)</data>
	<key>public-key-size</key>
	<integer>$keysize</integer>
	<key>signature-by</key>
	<string>$signer</string>
	<key>signature-type</key>
	<string>rsa</string>
</dict>
</plist>
EOF
mv repokey "${fingerprint}.rsa"