--- /dev/null
+#!/bin/sh -eu
+# DESCRIPTION: génère une clef OpenPGP primaire pour $uid et une clef secondaire par $subkey_caps
+# SYNTAX: $uid
+# ENV: $gpg_options
+# ENV: $subkey_caps
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+uid="$1"
+install -d -m 700 \
+ var/pub/openpgp
+install -d -m 700 \
+ var/sec \
+ var/sec/openpgp
+if test ! -e "$tool"/var/sec/openpgp/"$uid".pass.gpg
+ then gpg --encrypt $gpg_options -o "$tool"/var/sec/openpgp/"$uid".pass.gpg <<-EOF
+ $(stdbuf --output 0 tr -d -c '[:alnum:][:punct:]' <"${random:-/dev/urandom}" | head -c 42)
+ EOF
+ fi
+if ! "$tool"/remote/gpg --list-keys -- "$uid" >/dev/null
+ then
+ "$tool"/remote/gpg --batch --gen-key
+ # DOC: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS;hb=refs/heads/STABLE-BRANCH-1-4
+ Key-Type: RSA
+ Key-Length: 4096
+ Key-Usage: sign
+ Passphrase:$(gpg --decrypt ${gpg_options-} "$tool"/var/sec/openpgp/"$uid".pass.gpg)
+ Preferences: TWOFISH AES256 CAST5 BLOWFISH CAMELLIA256 3DES SHA512 SHA384 SHA256 SHA224 SHA1 BZIP2 ZLIB ZIP NONE MDC NO-KS-MODIFY
+ $(cat -)
+ %commit
+ EOF
+ fi
+caps=$(
+ "$tool"/remote/gpg --with-colons --fixed-list-mode --with-fingerprint --list-secret-keys \
+ -- "$uid" |
+ sed -e 's/^ssb\(:[^:]*\)\{11\}.*/\1/;t;d'
+ )
+for cap in ${subkey_caps:-}
+ do
+ test ! "$caps" = "$(printf %s "$caps" | sed -e 's/'"$cap"'//g')" ||
+ printf '%s\n' 8 s e $cap q 4096 ${expire:-0} save |
+ "$tool"/remote/gpg --keyid-format "long" --with-colons --fixed-list-mode --expert \
+ --passphrase-fd 3 --command-fd 0 --edit-key "$uid" addkey 3<<-EOF
+ $(gpg --decrypt ${gpg_options-} "$tool"/var/sec/openpgp/"$uid".pass.gpg)
+ EOF
+ done
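Review bot: The `"$tool"/remote/gpg --batch --gen-key` line carries no here-document redirection even though a matching `EOF` terminator closes the parameter block after `%commit`, so unless the redirection was lost in rendering the shell will try to execute `Key-Type: RSA` as a command and `-e` aborts primary-key generation; the line should read `"$tool"/remote/gpg --batch --gen-key <<-EOF`. Separately, both passphrase feeds expand `$(gpg --decrypt …)` inside a here-document (the batch parameter block and the `3<<-EOF` on the addkey call), and depending on the `/bin/sh` in use (bash before 5.1 among others) a here-document is materialized as a temporary file, so the plaintext passphrase can touch `$TMPDIR` instead of staying in a pipe. For the addkey step the descriptors can be swapped so the secret travels through a pipe and only the non-secret menu answers go through the here-document, as below. Finally, `$gpg_options` on the `--encrypt` line is unguarded while both `--decrypt` lines use `${gpg_options-}`; under `-u` the first invocation aborts when the variable is unset, so the three should agree.
```shell
# … unchanged: capability check on $caps …
test ! "$caps" = "$(printf %s "$caps" | sed -e 's/'"$cap"'//g')" ||
gpg --decrypt ${gpg_options-} "$tool"/var/sec/openpgp/"$uid".pass.gpg |
"$tool"/remote/gpg --keyid-format "long" --with-colons --fixed-list-mode --expert \
 --passphrase-fd 0 --command-fd 3 --edit-key "$uid" addkey 3<<-EOF
	$(printf '%s\n' 8 s e $cap q 4096 ${expire:-0} save)
	EOF
```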