From 2f652e23b37f8ab6bbc31e0dc0349dbb99904992 Mon Sep 17 00:00:00 2001
From: Matt Birkholz <matt@birchwood-abbey.net>
Date: Thu, 20 Nov 2025 16:36:13 -0700
Subject: [PATCH] Install root@core's public key in /etc/root-pub.pem.

Thus anyone can send encrypted email to root with the --recipient-file
option to gpg.

This might have simplified the hacked passwd command if it did not
have to run as sysadm anyway, for /etc/shadow access.
---
 README.org                     | 8 ++++----
 roles_t/core/handlers/main.yml | 2 +-
 roles_t/core/tasks/main.yml    | 4 ++--
 roles_t/core/templates/passwd  | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/README.org b/README.org
index 49b2044..6993612 100644
--- a/README.org
+++ b/README.org
@@ -6383,7 +6383,7 @@ close $TMP;
 
 my $O = new IO::File;
 open $O, ("| gpg --encrypt --armor"
-	  ." --trust-model always --recipient root\@core"
+	  ." --recipient-file /etc/root-pub.pem"
 	  ." > $tmp") or die "Error running gpg > $tmp: $!\n";
 print $O <<EOD;
 username: $username
@@ -6538,10 +6538,10 @@ configuration so that the email to root can be encrypted.
     group: root
 
 - name: Install root PGP key file.
-  become: no
+  become: yes
   copy:
     src: ../Secret/root-pub.pem
-    dest: ~/.gnupg-root-pub.pem
+    dest: /etc/root-pub.pem
     mode: u=r,g=r,o=r
   notify: Import root PGP key.
 #+END_SRC
@@ -6551,7 +6551,7 @@ configuration so that the email to root can be encrypted.
 
 - name: Import root PGP key.
   become: no
-  command: gpg --import ~/.gnupg-root-pub.pem
+  command: gpg --import /etc/root-pub.pem
 #+END_SRC
 
 ** The Old Command
diff --git a/roles_t/core/handlers/main.yml b/roles_t/core/handlers/main.yml
index 891fd89..71d259b 100644
--- a/roles_t/core/handlers/main.yml
+++ b/roles_t/core/handlers/main.yml
@@ -86,4 +86,4 @@
 
 - name: Import root PGP key.
   become: no
-  command: gpg --import ~/.gnupg-root-pub.pem
+  command: gpg --import /etc/root-pub.pem
diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml
index 096092c..879fd0c 100644
--- a/roles_t/core/tasks/main.yml
+++ b/roles_t/core/tasks/main.yml
@@ -957,9 +957,9 @@
     group: root
 
 - name: Install root PGP key file.
-  become: no
+  become: yes
   copy:
     src: ../Secret/root-pub.pem
-    dest: ~/.gnupg-root-pub.pem
+    dest: /etc/root-pub.pem
     mode: u=r,g=r,o=r
   notify: Import root PGP key.
diff --git a/roles_t/core/templates/passwd b/roles_t/core/templates/passwd
index e8e511d..584204d 100644
--- a/roles_t/core/templates/passwd
+++ b/roles_t/core/templates/passwd
@@ -51,7 +51,7 @@ close $TMP;
 
 my $O = new IO::File;
 open $O, ("| gpg --encrypt --armor"
-	  ." --trust-model always --recipient root\@core"
+	  ." --recipient-file /etc/root-pub.pem"
 	  ." > $tmp") or die "Error running gpg > $tmp: $!\n";
 print $O <<EOD;
 username: $username
-- 
2.25.1