From 539e05b924539b6d5e537eed04832ffd921e8999 Mon Sep 17 00:00:00 2001
From: Matt Birkholz <matt@birchwood-abbey.net>
Date: Thu, 28 Dec 2023 15:37:41 -0700
Subject: [PATCH] Fix the CA (sub)command to export root keys to Secret/.

---
 README.org | 6 ++++--
 inst       | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/README.org b/README.org
index e3e1bb1..8484f52 100644
--- a/README.org
+++ b/README.org
@@ -5865,6 +5865,8 @@ if (defined $ARGV[0] && $ARGV[0] eq "CA") {
   die "Secret/CA/easyrsa: not an executable\n"
     if ! -x "Secret/CA/easyrsa";
   die "Secret/CA/pki/: already exists\n" if -e "Secret/CA/pki";
+
+  umask 077;
   mysystem "cd Secret/CA; ./easyrsa init-pki";
   mysystem "cd Secret/CA; ./easyrsa build-ca nopass";
   # Common Name: small.example.org
@@ -5886,11 +5888,11 @@ if (defined $ARGV[0] && $ARGV[0] eq "CA") {
 	    " --batch --quick-generate-key --passphrase ''",
 	    " root\@core.$pvt");
   mysystem ("gpg --homedir Secret/root.gnupg",
-	    " --export --armor --output root-pub.pem",
+	    " --export --armor --output Secret/root-pub.pem",
 	    " root\@core.$pvt");
   chmod 0440, "root-pub.pem";
   mysystem ("gpg --homedir Secret/root.gnupg",
-	    " --export-secret-key --armor --output root-sec.pem",
+	    " --export-secret-key --armor --output Secret/root-sec.pem",
 	    " root\@core.$pvt");
   chmod 0400, "root-sec.pem";
 
diff --git a/inst b/inst
index 9924c95..92bd003 100755
--- a/inst
+++ b/inst
@@ -66,6 +66,8 @@ if (defined $ARGV[0] && $ARGV[0] eq "CA") {
   die "Secret/CA/easyrsa: not an executable\n"
     if ! -x "Secret/CA/easyrsa";
   die "Secret/CA/pki/: already exists\n" if -e "Secret/CA/pki";
+
+  umask 077;
   mysystem "cd Secret/CA; ./easyrsa init-pki";
   mysystem "cd Secret/CA; ./easyrsa build-ca nopass";
   # Common Name: small.example.org
@@ -87,11 +89,11 @@ if (defined $ARGV[0] && $ARGV[0] eq "CA") {
 	    " --batch --quick-generate-key --passphrase ''",
 	    " root\@core.$pvt");
   mysystem ("gpg --homedir Secret/root.gnupg",
-	    " --export --armor --output root-pub.pem",
+	    " --export --armor --output Secret/root-pub.pem",
 	    " root\@core.$pvt");
   chmod 0440, "root-pub.pem";
   mysystem ("gpg --homedir Secret/root.gnupg",
-	    " --export-secret-key --armor --output root-sec.pem",
+	    " --export-secret-key --armor --output Secret/root-sec.pem",
 	    " root\@core.$pvt");
   chmod 0400, "root-sec.pem";
 
-- 
2.25.1