out of band keyring transfer is not necessary, since repo is cloned securely

Makefile

@@ -11,7 +11,7 @@ build: deps dist/setup-config
 	ln -sf dist/build/propellor/propellor
 
 deps:
-	@if [ $$(whoami) = root ]; then apt-get -y install gnupg ghc cabal-install libghc-missingh-dev libghc-ansi-terminal-dev libghc-ifelse-dev libghc-unix-compat-dev libghc-hslogger-dev libghc-base64-bytestring-dev; fi || true
+	@if [ $$(whoami) = root ]; then apt-get -y install gnupg ghc cabal-install libghc-missingh-dev libghc-ansi-terminal-dev libghc-ifelse-dev libghc-unix-compat-dev libghc-hslogger-dev; fi || true
 
 dist/setup-config: propellor.cabal
 	cabal configure

Propellor/CmdLine.hs

@@ -3,14 +3,10 @@ module Propellor.CmdLine where
 import System.Environment
 import Data.List
 import System.Exit
-import qualified Data.ByteString.Lazy as BL
-import qualified Data.ByteString.Base64.Lazy as B64
-import Data.Bits.Utils
 
 import Propellor
 import Utility.FileMode
 import Utility.SafeCommand
-import Utility.Data
 
 data CmdLine
 	= Run HostName
@@ -83,12 +79,7 @@ spin host = do
 			hClose fromh
 		status <- getstatus fromh `catchIO` error "protocol error"
 		case status of
-			HaveKeyRing -> finish
+			Ready -> finish
-			NeedKeyRing -> do
-				d <- w82s . BL.unpack . B64.encode
-					<$> BL.readFile keyring
-				senddata toh keyring keyringMarker d
-				finish
 			NeedGitClone -> do
 				hClose toh
 				hClose fromh
@@ -148,7 +139,7 @@ sendGitClone host url = do
 		, "rm -f " ++ remotebundle
 		]
 
-data BootStrapStatus = HaveKeyRing | NeedKeyRing | NeedGitClone
+data BootStrapStatus = Ready | NeedGitClone
 	deriving (Read, Show, Eq)
 
 type Marker = String
@@ -157,9 +148,6 @@ type Marked = String
 statusMarker :: Marker
 statusMarker = "STATUS"
 
-keyringMarker :: Marker
-keyringMarker = "KEYRING"
-
 privDataMarker :: String
 privDataMarker = "PRIVDATA "
 
@@ -177,19 +165,13 @@ fromMarked marker s
 
 boot :: [Property] -> IO ()
 boot props = do
-	havering <- doesFileExist keyring
+	putStrLn $ toMarked statusMarker $ show Ready
-	putStrLn $ toMarked statusMarker $ show $ if havering then HaveKeyRing else NeedKeyRing
 	hFlush stdout
 	reply <- hGetContentsStrict stdin
 
 	makePrivDataDir
 	maybe noop (writeFileProtected privDataLocal) $
 		fromMarked privDataMarker reply
-	case eitherToMaybe . B64.decode . BL.pack . s2w8 =<< fromMarked keyringMarker reply of
-		Nothing -> noop
-		Just d -> do
-			writeFileProtected keyring ""
-			BL.writeFile keyring d
 	ensureProperties props
 
 addKey :: String -> IO ()

README

@@ -54,7 +54,7 @@ for available fields.
 
 It's often easiest for a remote host to use a git:// or http://
 url to its origin repository, rather than ssh://. So, to avoid a MITM
-attack, propellor checks that the top commit in the git repository is gpg
+attack, propellor checks that any commit it fetched from origin is gpg
 signed by a trusted gpg key, and refuses to deploy it otherwise.
 
 This is only done when privdata/keyring.gpg exists. To set it up:
@@ -62,8 +62,4 @@ This is only done when privdata/keyring.gpg exists. To set it up:
 gpg --gen-key                 # only if you don't already have a gpg key
 propellor --add-key $MYKEYID
 
-The keyring.gpg can be checked into git, but to ensure that it's
-used from the beginning when bootstrapping, propellor --spin
-transfers it to the host using ssh.
-
 [1] http://reclass.pantsfullofunix.net/

propellor.cabal

@@ -26,7 +26,6 @@ Description:
 Executable propellor
   Main-Is: config.hs
   GHC-Options: -Wall
-  Extensions: PackageImports
   Build-Depends: MissingH, directory, filepath, base >= 4.5, base < 5, 
    IfElse, process, bytestring, hslogger, unix-compat, ansi-terminal,
    containers, base64-bytestring
@@ -36,7 +35,6 @@ Executable propellor
 
 Library
   GHC-Options: -Wall
-  Extensions: PackageImports
   Build-Depends: MissingH, directory, filepath, base >= 4.5, base < 5, 
    IfElse, process, bytestring, hslogger, unix-compat, ansi-terminal,
    containers, dataenc