Feature/homectl recovery key update (#38702)

Implements the ability to add recovery keys to existing user accounts
via homectl update --recovery-key=yes. Previously, recovery keys could
only be configured during initial user creation, requiring users to
recreate their entire home directory to add recovery keys later.

Fixes: #23602

NEWS

@@ -1,5 +1,11 @@
 systemd System and Service Manager
 
+CHANGES WITH 259 in spe:
+
+        * homectl's --recovery-key= option may now be used with the "update"
+          command to add recovery keys to existing user accounts. Previously,
+          recovery keys could only be configured during initial user creation.
+
 CHANGES WITH 258:
 
         Incompatible changes:

man/homectl.xml

@@ -1584,6 +1584,13 @@ homectl update lafcadio --pkcs11-token-uri=auto</programlisting>
       <programlisting># Allow a FIDO2 security token to unlock the account of user 'nihilbaxter'.
 homectl update nihilbaxter --fido2-device=auto</programlisting>
     </example>
+
+    <example>
+      <title>Add a recovery key to an existing user account:</title>
+
+      <programlisting># Generate and add a recovery key for user 'emily'.
+homectl update emily --recovery-key=yes</programlisting>
+    </example>
   </refsect1>
 
   <refsect1>

src/home/homectl.c

@@ -1829,9 +1829,15 @@ static int acquire_updated_home_record(
                         return r;
         }
 
+        if (arg_recovery_key) {
+                r = identity_add_recovery_key(&json);
+                if (r < 0)
+                        return r;
+        }
+
         /* If the user supplied a full record, then add in lastChange, but do not override. Otherwise always
          * override. */
-        r = update_last_change(&json, arg_pkcs11_token_uri || arg_fido2_device, !arg_identity);
+        r = update_last_change(&json, arg_pkcs11_token_uri || arg_fido2_device || arg_recovery_key, !arg_identity);
         if (r < 0)
                 return r;