summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSilvio Rhatto <rhatto@riseup.net>2013-11-26 17:18:57 -0200
committerSilvio Rhatto <rhatto@riseup.net>2013-11-26 17:18:57 -0200
commitef46233be5016435ada01b36d3d9fe27f1097e3b (patch)
tree25c8edec8ff092348317ac3a038f4941ac7acef4
parentcc7f823348eb24802cd85232cdbcdc8b1ab070e0 (diff)
parent5f1590e0722ee5ee9fed2ccc43adfb88f00218fd (diff)
downloadkeyringer-ef46233be5016435ada01b36d3d9fe27f1097e3b.tar.gz
keyringer-ef46233be5016435ada01b36d3d9fe27f1097e3b.tar.bz2
Merge tag 'upstream_keyringer_0.2.9' into debian
Upstream version 0.2.9
-rw-r--r--ChangeLog30
-rw-r--r--Makefile11
-rw-r--r--development.mdwn20
-rwxr-xr-xkeyringer3
-rwxr-xr-xlib/keyringer/actions/append28
-rwxr-xr-xlib/keyringer/actions/del8
-rwxr-xr-xlib/keyringer/actions/encrypt71
-rwxr-xr-xlib/keyringer/actions/ls7
l---------lib/keyringer/actions/rm1
-rwxr-xr-xlib/keyringer/actions/tree31
-rw-r--r--lib/keyringer/completions/bash/keyringer12
-rw-r--r--lib/keyringer/completions/zsh/_keyringer5
-rwxr-xr-xlib/keyringer/functions34
-rw-r--r--share/man/keyringer.179
-rw-r--r--share/man/keyringer.1.mdwn18
15 files changed, 233 insertions, 125 deletions
diff --git a/ChangeLog b/ChangeLog
index 69d58bb..9cc7bb2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,33 @@
+2013-11-26 - 0.2.9 Silvio Rhatto <rhatto@riseup.net>
+
+ Added 'tree' action
+
+ Added 'rm' alias to 'del' action
+
+ Set .gitignore during initialization and when using tmp inside the repository
+
+ Pass options to git-rm at del action
+
+ Simpler ramdisk/tmpfs check at keyringer_check_tmp
+
+ Better mode check on keyringer_check_tmp (closes #30)
+
+ Fixed minor typos
+
+ Man page update
+
+ Temp folder priority set to "$TMPDIR $TMP /tmpĀ /run/shm"
+
+ Avoid bash arrays on append action (closes #26)
+
+ Shell completion enhancements.
+
+ Fixing keyringer_has_action() to correctly handle "/" and ".".
+
+ Action ls now supports leading slash ("/").
+
+ Support for encrypting a whole tree (closes #21)
+
2013-11-14 - 0.2.8 Silvio Rhatto <rhatto@riseup.net>
Updated development workflow and version scheme
diff --git a/Makefile b/Makefile
index 0d2ef3a..360bd29 100644
--- a/Makefile
+++ b/Makefile
@@ -45,7 +45,18 @@ install: clean
@make install_lib install_bin install_doc install_man install_completion
build_man:
+ # Pipe output to sed to avoid http://lintian.debian.org/tags/hyphen-used-as-minus-sign.html
+ # Fixed in http://johnmacfarlane.net/pandoc/releases.html#pandoc-1.10-2013-01-19
pandoc -s -w man share/man/keyringer.1.mdwn -o share/man/keyringer.1
+ sed -i -e 's/--/\\-\\-/g' share/man/keyringer.1
tarball:
git archive --prefix=keyringer-$(VERSION)/ --format=tar HEAD | bzip2 >../tarballs/keyringer-$(VERSION).tar.bz2
+
+release:
+ @make build_man
+ git commit -a -m "Keyringer $(VERSION)"
+ git tag -s $(VERSION) -m "Keyringer $(VERSION)"
+ @make tarball
+ gpg --armor --detach-sign --output ../tarballs/keyringer-$(VERSION).tar.bz2.asc ../tarballs/keyringer-$(VERSION).tar.bz2
+ scp ../tarballs/keyringer-$(VERSION).tar.bz2* keyringer:/var/sites/keyringer/releases/
diff --git a/development.mdwn b/development.mdwn
index cfedb4b..3400643 100644
--- a/development.mdwn
+++ b/development.mdwn
@@ -48,27 +48,11 @@ Prepare the source code:
$EDITOR keyringer # and update KEYRINGER_VERSION
$EDITOR ChangeLog
- make build_man
-
-Commit and tag a release:
-
VERSION="`./keyringer | head -n 1 | cut -d ' ' -f 2`"
- git commit -a -m "Keyringer $VERSION"
- git tag -s $VERSION -m "Keyringer $VERSION"
-
-Create a release file:
-
- make tarball
-
-Sign the release ([see backupninja development guidelines](https://labs.riseup.net/code/projects/backupninja/wiki/Release)):
-
- cd ../tarballs
- gpg --armor --detach-sign keyringer-$VERSION.tar.bz2
-Upload the release:
+Create and upload a new release:
- scp keyringer-$VERSION.tar.bz2* keyringer:/var/sites/keyringer/releases/
- cd -
+ make release
Update the debian branch:
diff --git a/keyringer b/keyringer
index bdb1f6c..11b8aa1 100755
--- a/keyringer
+++ b/keyringer
@@ -90,6 +90,7 @@ function keyringer_init {
# Init
if ! keyringer_is_git "$BASEDIR"; then
keyringer_exec git "$BASEDIR" init
+ keyringer_git_ignore 'tmp/*'
# Edit default recipients
echo "Now you have to edit the default recipient configuration to be able to encrypt secrets."
@@ -119,7 +120,7 @@ function keyringer_dispatch {
# Config
NAME="keyringer"
-KEYRINGER_VERSION="0.2.8"
+KEYRINGER_VERSION="0.2.9"
CONFIG_VERSION="0.1"
CONFIG_BASE="$HOME/.$NAME"
CONFIG="$CONFIG_BASE/config"
diff --git a/lib/keyringer/actions/append b/lib/keyringer/actions/append
index e945bff..e307056 100755
--- a/lib/keyringer/actions/append
+++ b/lib/keyringer/actions/append
@@ -10,29 +10,11 @@ source "$LIB" || exit 1
# Get file
keyringer_get_file "$2"
-OLDIFS="$IFS"
-IFS=$'\n'
-
-CONTENT=($(keyringer_exec decrypt "$BASEDIR" "$FILE"))
-
+# Only display directions if we're running append, not append-batch
if [ "$BASENAME" == "append" ]; then
- # only display directions if we're running append, not append-batch
- printf "\n%s currently has %d lines\n\n" "$FILE" "${#CONTENT[@]}"
- printf "Now please write the content to be appended on %s, finnishing with Ctrl-D:\n" "$FILE"
-fi
-
-APPEND=($(cat -))
-
-NEW=( ${CONTENT[@]} ${APPEND[@]} )
-
-for element in $(seq 0 $((${#NEW[@]} - 1))); do
- echo ${NEW[$element]}
-done | keyringer_exec encrypt-batch $BASEDIR $FILE
-
-err="$?"
-
-if [ "$err" != "0" ]; then
- exit "$err"
+ printf "Please write the content to be appended on %s, finnishing with Ctrl-D:\n" "$FILE"
fi
-IFS="$OLDIFS"
+# Append content to an existing secret
+( keyringer_exec decrypt "$BASEDIR" "$FILE" && cat ) | \
+ keyringer_exec encrypt-batch $BASEDIR $FILE
diff --git a/lib/keyringer/actions/del b/lib/keyringer/actions/del
index babd212..d160ac4 100755
--- a/lib/keyringer/actions/del
+++ b/lib/keyringer/actions/del
@@ -10,7 +10,13 @@ source "$LIB" || exit 1
# Get file
keyringer_get_file "$2"
+# Set options
+if [ ! -z "$3" ]; then
+ shift 2
+ OPTS="$*"
+fi
+
# Remove
if [ -d "$BASEDIR/.git" ]; then
- keyringer_exec git "$BASEDIR" rm "keys/$FILE"
+ keyringer_exec git "$BASEDIR" rm $OPTS "keys/$FILE"
fi
diff --git a/lib/keyringer/actions/encrypt b/lib/keyringer/actions/encrypt
index aadb9fa..0a40bc1 100755
--- a/lib/keyringer/actions/encrypt
+++ b/lib/keyringer/actions/encrypt
@@ -17,6 +17,24 @@ function keyringer_usage_encrypt_batch {
keyringer_usage_encrypt $*
}
+# Encrypt a file into the datastore
+function keyringer_encrypt {
+ local file="$1"
+ shift
+
+ if [ -z "$1" ]; then
+ return 1
+ fi
+
+ if [ "$*" != "-" ]; then
+ echo "Encrypting $*..."
+ fi
+
+ mkdir -p "$KEYDIR/`dirname "$file"`"
+ $GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") --yes --output "$KEYDIR/$file" "$*"
+ printf "\n"
+}
+
# Usage
if [ -z "$2" ]; then
keyringer_action_usage
@@ -26,26 +44,31 @@ fi
# Aditional parameters
if [ ! -z "$3" ]; then
# Set secret name and original file
- FILE="$2"
+ BASEPATH="$2"
shift 2
UNENCRYPTED_FILE="$*"
- # Get original file EXTENSION
- FILENAME="$(basename "$UNENCRYPTED_FILE")"
- EXTENSION="${FILENAME##*.}"
-
- # Append file extension in the secret name
- #
- # Useful when opening files and the application needs the
- # extension to guess the file type.
- if ! echo $FILE | grep -q -e "\.$EXTENSION$"; then
- FILE="$FILE.$EXTENSION"
+ if [ ! -d "$UNENCRYPTED_FILE" ] && echo "$UNENCRYPTED_FILE" | grep -q -e '\.'; then
+ # Get original file EXTENSION
+ FILENAME="$(basename "$UNENCRYPTED_FILE")"
+ EXTENSION="${FILENAME##*.}"
+
+ # Append file extension in the secret name
+ #
+ # Useful when opening files and the application needs the
+ # extension to guess the file type.
+ if ! echo $BASEPATH | grep -q -e "\.$EXTENSION$"; then
+ echo "Appending '$EXTENSION' into secret name..."
+ FILE="$BASEPATH.$EXTENSION"
+ fi
+ else
+ FILE="$BASEPATH"
fi
keyringer_get_new_file $FILE
- if [ ! -f "$UNENCRYPTED_FILE" ]; then
- echo "Error: cannot encrypt $UNENCRYPTED_FILE: file not found."
+ if [ ! -e "$UNENCRYPTED_FILE" ]; then
+ echo "Error: cannot encrypt $UNENCRYPTED_FILE: path not found."
exit 1
fi
else
@@ -57,9 +80,7 @@ fi
# Set recipients file
keyringer_set_recipients "$FILE"
-# Encrypt
-mkdir -p "$KEYDIR/`dirname $FILE`"
-
+# Verbosity
if [ "$BASENAME" == "encrypt" ]; then
# Only display directions if we're running encrypt, not encrypt-batch
if [ "$UNENCRYPTED_FILE" == "-" ]; then
@@ -67,7 +88,23 @@ if [ "$BASENAME" == "encrypt" ]; then
fi
fi
-$GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") --yes --output "$KEYDIR/$FILE" "$UNENCRYPTED_FILE"
+# Encrypt
+if [ "$UNENCRYPTED_FILE" != "-" ] && [ -d "$UNENCRYPTED_FILE" ]; then
+ # Time to go recursive
+ BASEPATH="`basename $FILE .asc`"
+ FILEPATH="`dirname "$UNENCRYPTED_FILE"`"
+ find $UNENCRYPTED_FILE | while read file; do
+ if [ ! -d "$file" ]; then
+ dir="`dirname "$file" | sed -e "s|^$FILEPATH|$BASEPATH|g"`"
+ keyringer_get_new_file `basename "$file"`
+ keyringer_encrypt "$dir/$FILE" $file
+ fi
+ done
+
+ FILE="$OLD_FILE"
+else
+ keyringer_encrypt $FILE $UNENCRYPTED_FILE
+fi
err="$?"
diff --git a/lib/keyringer/actions/ls b/lib/keyringer/actions/ls
index ec8080b..bb66263 100755
--- a/lib/keyringer/actions/ls
+++ b/lib/keyringer/actions/ls
@@ -10,7 +10,10 @@ source "$LIB" || exit 1
# Aditional parameters
CWD="`pwd`"
-# Run list command
+# Avoid leading slash
shift
-cd "$KEYDIR" && ls $*
+ARGS="`echo "$*" | sed -e "s|^/*||"`"
+
+# Run list command
+cd "$KEYDIR" && ls $ARGS
cd "$CWD"
diff --git a/lib/keyringer/actions/rm b/lib/keyringer/actions/rm
new file mode 120000
index 0000000..1a7ac23
--- /dev/null
+++ b/lib/keyringer/actions/rm
@@ -0,0 +1 @@
+del \ No newline at end of file
diff --git a/lib/keyringer/actions/tree b/lib/keyringer/actions/tree
new file mode 100755
index 0000000..8e94cb0
--- /dev/null
+++ b/lib/keyringer/actions/tree
@@ -0,0 +1,31 @@
+#!/bin/bash
+#
+# List keys.
+#
+
+# Thanks http://www.centerkey.com/tree/
+function keyringer_tree {
+ ls -R $* | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
+}
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Aditional parameters
+CWD="`pwd`"
+
+# Avoid leading slash
+shift
+ARGS="`echo "$*" | sed -e "s|^/*||"`"
+
+# Check implementation
+if which tree &> /dev/null; then
+ TREE="tree"
+else
+ TREE="keyringer_tree"
+fi
+
+# Run list command
+cd "$KEYDIR" && $TREE $ARGS
+cd "$CWD"
diff --git a/lib/keyringer/completions/bash/keyringer b/lib/keyringer/completions/bash/keyringer
index 7bfa62f..eeda27f 100644
--- a/lib/keyringer/completions/bash/keyringer
+++ b/lib/keyringer/completions/bash/keyringer
@@ -46,11 +46,12 @@ _keyringer_git_complete() {
function _keyringer_path_complete() {
# Thanks http://unix.stackexchange.com/questions/55520/create-bash-completion-script-to-autocomplete-paths-after-is-equal-sign
cur=${1//\\ / }
- [[ ${cur} == "~/"* ]] && cur=${cur/\~/$HOME}
+ [[ ${cur} == "~"* ]] && cur=${cur/\~/$HOME}
echo ${cur}
}
+# Main completion
_keyringer() {
# Standard stuff
local cur prev command config path keyrings instances instance opts
@@ -93,7 +94,8 @@ _keyringer() {
recipients)
opts="ls edit"
;;
- ls|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|recrypt|open)
+ ls|tree|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open)
+ cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash
opts="$(bash -c "set -f && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)"
;;
genpair)
@@ -104,7 +106,7 @@ _keyringer() {
;;
init)
cur="$(_keyringer_path_complete ${cur})"
- opts="$(compgen -o dirnames ${cur})"
+ opts="`compgen -o default "${cur}"`"
;;
*)
;;
@@ -112,9 +114,11 @@ _keyringer() {
elif [ "${#COMP_WORDS[@]}" == "5" ]; then
case "${command}" in
recipients)
+ cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash
opts="$(cd $path/config/recipients && ls --color=never -p ${cur}* 2> /dev/null)"
;;
genpair)
+ cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash
opts="$(bash -c "set -f && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)"
;;
git)
@@ -123,7 +127,7 @@ _keyringer() {
;;
encrypt|encrypt-batch)
cur="$(_keyringer_path_complete ${cur})"
- opts="$(compgen -o dirnames ${cur})"
+ opts="`compgen -o default "${cur}"`"
;;
*)
;;
diff --git a/lib/keyringer/completions/zsh/_keyringer b/lib/keyringer/completions/zsh/_keyringer
index 50ff433..5717b00 100644
--- a/lib/keyringer/completions/zsh/_keyringer
+++ b/lib/keyringer/completions/zsh/_keyringer
@@ -50,7 +50,8 @@ _keyringer() {
recipients)
compadd "$@" ls edit
;;
- ls|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|recrypt|open)
+ ls|tree|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open)
+ words[4]="`echo $words[4] | sed -e "s|^/*||"`" # avoid leading slash
compadd "$@" $(KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[4]'*' 2> /dev/null)
;;
genpair)
@@ -69,9 +70,11 @@ _keyringer() {
misc)
case "$words[3]" in
recipients)
+ words[5]="$(echo $words[5] | sed -e "s|^/||")" # TODO: avoid leading slash
compadd "$@" $(cd $keyring_path/config/recipients && ls --color=never -p $words[5]'*' 2> /dev/null)
;;
genpair)
+ words[5]="$(echo $words[5] | sed -e "s|^/||")" # TODO: avoid leading slash
compadd "$@" $(KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[5]'*' 2> /dev/null)
;;
git)
diff --git a/lib/keyringer/functions b/lib/keyringer/functions
index 4c06198..bef00d9 100755
--- a/lib/keyringer/functions
+++ b/lib/keyringer/functions
@@ -59,7 +59,7 @@ function keyringer_has_action {
exit 1
fi
- if [ -e "$ACTIONS/$1" ]; then
+ if [ -e "$ACTIONS/$1" ] && [ ! -d "$ACTIONS/$1" ]; then
true
else
false
@@ -114,37 +114,23 @@ function keyringer_is_git {
# Check the security of a temporary folder
function keyringer_check_tmp {
local path="$1"
- local minor
- local mode
-
- if [ -z "$path" ]; then
- return
- fi
+ local mount
# Mode check
- if [ "`stat -c "%A" $path`" != "drwxrwxrwt" ]; then
+ if [ -z "$path" ] || [ ! -d "$path" ] || [ ! -w "$path" ] || [ ! -x "$path" ]; then
return 1
fi
# Ramdisk check
- if [ -x "/sbin/udevadm" ]; then
- minor="$(/sbin/udevadm info --device-id-of-file "$path" | cut -d : -f 1)"
- elif which mountpoint &> /dev/null; then
- minor="$(mountpoint -d $(df "$path" | sed -n '$p' | awk '{print $NF}') | cut -d : -f 1)"
- fi
-
- if [ ! -z "$minor" ]; then
- return $minor
- else
- return 1
- fi
+ mount="`df "$path" | sed -n '$p' | awk '{ print $NF }'`"
+ mount -l -t tmpfs | awk '{ print $3 }' | grep -q -e "^$mount$"
}
# Setup a temporary file
function keyringer_set_tmpfile {
local tmp
local candidate
- local candidates="/tmp /run/shm $TMP"
+ local candidates="$TMPDIR $TMP /tmp /run/shm"
if [ -z "$BASEDIR" ]; then
echo "Please set BASEDIR before creating a tmp file"
@@ -166,6 +152,9 @@ function keyringer_set_tmpfile {
echo "Press any key to continue, Ctrl-C to abort"
read key
tmp="$BASEDIR/tmp"
+
+ # Just to be sure
+ keyringer_git_ignore 'tmp/*'
fi
# Determine template
@@ -176,7 +165,6 @@ function keyringer_set_tmpfile {
fi
mkdir -p "$tmp"
- keyringer_git_ignore 'tmp/*'
if [ "$2" == "-d" ]; then
TMPWORK="$(mktemp -d "$template")"
@@ -431,10 +419,10 @@ function keyringer_get_new_file {
fi
# Sanitize and complete file name
- FILE="`echo $FILE | sed -e s/[^A-Za-z0-9.\/\-]/_/g`"
+ FILE="`echo $FILE | sed -e 's/[^A-Za-z0-9.\/\-]/_/g'`"
# Warn user about file name change
- if [ "`basename $*`" != "`basename $FILE`" ]; then
+ if [ "`basename "$*"`" != "`basename $FILE`" ]; then
echo "Sanitizing destination filename to `basename $FILE`"
fi
diff --git a/share/man/keyringer.1 b/share/man/keyringer.1
index c3fbc54..c0fed1c 100644
--- a/share/man/keyringer.1
+++ b/share/man/keyringer.1
@@ -59,6 +59,14 @@ Like the git wrapper, this is a wrapper around the \f[I]LS(1)\f[]
command.
.RS
.RE
+.TP
+.B tree <\f[I]path\f[]>
+List contents from the toplevel repository \f[I]keys\f[] folder or from
+relative paths if \f[I]path\f[] is specified using a tree-like format.
+Like the ls wrapper, this is a wrapper around the \f[I]TREE(1)\f[]
+command.
+.RS
+.RE
.SH SECRET MANIPULATION ACTIONS
.PP
All secret manipulation actions operate upon a \f[I]secret\f[] which is
@@ -102,6 +110,11 @@ Git history.\f[] To completely remove a file from a keyring, you should
also rewrite the Git history yourself.
.RE
.TP
+.B rm <\f[I]secret\f[]>
+Alias for \f[I]del\f[] action.
+.RS
+.RE
+.TP
.B edit <\f[I]secret\f[]>
Edit a secret by temporarily decrypting it, opening the decrypted copy
into the text editor defined by the \f[I]$EDITOR\f[] environment
@@ -113,11 +126,15 @@ variable and then re-encrypting it.
Encrypts content from standard input or \f[I]file\f[] into
\f[I]secret\f[] pathname.
No spaces are supported in the \f[I]secret\f[] name.
+If \f[I]file\f[] is actually a folder, keyringer will recursivelly
+encrypt all it\[aq]s contents.
.RS
.RE
.TP
-.B encrypt-batch <\f[I]secret\f[]>
+.B encrypt-batch <\f[I]secret\f[]> [\f[I]file\f[]]
Encrypt content, batch mode.
+Behavior is identical to \f[I]encrypt\f[] action, but less verbose.
+Useful inside scripts.
.RS
.RE
.TP
@@ -193,41 +210,41 @@ aliases.
.PP
Keyringer uses a default recipients file, but specifying a custom
\f[I]recipients-file\f[] pathname will override this default.
+.PP
For instance, if a user encrypts a secret to a file in the keyring
repository\[aq]s \f[I]accounting\f[] folder, a \f[I]recipients-file\f[]
under \f[I]accounting\f[] will be used.
Encrypting a secret into \f[I]accounting/bank-accounts\f[] will result
-in a file
+in a file \f[C]$KEYRING_FOLDER/keys/accounting/bank-accounts.asc\f[]
+encrypted using the public keys listed in the config
+file\f[C]$KEYRING_FOLDER/config/recipients/accounting\f[].
+.PP
+Each line in a recipients file has entries in the format
+\[aq]john\@doe.com XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\[aq], where
+\f[I]john\@doe.com\f[] is an alias for the GPG public key whose
+fingerprint is \f[I]XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.\f[]
+.PP
+All lines starting with the hash (#) character are interpreted as
+comments.
+.PP
+Parameters to the \f[I]recipients\f[] action are:
+.TP
+.B \f[I]ls\f[]
+List all existing recipients files.
+.RS
.RE
+.TP
+.B \f[I]edit\f[]
+Create or edit a recipients file.
+.RS
.PP
-\f[C]$KEYRING_FOLDER/keys/accounting/bank-accounts.asc\f[] encrypted
-using the public keys listed in the config
-file\f[C]$KEYRING_FOLDER/config/recipients/accounting\f[].
-.IP
-.nf
-\f[C]
-Each\ line\ in\ a\ recipients\ file\ has\ entries\ in\ the\ format
-\[aq]john\@doe.com\ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\[aq],\ where\ *john\@doe.com*
-is\ an\ alias\ for\ the\ GPG\ public\ key\ whose\ fingerprint\ is
-*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.*
-
-All\ lines\ starting\ with\ the\ hash\ (#)\ character\ are\ interpreted\ as\ comments.
-
-Parameters\ to\ the\ *recipients*\ action\ are:
-
-\ \ *ls*
-\ \ :\ \ \ List\ all\ existing\ recipients\ files.
-
-\ \ *edit*
-\ \ :\ \ \ Create\ or\ edit\ a\ recipients\ file.
-
-\ \ \ \ \ \ Editing\ happens\ using\ the\ editor\ specified\ by\ the\ `$EDITOR`
-\ \ \ \ \ \ environment\ variable.
-
-\ \ \ \ \ \ The\ required\ parameter\ *recipients-file*\ is\ interpreted\ relative
-\ \ \ \ \ \ to\ the\ `$KEYRING_FOLDER/config/recipients/`\ folder.
-\f[]
-.fi
+Editing happens using the editor specified by the \f[C]$EDITOR\f[]
+environment variable.
+.PP
+The required parameter \f[I]recipients-file\f[] is interpreted relative
+to the \f[C]$KEYRING_FOLDER/config/recipients/\f[] folder.
+.RE
+.RE
.SH FILES
.PP
$HOME/.keyringer/config : User\[aq]s main configuration file used to map
@@ -246,7 +263,7 @@ Metadata is not encrypted, meaning that an attacker with access to a
keyringer repository can discover all public key IDs used for
encryption, and which secrets are encrypted to which keys.
This can be improved in the future by encrypting the repository
-configuration with support for the \f[I]--hidden-recipient\f[] GnuPG
+configuration with support for the \f[I]\-\-hidden-recipient\f[] GnuPG
option.
.IP "2." 3
History is not rewritten by default when secrets are removed from a
diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn
index ee035e3..d4b71e3 100644
--- a/share/man/keyringer.1.mdwn
+++ b/share/man/keyringer.1.mdwn
@@ -56,6 +56,11 @@ ls <*path*>
if *path* is specified. Like the git wrapper, this is a wrapper around the *LS(1)*
command.
+tree <*path*>
+: List contents from the toplevel repository *keys* folder or from relative paths
+ if *path* is specified using a tree-like format. Like the ls wrapper, this is a
+ wrapper around the *TREE(1)* command.
+
# SECRET MANIPULATION ACTIONS
All secret manipulation actions operate upon a *secret* which is the pathname
@@ -88,16 +93,21 @@ del <*secret*>
To completely remove a file from a keyring, you should also rewrite the Git
history yourself.
+rm <*secret*>
+: Alias for *del* action.
+
edit <*secret*>
: Edit a secret by temporarily decrypting it, opening the decrypted copy into the
text editor defined by the *$EDITOR* environment variable and then re-encrypting it.
encrypt <*secret*> [*file*]
: Encrypts content from standard input or *file* into *secret* pathname. No spaces
- are supported in the *secret* name.
+ are supported in the *secret* name. If *file* is actually a folder, keyringer
+ will recursivelly encrypt all it's contents.
-encrypt-batch <*secret*>
-: Encrypt content, batch mode.
+encrypt-batch <*secret*> [*file*]
+: Encrypt content, batch mode. Behavior is identical to *encrypt* action, but less
+ verbose. Useful inside scripts.
genpair <*ssh*|*gpg*|*ssl*|*ssl-self*> [*options*]
: Wrapper to generate encryption key-pairs, useful for automated key deployment.
@@ -153,7 +163,7 @@ recipients <*ls*|*edit*> <*recipients-file*>
For instance, if a user encrypts a secret to a file in the keyring repository's
*accounting* folder, a *recipients-file* under *accounting* will be used.
Encrypting a secret into *accounting/bank-accounts* will result in a file
- `$KEYRING_FOLDER/keys/accounting/bank-accounts.asc` encrypted using the public
+ `$KEYRING_FOLDER/keys/accounting/bank-accounts.asc` encrypted using the public
keys listed in the config file`$KEYRING_FOLDER/config/recipients/accounting`.
Each line in a recipients file has entries in the format