diff options
author | Silvio Rhatto <rhatto@riseup.net> | 2013-11-26 17:18:57 -0200 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2013-11-26 17:18:57 -0200 |
commit | ef46233be5016435ada01b36d3d9fe27f1097e3b (patch) | |
tree | 25c8edec8ff092348317ac3a038f4941ac7acef4 | |
parent | cc7f823348eb24802cd85232cdbcdc8b1ab070e0 (diff) | |
parent | 5f1590e0722ee5ee9fed2ccc43adfb88f00218fd (diff) | |
download | keyringer-ef46233be5016435ada01b36d3d9fe27f1097e3b.tar.gz keyringer-ef46233be5016435ada01b36d3d9fe27f1097e3b.tar.bz2 |
Merge tag 'upstream_keyringer_0.2.9' into debian
Upstream version 0.2.9
-rw-r--r-- | ChangeLog | 30 | ||||
-rw-r--r-- | Makefile | 11 | ||||
-rw-r--r-- | development.mdwn | 20 | ||||
-rwxr-xr-x | keyringer | 3 | ||||
-rwxr-xr-x | lib/keyringer/actions/append | 28 | ||||
-rwxr-xr-x | lib/keyringer/actions/del | 8 | ||||
-rwxr-xr-x | lib/keyringer/actions/encrypt | 71 | ||||
-rwxr-xr-x | lib/keyringer/actions/ls | 7 | ||||
l--------- | lib/keyringer/actions/rm | 1 | ||||
-rwxr-xr-x | lib/keyringer/actions/tree | 31 | ||||
-rw-r--r-- | lib/keyringer/completions/bash/keyringer | 12 | ||||
-rw-r--r-- | lib/keyringer/completions/zsh/_keyringer | 5 | ||||
-rwxr-xr-x | lib/keyringer/functions | 34 | ||||
-rw-r--r-- | share/man/keyringer.1 | 79 | ||||
-rw-r--r-- | share/man/keyringer.1.mdwn | 18 |
15 files changed, 233 insertions, 125 deletions
@@ -1,3 +1,33 @@ +2013-11-26 - 0.2.9 Silvio Rhatto <rhatto@riseup.net> + + Added 'tree' action + + Added 'rm' alias to 'del' action + + Set .gitignore during initialization and when using tmp inside the repository + + Pass options to git-rm at del action + + Simpler ramdisk/tmpfs check at keyringer_check_tmp + + Better mode check on keyringer_check_tmp (closes #30) + + Fixed minor typos + + Man page update + + Temp folder priority set to "$TMPDIR $TMP /tmpĀ /run/shm" + + Avoid bash arrays on append action (closes #26) + + Shell completion enhancements. + + Fixing keyringer_has_action() to correctly handle "/" and ".". + + Action ls now supports leading slash ("/"). + + Support for encrypting a whole tree (closes #21) + 2013-11-14 - 0.2.8 Silvio Rhatto <rhatto@riseup.net> Updated development workflow and version scheme @@ -45,7 +45,18 @@ install: clean @make install_lib install_bin install_doc install_man install_completion build_man: + # Pipe output to sed to avoid http://lintian.debian.org/tags/hyphen-used-as-minus-sign.html + # Fixed in http://johnmacfarlane.net/pandoc/releases.html#pandoc-1.10-2013-01-19 pandoc -s -w man share/man/keyringer.1.mdwn -o share/man/keyringer.1 + sed -i -e 's/--/\\-\\-/g' share/man/keyringer.1 tarball: git archive --prefix=keyringer-$(VERSION)/ --format=tar HEAD | bzip2 >../tarballs/keyringer-$(VERSION).tar.bz2 + +release: + @make build_man + git commit -a -m "Keyringer $(VERSION)" + git tag -s $(VERSION) -m "Keyringer $(VERSION)" + @make tarball + gpg --armor --detach-sign --output ../tarballs/keyringer-$(VERSION).tar.bz2.asc ../tarballs/keyringer-$(VERSION).tar.bz2 + scp ../tarballs/keyringer-$(VERSION).tar.bz2* keyringer:/var/sites/keyringer/releases/ diff --git a/development.mdwn b/development.mdwn index cfedb4b..3400643 100644 --- a/development.mdwn +++ b/development.mdwn @@ -48,27 +48,11 @@ Prepare the source code: $EDITOR keyringer # and update KEYRINGER_VERSION $EDITOR ChangeLog - make build_man - -Commit and tag a release: - VERSION="`./keyringer | head -n 1 | cut -d ' ' -f 2`" - git commit -a -m "Keyringer $VERSION" - git tag -s $VERSION -m "Keyringer $VERSION" - -Create a release file: - - make tarball - -Sign the release ([see backupninja development guidelines](https://labs.riseup.net/code/projects/backupninja/wiki/Release)): - - cd ../tarballs - gpg --armor --detach-sign keyringer-$VERSION.tar.bz2 -Upload the release: +Create and upload a new release: - scp keyringer-$VERSION.tar.bz2* keyringer:/var/sites/keyringer/releases/ - cd - + make release Update the debian branch: @@ -90,6 +90,7 @@ function keyringer_init { # Init if ! keyringer_is_git "$BASEDIR"; then keyringer_exec git "$BASEDIR" init + keyringer_git_ignore 'tmp/*' # Edit default recipients echo "Now you have to edit the default recipient configuration to be able to encrypt secrets." @@ -119,7 +120,7 @@ function keyringer_dispatch { # Config NAME="keyringer" -KEYRINGER_VERSION="0.2.8" +KEYRINGER_VERSION="0.2.9" CONFIG_VERSION="0.1" CONFIG_BASE="$HOME/.$NAME" CONFIG="$CONFIG_BASE/config" diff --git a/lib/keyringer/actions/append b/lib/keyringer/actions/append index e945bff..e307056 100755 --- a/lib/keyringer/actions/append +++ b/lib/keyringer/actions/append @@ -10,29 +10,11 @@ source "$LIB" || exit 1 # Get file keyringer_get_file "$2" -OLDIFS="$IFS" -IFS=$'\n' - -CONTENT=($(keyringer_exec decrypt "$BASEDIR" "$FILE")) - +# Only display directions if we're running append, not append-batch if [ "$BASENAME" == "append" ]; then - # only display directions if we're running append, not append-batch - printf "\n%s currently has %d lines\n\n" "$FILE" "${#CONTENT[@]}" - printf "Now please write the content to be appended on %s, finnishing with Ctrl-D:\n" "$FILE" -fi - -APPEND=($(cat -)) - -NEW=( ${CONTENT[@]} ${APPEND[@]} ) - -for element in $(seq 0 $((${#NEW[@]} - 1))); do - echo ${NEW[$element]} -done | keyringer_exec encrypt-batch $BASEDIR $FILE - -err="$?" - -if [ "$err" != "0" ]; then - exit "$err" + printf "Please write the content to be appended on %s, finnishing with Ctrl-D:\n" "$FILE" fi -IFS="$OLDIFS" +# Append content to an existing secret +( keyringer_exec decrypt "$BASEDIR" "$FILE" && cat ) | \ + keyringer_exec encrypt-batch $BASEDIR $FILE diff --git a/lib/keyringer/actions/del b/lib/keyringer/actions/del index babd212..d160ac4 100755 --- a/lib/keyringer/actions/del +++ b/lib/keyringer/actions/del @@ -10,7 +10,13 @@ source "$LIB" || exit 1 # Get file keyringer_get_file "$2" +# Set options +if [ ! -z "$3" ]; then + shift 2 + OPTS="$*" +fi + # Remove if [ -d "$BASEDIR/.git" ]; then - keyringer_exec git "$BASEDIR" rm "keys/$FILE" + keyringer_exec git "$BASEDIR" rm $OPTS "keys/$FILE" fi diff --git a/lib/keyringer/actions/encrypt b/lib/keyringer/actions/encrypt index aadb9fa..0a40bc1 100755 --- a/lib/keyringer/actions/encrypt +++ b/lib/keyringer/actions/encrypt @@ -17,6 +17,24 @@ function keyringer_usage_encrypt_batch { keyringer_usage_encrypt $* } +# Encrypt a file into the datastore +function keyringer_encrypt { + local file="$1" + shift + + if [ -z "$1" ]; then + return 1 + fi + + if [ "$*" != "-" ]; then + echo "Encrypting $*..." + fi + + mkdir -p "$KEYDIR/`dirname "$file"`" + $GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") --yes --output "$KEYDIR/$file" "$*" + printf "\n" +} + # Usage if [ -z "$2" ]; then keyringer_action_usage @@ -26,26 +44,31 @@ fi # Aditional parameters if [ ! -z "$3" ]; then # Set secret name and original file - FILE="$2" + BASEPATH="$2" shift 2 UNENCRYPTED_FILE="$*" - # Get original file EXTENSION - FILENAME="$(basename "$UNENCRYPTED_FILE")" - EXTENSION="${FILENAME##*.}" - - # Append file extension in the secret name - # - # Useful when opening files and the application needs the - # extension to guess the file type. - if ! echo $FILE | grep -q -e "\.$EXTENSION$"; then - FILE="$FILE.$EXTENSION" + if [ ! -d "$UNENCRYPTED_FILE" ] && echo "$UNENCRYPTED_FILE" | grep -q -e '\.'; then + # Get original file EXTENSION + FILENAME="$(basename "$UNENCRYPTED_FILE")" + EXTENSION="${FILENAME##*.}" + + # Append file extension in the secret name + # + # Useful when opening files and the application needs the + # extension to guess the file type. + if ! echo $BASEPATH | grep -q -e "\.$EXTENSION$"; then + echo "Appending '$EXTENSION' into secret name..." + FILE="$BASEPATH.$EXTENSION" + fi + else + FILE="$BASEPATH" fi keyringer_get_new_file $FILE - if [ ! -f "$UNENCRYPTED_FILE" ]; then - echo "Error: cannot encrypt $UNENCRYPTED_FILE: file not found." + if [ ! -e "$UNENCRYPTED_FILE" ]; then + echo "Error: cannot encrypt $UNENCRYPTED_FILE: path not found." exit 1 fi else @@ -57,9 +80,7 @@ fi # Set recipients file keyringer_set_recipients "$FILE" -# Encrypt -mkdir -p "$KEYDIR/`dirname $FILE`" - +# Verbosity if [ "$BASENAME" == "encrypt" ]; then # Only display directions if we're running encrypt, not encrypt-batch if [ "$UNENCRYPTED_FILE" == "-" ]; then @@ -67,7 +88,23 @@ if [ "$BASENAME" == "encrypt" ]; then fi fi -$GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") --yes --output "$KEYDIR/$FILE" "$UNENCRYPTED_FILE" +# Encrypt +if [ "$UNENCRYPTED_FILE" != "-" ] && [ -d "$UNENCRYPTED_FILE" ]; then + # Time to go recursive + BASEPATH="`basename $FILE .asc`" + FILEPATH="`dirname "$UNENCRYPTED_FILE"`" + find $UNENCRYPTED_FILE | while read file; do + if [ ! -d "$file" ]; then + dir="`dirname "$file" | sed -e "s|^$FILEPATH|$BASEPATH|g"`" + keyringer_get_new_file `basename "$file"` + keyringer_encrypt "$dir/$FILE" $file + fi + done + + FILE="$OLD_FILE" +else + keyringer_encrypt $FILE $UNENCRYPTED_FILE +fi err="$?" diff --git a/lib/keyringer/actions/ls b/lib/keyringer/actions/ls index ec8080b..bb66263 100755 --- a/lib/keyringer/actions/ls +++ b/lib/keyringer/actions/ls @@ -10,7 +10,10 @@ source "$LIB" || exit 1 # Aditional parameters CWD="`pwd`" -# Run list command +# Avoid leading slash shift -cd "$KEYDIR" && ls $* +ARGS="`echo "$*" | sed -e "s|^/*||"`" + +# Run list command +cd "$KEYDIR" && ls $ARGS cd "$CWD" diff --git a/lib/keyringer/actions/rm b/lib/keyringer/actions/rm new file mode 120000 index 0000000..1a7ac23 --- /dev/null +++ b/lib/keyringer/actions/rm @@ -0,0 +1 @@ +del
\ No newline at end of file diff --git a/lib/keyringer/actions/tree b/lib/keyringer/actions/tree new file mode 100755 index 0000000..8e94cb0 --- /dev/null +++ b/lib/keyringer/actions/tree @@ -0,0 +1,31 @@ +#!/bin/bash +# +# List keys. +# + +# Thanks http://www.centerkey.com/tree/ +function keyringer_tree { + ls -R $* | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/' +} + +# Load functions +LIB="`dirname $0`/../functions" +source "$LIB" || exit 1 + +# Aditional parameters +CWD="`pwd`" + +# Avoid leading slash +shift +ARGS="`echo "$*" | sed -e "s|^/*||"`" + +# Check implementation +if which tree &> /dev/null; then + TREE="tree" +else + TREE="keyringer_tree" +fi + +# Run list command +cd "$KEYDIR" && $TREE $ARGS +cd "$CWD" diff --git a/lib/keyringer/completions/bash/keyringer b/lib/keyringer/completions/bash/keyringer index 7bfa62f..eeda27f 100644 --- a/lib/keyringer/completions/bash/keyringer +++ b/lib/keyringer/completions/bash/keyringer @@ -46,11 +46,12 @@ _keyringer_git_complete() { function _keyringer_path_complete() { # Thanks http://unix.stackexchange.com/questions/55520/create-bash-completion-script-to-autocomplete-paths-after-is-equal-sign cur=${1//\\ / } - [[ ${cur} == "~/"* ]] && cur=${cur/\~/$HOME} + [[ ${cur} == "~"* ]] && cur=${cur/\~/$HOME} echo ${cur} } +# Main completion _keyringer() { # Standard stuff local cur prev command config path keyrings instances instance opts @@ -93,7 +94,8 @@ _keyringer() { recipients) opts="ls edit" ;; - ls|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|recrypt|open) + ls|tree|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open) + cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash opts="$(bash -c "set -f && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)" ;; genpair) @@ -104,7 +106,7 @@ _keyringer() { ;; init) cur="$(_keyringer_path_complete ${cur})" - opts="$(compgen -o dirnames ${cur})" + opts="`compgen -o default "${cur}"`" ;; *) ;; @@ -112,9 +114,11 @@ _keyringer() { elif [ "${#COMP_WORDS[@]}" == "5" ]; then case "${command}" in recipients) + cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash opts="$(cd $path/config/recipients && ls --color=never -p ${cur}* 2> /dev/null)" ;; genpair) + cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash opts="$(bash -c "set -f && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)" ;; git) @@ -123,7 +127,7 @@ _keyringer() { ;; encrypt|encrypt-batch) cur="$(_keyringer_path_complete ${cur})" - opts="$(compgen -o dirnames ${cur})" + opts="`compgen -o default "${cur}"`" ;; *) ;; diff --git a/lib/keyringer/completions/zsh/_keyringer b/lib/keyringer/completions/zsh/_keyringer index 50ff433..5717b00 100644 --- a/lib/keyringer/completions/zsh/_keyringer +++ b/lib/keyringer/completions/zsh/_keyringer @@ -50,7 +50,8 @@ _keyringer() { recipients) compadd "$@" ls edit ;; - ls|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|recrypt|open) + ls|tree|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open) + words[4]="`echo $words[4] | sed -e "s|^/*||"`" # avoid leading slash compadd "$@" $(KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[4]'*' 2> /dev/null) ;; genpair) @@ -69,9 +70,11 @@ _keyringer() { misc) case "$words[3]" in recipients) + words[5]="$(echo $words[5] | sed -e "s|^/||")" # TODO: avoid leading slash compadd "$@" $(cd $keyring_path/config/recipients && ls --color=never -p $words[5]'*' 2> /dev/null) ;; genpair) + words[5]="$(echo $words[5] | sed -e "s|^/||")" # TODO: avoid leading slash compadd "$@" $(KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[5]'*' 2> /dev/null) ;; git) diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 4c06198..bef00d9 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -59,7 +59,7 @@ function keyringer_has_action { exit 1 fi - if [ -e "$ACTIONS/$1" ]; then + if [ -e "$ACTIONS/$1" ] && [ ! -d "$ACTIONS/$1" ]; then true else false @@ -114,37 +114,23 @@ function keyringer_is_git { # Check the security of a temporary folder function keyringer_check_tmp { local path="$1" - local minor - local mode - - if [ -z "$path" ]; then - return - fi + local mount # Mode check - if [ "`stat -c "%A" $path`" != "drwxrwxrwt" ]; then + if [ -z "$path" ] || [ ! -d "$path" ] || [ ! -w "$path" ] || [ ! -x "$path" ]; then return 1 fi # Ramdisk check - if [ -x "/sbin/udevadm" ]; then - minor="$(/sbin/udevadm info --device-id-of-file "$path" | cut -d : -f 1)" - elif which mountpoint &> /dev/null; then - minor="$(mountpoint -d $(df "$path" | sed -n '$p' | awk '{print $NF}') | cut -d : -f 1)" - fi - - if [ ! -z "$minor" ]; then - return $minor - else - return 1 - fi + mount="`df "$path" | sed -n '$p' | awk '{ print $NF }'`" + mount -l -t tmpfs | awk '{ print $3 }' | grep -q -e "^$mount$" } # Setup a temporary file function keyringer_set_tmpfile { local tmp local candidate - local candidates="/tmp /run/shm $TMP" + local candidates="$TMPDIR $TMP /tmp /run/shm" if [ -z "$BASEDIR" ]; then echo "Please set BASEDIR before creating a tmp file" @@ -166,6 +152,9 @@ function keyringer_set_tmpfile { echo "Press any key to continue, Ctrl-C to abort" read key tmp="$BASEDIR/tmp" + + # Just to be sure + keyringer_git_ignore 'tmp/*' fi # Determine template @@ -176,7 +165,6 @@ function keyringer_set_tmpfile { fi mkdir -p "$tmp" - keyringer_git_ignore 'tmp/*' if [ "$2" == "-d" ]; then TMPWORK="$(mktemp -d "$template")" @@ -431,10 +419,10 @@ function keyringer_get_new_file { fi # Sanitize and complete file name - FILE="`echo $FILE | sed -e s/[^A-Za-z0-9.\/\-]/_/g`" + FILE="`echo $FILE | sed -e 's/[^A-Za-z0-9.\/\-]/_/g'`" # Warn user about file name change - if [ "`basename $*`" != "`basename $FILE`" ]; then + if [ "`basename "$*"`" != "`basename $FILE`" ]; then echo "Sanitizing destination filename to `basename $FILE`" fi diff --git a/share/man/keyringer.1 b/share/man/keyringer.1 index c3fbc54..c0fed1c 100644 --- a/share/man/keyringer.1 +++ b/share/man/keyringer.1 @@ -59,6 +59,14 @@ Like the git wrapper, this is a wrapper around the \f[I]LS(1)\f[] command. .RS .RE +.TP +.B tree <\f[I]path\f[]> +List contents from the toplevel repository \f[I]keys\f[] folder or from +relative paths if \f[I]path\f[] is specified using a tree-like format. +Like the ls wrapper, this is a wrapper around the \f[I]TREE(1)\f[] +command. +.RS +.RE .SH SECRET MANIPULATION ACTIONS .PP All secret manipulation actions operate upon a \f[I]secret\f[] which is @@ -102,6 +110,11 @@ Git history.\f[] To completely remove a file from a keyring, you should also rewrite the Git history yourself. .RE .TP +.B rm <\f[I]secret\f[]> +Alias for \f[I]del\f[] action. +.RS +.RE +.TP .B edit <\f[I]secret\f[]> Edit a secret by temporarily decrypting it, opening the decrypted copy into the text editor defined by the \f[I]$EDITOR\f[] environment @@ -113,11 +126,15 @@ variable and then re-encrypting it. Encrypts content from standard input or \f[I]file\f[] into \f[I]secret\f[] pathname. No spaces are supported in the \f[I]secret\f[] name. +If \f[I]file\f[] is actually a folder, keyringer will recursivelly +encrypt all it\[aq]s contents. .RS .RE .TP -.B encrypt-batch <\f[I]secret\f[]> +.B encrypt-batch <\f[I]secret\f[]> [\f[I]file\f[]] Encrypt content, batch mode. +Behavior is identical to \f[I]encrypt\f[] action, but less verbose. +Useful inside scripts. .RS .RE .TP @@ -193,41 +210,41 @@ aliases. .PP Keyringer uses a default recipients file, but specifying a custom \f[I]recipients-file\f[] pathname will override this default. +.PP For instance, if a user encrypts a secret to a file in the keyring repository\[aq]s \f[I]accounting\f[] folder, a \f[I]recipients-file\f[] under \f[I]accounting\f[] will be used. Encrypting a secret into \f[I]accounting/bank-accounts\f[] will result -in a file +in a file \f[C]$KEYRING_FOLDER/keys/accounting/bank-accounts.asc\f[] +encrypted using the public keys listed in the config +file\f[C]$KEYRING_FOLDER/config/recipients/accounting\f[]. +.PP +Each line in a recipients file has entries in the format +\[aq]john\@doe.com XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\[aq], where +\f[I]john\@doe.com\f[] is an alias for the GPG public key whose +fingerprint is \f[I]XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.\f[] +.PP +All lines starting with the hash (#) character are interpreted as +comments. +.PP +Parameters to the \f[I]recipients\f[] action are: +.TP +.B \f[I]ls\f[] +List all existing recipients files. +.RS .RE +.TP +.B \f[I]edit\f[] +Create or edit a recipients file. +.RS .PP -\f[C]$KEYRING_FOLDER/keys/accounting/bank-accounts.asc\f[] encrypted -using the public keys listed in the config -file\f[C]$KEYRING_FOLDER/config/recipients/accounting\f[]. -.IP -.nf -\f[C] -Each\ line\ in\ a\ recipients\ file\ has\ entries\ in\ the\ format -\[aq]john\@doe.com\ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\[aq],\ where\ *john\@doe.com* -is\ an\ alias\ for\ the\ GPG\ public\ key\ whose\ fingerprint\ is -*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.* - -All\ lines\ starting\ with\ the\ hash\ (#)\ character\ are\ interpreted\ as\ comments. - -Parameters\ to\ the\ *recipients*\ action\ are: - -\ \ *ls* -\ \ :\ \ \ List\ all\ existing\ recipients\ files. - -\ \ *edit* -\ \ :\ \ \ Create\ or\ edit\ a\ recipients\ file. - -\ \ \ \ \ \ Editing\ happens\ using\ the\ editor\ specified\ by\ the\ `$EDITOR` -\ \ \ \ \ \ environment\ variable. - -\ \ \ \ \ \ The\ required\ parameter\ *recipients-file*\ is\ interpreted\ relative -\ \ \ \ \ \ to\ the\ `$KEYRING_FOLDER/config/recipients/`\ folder. -\f[] -.fi +Editing happens using the editor specified by the \f[C]$EDITOR\f[] +environment variable. +.PP +The required parameter \f[I]recipients-file\f[] is interpreted relative +to the \f[C]$KEYRING_FOLDER/config/recipients/\f[] folder. +.RE +.RE .SH FILES .PP $HOME/.keyringer/config : User\[aq]s main configuration file used to map @@ -246,7 +263,7 @@ Metadata is not encrypted, meaning that an attacker with access to a keyringer repository can discover all public key IDs used for encryption, and which secrets are encrypted to which keys. This can be improved in the future by encrypting the repository -configuration with support for the \f[I]--hidden-recipient\f[] GnuPG +configuration with support for the \f[I]\-\-hidden-recipient\f[] GnuPG option. .IP "2." 3 History is not rewritten by default when secrets are removed from a diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn index ee035e3..d4b71e3 100644 --- a/share/man/keyringer.1.mdwn +++ b/share/man/keyringer.1.mdwn @@ -56,6 +56,11 @@ ls <*path*> if *path* is specified. Like the git wrapper, this is a wrapper around the *LS(1)* command. +tree <*path*> +: List contents from the toplevel repository *keys* folder or from relative paths + if *path* is specified using a tree-like format. Like the ls wrapper, this is a + wrapper around the *TREE(1)* command. + # SECRET MANIPULATION ACTIONS All secret manipulation actions operate upon a *secret* which is the pathname @@ -88,16 +93,21 @@ del <*secret*> To completely remove a file from a keyring, you should also rewrite the Git history yourself. +rm <*secret*> +: Alias for *del* action. + edit <*secret*> : Edit a secret by temporarily decrypting it, opening the decrypted copy into the text editor defined by the *$EDITOR* environment variable and then re-encrypting it. encrypt <*secret*> [*file*] : Encrypts content from standard input or *file* into *secret* pathname. No spaces - are supported in the *secret* name. + are supported in the *secret* name. If *file* is actually a folder, keyringer + will recursivelly encrypt all it's contents. -encrypt-batch <*secret*> -: Encrypt content, batch mode. +encrypt-batch <*secret*> [*file*] +: Encrypt content, batch mode. Behavior is identical to *encrypt* action, but less + verbose. Useful inside scripts. genpair <*ssh*|*gpg*|*ssl*|*ssl-self*> [*options*] : Wrapper to generate encryption key-pairs, useful for automated key deployment. @@ -153,7 +163,7 @@ recipients <*ls*|*edit*> <*recipients-file*> For instance, if a user encrypts a secret to a file in the keyring repository's *accounting* folder, a *recipients-file* under *accounting* will be used. Encrypting a secret into *accounting/bank-accounts* will result in a file - `$KEYRING_FOLDER/keys/accounting/bank-accounts.asc` encrypted using the public + `$KEYRING_FOLDER/keys/accounting/bank-accounts.asc` encrypted using the public keys listed in the config file`$KEYRING_FOLDER/config/recipients/accounting`. Each line in a recipients file has entries in the format |