field | value | date
---|---|---
author | Silvio Rhatto <rhatto@riseup.net> | 2015-03-30 09:04:23 -0300
committer | Silvio Rhatto <rhatto@riseup.net> | 2015-03-30 09:04:23 -0300
commit | e6f6d21f9955ac7c428d8fe43def599c6bc36a8b (patch) |
tree | 3f7836af002df7bd20b1b4011fa78b95855ec721 |
parent | cffe8137d024091d0f1bee9c2484c28d2986febc (diff) |
parent | 347f255ec06b26a0437b653d87b5753d57d3c998 (diff) |
Merge branch 'release/0.3.8' (tag: 0.3.8)
35 files changed, 308 insertions, 299 deletions
@@ -1,3 +1,12 @@ +2015-03-30 - 0.3.8 - Silvio Rhatto <rhatto@riseup.net> + + Eliminates hardcoded bash path, reported and fixed by + polynomial (closes https://github.com/rhatto/keyringer/pull/1). + + Rename genpair action and option (#69) + + Ensure destination folder exists at 'cp' action + 2014-08-21 - 0.3.7 - Silvio Rhatto <rhatto@riseup.net> Init: just set git user/mail if needed diff --git a/contrib/pass b/contrib/pass index b4d5954..80eb744 100755 --- a/contrib/pass +++ b/contrib/pass @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # Sample wrapper program for simplying the use of keyringer. # This wrapper assumes you are using one key file with many diff --git a/development.mdwn b/development.mdwn index bbc688d..db67119 100644 --- a/development.mdwn +++ b/development.mdwn @@ -5,44 +5,11 @@ Index [[!toc levels=4]] -Development environment ------------------------ - -The following steps needs to be run just once for each arch and distro version. - -### Create the `debian/` structure - - if [ ! -d "debian" ]; then - dh_make -p keyringer_0.1 --createorig - fi - -### Setup a sid pbuilder chroot - - DIST=sid git-pbuilder create - -### Setup a sid cowbuilder chroot - - DIST=sid sudo cowbuilder --create - -Environment maintenance ------------------------ - -These steps should be run once in a while to ensure we have an up to date packaging environment. - -### Pbuilder - - DIST=sid git-pbuilder update - -### Cowbuilder - - DIST=sid sudo cowbuilder --update - Coding standards ---------------- - - Respect the existing coding style. - - - Be clear: easy audability must be one of keyringer's requirements. +* Respect the existing coding style. +* Be clear: easy audability must be one of keyringer's requirements. Development workflow -------------------- 
@@ -86,7 +53,12 @@ Run lintian (or [add it to your pbuilder hooks](http://askubuntu.com/questions/1 Notes: * `git-import-orig` takes care of running `pristine-tar commit`, of merging of the tag and orig tarball into the upstream branch, and then it merges the result into the debian branch. With the above configuration, it also runs git-dch to do the bulk of the work in `debian/changelog`. -* To build a development package, checkout the debian branch, merge master, run `git-dch --auto --snapshot` and build. +* To build a development package, checkout the debian branch, merge master, run `git-dch --auto --snapshot` and build. + +Packaging workflow +------------------ + +We recommend [this packaging workflow](https://git.sarava.org/?p=debian.git;a=blob;f=README.md;hb=HEAD). Adding or changing a subcommand ------------------------------- @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Keyringer key management system. # @@ -140,7 +140,7 @@ function keyringer_dispatch { # Config NAME="keyringer" -KEYRINGER_VERSION="0.3.7" +KEYRINGER_VERSION="0.3.8" CONFIG_VERSION="0.1" CONFIG_BASE="$HOME/.$NAME" CONFIG="$CONFIG_BASE/config" diff --git a/lib/keyringer/actions/append b/lib/keyringer/actions/append index fbb6c1c..df21e03 100755 --- a/lib/keyringer/actions/append +++ b/lib/keyringer/actions/append @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Append information into encrypted files. # diff --git a/lib/keyringer/actions/check b/lib/keyringer/actions/check index c80fa8f..a647e95 100755 --- a/lib/keyringer/actions/check +++ b/lib/keyringer/actions/check @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Check a keyring. # diff --git a/lib/keyringer/actions/commands b/lib/keyringer/actions/commands index cb49c02..4888317 100755 --- a/lib/keyringer/actions/commands +++ b/lib/keyringer/actions/commands @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Show available commands # 
diff --git a/lib/keyringer/actions/commit b/lib/keyringer/actions/commit index b124927..84ead14 100755 --- a/lib/keyringer/actions/commit +++ b/lib/keyringer/actions/commit @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Git commit wrapper. # diff --git a/lib/keyringer/actions/cp b/lib/keyringer/actions/cp index 0629b61..1f4ccee 100755 --- a/lib/keyringer/actions/cp +++ b/lib/keyringer/actions/cp @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Copy secrets. # @@ -27,7 +27,10 @@ if ! echo "$ORIG" | grep -q '*' && [ ! -e "$KEYDIR/$RELATIVE_PATH/$ORIG" ]; then exit 1 fi -# Run move command +# Ensure destination folder exists +mkdir -p `dirname "$KEYDIR/$FILE"` + +# Run copy command cd "$KEYDIR" && cp -a "./$RELATIVE_PATH/$ORIG" "./$FILE" keyringer_exec git "$BASEDIR" add "keys/$FILE" cd "$CWD" diff --git a/lib/keyringer/actions/decrypt b/lib/keyringer/actions/decrypt index b63b74e..c6510ee 100755 --- a/lib/keyringer/actions/decrypt +++ b/lib/keyringer/actions/decrypt @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Decrypt files. # diff --git a/lib/keyringer/actions/del b/lib/keyringer/actions/del index d160ac4..2abc414 100755 --- a/lib/keyringer/actions/del +++ b/lib/keyringer/actions/del @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Remove files. # diff --git a/lib/keyringer/actions/edit b/lib/keyringer/actions/edit index c9f3f12..4338518 100755 --- a/lib/keyringer/actions/edit +++ b/lib/keyringer/actions/edit @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Edit keys. # diff --git a/lib/keyringer/actions/encrypt b/lib/keyringer/actions/encrypt index 7415267..3818fa3 100755 --- a/lib/keyringer/actions/encrypt +++ b/lib/keyringer/actions/encrypt @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Encrypt files to multiple recipients. # diff --git a/lib/keyringer/actions/find b/lib/keyringer/actions/find index 9b18d66..dc9d6d1 100755 --- a/lib/keyringer/actions/find +++ b/lib/keyringer/actions/find 
@@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Find secrets. # diff --git a/lib/keyringer/actions/genkeys b/lib/keyringer/actions/genkeys new file mode 100755 index 0000000..f49d6d0 --- /dev/null +++ b/lib/keyringer/actions/genkeys 
@@ -0,0 +1,227 @@ +#!/usr/bin/env bash +# +# Generate keypairs. +# +# This script is just a wrapper to easily generate keys for +# automated systems. +# + +# Generate a keypair, ssh version +function genkeys_ssh { + echo "Make sure that $KEYDIR is atop of an encrypted volume." + read -p "Hit ENTER to continue." prompt + + # We're using empty passphrases + ssh-keygen -t rsa -b 4096 -P '' -f "$TMPWORK/id_rsa" -C "root@$NODE" + + # Encrypt the result + echo "Encrypting secret key into keyringer..." + cat "$TMPWORK/id_rsa" | keyringer_exec encrypt "$BASEDIR" "$FILE" + echo "Encrypting public key into keyringer..." + cat "$TMPWORK/id_rsa.pub" | keyringer_exec encrypt "$BASEDIR" "$FILE.pub" + + if [ ! -z "$OUTFILE" ]; then + mkdir -p `dirname $OUTFILE` + printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE" + cat "$TMPWORK/id_rsa" > "$OUTFILE" + cat "$TMPWORK/id_rsa.pub" > "$OUTFILE.pub" + fi + + echo "Done" +} + +# Generate a keypair, gpg version +function genkeys_gpg { + echo "Make sure that $KEYDIR is atop of an encrypted volume." + + passphrase="no" + passphrase_confirm="confirm" + + while [ "$passphrase" != "$passphrase_confirm" ]; do + read -s -p "Enter password for the private key: " passphrase + printf "\n" + read -s -p "Enter password again: " passphrase_confirm + printf "\n" + + if [ "$passphrase" != "$passphrase_confirm" ]; then + echo "Password don't match." + fi + done + + # TODO: insert random bytes + # TODO: custom Name-Comment and Name-Email + # TODO: allow for empty passphrases + $GPG --homedir "$TMPWORK" --gen-key --batch <<EOF + Key-Type: RSA + Key-Length: 4096 + Subkey-Type: ELG-E + Subkey-Length: 4096 + Name-Real: $NODE + Name-Email: root@$NODE + Expire-Date: 0 + Passphrase: $passphrase + %commit +EOF + + # Encrypt the result + echo "Encrypting secret key into keyringer..." + $GPG --armor --homedir "$TMPWORK" --export-secret-keys | keyringer_exec encrypt "$BASEDIR" "$FILE" + echo "Encrypting public key into keyringer..." 
+ $GPG --armor --homedir "$TMPWORK" --export | keyringer_exec encrypt "$BASEDIR" "$FILE.pub" + echo "Encrypting passphrase into keyringer..." + echo "Passphrase for $FILE: $passphrase" | keyringer_exec encrypt "$BASEDIR" "$FILE.passwd" + + if [ ! -z "$OUTFILE" ]; then + mkdir -p `dirname $OUTFILE` + printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE" + $GPG --armor --homedir "$TMPWORK" --export-secret-keys > "$OUTFILE" + $GPG --armor --homedir "$TMPWORK" --export > "$OUTFILE.pub" + fi + + echo "Done" +} + +# Alias +function genkeys_ssl { + genkeys_x509 $* +} + +# Generate a keypair, ssl version +function genkeys_x509 { + echo "Make sure that $KEYDIR is atop of an encrypted volume." + read -p "Hit ENTER to continue." prompt + + # Check for wildcard certs + if [ "`echo $NODE | cut -d . -f 1`" == "*" ]; then + WILDCARD="yes" + CNAME="$NODE" + NODE="`echo $NODE | sed -e 's/^\*\.//'`" + else + CNAME="${NODE}" + fi + + # Setup + cd "$TMPWORK" + + # Generate certificate +cat <<EOF >> openssl.conf +[ req ] +default_keyfile = ${NODE}_privatekey.pem +distinguished_name = req_distinguished_name +encrypt_key = no +req_extensions = v3_req # Extensions to add to certificate request +string_mask = nombstr + +[ req_distinguished_name ] +commonName_default = ${CNAME} +organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +emailAddress = Email Address +localityName = Locality +stateOrProvinceName = State +countryName = Country Name +commonName = Common Name + +[ v3_req ] +extendedKeyUsage=serverAuth,clientAuth +EOF + + # Add SubjectAltNames so wildcard certs can work correctly. + if [ "$WILDCARD" == "yes" ]; then +cat <<EOF >> openssl.conf +subjectAltName=DNS:${NODE}, DNS:${CNAME} +EOF + fi + + echo "Please review your OpenSSL configuration:" + cat openssl.conf + read -p "Hit ENTER to continue." 
prompt + + openssl req -batch -nodes -config openssl.conf -newkey rsa:4096 -sha256 \ + -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem + + openssl req -noout -text -in ${NODE}_csr.pem + + # Self-sign + if [ "$KEYTYPE" == "ssl-self" ]; then + openssl x509 -in "${NODE}_csr.pem" -out "$NODE.crt" -req -signkey "${NODE}_privatekey.pem" -days 365 + chmod 600 "${NODE}_privatekey.pem" + fi + + # Encrypt the result + echo "Encrypting private key into keyringer..." + cat "${NODE}_privatekey.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.pem" + echo "Encrypting certificate request into keyringer..." + cat "${NODE}_csr.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.csr" + + if [ "$KEYTYPE" == "ssl-self" ]; then + echo "Encrypting certificate into keyringer..." + cat "${NODE}.crt" | keyringer_exec encrypt "$BASEDIR" "$FILE.crt" + elif [ -f "$BASEDIR/keys/$FILE.crt.asc" ]; then + # Remove any existing crt + keyringer_exec del "$BASEDIR" "$FILE.crt" + fi + + cd "$CWD" + + if [ ! -z "$OUTFILE" ]; then + mkdir -p `dirname $OUTFILE` + printf "Saving copies at %s\n" "`dirname $OUTFILE`" + cat "$TMPWORK/${NODE}_privatekey.pem" > "$OUTFILE.pem" + cat "$TMPWORK/${NODE}_csr.pem" > "$OUTFILE.csr" + + if [ -f "$TMPWORK/${NODE}.crt" ]; then + cat "$TMPWORK/${NODE}.crt" > "$OUTFILE.crt" + fi + fi + + # Show cert fingerprint + if [ "$KEYTYPE" == "ssl-self" ]; then + openssl x509 -noout -in "$TMPWORK/${NODE}.crt" -fingerprint + fi + + echo "Done" +} + +# Load functions +LIB="`dirname $0`/../functions" +source "$LIB" || exit 1 + +# Aditional parameters +KEYTYPE="$2" +FILE="$RELATIVE_PATH/$3" +NODE="$4" +OUTFILE="$5" +CWD="`pwd`" + +# Verify +if [ -z "$NODE" ]; then + echo -e "Usage: keyringer <keyring> $BASENAME <gpg|ssh|x509|x509-self|ssl|ssl-self> <file> <hostname> [outfile]" + echo -e "Options:" + echo -e "\t gpg|ssh|x509[-self]|ssl|ssl[-self]: key type." 
+ echo -e "\t file : base file name for encrypted output (relative to keys folder)," + echo -e "\t without spaces" + echo -e "\t hostname : host for the key pair" + echo -e "\t outfile : optional unencrypted output file, useful for deployment," + echo -e "\t without spaces" + exit 1 +elif [ ! -e "$KEYDIR" ]; then + echo "Folder not found: $KEYDIR, leaving" + exit 1 +fi + +# Set a tmp file +keyringer_set_tmpfile genpair -d + +# Dispatch +echo "Generating $KEYTYPE key for $NODE..." +if [ "$KEYTYPE" == "ssl-self" ] || [ "$KEYTYPE" == "x509-self" ]; then + genkeys_x509 +else + genkeys_"$KEYTYPE" +fi + +# Cleanup +cd "$CWD" +rm -rf "$TMPWORK" +trap - EXIT diff --git a/lib/keyringer/actions/genpair b/lib/keyringer/actions/genpair index 6fc6dcd..d936499 100755..120000 --- a/lib/keyringer/actions/genpair +++ b/lib/keyringer/actions/genpair 
@@ -1,222 +1 @@ -#!/bin/bash -# -# Generate keypairs. -# -# This script is just a wrapper to easily generate keys for -# automated systems. -# - -# Generate a keypair, ssh version -function genpair_ssh { - echo "Make sure that $KEYDIR is atop of an encrypted volume." - read -p "Hit ENTER to continue." prompt - - # We're using empty passphrases - ssh-keygen -t rsa -b 4096 -P '' -f "$TMPWORK/id_rsa" -C "root@$NODE" - - # Encrypt the result - echo "Encrypting secret key into keyringer..." - cat "$TMPWORK/id_rsa" | keyringer_exec encrypt "$BASEDIR" "$FILE" - echo "Encrypting public key into keyringer..." - cat "$TMPWORK/id_rsa.pub" | keyringer_exec encrypt "$BASEDIR" "$FILE.pub" - - if [ ! -z "$OUTFILE" ]; then - mkdir -p `dirname $OUTFILE` - printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE" - cat "$TMPWORK/id_rsa" > "$OUTFILE" - cat "$TMPWORK/id_rsa.pub" > "$OUTFILE.pub" - fi - - echo "Done" -} - -# Generate a keypair, gpg version -function genpair_gpg { - echo "Make sure that $KEYDIR is atop of an encrypted volume." - - passphrase="no" - passphrase_confirm="confirm" - - while [ "$passphrase" != "$passphrase_confirm" ]; do - read -s -p "Enter password for the private key: " passphrase - printf "\n" - read -s -p "Enter password again: " passphrase_confirm - printf "\n" - - if [ "$passphrase" != "$passphrase_confirm" ]; then - echo "Password don't match." - fi - done - - # TODO: insert random bytes - # TODO: custom Name-Comment and Name-Email - # TODO: allow for empty passphrases - $GPG --homedir "$TMPWORK" --gen-key --batch <<EOF - Key-Type: RSA - Key-Length: 4096 - Subkey-Type: ELG-E - Subkey-Length: 4096 - Name-Real: $NODE - Name-Email: root@$NODE - Expire-Date: 0 - Passphrase: $passphrase - %commit -EOF - - # Encrypt the result - echo "Encrypting secret key into keyringer..." - $GPG --armor --homedir "$TMPWORK" --export-secret-keys | keyringer_exec encrypt "$BASEDIR" "$FILE" - echo "Encrypting public key into keyringer..." 
- $GPG --armor --homedir "$TMPWORK" --export | keyringer_exec encrypt "$BASEDIR" "$FILE.pub" - echo "Encrypting passphrase into keyringer..." - echo "Passphrase for $FILE: $passphrase" | keyringer_exec encrypt "$BASEDIR" "$FILE.passwd" - - if [ ! -z "$OUTFILE" ]; then - mkdir -p `dirname $OUTFILE` - printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE" - $GPG --armor --homedir "$TMPWORK" --export-secret-keys > "$OUTFILE" - $GPG --armor --homedir "$TMPWORK" --export > "$OUTFILE.pub" - fi - - echo "Done" -} - -# Generate a keypair, ssl version -function genpair_ssl { - echo "Make sure that $KEYDIR is atop of an encrypted volume." - read -p "Hit ENTER to continue." prompt - - # Check for wildcard certs - if [ "`echo $NODE | cut -d . -f 1`" == "*" ]; then - WILDCARD="yes" - CNAME="$NODE" - NODE="`echo $NODE | sed -e 's/^\*\.//'`" - else - CNAME="${NODE}" - fi - - # Setup - cd "$TMPWORK" - - # Generate certificate -cat <<EOF >> openssl.conf -[ req ] -default_keyfile = ${NODE}_privatekey.pem -distinguished_name = req_distinguished_name -encrypt_key = no -req_extensions = v3_req # Extensions to add to certificate request -string_mask = nombstr - -[ req_distinguished_name ] -commonName_default = ${CNAME} -organizationName = Organization Name -organizationalUnitName = Organizational Unit Name -emailAddress = Email Address -localityName = Locality -stateOrProvinceName = State -countryName = Country Name -commonName = Common Name - -[ v3_req ] -extendedKeyUsage=serverAuth,clientAuth -EOF - - # Add SubjectAltNames so wildcard certs can work correctly. - if [ "$WILDCARD" == "yes" ]; then -cat <<EOF >> openssl.conf -subjectAltName=DNS:${NODE}, DNS:${CNAME} -EOF - fi - - echo "Please review your OpenSSL configuration:" - cat openssl.conf - read -p "Hit ENTER to continue." 
prompt - - openssl req -batch -nodes -config openssl.conf -newkey rsa:4096 -sha256 \ - -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem - - openssl req -noout -text -in ${NODE}_csr.pem - - # Self-sign - if [ "$KEYTYPE" == "ssl-self" ]; then - openssl x509 -in "${NODE}_csr.pem" -out "$NODE.crt" -req -signkey "${NODE}_privatekey.pem" -days 365 - chmod 600 "${NODE}_privatekey.pem" - fi - - # Encrypt the result - echo "Encrypting private key into keyringer..." - cat "${NODE}_privatekey.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.pem" - echo "Encrypting certificate request into keyringer..." - cat "${NODE}_csr.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.csr" - - if [ "$KEYTYPE" == "ssl-self" ]; then - echo "Encrypting certificate into keyringer..." - cat "${NODE}.crt" | keyringer_exec encrypt "$BASEDIR" "$FILE.crt" - elif [ -f "$BASEDIR/keys/$FILE.crt.asc" ]; then - # Remove any existing crt - keyringer_exec del "$BASEDIR" "$FILE.crt" - fi - - cd "$CWD" - - if [ ! -z "$OUTFILE" ]; then - mkdir -p `dirname $OUTFILE` - printf "Saving copies at %s\n" "`dirname $OUTFILE`" - cat "$TMPWORK/${NODE}_privatekey.pem" > "$OUTFILE.pem" - cat "$TMPWORK/${NODE}_csr.pem" > "$OUTFILE.csr" - - if [ -f "$TMPWORK/${NODE}.crt" ]; then - cat "$TMPWORK/${NODE}.crt" > "$OUTFILE.crt" - fi - fi - - # Show cert fingerprint - if [ "$KEYTYPE" == "ssl-self" ]; then - openssl x509 -noout -in "$TMPWORK/${NODE}.crt" -fingerprint - fi - - echo "Done" -} - -# Load functions -LIB="`dirname $0`/../functions" -source "$LIB" || exit 1 - -# Aditional parameters -KEYTYPE="$2" -FILE="$RELATIVE_PATH/$3" -NODE="$4" -OUTFILE="$5" -CWD="`pwd`" - -# Verify -if [ -z "$NODE" ]; then - echo -e "Usage: keyringer <keyring> $BASENAME <gpg|ssh|ssl|ssl-self> <file> <hostname> [outfile]" - echo -e "Options:" - echo -e "\t gpg|ssh|ssl[-self]: key type." 
- echo -e "\t file : base file name for encrypted output (relative to keys folder)," - echo -e "\t without spaces" - echo -e "\t hostname : host for the key pair" - echo -e "\t outfile : optional unencrypted output file, useful for deployment," - echo -e "\t without spaces" - exit 1 -elif [ ! -e "$KEYDIR" ]; then - echo "Folder not found: $KEYDIR, leaving" - exit 1 -fi - -# Set a tmp file -keyringer_set_tmpfile genpair -d - -# Dispatch -echo "Generating $KEYTYPE key for $NODE..." -if [ "$KEYTYPE" == "ssl-self" ]; then - genpair_ssl -else - genpair_"$KEYTYPE" -fi - -# Cleanup -cd "$CWD" -rm -rf "$TMPWORK" -trap - EXIT +genkeys
\ No newline at end of file diff --git a/lib/keyringer/actions/git b/lib/keyringer/actions/git index 059b20e..218273f 100755 --- a/lib/keyringer/actions/git +++ b/lib/keyringer/actions/git @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Git wrapper. # diff --git a/lib/keyringer/actions/ls b/lib/keyringer/actions/ls index 93f5f75..b992ad4 100755 --- a/lib/keyringer/actions/ls +++ b/lib/keyringer/actions/ls @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # List keys. # diff --git a/lib/keyringer/actions/mkdir b/lib/keyringer/actions/mkdir index b31eb0b..63442a4 100755 --- a/lib/keyringer/actions/mkdir +++ b/lib/keyringer/actions/mkdir @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Create folders. # diff --git a/lib/keyringer/actions/mv b/lib/keyringer/actions/mv index daac7b0..2324145 100755 --- a/lib/keyringer/actions/mv +++ b/lib/keyringer/actions/mv @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Move secrets. # diff --git a/lib/keyringer/actions/options b/lib/keyringer/actions/options index b210e1a..eea73e8 100755 --- a/lib/keyringer/actions/options +++ b/lib/keyringer/actions/options @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Repository options management. # diff --git a/lib/keyringer/actions/preferences b/lib/keyringer/actions/preferences index 114f9ac..6e36ef4 100755 --- a/lib/keyringer/actions/preferences +++ b/lib/keyringer/actions/preferences @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Manipulate user preferences. # diff --git a/lib/keyringer/actions/recipients b/lib/keyringer/actions/recipients index 4149786..29f9d38 100755 --- a/lib/keyringer/actions/recipients +++ b/lib/keyringer/actions/recipients @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Recipient management. # diff --git a/lib/keyringer/actions/recrypt b/lib/keyringer/actions/recrypt index 30c9254..5dce1ba 100755 --- a/lib/keyringer/actions/recrypt +++ b/lib/keyringer/actions/recrypt 
@@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Re-encrypt files to multiple recipients. # diff --git a/lib/keyringer/actions/rmdir b/lib/keyringer/actions/rmdir index 398cf11..da7abe5 100755 --- a/lib/keyringer/actions/rmdir +++ b/lib/keyringer/actions/rmdir @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Remove folders. # diff --git a/lib/keyringer/actions/shell b/lib/keyringer/actions/shell index ab170b1..491fe0a 100755 --- a/lib/keyringer/actions/shell +++ b/lib/keyringer/actions/shell @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Interactive shell. # diff --git a/lib/keyringer/actions/teardown b/lib/keyringer/actions/teardown index 64da740..5bfb121 100755 --- a/lib/keyringer/actions/teardown +++ b/lib/keyringer/actions/teardown @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Remove a keyring. # diff --git a/lib/keyringer/actions/tree b/lib/keyringer/actions/tree index 8f9d7cd..9c09bfc 100755 --- a/lib/keyringer/actions/tree +++ b/lib/keyringer/actions/tree @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # List keys, tree version. # diff --git a/lib/keyringer/actions/usage b/lib/keyringer/actions/usage index 2ca7639..15096a0 100755 --- a/lib/keyringer/actions/usage +++ b/lib/keyringer/actions/usage @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Show available commands # diff --git a/lib/keyringer/actions/xclip b/lib/keyringer/actions/xclip index 7afdf05..0e60bbd 100755 --- a/lib/keyringer/actions/xclip +++ b/lib/keyringer/actions/xclip @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Decrypt secret header to clipboard. # diff --git a/lib/keyringer/completions/bash/keyringer b/lib/keyringer/completions/bash/keyringer index 27cf919..fc952eb 100644 --- a/lib/keyringer/completions/bash/keyringer +++ b/lib/keyringer/completions/bash/keyringer 
@@ -93,12 +93,12 @@ _keyringer() { recipients) opts="ls edit" ;; - ls|tree|mkdir|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open|clip|xclip|find) + ls|tree|mkdir|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open|clip|xclip|find|mv|cp) cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash opts="$(bash -c "set -f && export KEYRINGER_CHECK_RECIPIENTS=false && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)" ;; - genpair) - opts="gpg ssh ssl ssl-self" + genkeys|genpair) + opts="gpg ssh x509 x509-self ssl ssl-self" ;; git) opts="$(_keyringer_git_complete ${cur})" @@ -112,11 +112,15 @@ _keyringer() { esac elif [ "${#COMP_WORDS[@]}" == "5" ]; then case "${command}" in + mv|cp) + cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash + opts="$(bash -c "set -f && export KEYRINGER_CHECK_RECIPIENTS=false && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)" + ;; recipients) cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash opts="$(cd $path/config/recipients && ls --color=never -p ${cur}* 2> /dev/null)" ;; - genpair) + genkeys|genpair) cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash opts="$(bash -c "set -f && export KEYRINGER_CHECK_RECIPIENTS=false && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)" ;; diff --git a/lib/keyringer/completions/zsh/_keyringer b/lib/keyringer/completions/zsh/_keyringer index ab95c3d..d4b89b1 100644 --- a/lib/keyringer/completions/zsh/_keyringer +++ b/lib/keyringer/completions/zsh/_keyringer 
@@ -49,12 +49,12 @@ _keyringer() { recipients) compadd "$@" ls edit ;; - ls|tree|mkdir|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open|clip|xclip|find) + ls|tree|mkdir|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open|clip|xclip|find|mv|cp) words[4]="`echo $words[4] | sed -e "s|^/*||"`" # avoid leading slash compadd "$@" $(KEYRINGER_CHECK_RECIPIENTS=false KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[4]'*' 2> /dev/null) ;; - genpair) - compadd "$@" gpg ssh ssl ssl-self + genkeys|genpair) + compadd "$@" gpg ssh x509 x509-self ssl ssl-self ;; git) compadd "$@" $(_keyringer_git_complete $words[4]) @@ -68,11 +68,15 @@ _keyringer() { ;; misc) case "$words[3]" in + mv|cp) + words[5]="`echo $words[5] | sed -e "s|^/*||"`" # avoid leading slash + compadd "$@" $(KEYRINGER_CHECK_RECIPIENTS=false KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[5]'*' 2> /dev/null) + ;; recipients) words[5]="$(echo $words[5] | sed -e "s|^/||")" # TODO: avoid leading slash compadd "$@" $(cd $keyring_path/config/recipients && ls --color=never -p $words[5]* 2> /dev/null) ;; - genpair) + genkeys|genpair) words[5]="$(echo $words[5] | sed -e "s|^/||")" # TODO: avoid leading slash compadd "$@" $(KEYRINGER_CHECK_RECIPIENTS=false KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[5]'*' 2> /dev/null) ;; diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 42c047d..ab519b2 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Common functions. # diff --git a/share/man/keyringer.1 b/share/man/keyringer.1 index 82cb520..13de085 100644 --- a/share/man/keyringer.1 +++ b/share/man/keyringer.1 
@@ -201,13 +201,21 @@ Useful inside scripts. .RS .RE .TP -.B genpair <\f[I]ssh\f[]|\f[I]gpg\f[]|\f[I]ssl\f[]|\f[I]ssl-self\f[]> +.B genkeys +<\f[I]ssh\f[]|\f[I]gpg\f[]|\f[I]x509\f[]|\f[I]x509-self\f[]|\f[I]ssl\f[]|\f[I]ssl-self\f[]> [\f[I]options\f[]] Wrapper to generate encryption key-pairs, useful for automated key deployment. .RS .RE .TP +.B genpair +<\f[I]ssh\f[]|\f[I]gpg\f[]|\f[I]x509\f[]|\f[I]x509-self\f[]|\f[I]ssl\f[]|\f[I]ssl-self\f[]> +[\f[I]options\f[]] +Alias for \f[I]genkeys\f[] action. +.RS +.RE +.TP .B open <\f[I]secret\f[]> Decrypt a secret into a temporary folder and open it using xdg-open, which tries to figure out the file type and then calls the associated @@ -377,7 +385,7 @@ so be careful when decrypting secrets and writing them to the disk or other storage media. .PP Pay special attention that keyringer outputs data to stdout, which could -be easilly spotted by any agent looking directly at you computer screen. +be easily spotted by any agent looking directly at you computer screen. .PP The xclip action even copies secret data to the X11 clipboard, which can be accessed by any application running in the user\[aq]s X11 session, so diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn index af098a3..55ae216 100644 --- a/share/man/keyringer.1.mdwn +++ b/share/man/keyringer.1.mdwn @@ -150,9 +150,12 @@ encrypt-batch <*secret*> [*file*] : Encrypt content, batch mode. Behavior is identical to *encrypt* action, but less verbose. Useful inside scripts. -genpair <*ssh*|*gpg*|*ssl*|*ssl-self*> [*options*] +genkeys <*ssh*|*gpg*|*x509*|*x509-self*|*ssl*|*ssl-self*> [*options*] : Wrapper to generate encryption key-pairs, useful for automated key deployment. +genpair <*ssh*|*gpg*|*x509*|*x509-self*|*ssl*|*ssl-self*> [*options*] +: Alias for *genkeys* action. + open <*secret*> : Decrypt a secret into a temporary folder and open it using xdg-open, which tries to figure out the file type and then calls the associated application. 
@@ -288,7 +291,7 @@ Keyringer currently has the following limitations: other storage media. Pay special attention that keyringer outputs data to stdout, which could - be easilly spotted by any agent looking directly at you computer screen. + be easily spotted by any agent looking directly at you computer screen. The xclip action even copies secret data to the X11 clipboard, which can be accessed by any application running in the user's X11 session, so use |
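Review bot: the `-#!/bin/bash` / `+#!/usr/bin/env bash` change applied to contrib/pass, the keyringer entry point, every script under lib/keyringer/actions and lib/keyringer/functions makes the interpreter resolution depend on the caller's PATH instead of a fixed path. That is the portability fix the ChangeLog entry describes ("Eliminates hardcoded bash path"), but it also means the environment now decides which `bash` binary handles the decrypted secrets; a sentence in the ChangeLog or the usage docs saying that keyringer trusts the first `bash` on PATH would make that trade-off explicit for people deploying it on shared or privileged hosts.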
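Review bot: the rewritten coding-standards bullets in development.mdwn carry over a typo, `+* Be clear: easy audability must be one of keyringer's requirements.`; since the line is being rewritten anyway, correct it to `auditability`. The same file's first hunk drops the whole "Development environment" and "Environment maintenance" sections (the dh_make, git-pbuilder and cowbuilder steps) while the commit message and the 0.3.8 ChangeLog entry mention only the shebang, the genpair rename and the cp fix; a ChangeLog line along the lines of "Move packaging environment docs to the linked packaging workflow" would make that removal traceable, given that the replacement is the single external link added under "Packaging workflow".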
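Review bot: in lib/keyringer/actions/cp, `+mkdir -p \`dirname "$KEYDIR/$FILE"\`` leaves the command substitution itself unquoted, so a destination path containing whitespace is word-split and one or more wrong directories get created before the following `cp -a "./$RELATIVE_PATH/$ORIG" "./$FILE"` fails; write it as `mkdir -p "$(dirname "$KEYDIR/$FILE")"`. The renamed comment (`+# Run copy command`) is a welcome fix of the stale "move" wording.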
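Review bot: in the new lib/keyringer/actions/genkeys, `x509-self` is advertised in the usage text and dispatched to the x509 generator (`+if [ "$KEYTYPE" == "ssl-self" ] || [ "$KEYTYPE" == "x509-self" ]; then`), but inside `genkeys_x509` the self-signing step, the certificate-encryption step and the fingerprint step all test only `[ "$KEYTYPE" == "ssl-self" ]`, so `genkeys x509-self` produces a private key and CSR and silently skips the certificate; either normalise `KEYTYPE` to one value before dispatch or extend those three tests to accept both spellings. Two smaller points in the same file: the wildcard check `"\`echo $NODE | cut -d . -f 1\`"` and the following `sed` leave `$NODE` unquoted, so a hostname such as `*.example.org` undergoes pathname expansion against the current directory before the comparison runs (use `echo "$NODE"`), and `mkdir -p \`dirname $OUTFILE\`` (three occurrences) has the same unquoted-substitution problem as the cp action and should read `mkdir -p "$(dirname "$OUTFILE")"`. Finally, `keyringer_set_tmpfile genpair -d` still uses the old action name for the temporary directory label.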
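Review bot: in the bash completion, the new `+mv|cp)` case in the five-word branch is now the third verbatim copy of the `keyringer $instance ls -p -d ${cur}*` completion command (the others being the `ls|tree|...|mv|cp)` case and the `genkeys|genpair)` case); moving it into a small helper such as `_keyringer_path_complete` (name suggested here, not in the patch) would keep the copies from drifting apart, and the zsh hunk mirrors the same duplication with `words[4]`/`words[5]`. The updated `+opts="gpg ssh x509 x509-self ssl ssl-self"` list matches the key types the new action's usage text accepts.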
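Review bot: the spelling fix `+be easily spotted by any agent looking directly at you computer screen.` corrects `easilly` but leaves `you computer screen` (should be `your`) on the same line, in both share/man/keyringer.1 and share/man/keyringer.1.mdwn; fix both while the line is being touched. In keyringer.1, note that with `.TP` only the line immediately following the macro is the tag, so `+.B genkeys` renders alone in the tag column and the argument list `<ssh|gpg|x509|x509-self|ssl|ssl-self> [options]` becomes the first line of the indented description, unlike the previous single-line `.B genpair <...>` form; if that is not the intended layout, keep the synopsis on one line as before. The added `genpair` entries correctly document it as an alias for the renamed action.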