-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | ChangeLog | 18 | ||||
-rw-r--r-- | Makefile | 22 | ||||
-rwxr-xr-x | keyringer | 32 | ||||
-rwxr-xr-x | lib/keyringer/actions/cp | 33 | ||||
-rwxr-xr-x | lib/keyringer/actions/edit | 4 | ||||
-rw-r--r-- | lib/keyringer/completions/bash/keyringer | 9 | ||||
-rw-r--r-- | lib/keyringer/completions/zsh/_keyringer | 13 | ||||
-rwxr-xr-x | lib/keyringer/functions | 11 | ||||
-rw-r--r-- | share/keyringer/editors/vim (renamed from lib/keyringer/editors/vim) | 0 | ||||
-rw-r--r-- | share/man/keyringer.1 | 12 | ||||
-rw-r--r-- | share/man/keyringer.1.mdwn | 10 |
12 files changed, 126 insertions, 39 deletions
@@ -3,4 +3,5 @@ debian/keyringer debian/files debian/files debian/keyringer.substvars +tarballs .pc @@ -1,3 +1,21 @@ +2014-08-21 - 0.3.7 - Silvio Rhatto <rhatto@riseup.net> + + Init: just set git user/mail if needed + + Shell completions: use KEYRINGER_CHECK_RECIPIENTS=false to avoid + fatal errors + + Shell completions: minor zsh fixes + + Shell completions: fix handling of keyrings with '-' in their names + + Edit: Unset RELATIVE_PATH before encrypting file + + New 'cp' action + + Reset 'expiry' on keyringer_check_expiration, reported and fixed + by Jamie (closes #62) + 2014-05-20 - 0.3.6 - Silvio Rhatto <rhatto@riseup.net> Makefile fix @@ -14,10 +14,11 @@ # Place - Suite 330, Boston, MA 02111-1307, USA # -PACKAGE = keyringer -VERSION = $(shell ./keyringer | head -n 1 | cut -d ' ' -f 2) -PREFIX ?= /usr/local -INSTALL = /usr/bin/install +PACKAGE = keyringer +VERSION = $(shell ./keyringer | head -n 1 | cut -d ' ' -f 2) +PREFIX ?= /usr/local +ARCHIVE ?= tarballs +INSTALL = /usr/bin/install clean: find . -name *~ | xargs rm -f # clean local backups @@ -26,8 +27,8 @@ install_lib: $(INSTALL) -D --mode=0755 lib/keyringer/functions $(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/functions $(INSTALL) -D --mode=0755 -d lib/keyringer/actions $(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/actions $(INSTALL) -D --mode=0755 lib/keyringer/actions/* $(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/actions - $(INSTALL) -D --mode=0755 -d lib/keyringer/editors $(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/editors - $(INSTALL) -D --mode=0755 lib/keyringer/editors/* $(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/editors + $(INSTALL) -D --mode=0755 -d share/keyringer/editors $(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/editors + $(INSTALL) -D --mode=0644 share/keyringer/editors/* $(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/editors install_bin: $(INSTALL) -D --mode=0755 keyringer $(DESTDIR)/$(PREFIX)/bin/keyringer 
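Review bot: `VERSION = $(shell ./keyringer | head -n 1 | cut -d ' ' -f 2)` is rewritten in this hunk but keeps the recursive `=` flavour, so the keyringer script is executed again on every expansion of `$(VERSION)` — several times within the `tarball` and `release` recipes alone — and a failure at any of those expansions yields an empty version and artefact names like `keyringer-.tar.bz2`. Make it simply-expanded so it runs once at parse time: `VERSION := $(shell ./keyringer | head -n 1 | cut -d ' ' -f 2)`. `ARCHIVE ?= tarballs` is a fine user knob, but it is resolved relative to the directory make is invoked from; a comment saying so next to it (`# relative to the invocation directory; override with make ARCHIVE=...`) would prevent surprises with `make -C`.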
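Review bot: The new install lines still place `share/keyringer/editors/*` under `$(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/editors`, but the keyringer script in this same commit sets `SHARE` to `<bindir>/../share/$NAME` for a system install and `keyringer_set_env` now references `$SHARE/editors/vim`, so on an installed system the vim script is looked for in `$(PREFIX)/share/keyringer/editors/` and never found. That script is the viminfo suppression from ticket #50; as far as I recall vim only warns about a missing `-S` file and keeps going, so decrypted secret text could then be recorded in `~/.viminfo` without any visible failure. Install into the directory the runtime actually probes: `$(INSTALL) -D --mode=0755 -d share/keyringer/editors $(DESTDIR)/$(PREFIX)/share/$(PACKAGE)/editors` and `$(INSTALL) -D --mode=0644 share/keyringer/editors/* $(DESTDIR)/$(PREFIX)/share/$(PACKAGE)/editors`. Whether these lines still belong in `install_lib` rather than a new `install_share` target is a naming question only.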
@@ -53,7 +54,8 @@ build_man: sed -i -e 's/--/\\-\\-/g' share/man/keyringer.1 tarball: - git archive --prefix=keyringer-$(VERSION)/ --format=tar HEAD | bzip2 >../tarballs/keyringer-$(VERSION).tar.bz2 + mkdir -p $(ARCHIVE) + git archive --prefix=keyringer-$(VERSION)/ --format=tar HEAD | bzip2 > $(ARCHIVE)/keyringer-$(VERSION).tar.bz2 release: @make build_man @@ -65,8 +67,8 @@ release: git flow release finish -s $(VERSION) git checkout master @make tarball - gpg --use-agent --armor --detach-sign --output ../tarballs/keyringer-$(VERSION).tar.bz2.asc ../tarballs/keyringer-$(VERSION).tar.bz2 - scp ../tarballs/keyringer-$(VERSION).tar.bz2* keyringer:/var/sites/keyringer/releases/ + gpg --use-agent --armor --detach-sign --output $(ARCHIVE)/keyringer-$(VERSION).tar.bz2.asc $(ARCHIVE)/keyringer-$(VERSION).tar.bz2 + scp $(ARCHIVE)/keyringer-$(VERSION).tar.bz2* keyringer:/var/sites/keyringer/releases/ # We're doing tagging afterwards: # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568375 #git tag -s $(VERSION) -m "Keyringer $(VERSION)" @@ -74,7 +76,7 @@ release: debian: git checkout debian - git-import-orig --upstream-vcs-tag=$(VERSION) ../tarballs/keyringer-$(VERSION).tar.bz2 + git-import-orig --upstream-vcs-tag=$(VERSION) $(ARCHIVE)/keyringer-$(VERSION).tar.bz2 # Fine tune debian/changelog prepared by git-dch dch -e git commit -a -m "Updating debian/changelog" @@ -106,8 +106,10 @@ function keyringer_init { keyringer_git_ignore 'tmp/*' # Git configuration - git config user.email "$email" - git config user.name "$name" + if [ ! -z "$email" ]; then + git config user.email "$email" + git config user.name "$name" + fi # Edit default recipients echo "Now you have to edit the default recipient configuration to be able to encrypt secrets." @@ -138,7 +140,7 @@ function keyringer_dispatch { # Config NAME="keyringer" -KEYRINGER_VERSION="0.3.6" +KEYRINGER_VERSION="0.3.7" CONFIG_VERSION="0.1" CONFIG_BASE="$HOME/.$NAME" CONFIG="$CONFIG_BASE/config" 
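Review bot: `git archive ... | bzip2 > $(ARCHIVE)/keyringer-$(VERSION).tar.bz2` reports only bzip2's exit status, so a failing `git archive` (bad HEAD, not a git checkout, empty `$(VERSION)`) still leaves a truncated but freshly timestamped tarball, which the `release` target below then detach-signs and uploads. Write to a temporary name and rename only after the pipeline succeeded, e.g. `git archive --prefix=keyringer-$(VERSION)/ --format=tar HEAD | bzip2 > $(ARCHIVE)/keyringer-$(VERSION).tar.bz2.tmp && mv $(ARCHIVE)/keyringer-$(VERSION).tar.bz2.tmp $(ARCHIVE)/keyringer-$(VERSION).tar.bz2`, and with GNU make ≥ 3.82 add `SHELL := bash` and `.SHELLFLAGS := -o pipefail -c` near the top so the left side of the pipe is not ignored. No `.PHONY` declaration for `tarball`, `release` or `debian` is visible in these hunks; if none exists, a stray file named `tarball` in the working tree would silently make the target a no-op.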
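Review bot: The new guard tests only `$email`, so when it is set but `$name` is empty the branch still runs `git config user.name ""`, and as far as I can tell git then refuses commits with an empty ident instead of falling back to the system identity as it would if user.name were left unset. Check both values, and prefer `-n` over `! -z`: `if [ -n "$email" ] && [ -n "$name" ]; then`. Where `$email` and `$name` are obtained is outside this hunk, so if they are always populated together this reduces to a style point; keyringer_init begins before the hunk.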
@@ -149,13 +151,6 @@ ACTION="$2" # Turn off pathname expansion so expansion can work properly set -f -# Export globals for other scripts -export PREFERENCES="`dirname $CONFIG`/$KEYRING" -export KEYRINGER_VERSION -export CONFIG_VERSION -export KEYRING -export CONFIG - # Set functions location if [ -e "`dirname $(readlink -f $0)`/lib/$NAME/functions" ]; then # Development or local installation layout @@ -165,6 +160,15 @@ else LIB="`dirname $(readlink -f $0)`/../lib/$NAME/functions" fi +# Set shared files location +if [ -e "`dirname $(readlink -f $0)`/share/$NAME" ]; then + # Development or local installation layout + SHARE="`dirname $(readlink -f $0)`/share/$NAME" +else + # System installation layout + SHARE="`dirname $(readlink -f $0)`/../share/$NAME" +fi + # Set actions location if [ -e "`dirname $(readlink -f $0)`/lib/$NAME/actions" ]; then # Development or local installation layout @@ -174,6 +178,14 @@ else ACTIONS="`dirname $(readlink -f $0)`/../lib/$NAME/actions" fi +# Export globals for other scripts +export PREFERENCES="`dirname $CONFIG`/$KEYRING" +export KEYRINGER_VERSION +export CONFIG_VERSION +export KEYRING +export CONFIG +export SHARE + # Load functions source "$LIB" || exit 1 diff --git a/lib/keyringer/actions/cp b/lib/keyringer/actions/cp new file mode 100755 index 0000000..0629b61 --- /dev/null +++ b/lib/keyringer/actions/cp 
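Review bot: `SHARE` is computed from unquoted `$0` inside backticks and an unquoted `$(readlink -f $0)`, so an installation path containing whitespace splits it; this copies the existing LIB/ACTIONS idiom, but `$SHARE/editors/vim` is later handed to the editor with `-S`, i.e. executed as a vim script, which makes the lookup worth the quoted form: `SHARE="$(dirname "$(readlink -f "$0")")/share/$NAME"` (same for the system-layout branch). The probe order also deserves a comment: a `share/keyringer` directory beside the binary takes precedence over `../share/keyringer`, so in a system install a writable `$PREFIX/bin/share/` would override the packaged vim script — presumably the same exposure LIB and ACTIONS already have, but stating it (`# a share/ dir next to the binary wins over the system one`) keeps it deliberate.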
@@ -0,0 +1,33 @@ +#!/bin/bash +# +# Copy secrets. +# + +# Load functions +LIB="`dirname $0`/../functions" +source "$LIB" || exit 1 + +# Aditional parameters +CWD="`pwd`" + +# Avoid leading slash +ORIG="$(keyringer_filename `echo "$2" | sed -e "s|^/*||"`)" +DEST="`echo "$3" | sed -e "s|^/*||"`" + +# Set destination +if [ ! -d "$KEYDIR/$RELATIVE_PATH/$DEST" ]; then + keyringer_get_new_file $DEST +else + FILE="$DEST" +fi + +# Check if secret exists +if ! echo "$ORIG" | grep -q '*' && [ ! -e "$KEYDIR/$RELATIVE_PATH/$ORIG" ]; then + echo "Secret not found: $ORIG" + exit 1 +fi + +# Run move command +cd "$KEYDIR" && cp -a "./$RELATIVE_PATH/$ORIG" "./$FILE" +keyringer_exec git "$BASEDIR" add "keys/$FILE" +cd "$CWD" diff --git a/lib/keyringer/actions/edit b/lib/keyringer/actions/edit index a5f14d4..c9f3f12 100755 --- a/lib/keyringer/actions/edit +++ b/lib/keyringer/actions/edit @@ -59,9 +59,9 @@ wait echo "Press any key when done using the file and you're sure that $APPNAME is closed." read -s -n 1 -# Encrypt again +# Encrypt again. Unset RELATIVE_PATH as it was already used to determine FILE path export KEYRINGER_ADD_EXTENSION=false -keyringer_exec encrypt "$BASEDIR" "$FILE" "$TMPWORK" +RELATIVE_PATH="" keyringer_exec encrypt "$BASEDIR" "$FILE" "$TMPWORK" # Check exit status errcrypt="$?" diff --git a/lib/keyringer/completions/bash/keyringer b/lib/keyringer/completions/bash/keyringer index 0f2cb2b..27cf919 100644 --- a/lib/keyringer/completions/bash/keyringer +++ b/lib/keyringer/completions/bash/keyringer @@ -69,7 +69,6 @@ _keyringer() { fi # Process config - source $config/config keyrings="`ls --color=never $config | sed -e '/^config$/d' | xargs`" # Available instances 
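Review bot: Failures are masked at the end of the new action: `cd "$KEYDIR" && cp -a "./$RELATIVE_PATH/$ORIG" "./$FILE"` can fail (unreadable source, unwritable destination) yet `keyringer_exec git "$BASEDIR" add "keys/$FILE"` still runs, and the script's exit status is that of the final `cd "$CWD"`, so callers always see success. Abort on the copy with `cd "$KEYDIR" && cp -a "./$RELATIVE_PATH/$ORIG" "./$FILE" || exit 1`, and the comment above it should read `# Run copy command`, not move. The existence check is bypassed whenever `$ORIG` contains a literal `*`, but the double-quoted `"./$RELATIVE_PATH/$ORIG"` never globs, so such a name only defers the error to cp; either drop the special case or expand the pattern explicitly. Two things this page does not settle and that warrant a comment or check: whether `keyringer_filename` rejects `..` components (otherwise `$2`/`$3` can reach outside `$KEYDIR`), and that `cp -a` duplicates the ciphertext unchanged — if the keyring uses per-path recipient files, the copy remains readable by the original recipient set until it is recrypted, which the man page entry for cp should say.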
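Review bot: The comment says `RELATIVE_PATH` is unset, but `RELATIVE_PATH="" keyringer_exec encrypt ...` sets it to the empty string for that call; because `keyringer_exec` is a shell function, this relies on bash restoring the variable after the function returns (under `set -o posix` the assignment would persist), which is fine for a `#!/bin/bash` script but worth stating. `keyringer_get_file` builds `"$RELATIVE_PATH/$1"`, so the empty value produces a leading `/` that the encrypt side presumably strips — confirm, and make the comment precise: `# Encrypt again with RELATIVE_PATH emptied: FILE already carries the relative part, so it must not be prepended twice`.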
@@ -77,13 +76,13 @@ _keyringer() { # The current instance instance="${COMP_WORDS[1]}" - path="`eval echo '$'$instance`" + path="`grep -e "^$instance=" "$config/config" | tail -n 1 | cut -d = -f 2 | sed -e 's/"//g' -e "s/'//g" | sed -e 's/ *#.*$//'`" # Command completions if [ "${#COMP_WORDS[@]}" == "2" ]; then opts="$keyrings" elif [ "${#COMP_WORDS[@]}" == "3" ] && echo "${prev}" | grep -qe "$instances"; then - opts="`export KEYRINGER_CHECK_VERSION=false && keyringer $instance commands`" + opts="`export KEYRINGER_CHECK_RECIPIENTS=false && export KEYRINGER_CHECK_VERSION=false && keyringer $instance commands`" elif [ "${#COMP_WORDS[@]}" == "3" ]; then opts="init" elif [ "${#COMP_WORDS[@]}" == "4" ]; then @@ -96,7 +95,7 @@ _keyringer() { ;; ls|tree|mkdir|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open|clip|xclip|find) cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash - opts="$(bash -c "set -f && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)" + opts="$(bash -c "set -f && export KEYRINGER_CHECK_RECIPIENTS=false && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)" ;; genpair) opts="gpg ssh ssl ssl-self" @@ -119,7 +118,7 @@ _keyringer() { ;; genpair) cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash - opts="$(bash -c "set -f && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)" + opts="$(bash -c "set -f && export KEYRINGER_CHECK_RECIPIENTS=false && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)" ;; git) # TODO diff --git a/lib/keyringer/completions/zsh/_keyringer b/lib/keyringer/completions/zsh/_keyringer index b4ccdd4..ab95c3d 100644 --- a/lib/keyringer/completions/zsh/_keyringer +++ b/lib/keyringer/completions/zsh/_keyringer 
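Review bot: Replacing `source $config/config` with a grep-based parser is the right fix — sourcing the config executed whatever it contained on every Tab press — but `cut -d = -f 2` keeps only the second field, so a keyring path containing `=` is truncated, and the trailing `sed -e 's/ *#.*$//'` does the same for any `#` in the path. Use `cut -d = -f 2-` to keep the remainder of the line, and only strip `#` when it is preceded by whitespace if a bare `#` is documented as starting a comment. The zsh completion carries the identical pipeline in this commit; keeping the two in sync, or documenting the accepted config syntax in one place, avoids them diverging again.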
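Review bot: `${cur}` and `$instance` are spliced into the string handed to `bash -c`, so the word under the cursor is re-parsed as shell code before `keyringer` sees it: a path fragment containing `$`, backticks, `;` or whitespace is evaluated or split, and `set -f` only disables globbing. A subshell gives the same `set -f` scope without a second parser: `opts="$( (set -f; KEYRINGER_CHECK_RECIPIENTS=false KEYRINGER_CHECK_VERSION=false keyringer "$instance" ls -p -d "${cur}*") 2> /dev/null )"`. The genpair branch below uses the same construct and should change the same way.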
@@ -19,9 +19,8 @@ _keyringer() { fi # Process config - source $config/config local keyrings="`ls --color=never $config | sed -e '/^config$/d' | xargs`" - local keyring_path="`eval echo '$'$words[2]`" + local keyring_path="`grep -e "^$words[2]=" "$config/config" | tail -n 1 | cut -d = -f 2 | sed -e 's/"//g' -e "s/'//g" | sed -e 's/ *#.*$//'`" local instances="`echo $keyrings | sed -e 's/ /$\\\|^/g' -e 's/^/^/' -e 's/$/$/'`" _arguments \ @@ -37,7 +36,7 @@ _keyringer() { ;; action) if echo $words[2] | grep -qe "$instances"; then - compadd "$@" `KEYRINGER_CHECK_VERSION=false keyringer $words[2] commands` + compadd "$@" `KEYRINGER_CHECK_RECIPIENTS=false KEYRINGER_CHECK_VERSION=false keyringer $words[2] commands` else compadd "$@" "init" fi @@ -52,7 +51,7 @@ _keyringer() { ;; ls|tree|mkdir|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open|clip|xclip|find) words[4]="`echo $words[4] | sed -e "s|^/*||"`" # avoid leading slash - compadd "$@" $(KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[4]'*' 2> /dev/null) + compadd "$@" $(KEYRINGER_CHECK_RECIPIENTS=false KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[4]'*' 2> /dev/null) ;; genpair) compadd "$@" gpg ssh ssl ssl-self @@ -71,11 +70,11 @@ _keyringer() { case "$words[3]" in recipients) words[5]="$(echo $words[5] | sed -e "s|^/||")" # TODO: avoid leading slash - compadd "$@" $(cd $keyring_path/config/recipients && ls --color=never -p $words[5]'*' 2> /dev/null) + compadd "$@" $(cd $keyring_path/config/recipients && ls --color=never -p $words[5]* 2> /dev/null) ;; genpair) words[5]="$(echo $words[5] | sed -e "s|^/||")" # TODO: avoid leading slash - compadd "$@" $(KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[5]'*' 2> /dev/null) + compadd "$@" $(KEYRINGER_CHECK_RECIPIENTS=false KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[5]'*' 2> /dev/null) ;; git) compadd "$@" $(_keyringer_git_complete $words[4] $words[5]) 
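Review bot: `keyring_path` is parsed with `cut -d = -f 2`, which truncates any keyring path containing `=`, and the `sed -e 's/ *#.*$//'` stage cuts at any `#`; `cut -d = -f 2-` keeps the rest of the line. `$words[2]` is also interpolated unquoted into the grep pattern as a regex, so a keyring name with `.` or `[` matches more than intended — harmless with the `^...=` anchor, but `tail -n 1` then picks whichever line happens to match last. Dropping `source $config/config` itself is the important part of this hunk and is correct.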
@@ -88,7 +87,7 @@ _keyringer() { esac ;; *) - if [ $words[3] == "git" ]; then + if [[ $words[3] == "git" ]]; then # TODO true fi diff --git a/lib/keyringer/functions b/lib/keyringer/functions index fdd8439..42c047d 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -72,7 +72,7 @@ function keyringer_exec { action="$1" basedir="$2" shift 2 - + # Dispatch if keyringer_has_action "$action"; then "$ACTIONS/$action" "$basedir" $* @@ -171,7 +171,7 @@ function keyringer_set_tmpfile { else TMPWORK="$(mktemp "$template")" fi - + if [ "$?" != "0" ]; then printf "Error: can't set TMPWORK %s\n" "$TMPWORK" exit 1 @@ -250,7 +250,7 @@ function keyringer_git_ignore { function keyringer_set_env { if [ -z "$1" ]; then echo "Error: missing arguments for keyringer_set_env" - exit 1 + exit 1 fi ACTIONS="`dirname $0`" @@ -287,7 +287,7 @@ function keyringer_set_env { # Avoid viminfo, see https://keyringer.pw/trac/ticket/50 if $EDITOR --help | grep -q -e "^VIM"; then if ! echo $EDITOR | grep -q -- "-i NONE"; then - EDITOR="$EDITOR -S `dirname $LIB`/editors/vim" + EDITOR="$EDITOR -S $SHARE/editors/vim" fi fi @@ -429,7 +429,7 @@ function keyringer_get_option { # Get a file argument function keyringer_get_file { FILE="$(keyringer_filename "$RELATIVE_PATH/$1")" - + if [ -z "$FILE" ]; then keyringer_action_usage exit 1 @@ -715,6 +715,7 @@ function keyringer_check_expiration { fi # Check the subkeys + expiry="" for expiry in `gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^sub | cut -d : -f 7`; do if [[ "$seconds" -lt "$expiry" ]]; then not_expired="1" diff --git a/lib/keyringer/editors/vim b/share/keyringer/editors/vim index 0f877df..0f877df 100644 --- a/lib/keyringer/editors/vim +++ b/share/keyringer/editors/vim diff --git a/share/man/keyringer.1 b/share/man/keyringer.1 index 95c236d..82cb520 100644 --- a/share/man/keyringer.1 +++ b/share/man/keyringer.1 
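Review bot: `EDITOR="$EDITOR -S $SHARE/editors/vim"` assumes the script exists; if `$SHARE` is unset (action started outside the main script) or the file was not installed, vim — as far as I recall — prints E484 and continues editing, so the viminfo suppression this line exists for (ticket #50, visible in the hunk's comment) degrades silently and the decrypted buffer can be written to `~/.viminfo`. Fail loudly instead, before the assignment: `if [ ! -r "$SHARE/editors/vim" ]; then echo "Error: $SHARE/editors/vim not found, refusing to start vim without viminfo protection"; exit 1; fi`. keyringer_set_env starts and ends outside this hunk.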
@@ -164,6 +164,11 @@ Alias for \f[I]del\f[] action. .RS .RE .TP +.B cp <\f[I]secret\f[]> <\f[I]dest\f[]> +Copy a secret. +.RS +.RE +.TP .B mv <\f[I]secret\f[]> <\f[I]dest\f[]> Rename a secret. .RS @@ -370,6 +375,13 @@ using the \f[I]git\f[] action. Keyringer does not protect data which were not encrypted to a keyring, so be careful when decrypting secrets and writing them to the disk or other storage media. +.PP +Pay special attention that keyringer outputs data to stdout, which could +be easilly spotted by any agent looking directly at you computer screen. +.PP +The xclip action even copies secret data to the X11 clipboard, which can +be accessed by any application running in the user\[aq]s X11 session, so +use this feature carefully. .SH SEE ALSO .PP The \f[I]README\f[] file distributed with Keyringer contains full diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn index 407baaa..af098a3 100644 --- a/share/man/keyringer.1.mdwn +++ b/share/man/keyringer.1.mdwn @@ -128,6 +128,9 @@ del <*secret*> rm <*secret*> : Alias for *del* action. +cp <*secret*> <*dest*> +: Copy a secret. + mv <*secret*> <*dest*> : Rename a secret. @@ -284,6 +287,13 @@ Keyringer currently has the following limitations: so be careful when decrypting secrets and writing them to the disk or other storage media. + Pay special attention that keyringer outputs data to stdout, which could + be easilly spotted by any agent looking directly at you computer screen. + + The xclip action even copies secret data to the X11 clipboard, which can + be accessed by any application running in the user's X11 session, so use + this feature carefully. + # SEE ALSO The *README* file distributed with Keyringer contains full documentation. |