-rw-r--r--  .gitlab-ci.yml                             98
-rw-r--r--  ChangeLog                                  14
-rw-r--r--  Makefile                                    2
-rw-r--r--  development.md                              2
-rwxr-xr-x  keyringer                                  12
-rwxr-xr-x  lib/keyringer/actions/check                 5
-rw-r--r--  lib/keyringer/completions/bash/keyringer    1
-rwxr-xr-x  lib/keyringer/functions                     2
-rw-r--r--  share/man/keyringer.1                      32
9 files changed, 151 insertions, 17 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..281d60f --- /dev/null +++ b/.gitlab-ci.yml 
@@ -0,0 +1,98 @@ +--- +variables: + KEYRINGER_NON_INTERACTIVE: "1" + +debian: + image: debian:testing + script: + # Configure pbuilder + # + # This should be done before pbuilder is installed. + # Pbuilder is a dependency of git-buildpackage. + # + # With doing this, pbuilder may fail to detect MIRRORSITE during package installation, + # giving errors like + # + # Configuring pbuilder + # -------------------- + # Default mirror not found + # Mirror information detection failed and the user provided no mirror + # information. + # Please enter valid mirror information. + # Please enter the default mirror you want to be used by pbuilder. + # If you leave this field blank, there will be one attempt to autodetect this + # information. If this attempt fails, you will be prompted again to insert some + # valid mirror information. + # Here is a valid mirror example: http://deb.debian.org/debian + # Default mirror site: + # Use of uninitialized value $_[1] in join or string at + # /usr/share/perl5/Debconf/DbDriver/Stack.pm line 112. + # + # As of 2025-01-04, it seems this bug was still not reported upstream. 
+ - echo 'DISTRIBUTION=sid' > /etc/pbuilderrc + - echo 'MIRRORSITE=http://http.debian.net/debian/' >> /etc/pbuilderrc + + # Install dependencies + - apt-get update + - apt-get install -y git + - apt-get install -y git-buildpackage lintian piuparts + + # Build the package + - git fetch --all + - git branch debian --track origin/debian || true + - git checkout debian + - git pull + - gbp buildpackage --git-ignore-new --git-upstream-signatures=no --git-no-sign-tags -us -uc + + # Run lintian + # Usually gbp-buildpackage already calls lintian, but we run it again just to make sure + - lintian --allow-root -v --pedantic ../keyringer_*.deb + + # Run piuparts + #- piuparts ../keyringer*.deb + + # Save artifacts + - mkdir -p dist + - mv ../keyringer_*.* dist + artifacts: + paths: + - dist + +test: + image: debian:testing + script: + # Install keyringer from the distro packaging system + # This ensures the needed dependencies are installed + - apt-get update + - apt-get install -y keyringer + + # Import debian/upstream/signing-key.asc + - git fetch --all + - git branch debian --track origin/debian || true + - git checkout debian + - git pull + - gpg --import < debian/upstream/signing-key.asc + + # Create a test keyring in the develop branch + - git branch develop --track origin/develop || true + - git checkout develop + - git pull + - mkdir -p ~/temp/tests + - git config --global user.name 'Test' + - git config --global user.email 'test@example.org' + - ./keyringer test init ~/temp/tests/keyringer + + # Build the recipients configuration + # Explanation on the "paste" syntax is available at https://stackoverflow.com/a/9605450 + - gpg --with-colons --list-keys | grep "^uid" | head -1 | awk -F ':' '{ x = $10; gsub(/.*</, "", x); gsub(/>/, "", x); print x; }' > ~/temp/tests/recipients + - gpg --with-colons --list-public-keys --with-fingerprint | grep "^fpr" | head -1 | awk -F ':' '{ print $10 }' >> ~/temp/tests/recipients + - paste -d " " - - < ~/temp/tests/recipients > 
~/temp/tests/keyringer/config/recipients/default + - rm ~/temp/tests/recipients + - ./keyringer test recipients ls + + # Test the keyring in the develop branch + # This will also test the expiration of the upstream signing key + - ./keyringer test check + + # Tear down the keyring in the develop branch + - ./keyringer test teardown -y @@ -1,3 +1,17 @@ +2025-01-04 - 0.6.0 - Silvio Rhatto <rhatto@riseup.net> + + Fix: check action now exits with non-zero status if there are expiring keys + in the keyring. + + Fix: removed shebang from the bash completion file (#9). + + Feat: GitLab CI support (#10). + + Feat: init: allow for non-interactive keyring creation, useful for + tests (#10). This is controlled by the KEYRINGER_NON_INTERACTIVE + environment variable: when set to "1", keyringer won't do any + interactive procedure related to the keyring initialization. + 2022-08-19 - 0.5.9 - Silvio Rhatto <rhatto@riseup.net> Fix: edit: check whether decryption suceeded @@ -82,7 +82,7 @@ debian: # Fine tune debian/changelog prepared by git-dch dch -e git commit -a -m "Updating debian/changelog" - gbp buildpackage --git-tag-only --git-sign-tags + gbp buildpackage --git-tag-only --git-sign-tags --git-ignore-new web: @ikiwiki --setup ikiwiki.yaml diff --git a/development.md b/development.md index d439742..00c1c66 100644 --- a/development.md +++ b/development.md @@ -43,7 +43,7 @@ Push everything: Build the package from the debian Git branch: - gbp buildpackage + gbp buildpackage --git-ignore-new Run lintian (or [add it to your pbuilder hooks](http://askubuntu.com/questions/140697/how-do-i-run-lintian-from-pbuilder-dist)): 
@@ -112,10 +112,12 @@ function keyringer_init { fi # Edit default recipients - echo "Now you have to edit the default recipient configuration to be able to encrypt secrets." - echo "Press any key to proceed editing..." - read key - keyringer_exec recipients "$BASEDIR" edit default + if [ "$KEYRINGER_NON_INTERACTIVE" != "1" ]; then + echo "Now you have to edit the default recipient configuration to be able to encrypt secrets." + echo "Press any key to proceed editing..." + read key + keyringer_exec recipients "$BASEDIR" edit default + fi # Stage and commit keyringer_exec git "$BASEDIR" add . @@ -140,7 +142,7 @@ function keyringer_dispatch { # Config NAME="keyringer" -KEYRINGER_VERSION="0.5.9" +KEYRINGER_VERSION="0.6.0" CONFIG_VERSION="0.1" CONFIG_BASE="$HOME/.$NAME" CONFIG="$CONFIG_BASE/config" diff --git a/lib/keyringer/actions/check b/lib/keyringer/actions/check index 8722381..58adaf5 100755 --- a/lib/keyringer/actions/check +++ b/lib/keyringer/actions/check @@ -27,3 +27,8 @@ source "$LIB" maintenance $* || exit 1 # This should be done here: # TODO: Check canaries' timestamps, warning by mail if configured by user preferences. + +# Since this is the check action, it should exit whenever there's a warning +if [ "$KEYRINGER_HAS_EXPIRING_KEYS" == "1" ]; then + exit 1 +fi diff --git a/lib/keyringer/completions/bash/keyringer b/lib/keyringer/completions/bash/keyringer index 10b852e..4aa4b75 100644 --- a/lib/keyringer/completions/bash/keyringer +++ b/lib/keyringer/completions/bash/keyringer @@ -1,4 +1,3 @@ -#!bash # # Keyringer bash completion # diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 308d0ea..0a5ad57 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -766,6 +766,8 @@ function keyringer_check_expiration { if [[ "$ahead" -gt "$expiry" ]] && [ "$BASENAME" == "check" ]; then echo "Warning: subkey from $recipient will expire soon, on `date --date="@$expiry"`" + + KEYRINGER_HAS_EXPIRING_KEYS="1" fi fi done 
diff --git a/share/man/keyringer.1 b/share/man/keyringer.1 index 9e60ae0..0ef1530 100644 --- a/share/man/keyringer.1 +++ b/share/man/keyringer.1 @@ -1,5 +1,19 @@ -.\" Automatically generated by Pandoc 2.9.2.1 +.\" Automatically generated by Pandoc 2.17.1.1 .\" +.\" Define V font for inline verbatim, using C font in formats +.\" that render this, and otherwise B font. +.ie "\f[CB]x\f[]"x" \{\ +. ftr V B +. ftr VI BI +. ftr VB B +. ftr VBI BI +.\} +.el \{\ +. ftr V CR +. ftr VI CI +. ftr VB CB +. ftr VBI CBI +.\} .TH "KEYRINGER" "1" "Oct 25, 2013" "Keyringer User Manual" "" .hy .SH NAME @@ -48,7 +62,7 @@ After initialization, \f[I]path\f[R] will contain a folder structure for storing secrets and metadata (user aka recipients, groups of recipients, etc). .PP -Also, an entry will be added to \f[C]$HOME/.keyringer/config\f[R] +Also, an entry will be added to \f[V]$HOME/.keyringer/config\f[R] allowing keyringer to find the keyring by its alias. .RE .TP @@ -104,9 +118,9 @@ Run maintenance checks in a keyring. .PP All secret manipulation actions operate upon a \f[I]secret\f[R] which is the pathname of an encrypted file relative to the keyring with optional -\f[C].asc\f[R] extension. +\f[V].asc\f[R] extension. .PP -If the \f[C].asc\f[R] extension is omitted, keyringer will add it at the +If the \f[V].asc\f[R] extension is omitted, keyringer will add it at the end of the pathname. .PP No spaces are allowed in the secret name. @@ -247,7 +261,7 @@ List, edit or add \f[I]user\f[R] preferences for a given repository. .RS .PP User preferences are settings which are saved in the user\[cq]s -keyringer folder (\f[C]$HOME/.keyringer/\f[R]), and not shared with the +keyringer folder (\f[V]$HOME/.keyringer/\f[R]), and not shared with the other users. .PP Preferences are written using the \f[I]KEY=VALUE\f[R] syntax. 
@@ -276,9 +290,9 @@ For instance, if a user encrypts a secret to a file in the keyring repository\[cq]s \f[I]accounting\f[R] folder, a \f[I]recipients-file\f[R] under \f[I]accounting\f[R] will be used. Encrypting a secret into \f[I]accounting/bank-accounts\f[R] will result -in a file \f[C]$KEYRING_FOLDER/keys/accounting/bank-accounts.asc\f[R] +in a file \f[V]$KEYRING_FOLDER/keys/accounting/bank-accounts.asc\f[R] encrypted using the public keys listed in the config -file\f[C]$KEYRING_FOLDER/config/recipients/accounting\f[R]. +file\f[V]$KEYRING_FOLDER/config/recipients/accounting\f[R]. .PP Each line in a recipients file has entries in the format `john\[at]doe.com XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', where @@ -297,11 +311,11 @@ List all existing recipients files. Create or edit a recipients file. .RS .PP -Editing happens using the editor specified by the \f[C]$EDITOR\f[R] +Editing happens using the editor specified by the \f[V]$EDITOR\f[R] environment variable. .PP The required parameter \f[I]recipients-file\f[R] is interpreted relative -to the \f[C]$KEYRING_FOLDER/config/recipients/\f[R] folder. +to the \f[V]$KEYRING_FOLDER/config/recipients/\f[R] folder. .RE .RE .SH FILES |
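Review bot: in the new .gitlab-ci.yml, the `MIRRORSITE=http://http.debian.net/debian/` line written to /etc/pbuilderrc selects a plain-HTTP mirror, while the pbuilder prompt quoted in the same comment block names `http://deb.debian.org/debian` as the canonical example; consider `https://deb.debian.org/debian` so that mirror metadata and packages are fetched over TLS in the build chroot (apt still verifies Release signatures, but transport protection costs nothing here). Two smaller points in the same job: `piuparts` is installed by `apt-get install -y git-buildpackage lintian piuparts` although the `- piuparts ../keyringer*.deb` step is commented out, and the `test` job assembles `config/recipients/default` by pairing the first `^uid` line of `gpg --with-colons --list-keys` with the first `^fpr` line of a separate `gpg --with-colons --list-public-keys --with-fingerprint` run, which only lines up because exactly one key (debian/upstream/signing-key.asc) has been imported; a comment stating that assumption, or a single `--list-keys --with-fingerprint` pass, would make the step less fragile.

Review bot: in the Makefile `debian:` target, `gbp buildpackage --git-tag-only --git-sign-tags --git-ignore-new` switches off gbp's refusal to proceed when the working tree has uncommitted or untracked changes; the preceding `git commit -a -m "Updating debian/changelog"` only covers tracked files, so a stray untracked file no longer stops the signed tag from being created. The same flag is added to the documented command in development.md without any explanation; a sentence there saying why it is needed (the CI job in this patch builds from a fresh `git checkout debian`, where it is clearly useful) would help the next maintainer decide whether the release target really needs it too.

Review bot: in `keyringer_init`, when `KEYRINGER_NON_INTERACTIVE` is "1" the whole `if [ "$KEYRINGER_NON_INTERACTIVE" != "1" ]; then ... fi` block is skipped silently, so the keyring is staged and committed with an unedited default recipients file and no secret can be encrypted until the caller fixes it (the CI `test` job in this patch does exactly that by hand). Suggest an `else` branch that prints a one-line notice such as "Skipping recipients editing; configure config/recipients/default before encrypting" so non-interactive callers and their logs record that the step was deliberately left out.

Review bot: the new `if [ "$KEYRINGER_HAS_EXPIRING_KEYS" == "1" ]; then exit 1; fi` at the end of lib/keyringer/actions/check only works if `keyringer_check_expiration` ran in the same shell process as this script; `maintenance $* || exit 1` above it and anything inside it that uses a pipeline or `$(...)` would set the flag in a subshell and `check` would still exit 0 after printing the warning. Worth adding a CI case with a test key whose expiry falls inside the warning window to prove the non-zero exit actually happens, and consider a distinct code (`exit 2`, say) so callers can tell "expiring keys" apart from the generic `|| exit 1` maintenance failure.

Review bot: in `keyringer_check_expiration`, `KEYRINGER_HAS_EXPIRING_KEYS="1"` is set inside the loop but nothing in this hunk initializes the variable first, so a value inherited from the caller's environment (an exported `KEYRINGER_HAS_EXPIRING_KEYS=1`) would make `check` fail with no expiring key present; suggest `KEYRINGER_HAS_EXPIRING_KEYS="0"` at the top of the function or next to the `NAME="keyringer"` config block. The assignment sits under the same `[ "$BASENAME" == "check" ]` guard as the warning, which is consistent; if the `done` closes a `while read` fed from a pipe, the same subshell caveat as in actions/check applies and the flag would never reach the caller.

Review bot: the man page hunks in share/man/keyringer.1 carry only Pandoc regeneration changes (`\f[C]` to `\f[V]` and the new V font definitions), while the ChangeLog hunk introduces the `KEYRINGER_NON_INTERACTIVE` environment variable and a behaviour change in `check` (non-zero exit on expiring keys); neither is documented in the `init` or `check` action text or in the FILES/environment section visible at `.SH FILES`. Since the page is "Automatically generated by Pandoc", the addition belongs in the Pandoc source so it survives the next regeneration; the `.TH` date "Oct 25, 2013" could be refreshed at the same time.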