Diffstat (limited to 'lib/keyringer')
-rwxr-xr-xlib/keyringer/actions/commit14
-rwxr-xr-xlib/keyringer/actions/edit20
-rwxr-xr-xlib/keyringer/actions/encrypt4
-rwxr-xr-xlib/keyringer/actions/find2
-rwxr-xr-xlib/keyringer/actions/genpair4
-rwxr-xr-xlib/keyringer/actions/git3
-rwxr-xr-xlib/keyringer/actions/recrypt6
-rwxr-xr-xlib/keyringer/functions14
8 files changed, 54 insertions, 13 deletions
diff --git a/lib/keyringer/actions/commit b/lib/keyringer/actions/commit
new file mode 100755
index 0000000..b124927
--- /dev/null
+++ b/lib/keyringer/actions/commit
@@ -0,0 +1,14 @@
+#!/bin/bash
+#
+# Git commit wrapper.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Fix positional arguments
+shift
+
+# Run git command
+keyringer_exec git "$BASEDIR" commit $*
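Review bot: The unquoted `$*` on the last line re-splits every argument on whitespace before git sees it, so `commit -m "fix two things"` arrives as `-m fix two things` and git treats the extra words as pathspecs; the line should read `keyringer_exec git "$BASEDIR" commit "$@"`. The same `$*` pattern is on the `git $*` line of actions/git, which this commit leaves unchanged. The new file also leaves `$0` unquoted in the `dirname` backticks; `LIB="$(dirname "$0")/../functions"` survives an install path containing spaces.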
diff --git a/lib/keyringer/actions/edit b/lib/keyringer/actions/edit
index 03ccdab..3ccf977 100755
--- a/lib/keyringer/actions/edit
+++ b/lib/keyringer/actions/edit
@@ -38,11 +38,27 @@ fi
# Prompt
echo "Press any key to open the decrypted data with $APP, Ctrl-C to abort"
-read key
+echo "WARNING: please make sure that $APP doesn't leak data to external applications or files"
+echo "Press ENTER to continue"
+read -s key
$APP "$TMPWORK"
+# Wait for background process to finish
+wait
+
+# Workaround for some applications running in client/server mode, handling open file requests
+# to a daemon and exiting immediatelly, making keyringer guess the editing is over and the file
+# must be encrypted again (See #49).
+#
+# Thus, we cannot just wipe the file and exit keyringer, as the user might have a buffered copy
+# of the unencrypted file in the application, which can lead to information leakage if the user
+# saves the file and leaves the editor.
+echo "Press any key when done using the file and you're sure that $APP is closed."
+read -s -n 1
+
# Encrypt again
-$GPG --yes -o "$KEYDIR/$FILE" --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") "$TMPWORK"
+export KEYRINGER_ADD_EXTENSION=false
+keyringer_exec encrypt "$BASEDIR" "$FILE" "$TMPWORK"
# Check exit status
errcrypt="$?"
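Review bot: The new `wait` after `$APP "$TMPWORK"` has nothing to wait for: on the visible lines the application runs in the foreground, so `wait` returns immediately, and an editor that hands the file to a daemon and exits (the case the following comment describes) is not a child of this shell either, so `wait` cannot see it. The "press any key when done" prompt added below is what actually covers that case; either drop the `wait` or narrow its comment to `# No-op unless $APP was started in the background`. The script continues past the end of this hunk, so I cannot tell whether `$APP` is backgrounded elsewhere.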
diff --git a/lib/keyringer/actions/encrypt b/lib/keyringer/actions/encrypt
index e9bf453..7415267 100755
--- a/lib/keyringer/actions/encrypt
+++ b/lib/keyringer/actions/encrypt
@@ -57,9 +57,11 @@ if [ ! -z "$3" ]; then
#
# Useful when opening files and the application needs the
# extension to guess the file type.
- if ! echo $BASEPATH | grep -q -e "\.$EXTENSION$"; then
+ if [ "$KEYRINGER_ADD_EXTENSION" != "false" ] && ! echo $BASEPATH | grep -q -e "\.$EXTENSION$"; then
echo "Appending '$EXTENSION' into secret name..."
FILE="$BASEPATH.$EXTENSION"
+ else
+ FILE="$BASEPATH"
fi
else
FILE="$BASEPATH"
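Review bot: The rewritten condition still runs `echo $BASEPATH | grep -q -e "\.$EXTENSION$"`, which word-splits the unquoted path and interpolates `$EXTENSION` into a regular expression, so an extension containing a regex metacharacter is not matched literally. A shell pattern test avoids both problems in one line: `if [ "$KEYRINGER_ADD_EXTENSION" != "false" ] && [[ "$BASEPATH" != *."$EXTENSION" ]]; then`. This assumes the script runs under bash, as the other actions in this commit do; the enclosing `if` starts before this hunk.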
diff --git a/lib/keyringer/actions/find b/lib/keyringer/actions/find
index 21afc7a..9b18d66 100755
--- a/lib/keyringer/actions/find
+++ b/lib/keyringer/actions/find
@@ -15,5 +15,5 @@ shift
ARGS="`echo "$*" | sed -e "s|^/*||"`"
# Run find command
-cd "$KEYDIR/$RELATIVE_PATH" && find -iname "*$ARGS*" | sed -e 's|^./||g'
+cd "$KEYDIR/$RELATIVE_PATH" && find | grep -i "$ARGS" | sed -e 's|^./||g'
cd "$CWD"
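Review bot: Replacing `find -iname "*$ARGS*"` with `find | grep -i "$ARGS"` changes the user's search string from a glob into a basic regular expression and hands it to grep without `--`, so a query starting with `-` is parsed as a grep option and `.`, `*` or `[` in a secret name no longer match themselves. Use a fixed-string match with an option terminator: `cd "$KEYDIR/$RELATIVE_PATH" && find | grep -i -F -- "$ARGS" | sed -e 's|^./||g'`. Note also that matching now applies to the whole relative path rather than the basename, which the `keyringer_get_file` change in functions appears to rely on.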
diff --git a/lib/keyringer/actions/genpair b/lib/keyringer/actions/genpair
index 6898b0f..6fc6dcd 100755
--- a/lib/keyringer/actions/genpair
+++ b/lib/keyringer/actions/genpair
@@ -12,7 +12,7 @@ function genpair_ssh {
read -p "Hit ENTER to continue." prompt
# We're using empty passphrases
- ssh-keygen -t rsa -P '' -f "$TMPWORK/id_rsa" -C "root@$NODE"
+ ssh-keygen -t rsa -b 4096 -P '' -f "$TMPWORK/id_rsa" -C "root@$NODE"
# Encrypt the result
echo "Encrypting secret key into keyringer..."
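Review bot: The key size is now hard-coded as the literal `4096` in two places, here for `ssh-keygen -b` and in the second hunk for `openssl req -newkey rsa:4096`; a single `readonly` variable near the top of the script (e.g. `KEYSIZE=4096`, then `-b "$KEYSIZE"` and `rsa:$KEYSIZE`) keeps the two generators in step the next time the size is raised. The `genpair_ssh` function starts before this hunk.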
@@ -132,7 +132,7 @@ EOF
cat openssl.conf
read -p "Hit ENTER to continue." prompt
- openssl req -batch -nodes -config openssl.conf -newkey rsa:2048 -sha256 \
+ openssl req -batch -nodes -config openssl.conf -newkey rsa:4096 -sha256 \
-keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem
openssl req -noout -text -in ${NODE}_csr.pem
diff --git a/lib/keyringer/actions/git b/lib/keyringer/actions/git
index d4e7aa4..059b20e 100755
--- a/lib/keyringer/actions/git
+++ b/lib/keyringer/actions/git
@@ -10,8 +10,9 @@ source "$LIB" || exit 1
# Aditional parameters
CWD="`pwd`"
-# Run git command
+# Fix positional arguments
shift
+# Run git command
mkdir -p "$BASEDIR" && cd "$BASEDIR" && git $*
cd "$CWD"
diff --git a/lib/keyringer/actions/recrypt b/lib/keyringer/actions/recrypt
index 696399b..30c9254 100755
--- a/lib/keyringer/actions/recrypt
+++ b/lib/keyringer/actions/recrypt
@@ -16,10 +16,10 @@ function keyringer_recrypt {
keyringer_set_recipients "$FILE"
# Decrypt
- decrypted="$($GPG --use-agent -d "$KEYDIR/$FILE" 2> /dev/null)"
+ decrypted="$($GPG --use-agent -d "$KEYDIR/$FILE")"
if [ "$?" != "0" ]; then
- echo "Decryption error."
+ echo "Decryption error on $1."
exit 1
fi
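Review bot: The new `decrypted="$($GPG --use-agent -d "$KEYDIR/$FILE")"` strips every trailing newline from the plaintext, and the `recrypted=` line in the next hunk feeds it back through `echo`, which appends exactly one; a secret whose content ends in no newline or in several is therefore altered on every recrypt. `printf '%s' "$decrypted"` would avoid `echo` reinterpreting content that starts with `-n`/`-e`, but the trailing-newline loss needs the plaintext to bypass the variable (e.g. a gpg-to-gpg pipe with an explicit status check), which is a larger change than this hunk. The error messages now name `$1` while the code decrypts `$FILE`; if these can differ (the function header is outside the hunk), report `$FILE` so the message matches what was actually opened.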
@@ -27,7 +27,7 @@ function keyringer_recrypt {
recrypted="`echo "$decrypted" | $GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE")`"
if [ "$?" != "0" ]; then
- echo "Recryption error."
+ echo "Recryption error on $1."
exit 1
fi
diff --git a/lib/keyringer/functions b/lib/keyringer/functions
index f1af951..50d01db 100755
--- a/lib/keyringer/functions
+++ b/lib/keyringer/functions
@@ -284,6 +284,13 @@ function keyringer_set_env {
fi
fi
+ # Avoid viminfo, see https://keyringer.pw/trac/ticket/50
+ if $EDITOR --help | grep -q -e "^VIM"; then
+ if ! echo $EDITOR | grep -q -- "-i NONE"; then
+ EDITOR="$EDITOR -i NONE '+set nowritebackup' '+set nobackup'"
+ fi
+ fi
+
if [ ! -f "$OPTIONS" ]; then
echo "No option config was found"
exit 1
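Review bot: The single quotes inside `EDITOR="$EDITOR -i NONE '+set nowritebackup' '+set nobackup'"` are literal characters, not shell quoting: when `$EDITOR` is later expanded unquoted (the edit hunk above shows `$APP "$TMPWORK"`; I am assuming `APP` comes from `EDITOR`), word splitting produces the arguments `'+set`, `nowritebackup'`, `'+set`, `nobackup'`, so vim opens a file literally named `'+set` and neither option is applied; the viminfo suppression via `-i NONE` is the only part that takes effect. A `+set ...` command inherently contains a space, so a scalar string cannot carry it without `eval`; holding the editor command in an array (`editor_cmd=("$EDITOR" -i NONE '+set nowritebackup' '+set nobackup')`) and having the callers expand `"${editor_cmd[@]}"` is the robust form, which touches code outside this hunk. The probe `$EDITOR --help | grep -q -e "^VIM"` also sends any non-vim editor's error output to the terminal and assumes every configured editor tolerates `--help`; redirecting `2>/dev/null` on the probe would keep the check quiet. `keyringer_set_env` continues beyond this hunk.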
@@ -429,7 +436,7 @@ function keyringer_get_file {
elif [ ! -f "$KEYDIR/$FILE" ]; then
# Try to find a similar file
count=0
- candidates=(`keyringer_exec find "$BASEDIR" "$1*.asc"`)
+ candidates=(`keyringer_exec find "$BASEDIR" | grep -i "$1" | grep -e '.asc$'`)
if [ ! -z "$candidates" ]; then
echo "Could not find exact match for \"$1\", please choose one of the following secrets:"
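Review bot: The new candidate search passes the user-supplied `$1` straight to `grep -i "$1"` as a regular expression with no `--`, so a name beginning with `-` is taken as a grep option and regex metacharacters are not matched literally; the trailing filter `grep -e '.asc$'` also leaves the dot unescaped, so any name ending in `?asc` passes. Change the line to ``candidates=(`keyringer_exec find "$BASEDIR" | grep -i -F -- "$1" | grep -e '\.asc$'`)``. The unquoted array assignment still splits candidate paths on whitespace, which predates this commit; `keyringer_get_file` begins before the hunk.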
@@ -510,7 +517,7 @@ function keyringer_action_usage {
# Return available actions
function keyringer_show_actions {
- ls $ACTIONS
+ ls -C $ACTIONS
}
# Usage
@@ -518,7 +525,7 @@ function keyringer_usage {
local keyrings="$(ls --color=never `dirname $CONFIG` | sed -e 's/config//' | xargs)"
printf "Keyringer $KEYRINGER_VERSION\n"
- printf "Usage: %s <keyring> <action> [arguments]\n\n" "$BASENAME"
+ printf "Usage: keyringer <keyring> <action> [arguments]\n\n"
# Display only when not in a keyring context
if [ ! -z "$keyrings" ] && [ -z "$1" ]; then
@@ -531,6 +538,7 @@ function keyringer_usage {
printf "\tinit <path> [remote]\n" $BASENAME
fi
keyringer_show_actions | sed -e 's/^/\t/'
+ printf "\n"
}
# Check repository integrity