From 57cb1ce7ce84a421ac024b75654b12139b9c3e1f Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 20 Feb 2014 11:17:14 -0300 Subject: Debian install procedure --- index.mdwn | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/index.mdwn b/index.mdwn index 1a3fe52..652376d 100644 --- a/index.mdwn +++ b/index.mdwn @@ -26,6 +26,10 @@ Just clone And then leave it somewhere, optionally adding it to your `$PATH` environment variable or package it to your preferred distro. +If you're using debian `jessie` or `unstable`, just run + + apt-get install keyringer + Creating a keyringer repository ------------------------------- -- cgit v1.2.3 From 82f7c084cf17fb8bc2b4d489c986e57f986b7a4d Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 20 Feb 2014 13:29:07 -0300 Subject: Fix test output at xclip action --- ChangeLog | 4 ++++ lib/keyringer/actions/xclip | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index e7f7cf7..71f541d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2014-02-20 - Silvio Rhatto + + Fix test output at xclip action + 2014-02-20 - 0.3 - Silvio Rhatto Try to find a similar file at keyringer_get_file diff --git a/lib/keyringer/actions/xclip b/lib/keyringer/actions/xclip index b28984f..0ce0652 100755 --- a/lib/keyringer/actions/xclip +++ b/lib/keyringer/actions/xclip @@ -39,7 +39,7 @@ LIB="`dirname $0`/../functions" source "$LIB" || exit 1 # Check for xclip -if ! which xclip; then +if ! which xclip &> /dev/null; then echo "fatal: xclip not found" exit 1 fi -- cgit v1.2.3 From a3061e30e6cfaef2bd40afd91866aac0f7062fa8 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 20 Feb 2014 13:41:01 -0300 Subject: Do not use RELATIVE_PATH on git action --- ChangeLog | 2 ++ lib/keyringer/actions/git | 9 +-------- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 71f541d..67b0407 100644 --- a/ChangeLog +++ b/ChangeLog 
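Review bot: `if ! which xclip &> /dev/null; then` still depends on the external `which`, whose exit status differs between implementations (some always return 0), so the presence test can pass when xclip is absent; the builtin form `if ! command -v xclip >/dev/null 2>&1; then` is reliable and hides the stray output without the bash-only `&>`. Silencing the output is the right fix for the test noise the commit describes; the point is only which test to silence. The `source "$LIB"` line above it is context and is not touched by this change.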
@@ -1,5 +1,7 @@ 2014-02-20 - Silvio Rhatto + Do not use RELATIVE_PATH on git action + Fix test output at xclip action 2014-02-20 - 0.3 - Silvio Rhatto diff --git a/lib/keyringer/actions/git b/lib/keyringer/actions/git index 108ccea..d4e7aa4 100755 --- a/lib/keyringer/actions/git +++ b/lib/keyringer/actions/git @@ -13,12 +13,5 @@ CWD="`pwd`" # Run git command shift -# Set working folder -if [ ! -z "$RELATIVE_PATH" ]; then - WORK="$KEYDIR/$RELATIVE_PATH" -else - WORK="$BASEDIR" -fi - -mkdir -p "$WORK" && cd "$WORK" && git $* +mkdir -p "$BASEDIR" && cd "$BASEDIR" && git $* cd "$CWD" -- cgit v1.2.3 From 324dc0c1433413f739bd64ed7eda0207658bc84f Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 20 Feb 2014 13:47:50 -0300 Subject: Fixed secret paths at mv action --- ChangeLog | 4 +++- lib/keyringer/actions/mv | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 67b0407..b753bc7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,8 +1,10 @@ 2014-02-20 - Silvio Rhatto + Fixed secret paths at mv action + Do not use RELATIVE_PATH on git action - Fix test output at xclip action + Fixed test output at xclip action 2014-02-20 - 0.3 - Silvio Rhatto diff --git a/lib/keyringer/actions/mv b/lib/keyringer/actions/mv index aaf6772..daac7b0 100755 --- a/lib/keyringer/actions/mv +++ b/lib/keyringer/actions/mv @@ -25,4 +25,4 @@ if ! echo "$ORIG" | grep -q '*' && [ ! -e "$KEYDIR/$RELATIVE_PATH/$ORIG" ]; then fi # Run move command -keyringer_exec git "$BASEDIR" mv $ORIG $FILE +keyringer_exec git "$BASEDIR" mv "keys/$RELATIVE_PATH/$ORIG" "keys/$FILE" -- cgit v1.2.3 From 73eda56a8a1c0d2e262bfad5dee96deb7d4bcb62 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sat, 22 Feb 2014 15:50:43 -0300 Subject: Using XA_PRIMARY selection at xclip action --- ChangeLog | 2 ++ lib/keyringer/actions/xclip | 10 ++++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index b753bc7..c9454e1 100644 --- a/ChangeLog 
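Review bot: The new `mkdir -p "$BASEDIR" && cd "$BASEDIR" && git $*` re-splits every argument on whitespace and expands globs, so a commit message or path containing a space reaches git as several arguments; `git "$@"` passes the remaining positional parameters intact. If the context line `cd "$CWD"` is the script's last statement, its status is also what the caller sees, so a failing git command is reported as success; capturing `status=$?` after the git call and ending with `exit "$status"` would fix that. The top of the script, where `CWD` is set, is outside the hunk.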
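Review bot: The new `keyringer_exec git "$BASEDIR" mv "keys/$RELATIVE_PATH/$ORIG" "keys/$FILE"` quotes `$ORIG`, so a wildcard in it is no longer expanded by this shell, yet the guard above still exempts names containing `*` from the existence check (`if ! echo "$ORIG" | grep -q '*' ...`), which only made sense while the old unquoted `mv $ORIG $FILE` globbed. Either confirm that keyringer_exec re-expands its arguments, or drop the `*` exception so a mistyped name is still caught. The hunk also hard-codes `keys/` while the guard uses `$KEYDIR`; if `KEYDIR` is `$BASEDIR/keys` the two agree today, but deriving both from one variable would keep them in sync. The lines that set `ORIG` and `FILE` are above the hunk.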
+++ b/ChangeLog @@ -1,5 +1,7 @@ 2014-02-20 - Silvio Rhatto + Using XA_PRIMARY selection at xclip action + Fixed secret paths at mv action Do not use RELATIVE_PATH on git action diff --git a/lib/keyringer/actions/xclip b/lib/keyringer/actions/xclip index 0ce0652..e33c261 100755 --- a/lib/keyringer/actions/xclip +++ b/lib/keyringer/actions/xclip @@ -11,11 +11,13 @@ clip() { # in shell. There must be a better way to deal with this, but because I'm a dolt, # we're going with this for now. - before="$(xclip -o -selection clipboard | base64)" - echo -n "$1" | xclip -selection clipboard + #local xclip="xclip -selection clipboard" + local xclip="xclip" + before="$($xclip -o | base64)" + echo -n "$1" | $xclip ( sleep 45 - now="$(xclip -o -selection clipboard | base64)" + now="$($xclip -o | base64)" if [[ $now != $(echo -n "$1" | base64) ]]; then before="$now" fi @@ -29,7 +31,7 @@ clip() { # so we axe it here: qdbus org.kde.klipper /klipper org.kde.klipper.klipper.clearClipboardHistory &>/dev/null - echo "$before" | base64 -d | xclip -selection clipboard + echo "$before" | base64 -d | $xclip ) & disown echo "Copied $2 to clipboard. Will clear in 45 seconds." } -- cgit v1.2.3 From 23fc1ebe8d32940730007026a76e1819fdc0bb1a Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sat, 22 Feb 2014 15:51:43 -0300 Subject: Formatting xclip function --- lib/keyringer/actions/xclip | 48 ++++++++++++++++++++++----------------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/lib/keyringer/actions/xclip b/lib/keyringer/actions/xclip index e33c261..7afdf05 100755 --- a/lib/keyringer/actions/xclip +++ b/lib/keyringer/actions/xclip 
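Review bot: `local xclip="xclip"` stores a command line in a plain string that is then expanded unquoted (`$xclip -o`, `| $xclip`), which only works while the value has no quoting needs; the commented-out `xclip -selection clipboard` variant shows the intent, and an array is the idiomatic form, `local -a xclip=(xclip)` used as `"${xclip[@]}" -o`. The same applies to the second hunk of this file (`echo "$before" | base64 -d | $xclip`). Since the secret now goes to the PRIMARY selection rather than CLIPBOARD, the unchanged message `Copied $2 to clipboard.` no longer matches what happens, and the 45-second restore now rewrites a selection that any text selection in another window replaces; a one-line comment stating that PRIMARY is intentional would help the next reader. The rest of clip() is outside these hunks.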
@@ -7,33 +7,33 @@ # Function thanks to Password Store by Jason A. Donenfeld # distributed under GPLv2+: http://www.zx2c4.com/projects/password-store/ clip() { - # This base64 business is a disgusting hack to deal with newline inconsistancies - # in shell. There must be a better way to deal with this, but because I'm a dolt, - # we're going with this for now. + # This base64 business is a disgusting hack to deal with newline inconsistancies + # in shell. There must be a better way to deal with this, but because I'm a dolt, + # we're going with this for now. #local xclip="xclip -selection clipboard" local xclip="xclip" - before="$($xclip -o | base64)" - echo -n "$1" | $xclip - ( - sleep 45 - now="$($xclip -o | base64)" - if [[ $now != $(echo -n "$1" | base64) ]]; then - before="$now" - fi - - # It might be nice to programatically check to see if klipper exists, - # as well as checking for other common clipboard managers. But for now, - # this works fine -- if qdbus isn't there or if klipper isn't running, - # this essentially becomes a no-op. - # - # Clipboard managers frequently write their history out in plaintext, - # so we axe it here: - qdbus org.kde.klipper /klipper org.kde.klipper.klipper.clearClipboardHistory &>/dev/null - - echo "$before" | base64 -d | $xclip - ) & disown - echo "Copied $2 to clipboard. Will clear in 45 seconds." + before="$($xclip -o | base64)" + echo -n "$1" | $xclip + ( + sleep 45 + now="$($xclip -o | base64)" + if [[ $now != $(echo -n "$1" | base64) ]]; then + before="$now" + fi + + # It might be nice to programatically check to see if klipper exists, + # as well as checking for other common clipboard managers. But for now, + # this works fine -- if qdbus isn't there or if klipper isn't running, + # this essentially becomes a no-op. 
+ # + # Clipboard managers frequently write their history out in plaintext, + # so we axe it here: + qdbus org.kde.klipper /klipper org.kde.klipper.klipper.clearClipboardHistory &>/dev/null + + echo "$before" | base64 -d | $xclip + ) & disown + echo "Copied $2 to clipboard. Will clear in 45 seconds." } # Load functions -- cgit v1.2.3 From aa6ce1eafd8a89cea640841f8e0162415859d536 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 23 Feb 2014 11:33:55 -0300 Subject: Added find action into shell completions --- ChangeLog | 4 +++- lib/keyringer/completions/bash/keyringer | 2 +- lib/keyringer/completions/zsh/_keyringer | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index c9454e1..6304d56 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,6 @@ -2014-02-20 - Silvio Rhatto +2014-02-23 - Silvio Rhatto + + Added find action into shell completions Using XA_PRIMARY selection at xclip action diff --git a/lib/keyringer/completions/bash/keyringer b/lib/keyringer/completions/bash/keyringer index a640583..0f2cb2b 100644 --- a/lib/keyringer/completions/bash/keyringer +++ b/lib/keyringer/completions/bash/keyringer @@ -94,7 +94,7 @@ _keyringer() { recipients) opts="ls edit" ;; - ls|tree|mkdir|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open|clip|xclip) + ls|tree|mkdir|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open|clip|xclip|find) cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash opts="$(bash -c "set -f && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)" ;; diff --git a/lib/keyringer/completions/zsh/_keyringer b/lib/keyringer/completions/zsh/_keyringer index 1a6d8c6..b4ccdd4 100644 --- a/lib/keyringer/completions/zsh/_keyringer +++ b/lib/keyringer/completions/zsh/_keyringer 
@@ -50,7 +50,7 @@ _keyringer() { recipients) compadd "$@" ls edit ;; - ls|tree|mkdir|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open|clip|xclip) + ls|tree|mkdir|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open|clip|xclip|find) words[4]="`echo $words[4] | sed -e "s|^/*||"`" # avoid leading slash compadd "$@" $(KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[4]'*' 2> /dev/null) ;; -- cgit v1.2.3 From b160c9b14e035da1dd19df9be1b58c61ceea46ad Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 23 Feb 2014 11:35:41 -0300 Subject: Enhanced secret finder at keyringer_get_file --- ChangeLog | 2 ++ lib/keyringer/functions | 7 +++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6304d56..d5c74cf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,7 @@ 2014-02-23 - Silvio Rhatto + Enhanced secret finder at keyringer_get_file + Added find action into shell completions Using XA_PRIMARY selection at xclip action diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 014c2c9..475514d 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -413,11 +413,10 @@ function keyringer_get_file { elif [ ! -f "$KEYDIR/$FILE" ]; then # Try to find a similar file count=0 - candidates=(`keyringer_exec find "$BASEDIR" "$1" | grep -e '.asc$'`) + candidates=(`keyringer_exec find "$BASEDIR" | grep -i "$1" | grep -e '.asc$'`) if [ ! -z "$candidates" ]; then - echo "Could not find exact match \"$1\", please chose one" - echo "of the following secrets:" + echo "Could not find exact match \"$1\", please chose one of the following secrets:" echo "" for candidate in ${candidates[@]}; do 
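Review bot: The new candidate search passes the user's text to grep as a regular expression (`grep -i "$1"`), so a `.`, `[` or leading `-` in it changes or breaks the match; `grep -i -F -- "$1"` treats it as a literal, and the second filter wants an escaped dot, `grep -e '\.asc$'`, since `.asc$` also matches `xasc`. The same pattern appears in the find action changed in the following commit (`find | grep -i "$ARGS"`). The unquoted backtick array assignment also splits candidate paths on whitespace, which predates this change but matters because the list is later indexed by the user's choice. keyringer_get_file continues outside the hunk.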
@@ -426,7 +425,7 @@ function keyringer_get_file { done echo "" - read -p "Enter option: " option + read -p "Enter option (Ctrl-C to abort): " option if [[ "$option" =~ ^[0-9]+$ ]] && [ ! -z "${candidates[$option]}" ]; then FILE="$(keyringer_filename "$RELATIVE_PATH/${candidates[$option]}")" -- cgit v1.2.3 From 43b9567ce09c7c9161b096d9cddac68ec659fa45 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 23 Feb 2014 11:39:02 -0300 Subject: Enhanced secret finder on find action --- ChangeLog | 2 +- lib/keyringer/actions/find | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index d5c74cf..cef7a83 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,6 @@ 2014-02-23 - Silvio Rhatto - Enhanced secret finder at keyringer_get_file + Enhanced secret finder at keyringer_get_file and on find action Added find action into shell completions diff --git a/lib/keyringer/actions/find b/lib/keyringer/actions/find index 21afc7a..9b18d66 100755 --- a/lib/keyringer/actions/find +++ b/lib/keyringer/actions/find @@ -15,5 +15,5 @@ shift ARGS="`echo "$*" | sed -e "s|^/*||"`" # Run find command -cd "$KEYDIR/$RELATIVE_PATH" && find -iname "*$ARGS*" | sed -e 's|^./||g' +cd "$KEYDIR/$RELATIVE_PATH" && find | grep -i "$ARGS" | sed -e 's|^./||g' cd "$CWD" -- cgit v1.2.3 From 4cb5cd0c09da6ed55d1c00f97608e94f9e0b87ff Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 23 Feb 2014 12:26:32 -0300 Subject: Design for check and canary --- lib/keyringer/actions/canary | 46 ++++++++++++++++++++++++++++++++++++++++++++ lib/keyringer/actions/check | 26 +++++++++++++++++++++++++ 2 files changed, 72 insertions(+) create mode 100755 lib/keyringer/actions/canary create mode 100755 lib/keyringer/actions/check diff --git a/lib/keyringer/actions/canary b/lib/keyringer/actions/canary new file mode 100755 index 0000000..a27d562 --- /dev/null +++ b/lib/keyringer/actions/canary 
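Review bot: `read -p "Enter option (Ctrl-C to abort): " option` still reads without `-r`, so a backslash in the input is interpreted rather than kept; use `read -r -p "Enter option (Ctrl-C to abort): " option`. This is a pre-existing omission the hunk touches rather than a regression, and the digit-only check on the next line limits its effect. The enclosing function starts outside the hunk.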
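Review bot: `cd "$KEYDIR/$RELATIVE_PATH" && find | grep -i "$ARGS" | sed -e 's|^./||g'` now matches the text anywhere in the relative path, including parent directory names, so every entry under a matching folder is listed, whereas the old `find -iname "*$ARGS*"` matched only the last component; if that widening is intended, a comment saying so would help, otherwise `find -type f` (GNU find defaults to `.`) narrows it back to secrets. The pipeline's status is sed's, so a missing `$KEYDIR/$RELATIVE_PATH` prints nothing and the script still ends through the trailing `cd "$CWD"` with status 0; an explicit `|| exit 1` after the first `cd` would surface that. The lines that build `ARGS` are context above the hunk.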
@@ -0,0 +1,46 @@ +#!/bin/bash +# +# Keyringer's canary warrant implementation. +# +# Inspired by: +# +# https://en.wikipedia.org/wiki/Warrant_canary +# http://www.rsync.net/resources/notices/canary.txt +# +# A canary is: +# +# - Generated using any combination of public available RSS +# feeds configured by user preferences. +# +# - Configured to generate new information once a day. +# If you run it more than that interval, no canary will +# be updated. +# +# A canary is stored: +# +# - In a folder called "canaries" followed by the user ID. +# +# - With an addiditonal timestamp stored plain+signed so it +# can be easily checked. +# +# - Can optionally be uploaded (encrypted or plain+signed) to a +# remote url via scp. +# +# - Can optinally be included in another git repository +# (encrypted or plain+signed), commited and pushed +# to a remote repository (ikiwiki instance, etc). +# +# How to run: +# +# - First, "keyringer preferences edit # basic canary preferences". +# +# - Then, add the following at your ~/.profile or wherever you want your canary +# be called from: "keyringer canary". + +# Load functions +LIB="`dirname $0`/../functions" +source "$LIB" || exit 1 + +# TODO: code! +echo "Not implemented :(" +exit 1 diff --git a/lib/keyringer/actions/check b/lib/keyringer/actions/check new file mode 100755 index 0000000..669b994 --- /dev/null +++ b/lib/keyringer/actions/check 
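Review bot: The new `LIB=` assignment uses backticks around `dirname $0` with `$0` unquoted, so an install path containing whitespace breaks the `source "$LIB" || exit 1` on the next line; `LIB="$(dirname "$0")/../functions"` is the robust form, and the same two lines appear in the new check action added by this commit. Both files otherwise consist of a header comment and an unconditional `exit 1`, so `keyringer canary` and `keyringer check` presumably fail until implemented; if that is deliberate, a line in the ChangeLog would avoid bug reports. The header's "Not implemented" message is printed to stdout; diagnostics normally go to stderr, `echo "Not implemented :(" >&2`.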
@@ -0,0 +1,26 @@ +#!/bin/bash +# +# Check a keyring. +# +# See also some useful OpenPGP maintenance scripts: +# +# - git://lair.fifthhorseman.net/~mjgoins/cur +# - https://gitorious.org/key-report +# - https://github.com/ilf/gpg-maintenance.git +# +# This script can run from a crontab, client of server side to check +# keyringer health status. + +# Load functions +LIB="`dirname $0`/../functions" +source "$LIB" || exit 1 + +# TODO: Automatically fetch absent keys from all recipients. +# TODO: Automatically pull a repository. +# TODO: Check if keys in all recipients files are about to expire. +# TODO: Time to expire can be configured via repository options. +# TODO: Users can be alerted by mail if configured by user preferences. +# TODO: Check canaries' timestamps, warning by mail if configured by user preferences. +# TODO: Outgoing emails can be encrypted. +echo "Not implemented :(" +exit 1 -- cgit v1.2.3 From 7dfa9fe0c70bf96736237aacf3c56d16695c6096 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 24 Feb 2014 20:26:26 -0300 Subject: Starting to code check action --- lib/keyringer/actions/check | 15 ++++++++------ lib/keyringer/functions | 50 ++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 56 insertions(+), 9 deletions(-) diff --git a/lib/keyringer/actions/check b/lib/keyringer/actions/check index 669b994..14eb30b 100755 --- a/lib/keyringer/actions/check +++ b/lib/keyringer/actions/check 
@@ -7,20 +7,23 @@ # - git://lair.fifthhorseman.net/~mjgoins/cur # - https://gitorious.org/key-report # - https://github.com/ilf/gpg-maintenance.git +# - https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/ # -# This script can run from a crontab, client of server side to check +# This script can run from a crontab, client or server side to check # keyringer health status. # Load functions LIB="`dirname $0`/../functions" source "$LIB" || exit 1 -# TODO: Automatically fetch absent keys from all recipients. -# TODO: Automatically pull a repository. +# The following should run automatically from keyringer_check_recipients: +# +# TODO: Pull the keyring repository. +# TODO: Fetch absent keys from all recipients. # TODO: Check if keys in all recipients files are about to expire. # TODO: Time to expire can be configured via repository options. # TODO: Users can be alerted by mail if configured by user preferences. -# TODO: Check canaries' timestamps, warning by mail if configured by user preferences. # TODO: Outgoing emails can be encrypted. -echo "Not implemented :(" -exit 1 + +# This should be done here: +# TODO: Check canaries' timestamps, warning by mail if configured by user preferences. diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 475514d..4746859 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -514,11 +514,23 @@ function keyringer_usage { } # Check recipients +# TODO: break in smaller pieces function keyringer_check_recipients { + # Shall we check recipients? if [ "$KEYRINGER_CHECK_RECIPIENTS" == "false" ]; then return fi + # Local variables + local processed=":" + + # Sync the repository + if [ "$BASENAME" == "check" ]; then + echo "Syncing git repository..." + keyringer_exec git "$BASEDIR" pull + echo "" + fi + # Check if recipients file is empty. if [ "`grep -vE "^#|^$" "$RECIPIENTS"/* | wc -l`" == 0 ] && [ "$SUBCOMMAND" != "edit" ]; then echo "Fatal: no recipients configured for this keyring." 
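Review bot: The new `keyringer_exec git "$BASEDIR" pull` under `if [ "$BASENAME" == "check" ]` ignores the pull's exit status, so an unreachable remote or a merge conflict just prints and the recipient checks continue on a tree that may be mid-merge; `keyringer_exec git "$BASEDIR" pull || exit 1` (or a warning and return) is needed before the recipients files are read a few lines below. Because the pull runs before recipients are validated, whatever the remote delivers becomes the list the rest of the function accepts, which is what a check action is for but deserves a comment such as `# pull runs before recipient validation: the remote's recipients files are checked, not the local ones`. `local processed=":"` is declared, but the later hunk of this commit assigns `refresh` without `local`; declaring both here would keep scope consistent. keyringer_check_recipients continues outside the hunk.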
@@ -538,6 +550,13 @@ function keyringer_check_recipients { fi for recipient in $(cat "$RECIPIENTS"/* | grep -v '^#' | awk '{ print $2 }'); do + # Process a recipient just once + if echo $processed | grep -q "$recipient:"; then + continue + else + processed="$processed$recipient:" + fi + size=$(echo "$recipient" | wc -c) if (( $size < 41 )); then echo "Fatal: please set the full GPG signature hash for key ID $recipient:" @@ -561,9 +580,32 @@ EOF else gpg --list-key "$recipient" &> /dev/null if [ "$?" != "0" ]; then - echo "Fatal: no such key $recipient on your GPG keyring." - echo "Please check for this key or fix the recipient file." - exit 1 + if [ "$BASENAME" == "check" ]; then + # TODO: gpg-maintenance trickery + # TODO: should be controlled by user preference + refresh="no" + echo "Trying to receive missing key $recipient..." + gpg --batch --recv-keys "$recipient" + echo "" + if [ "$?" != 0 ]; then + echo "Error fetching $recipient from keyservers." + continue + fi + else + echo "Fatal: no such key $recipient on your GPG keyring." + echo "Please check for this key or fix the recipient file." + + exit 1 + fi + fi + + # Refresh keys + if [ "$BASENAME" == "check" ] && [ "$refresh" != "no" ]; then + # TODO: gpg-maintenance trickery + # TODO: should be controlled by user preference + echo "Trying to refresh key $recipient..." + gpg --batch --refresh-keys "$recipient" + echo "" fi # Current date @@ -573,6 +615,7 @@ EOF expiry="`gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^pub | cut -d : -f 7`" # Check if key is expired + # TODO: check if key is about to expire if [ ! -z "$expiry" ] && [[ "$seconds" -gt "$expiry" ]]; then echo "Fatal: primary key for $recipient expired on `date --date="@$expiry"`" exit 1 
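Review bot: The de-duplication `if echo $processed | grep -q "$recipient:"; then` matches `$recipient:` as an unanchored regex anywhere in the list, so a recipient that is a suffix of one already seen (for example a short key ID equal to the tail of a full fingerprint listed earlier) is treated as processed and skips the length check that follows instead of being rejected; match the whole token literally, `if printf '%s' "$processed" | grep -q -F -- ":$recipient:"; then`. `$processed` is also expanded unquoted in the `echo`, harmless for colon-separated hex but `printf '%s' "$processed"` is the safer habit. The loop header and the rest of the loop body are outside the hunk.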
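Review bot: In the new `check` branch, `gpg --batch --recv-keys "$recipient"` is followed by `echo ""` before `if [ "$?" != 0 ]`, so `$?` is the echo's status and a failed keyserver fetch is never reported; test gpg directly, `if ! gpg --batch --recv-keys "$recipient"; then`. `refresh="no"` is set once a key is missing but never reset for the next recipient (it is neither `local` nor cleared at the top of the loop), so after the first missing key no later recipient reaches the `[ "$refresh" != "no" ]` refresh block; initialise it per iteration, e.g. `refresh="yes"` before the `gpg --list-key` test. A key fetched here by fingerprint appears to be used like any other recipient for the rest of the run, which fits a check action but is worth stating at the `--recv-keys` line, `# fetched by full fingerprint; no further trust check is done here`. The enclosing loop starts outside the hunk.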
@@ -580,6 +623,7 @@ EOF # Check the subkeys for expiry in `gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^sub | cut -d : -f 7`; do if [[ "$seconds" -lt "$expiry" ]]; then + # TODO: check if subkey is about to expire not_expired="1" fi -- cgit v1.2.3 From 6e3b2e49d62ae9418e80fe63e511ef3b8f73acae Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 24 Feb 2014 20:29:24 -0300 Subject: ChangeLog and TODO update --- ChangeLog | 4 +++- lib/keyringer/actions/canary | 2 +- lib/keyringer/actions/check | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index cef7a83..615902d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,6 @@ -2014-02-23 - Silvio Rhatto +2014-02-24 - Silvio Rhatto + + Starting to code new actions: check (#39) and canary (#40) Enhanced secret finder at keyringer_get_file and on find action diff --git a/lib/keyringer/actions/canary b/lib/keyringer/actions/canary index a27d562..b00926d 100755 --- a/lib/keyringer/actions/canary +++ b/lib/keyringer/actions/canary @@ -32,7 +32,7 @@ # # How to run: # -# - First, "keyringer preferences edit # basic canary preferences". +# - First, "keyringer preferences edit # basic canary preferences". # # - Then, add the following at your ~/.profile or wherever you want your canary # be called from: "keyringer canary". diff --git a/lib/keyringer/actions/check b/lib/keyringer/actions/check index 14eb30b..098d163 100755 --- a/lib/keyringer/actions/check +++ b/lib/keyringer/actions/check @@ -27,3 +27,4 @@ source "$LIB" || exit 1 # This should be done here: # TODO: Check canaries' timestamps, warning by mail if configured by user preferences. +# TODO: Git maintenance operations. -- cgit v1.2.3 From 01a7518bcef3cdb1d3816ef9443373243f6510ed Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 25 Feb 2014 12:41:41 -0300 Subject: Git maintenance operations --- lib/keyringer/actions/check | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) 
diff --git a/lib/keyringer/actions/check b/lib/keyringer/actions/check index 098d163..83401b8 100755 --- a/lib/keyringer/actions/check +++ b/lib/keyringer/actions/check @@ -27,4 +27,13 @@ source "$LIB" || exit 1 # This should be done here: # TODO: Check canaries' timestamps, warning by mail if configured by user preferences. -# TODO: Git maintenance operations. + +# Git maintenance operations. +if [ -d "$BASEDIR/.git" ]; then + echo "Running git maintenance operations..." + keyringer_exec git "$BASEDIR" fsck + keyringer_exec git "$BASEDIR" gc --prune=all +else + echo "Fatal: not a git repository: $BASEDIR" + exit 1 +fi -- cgit v1.2.3 From a7afc30ecce868a396f5df2ca6d42059dbcdc958 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 25 Feb 2014 13:00:50 -0300 Subject: New function keyringer_check_repository --- lib/keyringer/actions/check | 14 +++----------- lib/keyringer/functions | 34 +++++++++++++++++++++++++++------- 2 files changed, 30 insertions(+), 18 deletions(-) diff --git a/lib/keyringer/actions/check b/lib/keyringer/actions/check index 83401b8..70fa7b4 100755 --- a/lib/keyringer/actions/check +++ b/lib/keyringer/actions/check @@ -16,7 +16,8 @@ LIB="`dirname $0`/../functions" source "$LIB" || exit 1 -# The following should run automatically from keyringer_check_recipients: +# The following should run automatically from keyringer_check_recipients +# and keyringer_check_repository: # # TODO: Pull the keyring repository. # TODO: Fetch absent keys from all recipients. 
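Review bot: The new block runs `keyringer_exec git "$BASEDIR" fsck` and then `keyringer_exec git "$BASEDIR" gc --prune=all` without looking at either exit status, so a repository that fsck reports as damaged is immediately garbage-collected with the grace period disabled, discarding unreachable objects that might have been needed for recovery; guard it, `keyringer_exec git "$BASEDIR" fsck || exit 1`, and consider the default `gc` since `--prune=all` also removes objects just orphaned by a reset or amend. The same two lines move into keyringer_check_repository in the next commit. `[ -d "$BASEDIR/.git" ]` is false for a worktree or submodule checkout where `.git` is a file; `keyringer_exec git "$BASEDIR" rev-parse --git-dir >/dev/null 2>&1` is the portable test.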
@@ -24,16 +25,7 @@ source "$LIB" || exit 1 # TODO: Time to expire can be configured via repository options. # TODO: Users can be alerted by mail if configured by user preferences. # TODO: Outgoing emails can be encrypted. +# TODO: Git maintenance operations. # This should be done here: # TODO: Check canaries' timestamps, warning by mail if configured by user preferences. - -# Git maintenance operations. -if [ -d "$BASEDIR/.git" ]; then - echo "Running git maintenance operations..." - keyringer_exec git "$BASEDIR" fsck - keyringer_exec git "$BASEDIR" gc --prune=all -else - echo "Fatal: not a git repository: $BASEDIR" - exit 1 -fi diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 4746859..e594fd1 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -301,6 +301,11 @@ function keyringer_set_env { # Upgrade configuration keyringer_upgrade + # Check repository integrity + if [ "$BASENAME" == "check" ]; then + keyringer_check_repository + fi + # Check recipients file keyringer_check_recipients $SUBCOMMAND @@ -513,6 +518,28 @@ function keyringer_usage { fi } +# Check repository integrity +function keyringer_check_repository { + # Check if it's a git repository + if [ ! -d "$BASEDIR/.git" ]; then + echo "Fatal: not a git repository: $BASEDIR" + exit 1 + fi + + # Git maintenance operations + echo "Running git maintenance operations..." + keyringer_exec git "$BASEDIR" fsck + keyringer_exec git "$BASEDIR" gc --prune=all + echo "" + + # Sync the repository + if [ "`keyringer_exec git "$BASEDIR" remote | wc -l`" != "0" ]; then + echo "Syncing git repository..." + keyringer_exec git "$BASEDIR" pull + echo "" + fi +} + # Check recipients # TODO: break in smaller pieces function keyringer_check_recipients { 
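Review bot: In keyringer_check_repository the remote test pipes `git remote` through `wc -l` inside backticks with nested double quotes, which bash parses but reads ambiguously; `if [ -n "$(keyringer_exec git "$BASEDIR" remote)" ]; then` says the same without `wc`. Running `fsck` and `gc --prune=all` before the `git pull` means the objects just fetched are never checked in this run; moving the pull first, or repeating `fsck` after it, would check what the remote delivered. The `git pull` result is still not examined, so a conflict leaves the tree mid-merge and keyringer_set_env goes on to keyringer_check_recipients on it; `keyringer_exec git "$BASEDIR" pull || { echo "Fatal: git pull failed" >&2; exit 1; }` would stop there. keyringer_set_env and keyringer_check_recipients continue outside these hunks.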
@@ -524,13 +551,6 @@ function keyringer_check_recipients { # Local variables local processed=":" - # Sync the repository - if [ "$BASENAME" == "check" ]; then - echo "Syncing git repository..." - keyringer_exec git "$BASEDIR" pull - echo "" - fi - # Check if recipients file is empty. if [ "`grep -vE "^#|^$" "$RECIPIENTS"/* | wc -l`" == 0 ] && [ "$SUBCOMMAND" != "edit" ]; then echo "Fatal: no recipients configured for this keyring." -- cgit v1.2.3 From d5c78e5d1597128fc8442c1efa31dff3f886e323 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 25 Feb 2014 15:55:07 -0300 Subject: TODO update --- lib/keyringer/actions/check | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/keyringer/actions/check b/lib/keyringer/actions/check index 70fa7b4..1ccd9c8 100755 --- a/lib/keyringer/actions/check +++ b/lib/keyringer/actions/check @@ -19,13 +19,13 @@ source "$LIB" || exit 1 # The following should run automatically from keyringer_check_recipients # and keyringer_check_repository: # -# TODO: Pull the keyring repository. -# TODO: Fetch absent keys from all recipients. +# Pull the keyring repository. +# Git maintenance operations. +# Fetch absent keys from all recipients. # TODO: Check if keys in all recipients files are about to expire. # TODO: Time to expire can be configured via repository options. # TODO: Users can be alerted by mail if configured by user preferences. # TODO: Outgoing emails can be encrypted. -# TODO: Git maintenance operations. # This should be done here: # TODO: Check canaries' timestamps, warning by mail if configured by user preferences. -- cgit v1.2.3 From e33b8aa1d3a8377abccb738b6af163b1881bb708 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 25 Feb 2014 15:56:54 -0300 Subject: Canary will be coded in a separate branch --- ChangeLog | 4 ++-- lib/keyringer/actions/canary | 46 -------------------------------------------- 2 files changed, 2 insertions(+), 48 deletions(-) delete mode 100755 lib/keyringer/actions/canary 
diff --git a/ChangeLog b/ChangeLog index 615902d..dd2dc8d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,6 @@ -2014-02-24 - Silvio Rhatto +2014-02-25 - Silvio Rhatto - Starting to code new actions: check (#39) and canary (#40) + New action: check (#39) Enhanced secret finder at keyringer_get_file and on find action diff --git a/lib/keyringer/actions/canary b/lib/keyringer/actions/canary deleted file mode 100755 index b00926d..0000000 --- a/lib/keyringer/actions/canary +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/bash -# -# Keyringer's canary warrant implementation. -# -# Inspired by: -# -# https://en.wikipedia.org/wiki/Warrant_canary -# http://www.rsync.net/resources/notices/canary.txt -# -# A canary is: -# -# - Generated using any combination of public available RSS -# feeds configured by user preferences. -# -# - Configured to generate new information once a day. -# If you run it more than that interval, no canary will -# be updated. -# -# A canary is stored: -# -# - In a folder called "canaries" followed by the user ID. -# -# - With an addiditonal timestamp stored plain+signed so it -# can be easily checked. -# -# - Can optionally be uploaded (encrypted or plain+signed) to a -# remote url via scp. -# -# - Can optinally be included in another git repository -# (encrypted or plain+signed), commited and pushed -# to a remote repository (ikiwiki instance, etc). -# -# How to run: -# -# - First, "keyringer preferences edit # basic canary preferences". -# -# - Then, add the following at your ~/.profile or wherever you want your canary -# be called from: "keyringer canary". - -# Load functions -LIB="`dirname $0`/../functions" -source "$LIB" || exit 1 - -# TODO: code! -echo "Not implemented :(" -exit 1 -- cgit v1.2.3 From b24bd68b002e49b0fea6d1e9c04cdde0be98c899 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 25 Feb 2014 16:00:09 -0300 Subject: Manpage update: check action --- share/man/keyringer.1.mdwn | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn index e8df829..9412b5d 100644 --- a/share/man/keyringer.1.mdwn +++ b/share/man/keyringer.1.mdwn @@ -62,7 +62,7 @@ ls <*path*> mkdir <*path*> : Create a directory inside the repository *keys* folder. -:rmdir <*path*> +rmdir <*path*> : Remove an empty folder inside the repository *keys* folder. tree <*path*> @@ -84,6 +84,9 @@ teardown : Remove permanently a local copy of a repository, very dangerous if you have just a single copy. +check +: Run maintenance checks in a keyring. + # SECRET MANIPULATION ACTIONS All secret manipulation actions operate upon a *secret* which is the pathname -- cgit v1.2.3 From 2b2cbe33a1aefb9b8eb2b812f1d4b3274e51a0df Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 25 Feb 2014 16:21:48 -0300 Subject: Break keyringer_check_recipients into smaller pieces --- lib/keyringer/actions/check | 5 +- lib/keyringer/functions | 180 +++++++++++++++++++++++++++----------------- 2 files changed, 112 insertions(+), 73 deletions(-) diff --git a/lib/keyringer/actions/check b/lib/keyringer/actions/check index 1ccd9c8..527af5a 100755 --- a/lib/keyringer/actions/check +++ b/lib/keyringer/actions/check @@ -22,10 +22,7 @@ source "$LIB" || exit 1 # Pull the keyring repository. # Git maintenance operations. # Fetch absent keys from all recipients. -# TODO: Check if keys in all recipients files are about to expire. -# TODO: Time to expire can be configured via repository options. -# TODO: Users can be alerted by mail if configured by user preferences. -# TODO: Outgoing emails can be encrypted. +# Check key expirations # This should be done here: # TODO: Check canaries' timestamps, warning by mail if configured by user preferences. diff --git a/lib/keyringer/functions b/lib/keyringer/functions index e594fd1..ca59501 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions 
@@ -540,8 +540,54 @@ function keyringer_check_repository { fi } +# Receive keys from keyservers +# TODO: gpg-maintenance trickery +# TODO: should be controlled by user preference +function keyringer_recv_keys { + local recipient="$1" + + echo "Trying to receive missing key $recipient..." + gpg --batch --recv-keys "$recipient" +} + +# Refresh keys from keyserver +# TODO: gpg-maintenance trickery +# TODO: should be controlled by user preference +function keyringer_refresh_keys { + local recipient="$1" + + echo "Trying to refresh key $recipient..." + gpg --batch --refresh-keys "$recipient" +} + +# Check recipient size +function keyringer_check_recipient_size { + local recipient="$1" + local size=$(echo "$recipient" | wc -c) + + if (( $size < 41 )); then + echo "Fatal: please set the full GPG signature hash for key ID $recipient:" + cat <<-EOF + +Please provide a full OpenPGP fingerprint, for example: + + john@doe.com ABCD1234ABCD12345678ABCD1234ABCD12345678 + +Short key ids (for example, DEADBEEF or DECAF123) are not allowed in +recipient files because they are easy to spoof. Researchers have proven +that it is possible to build fake keys to match any possible short key +id by using a few gigabytes of disk space, and a day of computation on +common hardware. + +Otherwise, the encryption can be broken, if someone spoofs a short key +id, and causes a participant in a keyringer repository to encrypt +secrets to a fake key. +EOF + exit 1 + fi +} + # Check recipients -# TODO: break in smaller pieces function keyringer_check_recipients { # Shall we check recipients? if [ "$KEYRINGER_CHECK_RECIPIENTS" == "false" ]; then 
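Review bot: keyringer_check_recipient_size only checks length (`wc -c` counts the trailing newline, so 40 or more characters pass), so a 40-character token that is not a hexadecimal fingerprint, or a fingerprint with a typo, is accepted and later handed to gpg as a search string; since the file already uses `[[ =~ ]]`, `if ! [[ "$recipient" =~ ^[0-9A-Fa-f]{40}$ ]]; then` checks the shape the heredoc describes, and `${#recipient}` replaces the `wc` pipe if only length is wanted. `local size=$(echo "$recipient" | wc -c)` also masks the pipeline's status behind `local`; split the declaration from the assignment. keyringer_recv_keys and keyringer_refresh_keys return gpg's status only because it is their last command, which the following hunk appears to rely on; a comment `# returns gpg's exit status` on each makes that contract explicit. The rest of keyringer_check_recipients is outside this hunk.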
@@ -577,85 +623,81 @@ function keyringer_check_recipients { processed="$processed$recipient:" fi - size=$(echo "$recipient" | wc -c) - if (( $size < 41 )); then - echo "Fatal: please set the full GPG signature hash for key ID $recipient:" - cat <<-EOF + # Check recipient size + keyringer_check_recipient_size "$recipient" -Please provide a full OpenPGP fingerprint, for example: + # Check if key is present + keyringer_check_recipient_key "$recipient" - john@doe.com ABCD1234ABCD12345678ABCD1234ABCD12345678 + # Refresh keys + if [ "$BASENAME" == "check" ] && [ "$refresh" != "no" ]; then + keyringer_refresh_keys "$recipient" + echo "" + fi -Short key ids (for example, DEADBEEF or DECAF123) are not allowed in -recipient files because they are easy to spoof. Researchers have proven -that it is possible to build fake keys to match any possible short key -id by using a few gigabytes of disk space, and a day of computation on -common hardware. + # Check key expiration + keyringer_check_expiration "$recipient" -Otherwise, the encryption can be broken, if someone spoofs a short key -id, and causes a participant in a keyringer repository to encrypt -secrets to a fake key. -EOF - exit 1 - else - gpg --list-key "$recipient" &> /dev/null - if [ "$?" != "0" ]; then - if [ "$BASENAME" == "check" ]; then - # TODO: gpg-maintenance trickery - # TODO: should be controlled by user preference - refresh="no" - echo "Trying to receive missing key $recipient..." - gpg --batch --recv-keys "$recipient" - echo "" - if [ "$?" != 0 ]; then - echo "Error fetching $recipient from keyservers." - continue - fi - else - echo "Fatal: no such key $recipient on your GPG keyring." - echo "Please check for this key or fix the recipient file." - - exit 1 - fi - fi + done +} - # Refresh keys - if [ "$BASENAME" == "check" ] && [ "$refresh" != "no" ]; then - # TODO: gpg-maintenance trickery - # TODO: should be controlled by user preference - echo "Trying to refresh key $recipient..." 
- gpg --batch --refresh-keys "$recipient" - echo "" +# Check if a key is present +function keyringer_check_recipient_key { + local recipient="$1" + + gpg --list-key "$recipient" &> /dev/null + if [ "$?" != "0" ]; then + if [ "$BASENAME" == "check" ]; then + refresh="no" + keyringer_recvs_keys "$recipient" + if [ "$?" != 0 ]; then + echo "Error fetching $recipient from keyservers." + continue fi + echo "" + else + echo "Fatal: no such key $recipient on your GPG keyring." + echo "Please check for this key or fix the recipient file." - # Current date - seconds="`date +%s`" + exit 1 + fi + fi +} - # Check the main key - expiry="`gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^pub | cut -d : -f 7`" +# Check key expiration +# TODO: Check if keys in all recipients files are about to expire. +# TODO: Time to expire can be configured via repository options. +# TODO: Users can be alerted by mail if configured by user preferences. +# TODO: Outgoing emails can be encrypted. +function keyringer_check_expiration { + # Variables + local recipient="$1" + + # Current date + seconds="`date +%s`" + + # Check the main key + expiry="`gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^pub | cut -d : -f 7`" + + # Check if key is expired + # TODO: check if key is about to expire + if [ ! -z "$expiry" ] && [[ "$seconds" -gt "$expiry" ]]; then + echo "Fatal: primary key for $recipient expired on `date --date="@$expiry"`" + exit 1 + else + # Check the subkeys + for expiry in `gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^sub | cut -d : -f 7`; do + if [[ "$seconds" -lt "$expiry" ]]; then + # TODO: check if subkey is about to expire + not_expired="1" + fi - # Check if key is expired - # TODO: check if key is about to expire - if [ ! 
-z "$expiry" ] && [[ "$seconds" -gt "$expiry" ]]; then - echo "Fatal: primary key for $recipient expired on `date --date="@$expiry"`" + if [ "$not_expired" != "1" ]; then + echo "Fatal: key $recipient has no keys suitable for encryption: all subkeys expired." exit 1 - else - # Check the subkeys - for expiry in `gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^sub | cut -d : -f 7`; do - if [[ "$seconds" -lt "$expiry" ]]; then - # TODO: check if subkey is about to expire - not_expired="1" - fi - - if [ "$not_expired" != "1" ]; then - echo "Fatal: key $recipient has no keys suitable for encryption: all subkeys expired." - exit 1 - fi - done fi - - fi - done + done + fi } # Set recipients -- cgit v1.2.3 From f6b2f4910184cdce2c1a27fab16eeebecd789446 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 25 Feb 2014 17:07:21 -0300 Subject: Check if keys are about to expire --- lib/keyringer/functions | 44 +++++++++++++++++++++++++++----------------- 1 file changed, 27 insertions(+), 17 deletions(-) diff --git a/lib/keyringer/functions b/lib/keyringer/functions index ca59501..4ded3b3 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -665,13 +665,10 @@ function keyringer_check_recipient_key { } # Check key expiration -# TODO: Check if keys in all recipients files are about to expire. -# TODO: Time to expire can be configured via repository options. -# TODO: Users can be alerted by mail if configured by user preferences. -# TODO: Outgoing emails can be encrypted. function keyringer_check_expiration { # Variables local recipient="$1" + local not_expired="0" # Current date seconds="`date +%s`" 
@@ -679,24 +676,37 @@ function keyringer_check_expiration { # Check the main key expiry="`gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^pub | cut -d : -f 7`" + # TODO: Time to expire can be configured via repository options. + ahead="$((86400 * 30 + $seconds))" + # Check if key is expired - # TODO: check if key is about to expire if [ ! -z "$expiry" ] && [[ "$seconds" -gt "$expiry" ]]; then echo "Fatal: primary key for $recipient expired on `date --date="@$expiry"`" exit 1 - else - # Check the subkeys - for expiry in `gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^sub | cut -d : -f 7`; do - if [[ "$seconds" -lt "$expiry" ]]; then - # TODO: check if subkey is about to expire - not_expired="1" - fi + fi - if [ "$not_expired" != "1" ]; then - echo "Fatal: key $recipient has no keys suitable for encryption: all subkeys expired." - exit 1 - fi - done + # Check if key is about to expire + # TODO: Users can be alerted by mail if configured by user preferences. + # TODO: Outgoing emails can be encrypted. + if [ "$BASENAME" == "check" ] && [ ! -z "$expiry" ] && [[ "$ahead" -gt "$expiry" ]]; then + echo "Warning: key $recipient will expire soon, on `date --date="@$expiry"`" + fi + + # Check the subkeys + for expiry in `gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^sub | cut -d : -f 7`; do + if [[ "$seconds" -lt "$expiry" ]]; then + not_expired="1" + fi + + if [[ "$ahead" -gt "$expiry" ]] && [ "$BASENAME" == "check" ]; then + echo "Warning: subkey from $recipient will expire soon, on `date --date="@$expiry"`" + fi + done + + # All subkeys are expired + if [ "$not_expired" != "1" ]; then + echo "Fatal: key $recipient has no keys suitable for encryption: all subkeys expired." + exit 1 fi } -- cgit v1.2.3 From d2b6a5193d7dbb28351ec2108ac119a42c7365e3 Mon Sep 17 00:00:00 2001 
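Review bot: The new subkey warning also fires for subkeys that have already expired, because an `expiry` below `seconds` is necessarily below `ahead`, so `check` reports an expired subkey as "will expire soon". Nesting the warning under the not-expired test restricts it to subkeys that are still valid, as below. `ahead` is assigned without `local` while `not_expired` now is; `local ahead` keeps the function self-contained.
```shell
  # Check the subkeys
  for expiry in `gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^sub | cut -d : -f 7`; do
    if [[ "$seconds" -lt "$expiry" ]]; then
      not_expired="1"

      # Only warn about subkeys that are still valid
      if [[ "$ahead" -gt "$expiry" ]] && [ "$BASENAME" == "check" ]; then
        echo "Warning: subkey from $recipient will expire soon, on `date --date="@$expiry"`"
      fi
    fi
  done
  # … unchanged: all-subkeys-expired check …
```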
From: Silvio Rhatto Date: Tue, 25 Feb 2014 18:28:17 -0300 Subject: Skeleton for keyringer_get_option --- lib/keyringer/actions/options | 2 +- lib/keyringer/actions/preferences | 2 +- lib/keyringer/functions | 11 +++++++++++ 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/lib/keyringer/actions/options b/lib/keyringer/actions/options index 3bf0e43..b210e1a 100755 --- a/lib/keyringer/actions/options +++ b/lib/keyringer/actions/options @@ -1,6 +1,6 @@ #!/bin/bash # -# Recipient management. +# Repository options management. # # Load functions diff --git a/lib/keyringer/actions/preferences b/lib/keyringer/actions/preferences index f7507a7..114f9ac 100755 --- a/lib/keyringer/actions/preferences +++ b/lib/keyringer/actions/preferences @@ -1,6 +1,6 @@ #!/bin/bash # -# Manipulate preferences. +# Manipulate user preferences. # # Load functions diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 4ded3b3..ec3eb0c 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -408,6 +408,17 @@ function keyringer_upgrade { fi } +# Get an option +# +# Given that options are shared among users through the +# repository, we can't just "source $OPTIONS" as we would +# be opening a simple arbitrary code execution hole. +# +# TODO +function keyringer_get_option { + false +} + # Get a file argument function keyringer_get_file { FILE="$(keyringer_filename "$RELATIVE_PATH/$1")" -- cgit v1.2.3 From 34ef511e0404012dff2b44fa3f8453c926aa5456 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 27 Feb 2014 15:55:52 -0300 Subject: Do not trigger a false positive when subkeys has no expiry date --- lib/keyringer/functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/keyringer/functions b/lib/keyringer/functions index ec3eb0c..e60657a 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions 
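Review bot: The header comment on `keyringer_get_option` states why `$OPTIONS` must not be sourced but not what the replacement contract is; a sentence such as `# Options must be read as plain data (extract the value for a given name), never evaluated by the shell.` would keep the eventual implementation from reintroducing the code-execution hole the comment warns about. The stub also fails silently, so a caller cannot distinguish "not implemented" from "option unset"; `echo "keyringer_get_option: not implemented" >&2; return 1` makes the placeholder explicit.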
@@ -715,7 +715,7 @@ function keyringer_check_expiration { done # All subkeys are expired - if [ "$not_expired" != "1" ]; then + if [ ! -z "$expiry" ] && [ "$not_expired" != "1" ]; then echo "Fatal: key $recipient has no keys suitable for encryption: all subkeys expired." exit 1 fi -- cgit v1.2.3 From 66812bcf7655bf22aafe58d8d60c96a03114bf0b Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 28 Feb 2014 16:48:22 -0300 Subject: Software comparison --- index.mdwn | 3 +++ lib/keyringer/actions/check | 1 + 2 files changed, 4 insertions(+) diff --git a/index.mdwn b/index.mdwn index 652376d..ee3870a 100644 --- a/index.mdwn +++ b/index.mdwn @@ -206,6 +206,9 @@ given key), but it's possible to: Never decrypt a key and write it to the disk, except if you're adding it to your personall keyring. +Check [this page](https://wiki.koumbit.net/PasswordManagementService/SoftwareComparison) +a comparison on different password management tools. + Requirements ------------ diff --git a/lib/keyringer/actions/check b/lib/keyringer/actions/check index 527af5a..c80fa8f 100755 --- a/lib/keyringer/actions/check +++ b/lib/keyringer/actions/check @@ -7,6 +7,7 @@ # - git://lair.fifthhorseman.net/~mjgoins/cur # - https://gitorious.org/key-report # - https://github.com/ilf/gpg-maintenance.git +# - https://github.com/EtiennePerot/parcimonie.sh # - https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/ # # This script can run from a crontab, client or server side to check -- cgit v1.2.3 From c03461f7ee7308d89b45c495c85512362e36433b Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 14 Mar 2014 10:28:09 -0300 Subject: Check if keyring exists --- keyringer | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/keyringer b/keyringer index 0930637..e57dfd0 100755 --- a/keyringer +++ b/keyringer 
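Review bot: The added guard tests `$expiry`, but after the `for` loop that variable holds the last subkey expiry that had a value or, when no subkey had one, the primary key's expiry left over from the earlier check; a key whose primary key expires but whose subkeys never expire therefore still hits the "all subkeys expired" fatal, and so does a key with one expired subkey plus a non-expiring one. The root cause is that `cut` emits an empty field for a subkey without an expiry date and the unquoted `for` word-splits it away, so such subkeys never set `not_expired`. Reading the `sub` lines with `while IFS= read -r expiry` and treating an empty field as valid, `if [ -z "$expiry" ] || [[ "$seconds" -lt "$expiry" ]]; then not_expired="1"; fi`, removes the need for this guard. The loop itself is outside this hunk.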
@@ -161,6 +161,12 @@ fi # Load functions source "$LIB" || exit 1 +# Check if keyring exist +if [ ! -f "$CONFIG_BASE/$KEYRING" ]; then + echo "No such keyring $KEYRING" + exit 1 +fi + # Setup main configuration and load preferences keyringer_config_load -- cgit v1.2.3 From dee97a0629659ed8e2c8a716611e88a9bb7f068d Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 14 Mar 2014 10:28:28 -0300 Subject: Use 'actions' instead of 'commands' --- lib/keyringer/functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/keyringer/functions b/lib/keyringer/functions index e60657a..ca7f411 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -519,7 +519,7 @@ function keyringer_usage { printf "Keyringer $KEYRINGER_VERSION\n" printf "Usage: %s [arguments]\n\n" "$BASENAME" - printf "Available commands: \n\n" + printf "Available actions: \n\n" keyringer_show_actions | sed -e 's/^/\t/' # Display only when not in a keyring context -- cgit v1.2.3 From 301b02acc4d165548d8209dd5b5e2f214dcde765 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 14 Mar 2014 10:33:33 -0300 Subject: Always use keyringer_exec / init action check --- keyringer | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/keyringer b/keyringer index e57dfd0..da87678 100755 --- a/keyringer +++ b/keyringer @@ -97,7 +97,7 @@ function keyringer_init { echo "Now you have to edit the default recipient configuration to be able to encrypt secrets." echo "Press any key to proceed editing..." read key - keyringer $KEYRING recipients edit default + keyringer_exec recipients "$BASEDIR" edit default # Stage and commit keyringer_exec git "$BASEDIR" add . @@ -162,7 +162,7 @@ fi source "$LIB" || exit 1 # Check if keyring exist -if [ ! -f "$CONFIG_BASE/$KEYRING" ]; then +if [ ! -f "$CONFIG_BASE/$KEYRING" ] && [ "$ACTION" != "init" ]; then echo "No such keyring $KEYRING" exit 1 fi -- cgit v1.2.3 From 15fbe5a432a361cc9c7a628aaae7c041263d3086 Mon Sep 17 00:00:00 2001 
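Review bot: `$KEYRING` is joined into `$CONFIG_BASE/$KEYRING` without validation; if it comes from the command line, as the `keyringer $KEYRING shell` dispatch in a later hunk suggests, a value containing `/` or `..` is resolved outside `$CONFIG_BASE` and the existence check answers for an unrelated path. Rejecting such names before the test, `case "$KEYRING" in */*|.|..) echo "Invalid keyring name $KEYRING"; exit 1;; esac`, keeps the lookup inside the config directory.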
From: Silvio Rhatto Date: Fri, 14 Mar 2014 10:53:09 -0300 Subject: Check git configuration --- keyringer | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/keyringer b/keyringer index da87678..161ab5e 100755 --- a/keyringer +++ b/keyringer @@ -39,6 +39,18 @@ function keyringer_init { exit 1 fi + # Check user configuration: git might complain if those aren't set + if [ -z "`git config --global --get user.name`" ] || [ -z "`git config --global --get user.email`" ]; then + echo "Please chose the name and email address that should identify your changes in the new keyring." + read -p "Enter your desired name/pseudonym: " name + read -p "Enter your desired email address: " email + + if [ -z "$name" ] || [ -z "$email" ]; then + echo "Aborting." + exit 1 + fi + fi + # Setup if [ ! -z "$URL" ]; then git clone "$URL" "$BASEDIR" @@ -93,6 +105,10 @@ function keyringer_init { keyringer_exec git "$BASEDIR" init keyringer_git_ignore 'tmp/*' + # Git configuration + git config user.email "$email" + git config user.name "$name" + # Edit default recipients echo "Now you have to edit the default recipient configuration to be able to encrypt secrets." echo "Press any key to proceed editing..." @@ -161,7 +177,7 @@ fi # Load functions source "$LIB" || exit 1 -# Check if keyring exist +# Check if keyring exists if [ ! -f "$CONFIG_BASE/$KEYRING" ] && [ "$ACTION" != "init" ]; then echo "No such keyring $KEYRING" exit 1 -- cgit v1.2.3 From 3f7f4aa86309ebc44e1097158ec33abda3465945 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 14 Mar 2014 10:55:19 -0300 Subject: Basic checks --- keyringer | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/keyringer b/keyringer index 161ab5e..0ec90be 100755 --- a/keyringer +++ b/keyringer 
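Review bot: `git config user.email "$email"` and `git config user.name "$name"` in the second hunk run unconditionally, but `name` and `email` are only read when the global config lacks them, so for a user who already has a git identity this writes empty `user.name`/`user.email` into the new repository and shadows the global values. Unless the script has already changed into `$BASEDIR` (not shown here), the calls also run in the current directory rather than the keyring, unlike the surrounding `keyringer_exec git "$BASEDIR" …` lines, so they may touch whatever repository the shell happens to be in; the rewrite below guards and scopes them. In the first hunk, `read -p` without `-r` consumes backslashes in the typed name; `read -r -p` stores the input verbatim.
```shell
  # Git configuration: only when the user was asked for an identity above
  if [ ! -z "$name" ] && [ ! -z "$email" ]; then
    ( cd "$BASEDIR" && git config user.email "$email" && git config user.name "$name" )
  fi
```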
@@ -177,8 +177,11 @@ fi # Load functions source "$LIB" || exit 1 -# Check if keyring exists -if [ ! -f "$CONFIG_BASE/$KEYRING" ] && [ "$ACTION" != "init" ]; then +# Basic checks +if [ -z "$KEYRING" ]; then + keyringer_usage + exit 1 +elif [ ! -f "$CONFIG_BASE/$KEYRING" ] && [ "$ACTION" != "init" ]; then echo "No such keyring $KEYRING" exit 1 fi @@ -187,10 +190,7 @@ fi keyringer_config_load # Dispatch -if [ -z "$KEYRING" ]; then - keyringer_usage - exit 1 -elif [ -z "$ACTION" ]; then +if [ -z "$ACTION" ]; then # Run shell if no action were given keyringer $KEYRING shell elif [ "$ACTION" == "init" ]; then -- cgit v1.2.3 From 86835f829aacd8466e1fbc908b77de75d722423d Mon Sep 17 00:00:00 2001 From: rhatto Date: Fri, 14 Mar 2014 13:22:36 -0300 Subject: Use --include at git config --- keyringer | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/keyringer b/keyringer index 0ec90be..a8dd5c7 100755 --- a/keyringer +++ b/keyringer @@ -40,8 +40,8 @@ function keyringer_init { fi # Check user configuration: git might complain if those aren't set - if [ -z "`git config --global --get user.name`" ] || [ -z "`git config --global --get user.email`" ]; then - echo "Please chose the name and email address that should identify your changes in the new keyring." + if [ -z "`git config --global --includes --get user.name`" ] || [ -z "`git config --global --includes --get user.email`" ]; then + echo "No git config found, so please chose a name and email address to identify your changes in the new keyring repository." read -p "Enter your desired name/pseudonym: " name read -p "Enter your desired email address: " email -- cgit v1.2.3 From 927a8392b30b2329b60f181fb0a67bd450f6df4e Mon Sep 17 00:00:00 2001 From: rhatto Date: Fri, 14 Mar 2014 13:23:04 -0300 Subject: Try to get an initial recipient (#32) --- lib/keyringer/functions | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) 
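Review bot: The prompt string in the `--includes` hunk reads "please chose"; it should be `echo "No git config found, so please choose a name and email address to identify your changes in the new keyring repository."`. Since this message is shown to every user creating a keyring, the typo is worth fixing in the same hunk.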
diff --git a/lib/keyringer/functions b/lib/keyringer/functions index ca7f411..0b084af 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -772,10 +772,35 @@ function keyringer_set_new_recipients { # Create a new recipients file function keyringer_create_new_recipients { - if [ ! -e "$1" ]; then - mkdir -p "`dirname $1`" + local recipients="$1" + local recipient + local key + local uid + local fpr + + if [ ! -e "$recipients" ]; then + mkdir -p "`dirname $recipients`" echo "# Use entries in the form of 'john@doe.com XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'" > "$1" - echo "" >> "$1" + echo "" >> "$recipients" + + # Try to get an initial recipient + if [ -e "$HOME/.gnupg/gpg.conf" ]; then + recipient="`grep -e "^default-key" ~/.gnupg/gpg.conf | cut -d ' ' -f 2`" + + if [ ! -z "$recipient" ]; then + key="`gpg --fingerprint --with-colons $recipient 2> /dev/null`" + + if [ "$?" == "0" ]; then + fpr="`echo "$key" | grep -e '^fpr:' | head -1 | cut -d : -f 10`" + uid="`echo "$key" | grep -e '^uid:' | head -1 | cut -d : -f 10 | sed -e 's|^[^<]*<||' -e 's|>$||'`" + + if [ ! -z "$uid" ] && [ ! -z "$fpr" ]; then + echo "Default key $fpr ($uid) found at ~/.gnupg/gpg.conf, using as initial recipient." + echo "$uid $fpr" >> "$recipients" + fi + fi + fi + fi fi } -- cgit v1.2.3 From 8498a11b0b94ea07acb5efc991b70f2fbe84b7ba Mon Sep 17 00:00:00 2001 From: rhatto Date: Fri, 14 Mar 2014 13:24:08 -0300 Subject: ChangeLog update --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index dd2dc8d..fd7baca 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,7 @@ 2014-02-25 - Silvio Rhatto + Try to get an initial recipient (#32) + New action: check (#39) Enhanced secret finder at keyringer_get_file and on find action -- cgit v1.2.3 From 38c1700e6e21d070c39e0e64127995b3246d7460 Mon Sep 17 00:00:00 2001 
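Review bot: The context line `echo "# Use entries in the form of …" > "$1"` is the only remaining use of `$1` after this hunk introduces `local recipients="$1"`; it should become `> "$recipients"` for consistency. `gpg --fingerprint --with-colons $recipient` leaves `$recipient` unquoted, and `cut -d ' ' -f 2` on the `default-key` line yields an empty value when the option is tab-separated or padded with extra spaces; `awk '/^default-key/ {print $2; exit}' ~/.gnupg/gpg.conf` handles both and also picks a single line when several `default-key` entries exist. The `sed` that derives `uid` only strips an `<email>` wrapper, so for a user ID without an email the full name-and-comment string, spaces included, is written as the first field of the recipients file; if the recipients parser (not visible here) takes the first whitespace-separated word as the label, such a line would be misread, so skipping the default recipient when `uid` contains whitespace is the safer fallback.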
From: rhatto Date: Fri, 14 Mar 2014 13:25:47 -0300 Subject: Keyringer 0.3.1 --- ChangeLog | 2 +- keyringer | 2 +- share/man/keyringer.1 | 7 ++++++- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index fd7baca..6730f39 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,4 @@ -2014-02-25 - Silvio Rhatto +2014-03-14 - 0.3.1 - Silvio Rhatto Try to get an initial recipient (#32) diff --git a/keyringer b/keyringer index a8dd5c7..dd6e828 100755 --- a/keyringer +++ b/keyringer @@ -138,7 +138,7 @@ function keyringer_dispatch { # Config NAME="keyringer" -KEYRINGER_VERSION="0.3" +KEYRINGER_VERSION="0.3.1" CONFIG_VERSION="0.1" CONFIG_BASE="$HOME/.$NAME" CONFIG="$CONFIG_BASE/config" diff --git a/share/man/keyringer.1 b/share/man/keyringer.1 index 8402b9c..9d2eae8 100644 --- a/share/man/keyringer.1 +++ b/share/man/keyringer.1 @@ -70,7 +70,7 @@ Create a directory inside the repository \f[I]keys\f[] folder. .RS .RE .TP -.B :rmdir <\f[I]path\f[]> +.B rmdir <\f[I]path\f[]> Remove an empty folder inside the repository \f[I]keys\f[] folder. .RS .RE @@ -101,6 +101,11 @@ Remove permanently a local copy of a repository, very dangerous if you have just a single copy. .RS .RE +.TP +.B check +Run maintenance checks in a keyring. +.RS +.RE .SH SECRET MANIPULATION ACTIONS .PP All secret manipulation actions operate upon a \f[I]secret\f[] which is -- cgit v1.2.3