From 4705d861b56fbec26ac0dee8749b74dade3c25c1 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 14 Nov 2013 19:28:16 -0200 Subject: Avoid hyphen-used-as-minus-sign lintian warning --- Makefile | 3 +++ share/man/keyringer.1 | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 0d2ef3a..8ec01c2 100644 --- a/Makefile +++ b/Makefile @@ -45,7 +45,10 @@ install: clean @make install_lib install_bin install_doc install_man install_completion build_man: + # Pipe output to sed to avoid http://lintian.debian.org/tags/hyphen-used-as-minus-sign.html + # Fixed in http://johnmacfarlane.net/pandoc/releases.html#pandoc-1.10-2013-01-19 pandoc -s -w man share/man/keyringer.1.mdwn -o share/man/keyringer.1 + sed -i -e 's/--/\\-\\-/g' share/man/keyringer.1 tarball: git archive --prefix=keyringer-$(VERSION)/ --format=tar HEAD | bzip2 >../tarballs/keyringer-$(VERSION).tar.bz2 diff --git a/share/man/keyringer.1 b/share/man/keyringer.1 index c3fbc54..99a49bc 100644 --- a/share/man/keyringer.1 +++ b/share/man/keyringer.1 @@ -246,7 +246,7 @@ Metadata is not encrypted, meaning that an attacker with access to a keyringer repository can discover all public key IDs used for encryption, and which secrets are encrypted to which keys. This can be improved in the future by encrypting the repository -configuration with support for the \f[I]--hidden-recipient\f[] GnuPG +configuration with support for the \f[I]\-\-hidden-recipient\f[] GnuPG option. .IP "2." 3 History is not rewritten by default when secrets are removed from a -- cgit v1.2.3 From bf99499751482886833ad7ce77930ba9a12b8a86 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 14 Nov 2013 22:57:59 -0200 Subject: Support for encrypting a whole tree (closes #21) --- ChangeLog | 4 +++ lib/keyringer/actions/encrypt | 71 ++++++++++++++++++++++++++++++++----------- lib/keyringer/functions | 4 +-- share/man/keyringer.1.mdwn | 8 +++-- 4 files changed, 65 insertions(+), 22 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index 69d58bb..b55493d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2013-11-14 - Silvio Rhatto + + Support for encrypting a whole tree (closes #21) + 2013-11-14 - 0.2.8 Silvio Rhatto Updated development workflow and version scheme diff --git a/lib/keyringer/actions/encrypt b/lib/keyringer/actions/encrypt index aadb9fa..0a40bc1 100755 --- a/lib/keyringer/actions/encrypt +++ b/lib/keyringer/actions/encrypt @@ -17,6 +17,24 @@ function keyringer_usage_encrypt_batch { keyringer_usage_encrypt $* } +# Encrypt a file into the datastore +function keyringer_encrypt { + local file="$1" + shift + + if [ -z "$1" ]; then + return 1 + fi + + if [ "$*" != "-" ]; then + echo "Encrypting $*..." + fi + + mkdir -p "$KEYDIR/`dirname "$file"`" + $GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") --yes --output "$KEYDIR/$file" "$*" + printf "\n" +} + # Usage if [ -z "$2" ]; then keyringer_action_usage 
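Review bot: keyringer_encrypt returns the exit status of the trailing `printf "\n"`, not of `$GPG`, so a failed encryption (unknown recipient, agent refusal, unwritable output) is reported as success to the `err="$?"` check that the action performs after calling it. Capture gpg's status before printing: `$GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") --yes --output "$KEYDIR/$file" "$*"; ret=$?` followed by `printf "\n"` and `return $ret`, with `local ret` declared next to `local file`. The plaintext path is also taken as `"$*"`, which silently re-joins a path that a caller passed unquoted and word-split — taking `"$1"` and quoting at the call sites avoids encrypting the wrong file. Nothing here confines `$file` to the keys tree either; `--output "$KEYDIR/$file"` writes wherever the (separately sanitised) secret name points, so that sanitisation must reject `..` components.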
@@ -26,26 +44,31 @@ fi # Aditional parameters if [ ! -z "$3" ]; then # Set secret name and original file - FILE="$2" + BASEPATH="$2" shift 2 UNENCRYPTED_FILE="$*" - # Get original file EXTENSION - FILENAME="$(basename "$UNENCRYPTED_FILE")" - EXTENSION="${FILENAME##*.}" - - # Append file extension in the secret name - # - # Useful when opening files and the application needs the - # extension to guess the file type. - if ! echo $FILE | grep -q -e "\.$EXTENSION$"; then - FILE="$FILE.$EXTENSION" + if [ ! -d "$UNENCRYPTED_FILE" ] && echo "$UNENCRYPTED_FILE" | grep -q -e '\.'; then + # Get original file EXTENSION + FILENAME="$(basename "$UNENCRYPTED_FILE")" + EXTENSION="${FILENAME##*.}" + + # Append file extension in the secret name + # + # Useful when opening files and the application needs the + # extension to guess the file type. + if ! echo $BASEPATH | grep -q -e "\.$EXTENSION$"; then + echo "Appending '$EXTENSION' into secret name..." + FILE="$BASEPATH.$EXTENSION" + fi + else + FILE="$BASEPATH" fi keyringer_get_new_file $FILE - if [ ! -f "$UNENCRYPTED_FILE" ]; then - echo "Error: cannot encrypt $UNENCRYPTED_FILE: file not found." + if [ ! -e "$UNENCRYPTED_FILE" ]; then + echo "Error: cannot encrypt $UNENCRYPTED_FILE: path not found." exit 1 fi else @@ -57,9 +80,7 @@ fi # Set recipients file keyringer_set_recipients "$FILE" -# Encrypt -mkdir -p "$KEYDIR/`dirname $FILE`" - +# Verbosity if [ "$BASENAME" == "encrypt" ]; then # Only display directions if we're running encrypt, not encrypt-batch if [ "$UNENCRYPTED_FILE" == "-" ]; then 
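Review bot: FILE is left unset when the secret name already ends with the plaintext's extension: only the "append" branch of `if ! echo $BASEPATH | grep -q -e "\.$EXTENSION$"` assigns it, the old `FILE="$2"` was removed, and the `else` belongs to the outer test, so `keyringer_get_new_file $FILE` then runs with no argument unless FILE is initialised above this hunk. Initialise it unconditionally, `FILE="$BASEPATH"`, right after `BASEPATH="$2"`, and let the extension logic override it. The extension test `echo "$UNENCRYPTED_FILE" | grep -q -e '\.'` also inspects the whole path, so `/home/j.doe/notes` passes it while `${FILENAME##*.}` yields `notes` and the secret becomes `name.notes`; test the basename instead, `case "$FILENAME" in *.*) …` . Moving the `[ ! -e "$UNENCRYPTED_FILE" ]` check before `keyringer_get_new_file` would avoid sanitising and announcing a destination for a source that does not exist.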
@@ -67,7 +88,23 @@ if [ "$BASENAME" == "encrypt" ]; then fi fi -$GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") --yes --output "$KEYDIR/$FILE" "$UNENCRYPTED_FILE" +# Encrypt +if [ "$UNENCRYPTED_FILE" != "-" ] && [ -d "$UNENCRYPTED_FILE" ]; then + # Time to go recursive + BASEPATH="`basename $FILE .asc`" + FILEPATH="`dirname "$UNENCRYPTED_FILE"`" + find $UNENCRYPTED_FILE | while read file; do + if [ ! -d "$file" ]; then + dir="`dirname "$file" | sed -e "s|^$FILEPATH|$BASEPATH|g"`" + keyringer_get_new_file `basename "$file"` + keyringer_encrypt "$dir/$FILE" $file + fi + done + + FILE="$OLD_FILE" +else + keyringer_encrypt $FILE $UNENCRYPTED_FILE +fi err="$?" diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 4c06198..dd31676 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -431,10 +431,10 @@ function keyringer_get_new_file { fi # Sanitize and complete file name - FILE="`echo $FILE | sed -e s/[^A-Za-z0-9.\/\-]/_/g`" + FILE="`echo $FILE | sed -e 's/[^A-Za-z0-9.\/\-]/_/g'`" # Warn user about file name change - if [ "`basename $*`" != "`basename $FILE`" ]; then + if [ "`basename "$*"`" != "`basename $FILE`" ]; then echo "Sanitizing destination filename to `basename $FILE`" fi diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn index ee035e3..876f774 100644 --- a/share/man/keyringer.1.mdwn +++ b/share/man/keyringer.1.mdwn 
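Review bot: The recursive branch word-splits and glob-expands every path it handles: `find $UNENCRYPTED_FILE` and `keyringer_encrypt "$dir/$FILE" $file` are unquoted and `read` lacks `-r`, so a file name containing spaces, backslashes or `*` is encrypted under the wrong name or skipped, and `$FILEPATH`/`$BASEPATH` are spliced into a sed regex where `|`, `.` or `&` in a source path rewrites the destination directory. Because the loop runs in a pipeline subshell, `FILE="$OLD_FILE"` afterwards restores a value this shell never changed (OLD_FILE is not set anywhere visible), and `err="$?"` then records that assignment rather than any encryption failure. The loop below quotes everything, uses NUL-delimited names, derives the destination with parameter expansion instead of a regex, and aborts on the first failure (provided keyringer_encrypt returns gpg's status); drop the `FILE="$OLD_FILE"` line so `err="$?"` sees the pipeline's status.
```shell
  find "$UNENCRYPTED_FILE" ! -type d -print0 | while IFS= read -r -d '' file; do
    rel="`dirname "$file"`"
    dir="$BASEPATH${rel#"$FILEPATH"}"
    keyringer_get_new_file "`basename "$file"`"
    keyringer_encrypt "$dir/$FILE" "$file" || exit 1
  done
  # … unchanged: non-recursive branch and err="$?" …
```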
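Review bot: The sanitising class `[^A-Za-z0-9.\/\-]` still admits `.` and `/`, so a secret name such as `../config/recipients/default` survives untouched and is later joined as `$KEYDIR/$FILE`, which can place the ciphertext outside the keys tree (whether anything above this hunk rejects `..` components is not visible here). Reject them right after the sed: `case "/$FILE/" in */../*) echo "Error: invalid secret name $FILE"; exit 1;; esac`. The unquoted `echo $FILE` feeding the sed also glob-expands a name like `*` against the current directory before sanitising, so the resulting secret name is whatever files happen to be there; `printf '%s\n' "$FILE" | sed …` avoids that. keyringer_get_new_file starts before this hunk, so the caller-facing contract is only partly visible.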
@@ -94,10 +94,12 @@ edit <*secret*> encrypt <*secret*> [*file*] : Encrypts content from standard input or *file* into *secret* pathname. No spaces - are supported in the *secret* name. + are supported in the *secret* name. If *file* is actually a folder, keyringer + will recursivelly encrypt all it's contents. -encrypt-batch <*secret*> -: Encrypt content, batch mode. +encrypt-batch <*secret*> [*file*] +: Encrypt content, batch mode. Behavior is identical to *encrypt* action, but less + verbose. Useful inside scripts. genpair <*ssh*|*gpg*|*ssl*|*ssl-self*> [*options*] : Wrapper to generate encryption key-pairs, useful for automated key deployment. -- cgit v1.2.3 From 7d5aea9198395255062c71f2695044a8f98fc891 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sat, 16 Nov 2013 14:07:39 -0200 Subject: Misc enhancements --- ChangeLog | 8 +++++++- lib/keyringer/actions/ls | 7 +++++-- lib/keyringer/completions/bash/keyringer | 10 +++++++--- lib/keyringer/completions/zsh/_keyringer | 3 +++ lib/keyringer/functions | 2 +- 5 files changed, 23 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index b55493d..d287171 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,10 @@ -2013-11-14 - Silvio Rhatto +2013-11-16 - Silvio Rhatto + + Shell completion enhancements. + + Fixing keyringer_has_action() to correctly handle "/" and ".". + + Action ls now supports leading slash ("/"). Support for encrypting a whole tree (closes #21) diff --git a/lib/keyringer/actions/ls b/lib/keyringer/actions/ls index ec8080b..61facc8 100755 --- a/lib/keyringer/actions/ls +++ b/lib/keyringer/actions/ls @@ -10,7 +10,10 @@ source "$LIB" || exit 1 # Aditional parameters CWD="`pwd`" -# Run list command +# Avoid trailing slash shift -cd "$KEYDIR" && ls $* +ARGS="`echo "$*" | sed -e "s|^/*||"`" + +# Run list command +cd "$KEYDIR" && ls $ARGS cd "$CWD" diff --git a/lib/keyringer/completions/bash/keyringer b/lib/keyringer/completions/bash/keyringer index 7bfa62f..88c85cf 100644 
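Review bot: Stripping leading slashes only neutralises absolute paths; `..` components still pass straight to `ls`, so `ls ../config/recipients` (or `../..`) lists directories outside the keys folder the action is documented to be confined to, and since `$ARGS` is unquoted any word beginning with `-` is taken as an ls option. The exposure is limited to the invoking user's own repository, so this is about keeping the action's contract honest rather than a privilege boundary. A one-line guard before the `cd` suffices: `case "/$ARGS/" in */../*) echo "Error: invalid path"; exit 1;; esac`. The trailing `cd "$CWD"` appears to be dead if the action runs as its own process, as the shebang on sibling actions suggests, but it is harmless.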
--- a/lib/keyringer/completions/bash/keyringer +++ b/lib/keyringer/completions/bash/keyringer @@ -46,11 +46,12 @@ _keyringer_git_complete() { function _keyringer_path_complete() { # Thanks http://unix.stackexchange.com/questions/55520/create-bash-completion-script-to-autocomplete-paths-after-is-equal-sign cur=${1//\\ / } - [[ ${cur} == "~/"* ]] && cur=${cur/\~/$HOME} + [[ ${cur} == "~"* ]] && cur=${cur/\~/$HOME} echo ${cur} } +# Main completion _keyringer() { # Standard stuff local cur prev command config path keyrings instances instance opts @@ -94,6 +95,7 @@ _keyringer() { opts="ls edit" ;; ls|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|recrypt|open) + cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid trailing slash opts="$(bash -c "set -f && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)" ;; genpair) @@ -104,7 +106,7 @@ _keyringer() { ;; init) cur="$(_keyringer_path_complete ${cur})" - opts="$(compgen -o dirnames ${cur})" + opts="`compgen -o default "${cur}"`" ;; *) ;; @@ -112,9 +114,11 @@ _keyringer() { elif [ "${#COMP_WORDS[@]}" == "5" ]; then case "${command}" in recipients) + cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid trailing slash opts="$(cd $path/config/recipients && ls --color=never -p ${cur}* 2> /dev/null)" ;; genpair) + cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid trailing slash opts="$(bash -c "set -f && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)" ;; git) @@ -123,7 +127,7 @@ _keyringer() { ;; encrypt|encrypt-batch) cur="$(_keyringer_path_complete ${cur})" - opts="$(compgen -o dirnames ${cur})" + opts="`compgen -o default "${cur}"`" ;; *) ;; diff --git a/lib/keyringer/completions/zsh/_keyringer b/lib/keyringer/completions/zsh/_keyringer index 50ff433..ac31879 100644 --- a/lib/keyringer/completions/zsh/_keyringer +++ b/lib/keyringer/completions/zsh/_keyringer 
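Review bot: Loosening the match from `"~/"*` to `"~"*` makes `${cur/\~/$HOME}` rewrite `~alice/keys` into `${HOME}alice/keys`, so completing a path under another user's home now produces a nonexistent path. Keep the original rule while still covering a bare tilde, `[[ ${cur} == "~" || ${cur} == "~/"* ]] && cur=${cur/\~/$HOME}`, and leave `~user` forms untouched rather than mangling them. _keyringer_path_complete is fully visible in the hunk; the callers that consume its output are in later hunks of this file.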
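Review bot: The freshly stripped `cur` is still spliced verbatim into the command string `bash -c "set -f && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*"`, so a word containing `$(…)`, backquotes or `;` is executed by the inner shell as a side effect of pressing Tab; the text comes from the user's own command line, so this is a foot-gun more than a privilege boundary, but a pasted word triggers it just the same. Pass the values as arguments instead: `opts="$(bash -c 'set -f; export KEYRINGER_CHECK_VERSION=false; keyringer "$1" ls -p -d "$2"*' _ "$instance" "$cur" 2> /dev/null)"` — with `set -f` the literal `*` still reaches the ls action as before. The new `cur="`echo ${cur} | sed -e "s|^/*||"`"` line has the same class of problem in miniature, since an unquoted `echo ${cur}` glob-expands `*` against the current directory; `printf '%s\n' "${cur}" | sed …` is safe. The same `bash -c` pattern recurs in the `genpair` branch of this file and in the zsh completion.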
@@ -51,6 +51,7 @@ _keyringer() { compadd "$@" ls edit ;; ls|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|recrypt|open) + words[4]="`echo $words[4] | sed -e "s|^/*||"`" # avoid trailing slash compadd "$@" $(KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[4]'*' 2> /dev/null) ;; genpair) @@ -69,9 +70,11 @@ _keyringer() { misc) case "$words[3]" in recipients) + words[5]="$(echo $words[5] | sed -e "s|^/||")" # TODO: avoid trailing slash compadd "$@" $(cd $keyring_path/config/recipients && ls --color=never -p $words[5]'*' 2> /dev/null) ;; genpair) + words[5]="$(echo $words[5] | sed -e "s|^/||")" # TODO: avoid trailing slash compadd "$@" $(KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[5]'*' 2> /dev/null) ;; git) diff --git a/lib/keyringer/functions b/lib/keyringer/functions index dd31676..7b96d6f 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -59,7 +59,7 @@ function keyringer_has_action { exit 1 fi - if [ -e "$ACTIONS/$1" ]; then + if [ -e "$ACTIONS/$1" ] && [ ! -d "$ACTIONS/$1" ]; then true else false -- cgit v1.2.3 From 41963ff0f4eccca14dd7a656a2ac8eb7beb2fd85 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 25 Nov 2013 22:04:56 -0200 Subject: Avoid bash arrays on append action (closes #26) --- lib/keyringer/actions/append | 28 +++++----------------------- 1 file changed, 5 insertions(+), 23 deletions(-) diff --git a/lib/keyringer/actions/append b/lib/keyringer/actions/append index e945bff..e307056 100755 --- a/lib/keyringer/actions/append +++ b/lib/keyringer/actions/append 
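Review bot: Excluding directories closes the `.` and `/` cases, but `$1` is still joined as `$ACTIONS/$1` with no restriction on path separators, so an action name such as `../functions` or `../../somefile` satisfies `-e` and `! -d` just as well; if keyringer_dispatch (outside this hunk) executes `$ACTIONS/$1` for any name that passes here, that runs an arbitrary file relative to the actions directory. Restrict the name to a single, non-hidden path component before the existence test: `case "$1" in ""|*/*|.*) return 1;; esac`. Testing `-x` instead of `-e` would additionally ensure the entry is something the dispatcher can actually run. The `rm -> del` symlink added later in this series still passes, since `-d` follows the link to a regular file.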
@@ -10,29 +10,11 @@ source "$LIB" || exit 1 # Get file keyringer_get_file "$2" -OLDIFS="$IFS" -IFS=$'\n' - -CONTENT=($(keyringer_exec decrypt "$BASEDIR" "$FILE")) - +# Only display directions if we're running append, not append-batch if [ "$BASENAME" == "append" ]; then - # only display directions if we're running append, not append-batch - printf "\n%s currently has %d lines\n\n" "$FILE" "${#CONTENT[@]}" - printf "Now please write the content to be appended on %s, finnishing with Ctrl-D:\n" "$FILE" -fi - -APPEND=($(cat -)) - -NEW=( ${CONTENT[@]} ${APPEND[@]} ) - -for element in $(seq 0 $((${#NEW[@]} - 1))); do - echo ${NEW[$element]} -done | keyringer_exec encrypt-batch $BASEDIR $FILE - -err="$?" - -if [ "$err" != "0" ]; then - exit "$err" + printf "Please write the content to be appended on %s, finnishing with Ctrl-D:\n" "$FILE" fi -IFS="$OLDIFS" +# Append content to an existing secret +( keyringer_exec decrypt "$BASEDIR" "$FILE" && cat ) | \ + keyringer_exec encrypt-batch $BASEDIR $FILE -- cgit v1.2.3 From 34c3eba0b22bc97bf3611294a3464c2d1510a007 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 25 Nov 2013 22:11:29 -0200 Subject: Temp folder priority set to "$TMPDIR $TMP /tmpĀ /run/shm" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- lib/keyringer/functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 7b96d6f..828cb31 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -144,7 +144,7 @@ function keyringer_check_tmp { function keyringer_set_tmpfile { local tmp local candidate - local candidates="/tmp /run/shm $TMP" + local candidates="$TMPDIR $TMP /tmp /run/shm" if [ -z "$BASEDIR" ]; then echo "Please set BASEDIR before creating a tmp file" -- cgit v1.2.3 From 5c958eb741dd5c51495c48ef861ef03e107b18f1 Mon Sep 17 00:00:00 2001 
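Review bot: A decrypt failure now truncates the secret instead of aborting: in `( keyringer_exec decrypt "$BASEDIR" "$FILE" && cat )`, when decrypt fails `cat` is skipped, the subshell closes the pipe, and encrypt-batch re-encrypts whatever partial output was produced — possibly nothing — over the original with gpg's `--yes`; the pipeline's status is encrypt-batch's, so the removed `err` check would not have caught this either. Decrypt first and check before touching the file: `CONTENT="$(keyringer_exec decrypt "$BASEDIR" "$FILE")" || exit 1` and then `( printf '%s\n' "$CONTENT"; cat ) | keyringer_exec encrypt-batch "$BASEDIR" "$FILE"`. Holding the plaintext in a shell variable is what the removed array code already did, so the exposure is unchanged, and `printf '%s\n'` restores the trailing newline that command substitution strips for a non-empty secret. Quoting `$BASEDIR` and `$FILE` in the encrypt-batch call, as the decrypt call already does, is worth doing while here.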
From: Silvio Rhatto Date: Mon, 25 Nov 2013 22:19:46 -0200 Subject: Typo: 'trailing slash' was meant to be 'leading slash' --- lib/keyringer/actions/ls | 2 +- lib/keyringer/completions/bash/keyringer | 6 +++--- lib/keyringer/completions/zsh/_keyringer | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/lib/keyringer/actions/ls b/lib/keyringer/actions/ls index 61facc8..bb66263 100755 --- a/lib/keyringer/actions/ls +++ b/lib/keyringer/actions/ls @@ -10,7 +10,7 @@ source "$LIB" || exit 1 # Aditional parameters CWD="`pwd`" -# Avoid trailing slash +# Avoid leading slash shift ARGS="`echo "$*" | sed -e "s|^/*||"`" diff --git a/lib/keyringer/completions/bash/keyringer b/lib/keyringer/completions/bash/keyringer index 88c85cf..bbd49f5 100644 --- a/lib/keyringer/completions/bash/keyringer +++ b/lib/keyringer/completions/bash/keyringer @@ -95,7 +95,7 @@ _keyringer() { opts="ls edit" ;; ls|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|recrypt|open) - cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid trailing slash + cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash opts="$(bash -c "set -f && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)" ;; genpair) @@ -114,11 +114,11 @@ _keyringer() { elif [ "${#COMP_WORDS[@]}" == "5" ]; then case "${command}" in recipients) - cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid trailing slash + cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash opts="$(cd $path/config/recipients && ls --color=never -p ${cur}* 2> /dev/null)" ;; genpair) - cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid trailing slash + cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash opts="$(bash -c "set -f && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)" ;; git) diff --git a/lib/keyringer/completions/zsh/_keyringer b/lib/keyringer/completions/zsh/_keyringer index ac31879..5d0a64c 100644 
--- a/lib/keyringer/completions/zsh/_keyringer +++ b/lib/keyringer/completions/zsh/_keyringer @@ -51,7 +51,7 @@ _keyringer() { compadd "$@" ls edit ;; ls|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|recrypt|open) - words[4]="`echo $words[4] | sed -e "s|^/*||"`" # avoid trailing slash + words[4]="`echo $words[4] | sed -e "s|^/*||"`" # avoid leading slash compadd "$@" $(KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[4]'*' 2> /dev/null) ;; genpair) @@ -70,11 +70,11 @@ _keyringer() { misc) case "$words[3]" in recipients) - words[5]="$(echo $words[5] | sed -e "s|^/||")" # TODO: avoid trailing slash + words[5]="$(echo $words[5] | sed -e "s|^/||")" # TODO: avoid leading slash compadd "$@" $(cd $keyring_path/config/recipients && ls --color=never -p $words[5]'*' 2> /dev/null) ;; genpair) - words[5]="$(echo $words[5] | sed -e "s|^/||")" # TODO: avoid trailing slash + words[5]="$(echo $words[5] | sed -e "s|^/||")" # TODO: avoid leading slash compadd "$@" $(KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[5]'*' 2> /dev/null) ;; git) -- cgit v1.2.3 From 1297148b7c48f8c9c6677c133ad8b22cd6572c0e Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 25 Nov 2013 22:58:20 -0200 Subject: Fix manpage formatting at 'recipients' action --- share/man/keyringer.1 | 64 ++++++++++++++++++++++++---------------------- share/man/keyringer.1.mdwn | 2 +- 2 files changed, 35 insertions(+), 31 deletions(-) diff --git a/share/man/keyringer.1 b/share/man/keyringer.1 index 99a49bc..35755ae 100644 --- a/share/man/keyringer.1 +++ b/share/man/keyringer.1 
@@ -113,11 +113,15 @@ variable and then re-encrypting it. Encrypts content from standard input or \f[I]file\f[] into \f[I]secret\f[] pathname. No spaces are supported in the \f[I]secret\f[] name. +If \f[I]file\f[] is actually a folder, keyringer will recursivelly +encrypt all it\[aq]s contents. .RS .RE .TP -.B encrypt-batch <\f[I]secret\f[]> +.B encrypt-batch <\f[I]secret\f[]> [\f[I]file\f[]] Encrypt content, batch mode. +Behavior is identical to \f[I]encrypt\f[] action, but less verbose. +Useful inside scripts. .RS .RE .TP 
@@ -193,41 +197,41 @@ aliases. .PP Keyringer uses a default recipients file, but specifying a custom \f[I]recipients-file\f[] pathname will override this default. +.PP For instance, if a user encrypts a secret to a file in the keyring repository\[aq]s \f[I]accounting\f[] folder, a \f[I]recipients-file\f[] under \f[I]accounting\f[] will be used. Encrypting a secret into \f[I]accounting/bank-accounts\f[] will result -in a file +in a file \f[C]$KEYRING_FOLDER/keys/accounting/bank-accounts.asc\f[] +encrypted using the public keys listed in the config +file\f[C]$KEYRING_FOLDER/config/recipients/accounting\f[]. +.PP +Each line in a recipients file has entries in the format +\[aq]john\@doe.com XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\[aq], where +\f[I]john\@doe.com\f[] is an alias for the GPG public key whose +fingerprint is \f[I]XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.\f[] +.PP +All lines starting with the hash (#) character are interpreted as +comments. +.PP +Parameters to the \f[I]recipients\f[] action are: +.TP +.B \f[I]ls\f[] +List all existing recipients files. +.RS .RE +.TP +.B \f[I]edit\f[] +Create or edit a recipients file. +.RS .PP -\f[C]$KEYRING_FOLDER/keys/accounting/bank-accounts.asc\f[] encrypted -using the public keys listed in the config -file\f[C]$KEYRING_FOLDER/config/recipients/accounting\f[]. -.IP -.nf -\f[C] -Each\ line\ in\ a\ recipients\ file\ has\ entries\ in\ the\ format -\[aq]john\@doe.com\ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\[aq],\ where\ *john\@doe.com* -is\ an\ alias\ for\ the\ GPG\ public\ key\ whose\ fingerprint\ is -*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.* - -All\ lines\ starting\ with\ the\ hash\ (#)\ character\ are\ interpreted\ as\ comments. - -Parameters\ to\ the\ *recipients*\ action\ are: - -\ \ *ls* -\ \ :\ \ \ List\ all\ existing\ recipients\ files. - -\ \ *edit* -\ \ :\ \ \ Create\ or\ edit\ a\ recipients\ file. 
- -\ \ \ \ \ \ Editing\ happens\ using\ the\ editor\ specified\ by\ the\ `$EDITOR` -\ \ \ \ \ \ environment\ variable. - -\ \ \ \ \ \ The\ required\ parameter\ *recipients-file*\ is\ interpreted\ relative -\ \ \ \ \ \ to\ the\ `$KEYRING_FOLDER/config/recipients/`\ folder. -\f[] -.fi +Editing happens using the editor specified by the \f[C]$EDITOR\f[] +environment variable. +.PP +The required parameter \f[I]recipients-file\f[] is interpreted relative +to the \f[C]$KEYRING_FOLDER/config/recipients/\f[] folder. +.RE +.RE .SH FILES .PP $HOME/.keyringer/config : User\[aq]s main configuration file used to map diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn index 876f774..d2156d8 100644 --- a/share/man/keyringer.1.mdwn +++ b/share/man/keyringer.1.mdwn @@ -155,7 +155,7 @@ recipients <*ls*|*edit*> <*recipients-file*> For instance, if a user encrypts a secret to a file in the keyring repository's *accounting* folder, a *recipients-file* under *accounting* will be used. Encrypting a secret into *accounting/bank-accounts* will result in a file - `$KEYRING_FOLDER/keys/accounting/bank-accounts.asc` encrypted using the public + `$KEYRING_FOLDER/keys/accounting/bank-accounts.asc` encrypted using the public keys listed in the config file`$KEYRING_FOLDER/config/recipients/accounting`. Each line in a recipients file has entries in the format -- cgit v1.2.3 From c7a382d0694d9333ac4221d5158f3fc7763f2452 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 25 Nov 2013 23:07:14 -0200 Subject: Document ramdisk check and fix typ0 at keyringer_check_tmp --- lib/keyringer/functions | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 828cb31..8bad9ed 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions 
@@ -114,7 +114,7 @@ function keyringer_is_git { # Check the security of a temporary folder function keyringer_check_tmp { local path="$1" - local minor + local major local mode if [ -z "$path" ]; then @@ -127,14 +127,16 @@ function keyringer_check_tmp { fi # Ramdisk check + # Non-device mounts have major number "0", see + # https://www.kernel.org/doc/Documentation/devices.txt if [ -x "/sbin/udevadm" ]; then - minor="$(/sbin/udevadm info --device-id-of-file "$path" | cut -d : -f 1)" + major="$(/sbin/udevadm info --device-id-of-file "$path" | cut -d : -f 1)" elif which mountpoint &> /dev/null; then - minor="$(mountpoint -d $(df "$path" | sed -n '$p' | awk '{print $NF}') | cut -d : -f 1)" + major="$(mountpoint -d $(df "$path" | sed -n '$p' | awk '{print $NF}') | cut -d : -f 1)" fi - if [ ! -z "$minor" ]; then - return $minor + if [ ! -z "$major" ]; then + return $major else return 1 fi -- cgit v1.2.3 From 6f768ce30e5218ca983178a73cf1d0c90c922e75 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 25 Nov 2013 23:11:31 -0200 Subject: ChangeLog update --- ChangeLog | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index d287171..d4f6ab0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,12 @@ -2013-11-16 - Silvio Rhatto +2013-11-25 - Silvio Rhatto + + Fixed minor typos + + Man page update + + Temp folder priority set to "$TMPDIR $TMP /tmpĀ /run/shm" + + Avoid bash arrays on append action (closes #26) Shell completion enhancements. -- cgit v1.2.3 From ef014f585c83958488f8349feba9c3eefbf2f419 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 26 Nov 2013 12:26:33 -0200 Subject: Better mode check on keyringer_check_tmp (closes #30) --- lib/keyringer/functions | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 8bad9ed..667b0cd 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions 
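Review bot: `return $major` folds the device major number into an 8-bit exit status, so any major that is a multiple of 256 reads as 0 and passes the "ramdisk" test; compare the string instead, `[ "$major" = "0" ]`. More importantly, major 0 is the kernel's anonymous-device range, which as far as I know is also used by NFS, FUSE mounts and btrfs subvolumes, so a temp directory on one of those is accepted as a ramdisk and the plaintext is written to disk or the network. The major-number test therefore needs to be combined with a filesystem-type check (for example `stat -f -c %T "$path"` reporting `tmpfs`), which is worth noting in the comment that cites devices.txt.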
@@ -115,14 +115,9 @@ function keyringer_is_git { function keyringer_check_tmp { local path="$1" local major - local mode - - if [ -z "$path" ]; then - return - fi # Mode check - if [ "`stat -c "%A" $path`" != "drwxrwxrwt" ]; then + if [ -z "$path" ] || [ ! -d "$path" ] || [ ! -w "$path" ] || [ ! -x "$path" ]; then return 1 fi -- cgit v1.2.3 From 812ab3dc1031f34dc001339f2cb9864fd7c09a70 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 26 Nov 2013 13:02:58 -0200 Subject: Simpler ramdisk/tmpfs check at keyringer_check_tmp --- lib/keyringer/functions | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 667b0cd..a278caf 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -114,7 +114,7 @@ function keyringer_is_git { # Check the security of a temporary folder function keyringer_check_tmp { local path="$1" - local major + local mount # Mode check if [ -z "$path" ] || [ ! -d "$path" ] || [ ! -w "$path" ] || [ ! -x "$path" ]; then @@ -122,19 +122,9 @@ function keyringer_check_tmp { fi # Ramdisk check - # Non-device mounts have major number "0", see - # https://www.kernel.org/doc/Documentation/devices.txt - if [ -x "/sbin/udevadm" ]; then - major="$(/sbin/udevadm info --device-id-of-file "$path" | cut -d : -f 1)" - elif which mountpoint &> /dev/null; then - major="$(mountpoint -d $(df "$path" | sed -n '$p' | awk '{print $NF}') | cut -d : -f 1)" - fi - - if [ ! -z "$major" ]; then - return $major - else - return 1 - fi + mount="`df "$path" | sed -n '$p' | awk '{ print $NF }'`" + mount -l -t tmpfs | awk '{ print $3 }' | grep -q -e "^$mount$"; + return $? } # Setup a temporary file -- cgit v1.2.3 From 5ec8ec353ecd15b3d71479d2fcca3346059f955c Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 26 Nov 2013 13:14:17 -0200 Subject: Pass options to git-rm at del action --- lib/keyringer/actions/del | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
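Review bot: Dropping the `drwxrwxrwt` comparison removes the only check that a shared temp directory is sticky: `-d -w -x` is satisfied by any world-writable directory without `+t`, where another local user can rename or delete the plaintext temp file between creation and use (mktemp's random name prevents pre-creation, not removal or replacement of the entry). Require the directory to be either sticky or owned by the caller, `if [ ! -k "$path" ] && [ ! -O "$path" ]; then return 1; fi` — both are test builtins, so the portability gain over `stat -c` is kept. Turning the empty-`$path` case from a silent success into `return 1` looks like the intended fix for #30 and is correct.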
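Review bot: `$mount` is used as an unescaped regex in `grep -q -e "^$mount$"`, so a mount point containing `.` matches more than itself and one with `+`, `[` or `\` may not match at all; use a fixed whole-line match, `grep -qxF -- "$mount"`. The check also accepts only what `mount -l -t tmpfs` (a GNU-specific flag) reports as tmpfs, so ramfs is rejected, and a tmpfs that does match is still swap-backed — plaintext written there can reach disk unless swap is disabled or encrypted, which is worth stating in the man page's security notes rather than letting "ramdisk" imply never-on-disk. A mount point containing spaces would also defeat the `awk '{ print $3 }'` parse, though that is an unusual setup.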
diff --git a/lib/keyringer/actions/del b/lib/keyringer/actions/del index babd212..d160ac4 100755 --- a/lib/keyringer/actions/del +++ b/lib/keyringer/actions/del @@ -10,7 +10,13 @@ source "$LIB" || exit 1 # Get file keyringer_get_file "$2" +# Set options +if [ ! -z "$3" ]; then + shift 2 + OPTS="$*" +fi + # Remove if [ -d "$BASEDIR/.git" ]; then - keyringer_exec git "$BASEDIR" rm "keys/$FILE" + keyringer_exec git "$BASEDIR" rm $OPTS "keys/$FILE" fi -- cgit v1.2.3 From 4cf8a17cfbe2a0b2af659f4b75d16e746d976ab6 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 26 Nov 2013 13:29:41 -0200 Subject: Set .gitignore during initialization and when using tmp inside the repository --- keyringer | 1 + lib/keyringer/functions | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/keyringer b/keyringer index bdb1f6c..922f490 100755 --- a/keyringer +++ b/keyringer @@ -90,6 +90,7 @@ function keyringer_init { # Init if ! keyringer_is_git "$BASEDIR"; then keyringer_exec git "$BASEDIR" init + keyringer_git_ignore 'tmp/*' # Edit default recipients echo "Now you have to edit the default recipient configuration to be able to encrypt secrets." diff --git a/lib/keyringer/functions b/lib/keyringer/functions index a278caf..53afd1d 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -153,6 +153,9 @@ function keyringer_set_tmpfile { echo "Press any key to continue, Ctrl-C to abort" read key tmp="$BASEDIR/tmp" + + # Just to be sure + keyringer_git_ignore 'tmp/*' fi # Determine template @@ -163,7 +166,6 @@ function keyringer_set_tmpfile { fi mkdir -p "$tmp" - keyringer_git_ignore 'tmp/*' if [ "$2" == "-d" ]; then TMPWORK="$(mktemp -d "$template")" -- cgit v1.2.3 From 00dbdc632128a719de9adfab62ba7380620dd964 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 26 Nov 2013 13:31:37 -0200 Subject: ChangeLog update --- ChangeLog | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index d4f6ab0..9fe7aa5 100644 
--- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,12 @@ -2013-11-25 - Silvio Rhatto +2013-11-26 - Silvio Rhatto + + Set .gitignore during initialization and when using tmp inside the repository + + Pass options to git-rm at del action + + Simpler ramdisk/tmpfs check at keyringer_check_tmp + + Better mode check on keyringer_check_tmp (closes #30) Fixed minor typos -- cgit v1.2.3 From 9594510d81e582327b70ab62c9214d5c3cdc41b8 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 26 Nov 2013 13:51:03 -0200 Subject: Adding 'release' Makefile target for a cleaner workflow --- Makefile | 8 ++++++++ development.mdwn | 20 ++------------------ 2 files changed, 10 insertions(+), 18 deletions(-) diff --git a/Makefile b/Makefile index 8ec01c2..360bd29 100644 --- a/Makefile +++ b/Makefile @@ -52,3 +52,11 @@ build_man: tarball: git archive --prefix=keyringer-$(VERSION)/ --format=tar HEAD | bzip2 >../tarballs/keyringer-$(VERSION).tar.bz2 + +release: + @make build_man + git commit -a -m "Keyringer $(VERSION)" + git tag -s $(VERSION) -m "Keyringer $(VERSION)" + @make tarball + gpg --armor --detach-sign --output ../tarballs/keyringer-$(VERSION).tar.bz2.asc ../tarballs/keyringer-$(VERSION).tar.bz2 + scp ../tarballs/keyringer-$(VERSION).tar.bz2* keyringer:/var/sites/keyringer/releases/ diff --git a/development.mdwn b/development.mdwn index cfedb4b..3400643 100644 --- a/development.mdwn +++ b/development.mdwn 
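Review bot: `git commit -a` sweeps every modified tracked file into the release commit, so a stray local edit ships under the signed tag and the signed tarball without anyone looking at it; committing only the files the documented workflow edits, `git commit -m "Keyringer $(VERSION)" keyringer ChangeLog share/man/keyringer.1`, makes the release commit reviewable. Nothing verifies that `$(VERSION)` (defined outside this hunk) matches `KEYRINGER_VERSION` in the script before tagging, which the removed development.mdwn steps did implicitly by deriving it from `./keyringer`; a `test "$$(./keyringer | head -n 1 | cut -d ' ' -f 2)" = "$(VERSION)"` line at the top of the recipe closes that gap. Since make stops on the first failing recipe line, a failed `git tag -s` correctly prevents the `scp`, which is the right order.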
@@ -48,27 +48,11 @@ Prepare the source code: $EDITOR keyringer # and update KEYRINGER_VERSION $EDITOR ChangeLog - make build_man - -Commit and tag a release: - VERSION="`./keyringer | head -n 1 | cut -d ' ' -f 2`" - git commit -a -m "Keyringer $VERSION" - git tag -s $VERSION -m "Keyringer $VERSION" - -Create a release file: - - make tarball - -Sign the release ([see backupninja development guidelines](https://labs.riseup.net/code/projects/backupninja/wiki/Release)): - - cd ../tarballs - gpg --armor --detach-sign keyringer-$VERSION.tar.bz2 -Upload the release: +Create and upload a new release: - scp keyringer-$VERSION.tar.bz2* keyringer:/var/sites/keyringer/releases/ - cd - + make release Update the debian branch: -- cgit v1.2.3 From f8641707496199e65eb37384791ff362d7710c72 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 26 Nov 2013 14:09:20 -0200 Subject: Cleanup at keyringer_check_tmp --- lib/keyringer/functions | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 53afd1d..bef00d9 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -123,8 +123,7 @@ function keyringer_check_tmp { # Ramdisk check mount="`df "$path" | sed -n '$p' | awk '{ print $NF }'`" - mount -l -t tmpfs | awk '{ print $3 }' | grep -q -e "^$mount$"; - return $? + mount -l -t tmpfs | awk '{ print $3 }' | grep -q -e "^$mount$" } # Setup a temporary file -- cgit v1.2.3 From 17bfa3c574c8a44614053410edf06791cb432dbc Mon Sep 17 00:00:00 2001 
From: Silvio Rhatto Date: Tue, 26 Nov 2013 16:18:55 -0200 Subject: New actions: tree and rm (alias for del) --- ChangeLog | 4 ++++ lib/keyringer/actions/rm | 1 + lib/keyringer/actions/tree | 19 +++++++++++++++++++ lib/keyringer/completions/bash/keyringer | 2 +- lib/keyringer/completions/zsh/_keyringer | 2 +- share/man/keyringer.1.mdwn | 8 ++++++++ 6 files changed, 34 insertions(+), 2 deletions(-) create mode 120000 lib/keyringer/actions/rm create mode 100755 lib/keyringer/actions/tree diff --git a/ChangeLog b/ChangeLog index 9fe7aa5..343d7d6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,9 @@ 2013-11-26 - Silvio Rhatto + Added 'tree' action + + Added 'rm' alias to 'del' action + Set .gitignore during initialization and when using tmp inside the repository Pass options to git-rm at del action diff --git a/lib/keyringer/actions/rm b/lib/keyringer/actions/rm new file mode 120000 index 0000000..1a7ac23 --- /dev/null +++ b/lib/keyringer/actions/rm @@ -0,0 +1 @@ +del \ No newline at end of file diff --git a/lib/keyringer/actions/tree b/lib/keyringer/actions/tree new file mode 100755 index 0000000..2033abd --- /dev/null +++ b/lib/keyringer/actions/tree @@ -0,0 +1,19 @@ +#!/bin/bash +# +# List keys. +# + +# Load functions +LIB="`dirname $0`/../functions" +source "$LIB" || exit 1 + +# Aditional parameters +CWD="`pwd`" + +# Avoid leading slash +shift +ARGS="`echo "$*" | sed -e "s|^/*||"`" + +# Run list command +cd "$KEYDIR" && tree $ARGS +cd "$CWD" diff --git a/lib/keyringer/completions/bash/keyringer b/lib/keyringer/completions/bash/keyringer index bbd49f5..eeda27f 100644 --- a/lib/keyringer/completions/bash/keyringer +++ b/lib/keyringer/completions/bash/keyringer 
@@ -94,7 +94,7 @@ _keyringer() { recipients) opts="ls edit" ;; - ls|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|recrypt|open) + ls|tree|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open) cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash opts="$(bash -c "set -f && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)" ;; diff --git a/lib/keyringer/completions/zsh/_keyringer b/lib/keyringer/completions/zsh/_keyringer index 5d0a64c..5717b00 100644 --- a/lib/keyringer/completions/zsh/_keyringer +++ b/lib/keyringer/completions/zsh/_keyringer @@ -50,7 +50,7 @@ _keyringer() { recipients) compadd "$@" ls edit ;; - ls|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|recrypt|open) + ls|tree|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open) words[4]="`echo $words[4] | sed -e "s|^/*||"`" # avoid leading slash compadd "$@" $(KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[4]'*' 2> /dev/null) ;; diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn index d2156d8..d4b71e3 100644 --- a/share/man/keyringer.1.mdwn +++ b/share/man/keyringer.1.mdwn @@ -56,6 +56,11 @@ ls <*path*> if *path* is specified. Like the git wrapper, this is a wrapper around the *LS(1)* command. +tree <*path*> +: List contents from the toplevel repository *keys* folder or from relative paths + if *path* is specified using a tree-like format. Like the ls wrapper, this is a + wrapper around the *TREE(1)* command. + # SECRET MANIPULATION ACTIONS All secret manipulation actions operate upon a *secret* which is the pathname 
@@ -88,6 +93,9 @@ del <*secret*> To completely remove a file from a keyring, you should also rewrite the Git history yourself. +rm <*secret*> +: Alias for *del* action. + edit <*secret*> : Edit a secret by temporarily decrypting it, opening the decrypted copy into the text editor defined by the *$EDITOR* environment variable and then re-encrypting it. -- cgit v1.2.3 From b7fc52ce27c4c415c322b0b0ed8eee296cfa47ee Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 26 Nov 2013 16:27:56 -0200 Subject: Builtin implementation for 'tree' action --- lib/keyringer/actions/tree | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/lib/keyringer/actions/tree b/lib/keyringer/actions/tree index 2033abd..8e94cb0 100755 --- a/lib/keyringer/actions/tree +++ b/lib/keyringer/actions/tree @@ -3,6 +3,11 @@ # List keys. # +# Thanks http://www.centerkey.com/tree/ +function keyringer_tree { + ls -R $* | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/' +} + # Load functions LIB="`dirname $0`/../functions" source "$LIB" || exit 1 @@ -14,6 +19,13 @@ CWD="`pwd`" shift ARGS="`echo "$*" | sed -e "s|^/*||"`" +# Check implementation +if which tree &> /dev/null; then + TREE="tree" +else + TREE="keyringer_tree" +fi + # Run list command -cd "$KEYDIR" && tree $ARGS +cd "$KEYDIR" && $TREE $ARGS cd "$CWD" -- cgit v1.2.3 From 0358ba548d9d3aaaeb23984e092318522238bca9 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 26 Nov 2013 16:52:09 -0200 Subject: Keyringer 0.2.9 --- ChangeLog | 2 +- keyringer | 2 +- share/man/keyringer.1 | 13 +++++++++++++ 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 343d7d6..9cc7bb2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,4 @@ -2013-11-26 - Silvio Rhatto +2013-11-26 - 0.2.9 Silvio Rhatto Added 'tree' action diff --git a/keyringer b/keyringer index 922f490..11b8aa1 100755 --- a/keyringer +++ b/keyringer 
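Review bot: `keyringer_tree` runs `ls -R $*` unquoted, so the fallback inherits the word-splitting and option-parsing problems of the caller's `$ARGS`; `ls -R -- "$@" | grep ":$" | …` keeps each argument intact. The detection in the second hunk uses `which tree &> /dev/null`, an external command whose exit status is not meaningful on some platforms; the builtin `if command -v tree >/dev/null 2>&1; then` is the portable form. The sed chain treats every `ls -R` line ending in `:` as a directory header, so a file whose name ends with a colon is rendered as a level of the tree; a short comment on the function should say so, e.g. `# Fallback when tree(1) is absent: approximates its layout from ls -R; names ending in ':' are misread as directory headers`.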
@@ -120,7 +120,7 @@ function keyringer_dispatch { # Config NAME="keyringer" -KEYRINGER_VERSION="0.2.8" +KEYRINGER_VERSION="0.2.9" CONFIG_VERSION="0.1" CONFIG_BASE="$HOME/.$NAME" CONFIG="$CONFIG_BASE/config" diff --git a/share/man/keyringer.1 b/share/man/keyringer.1 index 35755ae..c0fed1c 100644 --- a/share/man/keyringer.1 +++ b/share/man/keyringer.1 @@ -59,6 +59,14 @@ Like the git wrapper, this is a wrapper around the \f[I]LS(1)\f[] command. .RS .RE +.TP +.B tree <\f[I]path\f[]> +List contents from the toplevel repository \f[I]keys\f[] folder or from +relative paths if \f[I]path\f[] is specified using a tree-like format. +Like the ls wrapper, this is a wrapper around the \f[I]TREE(1)\f[] +command. +.RS +.RE .SH SECRET MANIPULATION ACTIONS .PP All secret manipulation actions operate upon a \f[I]secret\f[] which is @@ -102,6 +110,11 @@ Git history.\f[] To completely remove a file from a keyring, you should also rewrite the Git history yourself. .RE .TP +.B rm <\f[I]secret\f[]> +Alias for \f[I]del\f[] action. +.RS +.RE +.TP .B edit <\f[I]secret\f[]> Edit a secret by temporarily decrypting it, opening the decrypted copy into the text editor defined by the \f[I]$EDITOR\f[] environment -- cgit v1.2.3
