From f81d160290440bde9b67ab5f4f5d36f9e0eba1b4 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 17 Nov 2016 11:38:07 -0200 Subject: Updates dev docs --- development.mdwn | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/development.mdwn b/development.mdwn index 3a1ed34..26d8d73 100644 --- a/development.mdwn +++ b/development.mdwn @@ -53,6 +53,10 @@ Then go back to the develop branch: git checkout develop +Cleanup symlink: + + rm ../keyringer_$VERSION.orig.tar.bz2 + Notes: * `git-import-orig` takes care of running `pristine-tar commit`, of merging of the tag and orig tarball into the upstream branch, and then it merges the result into the debian branch. With the above configuration, it also runs git-dch to do the bulk of the work in `debian/changelog`. -- cgit v1.2.3 From c763dea94d8884b6bb54b94b44b987853aafa87f Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 17 Nov 2016 11:38:51 -0200 Subject: Updates dev docs --- development.mdwn | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/development.mdwn b/development.mdwn index 26d8d73..2349c84 100644 --- a/development.mdwn +++ b/development.mdwn @@ -49,9 +49,10 @@ Run lintian (or [add it to your pbuilder hooks](http://askubuntu.com/questions/1 lintian --info --display-info --pedantic --color auto build-area/keyringer_$VERSION*.changes -Then go back to the develop branch: +Then go back to the develop branch and push everything: git checkout develop + git push --all Cleanup symlink: -- cgit v1.2.3 From 2a702bb52842229d8d3e1ad010c92ad810feee15 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 19 Dec 2016 12:02:48 -0200 Subject: Fixes sclip and adds XDOTOOL_NEXT_WINDOW config --- lib/keyringer/actions/sclip | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/lib/keyringer/actions/sclip b/lib/keyringer/actions/sclip index e4c88fa..a941fd0 100755 --- a/lib/keyringer/actions/sclip +++ b/lib/keyringer/actions/sclip 
@@ -11,13 +11,18 @@ source "$LIB" || exit 1 shift keyringer $KEYRING xclip $* +# Se window switch combo +if [ -z "$XDOTOOL_NEXT_WINDOW" ]; then + XDOTOOL_NEXT_WINDOW="alt+Tab" +fi + # Move to the next window if which xdotool &> /dev/null; then - xdotool key alt+Tab + xdotool key $XDOTOOL_NEXT_WINDOW fi # Sleep sleep 5 # Overwrite clipboard -cat $RANDOM | sha256sum | base64 -d | xclip +echo $RANDOM | sha256sum | base64 -d | xclip -- cgit v1.2.3 From 85c61ed6857676f4ca259ff73845f3d3c6dab7d2 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 19 Dec 2016 12:03:09 -0200 Subject: Do not quote around EDITOR --- lib/keyringer/actions/preferences | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/keyringer/actions/preferences b/lib/keyringer/actions/preferences index 6e36ef4..ffabc4c 100755 --- a/lib/keyringer/actions/preferences +++ b/lib/keyringer/actions/preferences @@ -30,7 +30,7 @@ fi if [ "$COMMAND" == "ls" ]; then cat "$PREFERENCES" elif [ "$COMMAND" == "edit" ]; then - "$EDITOR" "$PREFERENCES" + $EDITOR "$PREFERENCES" elif [ "$COMMAND" == "add" ]; then shift 2 [[ -n $* ]] && echo $* >> "$PREFERENCES" -- cgit v1.2.3 From e3273d8ead6ee0da307097febeb27a38e8cc3593 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 19 Dec 2016 12:05:53 -0200 Subject: Adds pwgen action --- lib/keyringer/actions/pwgen | 35 ++++++++++++++++++++++++++++++++ lib/keyringer/completions/bash/keyringer | 4 ++-- lib/keyringer/completions/zsh/_keyringer | 4 ++-- share/man/keyringer.1.mdwn | 10 +++++++++ 4 files changed, 49 insertions(+), 4 deletions(-) create mode 100755 lib/keyringer/actions/pwgen diff --git a/lib/keyringer/actions/pwgen b/lib/keyringer/actions/pwgen new file mode 100755 index 0000000..45d2bf9 --- /dev/null +++ b/lib/keyringer/actions/pwgen 
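Review bot: `xdotool key $XDOTOOL_NEXT_WINDOW` expands the new setting unquoted, so a value containing whitespace or glob characters is word-split or globbed before xdotool sees it; quote it, `xdotool key "$XDOTOOL_NEXT_WINDOW"`. The default block can collapse to `XDOTOOL_NEXT_WINDOW="${XDOTOOL_NEXT_WINDOW:-alt+Tab}"`, and the comment above it reads `# Se window switch combo` where `# Set window switch combo` is presumably intended. The overwrite line feeds the hex digest printed by sha256sum into `base64 -d`, which is not valid base64 input and will decode to garbage or an error; the later commit bcf239c on this page changes that line.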
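Review bot: Dropping the quotes lets `$EDITOR` carry a command plus flags, but the unquoted expansion is also glob-expanded and, when EDITOR is empty or unset, the line degenerates to executing `"$PREFERENCES"` itself with a confusing failure. Guard the variable so the empty case fails with a clear message, `${EDITOR:?EDITOR is not set} "$PREFERENCES"`. The word-splitting is the intended effect here, so the remaining caveat is only that a value with glob characters is expanded; a one-line comment such as `# intentionally unquoted: EDITOR may hold flags` would record why this differs from the quoted style used elsewhere in the file.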
@@ -0,0 +1,35 @@ +#!/usr/bin/env bash +# +# Generates passphrases. +# + +# Load functions +LIB="`dirname $0`/../functions" +source "$LIB" || exit 1 + +# Parameters +SIZE="$3" +FILE="$2" + +# Generates a random passphrase +function keyringer_pwgen { + ENTROPY_BYTES=${1:-20} # in bytes + ENTROPY_SOURCE="${ENTROPY_SOURCE:-/dev/urandom}" + + # Strip possible newlines if output is wrapped. + # Also strip trailing = signs as they add nothing to the password's entropy. + head -c $ENTROPY_BYTES $ENTROPY_SOURCE | base64 | tr -d '\n=' + echo +} + +# Check +if [ -z "$FILE" ]; then + echo "Usage: keyringer $BASENAME [size]" + exit 1 +elif [ ! -z "$SIZE" ] && ! echo $SIZE | egrep -q '^[0-9]+$'; then + echo "$SIZE is not a number" + exit 1 +fi + +# Encrypt and store a randomly-generated secret +keyringer_pwgen $SIZE | keyringer_exec encrypt "$BASEDIR" "$FILE" diff --git a/lib/keyringer/completions/bash/keyringer b/lib/keyringer/completions/bash/keyringer index ccc8fb9..10b852e 100644 --- a/lib/keyringer/completions/bash/keyringer +++ b/lib/keyringer/completions/bash/keyringer @@ -93,7 +93,7 @@ _keyringer() { recipients) opts="ls edit" ;; - ls|tree|mkdir|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open|clip|xclip|sclip|find|mv|cp) + ls|tree|mkdir|encrypt|encrypt-batch|pwgen|decrypt|edit|append|append-batch|del|rm|recrypt|open|clip|xclip|sclip|find|mv|cp) cur="`echo ${cur} | sed -e "s|^/*||"`" # avoid leading slash opts="$(bash -c "set -f && export KEYRINGER_CHECK_RECIPIENTS=false && export KEYRINGER_CHECK_VERSION=false && keyringer $instance ls -p -d ${cur}*" 2> /dev/null)" ;; @@ -128,7 +128,7 @@ _keyringer() { # TODO opts="$(_keyringer_git_complete ${prev} ${cur})" ;; - encrypt|encrypt-batch) + encrypt|encrypt-batch|pwgen) cur="$(_keyringer_path_complete ${cur})" opts="`compgen -o default "${cur}"`" ;; diff --git a/lib/keyringer/completions/zsh/_keyringer b/lib/keyringer/completions/zsh/_keyringer index ff74933..7562352 100644 
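Review bot: keyringer_pwgen cannot fail: when `head -c` cannot read `$ENTROPY_SOURCE`, or when `SIZE` is `0` (accepted by the `^[0-9]+$` check), the pipeline emits nothing but the trailing `echo` still prints a newline, and the last line of the file pipes that empty line into `keyringer_exec encrypt`, so an empty secret is stored with exit status 0. Capture the generated value, fail when it is empty and check the status before encrypting; the rewrite below does that. `ENTROPY_BYTES` is also assigned without `local` and expanded unquoted, and the size regex can be `^[1-9][0-9]*$` to reject zero up front.
```shell
# Generates a random passphrase; returns non-zero when nothing could be read
function keyringer_pwgen {
  local ENTROPY_BYTES="${1:-20}" # in bytes
  local pass
  ENTROPY_SOURCE="${ENTROPY_SOURCE:-/dev/urandom}"

  # Strip possible newlines if output is wrapped.
  # Also strip trailing = signs as they add nothing to the password's entropy.
  pass="$(head -c "$ENTROPY_BYTES" "$ENTROPY_SOURCE" | base64 | tr -d '\n=')"
  [ -n "$pass" ] || return 1
  echo "$pass"
}

# … unchanged: FILE/SIZE checks …

# Encrypt and store a randomly-generated secret; never store an empty one
PASSPHRASE="$(keyringer_pwgen "$SIZE")" || { echo "Error: could not generate a passphrase from ${ENTROPY_SOURCE:-/dev/urandom}"; exit 1; }
echo "$PASSPHRASE" | keyringer_exec encrypt "$BASEDIR" "$FILE"
```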
--- a/lib/keyringer/completions/zsh/_keyringer +++ b/lib/keyringer/completions/zsh/_keyringer @@ -49,7 +49,7 @@ _keyringer() { recipients) compadd "$@" ls edit ;; - ls|tree|mkdir|encrypt|encrypt-batch|decrypt|edit|append|append-batch|del|rm|recrypt|open|clip|xclip|sclip|find|mv|cp) + ls|tree|mkdir|encrypt|encrypt-batch|pwgen|decrypt|edit|append|append-batch|del|rm|recrypt|open|clip|xclip|sclip|find|mv|cp) words[4]="`echo $words[4] | sed -e "s|^/*||"`" # avoid leading slash compadd "$@" $(KEYRINGER_CHECK_RECIPIENTS=false KEYRINGER_CHECK_VERSION=false keyringer $words[2] ls -p -d $words[4]'*' 2> /dev/null) ;; @@ -83,7 +83,7 @@ _keyringer() { git) compadd "$@" $(_keyringer_git_complete $words[4] $words[5]) ;; - encrypt|encrypt-batch) + encrypt|encrypt-batch|pwgen) _files ;; *) diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn index 8f024d1..afe7e99 100644 --- a/share/man/keyringer.1.mdwn +++ b/share/man/keyringer.1.mdwn @@ -163,6 +163,16 @@ open <*secret*> After the application exits, keyringer encrypts the temporary decrypted file again into the secret file and deletes the temporary file. +pwgen <*secret*> [*size*] +: Generates a random passphrase and stores into *secret* pathname with optional + entropy size in bytes. Default size is 20. + + Passphrases will be slightly bigger than size due to base64 conversion. + + With this action you can generate and store a passphrase without need to see + it. Combined with clip or sclip action provides an hygienic way to handle + secrets. + recrypt <*secret*> : Re-encrypts a secret by decrypting it and encrypting it again. Useful when users are added into the recipient configuration. If no *secret* is given, all secrets in the repository -- cgit v1.2.3 From d0cddcae6b79cbe7d9979c0385e100915d1563ae Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 19 Dec 2016 12:06:27 -0200 Subject: Updates ChangeLog --- ChangeLog | 8 ++++++++ 1 file changed, 8 insertions(+) 
diff --git a/ChangeLog b/ChangeLog index 45bae61..ff0ec3a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2016-12-18 - unreleased - Silvio Rhatto + + Adds pwgen action + + Fixes sclip clipboard overwrite procedure + + Adds XDOTOOL_NEXT_WINDOW config into sclip + 2016-11-17 - 0.4.1 - Silvio Rhatto Adds sclip into completions -- cgit v1.2.3 From c12b5c6c7eccb8e0922ff034bb3690774e12998c Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 19 Dec 2016 12:27:22 -0200 Subject: Make keyringer_check_expiration not fail on subkeys which do not have an expiration date --- lib/keyringer/functions | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 09b004d..fd0176b 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -722,19 +722,25 @@ function keyringer_check_expiration { fi # Check the subkeys - expiry="" - for expiry in `gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^sub | cut -d : -f 7`; do + local subkey="" + for subkey in $(gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^sub); do + local expiry=$(cut -d : -f 7 <<< "$subkey") + if [[ -z "$expiry" ]]; then + not_expired=1 + break + fi if [[ "$seconds" -lt "$expiry" ]]; then not_expired="1" if [[ "$ahead" -gt "$expiry" ]] && [ "$BASENAME" == "check" ]; then echo "Warning: subkey from $recipient will expire soon, on `date --date="@$expiry"`" fi + break fi done # All subkeys are expired - if [ ! -z "$expiry" ] && [ "$not_expired" != "1" ]; then + if [ ! -z "$subkey" ] && [ "$not_expired" != "1" ]; then echo "Fatal: key $recipient has no keys suitable for encryption: all subkeys expired." exit 1 fi -- cgit v1.2.3 From 3a84664504c1263cc947735811285ba487305dde Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 19 Dec 2016 12:27:43 -0200 Subject: Coding style --- lib/keyringer/functions | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
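Review bot: The new `-z "$expiry"` branch marks the key usable as soon as any `sub` record lacks an expiration date, but nothing in the loop looks at the record's capability field, so a signing- or authentication-only subkey with no expiry now satisfies a check whose error message promises "keys suitable for encryption" (the non-empty-expiry branch, which predates this commit, has the same gap). gpg's colon format carries the capabilities in field 12, so `local caps=$(cut -d : -f 12 <<< "$subkey")` followed by `[[ "$caps" == *e* ]] || continue` at the top of the loop body would restrict the check to encryption-capable subkeys; the validity flag in field 2 (revoked/expired) is likewise never consulted. `for subkey in $(gpg ... | grep ^sub)` also word-splits gpg's output on whitespace, whereas a `while IFS= read -r subkey` loop over process substitution keeps each record intact. keyringer_check_expiration begins before the hunk and its body continues after it.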
diff --git a/lib/keyringer/functions b/lib/keyringer/functions index fd0176b..d2a83f4 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -725,10 +725,12 @@ function keyringer_check_expiration { local subkey="" for subkey in $(gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^sub); do local expiry=$(cut -d : -f 7 <<< "$subkey") + if [[ -z "$expiry" ]]; then - not_expired=1 - break + not_expired=1 + break fi + if [[ "$seconds" -lt "$expiry" ]]; then not_expired="1" -- cgit v1.2.3 From 47bfafd1226a984452c009b632ad4099c00743c4 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 19 Dec 2016 12:28:39 -0200 Subject: Updates ChangeLog --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index ff0ec3a..4259447 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,8 @@ 2016-12-18 - unreleased - Silvio Rhatto + Make keyringer_check_expiration not fail on subkeys which do not have an + expiration date (#76 and Debian #847963). + Adds pwgen action Fixes sclip clipboard overwrite procedure -- cgit v1.2.3 From 21ca00d0d8d6e206cb377dc1febe8f66694142d7 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 19 Dec 2016 12:44:57 -0200 Subject: Fixes keyringer_check_expiration failure if a public key is listed multiple times (#77) --- lib/keyringer/functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/keyringer/functions b/lib/keyringer/functions index d2a83f4..1d53925 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -703,7 +703,7 @@ function keyringer_check_expiration { seconds="`date +%s`" # Check the main key - expiry="`gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^pub | cut -d : -f 7`" + expiry="`gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^pub | head -n1 | cut -d : -f 7`" # TODO: Time to expire can be configured via repository options. ahead="$((86400 * 30 + $seconds))" -- cgit v1.2.3 
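Review bot: `head -n1` silences the failure when several `pub` records come back, but it also silently picks the first one when `$recipient` is an ambiguous specifier (for instance an e-mail address present on two different keys), so the expiry of one key is checked while gpg may encrypt to another. The commit describes the same key being listed more than once; if that is the only case intended, counting distinct key IDs (colon field 5) and warning when more than one is found would keep the fix without hiding genuine ambiguity, e.g. `[ "$(gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^pub | cut -d : -f 5 | sort -u | wc -l)" -gt 1 ] && echo "Warning: $recipient matches more than one public key"`. A short comment on the changed line, `# a key may be listed more than once; use the first record (#77)`, would record why the `head` is there. keyringer_check_expiration starts before the hunk and continues after it.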
From d05af4644b51e515e51c0ff6b6c4fda17aa1f25f Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 19 Dec 2016 12:48:16 -0200 Subject: Updates ChangeLog --- ChangeLog | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 4259447..393ac20 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,7 +1,10 @@ 2016-12-18 - unreleased - Silvio Rhatto + Fixes keyringer_check_expiration failure if a public key is listed multiple + times (#77 and Debian #847964) + Make keyringer_check_expiration not fail on subkeys which do not have an - expiration date (#76 and Debian #847963). + expiration date (#76 and Debian #847963) Adds pwgen action -- cgit v1.2.3 From 306e16d5d1cca4216cfc4c5ca17b92f383da51ae Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 19 Dec 2016 12:49:07 -0200 Subject: Minor fixups in index.mdwn (#78) --- index.mdwn | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/index.mdwn b/index.mdwn index 9af057f..e2a98d9 100644 --- a/index.mdwn +++ b/index.mdwn @@ -21,7 +21,7 @@ Installation Just clone - git clone https//git.fluxo.info/keyringer + git clone https://git.fluxo.info/keyringer And then leave it somewhere, optionally adding it to your `$PATH` environment variable or package it to your preferred distro. @@ -216,8 +216,8 @@ Keyringer's basic concepts are as follows: one encrypted file that contains one line for each secret, e.g. a single file called secrets with lines such as: - emma : root : secret1 - emma - /dev/hda : : secret2 + emma : root : secret1 + emma - /dev/hda : : secret2 Or you may also have a different encrypted file for each secret, e.g. a file called `emma.root` that contains the root passphrase for the server named `emma` and -- cgit v1.2.3 From bcf239c6f069ad6c8d433f89a86b909f432ffab1 Mon Sep 17 00:00:00 2001 
From: Silvio Rhatto Date: Mon, 19 Dec 2016 16:03:01 -0200 Subject: Additional fix for sclip clipboard overwrite procedure --- lib/keyringer/actions/sclip | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/keyringer/actions/sclip b/lib/keyringer/actions/sclip index a941fd0..6016f2b 100755 --- a/lib/keyringer/actions/sclip +++ b/lib/keyringer/actions/sclip @@ -25,4 +25,4 @@ fi sleep 5 # Overwrite clipboard -echo $RANDOM | sha256sum | base64 -d | xclip +echo $RANDOM | sha256sum | base64 | xclip -- cgit v1.2.3 From ef29f9d23a98b4e18b2400f3dd29b32de81514a7 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 19 Dec 2016 16:08:15 -0200 Subject: Removes break statements from keyringer_check_expiration --- lib/keyringer/functions | 2 -- 1 file changed, 2 deletions(-) diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 1d53925..bd87fd6 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -728,7 +728,6 @@ function keyringer_check_expiration { if [[ -z "$expiry" ]]; then not_expired=1 - break fi if [[ "$seconds" -lt "$expiry" ]]; then @@ -737,7 +736,6 @@ function keyringer_check_expiration { if [[ "$ahead" -gt "$expiry" ]] && [ "$BASENAME" == "check" ]; then echo "Warning: subkey from $recipient will expire soon, on `date --date="@$expiry"`" fi - break fi done -- cgit v1.2.3 From ea9326628e6e872798a96063fccd76d964a75583 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Wed, 21 Dec 2016 10:19:25 -0200 Subject: Keyringer 0.5.0 --- ChangeLog | 2 +- keyringer | 2 +- share/man/keyringer.1 | 14 ++++++++++++++ 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 393ac20..6f0c59b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,4 @@ -2016-12-18 - unreleased - Silvio Rhatto +2016-12-21 - 0.5.0 - Silvio Rhatto Fixes keyringer_check_expiration failure if a public key is listed multiple times (#77 and Debian #847964) diff --git a/keyringer b/keyringer index 84b25a4..c9e3d8d 100755 
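Review bot: The overwrite now pipes valid base64 text into xclip, but `xclip` without a `-selection` option writes only the PRIMARY selection, so whether the secret placed earlier by `keyringer $KEYRING xclip $*` is actually replaced depends on which selection that action uses, which is not visible in this hunk; if it targets CLIPBOARD, pass the same option here (`... | xclip -selection clipboard`) or overwrite both. `$RANDOM` is adequate as filler since the value only needs to differ from the secret, not be unpredictable; a comment such as `# Replace the secret in the selection with junk` would make that intent explicit.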
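Review bot: With the `break` gone, an iteration whose `$expiry` is empty now falls through to `[[ "$seconds" -lt "$expiry" ]]`; inside bash's `[[ ]]` an empty `-lt` operand is evaluated arithmetically as 0, so the comparison is silently false rather than an error, but the fall-through is easy to misread. Making the second test `elif [[ "$seconds" -lt "$expiry" ]]; then` documents that the two branches are exclusive and would not change behaviour. The second hunk (@@ -737) removes the other `break` with the same effect, so the two conditions together now scan every subkey instead of stopping at the first usable one, which is presumably the intent but deserves a comment. keyringer_check_expiration begins before and ends after both hunks.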
--- a/keyringer +++ b/keyringer @@ -140,7 +140,7 @@ function keyringer_dispatch { # Config NAME="keyringer" -KEYRINGER_VERSION="0.4.1" +KEYRINGER_VERSION="0.5.0" CONFIG_VERSION="0.1" CONFIG_BASE="$HOME/.$NAME" CONFIG="$CONFIG_BASE/config" diff --git a/share/man/keyringer.1 b/share/man/keyringer.1 index 74bcf1f..fe17968 100644 --- a/share/man/keyringer.1 +++ b/share/man/keyringer.1 @@ -222,6 +222,20 @@ After the application exits, keyringer encrypts the temporary decrypted file again into the secret file and deletes the temporary file. .RE .TP +.B pwgen <\f[I]secret\f[]> [\f[I]size\f[]] +Generates a random passphrase and stores into \f[I]secret\f[] pathname +with optional entropy size in bytes. +Default size is 20. +.RS +.PP +Passphrases will be slightly bigger than size due to base64 conversion. +.PP +With this action you can generate and store a passphrase without need to +see it. +Combined with clip or sclip action provides an hygienic way to handle +secrets. +.RE +.TP .B recrypt <\f[I]secret\f[]> Re\-encrypts a secret by decrypting it and encrypting it again. Useful when users are added into the recipient configuration. -- cgit v1.2.3