From 77c8173424ab96d4ae126ab40d4f1879a48a72a4 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 4 Oct 2013 13:04:30 -0300 Subject: Development guidelines: change default scp server name --- development.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/development.mdwn b/development.mdwn index d312bf2..cde0561 100644 --- a/development.mdwn +++ b/development.mdwn @@ -60,7 +60,7 @@ Sign the release ([see backupninja development guidelines](https://labs.riseup.n Upload the release: - scp keyringer-$VERSION.tar.bz2* server:/var/sites/keyringer/releases/ + scp keyringer-$VERSION.tar.bz2* keyringer:/var/sites/keyringer/releases/ cd - Update the debian branch: -- cgit v1.2.3 From d402c7b9acd03c9bf8cb4ac9fc4581839cc540b0 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 4 Oct 2013 18:23:31 -0300 Subject: Development: create a signed tag in the debian branch --- development.mdwn | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/development.mdwn b/development.mdwn index cde0561..035f9aa 100644 --- a/development.mdwn +++ b/development.mdwn @@ -82,6 +82,10 @@ Run lintian (or [add it to your pbuilder hooks](http://askubuntu.com/questions/1 lintian --info --display-info --pedantic --color auto \ ../build-area/keyringer_$VERSION*.changes +Create a signed tag in the debian branch: + + git-buildpackage --git-tag-only --git-sign-tags + Notes: * `git-import-orig` takes care of running `pristine-tar commit`, of merging of the tag and orig tarball into the upstream branch, and then it merges the result into the debian branch. With the above configuration, it also runs git-dch to do the bulk of the work in `debian/changelog`. -- cgit v1.2.3 From 72f6db37961e30117818c1d030a7c69869928028 Mon Sep 17 00:00:00 2001 
From: Silvio Rhatto Date: Fri, 18 Oct 2013 17:03:40 -0300 Subject: FHS compliance (closes #18) --- Makefile | 8 +- keyringer | 4 +- lib/keyringer/actions/append | 41 +++++++ lib/keyringer/actions/append-batch | 1 + lib/keyringer/actions/commands | 10 ++ lib/keyringer/actions/decrypt | 17 +++ lib/keyringer/actions/del | 16 +++ lib/keyringer/actions/edit | 45 ++++++++ lib/keyringer/actions/encrypt | 56 +++++++++ lib/keyringer/actions/encrypt-batch | 1 + lib/keyringer/actions/genpair | 222 ++++++++++++++++++++++++++++++++++++ lib/keyringer/actions/git | 16 +++ lib/keyringer/actions/ls | 16 +++ lib/keyringer/actions/open | 1 + lib/keyringer/actions/options | 30 +++++ lib/keyringer/actions/preferences | 37 ++++++ lib/keyringer/actions/recipients | 46 ++++++++ lib/keyringer/actions/recrypt | 45 ++++++++ lib/keyringer/actions/usage | 10 ++ share/keyringer/append | 41 ------- share/keyringer/append-batch | 1 - share/keyringer/commands | 10 -- share/keyringer/decrypt | 17 --- share/keyringer/del | 16 --- share/keyringer/edit | 45 -------- share/keyringer/encrypt | 56 --------- share/keyringer/encrypt-batch | 1 - share/keyringer/genpair | 222 ------------------------------------ share/keyringer/git | 16 --- share/keyringer/ls | 16 --- share/keyringer/open | 1 - share/keyringer/options | 30 ----- share/keyringer/preferences | 37 ------ share/keyringer/recipients | 46 -------- share/keyringer/recrypt | 45 -------- share/keyringer/usage | 10 -- 36 files changed, 615 insertions(+), 617 deletions(-) create mode 100755 lib/keyringer/actions/append create mode 120000 lib/keyringer/actions/append-batch create mode 100755 lib/keyringer/actions/commands create mode 100755 lib/keyringer/actions/decrypt create mode 100755 lib/keyringer/actions/del create mode 100755 lib/keyringer/actions/edit create mode 100755 lib/keyringer/actions/encrypt create mode 120000 lib/keyringer/actions/encrypt-batch create mode 100755 lib/keyringer/actions/genpair create mode 100755 lib/keyringer/actions/git 
create mode 100755 lib/keyringer/actions/ls create mode 120000 lib/keyringer/actions/open create mode 100755 lib/keyringer/actions/options create mode 100755 lib/keyringer/actions/preferences create mode 100755 lib/keyringer/actions/recipients create mode 100755 lib/keyringer/actions/recrypt create mode 100755 lib/keyringer/actions/usage delete mode 100755 share/keyringer/append delete mode 120000 share/keyringer/append-batch delete mode 100755 share/keyringer/commands delete mode 100755 share/keyringer/decrypt delete mode 100755 share/keyringer/del delete mode 100755 share/keyringer/edit delete mode 100755 share/keyringer/encrypt delete mode 120000 share/keyringer/encrypt-batch delete mode 100755 share/keyringer/genpair delete mode 100755 share/keyringer/git delete mode 100755 share/keyringer/ls delete mode 120000 share/keyringer/open delete mode 100755 share/keyringer/options delete mode 100755 share/keyringer/preferences delete mode 100755 share/keyringer/recipients delete mode 100755 share/keyringer/recrypt delete mode 100755 share/keyringer/usage diff --git a/Makefile b/Makefile index 374579c..7d734ff 100644 --- a/Makefile +++ b/Makefile @@ -24,10 +24,8 @@ clean: install_lib: $(INSTALL) -D --mode=0755 lib/keyringer/functions $(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/functions - -install_share: - $(INSTALL) -D --mode=0755 -d share/keyringer $(DESTDIR)/$(PREFIX)/share/$(PACKAGE) - $(INSTALL) -D --mode=0755 share/keyringer/* $(DESTDIR)/$(PREFIX)/share/$(PACKAGE) + $(INSTALL) -D --mode=0755 -d lib/keyringer/actions $(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/actions + $(INSTALL) -D --mode=0755 lib/keyringer/actions/* $(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/actions install_bin: $(INSTALL) -D --mode=0755 keyringer $(DESTDIR)/$(PREFIX)/bin/keyringer 
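Review bot: The new install_lib recipe hands `lib/keyringer/actions/*` to `$(INSTALL)`, and three of those entries (`append-batch`, `encrypt-batch`, `open`) are symlinks in this very commit (mode 120000); install(1) dereferences them, so the installed tree gets independent copies of `append`, `encrypt` and `edit` rather than links. Dispatch on `$BASENAME` still works, but the installed layout no longer mirrors the source tree, which matters the moment one of the pair is patched in place; if the links are meant to survive, install the regular files and recreate the links, e.g. `ln -sf append $(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/actions/append-batch`. The `-D --mode=0755 -d lib/keyringer/actions $(DESTDIR)/...` call also lists the source directory as a target of `-d`, which is a no-op only because it already exists; `$(INSTALL) -d --mode=0755 $(DESTDIR)/$(PREFIX)/lib/$(PACKAGE)/actions` says what is intended.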
@@ -44,7 +42,7 @@ install_completion: $(INSTALL) -D --mode=0644 lib/keyringer/completions/zsh/_keyringer $(DESTDIR)/$(PREFIX)/share/zsh/vendor-completions/_keyringer install: clean - @make install_lib install_share install_bin install_doc install_man install_completion + @make install_lib install_bin install_doc install_man install_completion build_man: pandoc -s -w man share/man/keyringer.1.mdwn -o share/man/keyringer.1 diff --git a/keyringer b/keyringer index a4e8b2c..604ef1d 100755 --- a/keyringer +++ b/keyringer @@ -137,9 +137,9 @@ else fi # Set actions location -if [ -e "`dirname $(readlink -f $0)`/share/$NAME" ]; then +if [ -e "`dirname $(readlink -f $0)`/lib/$NAME/actions" ]; then # Development or local installation layout - ACTIONS="`dirname $(readlink -f $0)`/share/$NAME" + ACTIONS="`dirname $(readlink -f $0)`/lib/$NAME/actions" else # System installation layout ACTIONS="`dirname $(readlink -f $0)`/../share/$NAME" diff --git a/lib/keyringer/actions/append b/lib/keyringer/actions/append new file mode 100755 index 0000000..30c2d5b --- /dev/null +++ b/lib/keyringer/actions/append 
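Review bot: The changed `install` line still calls a literal `make` instead of `$(MAKE)`, so `-n`, `-j`/jobserver state and a `make` overridden on the command line are not propagated to the sub-targets; `@$(MAKE) install_lib install_bin install_doc install_man install_completion` fixes that. Listing them as prerequisites (`install: clean install_lib install_bin install_doc install_man install_completion`) would avoid the recursive invocation altogether, provided `clean` is also declared `.PHONY`, which this diff does not show.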
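Review bot: The system-installation fallback on the unchanged `else` line still sets `ACTIONS` to `…/../share/$NAME`, yet this same commit deletes `install_share` from the Makefile and nothing installs under `$(PREFIX)/share/$(PACKAGE)` any more, so after `make install` the script resolves to a directory that does not exist and only the in-tree layout keeps working (unless a later commit not shown here corrects it). The line should become `ACTIONS="\`dirname $(readlink -f $0)\`/../lib/$NAME/actions"`. `$0` is also unquoted inside `$(readlink -f $0)` on both new lines, which breaks when the script is installed under a path containing spaces.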
@@ -0,0 +1,41 @@
+#!/bin/bash
+#
+# Append information into encrypted files.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Get file
+keyringer_get_file "$2"
+
+OLDIFS="$IFS"
+IFS=$'\n'
+
+CONTENT=($(keyringer_exec decrypt "$BASEDIR" "$FILE"))
+
+if [ "$BASENAME" == "append" ]; then
+ # only display directions if we're running append, not append-batch
+ printf "\n%s currently has %d lines\n\n" "$FILE" "${#CONTENT[@]}"
+ printf "Now please write the content to be appended on %s, finnishing with Ctrl-D:\n" "$FILE"
+fi
+
+# FIXME: dkg doesn't know how to check that this does proper escaping
+# (2010-11-16)
+
+APPEND=($(cat -))
+
+NEW=( ${CONTENT[@]} ${APPEND[@]} )
+
+for element in $(seq 0 $((${#NEW[@]} - 1))); do
+ echo ${NEW[$element]}
+done | keyringer_exec encrypt-batch $BASEDIR $FILE
+
+err="$?"
+
+if [ "$err" != "0" ]; then
+ exit "$err"
+fi
+
+IFS="$OLDIFS"
diff --git a/lib/keyringer/actions/append-batch b/lib/keyringer/actions/append-batch
new file mode 120000
index 0000000..6b140f7
--- /dev/null
+++ b/lib/keyringer/actions/append-batch
@@ -0,0 +1 @@
+append
\ No newline at end of file
diff --git a/lib/keyringer/actions/commands b/lib/keyringer/actions/commands
new file mode 100755
index 0000000..2605666
--- /dev/null
+++ b/lib/keyringer/actions/commands
@@ -0,0 +1,10 @@
+#!/bin/bash
+#
+# Show available commands
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+keyringer_show_actions
diff --git a/lib/keyringer/actions/decrypt b/lib/keyringer/actions/decrypt
new file mode 100755
index 0000000..2b1401c
--- /dev/null
+++ b/lib/keyringer/actions/decrypt
@@ -0,0 +1,17 @@
+#!/bin/bash
+#
+# Decrypt files.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Get file
+keyringer_get_file "$2"
+
+# Decrypt
+$GPG --quiet --use-agent -d "$KEYDIR/$FILE"
+
+# Exit
+exit "$?"
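Review bot: The decrypted lines are re-emitted through an unquoted `echo ${NEW[$element]}` with `IFS=$'\n'` and no `set -f`, so any secret line containing `*`, `?` or `[` is pathname-expanded against the current directory before it is re-encrypted, and a line consisting of `-n` or `-e` is swallowed by echo; the `$(...)` splits into `CONTENT` and `APPEND` also drop every empty line, so append silently alters the stored content. Replacing the loop with `printf '%s\n' "${NEW[@]}" | keyringer_exec encrypt-batch "$BASEDIR" "$FILE"` keeps each element intact, and streaming the decrypted output and stdin straight through (`{ keyringer_exec decrypt "$BASEDIR" "$FILE"; cat -; } | keyringer_exec encrypt-batch "$BASEDIR" "$FILE"`) would preserve blank lines as well. The FIXME dated 2010-11-16 describes exactly this and could then be retired.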
diff --git a/lib/keyringer/actions/del b/lib/keyringer/actions/del
new file mode 100755
index 0000000..babd212
--- /dev/null
+++ b/lib/keyringer/actions/del
@@ -0,0 +1,16 @@
+#!/bin/bash
+#
+# Remove files.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Get file
+keyringer_get_file "$2"
+
+# Remove
+if [ -d "$BASEDIR/.git" ]; then
+ keyringer_exec git "$BASEDIR" rm "keys/$FILE"
+fi
diff --git a/lib/keyringer/actions/edit b/lib/keyringer/actions/edit
new file mode 100755
index 0000000..54d0fec
--- /dev/null
+++ b/lib/keyringer/actions/edit
@@ -0,0 +1,45 @@
+#!/bin/bash
+#
+# Edit keys.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Get file
+keyringer_get_file "$2"
+
+# Set recipients file
+keyringer_set_recipients "$FILE"
+
+# Warn user
+echo "Make sure that $BASEDIR is atop of an encrypted volume."
+
+# Set a tmp file
+keyringer_set_tmpfile edit
+
+# Decrypt the information to the file
+$GPG --yes -o "$TMPWORK" --use-agent -d "$KEYDIR/$FILE"
+
+if [ "$BASENAME" == "edit" ]; then
+ APP="$EDITOR"
+elif [ "$BASENAME" == "open" ]; then
+ if which xdg-open &> /dev/null; then
+ APP="xdg-open"
+ else
+ echo "You should have xdg-open application to perform this action, aborting."
+ exit 1
+ fi
+fi
+
+# Prompt
+echo "Press any key to open the decrypted data with $APP, Ctrl-C to abort"
+read key
+$APP "$TMPWORK"
+
+# Encrypt again
+$GPG --yes -o "$KEYDIR/$FILE" --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") "$TMPWORK"
+
+# Remove temp file
+keyringer_unset_tmpfile "$TMPWORK"
diff --git a/lib/keyringer/actions/encrypt b/lib/keyringer/actions/encrypt
new file mode 100755
index 0000000..cc73b55
--- /dev/null
+++ b/lib/keyringer/actions/encrypt
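Review bot: When `$BASEDIR/.git` does not exist the `if` around `keyringer_exec git "$BASEDIR" rm "keys/$FILE"` falls through and `del` exits 0 without touching `$KEYDIR/$FILE` or printing anything, so the caller sees success for a file that is still there; an `else` branch with `rm -f "$KEYDIR/$FILE"` (or an explicit error and `exit 1`) closes that gap. A comment above the `git rm` is also warranted: it only removes the ciphertext from the working tree, every earlier revision stays in history, so `del` does not take anything away from a recipient who could already decrypt it.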
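Review bot: Neither the decrypt on the `$GPG --yes -o "$TMPWORK" --use-agent -d "$KEYDIR/$FILE"` line nor the `$APP "$TMPWORK"` call has its exit status checked, so a failed decryption (wrong key, agent refusal) still reaches the prompt and the unconditional re-encrypt, which can overwrite `$KEYDIR/$FILE` with an encryption of whatever empty or partial `$TMPWORK` the failed run left behind; `$GPG --yes -o "$TMPWORK" --use-agent -d "$KEYDIR/$FILE" || exit 1` and `$APP "$TMPWORK" || exit 1` stop that. Whether the plaintext in `$TMPWORK` is removed when the user hits Ctrl-C at `read key` depends on the trap installed by keyringer_set_tmpfile, which is outside this diff and worth confirming. The prompt says "Press any key" but `read key` only returns on Enter.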
@@ -0,0 +1,56 @@
+#!/bin/bash
+#
+# Encrypt files to multiple recipients.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Aditional parameters
+if [ ! -z "$3" ]; then
+ UNENCRYPTED_FILE="$2"
+ shift 2
+ keyringer_get_new_file "$*"
+
+ if [ ! -f "$UNENCRYPTED_FILE" ]; then
+ echo "Error: cannot encrypted $UNENCRYPTED_FILE: file not found."
+ exit 1
+ fi
+else
+ UNENCRYPTED_FILE="-"
+ shift
+ keyringer_get_new_file $*
+fi
+
+# Set recipients file
+keyringer_set_recipients "$FILE"
+
+# Encrypt
+mkdir -p "$KEYDIR/`dirname $FILE`"
+
+if [ "$BASENAME" == "encrypt" ]; then
+ # Only display directions if we're running encrypt, not encrypt-batch
+ if [ "$UNENCRYPTED_FILE" == "-" ]; then
+ echo "Type your message and finish your input with EOF (Ctrl-D)."
+ fi
+fi
+
+$GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") --yes --output "$KEYDIR/$FILE" $UNENCRYPTED_FILE
+
+err="$?"
+
+if [ "$err" != "0" ]; then
+ exit "$err"
+fi
+
+if [ "$UNENCRYPTED_FILE" != "-" ]; then
+ echo "Now make to wipe the non-encrypted $UNENCRYPTED_FILE."
+fi
+
+# Stage
+if [ -d "$BASEDIR/.git" ]; then
+ keyringer_exec git "$BASEDIR" add "keys/$FILE"
+fi
+
+exit "$?"
diff --git a/lib/keyringer/actions/encrypt-batch b/lib/keyringer/actions/encrypt-batch
new file mode 120000
index 0000000..8267197
--- /dev/null
+++ b/lib/keyringer/actions/encrypt-batch
@@ -0,0 +1 @@
+encrypt
\ No newline at end of file
diff --git a/lib/keyringer/actions/genpair b/lib/keyringer/actions/genpair
new file mode 100755
index 0000000..f048bc7
--- /dev/null
+++ b/lib/keyringer/actions/genpair
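Review bot: `$UNENCRYPTED_FILE` is passed to gpg unquoted at the end of the `$GPG --use-agent --armor -e -s … --output "$KEYDIR/$FILE"` line, and the `else` branch calls `keyringer_get_new_file $*` unquoted where the first branch uses `"$*"`, so a path or key name with spaces or glob characters is split into extra arguments and, because of `--yes`, gpg encrypts something other than what was asked without prompting; quote both as `"$UNENCRYPTED_FILE"` and `"$*"`. Two user-facing strings read wrong: `"Error: cannot encrypted $UNENCRYPTED_FILE: file not found."` and `"Now make to wipe the non-encrypted $UNENCRYPTED_FILE."` (presumably "cannot encrypt" and "make sure to wipe").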
@@ -0,0 +1,222 @@ +#!/bin/bash +# +# Generate keypairs. +# +# This script is just a wrapper to easily generate keys for +# automated systems. +# + +# Generate a keypair, ssh version +function genpair_ssh { + echo "Make sure that $KEYDIR is atop of an encrypted volume." + read -p "Hit ENTER to continue." prompt + + # We're using empty passphrases + ssh-keygen -t rsa -P '' -f "$TMPWORK/id_rsa" -C "root@$NODE" + + # Encrypt the result + echo "Encrypting secret key into keyringer..." + cat "$TMPWORK/id_rsa" | keyringer_exec encrypt "$BASEDIR" "$FILE" + echo "Encrypting public key into keyringer..." + cat "$TMPWORK/id_rsa.pub" | keyringer_exec encrypt "$BASEDIR" "$FILE.pub" + + if [ ! -z "$OUTFILE" ]; then + mkdir -p `dirname $OUTFILE` + printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE" + cat "$TMPWORK/id_rsa" > "$OUTFILE" + cat "$TMPWORK/id_rsa.pub" > "$OUTFILE.pub" + fi + + echo "Done" +} + +# Generate a keypair, gpg version +function genpair_gpg { + echo "Make sure that $KEYDIR is atop of an encrypted volume." + + passphrase="no" + passphrase_confirm="confirm" + + while [ "$passphrase" != "$passphrase_confirm" ]; do + read -s -p "Enter password for the private key: " passphrase + printf "\n" + read -s -p "Enter password again: " passphrase_confirm + printf "\n" + + if [ "$passphrase" != "$passphrase_confirm" ]; then + echo "Password don't match." + fi + done + + # TODO: insert random bytes + # TODO: custom Name-Comment and Name-Email + # TODO: allow for empty passphrases + $GPG --homedir "$TMPWORK" --gen-key --batch < "$OUTFILE" + $GPG --armor --homedir "$TMPWORK" --export > "$OUTFILE.pub" + fi + + echo "Done" +} + +# Generate a keypair, ssl version +function genpair_ssl { + echo "Make sure that $KEYDIR is atop of an encrypted volume." + read -p "Hit ENTER to continue." prompt + + # Check for wildcard certs + if [ "`echo $NODE | cut -d . 
-f 1`" == "*" ]; then + WILDCARD="yes" + CNAME="$NODE" + NODE="`echo $NODE | sed -e 's/^\*\.//'`" + else + CNAME="${NODE}" + fi + + # Setup + cd "$TMPWORK" + + # Generate certificate +cat <> openssl.conf +[ req ] +default_keyfile = ${NODE}_privatekey.pem +distinguished_name = req_distinguished_name +encrypt_key = no +req_extensions = v3_req # Extensions to add to certificate request +string_mask = nombstr + +[ req_distinguished_name ] +commonName_default = ${CNAME} +organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +emailAddress = Email Address +localityName = Locality +stateOrProvinceName = State +countryName = Country Name +commonName = Common Name + +[ v3_req ] +extendedKeyUsage=serverAuth,clientAuth +EOF + + # Add SubjectAltNames so wildcard certs can work correctly. + if [ "$WILDCARD" == "yes" ]; then +cat <> openssl.conf +subjectAltName=DNS:${NODE}, DNS:${CNAME} +EOF + fi + + echo "Please review your OpenSSL configuration:" + cat openssl.conf + read -p "Hit ENTER to continue." prompt + + openssl req -batch -nodes -config openssl.conf -newkey rsa:2048 -sha256 \ + -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem + + openssl req -noout -text -in ${NODE}_csr.pem + + # Self-sign + if [ "$KEYTYPE" == "ssl-self" ]; then + openssl x509 -in "${NODE}_csr.pem" -out "$NODE.crt" -req -signkey "${NODE}_privatekey.pem" -days 365 + chmod 600 "${NODE}_privatekey.pem" + fi + + # Encrypt the result + echo "Encrypting private key into keyringer..." + cat "${NODE}_privatekey.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.pem" + echo "Encrypting certificate request into keyringer..." + cat "${NODE}_csr.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.csr" + + if [ "$KEYTYPE" == "ssl-self" ]; then + echo "Encrypting certificate into keyringer..." 
+ cat "${NODE}.crt" | keyringer_exec encrypt "$BASEDIR" "$FILE.crt" + elif [ -f "$BASEDIR/keys/$FILE.crt.asc" ]; then + # Remove any existing crt + keyringer_exec del "$BASEDIR" "$FILE.crt" + fi + + cd "$CWD" + + if [ ! -z "$OUTFILE" ]; then + mkdir -p `dirname $OUTFILE` + printf "Saving copies at %s\n" "`dirname $OUTFILE`" + cat "$TMPWORK/${NODE}_privatekey.pem" > "$OUTFILE.pem" + cat "$TMPWORK/${NODE}_csr.pem" > "$OUTFILE.csr" + + if [ -f "$TMPWORK/${NODE}.crt" ]; then + cat "$TMPWORK/${NODE}.crt" > "$OUTFILE.crt" + fi + fi + + # Show cert fingerprint + if [ "$KEYTYPE" == "ssl-self" ]; then + openssl x509 -noout -in "$TMPWORK/${NODE}.crt" -fingerprint + fi + + echo "Done" +} + +# Load functions +LIB="`dirname $0`/../functions" +source "$LIB" || exit 1 + +# Aditional parameters +KEYTYPE="$2" +FILE="$3" +NODE="$4" +OUTFILE="$5" +CWD="`pwd`" + +# Verify +if [ -z "$NODE" ]; then + echo -e "Usage: keyringer $BASENAME [outfile]" + echo -e "Options:" + echo -e "\t gpg|ssh|ssl[-self]: key type." + echo -e "\t file : base file name for encrypted output (relative to keys folder)," + echo -e "\t without spaces" + echo -e "\t hostname : host for the key pair" + echo -e "\t outfile : optional unencrypted output file, useful for deployment," + echo -e "\t without spaces" + exit 1 +elif [ ! -e "$KEYDIR" ]; then + echo "Folder not found: $KEYDIR, leaving" + exit 1 +fi + +# Set a tmp file +keyringer_set_tmpfile genpair -d + +# Dispatch +echo "Generating $KEYTYPE key for $NODE..." +if [ "$KEYTYPE" == "ssl-self" ]; then + genpair_ssl +else + genpair_"$KEYTYPE" +fi + +# Cleanup +cd "$CWD" +rm -rf "$TMPWORK" +trap - EXIT diff --git a/lib/keyringer/actions/git b/lib/keyringer/actions/git new file mode 100755 index 0000000..3c4f435 --- /dev/null +++ b/lib/keyringer/actions/git 
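Review bot: The unencrypted private keys are written with the caller's umask: `cat "$TMPWORK/id_rsa" > "$OUTFILE"`, what is left of the gpg branch's redirect into `"$OUTFILE"`, and `cat "$TMPWORK/${NODE}_privatekey.pem" > "$OUTFILE.pem"` all create files that are typically 0644, and the only `chmod 600` is in the ssl-self branch on the copy inside `$TMPWORK`, never on `$OUTFILE`. A single `umask 077` placed right after `CWD="\`pwd\`"` (before `keyringer_set_tmpfile genpair -d`) makes the temp directory and every output file owner-only without touching each branch. The warnings tell the user to keep `$KEYDIR` on an encrypted volume, but the cleartext actually lands in `$TMPWORK` (wherever keyringer_set_tmpfile puts it, outside this diff) and `$OUTFILE`, and `rm -rf "$TMPWORK"` at the end deletes without wiping — the message would be more useful naming those paths. Note that this hunk as rendered here has lost the heredoc bodies after `--gen-key --batch <` and `cat <> openssl.conf` (and splits `cut -d .` / `-f 1` across lines), so the gpg batch parameters, including how the passphrase is handed to gpg, could not be reviewed.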
@@ -0,0 +1,16 @@
+#!/bin/bash
+#
+# Git wrapper.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Aditional parameters
+CWD="`pwd`"
+
+# Run git command
+shift
+mkdir -p "$BASEDIR" && cd "$BASEDIR" && git $*
+cd "$CWD"
diff --git a/lib/keyringer/actions/ls b/lib/keyringer/actions/ls
new file mode 100755
index 0000000..ec8080b
--- /dev/null
+++ b/lib/keyringer/actions/ls
@@ -0,0 +1,16 @@
+#!/bin/bash
+#
+# List keys.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Aditional parameters
+CWD="`pwd`"
+
+# Run list command
+shift
+cd "$KEYDIR" && ls $*
+cd "$CWD"
diff --git a/lib/keyringer/actions/open b/lib/keyringer/actions/open
new file mode 120000
index 0000000..8491ab9
--- /dev/null
+++ b/lib/keyringer/actions/open
@@ -0,0 +1 @@
+edit
\ No newline at end of file
diff --git a/lib/keyringer/actions/options b/lib/keyringer/actions/options
new file mode 100755
index 0000000..8508aea
--- /dev/null
+++ b/lib/keyringer/actions/options
@@ -0,0 +1,30 @@
+#!/bin/bash
+#
+# Recipient management.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Command parser
+keyringer_get_command "$2"
+
+# Create options file if old repository
+if [ ! -e "$OPTIONS" ]; then
+ echo "Creating options file..."
+ touch "$OPTIONS"
+ keyringer_exec git "$BASEDIR" add config/options
+fi
+
+if [ "$COMMAND" == "ls" ]; then
+ cat "$OPTIONS"
+elif [ "$COMMAND" == "edit" ]; then
+ "$EDITOR" "$OPTIONS"
+elif [ "$COMMAND" == "add" ]; then
+ shift 2
+ echo $* >> "$OPTIONS"
+else
+ printf "%s: No such command %s\n" "$BASENAME" "$COMMAND"
+ exit 1
+fi
diff --git a/lib/keyringer/actions/preferences b/lib/keyringer/actions/preferences
new file mode 100755
index 0000000..e82848d
--- /dev/null
+++ b/lib/keyringer/actions/preferences
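Review bot: `git $*` re-splits the caller's arguments on whitespace, so `keyringer git commit -m "some message"` reaches git as separate words; it should be `git "$@"`. The wrapper also ends with `cd "$CWD"`, so the status that callers such as `encrypt` and `del` see is that of the `cd`, never git's: `mkdir -p "$BASEDIR" && cd "$BASEDIR" && git "$@"; err="$?"` followed by `cd "$CWD"; exit "$err"` preserves it. The trailing `cd "$CWD"` is otherwise redundant, since a script's working directory does not outlive it.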
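Review bot: Same pattern as the git wrapper: `ls $*` should be `ls "$@"` so a key path containing spaces survives, and because `cd "$CWD"` is the last command the script exits 0 even when `ls` fails on a missing name; `cd "$KEYDIR" && ls "$@"` followed by `exit "$?"` keeps the status. The `cd "$CWD"` can be dropped for the same reason as in `git`.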
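Review bot: The header comment `# Recipient management.` was carried over from `recipients`, but this file manages the options file; `# Options management.` would spare the next reader a double-take. On the `add` branch `echo $* >> "$OPTIONS"` glob-expands the option text and swallows a leading `-n`/`-e`; `printf '%s\n' "$*" >> "$OPTIONS"` stores it verbatim. The `keyringer_exec git "$BASEDIR" add config/options` line hard-codes the path while every other access goes through `$OPTIONS`, which is only right if `$OPTIONS` is always `$BASEDIR/config/options` — something the functions file, outside this diff, would have to confirm.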
@@ -0,0 +1,37 @@
+#!/bin/bash
+#
+# Manipulate preferences.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+COMMAND="$2"
+
+if [ -z "$COMMAND" ]; then
+ echo "Usage: keyringer preferences [arguments]"
+ echo "Available commands:"
+ echo " ls"
+ echo " edit"
+ echo " add"
+ exit 1
+fi
+
+# Create options file if old repository
+if [ ! -e "$PREFERENCES" ]; then
+ echo "Creating preferences file..."
+ touch "$PREFERENCES"
+fi
+
+if [ "$COMMAND" == "ls" ]; then
+ cat "$PREFERENCES"
+elif [ "$COMMAND" == "edit" ]; then
+ "$EDITOR" "$PREFERENCES"
+elif [ "$COMMAND" == "add" ]; then
+ shift 2
+ [[ -n $* ]] && echo $* >> "$PREFERENCES"
+else
+ printf "%s: No such command %s\n" "$BASENAME" "$COMMAND"
+ exit 1
+fi
diff --git a/lib/keyringer/actions/recipients b/lib/keyringer/actions/recipients
new file mode 100755
index 0000000..7093a6b
--- /dev/null
+++ b/lib/keyringer/actions/recipients
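Review bot: On the `add` branch `[[ -n $* ]] && echo $* >> "$PREFERENCES"` is the script's last command, so `keyringer preferences add` with nothing to add exits 1 without a word, and when there is something `echo $*` glob-expands it and eats a leading `-n`/`-e`; an explicit `if [ -z "$*" ]` that prints the usage and exits, followed by `printf '%s\n' "$*" >> "$PREFERENCES"`, makes both cases deliberate. The comment `# Create options file if old repository` was copied from `options` and should read `# Create preferences file if missing`.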
@@ -0,0 +1,46 @@
+#!/bin/bash
+#
+# Recipient management.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+# Command parser
+keyringer_get_command "$2"
+
+# Set recipients file
+keyringer_set_new_recipients "$3"
+
+if [ "$COMMAND" == "ls" ]; then
+ if [ ! -z "$3" ]; then
+ if [ -e "$RECIPIENTS_FILE" ]; then
+ cat "$RECIPIENTS_FILE"
+ else
+ echo "Recipients file not found: $RECIPIENTS_FILE_BASE"
+ exit 1
+ fi
+ else
+ for recipients in `ls $RECIPIENTS`; do
+ echo "In recipients file $recipients:"
+ echo "-----------------------------------------------------------------------------------"
+ cat $RECIPIENTS/$recipients
+ echo ""
+ done
+ fi
+elif [ "$COMMAND" == "edit" ]; then
+ if [ ! -z "$3" ]; then
+ keyringer_create_new_recipients $RECIPIENTS_FILE
+ $EDITOR "$RECIPIENTS_FILE"
+ keyringer_check_recipients
+ keyringer_exec git "$BASEDIR" add "$RECIPIENTS_FILE_BASE"
+ else
+ echo "Please specify one recipient to edit among the available:"
+ ls $RECIPIENTS | sed -e 's/^/\t/'
+ exit 1
+ fi
+else
+ printf "%s: No such command %s\n" "$BASENAME" "$COMMAND"
+ exit 1
+fi
diff --git a/lib/keyringer/actions/recrypt b/lib/keyringer/actions/recrypt
new file mode 100755
index 0000000..014fef7
--- /dev/null
+++ b/lib/keyringer/actions/recrypt
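Review bot: On the `edit` branch the result of `keyringer_check_recipients` is never consulted before `keyringer_exec git "$BASEDIR" add "$RECIPIENTS_FILE_BASE"`, so unless that helper (outside this diff) exits on its own, a recipients file with an unknown or mistyped key id gets staged; `keyringer_check_recipients || exit 1` makes the intent explicit, and it matters because this list decides who can decrypt everything encrypted from then on. The `ls` branch iterates over `` `ls $RECIPIENTS` `` and then runs `cat $RECIPIENTS/$recipients` unquoted, which breaks on names with spaces and is silent on an empty directory; `for recipients in "$RECIPIENTS"/*; do` with `cat "$recipients"` is the plain-bash form. `keyringer_create_new_recipients $RECIPIENTS_FILE` should be quoted like the `$EDITOR "$RECIPIENTS_FILE"` line below it.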
@@ -0,0 +1,45 @@
+#!/bin/bash
+#
+# Re-encrypt files to multiple recipients.
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+function keyringer_recrypt {
+ # Get file
+ keyringer_get_file "$1"
+
+ # Set recipients file
+ keyringer_set_recipients "$FILE"
+
+ # Decrypt
+ decrypted="$($GPG --use-agent -d "$KEYDIR/$FILE" 2> /dev/null)"
+
+ if [ "$?" != "0" ]; then
+ echo "Decryption error."
+ exit 1
+ fi
+
+ # Recrypt
+ recrypted="`echo "$decrypted" | $GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE")`"
+
+ if [ "$?" != "0" ]; then
+ echo "Recryption error."
+ exit 1
+ fi
+
+ unset decrypted
+ echo "$recrypted" > "$KEYDIR/$FILE"
+}
+
+if [ ! -z "$2" ]; then
+ keyringer_recrypt $2
+else
+ cd $KEYDIR && find | while read file; do
+ if [ ! -d "$KEYDIR/$file" ]; then
+ keyringer_recrypt "$file"
+ fi
+ done
+fi
diff --git a/lib/keyringer/actions/usage b/lib/keyringer/actions/usage
new file mode 100755
index 0000000..f4ac0fa
--- /dev/null
+++ b/lib/keyringer/actions/usage
@@ -0,0 +1,10 @@
+#!/bin/bash
+#
+# Show available commands
+#
+
+# Load functions
+LIB="`dirname $0`/../functions"
+source "$LIB" || exit 1
+
+keyringer_usage
diff --git a/share/keyringer/append b/share/keyringer/append
deleted file mode 100755
index bcc9e5e..0000000
--- a/share/keyringer/append
+++ /dev/null
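Review bot: The plaintext round-trips through `$(...)` and `echo` inside keyringer_recrypt: command substitution strips trailing newlines and drops NUL bytes, and `echo "$decrypted"` eats a first line of `-n`/`-e`, so a binary or oddly shaped secret comes back altered after a recrypt, and it sits in a shell variable for the duration. Piping the decrypting gpg straight into the encrypting one never materialises the secret in the shell, `set -o pipefail` still surfaces a decryption failure, and writing to a temporary name before `mv` keeps the old ciphertext intact if encryption dies midway. The bulk loop should also use `while read -r file` so backslashes in key names are not interpreted, and `keyringer_recrypt $2` wants quoting like the call below it.

```shell
function keyringer_recrypt {
  # … unchanged: keyringer_get_file / keyringer_set_recipients …

  # Stream the plaintext from the decrypting gpg straight into the
  # encrypting one: nothing is held in a shell variable, so trailing
  # newlines, NUL bytes and echo-looking first lines survive unchanged.
  set -o pipefail
  $GPG --use-agent -d "$KEYDIR/$FILE" 2> /dev/null \
    | $GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") > "$KEYDIR/$FILE.tmp"

  if [ "$?" != "0" ]; then
    rm -f "$KEYDIR/$FILE.tmp"
    echo "Recryption error."
    exit 1
  fi

  # Replace the old ciphertext only once the new one is complete
  mv "$KEYDIR/$FILE.tmp" "$KEYDIR/$FILE"
}
```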
@@ -1,41 +0,0 @@ -#!/bin/bash -# -# Append information into encrypted files. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -# Get file -keyringer_get_file "$2" - -OLDIFS="$IFS" -IFS=$'\n' - -CONTENT=($(keyringer_exec decrypt "$BASEDIR" "$FILE")) - -if [ "$BASENAME" == "append" ]; then - # only display directions if we're running append, not append-batch - printf "\n%s currently has %d lines\n\n" "$FILE" "${#CONTENT[@]}" - printf "Now please write the content to be appended on %s, finnishing with Ctrl-D:\n" "$FILE" -fi - -# FIXME: dkg doesn't know how to check that this does proper escaping -# (2010-11-16) - -APPEND=($(cat -)) - -NEW=( ${CONTENT[@]} ${APPEND[@]} ) - -for element in $(seq 0 $((${#NEW[@]} - 1))); do - echo ${NEW[$element]} -done | keyringer_exec encrypt-batch $BASEDIR $FILE - -err="$?" - -if [ "$err" != "0" ]; then - exit "$err" -fi - -IFS="$OLDIFS" diff --git a/share/keyringer/append-batch b/share/keyringer/append-batch deleted file mode 120000 index 6b140f7..0000000 --- a/share/keyringer/append-batch +++ /dev/null @@ -1 +0,0 @@ -append \ No newline at end of file diff --git a/share/keyringer/commands b/share/keyringer/commands deleted file mode 100755 index 139725a..0000000 --- a/share/keyringer/commands +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash -# -# Show available commands -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -keyringer_show_actions diff --git a/share/keyringer/decrypt b/share/keyringer/decrypt deleted file mode 100755 index bab9b34..0000000 --- a/share/keyringer/decrypt +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash -# -# Decrypt files. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -# Get file -keyringer_get_file "$2" - -# Decrypt -$GPG --quiet --use-agent -d "$KEYDIR/$FILE" - -# Exit -exit "$?" 
diff --git a/share/keyringer/del b/share/keyringer/del deleted file mode 100755 index 4eca0e3..0000000 --- a/share/keyringer/del +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/bash -# -# Remove files. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -# Get file -keyringer_get_file "$2" - -# Remove -if [ -d "$BASEDIR/.git" ]; then - keyringer_exec git "$BASEDIR" rm "keys/$FILE" -fi diff --git a/share/keyringer/edit b/share/keyringer/edit deleted file mode 100755 index fe05ecc..0000000 --- a/share/keyringer/edit +++ /dev/null @@ -1,45 +0,0 @@ -#!/bin/bash -# -# Edit keys. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -# Get file -keyringer_get_file "$2" - -# Set recipients file -keyringer_set_recipients "$FILE" - -# Warn user -echo "Make sure that $BASEDIR is atop of an encrypted volume." - -# Set a tmp file -keyringer_set_tmpfile edit - -# Decrypt the information to the file -$GPG --yes -o "$TMPWORK" --use-agent -d "$KEYDIR/$FILE" - -if [ "$BASENAME" == "edit" ]; then - APP="$EDITOR" -elif [ "$BASENAME" == "open" ]; then - if which xdg-open &> /dev/null; then - APP="xdg-open" - else - echo "You should have xdg-open application to perform this action, aborting." - exit 1 - fi -fi - -# Prompt -echo "Press any key to open the decrypted data with $APP, Ctrl-C to abort" -read key -$APP "$TMPWORK" - -# Encrypt again -$GPG --yes -o "$KEYDIR/$FILE" --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") "$TMPWORK" - -# Remove temp file -keyringer_unset_tmpfile "$TMPWORK" diff --git a/share/keyringer/encrypt b/share/keyringer/encrypt deleted file mode 100755 index ac305a4..0000000 --- a/share/keyringer/encrypt +++ /dev/null 
@@ -1,56 +0,0 @@ -#!/bin/bash -# -# Encrypt files to multiple recipients. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -# Aditional parameters -if [ ! -z "$3" ]; then - UNENCRYPTED_FILE="$2" - shift 2 - keyringer_get_new_file "$*" - - if [ ! -f "$UNENCRYPTED_FILE" ]; then - echo "Error: cannot encrypted $UNENCRYPTED_FILE: file not found." - exit 1 - fi -else - UNENCRYPTED_FILE="-" - shift - keyringer_get_new_file $* -fi - -# Set recipients file -keyringer_set_recipients "$FILE" - -# Encrypt -mkdir -p "$KEYDIR/`dirname $FILE`" - -if [ "$BASENAME" == "encrypt" ]; then - # Only display directions if we're running encrypt, not encrypt-batch - if [ "$UNENCRYPTED_FILE" == "-" ]; then - echo "Type your message and finish your input with EOF (Ctrl-D)." - fi -fi - -$GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") --yes --output "$KEYDIR/$FILE" $UNENCRYPTED_FILE - -err="$?" - -if [ "$err" != "0" ]; then - exit "$err" -fi - -if [ "$UNENCRYPTED_FILE" != "-" ]; then - echo "Now make to wipe the non-encrypted $UNENCRYPTED_FILE." -fi - -# Stage -if [ -d "$BASEDIR/.git" ]; then - keyringer_exec git "$BASEDIR" add "keys/$FILE" -fi - -exit "$?" diff --git a/share/keyringer/encrypt-batch b/share/keyringer/encrypt-batch deleted file mode 120000 index 8267197..0000000 --- a/share/keyringer/encrypt-batch +++ /dev/null @@ -1 +0,0 @@ -encrypt \ No newline at end of file diff --git a/share/keyringer/genpair b/share/keyringer/genpair deleted file mode 100755 index f977714..0000000 --- a/share/keyringer/genpair +++ /dev/null 
@@ -1,222 +0,0 @@ -#!/bin/bash -# -# Generate keypairs. -# -# This script is just a wrapper to easily generate keys for -# automated systems. -# - -# Generate a keypair, ssh version -function genpair_ssh { - echo "Make sure that $KEYDIR is atop of an encrypted volume." - read -p "Hit ENTER to continue." prompt - - # We're using empty passphrases - ssh-keygen -t rsa -P '' -f "$TMPWORK/id_rsa" -C "root@$NODE" - - # Encrypt the result - echo "Encrypting secret key into keyringer..." - cat "$TMPWORK/id_rsa" | keyringer_exec encrypt "$BASEDIR" "$FILE" - echo "Encrypting public key into keyringer..." - cat "$TMPWORK/id_rsa.pub" | keyringer_exec encrypt "$BASEDIR" "$FILE.pub" - - if [ ! -z "$OUTFILE" ]; then - mkdir -p `dirname $OUTFILE` - printf "Saving copies at %s and %s.pub\n" "$OUTFILE" "$OUTFILE" - cat "$TMPWORK/id_rsa" > "$OUTFILE" - cat "$TMPWORK/id_rsa.pub" > "$OUTFILE.pub" - fi - - echo "Done" -} - -# Generate a keypair, gpg version -function genpair_gpg { - echo "Make sure that $KEYDIR is atop of an encrypted volume." - - passphrase="no" - passphrase_confirm="confirm" - - while [ "$passphrase" != "$passphrase_confirm" ]; do - read -s -p "Enter password for the private key: " passphrase - printf "\n" - read -s -p "Enter password again: " passphrase_confirm - printf "\n" - - if [ "$passphrase" != "$passphrase_confirm" ]; then - echo "Password don't match." - fi - done - - # TODO: insert random bytes - # TODO: custom Name-Comment and Name-Email - # TODO: allow for empty passphrases - $GPG --homedir "$TMPWORK" --gen-key --batch < "$OUTFILE" - $GPG --armor --homedir "$TMPWORK" --export > "$OUTFILE.pub" - fi - - echo "Done" -} - -# Generate a keypair, ssl version -function genpair_ssl { - echo "Make sure that $KEYDIR is atop of an encrypted volume." - read -p "Hit ENTER to continue." prompt - - # Check for wildcard certs - if [ "`echo $NODE | cut -d . 
-f 1`" == "*" ]; then - WILDCARD="yes" - CNAME="$NODE" - NODE="`echo $NODE | sed -e 's/^\*\.//'`" - else - CNAME="${NODE}" - fi - - # Setup - cd "$TMPWORK" - - # Generate certificate -cat <> openssl.conf -[ req ] -default_keyfile = ${NODE}_privatekey.pem -distinguished_name = req_distinguished_name -encrypt_key = no -req_extensions = v3_req # Extensions to add to certificate request -string_mask = nombstr - -[ req_distinguished_name ] -commonName_default = ${CNAME} -organizationName = Organization Name -organizationalUnitName = Organizational Unit Name -emailAddress = Email Address -localityName = Locality -stateOrProvinceName = State -countryName = Country Name -commonName = Common Name - -[ v3_req ] -extendedKeyUsage=serverAuth,clientAuth -EOF - - # Add SubjectAltNames so wildcard certs can work correctly. - if [ "$WILDCARD" == "yes" ]; then -cat <> openssl.conf -subjectAltName=DNS:${NODE}, DNS:${CNAME} -EOF - fi - - echo "Please review your OpenSSL configuration:" - cat openssl.conf - read -p "Hit ENTER to continue." prompt - - openssl req -batch -nodes -config openssl.conf -newkey rsa:2048 -sha256 \ - -keyout ${NODE}_privatekey.pem -out ${NODE}_csr.pem - - openssl req -noout -text -in ${NODE}_csr.pem - - # Self-sign - if [ "$KEYTYPE" == "ssl-self" ]; then - openssl x509 -in "${NODE}_csr.pem" -out "$NODE.crt" -req -signkey "${NODE}_privatekey.pem" -days 365 - chmod 600 "${NODE}_privatekey.pem" - fi - - # Encrypt the result - echo "Encrypting private key into keyringer..." - cat "${NODE}_privatekey.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.pem" - echo "Encrypting certificate request into keyringer..." - cat "${NODE}_csr.pem" | keyringer_exec encrypt "$BASEDIR" "$FILE.csr" - - if [ "$KEYTYPE" == "ssl-self" ]; then - echo "Encrypting certificate into keyringer..." 
- cat "${NODE}.crt" | keyringer_exec encrypt "$BASEDIR" "$FILE.crt" - elif [ -f "$BASEDIR/keys/$FILE.crt.asc" ]; then - # Remove any existing crt - keyringer_exec del "$BASEDIR" "$FILE.crt" - fi - - cd "$CWD" - - if [ ! -z "$OUTFILE" ]; then - mkdir -p `dirname $OUTFILE` - printf "Saving copies at %s\n" "`dirname $OUTFILE`" - cat "$TMPWORK/${NODE}_privatekey.pem" > "$OUTFILE.pem" - cat "$TMPWORK/${NODE}_csr.pem" > "$OUTFILE.csr" - - if [ -f "$TMPWORK/${NODE}.crt" ]; then - cat "$TMPWORK/${NODE}.crt" > "$OUTFILE.crt" - fi - fi - - # Show cert fingerprint - if [ "$KEYTYPE" == "ssl-self" ]; then - openssl x509 -noout -in "$TMPWORK/${NODE}.crt" -fingerprint - fi - - echo "Done" -} - -# Load functions -LIB="`dirname $0`/../../lib/keyringer" -source "$LIB/functions" || exit 1 - -# Aditional parameters -KEYTYPE="$2" -FILE="$3" -NODE="$4" -OUTFILE="$5" -CWD="`pwd`" - -# Verify -if [ -z "$NODE" ]; then - echo -e "Usage: keyringer $BASENAME [outfile]" - echo -e "Options:" - echo -e "\t gpg|ssh|ssl[-self]: key type." - echo -e "\t file : base file name for encrypted output (relative to keys folder)," - echo -e "\t without spaces" - echo -e "\t hostname : host for the key pair" - echo -e "\t outfile : optional unencrypted output file, useful for deployment," - echo -e "\t without spaces" - exit 1 -elif [ ! -e "$KEYDIR" ]; then - echo "Folder not found: $KEYDIR, leaving" - exit 1 -fi - -# Set a tmp file -keyringer_set_tmpfile genpair -d - -# Dispatch -echo "Generating $KEYTYPE key for $NODE..." -if [ "$KEYTYPE" == "ssl-self" ]; then - genpair_ssl -else - genpair_"$KEYTYPE" -fi - -# Cleanup -cd "$CWD" -rm -rf "$TMPWORK" -trap - EXIT diff --git a/share/keyringer/git b/share/keyringer/git deleted file mode 100755 index cd2a188..0000000 --- a/share/keyringer/git +++ /dev/null 
@@ -1,16 +0,0 @@ -#!/bin/bash -# -# Git wrapper. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -# Aditional parameters -CWD="`pwd`" - -# Run git command -shift -mkdir -p "$BASEDIR" && cd "$BASEDIR" && git $* -cd "$CWD" diff --git a/share/keyringer/ls b/share/keyringer/ls deleted file mode 100755 index 31e8805..0000000 --- a/share/keyringer/ls +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/bash -# -# List keys. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -# Aditional parameters -CWD="`pwd`" - -# Run list command -shift -cd "$KEYDIR" && ls $* -cd "$CWD" diff --git a/share/keyringer/open b/share/keyringer/open deleted file mode 120000 index 8491ab9..0000000 --- a/share/keyringer/open +++ /dev/null @@ -1 +0,0 @@ -edit \ No newline at end of file diff --git a/share/keyringer/options b/share/keyringer/options deleted file mode 100755 index 3047380..0000000 --- a/share/keyringer/options +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/bash -# -# Recipient management. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer" -source "$LIB/functions" || exit 1 - -# Command parser -keyringer_get_command "$2" - -# Create options file if old repository -if [ ! -e "$OPTIONS" ]; then - echo "Creating options file..." - touch "$OPTIONS" - keyringer_exec git "$BASEDIR" add config/options -fi - -if [ "$COMMAND" == "ls" ]; then - cat "$OPTIONS" -elif [ "$COMMAND" == "edit" ]; then - "$EDITOR" "$OPTIONS" -elif [ "$COMMAND" == "add" ]; then - shift 2 - echo $* >> "$OPTIONS" -else - printf "%s: No such command %s\n" "$BASENAME" "$COMMAND" - exit 1 -fi diff --git a/share/keyringer/preferences b/share/keyringer/preferences deleted file mode 100755 index 2819b50..0000000 --- a/share/keyringer/preferences +++ /dev/null 
@@ -1,37 +0,0 @@ -#!/bin/bash -# -# Manipulate preferences. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -COMMAND="$2" - -if [ -z "$COMMAND" ]; then - echo "Usage: keyringer preferences [arguments]" - echo "Available commands:" - echo " ls" - echo " edit" - echo " add" - exit 1 -fi - -# Create options file if old repository -if [ ! -e "$PREFERENCES" ]; then - echo "Creating preferences file..." - touch "$PREFERENCES" -fi - -if [ "$COMMAND" == "ls" ]; then - cat "$PREFERENCES" -elif [ "$COMMAND" == "edit" ]; then - "$EDITOR" "$PREFERENCES" -elif [ "$COMMAND" == "add" ]; then - shift 2 - [[ -n $* ]] && echo $* >> "$PREFERENCES" -else - printf "%s: No such command %s\n" "$BASENAME" "$COMMAND" - exit 1 -fi diff --git a/share/keyringer/recipients b/share/keyringer/recipients deleted file mode 100755 index 0460842..0000000 --- a/share/keyringer/recipients +++ /dev/null 
@@ -1,46 +0,0 @@ -#!/bin/bash -# -# Recipient management. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer" -source "$LIB/functions" || exit 1 - -# Command parser -keyringer_get_command "$2" - -# Set recipients file -keyringer_set_new_recipients "$3" - -if [ "$COMMAND" == "ls" ]; then - if [ ! -z "$3" ]; then - if [ -e "$RECIPIENTS_FILE" ]; then - cat "$RECIPIENTS_FILE" - else - echo "Recipients file not found: $RECIPIENTS_FILE_BASE" - exit 1 - fi - else - for recipients in `ls $RECIPIENTS`; do - echo "In recipients file $recipients:" - echo "-----------------------------------------------------------------------------------" - cat $RECIPIENTS/$recipients - echo "" - done - fi -elif [ "$COMMAND" == "edit" ]; then - if [ ! -z "$3" ]; then - keyringer_create_new_recipients $RECIPIENTS_FILE - $EDITOR "$RECIPIENTS_FILE" - keyringer_check_recipients - keyringer_exec git "$BASEDIR" add "$RECIPIENTS_FILE_BASE" - else - echo "Please specify one recipient to edit among the available:" - ls $RECIPIENTS | sed -e 's/^/\t/' - exit 1 - fi -else - printf "%s: No such command %s\n" "$BASENAME" "$COMMAND" - exit 1 -fi diff --git a/share/keyringer/recrypt b/share/keyringer/recrypt deleted file mode 100755 index 63f7bc6..0000000 --- a/share/keyringer/recrypt +++ /dev/null 
@@ -1,45 +0,0 @@ -#!/bin/bash -# -# Re-encrypt files to multiple recipients. -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -function keyringer_recrypt { - # Get file - keyringer_get_file "$1" - - # Set recipients file - keyringer_set_recipients "$FILE" - - # Decrypt - decrypted="$($GPG --use-agent -d "$KEYDIR/$FILE" 2> /dev/null)" - - if [ "$?" != "0" ]; then - echo "Decryption error." - exit 1 - fi - - # Recrypt - recrypted="`echo "$decrypted" | $GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE")`" - - if [ "$?" != "0" ]; then - echo "Recryption error." - exit 1 - fi - - unset decrypted - echo "$recrypted" > "$KEYDIR/$FILE" -} - -if [ ! -z "$2" ]; then - keyringer_recrypt $2 -else - cd $KEYDIR && find | while read file; do - if [ ! -d "$KEYDIR/$file" ]; then - keyringer_recrypt "$file" - fi - done -fi diff --git a/share/keyringer/usage b/share/keyringer/usage deleted file mode 100755 index a4602ac..0000000 --- a/share/keyringer/usage +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash -# -# Show available commands -# - -# Load functions -LIB="`dirname $0`/../../lib/keyringer/functions" -source "$LIB" || exit 1 - -keyringer_usage -- cgit v1.2.3 From 542dc1e13a658b7be8f2e155799230da91e5a4c3 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 18 Oct 2013 17:08:46 -0300 Subject: ChangeLog update --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index 7e946d4..85f121a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2013-10-18 - Silvio Rhatto + + Strict FHS compliance (closes #18) + 2013-10-04 - 0.2.6 Silvio Rhatto Removing debian specifics from the master branch (#1) -- cgit v1.2.3 From 68015ba7a8903d03802fca12676e55b5281d51d8 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 22 Oct 2013 21:52:25 -0200 Subject: Fix remaining share -> lib issue --- keyringer | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/keyringer b/keyringer
index 604ef1d..abd0a57 100755
--- a/keyringer
+++ b/keyringer
@@ -142,7 +142,7 @@ if [ -e "`dirname $(readlink -f $0)`/lib/$NAME/actions" ]; then
 ACTIONS="`dirname $(readlink -f $0)`/lib/$NAME/actions"
 else
 # System installation layout
- ACTIONS="`dirname $(readlink -f $0)`/../share/$NAME"
+ ACTIONS="`dirname $(readlink -f $0)`/../lib/$NAME/actions"
 fi
 
 # Load functions
-- cgit v1.2.3
From 42e90fa4aadf20bb9f601f827617a04797eb5c4c Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Thu, 24 Oct 2013 14:28:03 -0200
Subject: Debian packaging / upstream guide
---
 development.mdwn | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/development.mdwn b/development.mdwn
index 035f9aa..f432ca8 100644
--- a/development.mdwn
+++ b/development.mdwn
@@ -108,3 +108,5 @@ References
 * [git-pbuilder](https://wiki.debian.org/git-pbuilder).
 * [PackagingWithGit - Debian Wiki](https://wiki.debian.org/PackagingWithGit).
 * [Generating pristine tarballs from git repositories](http://joeyh.name/blog/entry/generating_pristine_tarballs_from_git_repositories/).
+* [Debian Packaging](https://wiki.debian.org/Packaging).
+* [Debian Upstream Guide](https://wiki.debian.org/UpstreamGuide).
-- cgit v1.2.3
From 47eb829ca054682f7ee16b07d8c6e2b0221f9397 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Thu, 24 Oct 2013 21:08:15 -0200
Subject: Dev note
---
 development.mdwn | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/development.mdwn b/development.mdwn
index f432ca8..8c0c1ad 100644
--- a/development.mdwn
+++ b/development.mdwn
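Review bot: The new ACTIONS assignment leaves `$0` unquoted inside both the backticks and `$(readlink -f $0)`, so an installation path containing whitespace is word-split before `dirname` sees it, and the same expression is already repeated in the `if` test and the first branch. Suggest resolving it once above the `if` (which starts outside the hunk) as `BASE="$(dirname "$(readlink -f "$0")")"` and then writing `ACTIONS="$BASE/../lib/$NAME/actions"` in this branch. Since `$ACTIONS` appears to be the directory keyringer loads its action scripts from, a single quoted, canonical resolution also makes that lookup easier to audit.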
@@ -91,11 +91,12 @@ Notes: * `git-import-orig` takes care of running `pristine-tar commit`, of merging of the tag and orig tarball into the upstream branch, and then it merges the result into the debian branch. With the above configuration, it also runs git-dch to do the bulk of the work in `debian/changelog`. * To build a development package, checkout the debian branch, merge master, run `git-dch --auto --snapshot` and build. -Adding a subcommand -------------------- +Adding or changing a subcommand +------------------------------- -When adding a new subcommand, ensure: +When adding a new subcommand or changing subcommand behavior, ensure: +* Documentation is updated. * Manpage is updated. * Shell completions are updated. -- cgit v1.2.3 From 42e81a0d15be5c62913c51f16986c5ea8fc92c70 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 24 Oct 2013 21:15:16 -0200 Subject: FIXME moved to #26 --- lib/keyringer/actions/append | 3 --- 1 file changed, 3 deletions(-) diff --git a/lib/keyringer/actions/append b/lib/keyringer/actions/append index 30c2d5b..e945bff 100755 --- a/lib/keyringer/actions/append +++ b/lib/keyringer/actions/append @@ -21,9 +21,6 @@ if [ "$BASENAME" == "append" ]; then printf "Now please write the content to be appended on %s, finnishing with Ctrl-D:\n" "$FILE" fi -# FIXME: dkg doesn't know how to check that this does proper escaping -# (2010-11-16) - APPEND=($(cat -)) NEW=( ${CONTENT[@]} ${APPEND[@]} ) -- cgit v1.2.3 From 3a03d2a8e068fc38b1d87134b86c4f62abfcf65b Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 24 Oct 2013 21:30:18 -0200 Subject: Minor fix --- lib/keyringer/functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 66a23df..0864b91 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions 
@@ -504,7 +504,7 @@ function keyringer_set_new_recipients { function keyringer_create_new_recipients { if [ ! -e "$1" ]; then mkdir -p "`dirname $1`" - echo "# Use entries in the form of 'john@doe.com XXXXXXXX" > "$1" + echo "# Use entries in the form of 'john@doe.com XXXXXXXX'" > "$1" echo "" >> "$1" fi } -- cgit v1.2.3 From 85d7c3258505b7f065e30d62024d22c796077726 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 24 Oct 2013 21:32:57 -0200 Subject: Manpage update --- share/man/keyringer.1 | 64 ++++++++++++++++++++++++++++++++++------------ share/man/keyringer.1.mdwn | 63 ++++++++++++++++++++++++++++++++------------- 2 files changed, 93 insertions(+), 34 deletions(-) diff --git a/share/man/keyringer.1 b/share/man/keyringer.1 index 9b6a2f5..c140dc5 100644 --- a/share/man/keyringer.1 +++ b/share/man/keyringer.1 @@ -1,4 +1,4 @@ -.TH KEYRINGER 1 "Sep 10, 2013" "Keyringer User Manual" +.TH KEYRINGER 1 "Oct 24, 2013" "Keyringer User Manual" .SH NAME .PP keyringer - encrypted and distributed secret sharing software @@ -7,8 +7,14 @@ keyringer - encrypted and distributed secret sharing software keyringer <\f[I]keyring\f[]> <\f[I]action\f[]> [\f[I]options\f[]]... .SH DESCRIPTION .PP -Keyringer lets you manage and share secrets using GPG and git with -custom commands to encrypt, decrypt, recrypt, create key pairs, etc. +Keyringer lets you manage and share secrets using GnuPG and Git in a +distributed fashion. +.PP +It has custom commands to encrypt, decrypt and recrypt secrets as well +as create key pairs and supports encryption to multiple recipients and +groups of different recipients to ensure the same repository can be +shared with a workgroup but allowing to keep some secrets available just +to subsets of that group. .PP Secrets are encrypted using GPG and added to a git tree so later then can be synced with remote branches. 
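Review bot: The template line written by `keyringer_create_new_recipients` still shows an eight-character `XXXXXXXX` placeholder, while the manpage updated later in this series documents recipient entries as full OpenPGP fingerprints (`john@doe.com XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX`). An eight-hex example invites users to paste short key IDs, which do not uniquely identify a key; suggest `echo "# Use entries in the form of 'john@doe.com XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'" > "$1"` so the generated file matches the documented 40-character form. Separately, `mkdir -p "`dirname $1`"` leaves `$1` unquoted inside the backticks; `mkdir -p "$(dirname "$1")"` avoids word splitting on recipient paths with spaces.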
@@ -58,10 +64,12 @@ No spaces are allowed in the secret name. .PP Secret manipulation actions do not commit changes into the secret repository. -After any manipulation, the user has to manually commit the changes -using the git wrapper action. +Instead, the user has to manually commit the changes using the git +wrapper action. .PP -append <\f[I]secret\f[]> : Append contents into a secret. +append <\f[I]secret\f[]> : Append contents into a secret by decrypting +the secret, appending lines read from the standard input and encrypting +again. .PP append-batch <\f[I]secret\f[]> : Append contents into a secret, batch mode. @@ -71,10 +79,12 @@ decrypt <\f[I]secret\f[]> : Decrypts a secret into standard output. del <\f[I]secret\f[]> : Removes a secret using git. After deleting a secret a git commit and push is still needed to update remote repositories. -To completely remove a file from a keyring, you should also rewrite the -git history by yourself. .PP -edit <\f[I]secret\f[]> : Edits a secret by temporarily decrypting it, +Please note that this command \f[B]does not remove the secret from the +git history.\f[] To completely remove a file from a keyring, you should +also rewrite the git history by yourself. +.PP +edit <\f[I]secret\f[]> : Edit a secret by temporarily decrypting it, opening the decrypted copy into the text editor defined by the \f[I]$EDITOR\f[] environment variable and then recrypting it again. .PP 
@@ -88,7 +98,12 @@ genpair <\f[I]ssh\f[]|\f[I]gpg\f[]|\f[I]ssl\f[]|\f[I]ssl-self\f[]> [\f[I]options\f[]] : Wrapper to generete encryption keypairs, useful for automated key deployment. .PP -open <\f[I]secret\f[]> : Open a secret using xdg-open. +open <\f[I]secret\f[]> : Decrypt a secret into a temporary folder and +opening it using xdg-open which then tries to figure out the file type +and calling the associated application. +.PP +After the application exits, keyringer encrypts the temporary decrypted +file again into the secret file. .PP recrypt <\f[I]secret\f[]> : Recrypts a secret by decrypting it and recrypting again. @@ -108,6 +123,10 @@ saved into the repository, making it available for all users with access to the repository and hence is a \f[I]global\f[] configuration stanza for a given keyring. .PP +Options are written using the \f[I]KEY=VALUE\f[] syntax. +All lines starting with the hash (#) character are interpreted as +comments. +.PP preferences <\f[I]ls\f[]|\f[I]edit\f[]|\f[I]add\f[]> : List, edit or add \f[I]user\f[] preferences for a given repository. .PP 
@@ -115,11 +134,18 @@ User preferences are specific configurations for the keyring which are saved into the user\[aq]s keyringer folder (\f[C]$HOME/.keyringer/\f[]) hence not shared with the other users. .PP -recipients <\f[I]ls\f[]|\f[I]edit\f[]> <\f[I]recipient-file\f[]> : List -or edit recipient configuration. +Preferences are written using the \f[I]KEY=VALUE\f[] syntax. +All lines starting with the hash (#) character are interpreted as +comments. +.PP +usage : Show keyringer usage information. +.PP +recipients <\f[I]ls\f[]|\f[I]edit\f[]> <\f[I]recipient-file\f[]> : List, +create or edit recipient configuration. .PP Recipient files are lists of OpenPGP public key fingerprints which are -used by keyringer when encrypting secrets. +used by keyringer when encrypting secrets and associated with email +aliases. .PP Keyringer uses a default recipient file and supports custom \f[I]recipient-files\f[] which overrides the default recipient file 
@@ -133,19 +159,25 @@ will result in a file \f[C]$KEYRING_FOLDER/keys/accounting/bank-accounts.asc\f[] encrypted using the public keys listed in \f[C]$KEYRING_FOLDER/config/recipients/accounting\f[] config file. +.PP +Each line in a recipients file has entries in the form of +\[aq]john\@doe.com XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\[aq], where +\f[I]john\@doe.com\f[] is an alias for the GPG public key whose +fingerprint is \f[I]XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.\f[] +.PP +All lines starting with the hash (#) character are interpreted as +comments. .SS OPTIONS .PP ls : List all existing recipient files. .PP edit : Create or edit a recipient-file. .PP -Edition happens using the editor specified by the \f[C]$EDITOR\f[] +Editing happens using the editor specified by the \f[C]$EDITOR\f[] environment variable. .PP The required parameter \f[I]recipient-file\f[] is taken relativelly from the \f[C]$KEYRING_FOLDER/config/recipients/\f[] folder. -.PP -usage : Show keyringer usage information. .SH FILES .PP $HOME/.keyringer/config : User\[aq]s main configuration file used to map diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn index d7fb2a6..e4713bd 100644 --- a/share/man/keyringer.1.mdwn +++ b/share/man/keyringer.1.mdwn @@ -1,6 +1,6 @@ % KEYRINGER(1) Keyringer User Manual % Silvio Rhatto -% Sep 10, 2013 +% Oct 24, 2013 # NAME 
@@ -12,11 +12,17 @@ keyringer <*keyring*> <*action*> [*options*]... # DESCRIPTION -Keyringer lets you manage and share secrets using GPG and git with custom -commands to encrypt, decrypt, recrypt, create key pairs, etc. +Keyringer lets you manage and share secrets using GnuPG and Git in a +distributed fashion. -Secrets are encrypted using GPG and added to a git tree so later then can -be synced with remote branches. +It has custom commands to encrypt, decrypt and recrypt secrets as well as +create key pairs and supports encryption to multiple recipients and groups of +different recipients to ensure the same repository can be shared with a +workgroup but allowing to keep some secrets available just to subsets of that +group. + +Secrets are encrypted using GPG and added to a git tree so later then can be +synced with remote branches. # ACTIONS @@ -58,11 +64,12 @@ pathname. No spaces are allowed in the secret name. Secret manipulation actions do not commit changes into the secret repository. -After any manipulation, the user has to manually commit the changes using the -git wrapper action. +Instead, the user has to manually commit the changes using the git wrapper +action. append <*secret*> -: Append contents into a secret. +: Append contents into a secret by decrypting the secret, appending lines read + from the standard input and encrypting again. append-batch <*secret*> : Append contents into a secret, batch mode. 
@@ -72,11 +79,14 @@ decrypt <*secret*> del <*secret*> : Removes a secret using git. After deleting a secret a git commit and push is still - needed to update remote repositories. To completely remove a file from a keyring, - you should also rewrite the git history by yourself. + needed to update remote repositories. + + Please note that this command **does not remove the secret from the git history.** + To completely remove a file from a keyring, you should also rewrite the git + history by yourself. edit <*secret*> -: Edits a secret by temporarily decrypting it, opening the decrypted copy into the +: Edit a secret by temporarily decrypting it, opening the decrypted copy into the text editor defined by the *$EDITOR* environment variable and then recrypting it again. @@ -91,7 +101,11 @@ genpair <*ssh*|*gpg*|*ssl*|*ssl-self*> [*options*] : Wrapper to generete encryption keypairs, useful for automated key deployment. open <*secret*> -: Open a secret using xdg-open. +: Decrypt a secret into a temporary folder and opening it using xdg-open which + then tries to figure out the file type and calling the associated application. + + After the application exits, keyringer encrypts the temporary decrypted file + again into the secret file. recrypt <*secret*> : Recrypts a secret by decrypting it and recrypting again. Useful when users are added @@ -110,6 +124,9 @@ options <*ls*|*edit*|*add*> saved into the repository, making it available for all users with access to the repository and hence is a *global* configuration stanza for a given keyring. + Options are written using the *KEY=VALUE* syntax. All lines starting with the + hash (#) character are interpreted as comments. + preferences <*ls*|*edit*|*add*> : List, edit or add *user* preferences for a given repository. 
@@ -117,11 +134,17 @@ preferences <*ls*|*edit*|*add*> saved into the user's keyringer folder (`$HOME/.keyringer/`) hence not shared with the other users. + Preferences are written using the *KEY=VALUE* syntax. All lines starting with the + hash (#) character are interpreted as comments. + +usage +: Show keyringer usage information. + recipients <*ls*|*edit*> <*recipient-file*> -: List or edit recipient configuration. +: List, create or edit recipient configuration. Recipient files are lists of OpenPGP public key fingerprints which are used - by keyringer when encrypting secrets. + by keyringer when encrypting secrets and associated with email aliases. Keyringer uses a default recipient file and supports custom *recipient-files* which overrides the default recipient file according to it's matching pathname. @@ -134,6 +157,13 @@ recipients <*ls*|*edit*> <*recipient-file*> public keys listed in `$KEYRING_FOLDER/config/recipients/accounting` config file. + Each line in a recipients file has entries in the form of + 'john@doe.com XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', where *john@doe.com* + is an alias for the GPG public key whose fingerprint is + *XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.* + + All lines starting with the hash (#) character are interpreted as comments. + ### OPTIONS ls @@ -142,15 +172,12 @@ ls edit : Create or edit a recipient-file. - Edition happens using the editor specified by the `$EDITOR` + Editing happens using the editor specified by the `$EDITOR` environment variable. The required parameter *recipient-file* is taken relativelly from the `$KEYRING_FOLDER/config/recipients/` folder. -usage -: Show keyringer usage information. - # FILES $HOME/.keyringer/config -- cgit v1.2.3 From bfc4231e2beb7507e4de5a3533b9e9dd7ed2e926 Mon Sep 17 00:00:00 2001 
From: Silvio Rhatto Date: Fri, 25 Oct 2013 20:45:37 -0200 Subject: Manpage formatting --- share/man/keyringer.1 | 174 +++++++++++++++++++++++++++++---------------- share/man/keyringer.1.mdwn | 158 ++++++++++++++++++++-------------------- 2 files changed, 191 insertions(+), 141 deletions(-) diff --git a/share/man/keyringer.1 b/share/man/keyringer.1 index c140dc5..c9c923b 100644 --- a/share/man/keyringer.1 +++ b/share/man/keyringer.1 @@ -27,12 +27,13 @@ Repository lookup and manipulation actions. Secret manipulation actions. .IP "3." 3 Configuration actions. -.SS REPOSITORY LOOKUP AND MANIPULATION ACTIONS -.PP -init <\f[I]path\f[]> [\f[I]remote\f[]] : Initialize a new keyringer -repository. +.SH REPOSITORY LOOKUP AND MANIPULATION ACTIONS +.TP +.B init <\f[I]path\f[]> [\f[I]remote\f[]] +Initialize a new keyringer repository. If a \f[I]remote\f[] URL is specified, keyringer will clone an existing repository. +.RS .PP After initialization, \f[I]path\f[] will contain a folder structure for storing secrets and metadata (user aka recipients, groups of recipients, 
@@ -40,18 +41,23 @@ etc). .PP Also, an entry on \f[C]$HOME/.keyringer/config\f[] will be added allowing keyringer to find the keyring by it\[aq]s alias. -.PP -git <\f[I]action\f[]> <\f[I]options\f[]> : Git wrapper that operates -from the toplevel keyring repository. +.RE +.TP +.B git <\f[I]action\f[]> <\f[I]options\f[]> +Git wrapper that operates from the toplevel keyring repository. You can issue any \f[I]GIT(1)\f[] subcommand with this action that it will be applied into the keyring repository. -.PP -ls <\f[I]path\f[]> : List contents from the toplevel repository -\f[I]keys\f[] folder or from relative paths if \f[I]path\f[] is -specified. +.RS +.RE +.TP +.B ls <\f[I]path\f[]> +List contents from the toplevel repository \f[I]keys\f[] folder or from +relative paths if \f[I]path\f[] is specified. Like the git wrapper, this is a wrapper around the \f[I]LS(1)\f[] command. -.SS SECRET MANIPULATION ACTIONS +.RS +.RE +.SH SECRET MANIPULATION ACTIONS .PP All secret manipulation actions operates upon a \f[I]secret\f[] which is the pathname of an encrypted file relative to keyring with optional 
@@ -66,57 +72,87 @@ Secret manipulation actions do not commit changes into the secret repository. Instead, the user has to manually commit the changes using the git wrapper action. -.PP -append <\f[I]secret\f[]> : Append contents into a secret by decrypting -the secret, appending lines read from the standard input and encrypting -again. -.PP -append-batch <\f[I]secret\f[]> : Append contents into a secret, batch -mode. -.PP -decrypt <\f[I]secret\f[]> : Decrypts a secret into standard output. -.PP -del <\f[I]secret\f[]> : Removes a secret using git. +.TP +.B append <\f[I]secret\f[]> +Append contents into a secret by decrypting the secret, appending lines +read from the standard input and encrypting again. +.RS +.RE +.TP +.B append-batch <\f[I]secret\f[]> +Append contents into a secret, batch mode. +.RS +.RE +.TP +.B decrypt <\f[I]secret\f[]> +Decrypts a secret into standard output. +.RS +.RE +.TP +.B del <\f[I]secret\f[]> +Removes a secret using git. After deleting a secret a git commit and push is still needed to update remote repositories. +.RS .PP Please note that this command \f[B]does not remove the secret from the git history.\f[] To completely remove a file from a keyring, you should also rewrite the git history by yourself. -.PP -edit <\f[I]secret\f[]> : Edit a secret by temporarily decrypting it, -opening the decrypted copy into the text editor defined by the -\f[I]$EDITOR\f[] environment variable and then recrypting it again. -.PP -encrypt [\f[I]file\f[]] <\f[I]secret\f[]> : Encrypts content from -standard input or \f[I]file\f[] into \f[I]secret\f[] pathname. +.RE +.TP +.B edit <\f[I]secret\f[]> +Edit a secret by temporarily decrypting it, opening the decrypted copy +into the text editor defined by the \f[I]$EDITOR\f[] environment +variable and then recrypting it again. +.RS +.RE +.TP +.B encrypt [\f[I]file\f[]] <\f[I]secret\f[]> +Encrypts content from standard input or \f[I]file\f[] into +\f[I]secret\f[] pathname. 
No spaces are supported in the \f[I]file\f[] name. -.PP -encrypt-batch <\f[I]secret\f[]> : Encrypt content, batch mode. -.PP -genpair <\f[I]ssh\f[]|\f[I]gpg\f[]|\f[I]ssl\f[]|\f[I]ssl-self\f[]> -[\f[I]options\f[]] : Wrapper to generete encryption keypairs, useful for -automated key deployment. -.PP -open <\f[I]secret\f[]> : Decrypt a secret into a temporary folder and -opening it using xdg-open which then tries to figure out the file type -and calling the associated application. +.RS +.RE +.TP +.B encrypt-batch <\f[I]secret\f[]> +Encrypt content, batch mode. +.RS +.RE +.TP +.B genpair <\f[I]ssh\f[]|\f[I]gpg\f[]|\f[I]ssl\f[]|\f[I]ssl-self\f[]> +[\f[I]options\f[]] +Wrapper to generete encryption keypairs, useful for automated key +deployment. +.RS +.RE +.TP +.B open <\f[I]secret\f[]> +Decrypt a secret into a temporary folder and opening it using xdg-open +which then tries to figure out the file type and calling the associated +application. +.RS .PP After the application exits, keyringer encrypts the temporary decrypted file again into the secret file. -.PP -recrypt <\f[I]secret\f[]> : Recrypts a secret by decrypting it and -recrypting again. +.RE +.TP +.B recrypt <\f[I]secret\f[]> +Recrypts a secret by decrypting it and recrypting again. Useful when users are added into recipient configuration. If no \f[I]secret\f[] is given, all secrets in the repository are re-encrypted. -.SS CONFIGURATION ACTIONS -.PP -commands : List available actions, useful for shell completion and -syntax check. -.PP -options <\f[I]ls\f[]|\f[I]edit\f[]|\f[I]add\f[]> : List, edit or add -miscelaneous \f[I]repository\f[] options. +.RS +.RE +.SH CONFIGURATION ACTIONS +.TP +.B commands +List available actions, useful for shell completion and syntax check. +.RS +.RE +.TP +.B options <\f[I]ls\f[]|\f[I]edit\f[]|\f[I]add\f[]> +List, edit or add miscelaneous \f[I]repository\f[] options. 
+.RS .PP Repository options are specific configurations for the keyring which are saved into the repository, making it available for all users with access @@ -126,9 +162,11 @@ for a given keyring. Options are written using the \f[I]KEY=VALUE\f[] syntax. All lines starting with the hash (#) character are interpreted as comments. -.PP -preferences <\f[I]ls\f[]|\f[I]edit\f[]|\f[I]add\f[]> : List, edit or add -\f[I]user\f[] preferences for a given repository. +.RE +.TP +.B preferences <\f[I]ls\f[]|\f[I]edit\f[]|\f[I]add\f[]> +List, edit or add \f[I]user\f[] preferences for a given repository. +.RS .PP User preferences are specific configurations for the keyring which are saved into the user\[aq]s keyringer folder (\f[C]$HOME/.keyringer/\f[]) @@ -137,11 +175,16 @@ hence not shared with the other users. Preferences are written using the \f[I]KEY=VALUE\f[] syntax. All lines starting with the hash (#) character are interpreted as comments. -.PP -usage : Show keyringer usage information. -.PP -recipients <\f[I]ls\f[]|\f[I]edit\f[]> <\f[I]recipient-file\f[]> : List, -create or edit recipient configuration. +.RE +.TP +.B usage +Show keyringer usage information. +.RS +.RE +.TP +.B recipients <\f[I]ls\f[]|\f[I]edit\f[]> <\f[I]recipient-file\f[]> +List, create or edit recipient configuration. +.RS .PP Recipient files are lists of OpenPGP public key fingerprints which are used by keyringer when encrypting secrets and associated with email 
@@ -167,17 +210,24 @@ fingerprint is \f[I]XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.\f[] .PP All lines starting with the hash (#) character are interpreted as comments. +.RE .SS OPTIONS -.PP -ls : List all existing recipient files. -.PP -edit : Create or edit a recipient-file. +.TP +.B ls +List all existing recipient files. +.RS +.RE +.TP +.B edit +Create or edit a recipient-file. +.RS .PP Editing happens using the editor specified by the \f[C]$EDITOR\f[] environment variable. .PP The required parameter \f[I]recipient-file\f[] is taken relativelly from the \f[C]$KEYRING_FOLDER/config/recipients/\f[] folder. +.RE .SH FILES .PP $HOME/.keyringer/config : User\[aq]s main configuration file used to map diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn index e4713bd..d77fb92 100644 --- a/share/man/keyringer.1.mdwn +++ b/share/man/keyringer.1.mdwn 
@@ -32,28 +32,28 @@ Keyringer has three types of actions: 2. Secret manipulation actions. 3. Configuration actions. -## REPOSITORY LOOKUP AND MANIPULATION ACTIONS +# REPOSITORY LOOKUP AND MANIPULATION ACTIONS init <*path*> [*remote*] -: Initialize a new keyringer repository. If a *remote* URL is specified, keyringer will - clone an existing repository. +: Initialize a new keyringer repository. If a *remote* URL is specified, keyringer will + clone an existing repository. - After initialization, *path* will contain a folder structure for storing secrets - and metadata (user aka recipients, groups of recipients, etc). + After initialization, *path* will contain a folder structure for storing secrets + and metadata (user aka recipients, groups of recipients, etc). - Also, an entry on `$HOME/.keyringer/config` will be added allowing keyringer to - find the keyring by it's alias. + Also, an entry on `$HOME/.keyringer/config` will be added allowing keyringer to + find the keyring by it's alias. git <*action*> <*options*> -: Git wrapper that operates from the toplevel keyring repository. You can issue any - *GIT(1)* subcommand with this action that it will be applied into the keyring repository. +: Git wrapper that operates from the toplevel keyring repository. You can issue any + *GIT(1)* subcommand with this action that it will be applied into the keyring repository. ls <*path*> -: List contents from the toplevel repository *keys* folder or from relative paths - if *path* is specified. Like the git wrapper, this is a wrapper around the *LS(1)* - command. +: List contents from the toplevel repository *keys* folder or from relative paths + if *path* is specified. Like the git wrapper, this is a wrapper around the *LS(1)* + command. -## SECRET MANIPULATION ACTIONS +# SECRET MANIPULATION ACTIONS All secret manipulation actions operates upon a *secret* which is the pathname of an encrypted file relative to keyring with optional `.asc` extension. 
@@ -68,127 +68,127 @@ Instead, the user has to manually commit the changes using the git wrapper action. append <*secret*> -: Append contents into a secret by decrypting the secret, appending lines read - from the standard input and encrypting again. +: Append contents into a secret by decrypting the secret, appending lines read + from the standard input and encrypting again. append-batch <*secret*> -: Append contents into a secret, batch mode. +: Append contents into a secret, batch mode. decrypt <*secret*> -: Decrypts a secret into standard output. +: Decrypts a secret into standard output. del <*secret*> -: Removes a secret using git. After deleting a secret a git commit and push is still - needed to update remote repositories. +: Removes a secret using git. After deleting a secret a git commit and push is still + needed to update remote repositories. - Please note that this command **does not remove the secret from the git history.** - To completely remove a file from a keyring, you should also rewrite the git - history by yourself. + Please note that this command **does not remove the secret from the git history.** + To completely remove a file from a keyring, you should also rewrite the git + history by yourself. edit <*secret*> -: Edit a secret by temporarily decrypting it, opening the decrypted copy into the - text editor defined by the *$EDITOR* environment variable and then recrypting it - again. +: Edit a secret by temporarily decrypting it, opening the decrypted copy into the + text editor defined by the *$EDITOR* environment variable and then recrypting it + again. encrypt [*file*] <*secret*> -: Encrypts content from standard input or *file* into *secret* pathname. No spaces - are supported in the *file* name. +: Encrypts content from standard input or *file* into *secret* pathname. No spaces + are supported in the *file* name. encrypt-batch <*secret*> -: Encrypt content, batch mode. +: Encrypt content, batch mode. 
genpair <*ssh*|*gpg*|*ssl*|*ssl-self*> [*options*] -: Wrapper to generete encryption keypairs, useful for automated key deployment. +: Wrapper to generete encryption keypairs, useful for automated key deployment. open <*secret*> -: Decrypt a secret into a temporary folder and opening it using xdg-open which - then tries to figure out the file type and calling the associated application. +: Decrypt a secret into a temporary folder and opening it using xdg-open which + then tries to figure out the file type and calling the associated application. - After the application exits, keyringer encrypts the temporary decrypted file - again into the secret file. + After the application exits, keyringer encrypts the temporary decrypted file + again into the secret file. recrypt <*secret*> -: Recrypts a secret by decrypting it and recrypting again. Useful when users are added - into recipient configuration. If no *secret* is given, all secrets in the repository - are re-encrypted. +: Recrypts a secret by decrypting it and recrypting again. Useful when users are added + into recipient configuration. If no *secret* is given, all secrets in the repository + are re-encrypted. -## CONFIGURATION ACTIONS +# CONFIGURATION ACTIONS commands -: List available actions, useful for shell completion and syntax check. +: List available actions, useful for shell completion and syntax check. options <*ls*|*edit*|*add*> -: List, edit or add miscelaneous *repository* options. +: List, edit or add miscelaneous *repository* options. - Repository options are specific configurations for the keyring which are - saved into the repository, making it available for all users with access to the - repository and hence is a *global* configuration stanza for a given keyring. + Repository options are specific configurations for the keyring which are + saved into the repository, making it available for all users with access to the + repository and hence is a *global* configuration stanza for a given keyring. 
- Options are written using the *KEY=VALUE* syntax. All lines starting with the - hash (#) character are interpreted as comments. + Options are written using the *KEY=VALUE* syntax. All lines starting with the + hash (#) character are interpreted as comments. preferences <*ls*|*edit*|*add*> -: List, edit or add *user* preferences for a given repository. +: List, edit or add *user* preferences for a given repository. - User preferences are specific configurations for the keyring which are - saved into the user's keyringer folder (`$HOME/.keyringer/`) hence not - shared with the other users. + User preferences are specific configurations for the keyring which are + saved into the user's keyringer folder (`$HOME/.keyringer/`) hence not + shared with the other users. - Preferences are written using the *KEY=VALUE* syntax. All lines starting with the - hash (#) character are interpreted as comments. + Preferences are written using the *KEY=VALUE* syntax. All lines starting with the + hash (#) character are interpreted as comments. usage -: Show keyringer usage information. +: Show keyringer usage information. recipients <*ls*|*edit*> <*recipient-file*> -: List, create or edit recipient configuration. +: List, create or edit recipient configuration. - Recipient files are lists of OpenPGP public key fingerprints which are used - by keyringer when encrypting secrets and associated with email aliases. + Recipient files are lists of OpenPGP public key fingerprints which are used + by keyringer when encrypting secrets and associated with email aliases. - Keyringer uses a default recipient file and supports custom *recipient-files* which - overrides the default recipient file according to it's matching pathname. + Keyringer uses a default recipient file and supports custom *recipient-files* which + overrides the default recipient file according to it's matching pathname. 
- For instance, a the *recipient-file* called *accounting* will be used - wherever a user encrypts a secret to a file residing from the *accounting* - folder in the keyring repository. In that case, encrypting a secret into - *accounting/bank-accounts* will result in a file - `$KEYRING_FOLDER/keys/accounting/bank-accounts.asc` encrypted using the - public keys listed in `$KEYRING_FOLDER/config/recipients/accounting` config - file. + For instance, a the *recipient-file* called *accounting* will be used + wherever a user encrypts a secret to a file residing from the *accounting* + folder in the keyring repository. In that case, encrypting a secret into + *accounting/bank-accounts* will result in a file + `$KEYRING_FOLDER/keys/accounting/bank-accounts.asc` encrypted using the + public keys listed in `$KEYRING_FOLDER/config/recipients/accounting` config + file. - Each line in a recipients file has entries in the form of - 'john@doe.com XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', where *john@doe.com* - is an alias for the GPG public key whose fingerprint is - *XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.* + Each line in a recipients file has entries in the form of + 'john@doe.com XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', where *john@doe.com* + is an alias for the GPG public key whose fingerprint is + *XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.* - All lines starting with the hash (#) character are interpreted as comments. + All lines starting with the hash (#) character are interpreted as comments. -### OPTIONS +## OPTIONS ls -: List all existing recipient files. +: List all existing recipient files. edit -: Create or edit a recipient-file. +: Create or edit a recipient-file. - Editing happens using the editor specified by the `$EDITOR` - environment variable. + Editing happens using the editor specified by the `$EDITOR` + environment variable. - The required parameter *recipient-file* is taken relativelly - from the `$KEYRING_FOLDER/config/recipients/` folder. 
+ The required parameter *recipient-file* is taken relativelly + from the `$KEYRING_FOLDER/config/recipients/` folder. # FILES $HOME/.keyringer/config -: User's main configuration file used to map alias names to keyrings. +: User's main configuration file used to map alias names to keyrings. $HOME/.keyringer/*keyring* -: User preferences for the keyringer aliased *keyring* keyring. +: User preferences for the keyringer aliased *keyring* keyring. $KEYRING_FOLDER/config/options -: Custom keyring options which will be applied for all users that use - the keyringer repository. +: Custom keyring options which will be applied for all users that use + the keyringer repository. # LIMITATIONS -- cgit v1.2.3 From e52add756e7d6d79516e96639dd020303fc93348 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 25 Oct 2013 21:13:22 -0200 Subject: Manpage: limitations --- index.mdwn | 2 ++ share/man/keyringer.1 | 11 +++++---- share/man/keyringer.1.mdwn | 61 +++++++++++++++++++++++++++++++++++----------- 3 files changed, 55 insertions(+), 19 deletions(-) diff --git a/index.mdwn b/index.mdwn index 5985cf6..cc70d60 100644 --- a/index.mdwn +++ b/index.mdwn @@ -4,6 +4,8 @@ Keyringer lets you manage and share secrets using GPG and git with custom commands to encrypt, decrypt, recrypt, create key pairs, etc. - Project page: [https://keyringer.pw](https://keyringer.pw) +- Manpage: [keyringer.1](share/man/keyringer.1) +- License: [GPLv3+](LICENSE). - Issue tracker: [https://keyringer.pw/trac](https://keyringer.pw/trac) - Tor hidden service: [http://y6ntvl5bzs3c7ffa.onion](http://y6ntvl5bzs3c7ffa.onion) - Releases: [https://keyringer.pw/releases](releases) diff --git a/share/man/keyringer.1 b/share/man/keyringer.1 index c9c923b..9f9f835 100644 --- a/share/man/keyringer.1 +++ b/share/man/keyringer.1 
@@ -210,15 +210,15 @@ fingerprint is \f[I]XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.\f[] .PP All lines starting with the hash (#) character are interpreted as comments. -.RE -.SS OPTIONS +.PP +Parameters to the \f[I]recipients\f[] subcommand are: .TP -.B ls +.B \f[I]ls\f[] List all existing recipient files. .RS .RE .TP -.B edit +.B \f[I]edit\f[] Create or edit a recipient-file. .RS .PP @@ -228,6 +228,7 @@ environment variable. The required parameter \f[I]recipient-file\f[] is taken relativelly from the \f[C]$KEYRING_FOLDER/config/recipients/\f[] folder. .RE +.RE .SH FILES .PP $HOME/.keyringer/config : User\[aq]s main configuration file used to map @@ -247,4 +248,4 @@ documentation. The Keyringer source code and all documentation may be downloaded from . .SH AUTHORS -Silvio Rhatto. +Silvio Rhatto . diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn index d77fb92..7e79b35 100644 --- a/share/man/keyringer.1.mdwn +++ b/share/man/keyringer.1.mdwn @@ -1,6 +1,6 @@ % KEYRINGER(1) Keyringer User Manual -% Silvio Rhatto -% Oct 24, 2013 +% Silvio Rhatto +% Oct 25, 2013 # NAME @@ -28,9 +28,13 @@ synced with remote branches. Keyringer has three types of actions: -1. Repository lookup and manipulation actions. -2. Secret manipulation actions. -3. Configuration actions. +1. Repository lookup and manipulation actions, which handles repository initialization, + content tracking and navigation. + +2. Secret manipulation actions, which takes care of encrypting, decrypting and other + read/write operations on secrets. + +3. Configuration actions, handling repository metadata. # REPOSITORY LOOKUP AND MANIPULATION ACTIONS 
@@ -164,19 +168,19 @@ recipients <*ls*|*edit*> <*recipient-file*> All lines starting with the hash (#) character are interpreted as comments. -## OPTIONS + Parameters to the *recipients* action are: -ls -: List all existing recipient files. + *ls* + : List all existing recipient files. -edit -: Create or edit a recipient-file. + *edit* + : Create or edit a recipient-file. - Editing happens using the editor specified by the `$EDITOR` - environment variable. + Editing happens using the editor specified by the `$EDITOR` + environment variable. - The required parameter *recipient-file* is taken relativelly - from the `$KEYRING_FOLDER/config/recipients/` folder. + The required parameter *recipient-file* is taken relativelly + from the `$KEYRING_FOLDER/config/recipients/` folder. # FILES 
@@ -192,6 +196,35 @@ $KEYRING_FOLDER/config/options # LIMITATIONS +Keyringer currently has the following limitations: + +* Metadata is not encrypted, meaning that an attacker with access to a keyringer + repository knows all public key IDs are used for encryption and which secrets + are encrypted to which keys. This can be improved in the future by encrypting + the repository configuration with support for *--hidden-recipient* GnuPG + option. + +* History is not rewritten by default when secrets are removed from a keyringer + repository. After a secret is removed with *del* action, it will still be + available in the repository history even after a commit. This is by design + due to the following reasons: + + 1. It's the default behavior of the Git content tracker. Forcing the + deletion by default could break the expected behavior and hence limit + the repository's backup features, which can be helpful is someone + mistakenly overwrites a secret. + + 2. History rewriting cannot be considered a security measure against the + unauthorized access to a secret as it doesn't automatically update all + working copies of the repository. + + In the case that the secret is a passphrase, the recommended measure + against such attack is to change the passphrase, making useless the + knowledge of the previous secret. + + Users wishing to edit their repository history should proceed manually + using the *git* action. + # SEE ALSO The *README* file distributed with Keyringer contains full documentation. -- cgit v1.2.3 From b348d0e911eef62732ebb01a63ad4ce59fbb4695 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 25 Oct 2013 21:13:44 -0200 Subject: Manpage: limitations (2) --- share/man/keyringer.1 | 44 +++++++++++++++++++++++++++++++++++++++----- 1 file changed, 39 insertions(+), 5 deletions(-) diff --git a/share/man/keyringer.1 b/share/man/keyringer.1 index 9f9f835..822c54e 100644 --- a/share/man/keyringer.1 +++ b/share/man/keyringer.1 
@@ -1,4 +1,4 @@ -.TH KEYRINGER 1 "Oct 24, 2013" "Keyringer User Manual" +.TH KEYRINGER 1 "Oct 25, 2013" "Keyringer User Manual" .SH NAME .PP keyringer - encrypted and distributed secret sharing software @@ -22,11 +22,13 @@ can be synced with remote branches. .PP Keyringer has three types of actions: .IP "1." 3 -Repository lookup and manipulation actions. +Repository lookup and manipulation actions, which handles repository +initialization, content tracking and navigation. .IP "2." 3 -Secret manipulation actions. +Secret manipulation actions, which takes care of encrypting, decrypting +and other read/write operations on secrets. .IP "3." 3 -Configuration actions. +Configuration actions, handling repository metadata. .SH REPOSITORY LOOKUP AND MANIPULATION ACTIONS .TP .B init <\f[I]path\f[]> [\f[I]remote\f[]] @@ -211,7 +213,7 @@ fingerprint is \f[I]XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.\f[] All lines starting with the hash (#) character are interpreted as comments. .PP -Parameters to the \f[I]recipients\f[] subcommand are: +Parameters to the \f[I]recipients\f[] action are: .TP .B \f[I]ls\f[] List all existing recipient files. 
@@ -240,6 +242,38 @@ aliased \f[I]keyring\f[] keyring. $KEYRING_FOLDER/config/options : Custom keyring options which will be applied for all users that use the keyringer repository. .SH LIMITATIONS +.PP +Keyringer currently has the following limitations: +.IP \[bu] 2 +Metadata is not encrypted, meaning that an attacker with access to a +keyringer repository knows all public key IDs are used for encryption +and which secrets are encrypted to which keys. +This can be improved in the future by encrypting the repository +configuration with support for \f[I]--hidden-recipient\f[] GnuPG option. +.IP \[bu] 2 +History is not rewritten by default when secrets are removed from a +keyringer repository. +After a secret is removed with \f[I]del\f[] action, it will still be +available in the repository history even after a commit. +This is by design due to the following reasons: +.IP "1." 3 +It\[aq]s the default behavior of the Git content tracker. +Forcing the deletion by default could break the expected behavior and +hence limit the repository\[aq]s backup features, which can be helpful +is someone mistakenly overwrites a secret. +.IP "2." 3 +History rewriting cannot be considered a security measure against the +unauthorized access to a secret as it doesn\[aq]t automatically update +all working copies of the repository. +.RS 4 +.PP +In the case that the secret is a passphrase, the recommended measure +against such attack is to change the passphrase, making useless the +knowledge of the previous secret. +.PP +Users wishing to edit their repository history should proceed manually +using the \f[I]git\f[] action. +.RE .SH SEE ALSO .PP The \f[I]README\f[] file distributed with Keyringer contains full -- cgit v1.2.3 From 95416da3c798fb915c6a1d3ea515dd4bdb3d4437 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 25 Oct 2013 21:14:50 -0200 Subject: Manpage formatting --- index.mdwn | 2 +- share/man/keyringer.1.mdwn | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/index.mdwn b/index.mdwn index cc70d60..a26f903 100644 --- a/index.mdwn +++ b/index.mdwn @@ -5,7 +5,7 @@ commands to encrypt, decrypt, recrypt, create key pairs, etc. - Project page: [https://keyringer.pw](https://keyringer.pw) - Manpage: [keyringer.1](share/man/keyringer.1) -- License: [GPLv3+](LICENSE). +- License: [GPLv3+](LICENSE) - Issue tracker: [https://keyringer.pw/trac](https://keyringer.pw/trac) - Tor hidden service: [http://y6ntvl5bzs3c7ffa.onion](http://y6ntvl5bzs3c7ffa.onion) - Releases: [https://keyringer.pw/releases](releases) diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn index 7e79b35..6b7915e 100644 --- a/share/man/keyringer.1.mdwn +++ b/share/man/keyringer.1.mdwn 
@@ -198,23 +198,23 @@ $KEYRING_FOLDER/config/options Keyringer currently has the following limitations: -* Metadata is not encrypted, meaning that an attacker with access to a keyringer +1. Metadata is not encrypted, meaning that an attacker with access to a keyringer repository knows all public key IDs are used for encryption and which secrets are encrypted to which keys. This can be improved in the future by encrypting the repository configuration with support for *--hidden-recipient* GnuPG option. -* History is not rewritten by default when secrets are removed from a keyringer +2. History is not rewritten by default when secrets are removed from a keyringer repository. After a secret is removed with *del* action, it will still be available in the repository history even after a commit. This is by design due to the following reasons: - 1. It's the default behavior of the Git content tracker. Forcing the + - It's the default behavior of the Git content tracker. Forcing the deletion by default could break the expected behavior and hence limit the repository's backup features, which can be helpful is someone mistakenly overwrites a secret. - 2. History rewriting cannot be considered a security measure against the + - History rewriting cannot be considered a security measure against the unauthorized access to a secret as it doesn't automatically update all working copies of the repository. -- cgit v1.2.3 From 75a1e30ead416c1e48b11ab416c4b32a3a15555d Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 25 Oct 2013 21:15:20 -0200 Subject: Manpage formatting (2) --- share/man/keyringer.1 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/share/man/keyringer.1 b/share/man/keyringer.1 index 822c54e..0f6e62d 100644 --- a/share/man/keyringer.1 +++ b/share/man/keyringer.1 
@@ -244,28 +244,28 @@ applied for all users that use the keyringer repository. .SH LIMITATIONS .PP Keyringer currently has the following limitations: -.IP \[bu] 2 +.IP "1." 3 Metadata is not encrypted, meaning that an attacker with access to a keyringer repository knows all public key IDs are used for encryption and which secrets are encrypted to which keys. This can be improved in the future by encrypting the repository configuration with support for \f[I]--hidden-recipient\f[] GnuPG option. -.IP \[bu] 2 +.IP "2." 3 History is not rewritten by default when secrets are removed from a keyringer repository. After a secret is removed with \f[I]del\f[] action, it will still be available in the repository history even after a commit. This is by design due to the following reasons: -.IP "1." 3 +.IP \[bu] 2 It\[aq]s the default behavior of the Git content tracker. Forcing the deletion by default could break the expected behavior and hence limit the repository\[aq]s backup features, which can be helpful is someone mistakenly overwrites a secret. -.IP "2." 3 +.IP \[bu] 2 History rewriting cannot be considered a security measure against the unauthorized access to a secret as it doesn\[aq]t automatically update all working copies of the repository. -.RS 4 +.RS 2 .PP In the case that the secret is a passphrase, the recommended measure against such attack is to change the passphrase, making useless the -- cgit v1.2.3 From a063767e242051895afd9e44f6bcdcdeebc9eaef Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sat, 26 Oct 2013 13:47:26 -0200 Subject: Minor manpage fix --- share/man/keyringer.1.mdwn | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn index 6b7915e..ab2242d 100644 --- a/share/man/keyringer.1.mdwn +++ b/share/man/keyringer.1.mdwn 
@@ -106,10 +106,10 @@ genpair <*ssh*|*gpg*|*ssl*|*ssl-self*> [*options*] open <*secret*> : Decrypt a secret into a temporary folder and opening it using xdg-open which - then tries to figure out the file type and calling the associated application. + tries to figure out the file type and then calling the associated application. After the application exits, keyringer encrypts the temporary decrypted file - again into the secret file. + again into the secret file and deletes the temporary file. recrypt <*secret*> : Recrypts a secret by decrypting it and recrypting again. Useful when users are added -- cgit v1.2.3 From 03fee91e968daa553a197feb89eada9caa406d10 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 27 Oct 2013 14:29:00 -0200 Subject: Manpage english review (thanks Justin B Rye from debian-l10n-english) (#5) --- share/man/keyringer.1.mdwn | 107 +++++++++++++++++++++------------------------ 1 file changed, 51 insertions(+), 56 deletions(-) diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn index ab2242d..396e44d 100644 --- a/share/man/keyringer.1.mdwn +++ b/share/man/keyringer.1.mdwn 
@@ -15,23 +15,22 @@ keyringer <*keyring*> <*action*> [*options*]... Keyringer lets you manage and share secrets using GnuPG and Git in a distributed fashion. -It has custom commands to encrypt, decrypt and recrypt secrets as well as -create key pairs and supports encryption to multiple recipients and groups of -different recipients to ensure the same repository can be shared with a -workgroup but allowing to keep some secrets available just to subsets of that -group. +It has custom commands to create key-pairs and to encrypt, decrypt and +re-encrypt secrets. It also supports encryption to multiple recipients +and groups of recipients, to allow a workgroup to share access to a single +repository while restricting some secrets to subsets of the group. -Secrets are encrypted using GPG and added to a git tree so later then can be -synced with remote branches. +Secrets are encrypted using GPG and added to a Git tree so that they can be +synced with remote branches later. # ACTIONS Keyringer has three types of actions: -1. Repository lookup and manipulation actions, which handles repository initialization, +1. Repository lookup and manipulation actions, which handle repository initialization, content tracking and navigation. -2. Secret manipulation actions, which takes care of encrypting, decrypting and other +2. Secret manipulation actions, which take care of encrypting, decrypting and other read/write operations on secrets. 3. Configuration actions, handling repository metadata. 
@@ -45,12 +44,12 @@ init <*path*> [*remote*] After initialization, *path* will contain a folder structure for storing secrets and metadata (user aka recipients, groups of recipients, etc). - Also, an entry on `$HOME/.keyringer/config` will be added allowing keyringer to - find the keyring by it's alias. + Also, an entry will be added to `$HOME/.keyringer/config` allowing keyringer to + find the keyring by its alias. git <*action*> <*options*> : Git wrapper that operates from the toplevel keyring repository. You can issue any - *GIT(1)* subcommand with this action that it will be applied into the keyring repository. + *GIT(1)* subcommand with this action to have it applied in the keyring repository. ls <*path*> : List contents from the toplevel repository *keys* folder or from relative paths @@ -59,10 +58,10 @@ ls <*path*> # SECRET MANIPULATION ACTIONS -All secret manipulation actions operates upon a *secret* which is the pathname -of an encrypted file relative to keyring with optional `.asc` extension. +All secret manipulation actions operate upon a *secret* which is the pathname +of an encrypted file relative to the keyring with optional `.asc` extension. -If the `.asc` extension is ommited, keyringer will add it in the end of the +If the `.asc` extension is omitted, keyringer will add it at the end of the pathname. No spaces are allowed in the secret name. 
@@ -82,17 +81,16 @@ decrypt <*secret*> : Decrypts a secret into standard output. del <*secret*> -: Removes a secret using git. After deleting a secret a git commit and push is still +: Removes a secret using Git. After deleting a secret a git commit and push is still needed to update remote repositories. - Please note that this command **does not remove the secret from the git history.** - To completely remove a file from a keyring, you should also rewrite the git - history by yourself. + Please note that this command **does not remove the secret from the Git history.** + To completely remove a file from a keyring, you should also rewrite the Git + history yourself. edit <*secret*> : Edit a secret by temporarily decrypting it, opening the decrypted copy into the - text editor defined by the *$EDITOR* environment variable and then recrypting it - again. + text editor defined by the *$EDITOR* environment variable and then re-encrypting it. encrypt [*file*] <*secret*> : Encrypts content from standard input or *file* into *secret* pathname. No spaces 
@@ -102,18 +100,18 @@ encrypt-batch <*secret*> : Encrypt content, batch mode. genpair <*ssh*|*gpg*|*ssl*|*ssl-self*> [*options*] -: Wrapper to generete encryption keypairs, useful for automated key deployment. +: Wrapper to generate encryption key-pairs, useful for automated key deployment. open <*secret*> -: Decrypt a secret into a temporary folder and opening it using xdg-open which - tries to figure out the file type and then calling the associated application. +: Decrypt a secret into a temporary folder and open it using xdg-open, which + tries to figure out the file type and then calls the associated application. After the application exits, keyringer encrypts the temporary decrypted file again into the secret file and deletes the temporary file. recrypt <*secret*> -: Recrypts a secret by decrypting it and recrypting again. Useful when users are added - into recipient configuration. If no *secret* is given, all secrets in the repository +: Re-encrypts a secret by decrypting it and encrypting it again. Useful when users are added + into the recipient configuration. If no *secret* is given, all secrets in the repository are re-encrypted. # CONFIGURATION ACTIONS @@ -122,11 +120,11 @@ commands : List available actions, useful for shell completion and syntax check. options <*ls*|*edit*|*add*> -: List, edit or add miscelaneous *repository* options. +: List, edit or add miscellaneous *repository* options. - Repository options are specific configurations for the keyring which are - saved into the repository, making it available for all users with access to the - repository and hence is a *global* configuration stanza for a given keyring. + Repository options are settings which are saved in the repository as a *global* + configuration stanza for a given keyring, shared by all users with access to + the repository. Options are written using the *KEY=VALUE* syntax. All lines starting with the hash (#) character are interpreted as comments. 
@@ -134,9 +132,8 @@ options <*ls*|*edit*|*add*> preferences <*ls*|*edit*|*add*> : List, edit or add *user* preferences for a given repository. - User preferences are specific configurations for the keyring which are - saved into the user's keyringer folder (`$HOME/.keyringer/`) hence not - shared with the other users. + User preferences are settings which are saved in the user's keyringer folder + (`$HOME/.keyringer/`), and not shared with the other users. Preferences are written using the *KEY=VALUE* syntax. All lines starting with the hash (#) character are interpreted as comments. 
@@ -144,24 +141,22 @@ preferences <*ls*|*edit*|*add*> usage : Show keyringer usage information. -recipients <*ls*|*edit*> <*recipient-file*> -: List, create or edit recipient configuration. +recipients <*ls*|*edit*> <*recipients-file*> +: List, create or edit recipients configuration. - Recipient files are lists of OpenPGP public key fingerprints which are used + Recipients files are lists of OpenPGP public key fingerprints which are used by keyringer when encrypting secrets and associated with email aliases. - Keyringer uses a default recipient file and supports custom *recipient-files* which - overrides the default recipient file according to it's matching pathname. + Keyringer uses a default recipients file, but specifying a custom *recipients-file* + pathname will override this default. - For instance, a the *recipient-file* called *accounting* will be used - wherever a user encrypts a secret to a file residing from the *accounting* - folder in the keyring repository. In that case, encrypting a secret into - *accounting/bank-accounts* will result in a file - `$KEYRING_FOLDER/keys/accounting/bank-accounts.asc` encrypted using the - public keys listed in `$KEYRING_FOLDER/config/recipients/accounting` config - file. + For instance, if a user encrypts a secret to a file in the keyring repository's + *accounting* folder, a *recipients-file* under *accounting* will be used. + Encrypting a secret into *accounting/bank-accounts* will result in a file + `$KEYRING_FOLDER/keys/accounting/bank-accounts.asc` encrypted using the public + keys listed in the config file`$KEYRING_FOLDER/config/recipients/accounting`. - Each line in a recipients file has entries in the form of + Each line in a recipients file has entries in the format 'john@doe.com XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', where *john@doe.com* is an alias for the GPG public key whose fingerprint is *XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.* 
@@ -171,16 +166,16 @@ recipients <*ls*|*edit*> <*recipient-file*> Parameters to the *recipients* action are: *ls* - : List all existing recipient files. + : List all existing recipients files. *edit* - : Create or edit a recipient-file. + : Create or edit a recipients file. Editing happens using the editor specified by the `$EDITOR` environment variable. - The required parameter *recipient-file* is taken relativelly - from the `$KEYRING_FOLDER/config/recipients/` folder. + The required parameter *recipients-file* is interpreted relative + to the `$KEYRING_FOLDER/config/recipients/` folder. # FILES @@ -199,19 +194,19 @@ $KEYRING_FOLDER/config/options Keyringer currently has the following limitations: 1. Metadata is not encrypted, meaning that an attacker with access to a keyringer - repository knows all public key IDs are used for encryption and which secrets + repository can discover all public key IDs used for encryption, and which secrets are encrypted to which keys. This can be improved in the future by encrypting - the repository configuration with support for *--hidden-recipient* GnuPG + the repository configuration with support for the *--hidden-recipient* GnuPG option. 2. History is not rewritten by default when secrets are removed from a keyringer - repository. After a secret is removed with *del* action, it will still be + repository. After a secret is removed with the *del* action, it will still be available in the repository history even after a commit. This is by design - due to the following reasons: + for the following reasons: - It's the default behavior of the Git content tracker. Forcing the deletion by default could break the expected behavior and hence limit - the repository's backup features, which can be helpful is someone + the repository's backup features, which can be helpful if someone mistakenly overwrites a secret. - History rewriting cannot be considered a security measure against the 
@@ -219,7 +214,7 @@ Keyringer currently has the following limitations: working copies of the repository. In the case that the secret is a passphrase, the recommended measure - against such attack is to change the passphrase, making useless the + against such attacks is to change the passphrase, making useless the knowledge of the previous secret. Users wishing to edit their repository history should proceed manually -- cgit v1.2.3 From 6ababf8c7d892e065d6adf9316e06a83ea064cc3 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 27 Oct 2013 14:49:06 -0200 Subject: ChangeLog update --- ChangeLog | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 85f121a..7640d9a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,6 @@ -2013-10-18 - Silvio Rhatto +2013-10-27 - Silvio Rhatto + + Manpage enhancements and english review (#5) Strict FHS compliance (closes #18) -- cgit v1.2.3 From 0388ca01ef1c98880977c0a9c55e0ea5f4f5bd20 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 1 Nov 2013 18:02:36 -0200 Subject: Cowbuilder for other archs and distributions --- development.mdwn | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/development.mdwn b/development.mdwn index 8c0c1ad..383ef92 100644 --- a/development.mdwn +++ b/development.mdwn @@ -19,6 +19,12 @@ The following steps needs to be run just once. DIST=sid sudo cowbuilder --create +You can also setup chroots for other archs and distributions: + + mkdir /var/cache/pbuilder/squeeze-amd64 + cowbuilder --create --basepath /var/cache/pbuilder/squeeze-amd64/base.cow \ + --distribution squeeze --debootstrapopts --arch --debootstrapopts amd64 + Environment maintenance ----------------------- -- cgit v1.2.3 From 62dd47517c4ef54c6b6da135ed1ca593dd36572f Mon Sep 17 00:00:00 2001 
From: Silvio Rhatto Date: Fri, 1 Nov 2013 18:54:58 -0200 Subject: Pbuilder and cowbuilder for multiple archs and versions --- development.mdwn | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/development.mdwn b/development.mdwn index 383ef92..cbfa03f 100644 --- a/development.mdwn +++ b/development.mdwn @@ -3,7 +3,7 @@ Development environment ----------------------- -The following steps needs to be run just once. +The following steps needs to be run just once for each arch and distro version. ### Create the `debian/` structure @@ -13,17 +13,11 @@ The following steps needs to be run just once. ### Setup a sid pbuilder chroot - DIST=sid sudo pbuilder create --debootstrapopts --variant=buildd + DIST=sid sudo -E pbuilder create --debootstrapopts --variant=buildd ### Setup a sid cowbuilder chroot - DIST=sid sudo cowbuilder --create - -You can also setup chroots for other archs and distributions: - - mkdir /var/cache/pbuilder/squeeze-amd64 - cowbuilder --create --basepath /var/cache/pbuilder/squeeze-amd64/base.cow \ - --distribution squeeze --debootstrapopts --arch --debootstrapopts amd64 + DIST=sid sudo -E cowbuilder --create Environment maintenance ----------------------- @@ -32,11 +26,11 @@ These steps should be run once in a while to ensure we have an up to date packag ### Pbuilder - DIST=sid sudo pbuilder update + DIST=sid sudo -E pbuilder update ### Cowbuilder - DIST=sid sudo cowbuilder --update + DIST=sid sudo -E cowbuilder --update Release workflow ---------------- -- cgit v1.2.3 From daee316b366cb09a3751301ddb04e28fe339e69d Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 7 Nov 2013 14:43:44 -0200 Subject: Changing pbuilder/cowbuilder instructions --- development.mdwn | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/development.mdwn b/development.mdwn index cbfa03f..a6db8da 100644 --- a/development.mdwn +++ b/development.mdwn 
@@ -13,11 +13,11 @@ The following steps needs to be run just once for each arch and distro version.
 ### Setup a sid pbuilder chroot
- DIST=sid sudo -E pbuilder create --debootstrapopts --variant=buildd
+ git-pbuilder create
 ### Setup a sid cowbuilder chroot
- DIST=sid sudo -E cowbuilder --create
+ sudo cowbuilder --create
 Environment maintenance
 -----------------------
@@ -26,11 +26,11 @@ These steps should be run once in a while to ensure we have an up to date packag
 ### Pbuilder
- DIST=sid sudo -E pbuilder update
+ git-pbuilder update
 ### Cowbuilder
- DIST=sid sudo -E cowbuilder --update
+ sudo cowbuilder --update
 Release workflow
 ----------------
-- cgit v1.2.3
From da7b0d3a12c254463f90845566437211682fd647 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Thu, 7 Nov 2013 17:44:37 -0200
Subject: Allow slashes on filenames
---
 lib/keyringer/functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/keyringer/functions b/lib/keyringer/functions
index 0864b91..e2face1 100755
--- a/lib/keyringer/functions
+++ b/lib/keyringer/functions
@@ -348,7 +348,7 @@ function keyringer_get_new_file {
 fi
 # Sanitize and complete file name
- FILE="`echo $FILE | sed -e s/[^A-Za-z0-9.]/_/g`"
+ FILE="`echo $FILE | sed -e s/[^A-Za-z0-9.\/]/_/g`"
 FILE="$(keyringer_filename "$FILE")"
 if [ -z "$FILE" ]; then
-- cgit v1.2.3
From ee1beb85b4dc8f7f0da9689c88706aeb516e954d Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sun, 10 Nov 2013 20:18:12 -0200
Subject: Usage and setup cosmetics
---
 keyringer | 2 +-
 lib/keyringer/functions | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/keyringer b/keyringer
index abd0a57..8ba1093 100755
--- a/keyringer
+++ b/keyringer
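Review bot: The widened character class in the new `FILE=` line keeps `.` and `/`, so a secret name such as `../x` passes the sed sanitization untouched, and the encrypt action later writes to `"$KEYDIR/$FILE"`, so such a name can resolve outside the keys directory; nothing in this hunk rejects `..` segments or a leading `/`. Since the point of the change is to allow sub-folders, an explicit rejection keeps that while closing the gap, e.g. `case "/$FILE/" in */../*) echo "Error: invalid secret name $FILE"; exit 1;; esac` before the `keyringer_filename` call. `echo $FILE` and the sed expression are also unquoted, so a name with shell metacharacters is word-split and glob-expanded before sed sees it; `FILE="$(printf '%s\n' "$FILE" | sed -e 's/[^A-Za-z0-9./]/_/g')"` avoids that. The hunk in the later "Changing encrypt syntax" commit on this page, which adds `-` to the same class, keeps the same gap. keyringer_get_new_file begins outside the hunk.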
@@ -68,7 +68,7 @@ function keyringer_init {
 touch "$OPTIONS"
 # Setup README
- echo "Keyring repository powered by http://git.sarava.org/?p=keyringer.git;a=summary" > "$BASEDIR/README"
+ echo "Keyring repository powered by https://keyringer.pw" > "$BASEDIR/README"
 echo "" >> "$BASEDIR/README"
 # Set config version
diff --git a/lib/keyringer/functions b/lib/keyringer/functions
index e2face1..206e0da 100755
--- a/lib/keyringer/functions
+++ b/lib/keyringer/functions
@@ -390,9 +390,10 @@ function keyringer_show_actions {
 # Usage
 function keyringer_usage {
- printf "Usage: %s [arguments]\n" "$BASENAME"
- printf "Available commands: \n"
+ printf "Usage: %s [arguments]\n\n" "$BASENAME"
+ printf "Available commands: \n\n"
 keyringer_show_actions | sed -e 's/^/\t/'
+ printf "\tinit [remote]\n\n" $BASENAME
 }
 # Check recipients
-- cgit v1.2.3
From d6ace9471fbeb4c6c57f803d870accd8b11c7d2f Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sun, 10 Nov 2013 20:38:46 -0200
Subject: Fixing encryption for files with spaces (closes #20)
---
 lib/keyringer/actions/encrypt | 10 +++++-----
 lib/keyringer/functions | 8 ++++++--
 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/lib/keyringer/actions/encrypt b/lib/keyringer/actions/encrypt
index cc73b55..6b9c061 100755
--- a/lib/keyringer/actions/encrypt
+++ b/lib/keyringer/actions/encrypt
@@ -9,12 +9,12 @@ source "$LIB" || exit 1
 # Aditional parameters
 if [ ! -z "$3" ]; then
- UNENCRYPTED_FILE="$2"
- shift 2
- keyringer_get_new_file "$*"
+ shift 1
+ UNENCRYPTED_FILE="$*"
+ keyringer_get_new_file $*
 if [ ! -f "$UNENCRYPTED_FILE" ]; then
- echo "Error: cannot encrypted $UNENCRYPTED_FILE: file not found."
+ echo "Error: cannot encrypt $UNENCRYPTED_FILE: file not found."
 exit 1
 fi
 else
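Review bot: The added `printf "\tinit [remote]\n\n" $BASENAME` has no conversion specification, so the `$BASENAME` argument is never printed and is passed unquoted for nothing. Either drop the argument or give it a `%s`, and the line should agree with the manpage source on this page, which documents the action as `init <*path*> [*remote*]`: `printf "\tinit <path> [remote]\n\n"`. keyringer_usage is shown in full; the function named in the hunk header, keyringer_show_actions, lies outside the hunk.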
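Review bot: After `shift 1`, `$*` still holds the secret name together with the file, so `UNENCRYPTED_FILE="$*"` becomes both words joined and the `-f` test on the following line fails whenever a file and a secret are both given; the same joined string is then passed to keyringer_get_new_file, so the secret name would absorb the file name too. Unless the intent is that file and secret share one name, the documented `encrypt [file] <secret>` form no longer works after this change. Taking the file on its own, `UNENCRYPTED_FILE="$2"` followed by `shift 2` and `keyringer_get_new_file "$*"`, keeps the two apart; the later "Changing encrypt syntax" commit on this page reworks this block and its order of arguments. The `else` branch and the rest of the action are outside the hunk.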
@@ -36,7 +36,7 @@ if [ "$BASENAME" == "encrypt" ]; then
 fi
 fi
-$GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") --yes --output "$KEYDIR/$FILE" $UNENCRYPTED_FILE
+$GPG --use-agent --armor -e -s $(keyringer_recipients "$RECIPIENTS_FILE") --yes --output "$KEYDIR/$FILE" "$UNENCRYPTED_FILE"
 err="$?"
diff --git a/lib/keyringer/functions b/lib/keyringer/functions
index 206e0da..67b5122 100755
--- a/lib/keyringer/functions
+++ b/lib/keyringer/functions
@@ -342,7 +342,6 @@ function keyringer_get_new_file {
 # File must not contain spaces
 if [ ! -z "$2" ] ; then
 FILE="`echo "$*" | sed -e 's/ /_/g'`"
- echo "File $* has spaces, secret will be named as $FILE..."
 else
 FILE="$1"
 fi
@@ -350,8 +349,13 @@ function keyringer_get_new_file {
 # Sanitize and complete file name
 FILE="`echo $FILE | sed -e s/[^A-Za-z0-9.\/]/_/g`"
 FILE="$(keyringer_filename "$FILE")"
+
+ # Warn user about file name change:w
+ if [ "`basename "$*"`" != "$FILE" ]; then
+ echo "Sanitizing destination filename to `basename $FILE`"
+ fi
- if [ -z "$FILE" ]; then
+ if [ -z "$*" ]; then
 keyringer_action_usage
 exit 1
 fi
-- cgit v1.2.3
From e53aba05b0a18c39b5f75267318694d2073248f2 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sun, 10 Nov 2013 22:44:58 -0200
Subject: Changing encrypt syntax, rebuilding manpage
---
 lib/keyringer/actions/encrypt | 22 +++++-
 lib/keyringer/functions | 14 ++--
 share/man/keyringer.1 | 166 +++++++++++++++++++++---------------------
 share/man/keyringer.1.mdwn | 4 +-
 4 files changed, 111 insertions(+), 95 deletions(-)
diff --git a/lib/keyringer/actions/encrypt b/lib/keyringer/actions/encrypt
index 6b9c061..d9d8f96 100755
--- a/lib/keyringer/actions/encrypt
+++ b/lib/keyringer/actions/encrypt
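Review bot: The new warning compares `basename "$*"` with `$FILE` after `keyringer_filename` has already rewritten `$FILE` on the line above, so the two strings presumably differ for every input and "Sanitizing destination filename" would print even when nothing was changed; comparing the sed output before the completion step, `if [ "`basename "$*"`" != "`basename "$FILE"`" ]; then`, is what the message describes. The comment also carries a stray editor artefact, `:w`, and should read `# Warn user about file name change`. The `[ -z "$*" ]` usage check is now reached only after sed, keyringer_filename and basename have processed an empty argument; putting it at the top of the function is cheaper and keeps the sanitization from running on nothing. keyringer_get_new_file begins outside the hunk.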
@@ -7,11 +7,27 @@ LIB="`dirname $0`/../functions"
 source "$LIB" || exit 1
+# Usage
+function keyringer_usage_encrypt {
+ echo "Usage: keyringer $BASENAME [file]"
+}
+
+# Alias for keyringer_usage_encrypt
+function keyringer_usage_encrypt_batch {
+ keyringer_usage_encrypt $*
+}
+
+# Usage
+if [ -z "$2" ]; then
+ keyringer_action_usage
+ exit 1
+fi
+
 # Aditional parameters
 if [ ! -z "$3" ]; then
- shift 1
+ keyringer_get_new_file $2
+ shift 2
 UNENCRYPTED_FILE="$*"
- keyringer_get_new_file $*
 if [ ! -f "$UNENCRYPTED_FILE" ]; then
 echo "Error: cannot encrypt $UNENCRYPTED_FILE: file not found."
@@ -45,7 +61,7 @@ if [ "$err" != "0" ]; then
 fi
 if [ "$UNENCRYPTED_FILE" != "-" ]; then
- echo "Now make to wipe the non-encrypted $UNENCRYPTED_FILE."
+ echo "Done. PLEASE WIPE the non-encrypted $UNENCRYPTED_FILE."
 fi
 # Stage
diff --git a/lib/keyringer/functions b/lib/keyringer/functions
index 67b5122..bf2977d 100755
--- a/lib/keyringer/functions
+++ b/lib/keyringer/functions
@@ -347,14 +347,16 @@ function keyringer_get_new_file {
 fi
 # Sanitize and complete file name
- FILE="`echo $FILE | sed -e s/[^A-Za-z0-9.\/]/_/g`"
- FILE="$(keyringer_filename "$FILE")"
+ FILE="`echo $FILE | sed -e s/[^A-Za-z0-9.\/\-]/_/g`"
- # Warn user about file name change:w
- if [ "`basename "$*"`" != "$FILE" ]; then
+ # Warn user about file name change
+ if [ "`basename $*`" != "`basename $FILE`" ]; then
 echo "Sanitizing destination filename to `basename $FILE`"
 fi
-
+
+ # Complete file name
+ FILE="$(keyringer_filename "$FILE")"
+
 if [ -z "$*" ]; then
 keyringer_action_usage
 exit 1
@@ -365,7 +367,7 @@ function keyringer_get_new_file {
 function keyringer_get_command {
 # Aditional parameters
 COMMAND="$1"
-
+
 if [ -z "$COMMAND" ]; then
 keyringer_action_usage command
 exit 1
diff --git a/share/man/keyringer.1 b/share/man/keyringer.1
index 0f6e62d..c3fbc54 100644
--- a/share/man/keyringer.1
+++ b/share/man/keyringer.1
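Review bot: The new `keyringer_usage_encrypt` prints `Usage: keyringer $BASENAME [file]`, but the man page rewritten in this same commit documents the action as `encrypt <secret> [file]`, and the code below now takes the secret from `$2` and the file from the remaining words; the usage line should read `echo "Usage: keyringer $BASENAME <secret> [file]"`. `keyringer_get_new_file $2` is also unquoted, so a secret name containing `*` or `?` is glob-expanded by the shell before sanitization; since the character-class sanitization inside that function replaces spaces as well, the word splitting seems unnecessary and `"$2"` is the safer call. The `if` block continues outside the hunk.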
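Review bot: `basename $*` in the reordered warning is unquoted and the `[ -z "$*" ]` check still follows it, so an empty argument list runs `basename` with no operand and prints its own error before the usage text; quoting both calls, `if [ "`basename "$*"`" != "`basename "$FILE"`" ]; then`, and moving the empty check to the top of the function fixes both. The class `[^A-Za-z0-9.\/\-]` still admits `..` segments and a leading `/`, so the traversal concern raised on the earlier "Allow slashes on filenames" hunk applies unchanged here. keyringer_get_new_file begins outside the hunk.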
@@ -10,22 +10,22 @@ keyringer <\f[I]keyring\f[]> <\f[I]action\f[]> [\f[I]options\f[]]... Keyringer lets you manage and share secrets using GnuPG and Git in a distributed fashion. .PP -It has custom commands to encrypt, decrypt and recrypt secrets as well -as create key pairs and supports encryption to multiple recipients and -groups of different recipients to ensure the same repository can be -shared with a workgroup but allowing to keep some secrets available just -to subsets of that group. -.PP -Secrets are encrypted using GPG and added to a git tree so later then -can be synced with remote branches. +It has custom commands to create key-pairs and to encrypt, decrypt and +re-encrypt secrets. +It also supports encryption to multiple recipients and groups of +recipients, to allow a workgroup to share access to a single repository +while restricting some secrets to subsets of the group. +.PP +Secrets are encrypted using GPG and added to a Git tree so that they can +be synced with remote branches later. .SH ACTIONS .PP Keyringer has three types of actions: .IP "1." 3 -Repository lookup and manipulation actions, which handles repository +Repository lookup and manipulation actions, which handle repository initialization, content tracking and navigation. .IP "2." 3 -Secret manipulation actions, which takes care of encrypting, decrypting +Secret manipulation actions, which take care of encrypting, decrypting and other read/write operations on secrets. .IP "3." 3 Configuration actions, handling repository metadata. 
@@ -41,14 +41,14 @@ After initialization, \f[I]path\f[] will contain a folder structure for storing secrets and metadata (user aka recipients, groups of recipients, etc). .PP -Also, an entry on \f[C]$HOME/.keyringer/config\f[] will be added -allowing keyringer to find the keyring by it\[aq]s alias. +Also, an entry will be added to \f[C]$HOME/.keyringer/config\f[] +allowing keyringer to find the keyring by its alias. .RE .TP .B git <\f[I]action\f[]> <\f[I]options\f[]> Git wrapper that operates from the toplevel keyring repository. -You can issue any \f[I]GIT(1)\f[] subcommand with this action that it -will be applied into the keyring repository. +You can issue any \f[I]GIT(1)\f[] subcommand with this action to have it +applied in the keyring repository. .RS .RE .TP @@ -61,11 +61,11 @@ command. .RE .SH SECRET MANIPULATION ACTIONS .PP -All secret manipulation actions operates upon a \f[I]secret\f[] which is -the pathname of an encrypted file relative to keyring with optional +All secret manipulation actions operate upon a \f[I]secret\f[] which is +the pathname of an encrypted file relative to the keyring with optional \f[C]\&.asc\f[] extension. .PP -If the \f[C]\&.asc\f[] extension is ommited, keyringer will add it in +If the \f[C]\&.asc\f[] extension is omitted, keyringer will add it at the end of the pathname. .PP No spaces are allowed in the secret name. 
@@ -92,27 +92,27 @@ Decrypts a secret into standard output. .RE .TP .B del <\f[I]secret\f[]> -Removes a secret using git. +Removes a secret using Git. After deleting a secret a git commit and push is still needed to update remote repositories. .RS .PP Please note that this command \f[B]does not remove the secret from the -git history.\f[] To completely remove a file from a keyring, you should -also rewrite the git history by yourself. +Git history.\f[] To completely remove a file from a keyring, you should +also rewrite the Git history yourself. .RE .TP .B edit <\f[I]secret\f[]> Edit a secret by temporarily decrypting it, opening the decrypted copy into the text editor defined by the \f[I]$EDITOR\f[] environment -variable and then recrypting it again. +variable and then re-encrypting it. .RS .RE .TP -.B encrypt [\f[I]file\f[]] <\f[I]secret\f[]> +.B encrypt <\f[I]secret\f[]> [\f[I]file\f[]] Encrypts content from standard input or \f[I]file\f[] into \f[I]secret\f[] pathname. -No spaces are supported in the \f[I]file\f[] name. +No spaces are supported in the \f[I]secret\f[] name. .RS .RE .TP 
@@ -123,24 +123,24 @@ Encrypt content, batch mode. .TP .B genpair <\f[I]ssh\f[]|\f[I]gpg\f[]|\f[I]ssl\f[]|\f[I]ssl-self\f[]> [\f[I]options\f[]] -Wrapper to generete encryption keypairs, useful for automated key +Wrapper to generate encryption key-pairs, useful for automated key deployment. .RS .RE .TP .B open <\f[I]secret\f[]> -Decrypt a secret into a temporary folder and opening it using xdg-open -which then tries to figure out the file type and calling the associated +Decrypt a secret into a temporary folder and open it using xdg-open, +which tries to figure out the file type and then calls the associated application. .RS .PP After the application exits, keyringer encrypts the temporary decrypted -file again into the secret file. +file again into the secret file and deletes the temporary file. .RE .TP .B recrypt <\f[I]secret\f[]> -Recrypts a secret by decrypting it and recrypting again. -Useful when users are added into recipient configuration. +Re-encrypts a secret by decrypting it and encrypting it again. +Useful when users are added into the recipient configuration. If no \f[I]secret\f[] is given, all secrets in the repository are re-encrypted. .RS 
@@ -153,13 +153,12 @@ List available actions, useful for shell completion and syntax check. .RE .TP .B options <\f[I]ls\f[]|\f[I]edit\f[]|\f[I]add\f[]> -List, edit or add miscelaneous \f[I]repository\f[] options. +List, edit or add miscellaneous \f[I]repository\f[] options. .RS .PP -Repository options are specific configurations for the keyring which are -saved into the repository, making it available for all users with access -to the repository and hence is a \f[I]global\f[] configuration stanza -for a given keyring. +Repository options are settings which are saved in the repository as a +\f[I]global\f[] configuration stanza for a given keyring, shared by all +users with access to the repository. .PP Options are written using the \f[I]KEY=VALUE\f[] syntax. All lines starting with the hash (#) character are interpreted as @@ -170,9 +169,9 @@ comments. List, edit or add \f[I]user\f[] preferences for a given repository. .RS .PP -User preferences are specific configurations for the keyring which are -saved into the user\[aq]s keyringer folder (\f[C]$HOME/.keyringer/\f[]) -hence not shared with the other users. +User preferences are settings which are saved in the user\[aq]s +keyringer folder (\f[C]$HOME/.keyringer/\f[]), and not shared with the +other users. .PP Preferences are written using the \f[I]KEY=VALUE\f[] syntax. All lines starting with the hash (#) character are interpreted as 
@@ -184,53 +183,51 @@ Show keyringer usage information. .RS .RE .TP -.B recipients <\f[I]ls\f[]|\f[I]edit\f[]> <\f[I]recipient-file\f[]> -List, create or edit recipient configuration. +.B recipients <\f[I]ls\f[]|\f[I]edit\f[]> <\f[I]recipients-file\f[]> +List, create or edit recipients configuration. .RS .PP -Recipient files are lists of OpenPGP public key fingerprints which are +Recipients files are lists of OpenPGP public key fingerprints which are used by keyringer when encrypting secrets and associated with email aliases. .PP -Keyringer uses a default recipient file and supports custom -\f[I]recipient-files\f[] which overrides the default recipient file -according to it\[aq]s matching pathname. -.PP -For instance, a the \f[I]recipient-file\f[] called \f[I]accounting\f[] -will be used wherever a user encrypts a secret to a file residing from -the \f[I]accounting\f[] folder in the keyring repository. -In that case, encrypting a secret into \f[I]accounting/bank-accounts\f[] -will result in a file -\f[C]$KEYRING_FOLDER/keys/accounting/bank-accounts.asc\f[] encrypted -using the public keys listed in -\f[C]$KEYRING_FOLDER/config/recipients/accounting\f[] config file. -.PP -Each line in a recipients file has entries in the form of -\[aq]john\@doe.com XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\[aq], where -\f[I]john\@doe.com\f[] is an alias for the GPG public key whose -fingerprint is \f[I]XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.\f[] -.PP -All lines starting with the hash (#) character are interpreted as -comments. -.PP -Parameters to the \f[I]recipients\f[] action are: -.TP -.B \f[I]ls\f[] -List all existing recipient files. -.RS +Keyringer uses a default recipients file, but specifying a custom +\f[I]recipients-file\f[] pathname will override this default. +For instance, if a user encrypts a secret to a file in the keyring +repository\[aq]s \f[I]accounting\f[] folder, a \f[I]recipients-file\f[] +under \f[I]accounting\f[] will be used. 
+Encrypting a secret into \f[I]accounting/bank-accounts\f[] will result +in a file .RE -.TP -.B \f[I]edit\f[] -Create or edit a recipient-file. -.RS .PP -Editing happens using the editor specified by the \f[C]$EDITOR\f[] -environment variable. -.PP -The required parameter \f[I]recipient-file\f[] is taken relativelly from -the \f[C]$KEYRING_FOLDER/config/recipients/\f[] folder. -.RE -.RE +\f[C]$KEYRING_FOLDER/keys/accounting/bank-accounts.asc\f[] encrypted +using the public keys listed in the config +file\f[C]$KEYRING_FOLDER/config/recipients/accounting\f[]. +.IP +.nf +\f[C] +Each\ line\ in\ a\ recipients\ file\ has\ entries\ in\ the\ format +\[aq]john\@doe.com\ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\[aq],\ where\ *john\@doe.com* +is\ an\ alias\ for\ the\ GPG\ public\ key\ whose\ fingerprint\ is +*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.* + +All\ lines\ starting\ with\ the\ hash\ (#)\ character\ are\ interpreted\ as\ comments. + +Parameters\ to\ the\ *recipients*\ action\ are: + +\ \ *ls* +\ \ :\ \ \ List\ all\ existing\ recipients\ files. + +\ \ *edit* +\ \ :\ \ \ Create\ or\ edit\ a\ recipients\ file. + +\ \ \ \ \ \ Editing\ happens\ using\ the\ editor\ specified\ by\ the\ `$EDITOR` +\ \ \ \ \ \ environment\ variable. + +\ \ \ \ \ \ The\ required\ parameter\ *recipients-file*\ is\ interpreted\ relative +\ \ \ \ \ \ to\ the\ `$KEYRING_FOLDER/config/recipients/`\ folder. +\f[] +.fi .SH FILES .PP $HOME/.keyringer/config : User\[aq]s main configuration file used to map 
@@ -246,21 +243,22 @@ applied for all users that use the keyringer repository. Keyringer currently has the following limitations: .IP "1." 3 Metadata is not encrypted, meaning that an attacker with access to a -keyringer repository knows all public key IDs are used for encryption -and which secrets are encrypted to which keys. +keyringer repository can discover all public key IDs used for +encryption, and which secrets are encrypted to which keys. This can be improved in the future by encrypting the repository -configuration with support for \f[I]--hidden-recipient\f[] GnuPG option. +configuration with support for the \f[I]--hidden-recipient\f[] GnuPG +option. .IP "2." 3 History is not rewritten by default when secrets are removed from a keyringer repository. -After a secret is removed with \f[I]del\f[] action, it will still be +After a secret is removed with the \f[I]del\f[] action, it will still be available in the repository history even after a commit. -This is by design due to the following reasons: +This is by design for the following reasons: .IP \[bu] 2 It\[aq]s the default behavior of the Git content tracker. Forcing the deletion by default could break the expected behavior and hence limit the repository\[aq]s backup features, which can be helpful -is someone mistakenly overwrites a secret. +if someone mistakenly overwrites a secret. .IP \[bu] 2 History rewriting cannot be considered a security measure against the unauthorized access to a secret as it doesn\[aq]t automatically update @@ -268,7 +266,7 @@ all working copies of the repository. .RS 2 .PP In the case that the secret is a passphrase, the recommended measure -against such attack is to change the passphrase, making useless the +against such attacks is to change the passphrase, making useless the knowledge of the previous secret. .PP Users wishing to edit their repository history should proceed manually 
diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn index 396e44d..ee035e3 100644 --- a/share/man/keyringer.1.mdwn +++ b/share/man/keyringer.1.mdwn @@ -92,9 +92,9 @@ edit <*secret*> : Edit a secret by temporarily decrypting it, opening the decrypted copy into the text editor defined by the *$EDITOR* environment variable and then re-encrypting it. -encrypt [*file*] <*secret*> +encrypt <*secret*> [*file*] : Encrypts content from standard input or *file* into *secret* pathname. No spaces - are supported in the *file* name. + are supported in the *secret* name. encrypt-batch <*secret*> : Encrypt content, batch mode. -- cgit v1.2.3 From dd83d98974d3a632f1d097d78f19a39d24083a24 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 10 Nov 2013 22:45:55 -0200 Subject: ChangeLog update --- ChangeLog | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 7640d9a..bf7fdd6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,8 @@ -2013-10-27 - Silvio Rhatto +2013-11-10 - Silvio Rhatto + + Changed encrypt syntax + + Fix handing of file names with spaces (#20) Manpage enhancements and english review (#5) -- cgit v1.2.3 From e5bde4205e18334754027b3c6cc2f12ce0ffbaa8 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 10 Nov 2013 22:50:12 -0200 Subject: Doc update --- index.mdwn | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/index.mdwn b/index.mdwn index a26f903..148da07 100644 --- a/index.mdwn +++ b/index.mdwn 
@@ -86,28 +86,28 @@ secrets with lines such as: emma - /dev/hda : : secret2 Or you may also have a different encrypted file for each secret, e.g. a file called -emma.root that contains the root passphrase for the server named emma and -another called emma.hda with the passphrase to decrypt /dev/hda on emma. +emma.root that contains the root passphrase for the server named `emma` and +another called emma.hda with the passphrase to decrypt `/dev/hda` on `emma`. Encrypting a secret - keyringer encrypt + keyringer encrypt Encrypting a secret from a file - keyringer encrypt + keyringer encrypt Decrypting a secret (only to stdout) - keyringer decrypt + keyringer decrypt Re-encrypting a secret or the whole repository - keyringer recrypt [file] + keyringer recrypt [secret] Appending information to a secret - keyringer append + keyringer append Editing a secret -- cgit v1.2.3 From 16abc738ad06e2a39fc14a40f39f9a21ae9bec43 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 10 Nov 2013 22:56:11 -0200 Subject: Development: test environment --- development.mdwn | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/development.mdwn b/development.mdwn index a6db8da..edd41ed 100644 --- a/development.mdwn +++ b/development.mdwn @@ -100,6 +100,19 @@ When adding a new subcommand or changing subcommand behavior, ensure: * Manpage is updated. * Shell completions are updated. +Test environment +---------------- + +Setup: + + keyringer test init ~/code/tests/keyringer + +Teardown: + + rm -rf ~/code/tests/keyringer + rm ~/.keyringer/test + sed -i -e '/^test=/d' ~/.keyringer/config + References ---------- -- cgit v1.2.3 From f51ab08305fe8aea78925468911756a672005396 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 10 Nov 2013 23:23:38 -0200 Subject: Adding keyringer.pot --- development.mdwn | 8 + share/man/keyringer.pot | 603 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 611 insertions(+) create mode 100644 share/man/keyringer.pot 
diff --git a/development.mdwn b/development.mdwn index edd41ed..43aeedb 100644 --- a/development.mdwn +++ b/development.mdwn @@ -113,6 +113,14 @@ Teardown: rm ~/.keyringer/test sed -i -e '/^test=/d' ~/.keyringer/config +Translation +----------- + +Run just once: + + cd share/man + po4a-gettextize -f text -m keyringer.1.mdwn -p keyringer.pot + References ---------- diff --git a/share/man/keyringer.pot b/share/man/keyringer.pot new file mode 100644 index 0000000..4078028 --- /dev/null +++ b/share/man/keyringer.pot 
@@ -0,0 +1,603 @@ +# SOME DESCRIPTIVE TITLE +# Copyright (C) YEAR Free Software Foundation, Inc. +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR , YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2013-11-10 23:20-0100\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME \n" +"Language-Team: LANGUAGE \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=CHARSET\n" +"Content-Transfer-Encoding: 8bit\n" + +#. type: Plain text +#: keyringer.1.mdwn:4 +msgid "" +"% KEYRINGER(1) Keyringer User Manual % Silvio Rhatto % " +"Oct 25, 2013" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:6 +msgid "# NAME" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:8 +msgid "keyringer - encrypted and distributed secret sharing software" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:10 +msgid "# SYNOPSIS" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:12 +msgid "keyringer <*keyring*> <*action*> [*options*]..." +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:14 +msgid "# DESCRIPTION" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:17 +msgid "" +"Keyringer lets you manage and share secrets using GnuPG and Git in a " +"distributed fashion." +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:22 +msgid "" +"It has custom commands to create key-pairs and to encrypt, decrypt and " +"re-encrypt secrets. It also supports encryption to multiple recipients and " +"groups of recipients, to allow a workgroup to share access to a single " +"repository while restricting some secrets to subsets of the group." +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:25 +msgid "" +"Secrets are encrypted using GPG and added to a Git tree so that they can be " +"synced with remote branches later." +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:27 +msgid "# ACTIONS" +msgstr "" + +#. 
type: Plain text +#: keyringer.1.mdwn:29 +msgid "Keyringer has three types of actions:" +msgstr "" + +#. type: Bullet: '1. ' +#: keyringer.1.mdwn:32 +msgid "" +"Repository lookup and manipulation actions, which handle repository " +"initialization, content tracking and navigation." +msgstr "" + +#. type: Bullet: '2. ' +#: keyringer.1.mdwn:35 +msgid "" +"Secret manipulation actions, which take care of encrypting, decrypting and " +"other read/write operations on secrets." +msgstr "" + +#. type: Bullet: '3. ' +#: keyringer.1.mdwn:37 +msgid "Configuration actions, handling repository metadata." +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:39 +msgid "# REPOSITORY LOOKUP AND MANIPULATION ACTIONS" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:43 +#, no-wrap +msgid "" +"init <*path*> [*remote*]\n" +": Initialize a new keyringer repository. If a *remote* URL is specified, " +"keyringer will\n" +" clone an existing repository.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:46 +#, no-wrap +msgid "" +" After initialization, *path* will contain a folder structure for storing " +"secrets\n" +" and metadata (user aka recipients, groups of recipients, etc).\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:49 +#, no-wrap +msgid "" +" Also, an entry will be added to `$HOME/.keyringer/config` allowing " +"keyringer to\n" +" find the keyring by its alias.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:53 +#, no-wrap +msgid "" +"git <*action*> <*options*>\n" +": Git wrapper that operates from the toplevel keyring repository. You can " +"issue any\n" +" *GIT(1)* subcommand with this action to have it applied in the keyring " +"repository.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:58 +#, no-wrap +msgid "" +"ls <*path*>\n" +": List contents from the toplevel repository *keys* folder or from " +"relative paths\n" +" if *path* is specified. 
Like the git wrapper, this is a wrapper around " +"the *LS(1)*\n" +" command.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:60 +msgid "# SECRET MANIPULATION ACTIONS" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:63 +msgid "" +"All secret manipulation actions operate upon a *secret* which is the " +"pathname of an encrypted file relative to the keyring with optional `.asc` " +"extension." +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:66 +msgid "" +"If the `.asc` extension is omitted, keyringer will add it at the end of the " +"pathname." +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:68 +msgid "No spaces are allowed in the secret name." +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:72 +msgid "" +"Secret manipulation actions do not commit changes into the secret " +"repository. Instead, the user has to manually commit the changes using the " +"git wrapper action." +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:76 +#, no-wrap +msgid "" +"append <*secret*>\n" +": Append contents into a secret by decrypting the secret, appending lines " +"read\n" +" from the standard input and encrypting again.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:79 +#, no-wrap +msgid "" +"append-batch <*secret*>\n" +": Append contents into a secret, batch mode.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:82 +#, no-wrap +msgid "" +"decrypt <*secret*>\n" +": Decrypts a secret into standard output.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:86 +#, no-wrap +msgid "" +"del <*secret*>\n" +": Removes a secret using Git. After deleting a secret a git commit and " +"push is still\n" +" needed to update remote repositories.\n" +msgstr "" + +#. 
type: Plain text +#: keyringer.1.mdwn:90 +#, no-wrap +msgid "" +" Please note that this command **does not remove the secret from the Git " +"history.**\n" +" To completely remove a file from a keyring, you should also rewrite the " +"Git\n" +" history yourself.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:94 +#, no-wrap +msgid "" +"edit <*secret*>\n" +": Edit a secret by temporarily decrypting it, opening the decrypted copy " +"into the \n" +" text editor defined by the *$EDITOR* environment variable and then " +"re-encrypting it.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:98 +#, no-wrap +msgid "" +"encrypt <*secret*> [*file*]\n" +": Encrypts content from standard input or *file* into *secret* " +"pathname. No spaces\n" +" are supported in the *secret* name.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:101 +#, no-wrap +msgid "" +"encrypt-batch <*secret*>\n" +": Encrypt content, batch mode.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:104 +#, no-wrap +msgid "" +"genpair <*ssh*|*gpg*|*ssl*|*ssl-self*> [*options*]\n" +": Wrapper to generate encryption key-pairs, useful for automated key " +"deployment.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:108 +#, no-wrap +msgid "" +"open <*secret*>\n" +": Decrypt a secret into a temporary folder and open it using xdg-open, " +"which\n" +" tries to figure out the file type and then calls the associated " +"application.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:111 +#, no-wrap +msgid "" +" After the application exits, keyringer encrypts the temporary decrypted " +"file\n" +" again into the secret file and deletes the temporary file.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:116 +#, no-wrap +msgid "" +"recrypt <*secret*>\n" +": Re-encrypts a secret by decrypting it and encrypting it again. Useful " +"when users are added\n" +" into the recipient configuration. 
If no *secret* is given, all secrets " +"in the repository\n" +" are re-encrypted.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:118 +msgid "# CONFIGURATION ACTIONS" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:121 +#, no-wrap +msgid "" +"commands\n" +": List available actions, useful for shell completion and syntax check.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:124 +#, no-wrap +msgid "" +"options <*ls*|*edit*|*add*>\n" +": List, edit or add miscellaneous *repository* options.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:128 +#, no-wrap +msgid "" +" Repository options are settings which are saved in the repository as a " +"*global*\n" +" configuration stanza for a given keyring, shared by all users with " +"access to\n" +" the repository.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:131 +#, no-wrap +msgid "" +" Options are written using the *KEY=VALUE* syntax. All lines starting " +"with the\n" +" hash (#) character are interpreted as comments.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:134 +#, no-wrap +msgid "" +"preferences <*ls*|*edit*|*add*>\n" +": List, edit or add *user* preferences for a given repository.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:137 +#, no-wrap +msgid "" +" User preferences are settings which are saved in the user's keyringer " +"folder\n" +" (`$HOME/.keyringer/`), and not shared with the other users.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:140 +#, no-wrap +msgid "" +" Preferences are written using the *KEY=VALUE* syntax. All lines starting " +"with the\n" +" hash (#) character are interpreted as comments.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:143 +#, no-wrap +msgid "" +"usage\n" +": Show keyringer usage information.\n" +msgstr "" + +#. 
type: Plain text +#: keyringer.1.mdwn:146 +#, no-wrap +msgid "" +"recipients <*ls*|*edit*> <*recipients-file*>\n" +": List, create or edit recipients configuration.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:149 +#, no-wrap +msgid "" +" Recipients files are lists of OpenPGP public key fingerprints which are " +"used\n" +" by keyringer when encrypting secrets and associated with email " +"aliases.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:152 +#, no-wrap +msgid "" +" Keyringer uses a default recipients file, but specifying a custom " +"*recipients-file*\n" +" pathname will override this default.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:158 +#, no-wrap +msgid "" +" For instance, if a user encrypts a secret to a file in the keyring " +"repository's\n" +" *accounting* folder, a *recipients-file* under *accounting* will be " +"used.\n" +" Encrypting a secret into *accounting/bank-accounts* will result in a " +"file\n" +" `$KEYRING_FOLDER/keys/accounting/bank-accounts.asc` encrypted using the " +"public\n" +" keys listed in the config " +"file`$KEYRING_FOLDER/config/recipients/accounting`.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:163 +#, no-wrap +msgid "" +" Each line in a recipients file has entries in the format\n" +" 'john@doe.com XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', where " +"*john@doe.com*\n" +" is an alias for the GPG public key whose fingerprint is\n" +" *XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.*\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:165 +#, no-wrap +msgid "" +" All lines starting with the hash (#) character are interpreted as " +"comments.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:167 +#, no-wrap +msgid " Parameters to the *recipients* action are:\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:170 +#, no-wrap +msgid "" +" *ls*\n" +" : List all existing recipients files.\n" +msgstr "" + +#. 
type: Plain text +#: keyringer.1.mdwn:173 +#, no-wrap +msgid "" +" *edit*\n" +" : Create or edit a recipients file.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:176 +#, no-wrap +msgid "" +" Editing happens using the editor specified by the `$EDITOR`\n" +" environment variable.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:179 +#, no-wrap +msgid "" +" The required parameter *recipients-file* is interpreted relative\n" +" to the `$KEYRING_FOLDER/config/recipients/` folder.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:181 +msgid "# FILES" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:184 +msgid "" +"$HOME/.keyringer/config : User's main configuration file used to map alias " +"names to keyrings." +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:187 +msgid "" +"$HOME/.keyringer/*keyring* : User preferences for the keyringer aliased " +"*keyring* keyring." +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:191 +#, no-wrap +msgid "" +"$KEYRING_FOLDER/config/options\n" +": Custom keyring options which will be applied for all users that use\n" +" the keyringer repository.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:193 +msgid "# LIMITATIONS" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:195 +msgid "Keyringer currently has the following limitations:" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:201 +#, no-wrap +msgid "" +"1. Metadata is not encrypted, meaning that an attacker with access to a " +"keyringer\n" +" repository can discover all public key IDs used for encryption, and which " +"secrets\n" +" are encrypted to which keys. This can be improved in the future by " +"encrypting\n" +" the repository configuration with support for the *--hidden-recipient* " +"GnuPG\n" +" option.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:206 +#, no-wrap +msgid "" +"2. History is not rewritten by default when secrets are removed from a " +"keyringer\n" +" repository. 
After a secret is removed with the *del* action, it will still " +"be\n" +" available in the repository history even after a commit. This is by " +"design\n" +" for the following reasons:\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:211 +#, no-wrap +msgid "" +" - It's the default behavior of the Git content tracker. Forcing the\n" +" deletion by default could break the expected behavior and hence limit\n" +" the repository's backup features, which can be helpful if someone\n" +" mistakenly overwrites a secret.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:215 +#, no-wrap +msgid "" +" - History rewriting cannot be considered a security measure against the\n" +" unauthorized access to a secret as it doesn't automatically update " +"all\n" +" working copies of the repository.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:219 +#, no-wrap +msgid "" +" In the case that the secret is a passphrase, the recommended measure\n" +" against such attacks is to change the passphrase, making useless the\n" +" knowledge of the previous secret.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:222 +#, no-wrap +msgid "" +" Users wishing to edit their repository history should proceed " +"manually\n" +" using the *git* action.\n" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:224 +msgid "# SEE ALSO" +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:226 +msgid "The *README* file distributed with Keyringer contains full documentation." +msgstr "" + +#. type: Plain text +#: keyringer.1.mdwn:228 +msgid "" +"The Keyringer source code and all documentation may be downloaded from " +"." +msgstr "" -- cgit v1.2.3 From 4bf0e9291000e9dae057b887c00a4a167f17ffa4 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 10 Nov 2013 23:34:43 -0200 Subject: Updating ChangeLog and .pot description --- ChangeLog | 2 ++ share/man/keyringer.pot | 19 +++++++++---------- 2 files changed, 11 insertions(+), 10 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index bf7fdd6..37e520f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,7 @@ 2013-11-10 - Silvio Rhatto + Added keyringer.pot for easy manpage translation (closes #5). + Changed encrypt syntax Fix handing of file names with spaces (#20) diff --git a/share/man/keyringer.pot b/share/man/keyringer.pot index 4078028..2e32952 100644 --- a/share/man/keyringer.pot +++ b/share/man/keyringer.pot @@ -1,19 +1,18 @@ -# SOME DESCRIPTIVE TITLE -# Copyright (C) YEAR Free Software Foundation, Inc. -# This file is distributed under the same license as the PACKAGE package. -# FIRST AUTHOR , YEAR. +# Keyringer translation source +# Copyright (C) 2013 Keyringer Developers +# This file is distributed under the same license as the keyringer package. +# Silvio Rhatto , 2013. # -#, fuzzy msgid "" msgstr "" -"Project-Id-Version: PACKAGE VERSION\n" +"Project-Id-Version: Keyringer\n" "POT-Creation-Date: 2013-11-10 23:20-0100\n" -"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" -"Last-Translator: FULL NAME \n" -"Language-Team: LANGUAGE \n" +"PO-Revision-Date: 2013-11-10 23:20-0100\n" +"Last-Translator: Keyringer Developers \n" +"Language-Team: Keyringer Developers \n" "Language: \n" "MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=CHARSET\n" +"Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: Plain text -- cgit v1.2.3 From b4db27a6442bd76450f6465310d662f1e0418f8f Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 11 Nov 2013 18:45:03 -0200 Subject: Minor change --- development.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/development.mdwn b/development.mdwn index 43aeedb..2eae39a 100644 --- a/development.mdwn +++ b/development.mdwn @@ -119,7 +119,7 @@ Translation Run just once: cd share/man - po4a-gettextize -f text -m keyringer.1.mdwn -p keyringer.pot + po4a-gettextize -f text -m keyringer.1.mdwn -p keyringer.pot References ---------- -- cgit v1.2.3 
From ed00f6872b654cdef1f7eba1e5d08020cbb91bd8 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 12 Nov 2013 15:02:07 -0200 Subject: Updated doc on development environment --- development.mdwn | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/development.mdwn b/development.mdwn index 2eae39a..5c771c9 100644 --- a/development.mdwn +++ b/development.mdwn @@ -13,11 +13,11 @@ The following steps needs to be run just once for each arch and distro version. ### Setup a sid pbuilder chroot - git-pbuilder create + DIST=sid git-pbuilder create ### Setup a sid cowbuilder chroot - sudo cowbuilder --create + DIST=sid sudo cowbuilder --create Environment maintenance ----------------------- @@ -26,11 +26,11 @@ These steps should be run once in a while to ensure we have an up to date packag ### Pbuilder - git-pbuilder update + DIST=sid git-pbuilder update ### Cowbuilder - sudo cowbuilder --update + DIST=sid sudo cowbuilder --update Release workflow ---------------- -- cgit v1.2.3 From ee608b62742a05721256e50d4759da32f8be46fa Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 14 Nov 2013 10:41:59 -0200 Subject: Enhancing shell completion for 'encrypt' action --- lib/keyringer/completions/bash/keyringer | 18 ++++++++++++++---- lib/keyringer/completions/zsh/_keyringer | 3 +++ 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/lib/keyringer/completions/bash/keyringer b/lib/keyringer/completions/bash/keyringer index 875e6ab..7bfa62f 100644 --- a/lib/keyringer/completions/bash/keyringer +++ b/lib/keyringer/completions/bash/keyringer 
@@ -42,6 +42,15 @@ _keyringer_git_complete() { fi } +# Path completion +function _keyringer_path_complete() { + # Thanks http://unix.stackexchange.com/questions/55520/create-bash-completion-script-to-autocomplete-paths-after-is-equal-sign + cur=${1//\\ / } + [[ ${cur} == "~/"* ]] && cur=${cur/\~/$HOME} + + echo ${cur} +} + _keyringer() { # Standard stuff local cur prev command config path keyrings instances instance opts @@ -94,10 +103,7 @@ _keyringer() { opts="$(_keyringer_git_complete ${cur})" ;; init) - # Thanks http://unix.stackexchange.com/questions/55520/create-bash-completion-script-to-autocomplete-paths-after-is-equal-sign - cur=${cur//\\ / } - [[ ${cur} == "~/"* ]] && cur=${cur/\~/$HOME} - + cur="$(_keyringer_path_complete ${cur})" opts="$(compgen -o dirnames ${cur})" ;; *) @@ -115,6 +121,10 @@ _keyringer() { # TODO opts="$(_keyringer_git_complete ${prev} ${cur})" ;; + encrypt|encrypt-batch) + cur="$(_keyringer_path_complete ${cur})" + opts="$(compgen -o dirnames ${cur})" + ;; *) ;; esac diff --git a/lib/keyringer/completions/zsh/_keyringer b/lib/keyringer/completions/zsh/_keyringer index 119d26d..50ff433 100644 --- a/lib/keyringer/completions/zsh/_keyringer +++ b/lib/keyringer/completions/zsh/_keyringer @@ -77,6 +77,9 @@ _keyringer() { git) compadd "$@" $(_keyringer_git_complete $words[4] $words[5]) ;; + encrypt|encrypt-batch) + _files + ;; *) ;; esac -- cgit v1.2.3 From e6f22ac9ccb5112f13d45d99e2ffb173237c4e1c Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 14 Nov 2013 10:54:55 -0200 Subject: Show available keyrings on usage --- lib/keyringer/functions | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/keyringer/functions b/lib/keyringer/functions index bf2977d..d1bbb1c 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions 
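Review bot: The new helper is called as `_keyringer_path_complete ${cur}` with the argument unquoted, so a word such as `foo\ bar` is split at the space before the helper sees it, `$1` arrives as `foo\` and the `${1//\\ / }` replacement that the old inline code applied to the whole value no longer has anything to act on; the same unquoted expansion in `echo ${cur}` then word-splits and glob-expands the result on the way back. Quoting both ends preserves the old behaviour: `cur="$(_keyringer_path_complete "${cur}")"` at the two call sites and `printf '%s\n' "${cur}"` in the helper, which also avoids `echo` interpreting values like `-n`. The helper assigns `cur` without a `local`, so it depends on the caller's `local cur`; a `local cur` of its own (or a comment) would make that explicit. The `encrypt|encrypt-batch` branch in the last hunk of this file reuses the directory-only completion from `init`, while that action takes a file argument; `compgen -f -- "${cur}"` would match the `_files` completion the zsh side adds.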
@@ -396,10 +396,16 @@ function keyringer_show_actions { # Usage function keyringer_usage { + local keyrings="$(ls --color=never `dirname $CONFIG` | sed -e 's/config//' | xargs)" + printf "Usage: %s [arguments]\n\n" "$BASENAME" printf "Available commands: \n\n" keyringer_show_actions | sed -e 's/^/\t/' printf "\tinit [remote]\n\n" $BASENAME + + if [ ! -z "$keyrings" ]; then + printf "Available keyrings: %s \n" "$keyrings" + fi } # Check recipients -- cgit v1.2.3 From 8b05cfce978dbed626f0e3b100c64d36d52550a4 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 14 Nov 2013 10:56:24 -0200 Subject: Development: index --- development.mdwn | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/development.mdwn b/development.mdwn index 5c771c9..b03ecbc 100644 --- a/development.mdwn +++ b/development.mdwn @@ -1,5 +1,10 @@ [[!meta title="Keyringer: development guidelines and workflow"]] +Index +----- + +[[!toc levels=4]] + Development environment ----------------------- -- cgit v1.2.3 From 8857d60617c00553aaab7f06153b17699c860e96 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 14 Nov 2013 11:15:32 -0200 Subject: Edit default recipients during initialization --- keyringer | 10 +++++++++- lib/keyringer/functions | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/keyringer b/keyringer index 8ba1093..7aad6a0 100755 --- a/keyringer +++ b/keyringer @@ -90,8 +90,16 @@ function keyringer_init { # Init if ! keyringer_is_git "$BASEDIR"; then keyringer_exec git "$BASEDIR" init + + # Edit default recipients + echo "Now you have to edit the default recipient configuration to be able to encrypt secrets." + echo "Press any key to proceed editing..." + read key + keyringer $KEYRING recipients edit default + + # Stage and commit keyringer_exec git "$BASEDIR" add . - keyringer_exec git "$BASEDIR" commit -m Importing + keyringer_exec git "$BASEDIR" commit -m Initializing fi } 
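Review bot: `sed -e 's/config//'` in the new `keyrings` line removes the substring `config` wherever it appears, so a keyring alias such as `myconfig` is listed as `my`, and `` `dirname $CONFIG` `` is unquoted, so a configuration path with spaces breaks the `ls`. Filtering whole names is what is meant: `local keyrings="$(ls --color=never "$(dirname "$CONFIG")" | grep -vx config | xargs)"`. Presumably `$CONFIG` is the `~/.keyringer/config` file that the documentation hunks in this series mention, so the listing is of the per-keyring preference files next to it; a one-line comment saying so, e.g. `# Keyring aliases are the files next to $CONFIG, minus the config file itself`, would spare the next reader the guess.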
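Review bot: `keyringer $KEYRING recipients edit default` re-enters the tool through a `PATH` lookup instead of the script that is running, so an uninstalled checkout (or a different installed version) edits the recipients file with whichever `keyringer` comes first on `PATH`; `$KEYRING` is also unquoted. If this file is the entry point, `"$0" "$KEYRING" recipients edit default` keeps the call inside the same installation. The new `read key` blocks indefinitely when `init` is driven without a terminal; guarding the prompt with `if [ -t 0 ]` (and using `read -r`) would let non-interactive setups proceed to the commit. keyringer_init starts before this hunk.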
diff --git a/lib/keyringer/functions b/lib/keyringer/functions index d1bbb1c..b39b8ec 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -517,7 +517,7 @@ function keyringer_set_new_recipients { function keyringer_create_new_recipients { if [ ! -e "$1" ]; then mkdir -p "`dirname $1`" - echo "# Use entries in the form of 'john@doe.com XXXXXXXX'" > "$1" + echo "# Use entries in the form of 'john@doe.com XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'" > "$1" echo "" >> "$1" fi } -- cgit v1.2.3 From 1340e329768f8f022c6d5cd91e512380d883a5ac Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 14 Nov 2013 14:36:46 -0200 Subject: Set file extension for encrypted files --- lib/keyringer/actions/edit | 8 +++++++- lib/keyringer/actions/encrypt | 17 ++++++++++++++++- lib/keyringer/functions | 9 ++++++--- 3 files changed, 29 insertions(+), 5 deletions(-) diff --git a/lib/keyringer/actions/edit b/lib/keyringer/actions/edit index 54d0fec..f6477bf 100755 --- a/lib/keyringer/actions/edit +++ b/lib/keyringer/actions/edit @@ -16,8 +16,13 @@ keyringer_set_recipients "$FILE" # Warn user echo "Make sure that $BASEDIR is atop of an encrypted volume." +# Get original file EXTENSION +FILENAME="$(basename "$FILE" .asc)" +FILENAME="$(basename "$FILENAME")" +EXTENSION="${FILENAME##*.}" + # Set a tmp file -keyringer_set_tmpfile edit +keyringer_set_tmpfile $BASENAME.$EXTENSION # Decrypt the information to the file $GPG --yes -o "$TMPWORK" --use-agent -d "$KEYDIR/$FILE" @@ -26,6 +31,7 @@ if [ "$BASENAME" == "edit" ]; then APP="$EDITOR" elif [ "$BASENAME" == "open" ]; then if which xdg-open &> /dev/null; then + # TODO: set TMPWORK depending on the MIME type (`file -i` or `xdg-mime query filetype`) APP="xdg-open" else echo "You should have xdg-open application to perform this action, aborting." diff --git a/lib/keyringer/actions/encrypt b/lib/keyringer/actions/encrypt index d9d8f96..aadb9fa 100755 --- a/lib/keyringer/actions/encrypt +++ b/lib/keyringer/actions/encrypt 
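Review bot: `EXTENSION="${FILENAME##*.}"` yields the whole name when `$FILENAME` contains no dot, so for a secret named `wifi` the temp file gets the suffix `edit.wifi`, and in the matching hunk of `lib/keyringer/actions/encrypt` a plain file such as `/etc/hostname` is stored as `<secret>.hostname`, silently renaming the secret. Detect the dot first: `case "$FILENAME" in *.*) EXTENSION="${FILENAME##*.}" ;; *) EXTENSION="" ;; esac`, and in encrypt skip the append when `EXTENSION` is empty. The `grep -q -e "\.$EXTENSION$"` test in encrypt also interprets the extension as a regular expression, so characters like `[`, `*` or `\` mis-match or make grep fail; `case "$FILE" in *."$EXTENSION") ;; *) FILE="$FILE.$EXTENSION" ;; esac` compares literally. The second `FILENAME="$(basename "$FILENAME")"` is redundant after `basename "$FILE" .asc`. A short comment explaining why the extension is carried into the temp name (applications need it to guess the file type) would help, since it also places part of the secret's name into a filename outside the keyring.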
@@ -25,10 +25,25 @@ fi # Aditional parameters if [ ! -z "$3" ]; then - keyringer_get_new_file $2 + # Set secret name and original file + FILE="$2" shift 2 UNENCRYPTED_FILE="$*" + # Get original file EXTENSION + FILENAME="$(basename "$UNENCRYPTED_FILE")" + EXTENSION="${FILENAME##*.}" + + # Append file extension in the secret name + # + # Useful when opening files and the application needs the + # extension to guess the file type. + if ! echo $FILE | grep -q -e "\.$EXTENSION$"; then + FILE="$FILE.$EXTENSION" + fi + + keyringer_get_new_file $FILE + if [ ! -f "$UNENCRYPTED_FILE" ]; then echo "Error: cannot encrypt $UNENCRYPTED_FILE: file not found." exit 1 diff --git a/lib/keyringer/functions b/lib/keyringer/functions index b39b8ec..40e13aa 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -118,13 +118,16 @@ function keyringer_set_tmpfile { exit 1 fi + # Set base temp folder + local tmp="$BASEDIR/tmp" + if [ -z "$1" ]; then - template="$BASEDIR/tmp/keyringer.XXXXXXXXXX" + template="$tmp/keyringer.XXXXXXXXXX" else - template="$BASEDIR/tmp/$1.XXXXXXXXXX" + template="$tmp/XXXXXXXXXX.$1" fi - mkdir -p "$BASEDIR/tmp" + mkdir -p "$tmp" keyringer_git_ignore 'tmp/*' if [ "$2" == "-d" ]; then -- cgit v1.2.3 From d5071621ef59e20fe1a0052ec237503afbf0b444 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 14 Nov 2013 14:44:28 -0200 Subject: TODO cleanup (#28) --- lib/keyringer/actions/edit | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/keyringer/actions/edit b/lib/keyringer/actions/edit index f6477bf..c539846 100755 --- a/lib/keyringer/actions/edit +++ b/lib/keyringer/actions/edit @@ -31,7 +31,6 @@ if [ "$BASENAME" == "edit" ]; then APP="$EDITOR" elif [ "$BASENAME" == "open" ]; then if which xdg-open &> /dev/null; then - # TODO: set TMPWORK depending on the MIME type (`file -i` or `xdg-mime query filetype`) APP="xdg-open" else echo "You should have xdg-open application to perform this action, aborting." -- cgit v1.2.3 
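Review bot: The new template `$tmp/XXXXXXXXXX.$1` puts the random run before a suffix, which GNU `mktemp` accepts (a trailing non-`X` part implies `--suffix`) but BSD and busybox `mktemp` reject, since they require the `X`s at the end of the template; the `mktemp` call itself is below this hunk, so this is a portability caveat rather than a visible breakage. `$1` is interpolated unchecked, and with the encrypt hunk above it now derives from user-supplied file names, so a value containing `/` or whitespace breaks the template; rejecting such values before building it would be cheap. Suggested comment on the template line: `# Extension goes after the random part so applications can detect the file type; needs GNU mktemp.` keyringer_set_tmpfile starts before and ends after this hunk.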
From 63a0ffbc05c17805cf400d83ab895923a7d95e4b Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 14 Nov 2013 14:45:59 -0200 Subject: ChangeLog update --- ChangeLog | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 37e520f..00ec1a6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,10 @@ -2013-11-10 - Silvio Rhatto +2013-11-14 - Silvio Rhatto + + Encrypt/open improvements (closes #9). + + Initialization now asks user to edit the default preferences file. + + Usage improvements. Added keyringer.pot for easy manpage translation (closes #5). -- cgit v1.2.3 From 4f05749d3bec1ce121372dbaa7eccdaa0dc4b5ab Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 14 Nov 2013 14:46:17 -0200 Subject: ChangeLog update (2) --- ChangeLog | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 00ec1a6..629d2b5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,12 +1,12 @@ 2013-11-14 - Silvio Rhatto - Encrypt/open improvements (closes #9). + Encrypt/open improvements (closes #9) - Initialization now asks user to edit the default preferences file. + Initialization now asks user to edit the default preferences file - Usage improvements. + Usage improvements - Added keyringer.pot for easy manpage translation (closes #5). + Added keyringer.pot for easy manpage translation (closes #5) Changed encrypt syntax -- cgit v1.2.3 From 6c08cb89106d0ab22749993ef860f593bb60b344 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 14 Nov 2013 15:01:01 -0200 Subject: Adding keyringer_shred (closes #27) --- lib/keyringer/functions | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 40e13aa..fcec045 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions 
@@ -144,13 +144,42 @@ function keyringer_set_tmpfile { trap "keyringer_unset_tmpfile $TMPWORK; exit" INT TERM EXIT } +# Shred files +function keyringer_shred { + local path="$1" + local tool + + if [ -z "$path" ]; then + return + fi + + # Get shred implementation + if which wipe &> /dev/null; then + tool="wipe" + elif which shred &> /dev/null; then + tool="shred" + else + # Worst implementation + tool="rm" + fi + + echo "Removing $path using $tool..." + + if [ -d "$path" ]; then + find $path -exec $tool -f {} \; + rmdir $path + elif [ -e "$path" ]; then + $tool -f "$path" + fi +} + # Remove a temporary file function keyringer_unset_tmpfile { if [ -z "$1" ]; then echo "No tmp file set" fi - rm -f "$1" + keyringer_shred "$1" if [ "$?" != "0" ]; then echo "Warning: could not delete file $1. Please delete it manually as it might have sensitive information." -- cgit v1.2.3 From c10fdd5e50d1543196e0aeb29ee8032f0ad5aa0b Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 14 Nov 2013 15:02:56 -0200 Subject: Warn user if keyringer_shred is using rm --- lib/keyringer/functions | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/keyringer/functions b/lib/keyringer/functions index fcec045..4d97f34 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -148,6 +148,7 @@ function keyringer_set_tmpfile { function keyringer_shred { local path="$1" local tool + local message="Removing" if [ -z "$path" ]; then return @@ -160,10 +161,11 @@ function keyringer_shred { tool="shred" else # Worst implementation + message="WARNING $message" tool="rm" fi - echo "Removing $path using $tool..." + echo "$message $path using $tool..." if [ -d "$path" ]; then find $path -exec $tool -f {} \; -- cgit v1.2.3 From d892fb9997a98d12d9a09b12d3179242c48a07c9 Mon Sep 17 00:00:00 2001 
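Review bot: `find $path -exec $tool -f {} \;` in the new `keyringer_shred` runs the tool on every entry including `$path` itself and any subdirectory (there is no `-type f`), so `shred -f`/`rm -f` fail on directories, the trailing `rmdir $path` fails when a subdirectory exists, and that non-zero status surfaces only as the generic warning in `keyringer_unset_tmpfile`; `$path` is also unquoted throughout. `find "$path" -type f -exec "$tool" -f {} \; && rm -rf "$path"` overwrites the files first and then removes the tree. A comment should also record what the overwrite can and cannot guarantee: `# Overwriting only helps on filesystems that write in place; on tmpfs, journaling or copy-on-write filesystems the old blocks may survive (see shred(1) CAVEATS).`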
From: Silvio Rhatto Date: Thu, 14 Nov 2013 15:06:24 -0200 Subject: ChangeLog update and minor keyringer_shred improvement --- ChangeLog | 2 ++ lib/keyringer/functions | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 629d2b5..b14e95a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,7 @@ 2013-11-14 - Silvio Rhatto + Shred of temporary files (closes #27) + Encrypt/open improvements (closes #9) Initialization now asks user to edit the default preferences file diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 4d97f34..d02b1d8 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -152,6 +152,8 @@ function keyringer_shred { if [ -z "$path" ]; then return + elif [ ! -e "$path" ]; then + return fi # Get shred implementation @@ -170,7 +172,7 @@ function keyringer_shred { if [ -d "$path" ]; then find $path -exec $tool -f {} \; rmdir $path - elif [ -e "$path" ]; then + else $tool -f "$path" fi } -- cgit v1.2.3 From d7b631b470aa0fde1f6d768632ee5d643aede320 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 14 Nov 2013 16:05:17 -0200 Subject: Ramdisk check (closes #13) --- lib/keyringer/actions/edit | 3 --- lib/keyringer/functions | 50 +++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 49 insertions(+), 4 deletions(-) diff --git a/lib/keyringer/actions/edit b/lib/keyringer/actions/edit index c539846..9a3e488 100755 --- a/lib/keyringer/actions/edit +++ b/lib/keyringer/actions/edit @@ -13,9 +13,6 @@ keyringer_get_file "$2" # Set recipients file keyringer_set_recipients "$FILE" -# Warn user -echo "Make sure that $BASEDIR is atop of an encrypted volume." - # Get original file EXTENSION FILENAME="$(basename "$FILE" .asc)" FILENAME="$(basename "$FILENAME")" diff --git a/lib/keyringer/functions b/lib/keyringer/functions index d02b1d8..7570a94 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions 
@@ -111,16 +111,64 @@ function keyringer_is_git { fi } +# Check the security of a temporary folder +function keyringer_check_tmp { + local path="$1" + local minor + local mode + + if [ -z "$path" ]; then + return + fi + + # Mode check + if [ "`stat -c "%A" $path`" != "drwxrwxrwt" ]; then + return 1 + fi + + # Ramdisk check + if [ -x "/sbin/udevadm" ]; then + minor="$(/sbin/udevadm info --device-id-of-file "$path" | cut -d : -f 1)" + elif which mountpoint &> /dev/null; then + minor="$(mountpoint -d $(df "$path" | sed -n '$p' | awk '{print $NF}') | cut -d : -f 1)" + fi + + if [ ! -z "$minor" ]; then + return $minor + else + return 1 + fi +} + # Setup a temporary file function keyringer_set_tmpfile { + local tmp + local candidate + local candidates="/tmp /run/shm $TMP" + if [ -z "$BASEDIR" ]; then echo "Please set BASEDIR before creating a tmp file" exit 1 fi + # Ramdisk check + for candidate in $candidates; do + if keyringer_check_tmp $candidate; then + tmp="$candidate/keyringer.`whoami`" + break + fi + done + # Set base temp folder - local tmp="$BASEDIR/tmp" + if [ -z "$tmp" ]; then + echo "WARNING: neither one of $candidates is mounted in a tmpfs/ramdisk, using $BASEDIR/tmp as fallback." + echo "Make sure that $BASEDIR is atop of an encrypted volume." + echo "Press any key to continue, Ctrl-C to abort" + read key + tmp="$BASEDIR/tmp" + fi + # Determine template if [ -z "$1" ]; then template="$tmp/keyringer.XXXXXXXXXX" else -- cgit v1.2.3 From 3fd3851b600f18b19ed201693a270bb29dcfc4ff Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 14 Nov 2013 16:20:54 -0200 Subject: ChangeLog update --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index b14e95a..222936d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,7 @@ 2013-11-14 - Silvio Rhatto + Ramdisk check for temporary folders (closes #13) + Shred of temporary files (closes #27) Encrypt/open improvements (closes #9) -- cgit v1.2.3 
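Review bot: `return $minor` in keyringer_check_tmp makes the caller accept a candidate whenever the first field of `udevadm info --device-id-of-file` (the device major, despite the variable name) is 0, but major 0 only says the filesystem has no backing block device — NFS, overlayfs, FUSE and btrfs mounts report `0:N` as well, so secrets could land on a network- or disk-backed filesystem that passes as a "ramdisk"; a major of 256 or more would also wrap to a small exit status. Checking the filesystem type is more direct and drops the udevadm/mountpoint branches: `fstype="$(stat -f -c %T "$path" 2>/dev/null)"` then `case "$fstype" in tmpfs|ramfs) return 0 ;; *) return 1 ;; esac`. The mode test should quote its argument, `"$(stat -c %A "$path")"`. The per-user name `$candidate/keyringer.$(whoami)` is predictable inside a world-writable directory, so the code that creates it — keyringer_set_tmpfile continues past this hunk — should refuse a pre-existing directory that is not owned by the user with mode 0700.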
From 9cd7165a5a63a5824a327920b428eeed8aec528e Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 14 Nov 2013 18:36:04 -0200 Subject: Keyringer 0.2.7 --- ChangeLog | 2 +- development.mdwn | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 222936d..b66f924 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,4 @@ -2013-11-14 - Silvio Rhatto +2013-11-14 - 0.2.7 Silvio Rhatto Ramdisk check for temporary folders (closes #13) diff --git a/development.mdwn b/development.mdwn index b03ecbc..26a865c 100644 --- a/development.mdwn +++ b/development.mdwn @@ -51,6 +51,7 @@ Prepare the source code: Commit and tag a release: + VERSION="X.Y.Z" git commit -a -m "Keyringer $VERSION" git tag -s $VERSION -m "Keyringer $VERSION" -- cgit v1.2.3
