/ 2004-01-25 11:06:08 -0700
\ s. keeling:
> > This sounds like an ideal job for the combination of the rather
> > appropriately named tools fetchmail and procmail, which - to no big
> > surprise - are suitable to fetch and process mail.
> 
> Agreed.  Add on gnupg for signature verification and decryption
> (perhaps callable by procmail).
> 
> I'm not surprised there isn't one monolithic tool to do what you ask;
> you're asking a lot.  Chaining one existing specific tool after
> another to build up your overall system is the way to go.

maybe below helps ;)

        Lars Ellenberg

# --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--

#!/bin/bash

# Example proof of concept script to sign and encrypt a bash script,
# decrypt it, and execute it when it verifies ok.
#
# you obviously want to add some error handling, archive and log functionality,
# and work in some exclusive, (maybe `mktemp -d`ed ?) directory.
#
# of course you want to have more than one key, and a more
# interesting passphrase ...
#
# copyleft today, no rights reserved ;)
#

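# Private keyring pair for this demo; gen_key creates $KEYRING.pub/.sec and
# the passphrase file $KEYRING.mantra next to it.
KEYRING=./foo
# Common gpg options as one whitespace-separated string.  It is expanded
# unquoted on every gpg call and extended with --trusted-key further down,
# so it has to stay a string, not an array.  Kept on ONE line: a line break
# inside the quotes only worked because the default IFS happens to contain
# a newline.
GPGOP="--no-default-keyring --keyring $KEYRING.pub --secret-keyring $KEYRING.sec"
# demo passphrase -- hard-coded only because this is a proof of concept
MANTRA=abc
REALNAME="Joe Tester"
# looks like a list-archive redaction placeholder; substitute a real address
EMAIL="[EMAIL PROTECTED]"
COMMENT="with stupid passphrase"

SAMPLE_SCRIPT=./dummy-script

# everything this script creates (keyring, passphrase file, plaintext) is
# readable by the owner only
umask 077
# an unset locale presumably keeps gpg's messages in English, which the
# expected-output pattern further down is written against
export LANG=
# fixed, minimal PATH so gpg and the text tools are the system ones
export PATH=/bin:/usr/bin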

#
# --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
#

#
# CAREFUL! this does              rm $KEYRING.*
#
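gen_key()
{
        # Wipe any previous keyring files.  ${KEYRING:?} refuses an empty
        # KEYRING, which would turn the glob into ".*" and delete the
        # current directory's dotfiles; -f keeps a first run quiet.
        rm -f -- "${KEYRING:?KEYRING must be set}".*
        # Passphrase file, read on fd 10 by encrypt/decrypt.  umask 077
        # (set at the top of the script) makes it owner-readable only.
        printf '%s\n' "$MANTRA" > "$KEYRING.mantra"
        # Unattended generation: the parameter block (passphrase included)
        # is fed on stdin, so nothing secret appears on the command line.
        # The body sits at column 0 on purpose -- '<<-' strips leading
        # tabs only, and an indented copy that went through a tab-mangling
        # mailer would neither strip nor terminate correctly.
        # DSA/ELG-E 1024 is what this GnuPG 1.0.7 era demo used; it is not
        # a key-size recommendation.
        gpg --batch --gen-key <<___
%echo Generating a standard key
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 1024
Name-Real: $REALNAME
Name-Comment: $COMMENT
Name-Email: $EMAIL
Expire-Date: 0
Passphrase: $MANTRA
%pubring $KEYRING.pub
%secring $KEYRING.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
___
}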

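encrypt()
{
        # Sign (with REALNAME's key) and encrypt (to REALNAME) the file
        # named in $1; the ASCII-armored result goes to stdout.  The
        # passphrase is read from the mantra file on fd 10 rather than
        # passed as an argument, so it does not show up in the process list.
        # GPGOP is a whitespace-separated option string: keep it unquoted.
        # shellcheck disable=SC2086
        10<"$KEYRING.mantra" \
        gpg $GPGOP --passphrase-fd 10 --no-encrypt-to --batch \
                -u "$REALNAME" -r "$REALNAME" \
                --sign --encrypt --armor --output - "$1"
}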

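decrypt()
{
        # Decrypt the armored file named in $1 (gpg also checks the
        # embedded signature).  Plaintext goes to stdout; gpg's diagnostics
        # stay on stderr, which the caller captures and compares against
        # EXPECTED_GPG_OUTPUT.  Passphrase comes from the mantra file on
        # fd 10, never from argv.
        # GPGOP is a whitespace-separated option string: keep it unquoted.
        # shellcheck disable=SC2086
        10<"$KEYRING.mantra" \
        gpg $GPGOP --passphrase-fd 10 --decrypt --batch "$1"
}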



# gen_key                # <<=== uncomment for the first run


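# Key IDs, taken from field 5 of the colon-delimited --list-keys records:
# the first "pub:" record is the DSA signing key, the first "sub:" record
# the ELG-E encryption subkey.  One awk pass replaces grep|head|cut, and
# the pipelines stay on one line (a wrapped backtick pipeline does not parse).
# GPGOP is a whitespace-separated option string: keep it unquoted.
# shellcheck disable=SC2086
PUBID=$(gpg $GPGOP --with-colons --list-keys "$REALNAME" | awk -F: '$1 == "pub" { print $5; exit }')
# shellcheck disable=SC2086
SECID=$(gpg $GPGOP --with-colons --list-keys "$REALNAME" | awk -F: '$1 == "sub" { print $5; exit }')
# Without a key nothing below can verify anything: stop here instead of
# carrying empty IDs into --trusted-key and the expected-output pattern.
: "${PUBID:?no public key found for $REALNAME -- run gen_key first}"
: "${SECID:?no encryption subkey found for $REALNAME -- run gen_key first}"
# presumably marks the key as trusted so that gpg's "not certified" warning
# does not end up in the output compared later -- TODO confirm for your gpg
GPGOP="$GPGOP --trusted-key $SECID"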

#
# this is used later to verify the authenticity of the message.
# you may need to adjust it if your gpg version has a different
# output format. This is for "gpg (GnuPG) 1.0.7"
#
CREATION_DATE="*" # put the creation date here, if you like
# The value is a bash glob pattern, not a literal string: the '*' in it
# stand for the creation date and the signature date.  It is matched
# against the complete stderr of the decrypt step, so any extra gpg
# diagnostic or a different wording makes the comparison fail closed.
# (gpg's --status-fd output would be the machine-readable alternative.)
# printf -v joins the four lines without a trailing newline.
printf -v EXPECTED_GPG_OUTPUT '%s\n%s\n%s\n%s' \
        "gpg: encrypted with 1024-bit ELG-E key, ID ${SECID: -8}, created $CREATION_DATE" \
        "      \"$REALNAME ($COMMENT) <$EMAIL>\"" \
        "gpg: Signature made * using DSA key ID ${PUBID: -8}" \
        "gpg: Good signature from \"$REALNAME ($COMMENT) <$EMAIL>\""

#
# --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
#

#
# prepare a demo script
# 
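# -f: on the first run none of these files exist yet, and that is not an error
rm -f -- "$SAMPLE_SCRIPT"{,.asc,.clear}
# Body at column 0 on purpose: '<<-' strips leading *tabs* only, so an
# indented body that went through a tab-mangling mailer would carry its
# indentation into the generated script.
cat <<'___' > "$SAMPLE_SCRIPT"
echo "executing dummy-script"
echo " as $0 $*"
echo "done."
___

#
# encrypt it: the signed+encrypted ASCII armor goes next to the cleartext
#
encrypt "$SAMPLE_SCRIPT" > "$SAMPLE_SCRIPT".asc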

#
# --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
#
# mail it: mail -s "asdf" "$TARGET" < "$SAMPLE_SCRIPT".asc 
# the nice thing about gpg -se --armor is that the gpg --decrypt
# later ignores the additional mail headers...
#
# receive it: fetchmail ...
#
# if you choose to let fetchmail deliver into maildir, you
# can simply have a daemon process check ./new/ every so often,
# then process every single file, and move it to ./cur/ if you are
# done with it...
#
# --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
#
# now:

#
# decrypt it, capture the gpg output
#
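# Capture gpg's diagnostics (stderr) in OUTPUT while the plaintext goes to
# the .clear file, and keep gpg's exit status too instead of relying on
# the text alone.
decrypt_rc=0
OUTPUT=$(decrypt "$SAMPLE_SCRIPT".asc 2>&1 > "$SAMPLE_SCRIPT".clear) || decrypt_rc=$?

# EXPECTED_GPG_OUTPUT is a glob pattern (its '*' cover the dates), so the
# right-hand side is deliberately unquoted.  Anything gpg adds or words
# differently makes the match -- and therefore the execution -- fail.
if (( decrypt_rc == 0 )) && [[ $OUTPUT == $EXPECTED_GPG_OUTPUT ]] ; then
        # maybe you rather choose to:
        # /bin/bash -e "$SAMPLE_SCRIPT".clear
        /bin/bash "$SAMPLE_SCRIPT".clear
        # the plaintext has served its purpose; do not leave it lying around
        rm -f -- "$SAMPLE_SCRIPT".clear
        # 0 means "verified and executed"; the payload's own status is not propagated
        exit 0
else
        exec 1>&2
        printf '%s\n' =============
        printf '%s\n' "$OUTPUT"
        printf '%s\n' =============
        printf '%s\n' FAILED
        # whatever gpg wrote before failing must not survive unverified
        rm -f -- "$SAMPLE_SCRIPT".clear
        exit 77 # which according to /usr/include/sysexits.h is EX_NOPERM
fi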
