Here's a revised patch.
diff --git a/src/password-store.sh b/src/password-store.sh
index 284eabf..d6a341e 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -6,10 +6,11 @@
umask "${PASSWORD_STORE_UMASK:-077}"
set -o pipefail
-GPG_OPTS=( $PASSWORD_STORE_GPG_OPTS "--quiet" "--yes" "--compress-algo=none"
"--no-encrypt-to" )
+read -r -a PASSWORD_STORE_GPG_OPTS_ARR <<< "$PASSWORD_STORE_GPG_OPTS"
+GPG_OPTS=( "${PASSWORD_STORE_GPG_OPTS_ARR[@]}" "--quiet" "--yes"
"--compress-algo=none" "--no-encrypt-to" )
GPG="gpg"
export GPG_TTY="${GPG_TTY:-$(tty 2>/dev/null)}"
-which gpg2 &>/dev/null && GPG="gpg2"
+command -v gpg2 &>/dev/null && GPG="gpg2"
[[ -n $GPG_AGENT_INFO || $GPG == "gpg2" ]] && GPG_OPTS+=( "--batch"
"--use-agent" )
PREFIX="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
@@ -58,7 +59,8 @@ die() {
verify_file() {
[[ -n $PASSWORD_STORE_SIGNING_KEY ]] || return 0
[[ -f $1.sig ]] || die "Signature for $1 does not exist."
- local fingerprints="$($GPG $PASSWORD_STORE_GPG_OPTS --verify
--status-fd=1 "$1.sig" "$1" 2>/dev/null | sed -n 's/^\[GNUPG:\] VALIDSIG
\([A-F0-9]\{40\}\) .* \([A-F0-9]\{40\}\)$/\1\n\2/p')"
+ local fingerprints;
+ fingerprints="$($GPG "${PASSWORD_STORE_GPG_OPTS_ARR[@]}" --verify
--status-fd=1 "$1.sig" "$1" 2>/dev/null | sed -n 's/^\[GNUPG:\] VALIDSIG
\([A-F0-9]\{40\}\) .* \([A-F0-9]\{40\}\)$/\1\n\2/p')"
local fingerprint found=0
for fingerprint in $PASSWORD_STORE_SIGNING_KEY; do
[[ $fingerprint =~ ^[A-F0-9]{40}$ ]] || continue
@@ -106,7 +108,8 @@ set_gpg_recipients() {
reencrypt_path() {
local prev_gpg_recipients="" gpg_keys="" current_keys="" index passfile
- local groups="$($GPG $PASSWORD_STORE_GPG_OPTS --list-config
--with-colons | grep "^cfg:group:.*")"
+ local groups;
+ groups="$($GPG "${PASSWORD_STORE_GPG_OPTS_ARR[@]}" --list-config
--with-colons | grep "^cfg:group:.*")"
while read -r -d "" passfile; do
[[ -L $passfile ]] && continue
local passfile_dir="${passfile%/*}"
@@ -119,14 +122,15 @@ reencrypt_path() {
set_gpg_recipients "$passfile_dir"
if [[ $prev_gpg_recipients != "${GPG_RECIPIENTS[*]}" ]]; then
for index in "${!GPG_RECIPIENTS[@]}"; do
- local group="$(sed -n "s/^cfg:group:$(sed
's/[\/&]/\\&/g' <<<"${GPG_RECIPIENTS[$index]}"):\\(.*\\)\$/\\1/p" <<<"$groups"
| head -n 1)"
+ local group;
+ group="$(sed -n "s/^cfg:group:$(sed
's/[\/&]/\\&/g' <<<"${GPG_RECIPIENTS[$index]}"):\\(.*\\)\$/\\1/p" <<<"$groups"
| head -n 1)"
[[ -z $group ]] && continue
IFS=";" eval 'GPG_RECIPIENTS+=( $group )' #
http://unix.stackexchange.com/a/92190
unset "GPG_RECIPIENTS[$index]"
done
- gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys
--with-colons "${GPG_RECIPIENTS[@]}" | sed -n
's/^sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p'
| LC_ALL=C sort -u)"
+ gpg_keys="$($GPG "${PASSWORD_STORE_GPG_OPTS_ARR[@]}"
--list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n
's/^sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p'
| LC_ALL=C sort -u)"
fi
- current_keys="$(LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v
--no-secmem-warning --no-permission-warning --decrypt --list-only
--keyid-format long "$passfile" 2>&1 | sed -n 's/^gpg: public key is
\([A-F0-9]\+\)$/\1/p' | LC_ALL=C sort -u)"
+ current_keys="$(LC_ALL=C $GPG
"${PASSWORD_STORE_GPG_OPTS_ARR[@]}" -v --no-secmem-warning
--no-permission-warning --decrypt --list-only --keyid-format long "$passfile"
2>&1 | sed -n 's/^gpg: public key is \([A-F0-9]\+\)$/\1/p' | LC_ALL=C sort -u)"
if [[ $gpg_keys != "$current_keys" ]]; then
echo "$passfile_display: reencrypting to
${gpg_keys//$'\n'/ }"
@@ -173,11 +177,13 @@ clip() {
# variable. Specifically, it cannot store nulls nor (non-trivally) store
# trailing new lines.
pkill -f "^$sleep_argv0" 2>/dev/null && sleep 0.5
- local before="$("${paste_cmd[@]}" 2>/dev/null | $BASE64)"
+ local before;
+ before="$("${paste_cmd[@]}" 2>/dev/null | $BASE64)"
echo -n "$1" | "${copy_cmd[@]}" || die "Error: Could not copy data to
the clipboard"
(
( exec -a "$sleep_argv0" bash <<<"trap 'kill %1' TERM; sleep
'$CLIP_TIME' & wait" )
- local now="$("${paste_cmd[@]}" | $BASE64)"
+ local now;
+ now="$("${paste_cmd[@]}" | $BASE64)"
[[ $now != $(echo -n "$1" | $BASE64) ]] && before="$now"
# It might be nice to programatically check to see if klipper
exists,
@@ -232,7 +238,7 @@ tmpdir() {
)"
SECURE_TMPDIR="$(mktemp -d "${TMPDIR:-/tmp}/$template")"
shred_tmpfile() {
- find "$SECURE_TMPDIR" -type f -exec $SHRED {} +
+ find "$SECURE_TMPDIR" -type f -exec "$SHRED" {} +
rm -rf "$SECURE_TMPDIR"
}
trap shred_tmpfile EXIT
@@ -342,14 +348,15 @@ cmd_init() {
rmdir -p "${gpg_id%/*}" 2>/dev/null
else
mkdir -v -p "$PREFIX/$id_path"
- printf "%s\n" "$@" > "$gpg_id"
- local id_print="$(printf "%s, " "$@")"
+ printf "%s\\n" "$@" > "$gpg_id"
+ local id_print;
+ id_print="$(printf "%s, " "$@")"
echo "Password store initialized for ${id_print%, }${id_path:+
($id_path)}"
git_add_file "$gpg_id" "Set GPG id to ${id_print%, }${id_path:+
($id_path)}."
if [[ -n $PASSWORD_STORE_SIGNING_KEY ]]; then
local signing_keys=( ) key
for key in $PASSWORD_STORE_SIGNING_KEY; do
- signing_keys+=( --default-key $key )
+ signing_keys+=( --default-key "$key" )
done
$GPG "${GPG_OPTS[@]}" "${signing_keys[@]}"
--detach-sign "$gpg_id" || die "Could not sign .gpg_id."
key="$($GPG --verify --status-fd=1 "$gpg_id.sig"
"$gpg_id" 2>/dev/null | sed -n 's/^\[GNUPG:\] VALIDSIG [A-F0-9]\{40\} .*
\([A-F0-9]\{40\}\)$/\1/p')"
@@ -385,7 +392,7 @@ cmd_show() {
echo "$pass" | $BASE64 -d
else
[[ $selected_line =~ ^[0-9]+$ ]] || die "Clip location
'$selected_line' is not a number."
- pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n
+${selected_line} | head -n 1)" || exit $?
+ pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n
+"${selected_line}" | head -n 1)" || exit $?
[[ -n $pass ]] || die "There is no password to put on
the clipboard at line ${selected_line}."
if [[ $clip -eq 1 ]]; then
clip "$pass" "$path"
@@ -410,7 +417,8 @@ cmd_show() {
cmd_find() {
[[ $# -eq 0 ]] && die "Usage: $PROGRAM $COMMAND pass-names..."
IFS="," eval 'echo "Search Terms: $*"'
- local terms="*$(printf '%s*|*' "$@")"
+ local terms;
+ terms="*$(printf '%s*|*' "$@")"
tree -C -l --noreport -P "${terms%|*}" --prune --matchdirs
--ignore-case "$PREFIX" | tail -n +2 | sed -E 's/\.gpg(\x1B\[[0-9]+m)?(
->|$)/\1\2/g'
}
@@ -425,7 +433,7 @@ cmd_grep() {
local passfile_dir="${passfile%/*}/"
[[ $passfile_dir == "${passfile}/" ]] && passfile_dir=""
passfile="${passfile##*/}"
- printf "\e[94m%s\e[1m%s\e[0m:\n" "$passfile_dir" "$passfile"
+ printf "\\e[94m%s\\e[1m%s\\e[0m:\\n" "$passfile_dir" "$passfile"
echo "$grepresults"
done < <(find -L "$PREFIX" -path '*/.git' -prune -o -iname '*.gpg'
-print0)
}
@@ -490,7 +498,8 @@ cmd_edit() {
set_git "$passfile"
tmpdir #Defines $SECURE_TMPDIR
- local tmp_file="$(mktemp -u "$SECURE_TMPDIR/XXXXXX")-${path//\//-}.txt"
+ local tmp_file;
+ tmp_file="$(mktemp -u "$SECURE_TMPDIR/XXXXXX")-${path//\//-}.txt"
local action="Add"
if [[ -f $passfile ]]; then
@@ -533,7 +542,7 @@ cmd_generate() {
[[ $inplace -eq 0 && $force -eq 0 && -e $passfile ]] && yesno "An entry
already exists for $path. Overwrite it?"
- read -r -n $length pass < <(LC_ALL=C tr -dc "$characters" <
/dev/urandom)
+ read -r -n "$length" pass < <(LC_ALL=C tr -dc "$characters" <
/dev/urandom)
[[ ${#pass} -eq $length ]] || die "Could not generate password from
/dev/urandom."
if [[ $inplace -eq 0 ]]; then
echo "$pass" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o
"$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
@@ -555,7 +564,7 @@ cmd_generate() {
elif [[ $qrcode -eq 1 ]]; then
qrcode "$pass" "$path"
else
- printf "\e[1mThe generated password for \e[4m%s\e[24m
is:\e[0m\n\e[1m\e[93m%s\e[0m\n" "$path" "$pass"
+ printf "\\e[1mThe generated password for \\e[4m%s\\e[24m
is:\\e[0m\\n\\e[1m\\e[93m%s\\e[0m\\n" "$path" "$pass"
fi
}
Sincerely,Chiraag -- ಚಿರಾಗ್ ನಟರಾಜ್ Graduate Student at Brown University Email: [email protected] Phone: 610-350-6329 Website: http://chiraag.nataraj.us On 18/05/19 17:22, Oliver Albertini wrote: > > > > I'm surprised that shellcheck didn't complain about lines 26, 58, 73, > > 96, 98, 141 (of the patch, don't know its correspondences with the code). > > > Most of those are inside `[[` tests, so they don't require quoting (word > splitting doesn't happen inside `[[`). The other case is a for loop, which > shellcheck doesn't warn about (in fact if you quote it, it will give > you warning > SC2066 <https://github.com/koalaman/shellcheck/wiki/SC2066>). It assumes > you will rely on word splitting to get a list of args. > > Chiraag, I'm a bit confused why the switch to using array notation for > `$PASSWORD_STORE_GPG_OPTS`. That's not going to be an array, but just a > string that can be set in the environment. Also, the quoting would pass the > users opts as one string, instead of separate strings to `gpg`. Consider > this example: > > $ var="-n foo" > $ echo $var > foo$ echo "$var" > -n foo > > We either want to not quote, or use something like `mapfile` or `read -a` > to put the opts into an array. I hesitate to use `mapfile` since that > wasn't around in bash 3, which is what ships in macOS these days (many are > using bash 5 now!). But `read -a` is a good alternative.
signature.asc
Description: PGP signature
_______________________________________________ Password-Store mailing list [email protected] https://lists.zx2c4.com/mailman/listinfo/password-store
