My pass installation wanted to re-encrypt every file on each run, because the
list of encryption subkeys it derived from the recipients' public keys included
invalid (expired, revoked) subkeys as well as the ones that should actually be
used, so it never matched the set of keys a file was already encrypted to.
I turned the logic from a sed expression into a shell function to make it more
readable.
diff --git bin/pass bin/pass
index b17ec580e..6bf21d6a9 100755
--- bin/pass
+++ bin/pass
@@ -108,6 +108,24 @@ set_gpg_recipients() {
done < "$current"
}
+# Take a list of public key ids and return valid encryption keys
associated with them
+list_encryption_keys() {
+ $GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "$@" |
+ while IFS=: read f1_type f2_validity f3 f4 f5_keyid f6 f7 f8 f9 f10
f11 f12_capability
+ do
+ [[ $f1_type = 'sub' ]] || continue
+ case $f2_validity in
+ [-qmfu])
+ : ;; # undefined, marginal, full, ultimate
validity
+ *)
+ continue ;; # expired, invalid, disabled, etc.
+ esac
+ case $f12_capability in
+ *e*) echo "$f5_keyid" ;; # usable for encryption
+ esac
+ done | LC_ALL=C sort -u
+}
+
reencrypt_path() {
local prev_gpg_recipients="" gpg_keys="" current_keys="" index passfile
local groups="$($GPG $PASSWORD_STORE_GPG_OPTS --list-config
--with-colons | grep "^cfg:group:.*")"
@@ -127,7 +145,7 @@ reencrypt_path() {
IFS=";" eval 'GPG_RECIPIENTS+=( $group )' #
http://unix.stackexchange.com/a/92190
unset "GPG_RECIPIENTS[$index]"
done
- gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons
"${GPG_RECIPIENTS[@]}" | sed -n
's/^sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p'
| LC_ALL=C sort -u)"
+ gpg_keys="$(list_encryption_keys
"${GPG_RECIPIENTS[@]}")"
fi
current_keys="$(LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v
--no-secmem-warning --no-permission-warning --decrypt --list-only
--keyid-format long "$passfile" 2>&1 | sed -n 's/^gpg: public key is
\([A-F0-9]\+\)$/\1/p' | LC_ALL=C sort -u)"
--
Kjetil T. Homme
Redpill Linpro - Changing the Game
diff --git bin/pass bin/pass
index b17ec580e..6bf21d6a9 100755
--- bin/pass
+++ bin/pass
@@ -108,6 +108,24 @@ set_gpg_recipients() {
done < "$current"
}
+# Take a list of public key ids and return valid encryption keys associated with them
+list_encryption_keys() {
+ $GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "$@" |
+ while IFS=: read f1_type f2_validity f3 f4 f5_keyid f6 f7 f8 f9 f10 f11 f12_capability
+ do
+ [[ $f1_type = 'sub' ]] || continue
+ case $f2_validity in
+ [-qmfu])
+ : ;; # undefined, marginal, full, ultimate validity
+ *)
+ continue ;; # expired, invalid, disabled, etc.
+ esac
+ case $f12_capability in
+ *e*) echo "$f5_keyid" ;; # usable for encryption
+ esac
+ done | LC_ALL=C sort -u
+}
+
reencrypt_path() {
local prev_gpg_recipients="" gpg_keys="" current_keys="" index passfile
local groups="$($GPG $PASSWORD_STORE_GPG_OPTS --list-config --with-colons | grep "^cfg:group:.*")"
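Review bot: `read` assigns everything after the twelfth colon to `f12_capability`, so on the `sub` record of a non-encryption subkey the later colon fields (gpg's curve-name field, for example, is `ed25519` for an Ed25519 signing subkey) can carry a literal `e` and the `*e*` pattern would then list that subkey as an encryption key; the sed expression being replaced anchored field 12 between two colons and did not have this problem. Add a sink variable so the last named variable holds exactly field 12, and read raw so a stray backslash cannot join two records: `while IFS=: read -r f1_type f2_validity f3 f4 f5_keyid f6 f7 f8 f9 f10 f11 f12_capability _rest`. The `[-qmfu]` whitelist matches gpg's documented validity letters, but a comment naming the rejected ones, `# rejects o (new), i (invalid), d (disabled), r (revoked), e (expired), n (never), w, s`, would spare the next reader a trip to doc/DETAILS. The same hunk appears earlier in the mail in line-wrapped form; the remarks apply to both copies.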
@@ -127,7 +145,7 @@ reencrypt_path() {
IFS=";" eval 'GPG_RECIPIENTS+=( $group )' # http://unix.stackexchange.com/a/92190
unset "GPG_RECIPIENTS[$index]"
done
- gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/^sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)"
+ gpg_keys="$(list_encryption_keys "${GPG_RECIPIENTS[@]}")"
fi
current_keys="$(LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$passfile" 2>&1 | sed -n 's/^gpg: public key is \([A-F0-9]\+\)$/\1/p' | LC_ALL=C sort -u)"
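Review bot: With the filtered list, `gpg_keys` can now be empty when every encryption subkey of the recipients is expired or revoked, and the comparison against `current_keys` that follows (outside this hunk) would then treat each file as needing re-encryption to a recipient set with no usable key instead of reporting the actual problem. A guard directly after the new assignment would fail loudly, e.g. `[[ -n $gpg_keys ]] || { printf 'No usable encryption keys for: %s\n' "${GPG_RECIPIENTS[*]}" >&2; return 1; }`, using whatever error helper the script already has. reencrypt_path continues past the end of the hunk, so confirm how its caller handles a non-zero return before adding it.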