On 07/01/2020 17.27, Kjetil Torgrim Homme wrote:
> My pass installation wanted to reencrypt all files every time since the
> list it made of encryption keys associated with public keys included
> invalid (expired, revoked) keys as well as those that should be used.
> I turned the logic from a sed expression to a function to make it more
> readable.
Actually, my checking for usable keys was inaccurate, but in my defense
so was the code I based the patch on, i.e. version 1.7.3.

Commit 5a52772156b44ef9785e91ab78ab2e1c3b1e510e changes the filtering by
validity to exclude "i" (invalid), "d" (disabled) and "r" (revoked).
The problem which motivated my patch was the status "e" for expired. My
patch takes the reverse approach and lists which values to allow rather
than which not to allow. I don't have a very strong opinion on which
approach is better; neither am I sure whether it is correct to include
keys which have unknown or undefined validity.

The inaccuracy alluded to in the introduction refers to field 12,
capability. It needs to check for D for disabled and accept capital E
for encryption.

The new patch uses [[ ]] instead of a sequence of case statements to
make the logic clearer. The patch is now relative to master.
--
Kjetil T. Homme
Redpill Linpro - Changing the Game
commit b037317f547e103b273e63a4d18025eac4a5c34f
Author: Kjetil Torgrim Homme <[email protected]>
Date: Wed Jan 8 18:13:06 2020 +0100
only use encryption keys which are valid and enabled
see https://github.com/gpg/gnupg/blob/master/doc/DETAILS#description-of-the-fields
old version would encrypt to expired keys (field 2) and disabled keys (field 12)
diff --git src/password-store.sh src/password-store.sh
index 77f3eda..eb2e038 100755
--- src/password-store.sh
+++ src/password-store.sh
@@ -105,6 +105,21 @@ set_gpg_recipients() {
done < "$current"
}
+# Take a list of public key ids and return valid encryption keys associated with them
+list_encryption_keys() {
+ $GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "$@" |
+ while IFS=: read f1_type f2_validity f3 f4 f5_keyid f6 f7 f8 f9 f10 f11 f12_capability fN
+ do
+ if [[ $f1_type == 'sub' && $f2_validity == [-qmfu] ]]; then
+ # validity is undefined, marginal, full or ultimate
+ if [[ $f12_capability != *D* && $f12_capability == *[eE]* ]]; then
+ # not disabled, usable for encryption
+ echo "$f5_keyid"
+ fi
+ fi
+ done | LC_ALL=C sort -u
+}
+
reencrypt_path() {
local prev_gpg_recipients="" gpg_keys="" current_keys="" index passfile
local groups="$($GPG $PASSWORD_STORE_GPG_OPTS --list-config --with-colons | grep "^cfg:group:.*")"
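Review bot: the `$f12_capability != *D*` test inside the `$f1_type == 'sub'` branch cannot exclude disabled keys, because per the DETAILS document linked in the commit message the uppercase usable-capability letters and the `D` flag are printed in field 12 of the primary (`pub`) record only, while `sub` records carry just the lowercase letters; so the commit message's "disabled keys (field 12)" is not delivered by this function. Suggest handling the `pub` record in the same loop, remembering whether it carried `D`, and skipping the `sub` records that follow it while it did, e.g. `if [[ $f1_type == 'pub' ]]; then [[ $f12_capability == *D* ]] && disabled=1 || disabled=0; fi` before the `sub` branch. Two smaller points: `read` should be `read -r` so a backslash in any field is not interpreted, and the comment "validity is undefined, marginal, full or ultimate" does not match the pattern `[-qmfu]`, which also admits `-` (unknown) while rejecting `n`, `o` and an empty field, the very cases the surrounding message says are uncertain.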
@@ -125,7 +140,7 @@ reencrypt_path() {
IFS=";" eval 'GPG_RECIPIENTS+=( $group )' # http://unix.stackexchange.com/a/92190
unset "GPG_RECIPIENTS[$index]"
done
- gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/^sub:[^idr:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)"
+ gpg_keys="$(list_encryption_keys "${GPG_RECIPIENTS[@]}")"
fi
current_keys="$(LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$passfile" 2>&1 | sed -n 's/^gpg: public key is \([A-F0-9]\+\)$/\1/p' | LC_ALL=C sort -u)"
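Review bot: the validities accepted by the replacement differ from the removed sed in more ways than the commit message states: the old `[^idr:]*` admitted `e`, `n`, `o` and an empty field, while `list_encryption_keys` keeps only `-`, `q`, `m`, `f` and `u`, so keys marked never-trust (`n`) or of unknown validity (`o`) are now dropped from `gpg_keys` too, not only expired ones. That is worth spelling out in the commit message, and worth checking against what `current_keys` on the next line (from `--decrypt --list-only`) reports for such a recipient, since the two lists are compared to decide whether the file is reencrypted.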
_______________________________________________
Password-Store mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/password-store
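Added example, not code from the message above or from password-store: a
filter over `gpg --list-keys --with-colons` records that selects usable
encryption subkeys by the same two fields the patch uses, validity (field 2)
and capabilities (field 12), but reads the `D` (disabled) flag from the
primary record, where the DETAILS document linked above says GnuPG prints it,
and skips that key's subkeys. The function names (usable_encryption_keys,
sample_keylist, demo_usable_keys) are hypothetical, and the key listing is
constructed for the example rather than captured from gpg; in real use the
filter is fed by `gpg --list-keys --with-colons "$@"`.

```bash
# Added example (hypothetical helper, not password-store's code).
# Reads `gpg --list-keys --with-colons` records on stdin and prints the
# long key ids of subkeys that are usable for encryption. Field numbering
# follows the DETAILS document: 1 record type, 2 validity, 5 key id,
# 12 capabilities. Unlike the patch, the disabled check is done on the
# `pub` record, which is where the uppercase letters and 'D' appear.
usable_encryption_keys() {
    disabled=0
    while IFS=: read -r f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 rest; do
        case $f1 in
        pub)
            # A disabled primary marks every subkey that follows as unusable.
            case $f12 in *D*) disabled=1 ;; *) disabled=0 ;; esac
            ;;
        sub)
            [ "$disabled" -eq 0 ] || continue
            # Validity: keep - (unknown), q (undefined), m, f, u; this drops
            # e (expired), r (revoked), i (invalid), n, o, d and empty.
            case $f2 in -|q|m|f|u) ;; *) continue ;; esac
            # A sub record's capabilities are lowercase; 'e' means encrypt.
            case $f12 in *e*) printf '%s\n' "$f5" ;; esac
            ;;
        esac
    done | LC_ALL=C sort -u
}

# Constructed sample listing (not real keys or real gpg output): one healthy
# key with a good, an expired, a revoked and a sign-only subkey; one key of
# marginal validity; one disabled key whose subkey must be skipped.
sample_keylist() {
    cat <<'EOF'
tru::1:1578500000:0:3:1:5
pub:u:4096:1:AAAA000000000001:1546300800:1893456000::u:::escaESCA::::::23::0:
uid:u::::1546300800::0000000000000000000000000000000000000001::Alice (constructed) <alice@example.invalid>::::::::::0:
sub:u:4096:1:B00B000000000002:1546300800:1893456000:::::e::::::23:
sub:e:4096:1:C00C000000000003:1546300800:1577836800:::::e::::::23:
sub:r:4096:1:D00D000000000004:1546300800:1893456000:::::e::::::23:
sub:u:4096:1:E00E000000000005:1546300800:1893456000:::::s::::::23:
pub:m:4096:1:FFFF000000000006:1546300800:1893456000::m:::escaESCA::::::23::0:
uid:m::::1546300800::0000000000000000000000000000000000000002::Bob (constructed) <bob@example.invalid>::::::::::0:
sub:m:4096:1:0A0A000000000007:1546300800:1893456000:::::e::::::23:
pub:f:4096:1:1111000000000008:1546300800:1893456000::f:::escaESCAD::::::23::0:
uid:f::::1546300800::0000000000000000000000000000000000000003::Carol (constructed, disabled) <carol@example.invalid>::::::::::0:
sub:f:4096:1:2222000000000009:1546300800:1893456000:::::e::::::23:
EOF
}

# Runs the filter over the sample; returns the sorted usable key ids.
demo_usable_keys() {
    sample_keylist | usable_encryption_keys
}

demo_usable_keys
```

The while loop runs in the pipeline's subshell, so the `disabled` state set
on a `pub` record carries over to the `sub` records that follow it, which is
all the primary-then-subkeys ordering of the listing requires. On the sample
above only the two subkeys B00B000000000002 and 0A0A000000000007 survive.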