[PATCH] Add support for QubesOS split-gpg

Sun, 01 Nov 2020 07:24:03 -0800 

Hello!

In this email I've attached git patches to add support for Qubes-OS
split GPG [1] in password-store. With these patches one can have
password store in AppVM and GPG keys in different VM (vault for
example). Then depending on configuration Qubes DOM0 would ask if
accessing GPG in vault is allowed and only when it is, then
password-store/GPG would be able to decrypt passwords.

Naturally I've tested this on my local machine (insert & show).
Setting up test for this was overly complicated, but the change is very
minimal, so I hope you will accept these patches as is.

[1] https://www.qubes-os.org/doc/split-gpg/
--
Aldis Berjoza
https://aldis.berjoza.lv

From e8f587965446013707923e969b8365b0328f0451 Mon Sep 17 00:00:00 2001
From: Aldis Berjoza <[email protected]>
Date: Fri, 23 Oct 2020 17:57:46 +0300
Subject: [PATCH 1/2] Added QubesOS split gpg support

---
 src/password-store.sh | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/password-store.sh b/src/password-store.sh
index 77f3eda..0f47eb5 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -7,9 +7,14 @@ umask "${PASSWORD_STORE_UMASK:-077}"
 set -o pipefail
 
 GPG_OPTS=( $PASSWORD_STORE_GPG_OPTS "--quiet" "--yes" "--compress-algo=none" "--no-encrypt-to" )
-GPG="gpg"
-export GPG_TTY="${GPG_TTY:-$(tty 2>/dev/null)}"
-which gpg2 &>/dev/null && GPG="gpg2"
+
+if [ "$QUBES_GPG_DOMAIN" != '' ] && which qubes-gpg-client-wrapper &> /dev/null; then
+    GPG="qubes-gpg-client-wrapper"
+else
+    GPG="gpg"
+    export GPG_TTY="${GPG_TTY:-$(tty 2>/dev/null)}"
+    which gpg2 &>/dev/null && GPG="gpg2"
+fi
 [[ -n $GPG_AGENT_INFO || $GPG == "gpg2" ]] && GPG_OPTS+=( "--batch" "--use-agent" )
 
 PREFIX="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
-- 
2.20.1


From 677730a4927646a31ad5afeaf0fd2ec669fb77c2 Mon Sep 17 00:00:00 2001
From: Aldis Berjoza <[email protected]>
Date: Fri, 23 Oct 2020 18:34:07 +0300
Subject: [PATCH 2/2] Make tests work on QubesOS even when splig-gpg is used

---
 tests/setup.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/setup.sh b/tests/setup.sh
index 5d1e794..4678a8d 100644
--- a/tests/setup.sh
+++ b/tests/setup.sh
@@ -22,6 +22,8 @@ unset PASSWORD_STORE_ENABLE_EXTENSIONS
 unset PASSWORD_STORE_EXTENSIONS_DIR
 unset PASSWORD_STORE_SIGNING_KEY
 unset EDITOR
+# use local GPG for tests even on Qubes-OS
+unset QUBES_GPG_DOMAIN
 
 # We must be called from tests/
 TEST_HOME="$(pwd)"
-- 
2.20.1

Attachment: signature.asc
Description: PGP signature

Reply via email to