authorAlexandre Pujol <alexandre@pujol.io>2017-02-02 23:24:45 (GMT)
committer Alexandre Pujol <alexandre@pujol.io>2017-02-03 23:57:52 (GMT)
commit5a35ab9668e5613f731baaaf089a002ddd9f4db7 (patch)
tree3d8cc73ef7ea5fdd3491f8a46ed7aceeda449718
parent8f8dc0a0d4a088d77159d791d85e3cd8df434ec2 (diff)
Improve key encryption/decryption using GPG key.
Decryption/encryption works without these improvements; however, they are needed in order to have a clean key (without an empty line). Moreover, tests showed that not doing so causes trouble when changing the GPG key used to encrypt a tomb key.
-rwxr-xr-xtomb69
1 files changed, 42 insertions, 27 deletions
diff --git a/tomb b/tomb
index 52dd73c..da2c70b 100755
--- a/tomb
+++ b/tomb
@@ -947,14 +947,24 @@ gpg_decrypt() {
# fix for gpg 1.4.11 where the --status-* options don't work ;^/
local gpgver=$(gpg --version --no-permission-warning | awk '/^gpg/ {print $3}')
local gpgpass="$1\n$TOMBKEY"
- local gpgstatus
- local tmpres
-
+ local tmpres ret
+ typeset -a gpgopt
+ gpgpopt=(--passphrase-fd 0)
+
+ { option_is_set -r } && {
+ local gpgkey=`option_value -r`
+ _verbose "using $gpgkey to decrypt a tomb key"
+ { ! is_valid_recipients "$gpgkey" } && {
+ _failure "You set an invalid GPG ID."
+ }
+ gpgpass="$TOMBKEY"
+ gpgpopt=()
+ }
+
[[ $gpgver == "1.4.11" ]] && {
_verbose "GnuPG is version 1.4.11 - adopting status fix."
-
TOMBSECRET=`print - "$gpgpass" | \
- gpg --batch --passphrase-fd 0 --no-tty --no-options`
+ gpg --batch ${gpgpopt[@]} --no-tty --no-options`
ret=$?
unset gpgpass
return $ret
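Review bot: The array declared with `typeset -a gpgopt` is never the one that is used: the assignments `gpgpopt=(--passphrase-fd 0)` and `gpgpopt=()` and the expansion `${gpgpopt[@]}` in the gpg call (and again in the second hunk of this function) all spell the name with an extra `p`, so `gpgopt` stays empty and `gpgpopt` is created as an undeclared variable that outlives gpg_decrypt and also differs from the `gpgopt` name gen_key now uses. Either fix the declaration, `typeset -a gpgpopt`, or, for consistency with gen_key, change the three uses to `gpgopt`. The passphrase string is explicitly dropped with `unset gpgpass`, but the leaked options array is not, so a later caller that reads it would see stale state. The `-r` branch validity check is written as `{ ! is_valid_recipients "$gpgkey" } && { … }` while gen_key writes the same test as `{ is_valid_recipients "$gpgkey" } || { … }`; pick one form. gpg_decrypt's body continues beyond this hunk.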
@@ -963,12 +973,10 @@ gpg_decrypt() {
_tmp_create
tmpres=$TOMBTMP
TOMBSECRET=`print - "$gpgpass" | \
- gpg --batch --passphrase-fd 0 --no-tty --no-options \
+ gpg --batch ${gpgpopt[@]} --no-tty --no-options \
--status-fd 2 --no-mdc-warning --no-permission-warning \
--no-secmem-warning 2> $tmpres`
-
unset gpgpass
-
ret=1
for i in ${(f)"$(cat $tmpres)"}; do
_verbose "$i"
@@ -1158,11 +1166,24 @@ gen_key() {
# -o is the --cipher-algo to use (string taken by GnuPG)
local algopt="`option_value -o`"
local algo="${algopt:-AES256}"
+ local gpgpass opt
+ typeset -a gpgopt
# here user is prompted for key password
tombpass=""
tombpasstmp=""
- { ! option_is_set -r } && {
+ { option_is_set -r } && {
+ local gpgkey=`option_value -r`
+ _verbose "using $gpgkey to encrypt a tomb key"
+ { is_valid_recipients "$gpgkey" } || {
+ _failure "You set an invalid GPG ID."
+ }
+
+ # Set gpg inputs and options
+ gpgpass="$TOMBSECRET"
+ gpgopt=(--encrypt --recipient "$gpgkey")
+ opt=''
+ } || {
if [ "$1" = "" ]; then
while true; do
# 3 tries to write two times a matching password
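Review bot: The new `{ option_is_set -r } && { … } || { … }` is used as an if/else, but the `||` group also runs whenever the first group ends with a non-zero status; today its last statement is `opt=''`, so this cannot happen, yet any reordering (for example moving the `_verbose` call or the recipient check last) would silently fall through into the symmetric path with `gpgopt` already holding `--encrypt --recipient`. Writing it as `if option_is_set -r; then … else … fi` makes the intent explicit and matches the `if [ "$1" = "" ]` style already used inside the else branch. The `||` group opened here closes in a later hunk, so the else side is not visible in this hunk. Separately, `local gpgkey=\`option_value -r\`` masks option_value's exit status; prefer `local gpgkey; gpgkey=$(option_value -r)` so a failed lookup is not turned into an empty recipient that then reaches is_valid_recipients.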
@@ -1219,26 +1240,20 @@ gen_key() {
}
}
print $header
- }
- _tmp_create
- local tmpres=$TOMBTMP
+ # Set gpg inputs and options
+ gpgpass="${tombpass}\n$TOMBSECRET"
+ gpgopt=(--passphrase-fd 0 --symmetric)
+ opt='-n'
+ }
- if option_is_set -r; then
- local gpgkey="`option_value -r`"
- { is_valid_recipients "$gpgkey" } || {
- _failure "You set an invalid GPG ID."
- }
- print -n - "${tombpass}\n$TOMBSECRET" \
- | gpg --openpgp --force-mdc --cipher-algo ${algo} --batch \
- --no-options --no-tty --recipient "$gpgkey" \
- --status-fd 2 -o - --encrypt --armor 2> $tmpres
- else
- print -n - "${tombpass}\n$TOMBSECRET" \
- | gpg --openpgp --force-mdc --cipher-algo ${algo} --batch \
- --no-options --no-tty --passphrase-fd 0 \
- --status-fd 2 -o - --symmetric --armor 2> $tmpres
- fi
+ _tmp_create
+ local tmpres=$TOMBTMP
+ print $opt - "$gpgpass" \
+ | gpg --openpgp --force-mdc --cipher-algo ${algo} --batch \
+ --no-options --no-tty ${gpgopt[@]} \
+ --status-fd 2 -o - --armor 2> $tmpres
+ unset gpgpass
# check result of gpg operation
for i in ${(f)"$(cat $tmpres)"}; do
_verbose "$i"