Merge pull request #256 from roddhjav/gpg-options

Options for GnuPG Key - 2
This commit is contained in:
Jaromil 2017-04-16 11:55:26 +02:00 committed by GitHub
commit 3ffcc74e5b
3 changed files with 34 additions and 41 deletions

View File

@ -0,0 +1,8 @@
# ~/.gnupg/gpg.conf
# Description of options can be found here:
# http://www.gnupg.org/documentation/manuals/gnupg-devel/GPG-Options.html
# GPG Configuration Options
default-key 0B2235E660753AB0475FB3E23DC836481F44B31E
default-recipient-self

View File

@ -196,7 +196,7 @@ test-tomb-recip() {
test-tomb-recip-default() { test-tomb-recip-default() {
notice "wiping all default.tomb* in /tmp" notice "wiping all default.tomb* in /tmp"
rm -f /tmp/default.tomb /tmp/default.tomb.key rm -f /tmp/default.tomb /tmp/default.tomb.key /tmp/default.tmp
notice "Testing tomb with the default recipient" notice "Testing tomb with the default recipient"
res=0 res=0
@ -207,6 +207,8 @@ test-tomb-recip-default() {
tt lock /tmp/default.tomb -k /tmp/default.tomb.key \ tt lock /tmp/default.tomb -k /tmp/default.tomb.key \
--ignore-swap --unsafe -g --ignore-swap --unsafe -g
{ test $? = 0 } || { res=1 } { test $? = 0 } || { res=1 }
gpg -d --status-fd 2 /tmp/default.tomb.key 1> /dev/null 2> /tmp/default.tmp
[[ -z "$(grep 'Tomb Test 2' /tmp/default.tmp)" ]] && { res=1 }
{ test $res = 0 } && { results+=(recip-default SUCCESS) } { test $res = 0 } && { results+=(recip-default SUCCESS) }
} }
@ -236,7 +238,7 @@ test-tomb-shared() {
res=0 res=0
tt dig -s 20 /tmp/shared.tomb tt dig -s 20 /tmp/shared.tomb
{ test $? = 0 } || { res=1 } { test $? = 0 } || { res=1 }
tt forge /tmp/shared.tomb.key -g -r $gpgid_1,$gpgid_2 --shared \ tt forge /tmp/shared.tomb.key -g -r $gpgid_1,$gpgid_2 \
--ignore-swap --unsafe --use-urandom --ignore-swap --unsafe --use-urandom
{ test $? = 0 } || { res=1 } { test $? = 0 } || { res=1 }
tt lock /tmp/shared.tomb -k /tmp/shared.tomb.key \ tt lock /tmp/shared.tomb -k /tmp/shared.tomb.key \
@ -249,17 +251,17 @@ test-tomb-shared() {
{ test $res = 0 } && { results+=(shared SUCCESS) } { test $res = 0 } && { results+=(shared SUCCESS) }
notice "Testing changing recipients on a shared Tomb" notice "Testing changing recipients on a shared Tomb"
tt passwd -k /tmp/shared.tomb.key -g -r $gpgid_2,$gpgid_1 --shared tt passwd -k /tmp/shared.tomb.key -g -r $gpgid_2,$gpgid_1
{ test $? = 0 } && { results+=(shared-passwd SUCCESS) } { test $? = 0 } && { results+=(shared-passwd SUCCESS) }
notice "Testing setkey on a shared Tomb" notice "Testing setkey on a shared Tomb"
rm -f /tmp/new.shared.tomb.key rm -f /tmp/new.shared.tomb.key
res=0 res=0
tt forge /tmp/new.shared.tomb.key -g -r $gpgid_1,$gpgid_2 --shared\ tt forge /tmp/new.shared.tomb.key -g -r $gpgid_1,$gpgid_2 \
--ignore-swap --unsafe --use-urandom --ignore-swap --unsafe --use-urandom
{ test $? = 0 } || { res=1 } { test $? = 0 } || { res=1 }
tt setkey -k /tmp/new.shared.tomb.key /tmp/shared.tomb.key /tmp/shared.tomb \ tt setkey -k /tmp/new.shared.tomb.key /tmp/shared.tomb.key /tmp/shared.tomb \
-g -r $gpgid_2,$gpgid_1 --shared -g -r $gpgid_2,$gpgid_1
{ test $? = 0 } || { res=1 } { test $? = 0 } || { res=1 }
{ test $res = 0 } && { results+=(shared-setkey SUCCESS) } { test $res = 0 } && { results+=(shared-setkey SUCCESS) }
} }

53
tomb
View File

@ -655,7 +655,6 @@ usage() {
_print " -g use a GnuPG key to encrypt a tomb key" _print " -g use a GnuPG key to encrypt a tomb key"
_print " -r provide GnuPG recipients (separated by coma)" _print " -r provide GnuPG recipients (separated by coma)"
_print " -R provide GnuPG hidden recipients (separated by coma)" _print " -R provide GnuPG hidden recipients (separated by coma)"
_print " --shared active sharing feature"
[[ $KDF == 1 ]] && { [[ $KDF == 1 ]] && {
_print " --kdf forge keys armored against dictionary attacks" _print " --kdf forge keys armored against dictionary attacks"
} }
@ -944,12 +943,7 @@ _load_key() {
[[ -z $keyfile ]] && { [[ -z $keyfile ]] && {
_failure "This operation requires a key file to be specified using the -k option." } _failure "This operation requires a key file to be specified using the -k option." }
if option_is_set -g; then if [[ $keyfile == "-" ]]; then
_verbose "load_key key encrypted with a GnuPG Key"
_message "Key encrypted with a GnuPG Key"
TOMBKEYFILE=$keyfile
TOMBKEY="${mapfile[$TOMBKEYFILE]}"
elif [[ $keyfile == "-" ]]; then
_verbose "load_key reading from stdin." _verbose "load_key reading from stdin."
_message "Waiting for the key to be piped from stdin... " _message "Waiting for the key to be piped from stdin... "
TOMBKEYFILE=stdin TOMBKEYFILE=stdin
@ -996,7 +990,7 @@ gpg_decrypt() {
local gpgpass="$1\n$TOMBKEY" local gpgpass="$1\n$TOMBKEY"
local tmpres ret local tmpres ret
typeset -a gpgopt typeset -a gpgopt
gpgpopt=(--batch --no-tty --passphrase-fd 0) gpgpopt=(--batch --no-tty --passphrase-fd 0 --no-options)
{ option_is_set -g } && { { option_is_set -g } && {
gpgpass="$TOMBKEY" gpgpass="$TOMBKEY"
@ -1016,7 +1010,7 @@ gpg_decrypt() {
[[ $gpgver == "1.4.11" ]] && { [[ $gpgver == "1.4.11" ]] && {
_verbose "GnuPG is version 1.4.11 - adopting status fix." _verbose "GnuPG is version 1.4.11 - adopting status fix."
TOMBSECRET=`print - "$gpgpass" | \ TOMBSECRET=`print - "$gpgpass" | \
gpg --decrypt ${gpgpopt[@]} --no-options` gpg --decrypt ${gpgpopt[@]}`
ret=$? ret=$?
unset gpgpass unset gpgpass
return $ret return $ret
@ -1025,7 +1019,7 @@ gpg_decrypt() {
_tmp_create _tmp_create
tmpres=$TOMBTMP tmpres=$TOMBTMP
TOMBSECRET=`print - "$gpgpass" | \ TOMBSECRET=`print - "$gpgpass" | \
gpg --decrypt ${gpgpopt[@]} --no-options \ gpg --decrypt ${gpgpopt[@]} \
--status-fd 2 --no-mdc-warning --no-permission-warning \ --status-fd 2 --no-mdc-warning --no-permission-warning \
--no-secmem-warning 2> $tmpres` --no-secmem-warning 2> $tmpres`
unset gpgpass unset gpgpass
@ -1250,22 +1244,16 @@ gen_key() {
recipients_opt="--hidden-recipient" recipients_opt="--hidden-recipient"
} }
[ "${#recipients}" -gt 1 ] && { { is_valid_recipients $recipients } || {
if option_is_set --shared; then _failure "You set an invalid GPG ID."
_warning "You are going to encrypt a tomb key with ${#recipients} recipients." }
_warning "It is your responsibility to check the fingerprint of these recipients."
_warning "You are going to encrypt a tomb key with ${#recipients} recipient(s)."
_warning "It is your responsibility to check these fingerprints."
_warning "The fingerprints are:" _warning "The fingerprints are:"
for gpg_id in ${recipients[@]}; do for gpg_id in ${recipients[@]}; do
_warning " `_fingerprint "$gpg_id"`" _warning " `_fingerprint "$gpg_id"`"
done done
else
_failure "You need to use the option '--shared' to enable sharing support"
fi
}
{ is_valid_recipients $recipients } || {
_failure "You set an invalid GPG ID."
}
gpgopt+=(`_recipients_arg "$recipients_opt" $recipients`) gpgopt+=(`_recipients_arg "$recipients_opt" $recipients`)
} || { } || {
@ -1336,15 +1324,15 @@ gen_key() {
# Set gpg inputs and options # Set gpg inputs and options
gpgpass="${tombpass}\n$TOMBSECRET" gpgpass="${tombpass}\n$TOMBSECRET"
gpgopt=(--passphrase-fd 0 --symmetric) gpgopt=(--passphrase-fd 0 --symmetric --no-options)
opt='-n' opt='-n'
} }
_tmp_create _tmp_create
local tmpres=$TOMBTMP local tmpres=$TOMBTMP
print $opt - "$gpgpass" \ print $opt - "$gpgpass" \
| gpg --openpgp --force-mdc --cipher-algo ${algo} --batch \ | gpg --openpgp --force-mdc --cipher-algo ${algo} \
--no-options --no-tty ${gpgopt[@]} \ --batch --no-tty ${gpgopt[@]} \
--status-fd 2 -o - --armor 2> $tmpres --status-fd 2 -o - --armor 2> $tmpres
unset gpgpass unset gpgpass
# check result of gpg operation # check result of gpg operation
@ -1639,13 +1627,12 @@ dig_tomb() {
# Step two -- Create a detached key to lock a tomb with # Step two -- Create a detached key to lock a tomb with
# #
# Synopsis: forge_key [destkey|-k destkey] [-o cipher] [-r gpgid] [--shared] # Synopsis: forge_key [destkey|-k destkey] [-o cipher] [-r|-R gpgid]
# #
# Arguments: # Arguments:
# -k path to destination keyfile # -k path to destination keyfile
# -o Use an alternate algorithm # -o Use an alternate algorithm
# -r GPG recipients to be used # -r GPG recipients to be used
# --shared Activate sharing capability
# #
forge_key() { forge_key() {
# can be specified both as simple argument or using -k # can be specified both as simple argument or using -k
@ -1708,11 +1695,7 @@ forge_key() {
# Here the global variable TOMBSECRET contains the naked secret # Here the global variable TOMBSECRET contains the naked secret
{ option_is_set -g } && { { option_is_set -g } && {
{ option_is_set --shared } && { _success "Using GnuPG key(s) to encrypt your key: ::1 tomb key::" $TOMBKEYFILE
_success "Using GnuPG keys to encrypt and share your key: ::1 tomb key::" $TOMBKEYFILE
} || {
_success "Using the GnuPG key ::1:: to encrypt the key: ::2 tomb key::" `option_value -r` $TOMBKEYFILE
}
} || { } || {
_success "Choose the password of your key: ::1 tomb key::" $TOMBKEYFILE _success "Choose the password of your key: ::1 tomb key::" $TOMBKEYFILE
} }
@ -2769,13 +2752,13 @@ main() {
subcommands_opts[create]="" # deprecated, will issue warning subcommands_opts[create]="" # deprecated, will issue warning
# -o in forge and lock is used to pass an alternate cipher. # -o in forge and lock is used to pass an alternate cipher.
subcommands_opts[forge]="-ignore-swap k: -kdf: o: -tomb-pwd: -use-urandom r: R: -shared " subcommands_opts[forge]="-ignore-swap k: -kdf: o: -tomb-pwd: -use-urandom r: R: "
subcommands_opts[dig]="-ignore-swap s: -size=s " subcommands_opts[dig]="-ignore-swap s: -size=s "
subcommands_opts[lock]="-ignore-swap k: -kdf: o: -tomb-pwd: r: R: " subcommands_opts[lock]="-ignore-swap k: -kdf: o: -tomb-pwd: r: R: "
subcommands_opts[setkey]="k: -ignore-swap -kdf: -tomb-old-pwd: -tomb-pwd: r: R: -shared " subcommands_opts[setkey]="k: -ignore-swap -kdf: -tomb-old-pwd: -tomb-pwd: r: R: "
subcommands_opts[engrave]="k: " subcommands_opts[engrave]="k: "
subcommands_opts[passwd]="k: -ignore-swap -kdf: -tomb-old-pwd: -tomb-pwd: r: R: -shared " subcommands_opts[passwd]="k: -ignore-swap -kdf: -tomb-old-pwd: -tomb-pwd: r: R: "
subcommands_opts[close]="" subcommands_opts[close]=""
subcommands_opts[help]="" subcommands_opts[help]=""
subcommands_opts[slam]="" subcommands_opts[slam]=""