Improve key encryption/decryption using GPG key.

Decryption/Encryption works without these improvment, however, there
are needed in order to have clean key (without empty line).

Moreover, tests showed not doing cause troubles when changing the GPG key
used to encrypt a tomb key.
This commit is contained in:
Alexandre Pujol 2017-02-02 23:24:45 +00:00
parent 8f8dc0a0d4
commit 5a35ab9668

61
tomb
View File

@ -947,14 +947,24 @@ gpg_decrypt() {
# fix for gpg 1.4.11 where the --status-* options don't work ;^/ # fix for gpg 1.4.11 where the --status-* options don't work ;^/
local gpgver=$(gpg --version --no-permission-warning | awk '/^gpg/ {print $3}') local gpgver=$(gpg --version --no-permission-warning | awk '/^gpg/ {print $3}')
local gpgpass="$1\n$TOMBKEY" local gpgpass="$1\n$TOMBKEY"
local gpgstatus local tmpres ret
local tmpres typeset -a gpgopt
gpgpopt=(--passphrase-fd 0)
{ option_is_set -r } && {
local gpgkey=`option_value -r`
_verbose "using $gpgkey to decrypt a tomb key"
{ ! is_valid_recipients "$gpgkey" } && {
_failure "You set an invalid GPG ID."
}
gpgpass="$TOMBKEY"
gpgpopt=()
}
[[ $gpgver == "1.4.11" ]] && { [[ $gpgver == "1.4.11" ]] && {
_verbose "GnuPG is version 1.4.11 - adopting status fix." _verbose "GnuPG is version 1.4.11 - adopting status fix."
TOMBSECRET=`print - "$gpgpass" | \ TOMBSECRET=`print - "$gpgpass" | \
gpg --batch --passphrase-fd 0 --no-tty --no-options` gpg --batch ${gpgpopt[@]} --no-tty --no-options`
ret=$? ret=$?
unset gpgpass unset gpgpass
return $ret return $ret
@ -963,12 +973,10 @@ gpg_decrypt() {
_tmp_create _tmp_create
tmpres=$TOMBTMP tmpres=$TOMBTMP
TOMBSECRET=`print - "$gpgpass" | \ TOMBSECRET=`print - "$gpgpass" | \
gpg --batch --passphrase-fd 0 --no-tty --no-options \ gpg --batch ${gpgpopt[@]} --no-tty --no-options \
--status-fd 2 --no-mdc-warning --no-permission-warning \ --status-fd 2 --no-mdc-warning --no-permission-warning \
--no-secmem-warning 2> $tmpres` --no-secmem-warning 2> $tmpres`
unset gpgpass unset gpgpass
ret=1 ret=1
for i in ${(f)"$(cat $tmpres)"}; do for i in ${(f)"$(cat $tmpres)"}; do
_verbose "$i" _verbose "$i"
@ -1158,11 +1166,24 @@ gen_key() {
# -o is the --cipher-algo to use (string taken by GnuPG) # -o is the --cipher-algo to use (string taken by GnuPG)
local algopt="`option_value -o`" local algopt="`option_value -o`"
local algo="${algopt:-AES256}" local algo="${algopt:-AES256}"
local gpgpass opt
typeset -a gpgopt
# here user is prompted for key password # here user is prompted for key password
tombpass="" tombpass=""
tombpasstmp="" tombpasstmp=""
{ ! option_is_set -r } && { { option_is_set -r } && {
local gpgkey=`option_value -r`
_verbose "using $gpgkey to encrypt a tomb key"
{ is_valid_recipients "$gpgkey" } || {
_failure "You set an invalid GPG ID."
}
# Set gpg inputs and options
gpgpass="$TOMBSECRET"
gpgopt=(--encrypt --recipient "$gpgkey")
opt=''
} || {
if [ "$1" = "" ]; then if [ "$1" = "" ]; then
while true; do while true; do
# 3 tries to write two times a matching password # 3 tries to write two times a matching password
@ -1219,26 +1240,20 @@ gen_key() {
} }
} }
print $header print $header
# Set gpg inputs and options
gpgpass="${tombpass}\n$TOMBSECRET"
gpgopt=(--passphrase-fd 0 --symmetric)
opt='-n'
} }
_tmp_create _tmp_create
local tmpres=$TOMBTMP local tmpres=$TOMBTMP
print $opt - "$gpgpass" \
if option_is_set -r; then
local gpgkey="`option_value -r`"
{ is_valid_recipients "$gpgkey" } || {
_failure "You set an invalid GPG ID."
}
print -n - "${tombpass}\n$TOMBSECRET" \
| gpg --openpgp --force-mdc --cipher-algo ${algo} --batch \ | gpg --openpgp --force-mdc --cipher-algo ${algo} --batch \
--no-options --no-tty --recipient "$gpgkey" \ --no-options --no-tty ${gpgopt[@]} \
--status-fd 2 -o - --encrypt --armor 2> $tmpres --status-fd 2 -o - --armor 2> $tmpres
else unset gpgpass
print -n - "${tombpass}\n$TOMBSECRET" \
| gpg --openpgp --force-mdc --cipher-algo ${algo} --batch \
--no-options --no-tty --passphrase-fd 0 \
--status-fd 2 -o - --symmetric --armor 2> $tmpres
fi
# check result of gpg operation # check result of gpg operation
for i in ${(f)"$(cat $tmpres)"}; do for i in ${(f)"$(cat $tmpres)"}; do
_verbose "$i" _verbose "$i"