Add GPG default key support for key encryption

If the option -r is not set, use the gpg default key to encrypt
a tomb key
This commit is contained in:
Alexandre Pujol 2017-03-03 20:36:50 +00:00
parent 0644ebe951
commit 6352a1d417
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
2 changed files with 44 additions and 22 deletions

View File

@ -59,7 +59,7 @@ typeset -A results
tests=(dig forge lock badpass open close passwd chksum bind setkey recip-dig
recip-forge recip-lock recip-open recip-close recip-passwd recip-resize
recip-setkey shared shared-passwd shared-setkey)
recip-setkey shared shared-passwd shared-setkey recip-default)
{ test $RESIZER = 1 } && { tests+=(resize) }
{ test $KDF = 1 } && { tests+=(kdforge kdfpass kdflock kdfopen) }
@ -193,6 +193,23 @@ test-tomb-recip() {
tt close recip
}
test-tomb-default() {
notice "wiping all default.tomb* in /tmp"
rm -f /tmp/default.tomb /tmp/default.tomb.key
notice "Testing tomb with the default recipient"
res=0
tt dig -s 20 /tmp/default.tomb
{ test $? = 0 } || { res=1 }
tt forge /tmp/default.tomb.key -g --ignore-swap --unsafe --use-urandom
{ test $? = 0 } || { res=1 }
tt lock /tmp/default.tomb -k /tmp/default.tomb.key \
--ignore-swap --unsafe -g
{ test $? = 0 } || { res=1 }
{ test $res = 0 } && { results+=(recip-default SUCCESS) }
}
test-tomb-shared() {
notice "wiping all shared.tomb* in /tmp"
@ -364,6 +381,7 @@ startloops=(`sudo losetup -a |cut -d: -f1`)
# isolated function (also called with source)
test-tomb-create
test-tomb-recip
test-tomb-default
test-tomb-shared
notice "Testing open with wrong password"

44
tomb
View File

@ -1236,32 +1236,36 @@ gen_key() {
tombpasstmp=""
{ option_is_set -g } && {
{ option_is_set -r } || {
_failure "A GPG recipient needs to be specified using -r."
}
gpgopt=(--encrypt)
typeset -a recipients
recipients=(${(s:,:)$(option_value -r)})
[ "${#recipients}" -gt 1 ] && {
if option_is_set --shared; then
_warning "You are going to encrypt a tomb key with ${#recipients} recipients."
_warning "It is your responsibility to check the fingerprint of these recipients."
_warning "The fingerprints are:"
for gpg_id in ${recipients[@]}; do
_warning " `_fingerprint "$gpg_id"`"
done
else
_failure "You need to use the option '--shared' to enable sharing support"
fi
}
{ option_is_set -r } && {
typeset -a recipients
recipients=(${(s:,:)$(option_value -r)})
[ "${#recipients}" -gt 1 ] && {
if option_is_set --shared; then
_warning "You are going to encrypt a tomb key with ${#recipients} recipients."
_warning "It is your responsibility to check the fingerprint of these recipients."
_warning "The fingerprints are:"
for gpg_id in ${recipients[@]}; do
_warning " `_fingerprint "$gpg_id"`"
done
else
_failure "You need to use the option '--shared' to enable sharing support"
fi
}
{ is_valid_recipients $recipients } || {
_failure "You set an invalid GPG ID."
{ is_valid_recipients $recipients } || {
_failure "You set an invalid GPG ID."
}
gpgopt+=(`_recipients_arg "--hidden-recipient" $recipients`)
} || {
_message "No recipient specified, using default GPG key."
gpgopt+=("--default-recipient-self")
}
# Set gpg inputs and options
gpgpass="$TOMBSECRET"
gpgopt=(--encrypt `_recipients_arg "--hidden-recipient" $recipients`)
opt=''
} || {
if [ "$1" = "" ]; then