author | root <root@localhost> | 2013-02-14 00:00:00 +0000 |
---|---|---|
committer | root <root@localhost> | 2013-02-14 00:00:00 +0000 |
commit | d96f17b02d0690879538a836739153154682ff70 (patch) | |
tree | f986ba024cf45c07acd1f5beaa706101464f7c36 /git-remote-gcrypt | |
parent | 111217465157807848f95ac8f951bc6a3773c793 (diff) | |
download | git-remote-gcrypt-d96f17b02d0690879538a836739153154682ff70.tar.gz |
When decrypting or verifying the master key, check input type
We rely on gpg to exit with success, but we also check the status output
to verify that the expected action (decrypt with privkey or verify) was
performed.
Diffstat (limited to 'git-remote-gcrypt')
-rwxr-xr-x | git-remote-gcrypt | 45 |
1 files changed, 34 insertions, 11 deletions
diff --git a/git-remote-gcrypt b/git-remote-gcrypt
index dd5fff0..7f8df61 100755
--- a/git-remote-gcrypt
+++ b/git-remote-gcrypt
@@ -164,6 +164,14 @@ ENCRYPT()
 	--passphrase-fd 0 --output - -c /dev/fd/3) 3<&0
 }
 
+DECRYPT()
+{
+	(printf "%s" "$MASTERKEY" | \
+	gpg -q --batch --no-default-keyring --secret-keyring /dev/null \
+	--keyring /dev/null \
+	--passphrase-fd 0 --output - -d /dev/fd/3) 3<&0
+}
+
 CLEARSIGN()
 {
 	if [ "$CONF_SIGN_MANIFEST" = "true" ]
@@ -175,20 +183,28 @@ CLEARSIGN()
 	fi
 }
 
-CHECKSIGN()
+# Require both gpg success and status word $1
+gpg_check_status()
 {
-	gpg -q --batch --no-default-keyring \
+	local STATUS
+	local ARG
+	ARG=$1 ; shift;
+	STATUS=$(gpg --status-fd 3 "$@" 3>&1 1>&4) 4>&1 &&
+	printf "%s" "$STATUS" | grep "^\[GNUPG:\] $ARG " >/dev/null
+}
+
+VERIFYSIGN()
+{
+	gpg_check_status "GOODSIG" -q --batch --no-default-keyring \
 	--secret-keyring /dev/null --keyring "$CONF_KEYRING" -d
 }
 
-DECRYPT()
+PRIVDECRYPT()
 {
-	(printf "%s" "$MASTERKEY" | \
-	gpg -q --batch --no-default-keyring --secret-keyring /dev/null \
-	--keyring /dev/null \
-	--passphrase-fd 0 --output - -d /dev/fd/3) 3<&0
+	gpg_check_status "ENC_TO" -q -d
 }
 
+
 # Append $2 to $1 with a newline separator
 append()
 {
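Review bot: The redirection in `gpg_check_status` — `3>&1 1>&4` inside the `$(...)` and `4>&1` outside it — is the whole mechanism by which the status lines land in `$STATUS` while gpg's plaintext still reaches the caller's stdout, and it needs a comment such as `# fd3 (gpg status) is captured into STATUS; fd4 relays gpg's stdout past the substitution to our own stdout`. The strength of the check is bounded by the status word chosen: `GOODSIG` means a key present in `$CONF_KEYRING` produced a valid signature with no trust evaluation (acceptable given the explicit keyring), and `ENC_TO` is, as far as I recall, emitted for each public-key recipient packet gpg encounters, so together with gpg's exit status it establishes that the blob was addressed to a key and was decrypted, not by itself which mechanism produced the plaintext. Since `$ARG` is interpolated unescaped into the grep regex, a comment stating that callers must pass a literal status word would prevent future misuse. Minor style: `ARG=$1 ; shift;` has a stray trailing `;`, and `grep ... >/dev/null` can be `grep -q`.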
@@ -239,12 +255,19 @@ make_new_repo()
 
 get_masterkey()
 {
+	# The master key and its clearsigned versions are safe to keep
+	# as text in variables
+	local MASTERKEYDEC
 	TMPMASTERKEY_ENC="$LOCALDIR/masterenc.$$"
 	trap 'rm -f "$TMPMASTERKEY_ENC"' EXIT
 	GET "$URL" masterkey 2>/dev/null > "$TMPMASTERKEY_ENC" || return 0
+	MASTERKEYDEC=$(PRIVDECRYPT < "$TMPMASTERKEY_ENC") || {
+		echo_info "Decryption of master key failed!"
+		exit 1
+	}
 	echo_info "Verifying master key signature"
-	gpg -q -d < "$TMPMASTERKEY_ENC" | CHECKSIGN || {
-		echo_info "Opening of master key failed!"
+	printf "%s" "$MASTERKEYDEC" | VERIFYSIGN || {
+		echo_info "Failed to verify master key signature!"
 		echo_info "Using keyring $CONF_KEYRING"
 		if [ "$CONF_KEYRING" = "/dev/null" ] ; then
 			echo_info "Please configure gcrypt.keyring"
@@ -286,8 +309,8 @@ ensure_connected()
 	then
 		# Use gpg to verify and strip the signature
 		echo_info "Verifying manifest signature"
-		STRIPDATA="$(printf "%s" "$MANIFESTDATA" | CHECKSIGN || {
-			echo_info "WARNING: Failed to verify signature from $URL"
+		STRIPDATA="$(printf "%s" "$MANIFESTDATA" | VERIFYSIGN || {
+			echo_info "WARNING: Failed to verify manifest signature"
 			echo_info "WARNING: Using keyring $CONF_KEYRING"
 			if [ "$CONF_KEYRING" = "/dev/null" ] ; then
 				echo_info "WARNING: Please configure gcrypt.keyring"
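Review bot: The new `exit 1` on decryption failure is a fail-closed choice that deliberately differs from the `|| return 0` on the line above, and the reason belongs in a comment so the asymmetry is not later "fixed": `# No master key on the remote means a fresh repo; a master key we cannot decrypt must never be treated the same way.` That `exit` relies on the `trap ... EXIT` two lines earlier to remove `$TMPMASTERKEY_ENC`, which is worth naming in the same comment. The error text could also point at the likely cause, since `PRIVDECRYPT` appears to decrypt against the default secret keyring while the keyring hint is printed only in the signature branch, e.g. `echo_info "Decryption of master key failed (is the private key available?)"`. The `||` block at the end of the hunk and get_masterkey's body continue past the hunk.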