From 912a827570fd01d27c8d6bb8b8aaae8c455488b9 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 16 Sep 2013 15:45:10 -0400 Subject: set --trust-model=always when encrypting Otherwise gpg may prompt to verify if we want to encrypt to users who do not have a defined trust level. But, the participants setting explicitly listed them, so we know we want to encrypt to them. closes #3 --- git-remote-gcrypt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'git-remote-gcrypt') diff --git a/git-remote-gcrypt b/git-remote-gcrypt index bb19652..182c5cb 100755 --- a/git-remote-gcrypt +++ b/git-remote-gcrypt @@ -313,7 +313,7 @@ CLEAN_FINAL() ENCRYPT() { - gpg --batch --force-mdc --compress-algo none --passphrase-fd 3 -c 3< Date: Tue, 17 Sep 2013 15:30:25 -0400 Subject: add remote..gcrypt-signingkey config This is needed by git-annex assistant when it sets up a gcrypt repository, to ensure that the gpg key it was asked to use to encrypt the repo is the same key used to sign it. If it's not, pulling from the repo won't work, due to git-remote-gcrypt's "Only accepting signatories" check. The user may have a global user.signingkey setting (I do), but be setting up a different special-purpose key for encrypting their git repo. The git-annex assistant cannot mess with the global value, so needs this to override it. --- README.rst | 9 ++++++--- git-remote-gcrypt | 3 ++- 2 files changed, 8 insertions(+), 4 deletions(-) (limited to 'git-remote-gcrypt') diff --git a/README.rst b/README.rst index f177913..6fc4636 100644 --- a/README.rst +++ b/README.rst 
@@ -60,10 +60,13 @@ The following ``git-config(1)`` variables are supported: The ``gcrypt-participants`` setting on the remote takes precedence over the repository variable ``gcrypt.participants``. +``remote..gcrypt-signingkey`` + .. ``user.signingkey`` - (From regular git configuration) The key to use for signing. You - should set ``user.signingkey`` if your default signing key is not - part of the participant list. + (The latter from regular git configuration) The key to use for signing. + You should set ``user.signingkey`` if your default signing key is not + part of the participant list. You may use the per-remote version + to sign different remotes using different keys. Environment Variables ===================== diff --git a/git-remote-gcrypt b/git-remote-gcrypt index 182c5cb..bf75777 100755 --- a/git-remote-gcrypt +++ b/git-remote-gcrypt @@ -389,7 +389,8 @@ make_new_repo() read_config() { local recp_= r_keyinfo= cap_= conf_part= good_sig= signers_= - Conf_signkey=$(git config --path user.signingkey || :) + Conf_signkey=$(git config --get "remote.$NAME.gcrypt-signingkey" '.+' || + git config --path user.signingkey || :) conf_part=$(git config --get "remote.$NAME.gcrypt-participants" '.+' || git config --get gcrypt.participants '.+' || :) -- cgit v1.2.3 From 4f9883421653a8a3c5ebe3c8f7507af183af0b94 Mon Sep 17 00:00:00 2001 From: Justin Burnham Date: Wed, 18 Sep 2013 23:27:32 -0700 Subject: Better signature validation for subkeys. --- git-remote-gcrypt | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) (limited to 'git-remote-gcrypt') diff --git a/git-remote-gcrypt b/git-remote-gcrypt index bb19652..94e7d58 100755 --- a/git-remote-gcrypt +++ b/git-remote-gcrypt 
@@ -388,7 +388,7 @@ make_new_repo() # $1 return var for goodsig match, $2 return var for signers text read_config() { - local recp_= r_keyinfo= cap_= conf_part= good_sig= signers_= + local recp_= r_keyinfo= r_keyfpr= gpg_list= cap_= conf_part= good_sig= signers_= Conf_signkey=$(git config --path user.signingkey || :) conf_part=$(git config --get "remote.$NAME.gcrypt-participants" '.+' || git config --get gcrypt.participants '.+' || :) @@ -406,16 +406,21 @@ read_config() for recp_ in $conf_part do - filter_to @r_keyinfo "pub*" \ - "$(gpg --with-colons --fast-list -k "$recp_")" + gpg_list=$(gpg --with-colons --fast-list --fingerprint -k "$recp_") + filter_to @r_keyinfo "pub*" "$gpg_list" + filter_to @r_keyfpr "fpr*" "$gpg_list" isnull "$r_keyinfo" || isnonnull "${r_keyinfo##*"$Newline"*}" || echo_info "WARNING: '$recp_' matches multiple keys, using one" + isnull "$r_keyfpr" || isnonnull "${r_keyfpr##*"$Newline"*}" || + echo_info "WARNING: '$recp_' matches multiple fingerprints, using one" r_keyinfo=${r_keyinfo%%"$Newline"*} + r_keyfpr=${r_keyfpr%%"$Newline"*} keyid_=$(xfeed "$r_keyinfo" cut -f 5 -d :) + fprid_=$(xfeed "$r_keyfpr" cut -f 10 -d :) - isnonnull "$keyid_" && + isnonnull "$fprid_" && signers_="$signers_ $keyid_" && - append_to @good_sig "^\[GNUPG:\] GOODSIG $keyid_" || { + append_to @good_sig "^\[GNUPG:\] VALIDSIG .*$fprid_$" || { echo_info "WARNING: Skipping missing key $recp_" continue } -- cgit v1.2.3 From 83d519179f5611641802b5de2b5f3f155798f61a Mon Sep 17 00:00:00 2001 
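Review bot: Matching on `VALIDSIG` alone in `append_to @good_sig "^\[GNUPG:\] VALIDSIG .*$fprid_$"` only establishes that the signature is cryptographically valid for that primary-key fingerprint. Per GnuPG's status-line documentation, VALIDSIG is emitted alongside EXPKEYSIG and REVKEYSIG as well as GOODSIG, so a manifest signed by an expired or revoked participant key would still match, which the old `GOODSIG $keyid_` pattern did not allow. The code that greps the gpg status output with this pattern (`xfeed "$status_" grep -e "$1"`, outside this hunk) should additionally require a GOODSIG line, e.g. `xfeed "$status_" grep "^\[GNUPG:\] GOODSIG " >/dev/null &&`. Separately, `fprid_` is assigned in the loop but is not in the `local` list extended by the first hunk, so it leaks into the global scope. read_config continues beyond both hunks.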
From: Joey Hess Date: Thu, 19 Sep 2013 12:03:33 -0400 Subject: --check option to see if a repo exists and can be decrypted This is to allow programs to determine if a repo uses gcrypt, per #6. Since this program already knows the name of the manifest file and how to download it and decrypt it, it makes sense to do the check here rather than in, eg, git-annex. --- README.rst | 11 +++++++++++ git-remote-gcrypt | 33 +++++++++++++++++++++++++-------- 2 files changed, 36 insertions(+), 8 deletions(-) (limited to 'git-remote-gcrypt') diff --git a/README.rst b/README.rst index 6fc4636..3922376 100644 --- a/README.rst +++ b/README.rst @@ -173,6 +173,17 @@ Each item extends until newline, and matches one of the following: ``extn ...`` Extension field, preserved but unused. +Detecting gcrypt repos +====================== + +To detect if a git url is a gcrypt repo, use: git-remote-gcrypt --check url +Exit status if 0 if the repo exists and can be decrypted, 1 if the repo +uses gcrypt but could not be decrypted, and 100 if the repo does not +exist or could not be accessed. + +Note that this has to fetch the repo contents into the local git +repository, the same as is done when using a gcrypt repo. + See Also ======== diff --git a/git-remote-gcrypt b/git-remote-gcrypt index bf75777..67b0f67 100755 --- a/git-remote-gcrypt +++ b/git-remote-gcrypt @@ -779,14 +779,8 @@ cleanup_tmpfiles() rm -r -f -- "${Tempdir}" >&2 } -# handle git-remote-helpers protocol -gcrypt_main_loop() +setup() { - local input_= input_inner= r_args= temp_key= - - NAME=$1 # Remote name - URL=$2 # Remote URL - mkdir -p "$Localdir" # Set up a subdirectory in /tmp @@ -798,6 +792,17 @@ gcrypt_main_loop() trap 'exit 1' 1 2 3 15 echo_info "Development version -- Repository format MAY CHANGE" +} + +# handle git-remote-helpers protocol +gcrypt_main_loop() +{ + local input_= input_inner= r_args= temp_key= + + NAME=$1 # Remote name + URL=$2 # Remote URL + + setup while read input_ do 
@@ -849,4 +854,16 @@ gcrypt_main_loop() done } -gcrypt_main_loop "$@" +if [ "x$1" = x--check ] +then + NAME=dummy-gcrypt-check + URL=$2 + setup + ensure_connected + if iseq "$Did_find_repo" "no" + then + exit 100 + fi +else + gcrypt_main_loop "$@" +fi -- cgit v1.2.3 From b0174432a0a4842127560af87e1e0cc7b52581c0 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 26 Sep 2013 15:56:56 -0400 Subject: stop passing --fast-list For unknown reasons, it makes --list-keys sometimes not show fingerprints of certian keys. --- git-remote-gcrypt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'git-remote-gcrypt') diff --git a/git-remote-gcrypt b/git-remote-gcrypt index 87db2a1..22f19dd 100755 --- a/git-remote-gcrypt +++ b/git-remote-gcrypt @@ -407,7 +407,7 @@ read_config() for recp_ in $conf_part do - gpg_list=$(gpg --with-colons --fast-list --fingerprint -k "$recp_") + gpg_list=$(gpg --with-colons --fingerprint -k "$recp_") filter_to @r_keyinfo "pub*" "$gpg_list" filter_to @r_keyfpr "fpr*" "$gpg_list" isnull "$r_keyinfo" || isnonnull "${r_keyinfo##*"$Newline"*}" || -- cgit v1.2.3 From c826c392088ab12bedc1b549b58c7a7a91e2153c Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Fri, 27 Sep 2013 16:47:43 -0400 Subject: remove any git config for dummy-gcrypt-check remote The gcrypt-id is cached to there when running --check --- git-remote-gcrypt | 1 + 1 file changed, 1 insertion(+) (limited to 'git-remote-gcrypt') diff --git a/git-remote-gcrypt b/git-remote-gcrypt index 22f19dd..0a382e2 100755 --- a/git-remote-gcrypt +++ b/git-remote-gcrypt @@ -865,6 +865,7 @@ then URL=$2 setup ensure_connected + git remote remove $NAME 2>/dev/null || true if iseq "$Did_find_repo" "no" then exit 100 -- cgit v1.2.3 From 8b619df24a503fae088174824e9041d54caf011d Mon Sep 17 00:00:00 2001 
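Review bot: `URL=$2` in the new `--check` branch is taken without checking that a URL was supplied, so `git-remote-gcrypt --check` with no argument aborts on `set -u` (still enabled at this commit) or, once nounset is gone, proceeds with an empty URL. Neither outcome is distinguishable from the 0/1/100 statuses the README documents for callers. A guard before the assignment, such as `[ $# -ge 2 ] || { echo_info "usage: git-remote-gcrypt --check url"; exit 2; }`, gives that case its own status. The status-1 case appears to rely on `ensure_connected` failing under `set -e`, which is outside this hunk.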
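Review bot: The cleanup `git remote remove $NAME 2>/dev/null || true` is reached only when `ensure_connected` returns successfully. The script runs under `set -e`, so a failing `ensure_connected` exits before the `dummy-gcrypt-check` config is removed; whether the gcrypt-id has been cached by then is not visible in this hunk. Running the removal from a trap on EXIT would cover every exit path, and the expansion should be quoted: `git remote remove "$NAME" 2>/dev/null || true`. Discarding stderr also hides a cleanup that failed for a reason other than the remote not existing.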
From: Joey Hess Date: Thu, 15 May 2014 14:27:56 -0400 Subject: Fix to work when there is no controlling terminal, but GPG_AGENT_INFO is set. Pass --no-tty to gpg in this situation. This is needed to interoperate with the git-annex assistant, which often runs without a controlling terminal, and will in a new version always do so. Conflicts: debian/changelog --- git-remote-gcrypt | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) (limited to 'git-remote-gcrypt') diff --git a/git-remote-gcrypt b/git-remote-gcrypt index 0a382e2..8c1efa6 100755 --- a/git-remote-gcrypt +++ b/git-remote-gcrypt @@ -18,7 +18,6 @@ # See README.rst for usage instructions set -e # errexit -set -u # nounset set -f # noglob set -C # noclobber @@ -313,14 +312,14 @@ CLEAN_FINAL() ENCRYPT() { - gpg --batch --force-mdc --compress-algo none --trust-model=always --passphrase-fd 3 -c 3<&1 && - status_=$(gpg --status-fd 3 -q -d 3>&1 1>&4) && + status_=$(rungpg --status-fd 3 -q -d 3>&1 1>&4) && xfeed "$status_" grep "^\[GNUPG:\] ENC_TO " >/dev/null && (xfeed "$status_" grep -e "$1" >/dev/null || { echo_info "Failed to verify manifest signature!" && @@ -353,17 +352,29 @@ PRIVDECRYPT() # Generate $1 random bytes genkey() { - gpg --armor --gen-rand 1 "$1" + rungpg --armor --gen-rand 1 "$1" } gpg_hash() { local hash_= - hash_=$(gpg --with-colons --print-md "$1" | tr A-F a-f) + hash_=$(rungpg --with-colons --print-md "$1" | tr A-F a-f) hash_=${hash_#:*:} xecho "${hash_%:}" } +rungpg() +{ + # gpg will fail to run when there is no controlling tty, + # due to trying to print messages to it, even if a gpg agent is set + # up. --no-tty fixes this. + if [ "x$GPG_AGENT_INFO" != "x" ]; then + gpg --no-tty "$@" + else + gpg "$@" + fi +} + # Pass the branch/ref by pipe to git safe_git_rev_parse() { 
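Review bot: Dropping `set -u` in the `@@ -18,7 +18,6 @@` hunk removes the unset-variable guard from every expansion in the script just so that `rungpg` can test `$GPG_AGENT_INFO`. That includes destructive ones such as `rm -r -f -- "${Tempdir}"` in cleanup_tmpfiles. Keeping nounset and giving the one optional variable a default is narrower: `if [ "x${GPG_AGENT_INFO:-}" != "x" ]; then`. As far as I know GnuPG 2.1 and later no longer export GPG_AGENT_INFO, so on those versions the `--no-tty` branch would not be taken; a comment in `rungpg` should say which gpg versions the test is meant for.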
@@ -407,7 +418,7 @@ read_config() for recp_ in $conf_part do - gpg_list=$(gpg --with-colons --fingerprint -k "$recp_") + gpg_list=$(rungpg --with-colons --fingerprint -k "$recp_") filter_to @r_keyinfo "pub*" "$gpg_list" filter_to @r_keyfpr "fpr*" "$gpg_list" isnull "$r_keyinfo" || isnonnull "${r_keyinfo##*"$Newline"*}" || -- cgit v1.2.3 From 0ce768c4ddc4f28d18f0b00dd6798f19fd1f7f8e Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 19 May 2014 18:20:51 -0400 Subject: fix on OSX set -e causes the xecho to not run if the xgrep fails. At least with OSX's /bin/sh, which is: GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13) This didn't happen on Linux with: GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu) Possibly a bug in bash, or an OSX-specific bug. However, disabling set -e in the subshell seems a good idea anyway. fixes https://github.com/blake2-ppc/git-remote-gcrypt/issues/15 --- git-remote-gcrypt | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'git-remote-gcrypt') diff --git a/git-remote-gcrypt b/git-remote-gcrypt index 8c1efa6..2295111 100755 --- a/git-remote-gcrypt +++ b/git-remote-gcrypt @@ -176,8 +176,10 @@ update_tree() { local tab_=" " # $2 is a filename from the repo format - (git ls-tree "$1" | xgrep -v -E '\b'"$2"'$'; - xecho "100644 blob $3$tab_$2") | git mktree + (set +e; + git ls-tree "$1" | xgrep -v -E '\b'"$2"'$'; + xecho "100644 blob $3$tab_$2" + ) | git mktree } # Put giturl $1, file $2 -- cgit v1.2.3 From 5dcc77f507d497fe4023e94a47b6a7a1f1146bce Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 15 Jul 2014 17:16:32 -0400 Subject: added gcrypt.publish-participants configuration Fixes https://github.com/blake2-ppc/git-remote-gcrypt/issues/9 --- README.rst | 12 ++++++++++++ git-remote-gcrypt | 10 +++++++++- 2 files changed, 21 insertions(+), 1 deletion(-) (limited to 'git-remote-gcrypt') diff --git a/README.rst b/README.rst index fedd6b0..ba06259 100644 --- a/README.rst +++ b/README.rst 
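Review bot: The reason for `set +e` in update_tree is recorded only in the commit message, so the subshell needs a comment such as `# grep -v exits 1 when every line is filtered out; errexit must not skip the xecho below`. Disabling errexit for the whole subshell is also broader than needed; `git ls-tree "$1" | xgrep -v -E '\b'"$2"'$' || :` would limit the exemption to the one pipeline. In either form a failing `git ls-tree` goes undetected, and `git mktree` would then apparently build a tree holding only the new entry. xgrep is defined outside this hunk, so this assumes it wraps grep.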
@@ -60,6 +60,17 @@ The following ``git-config(1)`` variables are supported: The ``gcrypt-participants`` setting on the remote takes precedence over the repository variable ``gcrypt.participants``. +``remote..gcrypt-publish-participants`` + .. +``gcrypt.publish-participants`` + By default, the gpg key ids of the participants are obscured by + encrypting using `gpg -R`. Setting this option to `true` disables + that security measure. + + The problem with using `gpg -R` is that to decrypt, gpg tries each + available secret key in turn until it finds a usable key. + This can result in unncessary passphrase prompts. + ``remote..gcrypt-signingkey`` .. ``user.signingkey`` @@ -68,6 +79,7 @@ The following ``git-config(1)`` variables are supported: part of the participant list. You may use the per-remote version to sign different remotes using different keys. + Environment Variables ===================== diff --git a/git-remote-gcrypt b/git-remote-gcrypt index 2295111..8d68669 100755 --- a/git-remote-gcrypt +++ b/git-remote-gcrypt @@ -406,6 +406,8 @@ read_config() git config --path user.signingkey || :) conf_part=$(git config --get "remote.$NAME.gcrypt-participants" '.+' || git config --get gcrypt.participants '.+' || :) + Conf_pubish_participants=$(git config --get --bool "remote.$NAME.gcrypt-publish-participants" '.+' || + git config --get --bool gcrypt.publish-participants || :) # Figure out which keys we should encrypt to or accept signatures from if isnull "$conf_part" || iseq "$conf_part" simple @@ -440,7 +442,13 @@ read_config() } # Check 'E'ncrypt capability cap_=$(xfeed "$r_keyinfo" cut -f 12 -d :) - iseq "${cap_#*E}" "$cap_" || Recipients="$Recipients -R $keyid_" + if ! iseq "${cap_#*E}" "$cap_"; then + if [ "$Conf_pubish_participants" = true ]; then + Recipients="$Recipients -r $keyid_" + else + Recipients="$Recipients -R $keyid_" + fi + fi done if isnull "$Recipients" -- cgit v1.2.3
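Review bot: The new variable is spelled `Conf_pubish_participants` in both the read_config assignment and the `[ "$Conf_pubish_participants" = true ]` test. It works only because the typo is consistent, and should be `Conf_publish_participants` in both hunks. The per-remote lookup passes the `'.+'` value pattern while the `gcrypt.publish-participants` fallback does not, which is worth making uniform. Since this switch decides whether recipient key ids are hidden, the fail-safe default also deserves a comment, e.g. `# anything but an explicit "true" (unset, or a value git config --bool rejects) keeps key ids hidden with -R`. read_config extends beyond both hunks.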