[pass] reencryption: only happens when required now

Jason A. Donenfeld Jason at zx2c4.com
Fri Apr 18 01:29:14 CEST 2014


Hey folks,

We've gained some optimizations for "pass init -e", "pass mv -e", and
"pass cp -e". We now only reencrypt passwords for files that are encrypted
with a different set of gpg ids than those specified in .gpg-id or
elsewhere.

Here's the commit:
http://git.zx2c4.com/password-store/commit/?id=ebd57647fa54721ec64aba47c79819ad270b3a63

The relevant part is:

# Runs inside the loop over password files: $passfile, $passfile_dir and
# $passfile_display come from the enclosing loop; set_gpg_recipients fills
# GPG_RECIPIENTS (ids from .gpg-id) and GPG_RECIPIENT_ARGS (the -r arguments).
set_gpg_recipients "$passfile_dir"
# Only re-query the keyring when the recipient list differs from the previous file's.
# (Uses $GPG rather than a bare gpg so the gpg2 binary selected by the script is honoured.)
[[ $prev_gpg_recipients != "${GPG_RECIPIENTS[@]}" ]] && \
	gpg_keys="$($GPG --list-keys --keyid-format long "${GPG_RECIPIENTS[@]}" | sed -n 's/sub *.*\/\([A-F0-9]\{16\}\) .*/\1/p' | sort | uniq)"
# Key ids the file is currently encrypted to: field 5 of the verbose
# "gpg: public key is XXXXXXXXXXXXXXXX" lines, sorted so the sets compare as strings.
current_keys="$($GPG -v --list-only --keyid-format long "$passfile" 2>&1 | cut -d ' ' -f 5 | sort | uniq)"
if [[ $gpg_keys != "$current_keys" ]]; then
	echo "$passfile_display: reencrypting to ${gpg_keys//$'\n'/ }"
	# Decrypt and re-encrypt into a temporary name, then atomically replace the original.
	$GPG -d $GPG_OPTS "$passfile" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile.new.$fake_uniqueness_safety" $GPG_OPTS && \
		mv "$passfile.new.$fake_uniqueness_safety" "$passfile"
fi
prev_gpg_recipients="${GPG_RECIPIENTS[@]}"


That's prettttttyyy ugly, and perhaps prone to breaking, so if you feel
motivated to test out this new code in a variety of settings, please do so.

Jason
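The "is this file already encrypted to the .gpg-id recipients?" decision above, as an added example that is neither pass's own code nor part of this post: it works on captured gpg output (all samples below are constructed) so the comparison can be exercised without a keyring, and it assumes the --list-only output is filtered to the "gpg: public key is" lines before field 5 is cut, which the posted snippet does not do.

```shell
# Added example, not pass's own code: the recipient-vs-current-key check
# factored into functions over captured gpg output. All gpg output below
# is constructed, so this runs without a keyring.

# Encryption-subkey ids from `gpg --list-keys --keyid-format long ID...`,
# using the same sed expression as pass, sorted and deduplicated.
wanted_keys() {
    sed -n 's/sub *.*\/\([A-F0-9]\{16\}\) .*/\1/p' | sort | uniq
}

# Key ids a file is encrypted to, from `gpg -v --list-only --keyid-format long
# FILE` stderr. Unlike pass, only "gpg: public key is X" lines are kept before
# taking field 5, so any other verbose line cannot pollute the comparison.
current_keys() {
    grep '^gpg: public key is ' | cut -d ' ' -f 5 | sort | uniq
}

# needs_reencrypt LIST_KEYS_OUTPUT LIST_ONLY_OUTPUT
# Exit 0 when the key sets differ (reencrypt), 1 when they already match.
needs_reencrypt() {
    wanted=$(printf '%s\n' "$1" | wanted_keys)
    current=$(printf '%s\n' "$2" | current_keys)
    [ "$wanted" != "$current" ]
}

# Constructed keyring listing for two .gpg-id recipients, one subkey each.
SAMPLE_LIST_KEYS="$(printf '%s\n' \
    'pub   2048R/0123456789ABCDEF 2014-04-18' \
    'uid                  Alice (constructed) <alice@example.com>' \
    'sub   2048R/FEDCBA9876543210 2014-04-18' \
    'pub   2048R/AAAABBBBCCCCDDDD 2014-04-18' \
    'uid                  Bob (constructed) <bob@example.com>' \
    'sub   2048R/1111222233334444 2014-04-18')"

# Constructed --list-only output: already encrypted to both subkeys (in the
# other order, which sort|uniq neutralises) plus an unrelated verbose line.
SAMPLE_FILE_BOTH="$(printf '%s\n' \
    'gpg: public key is 1111222233334444' \
    'gpg: public key is FEDCBA9876543210' \
    'gpg: armor header: Version: constructed')"

# Constructed --list-only output: encrypted to Alice's subkey only.
SAMPLE_FILE_ALICE="$(printf '%s\n' 'gpg: public key is FEDCBA9876543210')"

needs_reencrypt "$SAMPLE_LIST_KEYS" "$SAMPLE_FILE_BOTH" && echo "both.gpg: reencrypting"
needs_reencrypt "$SAMPLE_LIST_KEYS" "$SAMPLE_FILE_ALICE" && echo "alice.gpg: reencrypting"
```

Only the second line prints: the first file already matches the recipient set, so pass would skip it, while the Alice-only file would be rewritten to both subkeys.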