[pass] [PATCH] Add support for signing passwords
Chris Perelstein
chris.perelstein at gmail.com
Sat Jan 18 01:45:19 CET 2014
As part of the init command, a signing id can be specified so that each
encrypted password file is also signed with that key. This could potentially be
useful if a remote repo is hosted on an untrusted server (VPS, BitBucket, etc.).
---
man/pass.1 | 9 ++++++---
src/password-store.sh | 39 +++++++++++++++++++++++++++++----------
2 files changed, 35 insertions(+), 13 deletions(-)
diff --git a/man/pass.1 b/man/pass.1
index efb5d9b..ce014af 100644
--- a/man/pass.1
+++ b/man/pass.1
@@ -51,12 +51,15 @@ password names in
.SH COMMANDS
.TP
-\fBinit\fP [ \fI--reencrypt\fP, \fI-e\fP ] \fIgpg-id\fP
+\fBinit\fP [ \fI--reencrypt\fP, \fI-e\fP ] \fIgpg-id\fP [ \fIsign-id\fP ]
Initialize new password storage and use
.I gpg-id
-for encryption. This command must be run first before a password store can be
+for encryption, optionally
+.I sign-id
+for signing. This command must be run first before a password store can be
used. If \fI--reencrypt\fP or \fI-e\fP is specified, reencrypt all existing
-passwords in the password store using \fIgpg-id\fP. Note that use of
+passwords in the password store using \fIgpg-id\fP and optionally sign with
+\fIsign-id\fP. Note that use of
.BR gpg-agent (1)
is recommended so that the batch decryption does not require as much user
intervention.
diff --git a/src/password-store.sh b/src/password-store.sh
index 2500253..b47343b 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -7,6 +7,7 @@ umask 077
PREFIX="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
ID="$PREFIX/.gpg-id"
+SIGN_ID="$PREFIX/.sign-id"
GIT_DIR="${PASSWORD_STORE_GIT:-$PREFIX}/.git"
GPG_OPTS="--quiet --yes --batch"
@@ -30,9 +31,10 @@ usage() {
cat <<_EOF
Usage:
- $program init [--reencrypt,-e] gpg-id
+ $program init [--reencrypt,-e] gpg-id [sign-id]
Initialize new password storage and use gpg-id for encryption.
Optionally reencrypt existing passwords using new gpg-id.
+ Optionally use sign-id for signing passwords.
$program [ls] [subfolder]
List passwords.
$program [show] [--clip,-c] pass-name
@@ -134,6 +136,12 @@ else
command="show"
fi
+if [[ -f $SIGN_ID ]]; then
+ sign_opts="-s -u $(head -n 1 "$SIGN_ID")"
+else
+ sign_opts=""
+fi
+
case "$command" in
init)
reencrypt=0
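Review bot: `sign_opts` built on the added `-s -u $(head -n 1 "$SIGN_ID")` line is expanded unquoted at every `gpg2` call site in this patch, so a first line of `.sign-id` containing spaces or glob characters (a user id such as `Alice <alice@example.org>`, which gpg accepts for `-u`) is word-split and the `-u` argument is corrupted. Keep the option list as a bash array, `sign_opts=(-s -u "$(head -n 1 "$SIGN_ID")")`, and expand it as `"${sign_opts[@]}"` wherever `$sign_opts` is used; the same applies to the assignment in the `init` branch. The script already relies on bash (`[[ ]]`), so the array costs nothing in portability.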
@@ -146,23 +154,34 @@ case "$command" in
--) shift; break ;;
esac done
- if [[ $# -ne 1 ]]; then
+ if [[ $# -ne 1 && $# -ne 2 ]]; then
echo "Usage: $program $command [--reencrypt,-e] gpg-id"
exit 1
fi
gpg_id="$1"
+ signing_id="$2"
mkdir -v -p "$PREFIX"
+
+ if [[ $signing_id != '' ]]; then
+ echo "$signing_id" > "$SIGN_ID"
+ git_add_file "$SIGN_ID" "Set GPG signing id to $signing_id."
+ sign_opts="-s -u $signing_id"
+ sign_msg=" and signing id $signing_id"
+ else
+ sign_msg=""
+ fi
+
echo "$gpg_id" > "$ID"
- echo "Password store initialized for $gpg_id."
+ echo "Password store initialized for $gpg_id$sign_msg."
git_add_file "$ID" "Set GPG id to $gpg_id."
if [[ $reencrypt -eq 1 ]]; then
find "$PREFIX/" -iname '*.gpg' | while read passfile; do
- gpg2 -d $GPG_OPTS "$passfile" | gpg2 -e -r "$gpg_id" -o
"$passfile.new" $GPG_OPTS &&
+ gpg2 -d $GPG_OPTS "$passfile" | gpg2 -e -r "$gpg_id" $sign_opts -o
"$passfile.new" $GPG_OPTS &&
mv -v "$passfile.new" "$passfile"
done
- git_add_file "$PREFIX" "Reencrypted entire store using new GPG id $gpg_id."
+ git_add_file "$PREFIX" "Reencrypted entire store using new GPG id
$gpg_id$sign_msg."
fi
exit 0
;;
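Review bot: A re-run of `init` with only a `gpg-id` leaves an existing `.sign-id` untouched, so `sign_opts` is still loaded from that file at the top of the script and the reencrypt loop at the end of this hunk keeps signing with the previous key; once enabled there is no way to turn signing off or to notice that it is still on. The `else` branch should remove or at least warn about a stale `$SIGN_ID`, e.g. `[[ -f $SIGN_ID ]] && rm -v "$SIGN_ID"`, and record that in git (how `git_add_file` treats a deleted path is not visible here). The usage message on the `exit 1` path is also stale now that a second argument is accepted: `echo "Usage: $program $command [--reencrypt,-e] gpg-id [sign-id]"`.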
@@ -257,7 +276,7 @@ case "$command" in
if [[ $multiline -eq 1 ]]; then
echo "Enter contents of $path and press Ctrl+D when finished:"
echo
- gpg2 -e -r "$ID" -o "$passfile" $GPG_OPTS
+ gpg2 -e -r "$ID" $sign_opts -o "$passfile" $GPG_OPTS
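Review bot: Signing on write gives no protection in the untrusted-server scenario from the commit message unless the read path rejects unsigned or badly signed data, and nothing in this patch touches decryption. If `show` still runs a plain `gpg2 -d $GPG_OPTS`, anyone holding the repository (and therefore `.gpg-id`) can replace a file with content encrypted to the same public key and no signature, and it decrypts without complaint. Either `show` should ask gpg for the signature status (for example via `--status-fd` and require a `GOODSIG`/`VALIDSIG` line from the key named in `.sign-id`) and refuse to print otherwise, or the man page should state plainly that signatures are created but not enforced. The `show` branch is outside this hunk.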
elif [[ $noecho -eq 1 ]]; then
while true; do
read -r -p "Enter password for $path: " -s password
@@ -265,7 +284,7 @@ case "$command" in
read -r -p "Retype password for $path: " -s password_again
echo
if [[ $password == "$password_again" ]]; then
- gpg2 -e -r "$ID" -o "$passfile" $GPG_OPTS <<<"$password"
+ gpg2 -e -r "$ID" $sign_opts -o "$passfile" $GPG_OPTS <<<"$password"
break
else
echo "Error: the entered passwords do not match."
@@ -273,7 +292,7 @@ case "$command" in
done
else
read -r -p "Enter password for $path: " -e password
- gpg2 -e -r "$ID" -o "$passfile" $GPG_OPTS <<<"$password"
+ gpg2 -e -r "$ID" $sign_opts -o "$passfile" $GPG_OPTS <<<"$password"
fi
git_add_file "$passfile" "Added given password for $path to store."
;;
@@ -299,7 +318,7 @@ case "$command" in
action="Edited"
fi
${EDITOR:-vi} "$tmp_file"
- while ! gpg2 -e -r "$ID" -o "$passfile" $GPG_OPTS "$tmp_file"; do
+ while ! gpg2 -e -r "$ID" $sign_opts -o "$passfile" $GPG_OPTS "$tmp_file"; do
echo "GPG encryption failed. Retrying."
sleep 1
done
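Review bot: With `$sign_opts` added to the command inside the `while !` loop, a signing failure (no secret key for the `-u` id, an expired or revoked key, a cancelled passphrase prompt) now retries forever once a second with the same message, whereas before the patch the realistic failure was only a missing public key. Validate the signing key once in `init` before writing `.sign-id`, e.g. `gpg2 $GPG_OPTS --list-secret-keys "$signing_id" >/dev/null || exit 1`, and make the message distinguish the cases: `echo "GPG encryption/signing failed. Retrying."`. The `edit` branch starts outside this hunk.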
@@ -337,7 +356,7 @@ case "$command" in
pass="$(pwgen -s $symbols $length 1)"
[[ -n $pass ]] || exit 1
- gpg2 -e -r "$ID" -o "$passfile" $GPG_OPTS <<<"$pass"
+ gpg2 -e -r "$ID" $sign_opts -o "$passfile" $GPG_OPTS <<<"$pass"
git_add_file "$passfile" "Added generated password for $path to store."
if [[ $clip -eq 0 ]]; then
--
1.8.4.5