[PATCH] pass generates quite a few errors/warnings with shellcheck
ಚಿರಾಗ್ ನಟರಾಜ್
chiraag.nataraj at gmail.com
Sun May 19 16:42:18 CEST 2019
Here's a revised patch.
diff --git a/src/password-store.sh b/src/password-store.sh
index 284eabf..d6a341e 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -6,10 +6,11 @@
umask "${PASSWORD_STORE_UMASK:-077}"
set -o pipefail
-GPG_OPTS=( $PASSWORD_STORE_GPG_OPTS "--quiet" "--yes" "--compress-algo=none" "--no-encrypt-to" )
+read -r -a PASSWORD_STORE_GPG_OPTS_ARR <<< "$PASSWORD_STORE_GPG_OPTS"
+GPG_OPTS=( "${PASSWORD_STORE_GPG_OPTS_ARR[@]}" "--quiet" "--yes" "--compress-algo=none" "--no-encrypt-to" )
GPG="gpg"
export GPG_TTY="${GPG_TTY:-$(tty 2>/dev/null)}"
-which gpg2 &>/dev/null && GPG="gpg2"
+command -v gpg2 &>/dev/null && GPG="gpg2"
[[ -n $GPG_AGENT_INFO || $GPG == "gpg2" ]] && GPG_OPTS+=( "--batch" "--use-agent" )
PREFIX="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
@@ -58,7 +59,8 @@ die() {
verify_file() {
[[ -n $PASSWORD_STORE_SIGNING_KEY ]] || return 0
[[ -f $1.sig ]] || die "Signature for $1 does not exist."
- local fingerprints="$($GPG $PASSWORD_STORE_GPG_OPTS --verify --status-fd=1 "$1.sig" "$1" 2>/dev/null | sed -n 's/^\[GNUPG:\] VALIDSIG \([A-F0-9]\{40\}\) .* \([A-F0-9]\{40\}\)$/\1\n\2/p')"
+ local fingerprints;
+ fingerprints="$($GPG "${PASSWORD_STORE_GPG_OPTS_ARR[@]}" --verify --status-fd=1 "$1.sig" "$1" 2>/dev/null | sed -n 's/^\[GNUPG:\] VALIDSIG \([A-F0-9]\{40\}\) .* \([A-F0-9]\{40\}\)$/\1\n\2/p')"
local fingerprint found=0
for fingerprint in $PASSWORD_STORE_SIGNING_KEY; do
[[ $fingerprint =~ ^[A-F0-9]{40}$ ]] || continue
@@ -106,7 +108,8 @@ set_gpg_recipients() {
reencrypt_path() {
local prev_gpg_recipients="" gpg_keys="" current_keys="" index passfile
- local groups="$($GPG $PASSWORD_STORE_GPG_OPTS --list-config --with-colons | grep "^cfg:group:.*")"
+ local groups;
+ groups="$($GPG "${PASSWORD_STORE_GPG_OPTS_ARR[@]}" --list-config --with-colons | grep "^cfg:group:.*")"
while read -r -d "" passfile; do
[[ -L $passfile ]] && continue
local passfile_dir="${passfile%/*}"
@@ -119,14 +122,15 @@ reencrypt_path() {
set_gpg_recipients "$passfile_dir"
if [[ $prev_gpg_recipients != "${GPG_RECIPIENTS[*]}" ]]; then
for index in "${!GPG_RECIPIENTS[@]}"; do
- local group="$(sed -n "s/^cfg:group:$(sed 's/[\/&]/\\&/g' <<<"${GPG_RECIPIENTS[$index]}"):\\(.*\\)\$/\\1/p" <<<"$groups" | head -n 1)"
+ local group;
+ group="$(sed -n "s/^cfg:group:$(sed 's/[\/&]/\\&/g' <<<"${GPG_RECIPIENTS[$index]}"):\\(.*\\)\$/\\1/p" <<<"$groups" | head -n 1)"
[[ -z $group ]] && continue
IFS=";" eval 'GPG_RECIPIENTS+=( $group )' # http://unix.stackexchange.com/a/92190
unset "GPG_RECIPIENTS[$index]"
done
- gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/^sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)"
+ gpg_keys="$($GPG "${PASSWORD_STORE_GPG_OPTS_ARR[@]}" --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/^sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)"
fi
- current_keys="$(LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$passfile" 2>&1 | sed -n 's/^gpg: public key is \([A-F0-9]\+\)$/\1/p' | LC_ALL=C sort -u)"
+ current_keys="$(LC_ALL=C $GPG "${PASSWORD_STORE_GPG_OPTS_ARR[@]}" -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$passfile" 2>&1 | sed -n 's/^gpg: public key is \([A-F0-9]\+\)$/\1/p' | LC_ALL=C sort -u)"
if [[ $gpg_keys != "$current_keys" ]]; then
echo "$passfile_display: reencrypting to ${gpg_keys//$'\n'/ }"
@@ -173,11 +177,13 @@ clip() {
# variable. Specifically, it cannot store nulls nor (non-trivally) store
# trailing new lines.
pkill -f "^$sleep_argv0" 2>/dev/null && sleep 0.5
- local before="$("${paste_cmd[@]}" 2>/dev/null | $BASE64)"
+ local before;
+ before="$("${paste_cmd[@]}" 2>/dev/null | $BASE64)"
echo -n "$1" | "${copy_cmd[@]}" || die "Error: Could not copy data to the clipboard"
(
( exec -a "$sleep_argv0" bash <<<"trap 'kill %1' TERM; sleep '$CLIP_TIME' & wait" )
- local now="$("${paste_cmd[@]}" | $BASE64)"
+ local now;
+ now="$("${paste_cmd[@]}" | $BASE64)"
[[ $now != $(echo -n "$1" | $BASE64) ]] && before="$now"
# It might be nice to programatically check to see if klipper exists,
@@ -232,7 +238,7 @@ tmpdir() {
)"
SECURE_TMPDIR="$(mktemp -d "${TMPDIR:-/tmp}/$template")"
shred_tmpfile() {
- find "$SECURE_TMPDIR" -type f -exec $SHRED {} +
+ find "$SECURE_TMPDIR" -type f -exec "$SHRED" {} +
rm -rf "$SECURE_TMPDIR"
}
trap shred_tmpfile EXIT
@@ -342,14 +348,15 @@ cmd_init() {
rmdir -p "${gpg_id%/*}" 2>/dev/null
else
mkdir -v -p "$PREFIX/$id_path"
- printf "%s\n" "$@" > "$gpg_id"
- local id_print="$(printf "%s, " "$@")"
+ printf "%s\\n" "$@" > "$gpg_id"
+ local id_print;
+ id_print="$(printf "%s, " "$@")"
echo "Password store initialized for ${id_print%, }${id_path:+ ($id_path)}"
git_add_file "$gpg_id" "Set GPG id to ${id_print%, }${id_path:+ ($id_path)}."
if [[ -n $PASSWORD_STORE_SIGNING_KEY ]]; then
local signing_keys=( ) key
for key in $PASSWORD_STORE_SIGNING_KEY; do
- signing_keys+=( --default-key $key )
+ signing_keys+=( --default-key "$key" )
done
$GPG "${GPG_OPTS[@]}" "${signing_keys[@]}" --detach-sign "$gpg_id" || die "Could not sign .gpg_id."
key="$($GPG --verify --status-fd=1 "$gpg_id.sig" "$gpg_id" 2>/dev/null | sed -n 's/^\[GNUPG:\] VALIDSIG [A-F0-9]\{40\} .* \([A-F0-9]\{40\}\)$/\1/p')"
@@ -385,7 +392,7 @@ cmd_show() {
echo "$pass" | $BASE64 -d
else
[[ $selected_line =~ ^[0-9]+$ ]] || die "Clip location '$selected_line' is not a number."
- pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +${selected_line} | head -n 1)" || exit $?
+ pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +"${selected_line}" | head -n 1)" || exit $?
[[ -n $pass ]] || die "There is no password to put on the clipboard at line ${selected_line}."
if [[ $clip -eq 1 ]]; then
clip "$pass" "$path"
@@ -410,7 +417,8 @@ cmd_show() {
cmd_find() {
[[ $# -eq 0 ]] && die "Usage: $PROGRAM $COMMAND pass-names..."
IFS="," eval 'echo "Search Terms: $*"'
- local terms="*$(printf '%s*|*' "$@")"
+ local terms;
+ terms="*$(printf '%s*|*' "$@")"
tree -C -l --noreport -P "${terms%|*}" --prune --matchdirs --ignore-case "$PREFIX" | tail -n +2 | sed -E 's/\.gpg(\x1B\[[0-9]+m)?( ->|$)/\1\2/g'
}
@@ -425,7 +433,7 @@ cmd_grep() {
local passfile_dir="${passfile%/*}/"
[[ $passfile_dir == "${passfile}/" ]] && passfile_dir=""
passfile="${passfile##*/}"
- printf "\e[94m%s\e[1m%s\e[0m:\n" "$passfile_dir" "$passfile"
+ printf "\\e[94m%s\\e[1m%s\\e[0m:\\n" "$passfile_dir" "$passfile"
echo "$grepresults"
done < <(find -L "$PREFIX" -path '*/.git' -prune -o -iname '*.gpg' -print0)
}
@@ -490,7 +498,8 @@ cmd_edit() {
set_git "$passfile"
tmpdir #Defines $SECURE_TMPDIR
- local tmp_file="$(mktemp -u "$SECURE_TMPDIR/XXXXXX")-${path//\//-}.txt"
+ local tmp_file;
+ tmp_file="$(mktemp -u "$SECURE_TMPDIR/XXXXXX")-${path//\//-}.txt"
local action="Add"
if [[ -f $passfile ]]; then
@@ -533,7 +542,7 @@ cmd_generate() {
[[ $inplace -eq 0 && $force -eq 0 && -e $passfile ]] && yesno "An entry already exists for $path. Overwrite it?"
- read -r -n $length pass < <(LC_ALL=C tr -dc "$characters" < /dev/urandom)
+ read -r -n "$length" pass < <(LC_ALL=C tr -dc "$characters" < /dev/urandom)
[[ ${#pass} -eq $length ]] || die "Could not generate password from /dev/urandom."
if [[ $inplace -eq 0 ]]; then
echo "$pass" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
@@ -555,7 +564,7 @@ cmd_generate() {
elif [[ $qrcode -eq 1 ]]; then
qrcode "$pass" "$path"
else
- printf "\e[1mThe generated password for \e[4m%s\e[24m is:\e[0m\n\e[1m\e[93m%s\e[0m\n" "$path" "$pass"
+ printf "\\e[1mThe generated password for \\e[4m%s\\e[24m is:\\e[0m\\n\\e[1m\\e[93m%s\\e[0m\\n" "$path" "$pass"
fi
}
Sincerely,
Chiraag
--
ಚಿರಾಗ್ ನಟರಾಜ್
Graduate Student at Brown University
Email: chiraag.nataraj at gmail.com
Phone: 610-350-6329
Website: http://chiraag.nataraj.us
On 18/05/19 17:22, Oliver Albertini wrote:
> >
> > I'm surprised that shellcheck didn't complain about lines 26, 58, 73,
> > 96, 98, 141 (of the patch, don't know its correspondences with the code).
>
>
> Most of those are inside `[[` tests, so they don't require quoting (word
> splitting doesn't happen inside `[[`). The other case is a for loop, which
> shellcheck doesn't warn about (in fact if you quote it, it will give
> you warning
> SC2066 <https://github.com/koalaman/shellcheck/wiki/SC2066>). It assumes
> you will rely on word splitting to get a list of args.
>
> Chiraag, I'm a bit confused why the switch to using array notation for
> `$PASSWORD_STORE_GPG_OPTS`. That's not going to be an array, but just a
> string that can be set in the environment. Also, the quoting would pass the
> users opts as one string, instead of separate strings to `gpg`. Consider
> this example:
>
> $ var="-n foo"
> $ echo $var
> foo$ echo "$var"
> -n foo
>
> We either want to not quote, or use something like `mapfile` or `read -a`
> to put the opts into an array. I hesitate to use `mapfile` since that
> wasn't around in bash 3, which is what ships in macOS these days (many are
> using bash 5 now!). But `read -a` is a good alternative.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20190519/16100b12/attachment.asc>
More information about the Password-Store
mailing list