[PATCH] Filter out expired signing keys
Kjetil Torgrim Homme
kjetil.homme at redpill-linpro.com
Tue Jan 7 17:27:33 CET 2020
My pass installation wanted to reencrypt all files every time, because the
list it built of encryption keys associated with the recipients' public keys
included invalid (expired, revoked) keys alongside the ones that should be used.
I turned the logic from a sed expression to a function to make it more
readable.
diff --git bin/pass bin/pass
index b17ec580e..6bf21d6a9 100755
--- bin/pass
+++ bin/pass
@@ -108,6 +108,24 @@ set_gpg_recipients() {
done < "$current"
}
+# Take a list of public key ids and return valid encryption keys
associated with them
+list_encryption_keys() {
+ $GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "$@" |
+ while IFS=: read f1_type f2_validity f3 f4 f5_keyid f6 f7 f8 f9 f10
f11 f12_capability
+ do
+ [[ $f1_type = 'sub' ]] || continue
+ case $f2_validity in
+ [-qmfu])
+ : ;; # undefined, marginal, full, ultimate validity
+ *)
+ continue ;; # expired, invalid, disabled, etc.
+ esac
+ case $f12_capability in
+ *e*) echo "$f5_keyid" ;; # usable for encryption
+ esac
+ done | LC_ALL=C sort -u
+}
+
reencrypt_path() {
local prev_gpg_recipients="" gpg_keys="" current_keys="" index passfile
local groups="$($GPG $PASSWORD_STORE_GPG_OPTS --list-config
--with-colons | grep "^cfg:group:.*")"
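Review bot: The `read` in the `while` header (the wrapped line after `--list-keys --with-colons "$@" |`) leaves `f12_capability` holding field 12 and everything after it, because the last name in a `read` list receives the remainder of the line; on gpg versions that emit further colon fields on `sub` records (for example a curve name such as `ed25519`), the `*e*` pattern then matches a signing-only subkey that the old sed expression, anchored on field 12, excluded. Adding a sink variable restores the anchoring, and `-r` keeps backslash sequences in the gpg output literal: `while IFS=: read -r f1_type f2_validity f3 f4 f5_keyid f6 f7 f8 f9 f10 f11 f12_capability _`. Without it the effect is an unusable key in `gpg_keys`, so `pass` either fails to encrypt or keeps seeing a mismatch against `current_keys` and reencrypts on every run, the symptom this patch sets out to remove. Note also that the function's exit status is that of `sort -u`, so a gpg failure produces an empty list rather than an error unless the script runs with `pipefail`; that matches the inline pipeline it replaces, but is worth a comment on the function.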
@@ -127,7 +145,7 @@ reencrypt_path() {
IFS=";" eval 'GPG_RECIPIENTS+=( $group )' #
http://unix.stackexchange.com/a/92190
unset "GPG_RECIPIENTS[$index]"
done
- gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons
"${GPG_RECIPIENTS[@]}" | sed -n
's/^sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p'
| LC_ALL=C sort -u)"
+ gpg_keys="$(list_encryption_keys "${GPG_RECIPIENTS[@]}")"
fi
current_keys="$(LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v
--no-secmem-warning --no-permission-warning --decrypt --list-only
--keyid-format long "$passfile" 2>&1 | sed -n 's/^gpg: public key is
\([A-F0-9]\+\)$/\1/p' | LC_ALL=C sort -u)"
--
Kjetil T. Homme
Redpill Linpro - Changing the Game