[PATCH] Filter out expired signing keys
Kjetil Torgrim Homme
kjetil.homme at redpill-linpro.com
Wed Jan 8 18:19:45 CET 2020
On 07/01/2020 17.27, Kjetil Torgrim Homme wrote:
> My pass installation wanted to reencrypt all files every time since the
> list it made of encryption keys associated with public keys included
> invalid (expired, revoked) keys as well as those that should be used.
>
> I turned the logic from a sed expression to a function to make it more
> readable.
Actually my checking for usable keys was inaccurate - but in my defense
so was the code I based the patch on, i.e. version 1.7.3.

Commit 5a52772156b44ef9785e91ab78ab2e1c3b1e510e changes the filtering by
validity to exclude "i" (invalid), "d" (disabled) and "r" (revoked).
The problem which motivated my patch was the status "e" for expired. My
patch takes the reverse approach and lists what values to allow rather
than what not to allow. I don't have a very strong opinion on which
approach is better. Neither am I sure if it is correct to include keys
which have unknown or undefined validity.

The inaccuracy alluded to in the introduction refers to field 12,
capability. It needs to check for D for disabled and accept capital E
for encryption.

The new patch uses [[ ]] instead of a sequence of case statements to
make the logic clearer. The patch is now relative to master.
commit b037317f547e103b273e63a4d18025eac4a5c34f
Author: Kjetil Torgrim Homme <kjetil.homme at redpill-linpro.com>
Date: Wed Jan 8 18:13:06 2020 +0100
only use encryption keys which are valid and enabled
see
https://github.com/gpg/gnupg/blob/master/doc/DETAILS#description-of-the-fields
old version would encrypt to expired keys (field 2) and disabled
keys (field 12)
diff --git src/password-store.sh src/password-store.sh
index 77f3eda..eb2e038 100755
--- src/password-store.sh
+++ src/password-store.sh
@@ -105,6 +105,21 @@ set_gpg_recipients() {
done < "$current"
}
+# Take a list of public key ids and return valid encryption keys
associated with them
+list_encryption_keys() {
+ $GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "$@" |
+ while IFS=: read f1_type f2_validity f3 f4 f5_keyid f6 f7 f8 f9 f10
f11 f12_capability fN
+ do
+ if [[ $f1_type == 'sub' && $f2_validity == [-qmfu] ]]; then
+ # validity is undefined, marginal, full or ultimate
+ if [[ $f12_capability != *D* && $f12_capability == *[eE]* ]]; then
+ # not disabled, usable for encryption
+ echo "$f5_keyid"
+ fi
+ fi
+ done | LC_ALL=C sort -u
+}
+
reencrypt_path() {
local prev_gpg_recipients="" gpg_keys="" current_keys="" index passfile
local groups="$($GPG $PASSWORD_STORE_GPG_OPTS --list-config
--with-colons | grep "^cfg:group:.*")"
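Review bot: the `$f12_capability != *D*` test only ever runs on `sub` records; check the linked DETAILS document for whether the disabled marker is printed on subkey records or only on the primary `pub` record, because in the latter case this test never fires and the disabled state needs to be carried over from the preceding `pub` line (for example, set a flag when `$f1_type == 'pub'` and its field 12 contains `D`, and skip subkeys while that flag is set). The comment `# validity is undefined, marginal, full or ultimate` would also read better if it named `-` and `q` explicitly, since the mail itself says including unknown/undefined validity is a deliberate but unsure choice and a reader of the code alone cannot tell that.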
@@ -125,7 +140,7 @@ reencrypt_path() {
IFS=";" eval 'GPG_RECIPIENTS+=( $group )' #
http://unix.stackexchange.com/a/92190
unset "GPG_RECIPIENTS[$index]"
done
- gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons
"${GPG_RECIPIENTS[@]}" | sed -n
's/^sub:[^idr:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p'
| LC_ALL=C sort -u)"
+ gpg_keys="$(list_encryption_keys "${GPG_RECIPIENTS[@]}")"
fi
current_keys="$(LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v
--no-secmem-warning --no-permission-warning --decrypt --list-only
--keyid-format long "$passfile" 2>&1 | sed -n 's/^gpg: public key is
\([A-F0-9]\+\)$/\1/p' | LC_ALL=C sort -u)"
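Review bot: the comparison against `current_keys` a few lines down only works if `list_encryption_keys` emits key ids in the same form as the `--keyid-format long` ids parsed out of the `public key is` lines; the removed inline regex sat right next to that code and made the pairing visible, whereas the function call does not, so a one-line comment at the call site (or in the function's header comment) saying that field 5 of the `sub` records is what gets compared with those long key ids would keep the two halves from drifting apart in later edits.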
--
Kjetil T. Homme
Redpill Linpro - Changing the Game
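The filter from the patch, as an added example that is not part of the mail or of password-store: it applies the same field 2 / field 12 checks to constructed `--with-colons` records read from stdin instead of calling gpg, so the expired, revoked, sign-only and disabled cases can be exercised offline. It additionally carries a `D` seen on the `pub` record over to that key's subkeys, which is an assumption about where gpg prints the disabled marker, not something the mail establishes.

```shell
#!/bin/sh
# Added example, not part of the patch: the same validity/capability
# filter applied to records read from stdin so it can run without gpg.
# Assumption: "D" (disabled) may be printed on the pub record rather than
# on each sub record, so the pub record's state is carried to its subkeys.
filter_encryption_keys() {
    disabled=0
    while IFS=: read -r f1_type f2_validity f3 f4 f5_keyid f6 f7 f8 f9 f10 f11 f12_capability fN; do
        case $f1_type in
        pub)
            # new primary key: remember whether it is disabled
            case $f12_capability in *D*) disabled=1 ;; *) disabled=0 ;; esac
            ;;
        sub)
            # validity must be unknown, undefined, marginal, full or ultimate
            case $f2_validity in -|q|m|f|u) ;; *) continue ;; esac
            # primary or subkey disabled: skip
            [ "$disabled" -eq 0 ] || continue
            case $f12_capability in *D*) continue ;; esac
            # capability must include encryption
            case $f12_capability in *e*|*E*) echo "$f5_keyid" ;; esac
            ;;
        esac
    done | LC_ALL=C sort -u
}

# Constructed records (not real keys): one key with a valid encrypting
# subkey, an expired one, a revoked one and a sign-only one; a disabled
# key; and a key of undefined validity.
sample_records() {
    cat <<'EOF'
pub:u:4096:1:A001A001A001A001:1577836800::::::scESC::::::23::0:
sub:u:4096:1:E001E001E001E001:1577836800::::::e::::::23:
sub:e:4096:1:E002E002E002E002:1514764800:1546300800:::::e::::::23:
sub:r:4096:1:E003E003E003E003:1577836800::::::e::::::23:
sub:u:4096:1:5004500450045004:1577836800::::::s::::::23:
pub:-:4096:1:A002A002A002A002:1577836800::::::scESCD::::::23::0:
sub:-:4096:1:E005E005E005E005:1577836800::::::e::::::23:
pub:q:4096:1:A003A003A003A003:1577836800::::::scESC::::::23::0:
sub:q:4096:1:E006E006E006E006:1577836800::::::e::::::23:
EOF
}

# Prints E001E001E001E001 and E006E006E006E006 only.
sample_records | filter_encryption_keys
```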