[PATCH] Filter out expired signing keys

Kjetil Torgrim Homme kjetil.homme at redpill-linpro.com
Wed Jan 8 18:19:45 CET 2020

On 07/01/2020 17.27, Kjetil Torgrim Homme wrote:
> My pass installation wanted to reencrypt all files every time since the 
> list it made of encryption keys associated with public keys included 
> invalid (expired, revoked) keys as well as those that should be used.
> I turned the logic from a sed expression to a function to make it more 
> readable.

actually my checking for usable keys was inaccurate - but to my defense 
so was the code I based the patch on, ie. version 1.7.3

commit 5a52772156b44ef9785e91ab78ab2e1c3b1e510e changes the filtering by 
validity to exclude "i" (invalid), "d" (disabled) and "r" (revoked). 
the problem which motivated my patch was the status "e" for expired.  my 
patch takes the reverse approach and lists what values to allow rather 
than what not to allow.  I don't have a very strong opinion on which 
approach is better.  neither am I sure if it is correct to include keys 
which have unknown or undefined validity.

the inaccuracy alluded to in the introduction refers to field 12, 
capability.  it needs to check for D for disabled and accept capital E 
for encryption.

the new patch uses [[ ]] instead of a sequence of case statements to 
make the logic clearer.  the patch is now relative to master.

commit b037317f547e103b273e63a4d18025eac4a5c34f
Author: Kjetil Torgrim Homme <kjetil.homme at redpill-linpro.com>
Date:   Wed Jan 8 18:13:06 2020 +0100

     only use encryption keys which are valid and enabled


     old version would encrypt to expired keys (field 2) and disabled 
keys (field 12)

diff --git src/password-store.sh src/password-store.sh
index 77f3eda..eb2e038 100755
--- src/password-store.sh
+++ src/password-store.sh
@@ -105,6 +105,21 @@ set_gpg_recipients() {
  	done < "$current"

+# Take a list of public key ids and return valid encryption keys 
associated with them
+list_encryption_keys() {
+	$GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "$@" |
+		while IFS=: read f1_type f2_validity f3 f4 f5_keyid f6 f7 f8 f9 f10 
f11 f12_capability fN
+		do
+			if [[ $f1_type == 'sub' && $f2_validity == [-qmfu] ]]; then
+				# validity is undefined, marginal, full or ultimate
+				if [[ $f12_capability != *D* && $f12_capability == *[eE]* ]]; then
+					# not disabled, usable for encryption
+					echo "$f5_keyid"
+				fi
+			fi
+		done | LC_ALL=C sort -u
  reencrypt_path() {
  	local prev_gpg_recipients="" gpg_keys="" current_keys="" index passfile
  	local groups="$($GPG $PASSWORD_STORE_GPG_OPTS --list-config 
--with-colons | grep "^cfg:group:.*")"
@@ -125,7 +140,7 @@ reencrypt_path() {
  				IFS=";" eval 'GPG_RECIPIENTS+=( $group )' # 
  				unset "GPG_RECIPIENTS[$index]"
-			gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons 
"${GPG_RECIPIENTS[@]}" | sed -n 
| LC_ALL=C sort -u)"
+			gpg_keys="$(list_encryption_keys "${GPG_RECIPIENTS[@]}")"
  		current_keys="$(LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v 
--no-secmem-warning --no-permission-warning --decrypt --list-only 
--keyid-format long "$passfile" 2>&1 | sed -n 's/^gpg: public key is 
\([A-F0-9]\+\)$/\1/p' | LC_ALL=C sort -u)"

Kjetil T. Homme
Redpill Linpro - Changing the Game
-------------- next part --------------
A non-text attachment was scrubbed...
Name: filter-expired.patch
Type: text/x-patch
Size: 2084 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20200108/b43bf198/attachment.bin>

More information about the Password-Store mailing list