[PATCH] init: allow using without gpg-id to reencrypt directory

Dominique Martinet asmadeus at codewreck.org
Wed Mar 29 21:19:28 UTC 2023


When using gpg groups in .gpg-id (through gpg.conf), it is useful to
periodically re-encrypt the whole password store without changing the
.gpg-id files in it.

The reencrypt_path helper already expands groups and correctly
identifies when group contents changed to only reencrypt on an as-needed
basis, but the function is not otherwise exposed (except through two mv
or cp...) so having this functionality in init would be quite useful.
---
Note: didn't adjust tests, it might make sense to modify
t0300-reencryption.sh to modify a group and test that,
but gpg doesn't seem to provide any command to modify config on the fly
(oh, using `PASSWORD_STORE_GPG_OPTS=--group=groupname=member` seems to
properly be additive, but the test setup clears that variable (as it
should!) and the test script helpers will need adjustments so there's a
bit of work required)

I can look at it if really required, otherwise I've tested locally and
it just works as one would expect.


 man/pass.1            | 5 +++--
 src/password-store.sh | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/man/pass.1 b/man/pass.1
index a555dcb26bc6..eccb3b7faa9c 100644
--- a/man/pass.1
+++ b/man/pass.1
@@ -58,7 +58,7 @@ password names in
 .SH COMMANDS
 
 .TP
-\fBinit\fP [ \fI--path=sub-folder\fP, \fI-p sub-folder\fP ] \fIgpg-id...\fP
+\fBinit\fP [ \fI--path=sub-folder\fP, \fI-p sub-folder\fP ] [ \fIgpg-id...\fP ]
 Initialize new password storage and use
 .I gpg-id
 for encryption. Multiple gpg-ids may be specified, in order to encrypt each
@@ -72,7 +72,8 @@ intervention. If \fI--path\fP or \fI-p\fP is specified, along with an argument,
 a specific gpg-id or set of gpg-ids is assigned for that specific sub folder of
 the password store. If only one \fIgpg-id\fP is given, and it is an empty string,
 then the current \fI.gpg-id\fP file for the specified \fIsub-folder\fP (or root if
-unspecified) is removed.
+unspecified) is removed. If no \fIgpg-id\fP are given, the directory is reencrypted
+without modifying the \fI.gpg-id\fP file.
 .TP
 \fBls\fP \fIsubfolder\fP
 List names of passwords inside the tree at
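Review bot: the added sentence has a number-agreement slip ("If no \fIgpg-id\fP are given"); use "If no \fIgpg-id\fP is given" or "If no gpg-ids are given". It would also help the reader to say what the reencryption uses, i.e. that the directory is reencrypted to the recipients in its existing \fI.gpg-id\fP file (with any gpg groups re-expanded), since picking up changed group membership is the stated purpose of the change.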
diff --git a/src/password-store.sh b/src/password-store.sh
index 22e818fd548a..5415f40faf3a 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -328,7 +328,7 @@ cmd_init() {
 		--) shift; break ;;
 	esac done
 
-	[[ $err -ne 0 || $# -lt 1 ]] && die "Usage: $PROGRAM $COMMAND [--path=subfolder,-p subfolder] gpg-id..."
+	[[ $err -ne 0 ]] && die "Usage: $PROGRAM $COMMAND [--path=subfolder,-p subfolder] gpg-id..."
 	[[ -n $id_path ]] && check_sneaky_paths "$id_path"
 	[[ -n $id_path && ! -d $PREFIX/$id_path && -e $PREFIX/$id_path ]] && die "Error: $PREFIX/$id_path exists but is not a directory."
 
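Review bot: dropping the `$# -lt 1` guard is the behavioural change, but the usage string on the same line still reads `gpg-id...` as if the argument were required; change it to `[gpg-id...]` to match the man page synopsis. Also worth confirming what a bare `pass init` does on a store (or subfolder) that has no `.gpg-id` yet, since argument validation no longer stops it there and the hunk does not show which error, if any, the user then sees.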
@@ -343,7 +343,7 @@ cmd_init() {
 			git_commit "Deinitialize ${gpg_id}${id_path:+ ($id_path)}."
 		fi
 		rmdir -p "${gpg_id%/*}" 2>/dev/null
-	else
+	elif [[ $# -ge 1 ]]; then
 		mkdir -v -p "$PREFIX/$id_path"
 		printf "%s\n" "$@" > "$gpg_id"
 		local id_print="$(printf "%s, " "$@")"
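Review bot: `id_print` is declared `local` inside this `elif` branch, so on the new no-argument path (neither the removal branch nor this one runs) it is unset; if the code following the `if` block interpolates `$id_print` into the git commit message, that message will be empty where the id should be. Consider a distinct message for the reencrypt-only case, and a short comment above the `elif` noting that falling through with no arguments is intentional.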
-- 
2.39.2