Require signed masterkey (REPO FORMAT CHANGE)

root 2013-02-14 00:00:00 +00:00
parent d03fcad84d
commit a0e16ce7df


@ -174,6 +174,11 @@ CLEARSIGN()
fi fi
} }
CHECKSIGN()
{
gpg -q --no-default-keyring --keyring "$CONF_KEYRING" -d
}
DECRYPT() DECRYPT()
{ {
(printf "%s" "$MASTERKEY" | \ (printf "%s" "$MASTERKEY" | \
@ -199,6 +204,7 @@ make_new_repo()
# The MASTERKEY is encrypted to all RECIPIENTS. The key is a long # The MASTERKEY is encrypted to all RECIPIENTS. The key is a long
# ascii-encoded string used for symmetric encryption with GnuPG. # ascii-encoded string used for symmetric encryption with GnuPG.
local RECIPIENTS local RECIPIENTS
local KEYSIGN
echo_info "Setting up new repository at $URL" echo_info "Setting up new repository at $URL"
RECIPIENTS="$(gpg --no-default-keyring --keyring "$CONF_KEYRING" \ RECIPIENTS="$(gpg --no-default-keyring --keyring "$CONF_KEYRING" \
--with-colons -k | xgrep ^pub | cut -f5 -d:)" --with-colons -k | xgrep ^pub | cut -f5 -d:)"
@ -216,10 +222,37 @@ make_new_repo()
echo_info "Encrypting to \"$RECIPIENTS\"" echo_info "Encrypting to \"$RECIPIENTS\""
echo_info "Generating new master key" echo_info "Generating new master key"
MASTERKEY="$(genkey)" MASTERKEY="$(genkey)"
printf "%s" "$MASTERKEY" | \ KEYSIGN=$(printf "%s\n" "$MASTERKEY" | gpg --output - --clearsign)
gpg --compress-algo none -e $RECIPIENTS | PUT "$URL" masterkey TMPMASTERKEY_ENC="$LOCALDIR/masterenc.$$"
trap 'rm -f "$TMPMASTERKEY_ENC"' EXIT
printf "%s" "$KEYSIGN" | gpg --no-default-keyring \
--keyring "$CONF_KEYRING" --compress-algo none -e $RECIPIENTS \
> "$TMPMASTERKEY_ENC"
PUT "$URL" masterkey < "$TMPMASTERKEY_ENC"
rm -f "$TMPMASTERKEY_ENC"
trap EXIT
} }
get_masterkey()
{
TMPMASTERKEY_ENC="$LOCALDIR/masterenc.$$"
trap 'rm -f "$TMPMASTERKEY_ENC"' EXIT
echo_info "Verifying masterkey signature"
GET "$URL" masterkey 2>/dev/null > "$TMPMASTERKEY_ENC" || return 0
#echo_info "Opening Master Key"
gpg -q -d < "$TMPMASTERKEY_ENC" | CHECKSIGN || {
echo_info "Opening of master key failed!"
echo_info "Using keyring $CONF_KEYRING"
if [ "$CONF_KEYRING" = "/dev/null" ] ; then
echo_info "Please configure gcrypt.keyring"
fi
exit 1
}
rm -f "$TMPMASTERKEY_ENC"
trap EXIT
}
read_config() read_config()
{ {
CONF_SIGN_MANIFEST=$(git config --bool gcrypt.signmanifest || :) CONF_SIGN_MANIFEST=$(git config --bool gcrypt.signmanifest || :)
@ -250,8 +283,7 @@ ensure_connected()
then then
# Use gpg to verify and strip the signature # Use gpg to verify and strip the signature
echo_info "Verifying manifest signature" echo_info "Verifying manifest signature"
STRIPDATA="$(printf "%s" "$MANIFESTDATA" | \ STRIPDATA="$(printf "%s" "$MANIFESTDATA" | CHECKSIGN || {
gpg -q --no-default-keyring --keyring "$CONF_KEYRING" -d || {
echo_info "WARNING: Failed to verify signature from $URL" echo_info "WARNING: Failed to verify signature from $URL"
echo_info "WARNING: Using keyring $CONF_KEYRING" echo_info "WARNING: Using keyring $CONF_KEYRING"
if [ "$CONF_KEYRING" = "/dev/null" ] ; then if [ "$CONF_KEYRING" = "/dev/null" ] ; then
@ -269,11 +301,6 @@ ensure_connected()
PACKLIST=$(printf "%s\n" "$MANIFESTDATA" | xgrep "^$PACKPFX") PACKLIST=$(printf "%s\n" "$MANIFESTDATA" | xgrep "^$PACKPFX")
} }
get_masterkey()
{
GET "$URL" masterkey 2>/dev/null | gpg -q -d || :
}
do_capabilities() do_capabilities()
{ {
echo fetch echo fetch