jigen/git-remote-gcrypt
1
0
Fork 0
Code Issues 1 Pull requests Releases Wiki Activity

Use git config gcrypt.keyring for repository security

Browse source 
To verify signatures, we need a small keyring where the user has
selected just the keys who are allowed to access and update the
repository.
This commit is contained in:
root 2013-02-14 00:00:00 +00:00
parent 3d90c4ab16
commit d03fcad84d
1 changed files with 15 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
git-remote-gcrypt
View file

@ -200,16 +200,20 @@ make_new_repo()
# ascii-encoded string used for symmetric encryption with GnuPG. # ascii-encoded string used for symmetric encryption with GnuPG.
local RECIPIENTS local RECIPIENTS
echo_info "Setting up new repository at $URL" echo_info "Setting up new repository at $URL"
RECIPIENTS="$(gpg --no-default-keyring --keyring "$CONF_KEYRING" \
--with-colons -k | xgrep ^pub | cut -f5 -d:)"
# Split recipients by space, example "a b c" => -R a -R b -R c # Split recipients by space, example "a b c" => -R a -R b -R c
RECIPIENTS=$(git config gcrypt.recipients | sed -e 's/\([^ ]\+\)/-R &/g') RECIPIENTS=$(printf "%s" $RECIPIENTS | sed -e 's/\([^ ]\+\)/-R &/g')
if [ -z "$RECIPIENTS" ] if [ -z "$RECIPIENTS" ]
then then
echo_info "You must configure which GnuPG recipients can access the repository." echo_info "You must configure a keyring for the repository."
echo_info "To setup for all your git repositories, use::" echo_info "Use ::"
echo_info " git config --global gcrypt.recipients KEYID" echo_info " gpg --export KEYID1 > <path-to-keyring>"
echo_info " git config gcrypt.keyring <path-to-keyring>"
exit 1 exit 1
fi fi
PUTREPO "$URL" PUTREPO "$URL"
echo_info "Encrypting to \"$RECIPIENTS\""
echo_info "Generating new master key" echo_info "Generating new master key"
MASTERKEY="$(genkey)" MASTERKEY="$(genkey)"
printf "%s" "$MASTERKEY" | \ printf "%s" "$MASTERKEY" | \
@ -220,6 +224,7 @@ read_config()
{ {
CONF_SIGN_MANIFEST=$(git config --bool gcrypt.signmanifest || :) CONF_SIGN_MANIFEST=$(git config --bool gcrypt.signmanifest || :)
CONF_REQUIRE_SIGN=$(git config --bool gcrypt.requiresign || :) CONF_REQUIRE_SIGN=$(git config --bool gcrypt.requiresign || :)
CONF_KEYRING=$(git config --path gcrypt.keyring || printf "/dev/null")
} }
ensure_connected() ensure_connected()
@ -245,8 +250,13 @@ ensure_connected()
then then
# Use gpg to verify and strip the signature # Use gpg to verify and strip the signature
echo_info "Verifying manifest signature" echo_info "Verifying manifest signature"
STRIPDATA="$(printf "%s" "$MANIFESTDATA" | gpg --batch || { STRIPDATA="$(printf "%s" "$MANIFESTDATA" | \
gpg -q --no-default-keyring --keyring "$CONF_KEYRING" -d || {
echo_info "WARNING: Failed to verify signature from $URL" echo_info "WARNING: Failed to verify signature from $URL"
echo_info "WARNING: Using keyring $CONF_KEYRING"
if [ "$CONF_KEYRING" = "/dev/null" ] ; then
echo_info "WARNING: Please configure gcrypt.keyring"
fi
if [ "$CONF_REQUIRE_SIGN" = "true" ] ; then if [ "$CONF_REQUIRE_SIGN" = "true" ] ; then
echo_info "Exiting per gcrypt.requiresign" && exit 1 echo_info "Exiting per gcrypt.requiresign" && exit 1
fi fi