Changeset - a2d092899fd4
Branko Majic (branko) - 4 years ago 2020-06-29 04:17:45
branko@majic.rs
Moved some commonly used GnuPG arguments into an array variable.
1 file changed with 9 insertions and 8 deletions:
openpgp/gitprotect.sh
 
@@ -185,25 +185,26 @@ shift
 

	
 
# Make sure the command is run from within a git repository.
 
inGit || exit "$ERR_NOTINGIT"
 

	
 
# Set-up some default values.
 
gnupgHome="$(pwd)/.gnupg"
 
gnupgArgs=("--homedir" "$gnupgHome" "--batch")
 

	
 
if [[ $command == "init" ]]; then
 
    if [[ -d $gnupgHome ]]; then
 
        echo "Directory already set-up." >&2
 
        exit 0
 
    fi
 

	
 
    # Create the local .gnupg directory.
 
    mkdir "$gnupgHome"
 
    chmod 700 "$gnupgHome"
 

	
 
    # Initialise the GnuPG files in local directory.
 
    gpg2 --batch --homedir "$gnupgHome" --list-keys 2>/dev/null
 
    gpg2 "${gnupgArgs[@]}" --list-keys 2>/dev/null
 

	
 
    # Set-up a .gitignore file that will exclude some temporary files from being
 
    # tracked, as well as decrypted files.
 
    cat <<EOF >> .gitignore
 
# BEGIN gitprotect.sh
 
.gnupg/pubring.gpg~
 
@@ -243,20 +244,20 @@ elif [[ $command == "addkey" ]]; then
 

	
 
    # Process all the keys specified.
 
    for key in "$@"; do
 
        # First try accessing a file by the given key name. Otherwise treat it
 
        # as key identifier.
 
        if [[ -f $key ]]; then
 
            if ! gpg2 --batch --homedir "$gnupgHome" --import "$key"; then
 
            if ! gpg2 "${gnupgArgs[@]}" --import "$key"; then
 
                echo "ERROR: Failed to add key from file '$key'." >&2
 
            fi
 
        else
 
            if ! gpg2 --batch --list-keys "$key" >/dev/null 2>&1; then
 
                echo "WARN: Key with identifier '$key' not found in user's GnuPG keyring. Skipping." >&2
 
            else
 
                ! gpg2 --batch --armor --export "$key" | gpg2 --batch --homedir "$gnupgHome" --import
 
                ! gpg2 --batch --armor --export "$key" | gpg2 "${gnupgArgs[@]}" --import
 
                if [[ ${PIPESTATUS[0]} != 0 ]]; then
 
                    echo "ERROR: Failed to add key with identifier '$key')." >&2
 
                fi
 
            fi
 
        fi
 
    done
 
@@ -268,21 +269,21 @@ elif [[ $command = "rmkey" ]]; then
 
        echo "ERROR: At least one key file or identifier must be specified" >&2
 
        exit "$ERR_NOKEYARG"
 
    fi
 

	
 
    # Process all the keys specified.
 
    for key in "$@"; do
 
        if ! gpg2 --batch --homedir "$gnupgHome" --list-key "$key" 2>/dev/null; then
 
        if ! gpg2 "${gnupgArgs[@]}" --list-key "$key" 2>/dev/null; then
 
            echo "WARN: Key with identifier '$key' not found in git repository directory's GnuPG keyring. Skipping" >&2
 
        elif ! gpg2 --batch --homedir "$gnupgHome" --yes --delete-key "$key"; then
 
        elif ! gpg2 "${gnupgArgs[@]}" --yes --delete-key "$key"; then
 
            echo "ERROR: Failed to remove the key with identifier '$key'." >&2
 
        fi
 
    done
 
elif [[ $command = "listkeys" ]]; then
 
    gitprotectConfigured || exit "$ERR_NOCONFIG"
 
    gpg2 --batch --homedir "$gnupgHome" --list-public-keys --keyid-format long
 
    gpg2 "${gnupgArgs[@]}" --list-public-keys --keyid-format long
 
elif [[ $command = "encrypt" ]]; then
 
    gitprotectConfigured || exit "$ERR_NOCONFIG"
 

	
 
    # Verify that the directory with unencrypted files exists.
 
    if [[ ! -d "decrypted/" ]]; then
 
        echo "ERROR: Nothing to encrypt. sub-directory 'decrypted' does not exist."
 
@@ -293,13 +294,13 @@ elif [[ $command = "encrypt" ]]; then
 
    # sub-key from the local keyring.
 
    while read key_validity key_id key_capabilities; do
 
        # Only use non-expired sub-keys that have encryption capability.
 
        if [[ $key_validity != e && $key_capabilities =~ .*e.* ]]; then
 
            recipients+=("-r" "$key_id")
 
        fi
 
    done < <(gpg2 --homedir "$gnupgHome" --list-public-keys --with-colons | grep '^sub' | awk 'BEGIN { FS = ":" } ; { print $2, $5, $12 }')
 
    done < <(gpg2 "${gnupgArgs[@]}" --list-public-keys --with-colons | grep '^sub' | awk 'BEGIN { FS = ":" } ; { print $2, $5, $12 }')
 

	
 
    # Make sure that we have at least a single recipient.
 
    if [[ "${#recipients[@]}" == 0 ]]; then
 
        echo "ERROR: No suitable recipients were found in the keyring." >&2
 
        exit "$ERR_NORECIPIENTS"
 
    fi
 
@@ -313,13 +314,13 @@ elif [[ $command = "encrypt" ]]; then
 
        # decrypted file has been changed in any way since it has been
 
        # decrypted. We should skip unchanged files.
 
        if [[ -f $checksumFile ]] && sha256sum --quiet -c "$checksumFile" > /dev/null 2>&1; then
 
            echo "INFO: File decrypted/$filename doesn't seem to have been changed. Skipping."
 
        # The file was changed, so we need to encrypt new version of it.
 
        else
 
            cat "$filePath" | gpg2 --trust-model always --batch --homedir "$gnupgHome" \
 
            cat "$filePath" | gpg2 --trust-model always "${gnupgArgs[@]}" \
 
                --armor "${recipients[@]}" --encrypt > "$(unknown).gpg"
 
            sha256sum "decrypted/$filename" > "decrypted/.$(unknown).sha256"
 
        fi
 
    done < <(find "decrypted/" -maxdepth 1 -type f ! -name '.*.sha256')
 
elif [[ $command = "decrypt" ]]; then
 
    gitprotectConfigured || exit "$ERR_NOCONFIG"
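Review bot: The recipient selection in the encrypt hunk (`while read key_validity key_id key_capabilities`) only drops expired sub-keys via `$key_validity != e`, so a revoked (`r`) or disabled (`d`) encryption sub-key present in the repo-local keyring is still handed to gpg2 as `-r`; gpg2 may refuse it on its own, which I have not verified here, but since the script already filters on the validity field it should do so consistently: `if [[ $key_validity != [erd] && $key_capabilities =~ .*e.* ]]; then`. The `--trust-model always` on the encrypt call is kept outside the new `gnupgArgs` array, which is right since the list/delete calls should not carry it, but a one-line comment above that call such as `# Trust is decided by membership in the repo-local keyring (addkey), not the web of trust.` would tell the next maintainer why WoT checks are bypassed and why the array must not absorb it. Note also that the new `${gnupgArgs[@]}` adds `--batch` to the recipient listing command that previously ran without it; that looks harmless but is a behaviour change the commit message does not mention. The encrypt branch (`elif [[ $command = "encrypt" ]]`) continues past the end of this hunk.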