aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPaul Sokolovsky <paul.sokolovsky@linaro.org>2014-03-22 20:43:46 +0200
committerPaul Sokolovsky <paul.sokolovsky@linaro.org>2014-03-22 20:43:46 +0200
commitfef6afe82099a17707d0605772c364dbfc75f498 (patch)
treebd2d72c790d6e76e9e9210098fc6c14b6d03ff08
parent30deb3e664b2075c3b1c009e767b06149bc33666 (diff)
downloadgit-gpgcrypt-fef6afe82099a17707d0605772c364dbfc75f498.tar.gz
Add search-keys command to query and import recipient keys from keyserver.
Change .recipient file format to allow it to use specific selectors (like key ID/fingerprint), while having human-readable comment. Change-Id: I50f04743836e4a30575d2cbdb51d5fa18323a63c
-rw-r--r--README24
-rwxr-xr-xgit-gpgcrypt11
2 files changed, 26 insertions, 9 deletions
diff --git a/README b/README
index cf0b9a2..3162ad7 100644
--- a/README
+++ b/README
@@ -30,21 +30,29 @@ New repository
--------------
1. git init
2. Create ".recipients" file listing key names of persons who may access
-encrypted files in the repository. These may be either key IDs or
-substrings of user IDs (e.g., emails). See "How to specify a user ID" in
-man gpg for more details. Note that corresponding keys must be already
-present in your keyring (TODO: add convenience command to import keys from
-keyserver).
-3. git gpgcrypt init
-4. Review .gitattributes file for file encryption settings (it's not required
+encrypted files in the repository. The format for each line is:
+
+<user sel> [#<comment>]
+
+User selector can be key IDs, fingerprints, substrings of user IDs (e.g.,
+emails). See "How to specify a user ID" in man gpg for more details.
+3. Corresponding keys must be already present in your keyring. If that's
+not the case, your can import keys from keyserver using
+"git gpgcrypt search-keys" command. WARNING: You should verify each key
+imported thoroughly, by default treating unverified keys as counterfeit.
+4. git gpgcrypt init
+5. Review .gitattributes file for file encryption settings (it's not required
to encrypt all files; in particular, default .gitattributes makes README and
some other files plain-text).
-5. Add files and use repository as usual.
+6. Add files and use repository as usual.
Cloned repository
-----------------
1. git clone
2. git gpgcrypt init
+3. git gpgcrypt search-keys, if you don't have all recipient keys in your
+keyring. WARNING: You should verify each key imported thoroughly, by default
+treating unverified keys as counterfeit.
Update list of recipients
-------------------------
diff --git a/git-gpgcrypt b/git-gpgcrypt
index fd830d1..db0bd70 100755
--- a/git-gpgcrypt
+++ b/git-gpgcrypt
@@ -87,7 +87,7 @@ get_salt() {
}
encrypt_key() {
- echo "$1" | gpg -ea --group gr="$(cat .recipients|tr '\n' ' ')" -r gr --output .gpgcrypt-key
+ echo "$1" | gpg -ea --group gr="$(sed -r -e 's/ +#[^#]*//' .recipients | tr '\n' ' ')" -r gr --output .gpgcrypt-key
}
case "$1" in
@@ -97,6 +97,15 @@ case "$1" in
update)
encrypt_key "$(get_key)"
;;
+ search-keys)
+ echo "!!!!! WARNING !!!!!"
+ echo "Be careful before importing keys and never use a keys whose"
+ echo "fingerprint you didn't verify directly with the owner."
+ echo "Press Enter if you are sure you want to continue or Ctrl+C to quit."
+ echo "!!!!! WARNING !!!!!"
+ read
+ sed -r -e 's/ +#[^#]*//' .recipients | xargs -d "\n" -n1 gpg --keyserver keyserver.ubuntu.com --search-keys
+ ;;
clean)
#gpg -ea --group gr="$(cat .recipients|tr '\n' ' ')" -r gr
openssl enc -base64 -$CIPHER -S "$(get_salt)" -k "$(get_key)"