authorPaul Sokolovsky <paul.sokolovsky@linaro.org>2014-03-22 20:43:46 +0200
committerPaul Sokolovsky <paul.sokolovsky@linaro.org>2014-03-22 20:43:46 +0200
commitfef6afe82099a17707d0605772c364dbfc75f498 (patch)
parent30deb3e664b2075c3b1c009e767b06149bc33666 (diff)
Add search-keys command to query and import recipient keys from keyserver.
Change .recipients file format to allow it to use specific selectors (like key ID/fingerprint), while having human-readable comment. Change-Id: I50f04743836e4a30575d2cbdb51d5fa18323a63c
2 files changed, 26 insertions, 9 deletions
diff --git a/README b/README
index cf0b9a2..3162ad7 100644
--- a/README
+++ b/README
@@ -30,21 +30,29 @@ New repository
1. git init
2. Create ".recipients" file listing key names of persons who may access
-encrypted files in the repository. These may be either key IDs or
-substrings of user IDs (e.g., emails). See "How to specify a user ID" in
-man gpg for more details. Note that corresponding keys must be already
-present in your keyring (TODO: add convenience command to import keys from
-3. git gpgcrypt init
-4. Review .gitattributes file for file encryption settings (it's not required
+encrypted files in the repository. The format for each line is:
+<user sel> [#<comment>]
+User selector can be key IDs, fingerprints, substrings of user IDs (e.g.,
+emails). See "How to specify a user ID" in man gpg for more details.
+3. Corresponding keys must be already present in your keyring. If that's
+not the case, your can import keys from keyserver using
+"git gpgcrypt search-keys" command. WARNING: You should verify each key
+imported thoroughly, by default treating unverified keys as counterfeit.
+4. git gpgcrypt init
+5. Review .gitattributes file for file encryption settings (it's not required
to encrypt all files; in particular, default .gitattributes makes README and
some other files plain-text).
-5. Add files and use repository as usual.
+6. Add files and use repository as usual.
Cloned repository
1. git clone
2. git gpgcrypt init
+3. git gpgcrypt search-keys, if you don't have all recipient keys in your
+keyring. WARNING: You should verify each key imported thoroughly, by default
+treating unverified keys as counterfeit.
Update list of recipients
diff --git a/git-gpgcrypt b/git-gpgcrypt
index fd830d1..db0bd70 100755
--- a/git-gpgcrypt
+++ b/git-gpgcrypt
@@ -87,7 +87,7 @@ get_salt() {
encrypt_key() {
- echo "$1" | gpg -ea --group gr="$(cat .recipients|tr '\n' ' ')" -r gr --output .gpgcrypt-key
+ echo "$1" | gpg -ea --group gr="$(sed -r -e 's/ +#[^#]*//' .recipients | tr '\n' ' ')" -r gr --output .gpgcrypt-key
case "$1" in
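Review bot: The comment stripper on the new encrypt_key line, `s/ +#[^#]*//`, only removes a `#` that is preceded by at least one space, so a `.recipients` line that is a whole-line comment starting in column 0 (or a comment written as `foo#bar` without a space) survives and is handed to gpg as a recipient selector; a `#` inside the comment text also stops the `[^#]*` match and leaves the remainder as a selector. Since `.recipients` is committed content that anyone with write access can edit, an unexpected selector silently becomes an extra recipient of the data key. Stripping from the first `#` to end of line and dropping blank results is safer: `sed -r -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' .recipients`. Documenting that whole-line comments are allowed only if this is changed would also help, because the README format `<user sel> [#<comment>]` does not say. The encrypt_key function's closing brace is outside this hunk.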
@@ -97,6 +97,15 @@ case "$1" in
encrypt_key "$(get_key)"
+ search-keys)
+ echo "!!!!! WARNING !!!!!"
+ echo "Be careful before importing keys and never use a keys whose"
+ echo "fingerprint you didn't verify directly with the owner."
+ echo "Press Enter if you are sure you want to continue or Ctrl+C to quit."
+ echo "!!!!! WARNING !!!!!"
+ read
+ sed -r -e 's/ +#[^#]*//' .recipients | xargs -d "\n" -n1 gpg --keyserver keyserver.ubuntu.com --search-keys
+ ;;
#gpg -ea --group gr="$(cat .recipients|tr '\n' ' ')" -r gr
openssl enc -base64 -$CIPHER -S "$(get_salt)" -k "$(get_key)"
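Review bot: The new `search-keys` arm pins `--keyserver keyserver.ubuntu.com` with no scheme, which gpg presumably treats as plain HKP on port 11371, so an on-path party can alter the search results the user is then prompted to trust; `--keyserver hkps://keyserver.ubuntu.com` (or omitting `--keyserver` so the user's own gpg.conf setting applies) removes that exposure. The same `sed -r -e 's/ +#[^#]*//'` feeds `--search-keys`, so a comment line with no leading space is searched as a user ID; and `read` should be `read -r` per the usual shell convention. `xargs -d` is GNU-specific, which matters if the script is meant to run on BSD/macOS. The warning text has a typo, `never use a keys whose` should read `never use a key whose`. The enclosing `case` statement continues outside this hunk.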