Support `yadm.gpg-recipient = ASK`

7 years ago · ea3b2ecfa8
parent 5ad5b2df7e
commit ea3b2ecfa8
4 changed files with 33 additions and 17 deletions
--- a/test/109_accept_encryption.bats
+++ b/test/109_accept_encryption.bats
@ -76,7 +76,7 @@ function validate_archive() {
      foreach {pid spawnid os_error_flag value} [wait] break
 EOF
  else
-    gpg -q -d "$T_YADM_ARCHIVE" || echo 1 | tar t | sort > "$T_TMP/archive_list"
+    gpg -q -d "$T_YADM_ARCHIVE" | tar t | sort > "$T_TMP/archive_list"
  fi

  #; inventory what is expected in the archive
@ -534,7 +534,7 @@ EOF
  run expect <<EOF
    set timeout 2;
    spawn ${T_YADM_Y[*]} encrypt;
-    expect "recipient:" {send "$T_KEY_NAME\n\n"}
+    expect "Enter the user ID" {send "$T_KEY_NAME\n\n"}
    expect "$"
    foreach {pid spawnid os_error_flag value} [wait] break
    exit \$value
--- a/10
+++ b/10
@ -228,10 +228,12 @@ function encrypt() {

  #; Build gpg options for gpg
  GPG_KEY="$(config yadm.gpg-recipient)"
-  if [ "$GPG_KEY" != "" ]; then
-    GPG_OPTS="-er $GPG_KEY"
+  if [ "$GPG_KEY" = "ASK" ]; then
+    GPG_OPTS=("--no-default-recipient" "-e")
+  elif [ "$GPG_KEY" != "" ]; then
+    GPG_OPTS=("-e" "-r $GPG_KEY")
  else
-    GPG_OPTS="-c"
+    GPG_OPTS=("-c")
  fi

  #; build a list of globs from YADM_ENCRYPT
@ -243,7 +245,7 @@ function encrypt() {
  done < "$YADM_ENCRYPT"

  #; encrypt all files which match the globs
-  tar -cv "${GLOBS[@]}" | gpg --yes "$GPG_OPTS" --output "$YADM_ARCHIVE"
+  tar -cv "${GLOBS[@]}" | gpg --yes "${GPG_OPTS[@]}" --output "$YADM_ARCHIVE"
  if [ $? = 0 ]; then
    echo "Wrote new file: $YADM_ARCHIVE"
  else
--- a/yadm.1
+++ b/yadm.1
@ -295,9 +295,12 @@ This feature is enabled by default.
 .TP
 .B yadm.gpg-recipient
 Asymmetrically encrypt files with a gpg public/private key pair.
-Provide a key ID to encrypt against that public key.
+Provide a "key ID" to specify which public key to encrypt with.
+The key must exist in your public keyrings.
 If left blank or not provided, symmetric encryption is used instead.
-This feature is disabled by deafult.
+If set to "ASK", gpg will interactively ask for recipients.
+See the ENCRYPTION section for more details.
+This feature is disabled by default.
 .SH ALTERNATES
 When managing a set of files across different systems, it can be useful to have
 an automated way of choosing an alternate version of a file for a different
@ -403,6 +406,11 @@ and provide the correct password.
 After files are decrypted, permissions are automatically updated as described
 in the PERMISSIONS section.

+Symmetric encryption is used by default, but asymmetric encryption may be
+enabled using the
+.I yadm.gpg-recipient
+configuration.
+
 .BR NOTE :
 It is recommended that you use a private repository when keeping confidential
 files, even though they are encrypted.
--- a/yadm.md
+++ b/yadm.md
@ -181,9 +181,12 @@

       yadm.gpg-recipient
              Asymmetrically encrypt files with a gpg public/private key pair.
-              Provice a key ID to encrypt against that public key.
-              If left blank or not provided, symmetric encryption is used
-              instead. This feature is disabled by deafult.
+              Provide  a "key ID" to specify which public key to encrypt with.
+              The key must exist in your public keyrings.  If  left  blank  or
+              not  provided,  symmetric encryption is used instead.  If set to
+              "ASK", gpg will  interactively  ask  for  recipients.   See  the
+              ENCRYPTION  section  for more details.  This feature is disabled
+              by default.

 ## ALTERNATES
       When managing a set of files across different systems, it can be useful
@ -264,16 +267,19 @@
       provide  the  correct password.  After files are decrypted, permissions
       are automatically updated as described in the PERMISSIONS section.

-       NOTE: It is recommended that you use a private repository when  keeping
+       Symmetric encryption is used by default, but asymmetric encryption  may
+       be enabled using the yadm.gpg-recipient configuration.
+
+       NOTE:  It is recommended that you use a private repository when keeping
       confidential files, even though they are encrypted.

 ## PERMISSIONS
-       When  files  are checked out of a Git repository, their initial permis-
+       When files are checked out of a Git repository, their  initial  permis-
       sions are dependent upon the user's umask. This can result in confiden-
       tial files with lax permissions.

       To prevent this, yadm will automatically update the permissions of con-
-       fidential files.  The "group" and "others" permissions will be  removed
+       fidential  files.  The "group" and "others" permissions will be removed
       from the following files:

       - $HOME/.yadm/files.gpg
@ -285,13 +291,13 @@
       - The GPG directory and files, .gnupg/*

       yadm will automatically update permissions by default. This can be dis-
-       abled using the yadm.auto-perms configuration.  Even if disabled,  per-
+       abled  using the yadm.auto-perms configuration.  Even if disabled, per-
       missions can be manually updated by running yadm perms.  The SSH direc-
       tory processing can be disabled using the yadm.ssh-perms configuration.

 ## FILES
-       The  following are the default paths yadm uses for its own data.  These
-       paths can be altered using universal options.  See the OPTIONS  section
+       The following are the default paths yadm uses for its own data.   These
+       paths  can be altered using universal options.  See the OPTIONS section
       for details.

       $HOME/.yadm