Support yadm.gpg-recipient = ASK

test/109_accept_encryption.bats

@@ -76,7 +76,7 @@ function validate_archive() {
       foreach {pid spawnid os_error_flag value} [wait] break
 EOF
   else
-    gpg -q -d "$T_YADM_ARCHIVE" || echo 1 | tar t | sort > "$T_TMP/archive_list"
+    gpg -q -d "$T_YADM_ARCHIVE" | tar t | sort > "$T_TMP/archive_list"
   fi
 
   #; inventory what is expected in the archive
@@ -534,7 +534,7 @@ EOF
   run expect <<EOF
     set timeout 2;
     spawn ${T_YADM_Y[*]} encrypt;
-    expect "recipient:" {send "$T_KEY_NAME\n\n"}
+    expect "Enter the user ID" {send "$T_KEY_NAME\n\n"}
     expect "$"
     foreach {pid spawnid os_error_flag value} [wait] break
     exit \$value

yadm

@@ -228,10 +228,12 @@ function encrypt() {
 
   #; Build gpg options for gpg
   GPG_KEY="$(config yadm.gpg-recipient)"
-  if [ "$GPG_KEY" != "" ]; then
+  if [ "$GPG_KEY" = "ASK" ]; then
-    GPG_OPTS="-er $GPG_KEY"
+    GPG_OPTS=("--no-default-recipient" "-e")
+  elif [ "$GPG_KEY" != "" ]; then
+    GPG_OPTS=("-e" "-r $GPG_KEY")
   else
-    GPG_OPTS="-c"
+    GPG_OPTS=("-c")
   fi
 
   #; build a list of globs from YADM_ENCRYPT
@@ -243,7 +245,7 @@ function encrypt() {
   done < "$YADM_ENCRYPT"
 
   #; encrypt all files which match the globs
-  tar -cv "${GLOBS[@]}" | gpg --yes "$GPG_OPTS" --output "$YADM_ARCHIVE"
+  tar -cv "${GLOBS[@]}" | gpg --yes "${GPG_OPTS[@]}" --output "$YADM_ARCHIVE"
   if [ $? = 0 ]; then
     echo "Wrote new file: $YADM_ARCHIVE"
   else

yadm.1

@@ -295,9 +295,12 @@ This feature is enabled by default.
 .TP
 .B yadm.gpg-recipient
 Asymmetrically encrypt files with a gpg public/private key pair.
-Provide a key ID to encrypt against that public key.
+Provide a "key ID" to specify which public key to encrypt with.
+The key must exist in your public keyrings.
 If left blank or not provided, symmetric encryption is used instead.
-This feature is disabled by deafult.
+If set to "ASK", gpg will interactively ask for recipients.
+See the ENCRYPTION section for more details.
+This feature is disabled by default.
 .SH ALTERNATES
 When managing a set of files across different systems, it can be useful to have
 an automated way of choosing an alternate version of a file for a different
@@ -403,6 +406,11 @@ and provide the correct password.
 After files are decrypted, permissions are automatically updated as described
 in the PERMISSIONS section.
 
+Symmetric encryption is used by default, but asymmetric encryption may be
+enabled using the
+.I yadm.gpg-recipient
+configuration.
+
 .BR NOTE :
 It is recommended that you use a private repository when keeping confidential
 files, even though they are encrypted.

yadm.md

@@ -181,9 +181,12 @@
 
        yadm.gpg-recipient
               Asymmetrically encrypt files with a gpg public/private key pair.
-              Provice a key ID to encrypt against that public key.
+              Provide  a "key ID" to specify which public key to encrypt with.
-              If left blank or not provided, symmetric encryption is used
+              The key must exist in your public keyrings.  If  left  blank  or
-              instead. This feature is disabled by deafult.
+              not  provided,  symmetric encryption is used instead.  If set to
+              "ASK", gpg will  interactively  ask  for  recipients.   See  the
+              ENCRYPTION  section  for more details.  This feature is disabled
+              by default.
 
 ## ALTERNATES
        When managing a set of files across different systems, it can be useful
@@ -264,16 +267,19 @@
        provide  the  correct password.  After files are decrypted, permissions
        are automatically updated as described in the PERMISSIONS section.
 
-       NOTE: It is recommended that you use a private repository when  keeping
+       Symmetric encryption is used by default, but asymmetric encryption  may
+       be enabled using the yadm.gpg-recipient configuration.
+
+       NOTE:  It is recommended that you use a private repository when keeping
        confidential files, even though they are encrypted.
 
 ## PERMISSIONS
-       When  files  are checked out of a Git repository, their initial permis-
+       When files are checked out of a Git repository, their  initial  permis-
        sions are dependent upon the user's umask. This can result in confiden-
        tial files with lax permissions.
 
        To prevent this, yadm will automatically update the permissions of con-
-       fidential files.  The "group" and "others" permissions will be  removed
+       fidential  files.  The "group" and "others" permissions will be removed
        from the following files:
 
        - $HOME/.yadm/files.gpg
@@ -285,13 +291,13 @@
        - The GPG directory and files, .gnupg/*
 
        yadm will automatically update permissions by default. This can be dis-
-       abled using the yadm.auto-perms configuration.  Even if disabled,  per-
+       abled  using the yadm.auto-perms configuration.  Even if disabled, per-
        missions can be manually updated by running yadm perms.  The SSH direc-
        tory processing can be disabled using the yadm.ssh-perms configuration.
 
 ## FILES
-       The  following are the default paths yadm uses for its own data.  These
+       The following are the default paths yadm uses for its own data.   These
-       paths can be altered using universal options.  See the OPTIONS  section
+       paths  can be altered using universal options.  See the OPTIONS section
        for details.
 
        $HOME/.yadm