Support `yadm.gpg-recipient = ASK`

This commit is contained in:
Tim Byrne 2016-04-21 07:59:43 -05:00
parent 5ad5b2df7e
commit ea3b2ecfa8
4 changed files with 33 additions and 17 deletions

View File

@ -76,7 +76,7 @@ function validate_archive() {
foreach {pid spawnid os_error_flag value} [wait] break
EOF
else
gpg -q -d "$T_YADM_ARCHIVE" || echo 1 | tar t | sort > "$T_TMP/archive_list"
gpg -q -d "$T_YADM_ARCHIVE" | tar t | sort > "$T_TMP/archive_list"
fi
#; inventory what is expected in the archive
@ -534,7 +534,7 @@ EOF
run expect <<EOF
set timeout 2;
spawn ${T_YADM_Y[*]} encrypt;
expect "recipient:" {send "$T_KEY_NAME\n\n"}
expect "Enter the user ID" {send "$T_KEY_NAME\n\n"}
expect "$"
foreach {pid spawnid os_error_flag value} [wait] break
exit \$value

10
yadm
View File

@ -228,10 +228,12 @@ function encrypt() {
#; Build gpg options for gpg
GPG_KEY="$(config yadm.gpg-recipient)"
if [ "$GPG_KEY" != "" ]; then
GPG_OPTS="-er $GPG_KEY"
if [ "$GPG_KEY" = "ASK" ]; then
GPG_OPTS=("--no-default-recipient" "-e")
elif [ "$GPG_KEY" != "" ]; then
GPG_OPTS=("-e" "-r $GPG_KEY")
else
GPG_OPTS="-c"
GPG_OPTS=("-c")
fi
#; build a list of globs from YADM_ENCRYPT
@ -243,7 +245,7 @@ function encrypt() {
done < "$YADM_ENCRYPT"
#; encrypt all files which match the globs
tar -cv "${GLOBS[@]}" | gpg --yes "$GPG_OPTS" --output "$YADM_ARCHIVE"
tar -cv "${GLOBS[@]}" | gpg --yes "${GPG_OPTS[@]}" --output "$YADM_ARCHIVE"
if [ $? = 0 ]; then
echo "Wrote new file: $YADM_ARCHIVE"
else

12
yadm.1
View File

@ -295,9 +295,12 @@ This feature is enabled by default.
.TP
.B yadm.gpg-recipient
Asymmetrically encrypt files with a gpg public/private key pair.
Provide a key ID to encrypt against that public key.
Provide a "key ID" to specify which public key to encrypt with.
The key must exist in your public keyrings.
If left blank or not provided, symmetric encryption is used instead.
This feature is disabled by deafult.
If set to "ASK", gpg will interactively ask for recipients.
See the ENCRYPTION section for more details.
This feature is disabled by default.
.SH ALTERNATES
When managing a set of files across different systems, it can be useful to have
an automated way of choosing an alternate version of a file for a different
@ -403,6 +406,11 @@ and provide the correct password.
After files are decrypted, permissions are automatically updated as described
in the PERMISSIONS section.
Symmetric encryption is used by default, but asymmetric encryption may be
enabled using the
.I yadm.gpg-recipient
configuration.
.BR NOTE :
It is recommended that you use a private repository when keeping confidential
files, even though they are encrypted.

24
yadm.md
View File

@ -181,9 +181,12 @@
yadm.gpg-recipient
Asymmetrically encrypt files with a gpg public/private key pair.
Provice a key ID to encrypt against that public key.
If left blank or not provided, symmetric encryption is used
instead. This feature is disabled by deafult.
Provide a "key ID" to specify which public key to encrypt with.
The key must exist in your public keyrings. If left blank or
not provided, symmetric encryption is used instead. If set to
"ASK", gpg will interactively ask for recipients. See the
ENCRYPTION section for more details. This feature is disabled
by default.
## ALTERNATES
When managing a set of files across different systems, it can be useful
@ -264,16 +267,19 @@
provide the correct password. After files are decrypted, permissions
are automatically updated as described in the PERMISSIONS section.
NOTE: It is recommended that you use a private repository when keeping
Symmetric encryption is used by default, but asymmetric encryption may
be enabled using the yadm.gpg-recipient configuration.
NOTE: It is recommended that you use a private repository when keeping
confidential files, even though they are encrypted.
## PERMISSIONS
When files are checked out of a Git repository, their initial permis-
When files are checked out of a Git repository, their initial permis-
sions are dependent upon the user's umask. This can result in confiden-
tial files with lax permissions.
To prevent this, yadm will automatically update the permissions of con-
fidential files. The "group" and "others" permissions will be removed
fidential files. The "group" and "others" permissions will be removed
from the following files:
- $HOME/.yadm/files.gpg
@ -285,13 +291,13 @@
- The GPG directory and files, .gnupg/*
yadm will automatically update permissions by default. This can be dis-
abled using the yadm.auto-perms configuration. Even if disabled, per-
abled using the yadm.auto-perms configuration. Even if disabled, per-
missions can be manually updated by running yadm perms. The SSH direc-
tory processing can be disabled using the yadm.ssh-perms configuration.
## FILES
The following are the default paths yadm uses for its own data. These
paths can be altered using universal options. See the OPTIONS section
The following are the default paths yadm uses for its own data. These
paths can be altered using universal options. See the OPTIONS section
for details.
$HOME/.yadm