author     Paul Sokolovsky <paul.sokolovsky@linaro.org>  2014-03-22 20:43:46 +0200
committer  Paul Sokolovsky <paul.sokolovsky@linaro.org>  2014-03-22 20:43:46 +0200
commit     fef6afe82099a17707d0605772c364dbfc75f498 (patch)
tree       bd2d72c790d6e76e9e9210098fc6c14b6d03ff08
parent     30deb3e664b2075c3b1c009e767b06149bc33666 (diff)
Add search-keys command to query and import recipient keys from keyserver.
Change .recipient file format to allow it to use specific selectors (like key ID/fingerprint), while having human-readable comment.

Change-Id: I50f04743836e4a30575d2cbdb51d5fa18323a63c
-rw-r--r--  README        24
-rwxr-xr-x  git-gpgcrypt  11
2 files changed, 26 insertions, 9 deletions
diff --git a/README b/README
index cf0b9a2..3162ad7 100644
--- a/README
+++ b/README
@@ -30,21 +30,29 @@ New repository
--------------
1. git init
2. Create ".recipients" file listing key names of persons who may access
-encrypted files in the repository. These may be either key IDs or
-substrings of user IDs (e.g., emails). See "How to specify a user ID" in
-man gpg for more details. Note that corresponding keys must be already
-present in your keyring (TODO: add convenience command to import keys from
-keyserver).
-3. git gpgcrypt init
-4. Review .gitattributes file for file encryption settings (it's not required
+encrypted files in the repository. The format for each line is:
+
+<user sel> [#<comment>]
+
+User selector can be key IDs, fingerprints, substrings of user IDs (e.g.,
+emails). See "How to specify a user ID" in man gpg for more details.
+3. Corresponding keys must be already present in your keyring. If that's
+not the case, your can import keys from keyserver using
+"git gpgcrypt search-keys" command. WARNING: You should verify each key
+imported thoroughly, by default treating unverified keys as counterfeit.
+4. git gpgcrypt init
+5. Review .gitattributes file for file encryption settings (it's not required
to encrypt all files; in particular, default .gitattributes makes README and
some other files plain-text).
-5. Add files and use repository as usual.
+6. Add files and use repository as usual.
Cloned repository
-----------------
1. git clone
2. git gpgcrypt init
+3. git gpgcrypt search-keys, if you don't have all recipient keys in your
+keyring. WARNING: You should verify each key imported thoroughly, by default
+treating unverified keys as counterfeit.
Update list of recipients
-------------------------
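Review bot: the new step 3 has a typo, "your can import keys from keyserver" should read "you can import keys from a keyserver". The format line `<user sel> [#<comment>]` also omits that the comment must be separated from the selector by at least one space, which is what the script's stripping expression `s/ +#[^#]*//` requires; a line such as `alice@example.org#Alice` would be passed to gpg unchanged. Since a substring of a user ID selects any key in the keyring (or on the keyserver) whose user ID contains it, consider recommending that .recipients list full fingerprints and keep the human-readable name in the comment, e.g. `<fingerprint> # Alice <alice@example.org>`, so that both `encrypt_key` and `search-keys` operate on an unambiguous selector.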
diff --git a/git-gpgcrypt b/git-gpgcrypt
index fd830d1..db0bd70 100755
--- a/git-gpgcrypt
+++ b/git-gpgcrypt
@@ -87,7 +87,7 @@ get_salt() {
}
encrypt_key() {
- echo "$1" | gpg -ea --group gr="$(cat .recipients|tr '\n' ' ')" -r gr --output .gpgcrypt-key
+ echo "$1" | gpg -ea --group gr="$(sed -r -e 's/ +#[^#]*//' .recipients | tr '\n' ' ')" -r gr --output .gpgcrypt-key
}
case "$1" in
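Review bot: the comment-stripping expression `s/ +#[^#]*//` in the new `encrypt_key` line leaves residue when the comment itself contains a `#`: `[^#]*` stops at the second `#`, so everything from there to the end of the line survives and is handed to gpg as part of the recipient selector. It also does not strip a line that starts with `#` without a leading space. `s/ *#.*//` handles both cases. The same expression is repeated verbatim in the `search-keys` branch, so factor it into one helper, e.g. `recipients() { sed -e 's/ *#.*//' .recipients | grep -v '^ *$'; }`, and use it at both call sites; the `grep -v` keeps blank and comment-only lines from reaching gpg, which matters more for the `xargs -n1` consumer than for the `tr '\n' ' '` one here.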
@@ -97,6 +97,15 @@ case "$1" in
update)
encrypt_key "$(get_key)"
;;
+ search-keys)
+ echo "!!!!! WARNING !!!!!"
+ echo "Be careful before importing keys and never use a keys whose"
+ echo "fingerprint you didn't verify directly with the owner."
+ echo "Press Enter if you are sure you want to continue or Ctrl+C to quit."
+ echo "!!!!! WARNING !!!!!"
+ read
+ sed -r -e 's/ +#[^#]*//' .recipients | xargs -d "\n" -n1 gpg --keyserver keyserver.ubuntu.com --search-keys
+ ;;
clean)
#gpg -ea --group gr="$(cat .recipients|tr '\n' ' ')" -r gr
openssl enc -base64 -$CIPHER -S "$(get_salt)" -k "$(get_key)"
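Review bot: `--keyserver keyserver.ubuntu.com` hardcodes a single server and, with no `hkps://` scheme, selects plain hkp, so the search and the returned key material are fetched over an unauthenticated transport and the user's own keyserver configuration in gpg.conf is overridden; either drop the option and let gpg.conf decide, or write the URL as `hkps://keyserver.ubuntu.com`. The interactive `gpg --search-keys` is also run with whatever selector is in .recipients, so a bare email substring lists every key on the server that mentions that address, which is exactly the counterfeit-key risk the banner describes; when .recipients holds fingerprints, `gpg --recv-keys` fetches precisely those keys and the interactive pick disappears. Smaller points in the same hunk: the banner line "never use a keys whose" should read "never use a key whose"; `read` should be `read -r` and returns immediately when stdin is not a terminal, so the "Press Enter" gate is not a gate under scripted use; `xargs -d` is a GNU extension; and a blank line in .recipients becomes an empty argument to gpg after the sed strip.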