monkeysphere (0.35~pre) upstream;
* Remove reference to USE_VALIDATION_AGENT.
- * Fix ssh_proxycommand for marginal hosts.
+ * Fix ssh_proxycommand for marginal hosts (closes MS #2593)
+ * GnuPG should always behave as --fixed-list-mode (closes MS #2587)
-- Jameson Rollins <jrollins@finestructure.net> Fri, 29 Oct 2010 20:21:54 -0400
# user gpg command to define common options
gpg_user() {
- LC_ALL=C gpg --no-greeting --quiet --no-tty "$@"
+ LC_ALL=C gpg --fixed-list-mode --no-greeting --quiet --no-tty "$@"
}
# output the ssh fingerprint of a gpg key
case "$#" in
0)
- gpgSecOut=$(gpg_user --fixed-list-mode --list-secret-keys --with-colons 2>/dev/null | egrep '^sec:')
+ gpgSecOut=$(gpg_user --list-secret-keys --with-colons 2>/dev/null | egrep '^sec:')
;;
1)
- gpgSecOut=$(gpg_user --fixed-list-mode --list-secret-keys --with-colons "$1" | egrep '^sec:') || failure
+ gpgSecOut=$(gpg_user --list-secret-keys --with-colons "$1" | egrep '^sec:') || failure
;;
*)
failure "You must specify only a single primary key ID."
# check that a valid authentication key does not already exist
IFS=$'\n'
- for line in $(gpg_user --fixed-list-mode --list-keys --with-colons "$keyID") ; do
+ for line in $(gpg_user --list-keys --with-colons "$keyID") ; do
type=$(echo "$line" | cut -d: -f1)
validity=$(echo "$line" | cut -d: -f2)
usage=$(echo "$line" | cut -d: -f12)
GNUPGHOME="$GNUPGHOME_CORE"
export GNUPGHOME
- gpg --no-greeting --quiet --no-tty "$@"
+ gpg --fixed-list-mode --no-greeting --quiet --no-tty "$@"
}
# function to interact with the gpg sphere keyring
GNUPGHOME="$GNUPGHOME_SPHERE"
export GNUPGHOME
- su_monkeysphere_user "gpg --no-greeting --quiet --no-tty $@"
+ su_monkeysphere_user "gpg --fixed-list-mode --no-greeting --quiet --no-tty $@"
}
# output to stdout the core fingerprint from the gpg core secret
core_fingerprint() {
log debug "determining core key fingerprint..."
gpg_core --list-secret-key --with-colons \
- --fixed-list-mode --with-fingerprint \
+ --with-fingerprint \
| grep ^fpr: | cut -d: -f10
}
# function to interact with the gpg keyring
gpg_host() {
- GNUPGHOME="$GNUPGHOME_HOST" LC_ALL=C gpg --no-auto-check-trustdb --trust-model=always --no-greeting --quiet --no-tty "$@"
+ GNUPGHOME="$GNUPGHOME_HOST" LC_ALL=C gpg --no-auto-check-trustdb --trust-model=always --no-greeting --quiet --no-tty --fixed-list-mode "$@"
}
# list the info about the a key, in colon format, to stdout
gpg_host_list_keys() {
if [ "$1" ] ; then
- gpg_host --list-keys --with-colons --fixed-list-mode \
+ gpg_host --list-keys --with-colons \
--with-fingerprint --with-fingerprint \
"$1"
else
- gpg_host --list-keys --with-colons --fixed-list-mode \
+ gpg_host --list-keys --with-colons \
--with-fingerprint --with-fingerprint
fi
}
gpg_fetch_userid "$userID"
# output gpg info for (exact) userid and store
- gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \
+ gpgOut=$(gpg --list-key --fixed-list-mode --with-colons \
--with-fingerprint --with-fingerprint \
="$userID" 2>/dev/null) || returnCode="$?"
fi
# get the gpg info for userid
- gpgOut=$(gpg_user --list-key --fixed-list-mode --with-colon \
+ gpgOut=$(gpg_user --list-key --with-colons \
--with-fingerprint --with-fingerprint \
="$userID" 2>/dev/null)
else
# get list of secret keys
# (to work around bug https://bugs.g10code.com/gnupg/issue945):
- secretkeys=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \
+ secretkeys=$(gpg_user --list-secret-keys --with-colons \
--fingerprint | \
grep '^fpr:' | cut -f10 -d: | awk '{ print "0x" $1 "!" }')
You might want to run 'gpg --gen-key'."
fi
- authsubkeys=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \
+ authsubkeys=$(gpg_user --list-secret-keys --with-colons \
--fingerprint --fingerprint $secretkeys | \
cut -f1,5,10,12 -d: | grep -A1 '^ssb:[^:]*::[^:]*a[^:]*$' | \
grep '^fpr::' | cut -f3 -d: | sort -u)
for subkey in $authsubkeys; do
# test that the subkey has proper capability
- capability=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \
+ capability=$(gpg_user --list-secret-keys --with-colons \
--fingerprint --fingerprint "0x${subkey}!" \
| egrep -B 1 "^fpr:::::::::${subkey}:$" | grep "^ssb:" | cut -d: -f12)
if ! check_capability "$capability" 'a' ; then
# fingerprint, but filtering out all / characters to make sure
# the filename is legit.
- primaryuid=$(gpg_user --with-colons --list-key "0x${subkey}!" | grep '^pub:' | cut -f10 -d: | tr -d /)
+ # FIXME: this assumes that the first listed uid is the primary
+ # UID. does gpg guarantee that? is there some better way to
+ # get this info?
+ primaryuid=$(gpg_user --with-colons --list-key "0x${subkey}!" | grep '^uid:' | head -n1 | cut -f10 -d: | tr -d /)
#kname="[monkeysphere] $primaryuid"
kname="$primaryuid"
# sshd_config lives?
sshd_config=/etc/ssh/sshd_config
-seckey=$(gpg_core --list-secret-keys --fingerprint --with-colons --fixed-list-mode)
+seckey=$(gpg_core --list-secret-keys --fingerprint --with-colons)
keysfound=$(echo "$seckey" | grep -c ^sec:)
curdate=$(date +%s)
# warn when anything is 2 months away from expiration
# fingerprint, the trust depth, the trust level (60 == marginal, 120
# == full), and the domain regex (if any):
-gpg_sphere --fingerprint --with-colons --fixed-list-mode --check-sigs | \
+gpg_sphere --fingerprint --with-colons --check-sigs | \
cut -f 1,2,5,8,9,10 -d: | \
egrep '^(fpr:::::|uat:|uid:|sig:!:'"$authgrip"':[[:digit:]]+ [[:digit:]]+:)' | \
while IFS=: read -r type validity grip trustparams trustdomain fpr ; do
# our preferences are reasonable (i.e. 3 marginal OR 1 fully
# trusted certifications are sufficient to grant full validity.
log debug "checking trust model for authentication ..."
- local TRUST_MODEL=$(gpg_sphere "--with-colons --fixed-list-mode --list-keys" 2>/dev/null \
+ local TRUST_MODEL=$(gpg_sphere "--with-colons --list-keys" 2>/dev/null \
| head -n1 | grep "^tru:" | cut -d: -f3,6,7)
log debug "sphere trust model: $TRUST_MODEL"
if [ "$TRUST_MODEL" != '1:3:1' ] ; then
default-preference-list SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1 ZLIB BZIP2 ZIP AES256 AES192 AES CAST5 3DES
cert-digest-algo SHA256
list-options show-uid-validity,show-unusable-uids
+fixed-list-mode
EOF
# generate a key
echo "##################################################"
echo "### retrieving key timestamp..."
-timestamp=$(gpg --list-key --with-colons --fixed-list-mode | \
+timestamp=$(gpg --list-key --with-colons | \
grep ^pub: | cut -d: -f6)
echo "##################################################"
sig:!::1:$KEYID:$timestamp::::monkeymonkey:13x:
EOF
-diff -u "$TEMPDIR"/expectedout <(gpg --check-sigs --with-colons --fixed-list-mode | grep -v ^tru)
+diff -u "$TEMPDIR"/expectedout <(gpg --check-sigs --with-colons | grep -v ^tru)
echo "##################################################"
echo "### sleeping to avoid test suite breakage on fast"
EOF
-diff -u "$TEMPDIR"/expectedout <(gpg --check-sigs --with-colons --fixed-list-mode | grep -v ^tru)
+diff -u "$TEMPDIR"/expectedout <(gpg --check-sigs --with-colons | grep -v ^tru)
echo "##################################################"
EOF
echo "test: diff expected gpg list output"
-diff -u "$TEMPDIR"/expectedout <(gpg --check-sigs --with-colons --fixed-list-mode | grep -v ^tru)
+diff -u "$TEMPDIR"/expectedout <(gpg --check-sigs --with-colons | grep -v ^tru)
sort >"$TEMPDIR"/expectedout <<EOF
$KEYFPR
projects / monkeysphere.git / commitdiff