From 658b20d919d3498111efd5a6e901d3ab19d8e669 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 11 Nov 2010 17:29:27 -0500 Subject: [PATCH] universalize and consolidate on --fixed-list-mode --- Changelog | 3 ++- src/monkeysphere | 8 ++++---- src/monkeysphere-authentication | 6 +++--- src/monkeysphere-host | 6 +++--- src/share/common | 2 +- src/share/m/ssh_proxycommand | 2 +- src/share/m/subkey_to_ssh_agent | 11 +++++++---- src/share/ma/diagnostics | 2 +- src/share/ma/list_certifiers | 2 +- src/share/ma/setup | 2 +- tests/keytrans | 9 +++++---- 11 files changed, 29 insertions(+), 24 deletions(-) diff --git a/Changelog b/Changelog index 90514a0..7e0cd81 100644 --- a/Changelog +++ b/Changelog @@ -1,7 +1,8 @@ monkeysphere (0.35~pre) upstream; * Remove reference to USE_VALIDATION_AGENT. - * Fix ssh_proxycommand for marginal hosts. + * Fix ssh_proxycommand for marginal hosts (closes MS #2593) + * GnuPG should always behave as --fixed-list-mode (closes MS #2587) -- Jameson Rollins Fri, 29 Oct 2010 20:21:54 -0400 diff --git a/src/monkeysphere b/src/monkeysphere index 9d0685b..cf7752a 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -62,7 +62,7 @@ EOF # user gpg command to define common options gpg_user() { - LC_ALL=C gpg --no-greeting --quiet --no-tty "$@" + LC_ALL=C gpg --fixed-list-mode --no-greeting --quiet --no-tty "$@" } # output the ssh fingerprint of a gpg key @@ -78,10 +78,10 @@ check_gpg_sec_key_id() { case "$#" in 0) - gpgSecOut=$(gpg_user --fixed-list-mode --list-secret-keys --with-colons 2>/dev/null | egrep '^sec:') + gpgSecOut=$(gpg_user --list-secret-keys --with-colons 2>/dev/null | egrep '^sec:') ;; 1) - gpgSecOut=$(gpg_user --fixed-list-mode --list-secret-keys --with-colons "$1" | egrep '^sec:') || failure + gpgSecOut=$(gpg_user --list-secret-keys --with-colons "$1" | egrep '^sec:') || failure ;; *) failure "You must specify only a single primary key ID." @@ -119,7 +119,7 @@ check_gpg_authentication_subkey() { # check that a valid authentication key does not already exist IFS=$'\n' - for line in $(gpg_user --fixed-list-mode --list-keys --with-colons "$keyID") ; do + for line in $(gpg_user --list-keys --with-colons "$keyID") ; do type=$(echo "$line" | cut -d: -f1) validity=$(echo "$line" | cut -d: -f2) usage=$(echo "$line" | cut -d: -f12) diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication index 99b818d..46f349a 100755 --- a/src/monkeysphere-authentication +++ b/src/monkeysphere-authentication @@ -73,7 +73,7 @@ gpg_core() { GNUPGHOME="$GNUPGHOME_CORE" export GNUPGHOME - gpg --no-greeting --quiet --no-tty "$@" + gpg --fixed-list-mode --no-greeting --quiet --no-tty "$@" } # function to interact with the gpg sphere keyring @@ -81,7 +81,7 @@ gpg_sphere() { GNUPGHOME="$GNUPGHOME_SPHERE" export GNUPGHOME - su_monkeysphere_user "gpg --no-greeting --quiet --no-tty $@" + su_monkeysphere_user "gpg --fixed-list-mode --no-greeting --quiet --no-tty $@" } # output to stdout the core fingerprint from the gpg core secret @@ -89,7 +89,7 @@ gpg_sphere() { core_fingerprint() { log debug "determining core key fingerprint..." gpg_core --list-secret-key --with-colons \ - --fixed-list-mode --with-fingerprint \ + --with-fingerprint \ | grep ^fpr: | cut -d: -f10 } diff --git a/src/monkeysphere-host b/src/monkeysphere-host index ff56e98..a49823d 100755 --- a/src/monkeysphere-host +++ b/src/monkeysphere-host @@ -71,17 +71,17 @@ EOF # function to interact with the gpg keyring gpg_host() { - GNUPGHOME="$GNUPGHOME_HOST" LC_ALL=C gpg --no-auto-check-trustdb --trust-model=always --no-greeting --quiet --no-tty "$@" + GNUPGHOME="$GNUPGHOME_HOST" LC_ALL=C gpg --no-auto-check-trustdb --trust-model=always --no-greeting --quiet --no-tty --fixed-list-mode "$@" } # list the info about the a key, in colon format, to stdout gpg_host_list_keys() { if [ "$1" ] ; then - gpg_host --list-keys --with-colons --fixed-list-mode \ + gpg_host --list-keys --with-colons \ --with-fingerprint --with-fingerprint \ "$1" else - gpg_host --list-keys --with-colons --fixed-list-mode \ + gpg_host --list-keys --with-colons \ --with-fingerprint --with-fingerprint fi } diff --git a/src/share/common b/src/share/common index b9a20ef..baf4270 100644 --- a/src/share/common +++ b/src/share/common @@ -654,7 +654,7 @@ process_user_id() { gpg_fetch_userid "$userID" # output gpg info for (exact) userid and store - gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \ + gpgOut=$(gpg --list-key --fixed-list-mode --with-colons \ --with-fingerprint --with-fingerprint \ ="$userID" 2>/dev/null) || returnCode="$?" diff --git a/src/share/m/ssh_proxycommand b/src/share/m/ssh_proxycommand index 3ac70e1..8c71870 100644 --- a/src/share/m/ssh_proxycommand +++ b/src/share/m/ssh_proxycommand @@ -217,7 +217,7 @@ output_no_valid_key() { fi # get the gpg info for userid - gpgOut=$(gpg_user --list-key --fixed-list-mode --with-colon \ + gpgOut=$(gpg_user --list-key --with-colons \ --with-fingerprint --with-fingerprint \ ="$userID" 2>/dev/null) diff --git a/src/share/m/subkey_to_ssh_agent b/src/share/m/subkey_to_ssh_agent index 36eab4f..79291b1 100644 --- a/src/share/m/subkey_to_ssh_agent +++ b/src/share/m/subkey_to_ssh_agent @@ -47,7 +47,7 @@ subkey_to_ssh_agent() { else # get list of secret keys # (to work around bug https://bugs.g10code.com/gnupg/issue945): - secretkeys=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \ + secretkeys=$(gpg_user --list-secret-keys --with-colons \ --fingerprint | \ grep '^fpr:' | cut -f10 -d: | awk '{ print "0x" $1 "!" }') @@ -56,7 +56,7 @@ subkey_to_ssh_agent() { You might want to run 'gpg --gen-key'." fi - authsubkeys=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \ + authsubkeys=$(gpg_user --list-secret-keys --with-colons \ --fingerprint --fingerprint $secretkeys | \ cut -f1,5,10,12 -d: | grep -A1 '^ssb:[^:]*::[^:]*a[^:]*$' | \ grep '^fpr::' | cut -f3 -d: | sort -u) @@ -78,7 +78,7 @@ You might want to run 'monkeysphere gen-subkey'." for subkey in $authsubkeys; do # test that the subkey has proper capability - capability=$(gpg_user --list-secret-keys --with-colons --fixed-list-mode \ + capability=$(gpg_user --list-secret-keys --with-colons \ --fingerprint --fingerprint "0x${subkey}!" \ | egrep -B 1 "^fpr:::::::::${subkey}:$" | grep "^ssb:" | cut -d: -f12) if ! check_capability "$capability" 'a' ; then @@ -91,7 +91,10 @@ You might want to run 'monkeysphere gen-subkey'." # fingerprint, but filtering out all / characters to make sure # the filename is legit. - primaryuid=$(gpg_user --with-colons --list-key "0x${subkey}!" | grep '^pub:' | cut -f10 -d: | tr -d /) + # FIXME: this assumes that the first listed uid is the primary + # UID. does gpg guarantee that? is there some better way to + # get this info? + primaryuid=$(gpg_user --with-colons --list-key "0x${subkey}!" | grep '^uid:' | head -n1 | cut -f10 -d: | tr -d /) #kname="[monkeysphere] $primaryuid" kname="$primaryuid" diff --git a/src/share/ma/diagnostics b/src/share/ma/diagnostics index 8eca586..fadb70d 100644 --- a/src/share/ma/diagnostics +++ b/src/share/ma/diagnostics @@ -51,7 +51,7 @@ fi # sshd_config lives? sshd_config=/etc/ssh/sshd_config -seckey=$(gpg_core --list-secret-keys --fingerprint --with-colons --fixed-list-mode) +seckey=$(gpg_core --list-secret-keys --fingerprint --with-colons) keysfound=$(echo "$seckey" | grep -c ^sec:) curdate=$(date +%s) # warn when anything is 2 months away from expiration diff --git a/src/share/ma/list_certifiers b/src/share/ma/list_certifiers index 56d52da..0a8f4df 100644 --- a/src/share/ma/list_certifiers +++ b/src/share/ma/list_certifiers @@ -38,7 +38,7 @@ authgrip=$(core_fingerprint | cut -b 25-40) # fingerprint, the trust depth, the trust level (60 == marginal, 120 # == full), and the domain regex (if any): -gpg_sphere --fingerprint --with-colons --fixed-list-mode --check-sigs | \ +gpg_sphere --fingerprint --with-colons --check-sigs | \ cut -f 1,2,5,8,9,10 -d: | \ egrep '^(fpr:::::|uat:|uid:|sig:!:'"$authgrip"':[[:digit:]]+ [[:digit:]]+:)' | \ while IFS=: read -r type validity grip trustparams trustdomain fpr ; do diff --git a/src/share/ma/setup b/src/share/ma/setup index 5cc3aab..9a047aa 100644 --- a/src/share/ma/setup +++ b/src/share/ma/setup @@ -110,7 +110,7 @@ EOF # our preferences are reasonable (i.e. 3 marginal OR 1 fully # trusted certifications are sufficient to grant full validity. log debug "checking trust model for authentication ..." - local TRUST_MODEL=$(gpg_sphere "--with-colons --fixed-list-mode --list-keys" 2>/dev/null \ + local TRUST_MODEL=$(gpg_sphere "--with-colons --list-keys" 2>/dev/null \ | head -n1 | grep "^tru:" | cut -d: -f3,6,7) log debug "sphere trust model: $TRUST_MODEL" if [ "$TRUST_MODEL" != '1:3:1' ] ; then diff --git a/tests/keytrans b/tests/keytrans index 3aaed50..0c465c3 100755 --- a/tests/keytrans +++ b/tests/keytrans @@ -66,6 +66,7 @@ cat > "$TEMPDIR"/gpg.conf <"$TEMPDIR"/expectedout <