new pa-rekey

Author: arcxio

contrib/pa-rekey

@@ -0,0 +1,53 @@
+#!/bin/sh
+#
+# rotate keys and reencrypt passwords
+
+set -e
+
+# Complete any pending
+# recipients synchronization.
+pa l >/dev/null
+
+: "${PA_DIR:=${XDG_DATA_HOME:-$HOME/.local/share}/pa}"
+
+suffix=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom |
+    dd ibs=1 obs=1 count=10 2>/dev/null)
+
+[ "$suffix" ]
+
+tmpdir=$PA_DIR/rekey.$suffix
+
+mkdir "$tmpdir"
+
+trap 'rm -rf "$tmpdir/identities" "$tmpdir/recipients" "$tmpdir/passwords"
+rmdir "$tmpdir"' EXIT
+
+cp -p "$PA_DIR/identities" "$tmpdir/identities"
+
+# Generate recipients for current identities.
+PA_DIR=$tmpdir PA_NOGIT='' pa l >/dev/null
+
+grep -v '^#' "$tmpdir/recipients" >"$tmpdir/passwords/.recipients"
+
+# Filter out recipients corresponding to current identities.
+awk 'FNR==NR{f[$0]=1;next}f[$0]{if(r!~/^#/&&r)print r;r="";next}r{print r}{r=$0}
+END{if(r)print r}' "$tmpdir/passwords/.recipients" "$PA_DIR/recipients" \
+    >"$tmpdir/recipients"
+
+rm -f "$tmpdir/identities"
+
+# Generate a brand new key pair.
+PA_DIR=$tmpdir PA_NOGIT='' pa l >/dev/null
+
+# Ensure that recipients for identites to be retired were removed.
+grep -v '^#' "$PA_DIR/recipients" | grep -Fxvf "$tmpdir/recipients" - >/dev/null
+
+# Recipients are now ready to use.
+mv "$tmpdir/recipients" "$PA_DIR/recipients"
+
+# Reencrypt all passwords
+# for new recipients.
+printf n | pa l >/dev/null 2>&1
+
+# New identity is now ready to use.
+mv "$tmpdir/identities" "$PA_DIR/identities"

pa

@@ -91,12 +91,12 @@ pw_list() {
     find . -type f -name \*.age | sed 's/..//;s/\.age$//' | sort
 }
 
-change_keys() {
+change_recipients() {
     cmp -s "$recipients_file" "$recipients_sync" && return
 
     # Compare recipients files to show new remotely added recipients.
-    grep -Fxvf "$recipients_file" "$recipients_sync" 2>/dev/null &&
-        if yn "add these new recipients?"; then
+    grep -Fxvf "$recipients_file" "$recipients_sync" >&2 2>/dev/null &&
+        if yn "do you trust these recipients?"; then
             tmp=$(mkstemp) ||
                 die "couldn't create a shared memory filename"
 
@@ -108,7 +108,7 @@ change_keys() {
 
             rm -f "$tmp"
         else
-            # Purge git repository to prevent leaks for unwanted recipients.
+            # Purge git repository to prevent leaks for untrusted recipients.
             [ -d .git ] && find .git ! -name config -type f -exec rm -f {} +
         fi
 
@@ -128,7 +128,7 @@ change_keys() {
     cp "$recipients_file" "$recipients_sync"
 
     if $git_enabled && [ -d .git ]; then
-        git init -q && git_add_and_commit . "change keys"
+        git init -q && git_add_and_commit . "change recipients"
     fi
 }
 
@@ -146,7 +146,7 @@ mkstemp() {
     # have non-standard methods of setup/access.
     [ -w /dev/shm ] || tmpdir=/tmp
 
-    printf '%s/pa.%s' $tmpdir "$(rand_chars 10 'A-Za-z0-9')"
+    printf "$tmpdir/pa.%s" "$(rand_chars 10 'A-Za-z0-9')"
 }
 
 rand_chars() {
@@ -165,7 +165,7 @@ rand_chars() {
 }
 
 yn() {
-    printf '%s [y/N]: ' "$1"
+    printf '%s [y/N]: ' "$1" >&2
 
     # Enable raw input to allow for a single byte to be read from
     # stdin without needing to wait for the user to press Return.
@@ -179,7 +179,7 @@ yn() {
     # have found it.
     [ -t 0 ] && stty echo icanon
 
-    printf '%s\n' "$answer"
+    printf '%s\n' "$answer" >&2
 
     # Handle the answer here directly, enabling this function's
     # return status to be used in place of checking for '[yY]'
@@ -188,7 +188,7 @@ yn() {
 }
 
 sread() {
-    printf '%s: ' "$2"
+    printf '%s: ' "$2" >&2
 
     # Disable terminal printing while the user inputs their
     # password. POSIX 'read' has no '-s' flag which would
@@ -197,7 +197,7 @@ sread() {
     read -r "$1"
     [ -t 0 ] && stty echo
 
-    printf '\n'
+    printf '\n' >&2
 }
 
 glob() {
@@ -269,10 +269,10 @@ main() {
         [ -s "$identities_file" ] ||
             if command -v age-plugin-yubikey >/dev/null &&
                 yn "generate yubikey identity?"; then
-                age-plugin-yubikey -g --pin-policy never --touch-policy always \
-                    --name "pa identity" >"$identities_file"
+                age-plugin-yubikey --generate --name "pa identity" \
+                    --pin-policy never --touch-policy always >"$identities_file"
             else
-                $age_keygen -o "$identities_file" 2>/dev/null
+                $age_keygen >"$identities_file" 2>/dev/null
             fi ||
             die "couldn't generate an identity"
 
@@ -286,9 +286,10 @@ main() {
         fi ||
             die "couldn't generate recipients"
 
-        : "${PA_EMAIL:=$(id -u -n)@$(uname -n)}"
+        : "${PA_EMAIL:=${EMAIL:-$(id -un)@$(uname -n)}}"
 
-        printf '# %s\n%s\n' "$PA_EMAIL" "$new_recipients" >>"$recipients_file"
+        printf '# %s %s\n%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$PA_EMAIL" \
+            "$new_recipients" >>"$recipients_file"
     }
 
     git_enabled=false
@@ -297,7 +298,7 @@ main() {
     $git_enabled && [ ! -d .git ] && {
         # Make sure recipients synchronization
         # file is included in the initial commit.
-        change_keys
+        change_recipients
 
         git init -q
 
@@ -306,7 +307,7 @@ main() {
         # Put something in user config if it's not set globally,
         # because git doesn't allow to commit without it.
         git config user.email >/dev/null ||
-            git config user.email "${PA_EMAIL:-$(id -u -n)@$(uname -n)}"
+            git config user.email "${PA_EMAIL:-${EMAIL:-$(id -un)@$(uname -n)}}"
 
         # Configure diff driver for age encrypted files that treats them as
         # binary and decrypts them when a human-readable diff is requested.
@@ -326,11 +327,11 @@ main() {
     shift
 
     glob "$command" 'g*' && {
-        git "$@" && change_keys
+        git "$@" && change_recipients
         exit $?
     }
 
-    change_keys
+    change_recipients
 
     # Combine the rest of positional arguments into
     # a name and remove control characters from it

test

@@ -92,13 +92,13 @@ test "$(./pa show test)" = "secret" ||
 cmp -s "$PA_DIR/recipients" "$PA_DIR/passwords/.recipients" ||
     fail "both recipients files should be equal"
 
-git -C "$PA_DIR/passwords" log | grep -q "change keys" ||
-    fail "git log should have line: change keys"
+git -C "$PA_DIR/passwords" log | grep -q "change recipients" ||
+    fail "git log should have line: change recipients"
 
 # incoming recipients sync
 ex -sc '1,$-1d|x' "$PA_DIR/recipients"
 
-printf y | ./pa list 2>&1 | grep -q "add these new recipients?" ||
+printf y | ./pa list 2>&1 | grep -q "do you trust these recipients?" ||
     fail "pa should ask to add incoming recipients"
 
 cmp -s "$PA_DIR/recipients" "$PA_DIR/passwords/.recipients" ||
@@ -109,7 +109,7 @@ test "$(grep -c ^age1 "$PA_DIR/recipients")" = 2 ||
 
 ex -sc '1,$-1d|x' "$PA_DIR/recipients"
 
-printf n | ./pa list 2>&1 | grep -q "add these new recipients?" ||
+printf n | ./pa list 2>&1 | grep -q "do you trust these recipients?" ||
     fail "pa should ask to add incoming recipients"
 
 cmp -s "$PA_DIR/recipients" "$PA_DIR/passwords/.recipients" ||
@@ -118,8 +118,8 @@ cmp -s "$PA_DIR/recipients" "$PA_DIR/passwords/.recipients" ||
 test "$(grep -c ^age1 "$PA_DIR/recipients")" = 1 ||
     fail "a recipients file should contain 1 recipient"
 
-test "$(git -C "$PA_DIR/passwords" log --format=%s)" = "change keys" ||
-    fail "git repository should have a single commit titled change keys"
+test "$(git -C "$PA_DIR/passwords" log --format=%s)" = "change recipients" ||
+    fail "git repository should have a single commit titled change recipients"
 
 # print info & exit w/ correct status
 printf "\ntotal failures: %d\n" "$failures"