# Authors: Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
# Jameson Rollins <jrollins@fifthhorseman.net>
-
-cleanup() {
- echo -n "removing temp gpg home... " 1>&2
- rm -rf "$TMPPRIVATE"
- echo "done." 1>&2
-}
-
explanation() {
- echo -n "The basic strategy of seckey2sshagent is to dump your
-OpenPGP authentication key(s) into your agent.
+ cat <<EOF
+Usage: $0 [GPGID [FILE]]
+
+The basic strategy of seckey2sshagent is to dump your OpenPGP
+authentication key(s) into your agent or a file. With no arguments,
+it will add all secret keys in your keyring to the agent. With one
+argument, it adds only the specified key to the agent. With two
+arguments, it dumps the specified key to FILE, with the pub key in
+FILE.pub.
This script is a gross hack at the moment. It is done by creating a
new, temporary private keyring, letting the user remove the
ssh-add -l
-"
+EOF
+}
+
+cleanup() {
+ echo -n "removing temp gpg home... " 1>&2
+ rm -rf "$TMPPRIVATE"
+ echo "done." 1>&2
+}
+
+export_sec_key() {
+ gpg --export-secret-key "$GPGID" | GNUPGHOME="$TMPPRIVATE" gpg --import
+ GNUPGHOME="$TMPPRIVATE" gpg --edit-key "$GPGID"
+
+ # idea to script the password stuff. not working.
+ # read -s -p "enter gpg password: " PASSWD; echo
+ # cmd=$(cat <<EOF
+ # passwd
+ # $PASSWD
+ # \n
+ # \n
+ # \n
+ # yes
+ # save
+ # EOF
+ # )
+ # echo -e "$cmd" | GNUPGHOME="$TMPPRIVATE" gpg --command-fd 0 --edit-key $GPGID
+
+ # export secret key to file
+ GNUPGHOME="$TMPPRIVATE" gpg --export-secret-keys "$GPGID" | \
+ openpgp2ssh "$GPGID"
}
# if no hex string is supplied, just print an explanation.
exit
fi
-trap cleanup EXIT
+# set the file creation umask
+umask 077
GPGIDS="$1"
+if [ "$2" -a ! -e "$2" ] ; then
+ FILE="$2"
+fi
if [ -z "$GPGIDS" ]; then
# hack: we need to get the list of secret keys, because if you
# --list-secret-keys with no arguments, GPG fails to print the
# capability flags (i've just filed this as
# https://bugs.g10code.com/gnupg/issue945)
- KEYIDS=$(gpg2 --with-colons --list-secret-keys | grep ^sec | cut -f5 -d:)
+ KEYIDS=$(gpg --with-colons --list-secret-keys | grep ^sec | cut -f5 -d:)
# default to using all fingerprints of authentication-enabled keys
- GPGIDS=$(gpg --with-colons --fingerprint --fingerprint --list-secret-keys $KEYIDS | egrep -A1 '^(ssb|sec):.*:[^:]*a[^:]*:$' | grep ^fpr: | cut -d: -f10)
+ GPGIDS=$(gpg --with-colons --fingerprint --fingerprint --list-secret-keys $KEYIDS | egrep -A1 '^(ssb|sec):.*:[^:]*a[^:]*:$' | grep ^fpr: | cut -d: -f10)
fi
+trap cleanup EXIT
+
for GPGID in $GPGIDS; do
TMPPRIVATE=$(mktemp -d)
- gpg --export-secret-key "$GPGID" | GNUPGHOME="$TMPPRIVATE" gpg --import
-
-# idea to script the password stuff. not working.
-# read -s -p "enter gpg password: " PASSWD; echo
-# cmd=$(cat <<EOF
-# passwd
-# $PASSWD
-# \n
-# \n
-# \n
-# yes
-# save
-# EOF
-# )
-# echo -e "$cmd" | GNUPGHOME="$TMPPRIVATE" gpg --command-fd 0 --edit-key $GPGID
-
- GNUPGHOME="$TMPPRIVATE" gpg --edit-key "$GPGID"
-
- KEYNAME='MonkeySphere Key '$(echo "$GPGID" | tr -c -d '0-9a-fA-F')''
-# creating this alias so the key is named "monkeysphere-key" in the
-# comment stored by the agent, while never being written to disk in
-# SSH form:
- ln -s /dev/stdin "$TMPPRIVATE/$KEYNAME"
-
- GNUPGHOME="$TMPPRIVATE" gpg --export-secret-keys "$GPGID" | \
- openpgp2ssh $GPGID | (cd "$TMPPRIVATE" && ssh-add -c "$KEYNAME")
+ # if specified, write key to fail and passprotect
+ if [ "$FILE" ] ; then
+ # export secret key to file
+ export_sec_key > "$TMPPRIVATE/key"
+ # passprotect file
+ ssh-keygen -f "${TMPPRIVATE}/key" -p
+ # move into place
+ mv "${TMPPRIVATE}/key" "$FILE"
+
+ # export public key
+ gpg --export "$GPGID" | openpgp2ssh "$GPGID" > "${FILE}.pub"
+
+ # otherwise add to agent
+ else
+ KEYNAME='MonkeySphere Key '$(echo "$GPGID" | tr -c -d '0-9a-fA-F')''
+
+ # creating this alias so the key is named "monkeysphere-key" in the
+ # comment stored by the agent, while never being written to disk in
+ # SSH form:
+ ln -s /dev/stdin "${TMPPRIVATE}/${KEYNAME}"
+
+ # export secret key to agent
+ export_sec_key | (cd "$TMPPRIVATE" && ssh-add -c "$KEYNAME")
+ fi
- cleanup
done
-
-