GNUPGHOME="$GNUPGHOME_CORE"
export GNUPGHOME
- gpg "$@"
+ gpg --no-greeting --quiet --no-tty "$@"
}
# function to interact with the gpg sphere keyring
GNUPGHOME="$GNUPGHOME_SPHERE"
export GNUPGHOME
- su_monkeysphere_user "gpg $@"
+ su_monkeysphere_user "gpg --no-greeting --quiet --no-tty $@"
}
# output to stdout the core fingerprint from the gpg core secret
# keyring
core_fingerprint() {
log debug "determining core key fingerprint..."
- gpg_core --quiet --list-secret-key \
- --with-colons --fixed-list-mode --with-fingerprint \
+ gpg_core --list-secret-key --with-colons \
+ --fixed-list-mode --with-fingerprint \
| grep ^fpr: | cut -d: -f10
}
gpg_core_sphere_sig_transfer() {
log debug "exporting core local sigs to sphere..."
gpg_core --export-options export-local-sigs --export | \
- gpg_sphere "--import-options import-local-sigs --import" \
- 2>&1 | log debug
+ gpg_sphere "--import-options import-local-sigs --import"
}
########################################################################
# datadir for host functions
MHDATADIR="${SYSDATADIR}/host"
-# temp directory for temp gnupghome directories for add_revoker
-MHTMPDIR="${MHDATADIR}/tmp"
-export MHTMPDIR
-
# host pub key files
HOST_KEY_FILE="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
# function to interact with the gpg keyring
gpg_host() {
- GNUPGHOME="$GNUPGHOME_HOST" gpg "$@"
+ GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --no-tty "$@"
}
# command to list the info about the host key, in colon format, to
# FIXME: should we supress all the edit script spew? or pipe it
# through log debug?
gpg_host_edit() {
- gpg_host --quiet --command-fd 0 --no-tty --edit-key \
- "0x${HOST_FINGERPRINT}!" "$@" 2>&1 | log debug
+ gpg_host --command-fd 0 --edit-key "0x${HOST_FINGERPRINT}!" "$@"
}
# export the host public key to the monkeysphere gpg pub key file
# gpg host secret key
load_fingerprint_secret() {
HOST_FINGERPRINT=$( \
- gpg_host --quiet --list-secret-key \
- --with-colons --with-fingerprint \
+ gpg_host --list-secret-key --with-colons --with-fingerprint \
| grep '^fpr:' | cut -d: -f10 )
}
check_host_no_key() {
[ -s "$HOST_KEY_FILE" ] \
|| failure "You don't appear to have a Monkeysphere host key on this server.
-Please run 'monkeysphere-host import-key' first."
+Please run 'monkeysphere-host import-key...' first."
}
# output the index of a user ID on the host key
local GNUPGHOME
# tmp gpghome dir
- export GNUPGHOME=$(mktemp -d)
+ export GNUPGHOME=$(msmktempdir)
# trap to remove tmp dir if break
trap "rm -rf $GNUPGHOME" EXIT
head --line="$1" "$2" | tail -1
}
+# make a temporary directly
+msmktempdir() {
+ mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX
+}
+
# this is a wrapper for doing lock functions.
#
# it lets us depend on either lockfile-progs (preferred) or procmail's
)
log verbose "generating subkey..."
- fifoDir=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
+ fifoDir=$(msmktempdir)
(umask 077 && mkfifo "$fifoDir/pass")
echo "$editCommands" | gpg --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --edit-key "$keyID" &
done
log verbose "importing ssh key..."
- fifoDir=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
+ fifoDir=$(msmktempdir)
(umask 077 && mkfifo "$fifoDir/pass")
ssh2openpgp | gpg --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --import &
You might want to 'monkeysphere gen-subkey'"
fi
- workingdir=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
+ workingdir=$(msmktempdir)
umask 077
mkfifo "$workingdir/passphrase"
keysuccess=1
# core ltsigns the newly imported certifier key
log debug "executing core ltsign script..."
if echo "$ltsignCommand" | \
- gpg_core --quiet --command-fd 0 --no-tty --edit-key "0x${fingerprint}!" \
- 2>&1 | log debug ; then
+ gpg_core --command-fd 0 --edit-key "0x${fingerprint}!" ; then
# transfer the new sigs back to the sphere keyring
gpg_core_sphere_sig_transfer
# update the sphere trustdb
log debug "updating sphere trustdb..."
- gpg_sphere "--check-trustdb" 2>&1 | log debug
+ gpg_sphere "--check-trustdb"
log info "Identity certifier added."
else
fi
# delete the requested key from the sphere keyring
-# FIXME: should this be a revokation instead of a removal?
if gpg_sphere "--delete-key --batch --yes 0x${keyID}!" ; then
# delete key from core keyring as well
gpg_core --delete-key --batch --yes "0x${keyID}!"
# update the trustdb for the authentication keyring
gpg_sphere "--check-trustdb"
- log info ""
log info "Identity certifier removed."
else
failure "Problem removing identity certifier."
log debug "generating monkeysphere authentication trust core key ($CORE_KEYLENGTH bits)..."
PEM2OPENPGP_USAGE_FLAGS=certify \
PEM2OPENPGP_NEWKEY=$CORE_KEYLENGTH pem2openpgp "$CORE_UID" \
- | gpg_core --import 2>&1 | log debug \
+ | gpg_core --import \
|| failure "Could not import new key for Monkeysphere authentication trust core"
# get fingerprint of core key. should definitely not be empty at this point
# export the core key to the sphere keyring
log debug "exporting core pub key to sphere keyring..."
- gpg_core --quiet --export | gpg_sphere "--quiet --import"
+ gpg_core --export | gpg_sphere "--import"
# ensure that the authentication sphere checker has absolute ownertrust on the expected key.
log debug "setting ultimate owner trust on core key in gpg_sphere..."
- printf "%s:6:\n" "$CORE_FPR" | gpg_sphere "--quiet --import-ownertrust"
- gpg_sphere "--export-ownertrust" 2>&1 | log debug
+ printf "%s:6:\n" "$CORE_FPR" | gpg_sphere "--import-ownertrust"
+ gpg_sphere "--export-ownertrust"
# check the owner trust
log debug "checking gpg_sphere owner trust set properly..."
local ORIG_TRUST
- if ORIG_TRUST=$(gpg_sphere "--quiet --export-ownertrust" | grep '^[^#]') ; then
+ if ORIG_TRUST=$(gpg_sphere "--export-ownertrust" | grep '^[^#]') ; then
if [ "${CORE_FPR}:6:" != "$ORIG_TRUST" ] ; then
failure "Monkeysphere authentication trust sphere should explicitly trust the core. It does not have proper ownertrust settings."
fi
# our preferences are reasonable (i.e. 3 marginal OR 1 fully
# trusted certifications are sufficient to grant full validity.
log debug "checking trust model for authentication ..."
- local TRUST_MODEL=$(gpg_sphere "--quiet --with-colons --fixed-list-mode --list-keys" \
+ local TRUST_MODEL=$(gpg_sphere "--with-colons --fixed-list-mode --list-keys" \
| head -n1 | grep "^tru:" | cut -d: -f3,6,7)
log debug "sphere trust model: $TRUST_MODEL"
if [ "$TRUST_MODEL" != '1:3:1' ] ; then
fi
else
# create a temporary directory for storing the downloaded key
- TMPLOC=$(mktemp -d "${MHTMPDIR}"/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
+ TMPLOC=$(msmktempdir) || failure "Could not create temporary directory!"
# download the key from the keyserver as the monkeysphere user
su_monkeysphere_user \
- "GNUPGHOME=$TMPLOC gpg --keyserver $KEYSERVER --recv-key 0x${keyID}!"
+ "GNUPGHOME=$TMPLOC gpg --quiet --keyserver $KEYSERVER --recv-key 0x${keyID}!"
# export the new key to the host keyring
- su_monkeysphere_user "GNUPGHOME=$TMPLOC gpg --export 0x${keyID}!" \
+ su_monkeysphere_user "GNUPGHOME=$TMPLOC gpg --quiet --export 0x${keyID}!" \
| gpg_host --import
fi
# create host home
mkdir -p "${MHDATADIR}"
-mkdir -p "${MHTMPDIR}"
mkdir -p "${GNUPGHOME_HOST}"
chmod 700 "${GNUPGHOME_HOST}"
log verbose "importing ssh key..."
# translate ssh key to a private key
PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" \
- | gpg_host --import 2>&1 | log debug
+ | gpg_host --import
# load the new host fpr into the fpr variable. this is so we can
# create the gpg pub key file. we have to do this from the secret key
fi
# create a temporary gnupg directory from which to publish the key
-export GNUPGHOME=$(mktemp -d)
+export GNUPGHOME=$(msmktempdir)
# trap to remove tmp dir if break
trap "rm -rf $GNUPGHOME" EXIT
projects / monkeysphere.git / commitdiff