authorAaron Jones <aaronmdjones@gmail.com>2019-06-16 14:20:10 +0000
committerJason A. Donenfeld <Jason@zx2c4.com>2019-06-16 21:59:52 +0200
commit5a52772156b44ef9785e91ab78ab2e1c3b1e510e (patch)
tree975a7af2c51eae883218f02fe2b28504b4fc632f
parentee9faa9df54555337738dfd88b355e23fbef6a30 (diff)
Exclude invalid, disabled and revoked subkeys from subkey selection
When rotating encryption subkeys, and revoking the old one, `pass init keyid` would re-encrypt your stored credentials to the (now revoked) old subkey(s) in addition to the new one too. It would also mistakenly encrypt to keys that have been disabled, and keys that were never validly signed by their master (certify) key. Fix all of these cases. It was decided NOT to also exclude expired subkeys. Signed-off-by: Aaron Jones <aaronmdjones@gmail.com>
-rwxr-xr-xsrc/password-store.sh2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/password-store.sh b/src/password-store.sh
index 284eabf..b99460c 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -124,7 +124,7 @@ reencrypt_path() {
IFS=";" eval 'GPG_RECIPIENTS+=( $group )' # http://unix.stackexchange.com/a/92190
unset "GPG_RECIPIENTS[$index]"
done
- gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/^sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)"
+ gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/^sub:[^idr:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)"
fi
current_keys="$(LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$passfile" 2>&1 | sed -n 's/^gpg: public key is \([A-F0-9]\+\)$/\1/p' | LC_ALL=C sort -u)"
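Review bot: The new validity filter `[^idr:]*` in the `sed` expression is undocumented: nothing on the line says that field 2 of a `sub:` record is the validity code, or that expired (`e`) subkeys are kept on purpose, as the commit message states. A comment above the assignment would record this, for example `# field 2 = validity: skip i (invalid), d (disabled), r (revoked); expired (e) subkeys are kept deliberately`. GnuPG's DETAILS file marks `d` in field 2 as deprecated in favour of a `D` in field 12, so the disabled case may depend on the gpg version and is worth checking against a disabled test key. If awk is acceptable here, a near-equivalent and more readable form is `awk -F: '$1 == "sub" && $2 !~ /[idr]/ && $12 ~ /e/ { print $5 }'`. The body of reencrypt_path begins and ends outside this hunk.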