diff options
author | Aaron Jones <aaronmdjones@gmail.com> | 2019-06-16 14:20:10 +0000 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-06-16 21:59:52 +0200 |
commit | 5a52772156b44ef9785e91ab78ab2e1c3b1e510e (patch) | |
tree | 975a7af2c51eae883218f02fe2b28504b4fc632f | |
parent | ee9faa9df54555337738dfd88b355e23fbef6a30 (diff) |
Exclude invalid, disabled and revoked subkeys from subkey selection
When rotating encryption subkeys, and revoking the old one,
`pass init keyid` would re-encrypt your stored credentials to the
(now revoked) old subkey(s) in addition to the new one too.
It would also mistakenly encrypt to keys that have been disabled,
and keys that were never validly signed by their master (certify) key.
Fix all of these cases. It was decided NOT to also exclude expired
subkeys.
Signed-off-by: Aaron Jones <aaronmdjones@gmail.com>
-rwxr-xr-x | src/password-store.sh | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/password-store.sh b/src/password-store.sh index 284eabf..b99460c 100755 --- a/src/password-store.sh +++ b/src/password-store.sh @@ -124,7 +124,7 @@ reencrypt_path() { IFS=";" eval 'GPG_RECIPIENTS+=( $group )' # http://unix.stackexchange.com/a/92190 unset "GPG_RECIPIENTS[$index]" done - gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/^sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)" + gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/^sub:[^idr:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)" fi current_keys="$(LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$passfile" 2>&1 | sed -n 's/^gpg: public key is \([A-F0-9]\+\)$/\1/p' | LC_ALL=C sort -u)" |