[Pgp-tools-commit] r833 - in trunk: caff debian
Guilhem Moulin
guilhem-guest at moszumanska.debian.org
Wed Feb 17 21:42:18 UTC 2016
Author: guilhem-guest
Date: 2016-02-17 21:42:18 +0000 (Wed, 17 Feb 2016)
New Revision: 833
Modified:
trunk/caff/caff
trunk/debian/changelog
trunk/debian/copyright
Log:
caff: generate ~/.caff/gnupghome/gpg.conf from ~/.gnup/gpg.conf .
(When it doesn't exist. And only consider options that are known to be
safe and useful for caff, such as the certification options.)
Modified: trunk/caff/caff
===================================================================
--- trunk/caff/caff 2016-02-17 21:42:13 UTC (rev 832)
+++ trunk/caff/caff 2016-02-17 21:42:18 UTC (rev 833)
@@ -5,7 +5,7 @@
#
# Copyright (c) 2004, 2005, 2006 Peter Palfrader <peter at palfrader.org>
# Copyright (c) 2005, 2006 Christoph Berg <cb at df7cb.de>
-# Copyright (c) 2014, 2015 Guilhem Moulin <guilhem at guilhem.org>
+# Copyright (c) 2014-2016 Guilhem Moulin <guilhem at guilhem.org>
#
# All rights reserved.
#
@@ -138,7 +138,7 @@
=item $HOME/.caff/gnupghome/ - caff's working directory for gpg
-=item $HOME/.caff/gnupghome/gpg.conf - gpg configuration
+=item $HOME/.caff/gnupghome/gpg.conf - gpg configuration (see B<NOTES> below)
useful options include use-agent, keyserver, keyserver-options, default-cert-level, etc.
@@ -377,6 +377,22 @@
=back
+=head1 NOTES
+
+As noted above caff uses its own GnuPGHOME and GnuPG configuration file.
+In fact it only needs its own keyring for the signing work, but it would
+be unsafe to reuse the same GnuPG configuration file because the user
+could have set an option in $HOME/.gnupg/gpg.conf which would break caff.
+
+Therefore the GnuPG options that are intented to be used with caff, such
+as C<keyserver> or C<cert-digest-algo>, need to be placed in
+$HOME/.caff/gnupghome/gpg.conf instead. If this file does not exist, a
+temporary file is automatically generated with the GnuPG options found
+in $HOME/.gnupg/gpg.conf that are known to be safe (and useful) for
+caff, such as all certification options.
+
+=back
+
=head1 AUTHORS
=over
@@ -625,6 +641,9 @@
return $template;
};
+my $GPGCONF;
+END { unlink $GPGCONF if defined $GPGCONF; }
+
sub load_config() {
my $config = $ENV{'HOME'} . '/.caffrc';
unless (-f $config) {
@@ -690,7 +709,55 @@
info => '',
success => 'green',
fail => 'yellow'
- };
+ };
+
+ # Import some options from ~/.gnupghome/gpg.conf. We don't symlink
+ # the whole file because the user could have set an option in
+ # ~/.gnupg/gpg.conf which would break caff.
+ my $gpgconf = ($ENV{'GNUPGHOME'} // "$ENV{'HOME'}/.gnupg") . '/gpg.conf';
+ if ( ! -f "$GNUPGHOME/gpg.conf" and open my $fh, '>', "$GNUPGHOME/gpg.conf" and
+ -f $gpgconf and open my $fh2, '<', $gpgconf) {
+
+ $GPGCONF = "$GNUPGHOME/gpg.conf";
+ notice("Create caff's GnuPG configuration file $GPGCONF from $gpgconf");
+
+ # the list of options to import from ~/.gnupg/gpg.conf; only
+ # safe (and useful) options for caff should be listed here
+ my @gnupgopts = (
+ 'photo-viewer',
+ 'exec-path',
+ 'pcsc-driver', 'disable-ccid', 'reader-port',
+ 'display-charset',
+ 'ask-cert-level', 'no-ask-cert-level', 'default-cert-level',
+ 'keyserver', 'keyserver-options',
+ 'use-agent', 'no-use-agent', 'gpg-agent-info',
+ 'limit-card-insert-tries',
+ 'no-random-seed-file',
+ 'no-greeting',
+ 'no-secmem-warning', 'require-secmem', 'no-require-secmem',
+ 'no-mdc-warning',
+ 'require-cross-certification', 'no-require-cross-certification',
+ 'expert', 'no-expert',
+ # OpenPGP protocol specific options
+ 'force-mdc', 'disable-mdc',
+ 'personal-cipher-preferences',
+ 'gnupg', 'openpgp', 'rfc4880', 'rfc2440', 'pgp6', 'pgp7', 'pgp8',
+ # Doing things one usually doesn't want to do
+ 'comment', 'no-comments',
+ 'emit-version', 'no-emit-version',
+ 'cert-notation', 'set-notation',
+ 'cert-policy-url', 'set-policy-url',
+ 'cipher-algo', 'cert-digest-algo',
+ 'pinentry-mode',
+ 'allow-weak-digest-algos', 'weak-digest',
+ 'ask-cert-expire', 'no-ask-cert-expire', 'default-cert-expire'
+ );
+
+ while (<$fh2>) {
+ print $fh $_ if /\A\s*([0-9a-zA-Z\-]+)(?:\s.*)?\n\z/ and grep { $_ eq $1 } @gnupgopts;
+ }
+ close $_ for ($fh, $fh2);
+ }
};
# Create a new GnuPG::Interface object with common options
Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog 2016-02-17 21:42:13 UTC (rev 832)
+++ trunk/debian/changelog 2016-02-17 21:42:18 UTC (rev 833)
@@ -11,6 +11,13 @@
default) instead. GnuPG 2.1 delegates network access to another
process (dirmngr), hence for 2.1 the keyserver should be set in
~/.gnupg/dirmngr.conf instead.
+ + When caff's own GnuPG configuration file (~/.caff/gnupghome/gpg.conf)
+ does not exist, automatically generate it with the GnuPG options found
+ in ~/.gnup/gpg.conf that are known to be safe (and useful) for caff.
+ This includes "keyserver", "keyserver-options", "ask-cert-level" and
+ "cert-digest-algo" (among many others). Hence in the absence of its own
+ GnuPG configuration file caff now uses the certification options from
+ the user's GnuPG configuration file.
* gpgsigs, gpg-key2latex:
+ Use "Noto Mono" as default font when compiling with XeLaTeX or LuaLaTeX;
and "Noto Sans Mono CJK" as CJK font when compiling with XeLaTeX.
Modified: trunk/debian/copyright
===================================================================
--- trunk/debian/copyright 2016-02-17 21:42:13 UTC (rev 832)
+++ trunk/debian/copyright 2016-02-17 21:42:18 UTC (rev 833)
@@ -12,7 +12,7 @@
Files: caff/*
Copyright: © 2004-2006 Peter Palfrader <peter at palfrader.org>
© 2005-2006 Christoph Berg <cb at df7cb.de>
- © 2014-2015 Guilhem Moulin <guilhem at guilhem.org>
+ © 2014-2016 Guilhem Moulin <guilhem at guilhem.org>
License: BSD-3-clause
Files: gpgdir/*
More information about the Pgp-tools-commit
mailing list