[Pgp-tools-commit] r860 - in trunk: caff debian
Guilhem Moulin
guilhem-guest at moszumanska.debian.org
Mon Jul 11 22:36:04 UTC 2016
Author: guilhem-guest
Date: 2016-07-11 22:36:04 +0000 (Mon, 11 Jul 2016)
New Revision: 860
Modified:
trunk/caff/caff
trunk/debian/changelog
Log:
Pass safe options from ~/.gnupg/gpg.conf to gpg(1) as command-line options, but only when ~/.caff/gnupghome/gpg.conf does not exist.
Modified: trunk/caff/caff
===================================================================
--- trunk/caff/caff 2016-07-11 22:36:00 UTC (rev 859)
+++ trunk/caff/caff 2016-07-11 22:36:04 UTC (rev 860)
@@ -386,10 +386,10 @@
Therefore the GnuPG options that are intented to be used with caff, such
as C<keyserver> or C<cert-digest-algo>, need to be placed in
-$HOME/.caff/gnupghome/gpg.conf instead. If this file does not exist, a
-temporary file is automatically generated with the GnuPG options found
-in $HOME/.gnupg/gpg.conf that are known to be safe (and useful) for
-caff, such as all certification options.
+$HOME/.caff/gnupghome/gpg.conf instead. If this file does not exist,
+the GnuPG options found in $HOME/.gnupg/gpg.conf that are known to be
+safe (and useful) for caff, are passed to gpg(1) as command-line
+options.
=head1 AUTHORS
@@ -502,7 +502,7 @@
my $GNUPG_VERSION;
sub GnuPG_version($) {
unless (defined $GNUPG_VERSION) { # cache the version
- $GNUPG_VERSION = `$CONFIG{gpg} --with-colons --list-config version` or exit 1;
+ $GNUPG_VERSION = `$CONFIG{gpg} --no-options --with-colons --list-config version` or exit 1;
chomp $GNUPG_VERSION;
$GNUPG_VERSION =~ s/^cfg:version:// or die;
debug "gpg (GnuPG) $GNUPG_VERSION";
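Review bot: The changed backtick line still hands `$CONFIG{gpg}` to the shell, so a gpg path containing whitespace or shell metacharacters is word-split instead of being executed as given, and the `or exit 1` leaves no diagnostic when the probe fails. A list-form pipe open keeps the added `--no-options` and bypasses the shell: `open my $ph, '-|', $CONFIG{gpg}, qw/--no-options --with-colons --list-config version/ or die "cannot run $CONFIG{gpg}: $!";` followed by `$GNUPG_VERSION = <$ph> // exit 1; close $ph;`. Since the value comes from the user's own .caffrc this is a robustness point rather than a trust-boundary one. The rest of GnuPG_version lies outside the hunk.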
@@ -663,9 +663,7 @@
return $template;
};
-my $GPGCONF;
-END { unlink $GPGCONF if defined $GPGCONF; }
-
+my @GNUPGOPTS;
sub load_config() {
my $config = $ENV{'HOME'} . '/.caffrc';
unless (-f $config) {
@@ -736,48 +734,64 @@
# the whole file because the user could have set an option in
# ~/.gnupg/gpg.conf which would break caff.
my $gpgconf = ($ENV{'GNUPGHOME'} // "$ENV{'HOME'}/.gnupg") . '/gpg.conf';
- if ( ! -f "$GNUPGHOME/gpg.conf" and open my $fh, '>', "$GNUPGHOME/gpg.conf" and
- -f $gpgconf and open my $fh2, '<', $gpgconf) {
-
- $GPGCONF = "$GNUPGHOME/gpg.conf";
- notice("Create temporary caff GnuPG configuration file $GPGCONF from $gpgconf");
-
+ if ( ! -f "$GNUPGHOME/gpg.conf" and -f $gpgconf and open my $fh, '<', $gpgconf) {
# the list of options to import from ~/.gnupg/gpg.conf; only
# safe (and useful) options for caff should be listed here
- my @gnupgopts = (
- 'photo-viewer',
- 'exec-path',
- 'pcsc-driver', 'disable-ccid', 'reader-port',
- 'display-charset',
- 'ask-cert-level', 'no-ask-cert-level', 'default-cert-level',
- 'keyserver', 'keyserver-options',
- 'use-agent', 'no-use-agent', 'gpg-agent-info',
- 'limit-card-insert-tries',
- 'no-random-seed-file',
- 'no-greeting',
- 'no-secmem-warning', 'require-secmem', 'no-require-secmem',
- 'no-mdc-warning',
- 'require-cross-certification', 'no-require-cross-certification',
- 'expert', 'no-expert',
- # OpenPGP protocol specific options
- 'force-mdc', 'disable-mdc',
- 'personal-cipher-preferences',
- 'gnupg', 'openpgp', 'rfc4880', 'rfc2440', 'pgp6', 'pgp7', 'pgp8',
- # Doing things one usually doesn't want to do
- 'comment', 'no-comments',
- 'emit-version', 'no-emit-version',
- 'cert-notation', 'set-notation',
- 'cert-policy-url', 'set-policy-url',
- 'cipher-algo', 'cert-digest-algo',
- 'pinentry-mode',
- 'allow-weak-digest-algos', 'weak-digest',
- 'ask-cert-expire', 'no-ask-cert-expire', 'default-cert-expire'
- );
+ my @gnupgopts_n = qw/
+ disable-ccid
+ ask-cert-level no-ask-cert-level
+ use-agent no-use-agent
+ no-random-seed-file
+ no-greeting
+ expert no-expert
+ gnupg no-pgp2 pgp6 no-pgp6 pgp7 no-pgp7 pgp8 no-pgp8
+ rfc2440 rfc4880 openpgp
+ default-comment no-comments
+ emit-version no-emit-version no-version
+ allow-weak-digest-algos
+ ask-cert-expire no-ask-cert-expire
+ utf8-strings no-utf8-strings
+ /;
+ my @gnupgopts_i = qw/
+ default-cert-level
+ limit-card-insert-tries
+ /;
+ my @gnupgopts_s = qw/
+ photo-viewer
+ exec-path
+ pcsc-driver
+ reader-port
+ display-charset charset
+ keyserver keyserver-options
+ gpg-agent-info
+ personal-cipher-preferences personal-digest-preferences
+ comment
+ cert-notation set-notation
+ cert-policy-url set-policy-url
+ cipher-algo cert-digest-algo
+ pinentry-mode
+ weak-digest
+ default-cert-expire
+ disable-cipher-algo disable-pubkey-algo
+ agent-program dirmngr-program
+ /;
- while (<$fh2>) {
- print $fh $_ if /\A\s*([0-9a-zA-Z\-]+)(?:\s.*)?\n\z/ and grep { $_ eq $1 } @gnupgopts;
+ push @GNUPGOPTS, '--no-options';
+ notice("Importing GnuPG options from $gpgconf:");
+ while (<$fh>) {
+ s/(?:\r\n|\r|\n)\z// or next;
+ if (/\A\s*([0-9a-zA-Z\-]+)\z/ and grep { $_ eq $1 } @gnupgopts_n) {
+ push @GNUPGOPTS, "--$1";
+ } elsif (/\A\s*([0-9a-zA-Z\-]+)\s+(\d+)\z/ and grep { $_ eq $1 } @gnupgopts_i) {
+ push @GNUPGOPTS, "--$1=$2";
+ } elsif (/\A\s*([0-9a-zA-Z\-]+)\s+(\P{Control}+)\z/ and grep { $_ eq $1 } @gnupgopts_s) {
+ push @GNUPGOPTS, "--$1=$2";
+ } else {
+ next;
+ }
+ notice(" $_");
}
- close $_ for ($fh, $fh2);
+ close $fh;
}
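Review bot: The `s/(?:\r\n|\r|\n)\z// or next;` at the top of the import loop silently skips a final gpg.conf line that has no trailing newline, so an allow-listed option on that line is never imported, and because `\s+` before the value is greedy while `\P{Control}` accepts blanks, trailing spaces are carried into `--opt=value` (a trailing tab, being a control character, makes the line fail to match and be dropped instead). Replacing that line with `s/\s+\z//;` strips CRLF, LF and trailing whitespace uniformly and imports the last line like any other. The anchored `\A`/`\z` patterns and the control-character exclusion are what keep the value from smuggling in extra tokens, and each option is pushed as one argv element, so this change does not widen what reaches gpg; a short comment stating that intent above the three `elsif` arms would help the next maintainer keep it that way. load_config continues past the end of this hunk.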
# depreacted options, will be removed in a future release
@@ -795,6 +809,7 @@
$h{always_trust} //= 1;
$h{extra_args} //= [];
+ push @{$h{extra_args}}, @GNUPGOPTS if @GNUPGOPTS and defined $h{homedir};
push @{$h{extra_args}}, '--no-auto-check-trustdb';
push @{$h{extra_args}}, '--fixed-list-mode' if GnuPG_version('2.0.0') < 0;
push @{$h{extra_args}}, '--no-autostart' if GnuPG_version('2.1.0') >= 0; # never autostart
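Review bot: The added `push @{$h{extra_args}}, @GNUPGOPTS if @GNUPGOPTS and defined $h{homedir};` gives no reason for the `defined $h{homedir}` guard, and since `@GNUPGOPTS` starts with `--no-options` the guard decides whether gpg reads its own configuration at all. Presumably the intent is that the imported options substitute for gpg.conf only inside caff's private GNUPGHOME, while an invocation against the user's real home should still read ~/.gnupg/gpg.conf itself; if so, a comment such as `# only for caff's own GNUPGHOME: the imported options stand in for its missing gpg.conf, whereas the user's real home reads ~/.gnupg/gpg.conf itself` would make that explicit. The enclosing function starts and ends outside the hunk.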
@@ -1674,10 +1689,11 @@
notice("Sign the following keys according to your policy, then exit gpg with 'save' after signing each key");
foreach my $local_user (@LOCAL_USER) {
my @command = ($CONFIG{'gpg'});
- push @command, '--local-user', $local_user;
push @command, "--homedir=$GNUPGHOME";
+ push @command, @GNUPGOPTS if @GNUPGOPTS;
push @command, '--secret-keyring', $CONFIG{'secret-keyring'} if GnuPG_version('2.1.0') < 0;
push @command, qw/--no-auto-check-trustdb --trust-model=always/;
+ push @command, '--local-user', $local_user;
push @command, '--edit-key', $keyid;
push @command, 'showphoto' if $CONFIG{'show-photos'};
push @command, $CONFIG{'gpg-sign-type'}.'sign';
@@ -1824,9 +1840,9 @@
########################
foreach my $local_user (@LOCAL_USER) {
my @command = ($CONFIG{'gpg'});
- push @command, '--local-user', $local_user;
push @command, '--secret-keyring', $CONFIG{'secret-keyring'} if GnuPG_version('2.1.0') < 0;
push @command, qw/--no-auto-check-trustdb --trust-model=always/;
+ push @command, '--local-user', $local_user;
push @command, '--edit-key', $keyid;
push @command, 'showphoto' if $CONFIG{'show-photos'};
push @command, 'lsign';
Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog 2016-07-11 22:36:00 UTC (rev 859)
+++ trunk/debian/changelog 2016-07-11 22:36:04 UTC (rev 860)
@@ -10,6 +10,11 @@
+ With GnuPG 2.1.13 or later, use gpgconf(1) to determine the socket
paths. (It is not used on earlier gpg since earlier gpgconf do not
support --homedir.) This fixes compatibility with GnuPG 2.1.13.
+ + When ~/.caff/gnupghome/gpg.conf does not exist, instead of creating a
+ temporary file (as it's done since signing-party 2.3), parse
+ ~/.gnup/gpg.conf and pass the GnuPG options that are known to be safe
+ (and useful) for caff to gpg(1) using command line options. This soves
+ the problem of lingering configuration files in case caff is killed.
* d/source.lintian-overrides: Add 'debian-watch-file-is-missing' as we're
upstream.