Fix creation of backup key
parent
50d99f06eb
commit
8e77c68ac0
|
@ -157,6 +157,7 @@ if [ ! -f $MY_GPG_PUBLIC_KEY ]; then
|
|||
userdel -r $ADD_USERNAME
|
||||
exit 7
|
||||
fi
|
||||
gpg_allow_tty $ADD_USERNAME
|
||||
|
||||
# add a monkeysphere subkey
|
||||
#echo $'Adding monkeysphere subkey'
|
||||
|
|
|
@ -1646,36 +1646,14 @@ function configure_gpg {
|
|||
fi
|
||||
MY_GPG_PUBLIC_KEY=/tmp/public_key.gpg
|
||||
su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME
|
||||
|
||||
if grep -q "install_email" $COMPLETION_FILE; then
|
||||
if ! grep -q $"Change your GPG password" /home/$MY_USERNAME/README; then
|
||||
echo '' >> /home/$MY_USERNAME/README
|
||||
echo '' >> /home/$MY_USERNAME/README
|
||||
echo $'# Change your GPG password' >> /home/$MY_USERNAME/README
|
||||
echo $"It's very important to add a password to your GPG key so that" >> /home/$MY_USERNAME/README
|
||||
echo $"if anyone does get access to your email they still won't be able" >> /home/$MY_USERNAME/README
|
||||
echo $'to read them without knowning the GPG password.' >> /home/$MY_USERNAME/README
|
||||
echo $'You can change the it with:' >> /home/$MY_USERNAME/README
|
||||
echo '' >> /home/$MY_USERNAME/README
|
||||
echo " gpg --edit-key $MY_GPG_PUBLIC_KEY_ID" >> /home/$MY_USERNAME/README
|
||||
echo ' passwd' >> /home/$MY_USERNAME/README
|
||||
echo ' save' >> /home/$MY_USERNAME/README
|
||||
echo ' quit' >> /home/$MY_USERNAME/README
|
||||
fi
|
||||
if ! grep -q $"Publish your GPG public key" /home/$MY_USERNAME/README; then
|
||||
echo '' >> /home/$MY_USERNAME/README
|
||||
echo '' >> /home/$MY_USERNAME/README
|
||||
echo $'# Publish your GPG public key' >> /home/$MY_USERNAME/README
|
||||
echo $'So that others can send emails to you securely you should' >> /home/$MY_USERNAME/README
|
||||
echo $'publish your GPG public key with the command:' >> /home/$MY_USERNAME/README
|
||||
echo '' >> /home/$MY_USERNAME/README
|
||||
echo " gpg --send-keys $MY_GPG_PUBLIC_KEY_ID" >> /home/$MY_USERNAME/README
|
||||
fi
|
||||
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
|
||||
chmod 600 /home/$MY_USERNAME/README
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ! -d /root/.gnupg ]; then
|
||||
cp -r /home/$MY_USERNAME/.gnupg /root/
|
||||
fi
|
||||
gpg_allow_tty root
|
||||
gpg_allow_tty $MY_USERNAME
|
||||
|
||||
mark_completed $FUNCNAME
|
||||
}
|
||||
|
||||
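Review bot: The `cp -r /home/$MY_USERNAME/.gnupg /root/` step near the end of configure_gpg, which appears to be on the new side, leaves a second copy of the user's secret keyring under /root, and nothing records why root needs it or checks that the copy succeeded. Because it runs only when /root/.gnupg is absent, the two keyrings will silently diverge once keys or trust settings change on either side. I would quote the path, stop on failure and pin the directory mode, e.g. `cp -r -- "/home/$MY_USERNAME/.gnupg" /root/ || exit <code>` followed by `chmod 700 /root/.gnupg`. A comment such as `# root needs the user's keyring for <purpose>; copied once, not kept in sync` would document the intent. configure_gpg starts outside this hunk.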
|
|
|
@ -51,22 +51,6 @@ function restart_site {
|
|||
SUSPENDED_SITE=
|
||||
}
|
||||
|
||||
function backup_create_password {
|
||||
BACKUP_PASSWORD_FILE=$(mktemp /tmp/fileXXXXX)
|
||||
# Note: this doesn't need to be secure, it's just a way of
|
||||
# getting around the forced interactivity of the gpg agent
|
||||
echo -n "$BACKUP_DUMMY_PASSWORD" > $BACKUP_PASSWORD_FILE
|
||||
}
|
||||
|
||||
function backup_remove_password {
|
||||
if [ ! $BACKUP_PASSWORD_FILE ]; then
|
||||
return
|
||||
fi
|
||||
if [ -f $BACKUP_PASSWORD_FILE ]; then
|
||||
shred -zu $BACKUP_PASSWORD_FILE
|
||||
fi
|
||||
}
|
||||
|
||||
function configure_backup_key {
|
||||
if [[ $(is_completed $FUNCNAME) == "1" ]]; then
|
||||
return
|
||||
|
@ -104,20 +88,17 @@ function configure_backup_key {
|
|||
fi
|
||||
fi
|
||||
|
||||
backup_create_password
|
||||
|
||||
MY_BACKUP_KEY_ID=$(su -c "gpg --list-keys \"$MY_NAME (backup key)\"" - $MY_USERNAME | sed -n '2p' | sed 's/^[ \t]*//')
|
||||
echo "Backup key: $MY_BACKUP_KEY_ID"
|
||||
MY_BACKUP_KEY=/home/$MY_USERNAME/backup_key
|
||||
su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --output ${MY_BACKUP_KEY}_public.asc --armor --export $MY_BACKUP_KEY_ID" - $MY_USERNAME
|
||||
su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --output ${MY_BACKUP_KEY}_private.asc --armor --passphrase-fd $BACKUP_PASSWORD_FILE --export-secret-key $MY_BACKUP_KEY_ID" - $MY_USERNAME
|
||||
su -m root -c "echo '$BACKUP_DUMMY_PASSWORD' | gpg --homedir /home/$MY_USERNAME/.gnupg --output ${MY_BACKUP_KEY}_private.asc --armor --batch --passphrase-fd 0 --export-secret-key $MY_BACKUP_KEY_ID" - $MY_USERNAME
|
||||
|
||||
if [ ! -f ${MY_BACKUP_KEY}_public.asc ]; then
|
||||
backup_remove_password
|
||||
echo 'Public backup key could not be exported'
|
||||
exit 36829
|
||||
fi
|
||||
if [ ! -f ${MY_BACKUP_KEY}_private.asc ]; then
|
||||
backup_remove_password
|
||||
echo 'Private backup key could not be exported'
|
||||
exit 29235
|
||||
fi
|
||||
|
@ -128,7 +109,6 @@ function configure_backup_key {
|
|||
|
||||
shred -zu ${MY_BACKUP_KEY}_public.asc
|
||||
shred -zu ${MY_BACKUP_KEY}_private.asc
|
||||
backup_remove_password
|
||||
|
||||
mark_completed $FUNCNAME
|
||||
}
|
||||
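Review bot: In configure_backup_key, the export line that appears to be the replacement splices the passphrase into the `su -c` command string as `echo '$BACKUP_DUMMY_PASSWORD' | gpg …`. A single quote in the value would break or alter the command, and the passphrase ends up in the command-line arguments of `su` and the shell it starts. Feeding it on stdin from outside the quoted string avoids both problems: `printf '%s\n' "$BACKUP_DUMMY_PASSWORD" | su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --output ${MY_BACKUP_KEY}_private.asc --armor --batch --passphrase-fd 0 --export-secret-key $MY_BACKUP_KEY_ID" - $MY_USERNAME`. This assumes `su` passes stdin through to the child, which should be confirmed on the target system. The comment explaining that this passphrase is only a placeholder to satisfy the agent seems to have been removed along with backup_create_password, so I would restore it next to this line, e.g. `# placeholder passphrase only; the exported key file is shredded below`. The `-f` tests that follow only show that a file exists, so checking gpg's exit status as well would catch a failed export.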
|
|
|
@ -28,6 +28,25 @@
|
|||
# You should have received a copy of the GNU Affero General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
function gpg_allow_tty {
|
||||
gpg_username=$1
|
||||
|
||||
if [[ $gpg_username == 'root' ]]; then
|
||||
if ! grep -q 'GPG_TTY' /root/.bashrc; then
|
||||
echo '' >> /root/.bashrc
|
||||
echo 'GPG_TTY=$(tty)' >> /root/.bashrc
|
||||
echo 'export GPG_TTY' >> /root/.bashrc
|
||||
fi
|
||||
else
|
||||
if ! grep -q 'GPG_TTY' /home/$gpg_username/.bashrc; then
|
||||
echo '' >> /home/$gpg_username/.bashrc
|
||||
echo 'GPG_TTY=$(tty)' >> /home/$gpg_username/.bashrc
|
||||
echo 'export GPG_TTY' >> /home/$gpg_username/.bashrc
|
||||
chown $gpg_username:$gpg_username /home/$gpg_username/.bashrc
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function gpg_pubkey_from_email {
|
||||
key_owner_username=$1
|
||||
key_email_address=$2
|
||||
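Review bot: The new gpg_allow_tty assigns `gpg_username=$1` without `local`, so the name leaks into the caller's scope. It also uses the value unquoted in `/home/$gpg_username/.bashrc`, so an empty or unexpected argument would write to `/home//.bashrc` or split into several words. The root and non-root branches repeat the same three `echo` lines and differ only in the target path and the `chown`. Choosing the path once, quoting it, and using `grep -qs` so a missing .bashrc prints no error would make the function shorter and safer. The early `return 1` on an empty name is a behaviour change, so confirm it is acceptable if callers run under `set -e`.

```shell
function gpg_allow_tty {
    local gpg_username=$1
    local bashrc="/home/$gpg_username/.bashrc"

    # refuse an empty name rather than writing to /home//.bashrc
    [ -n "$gpg_username" ] || return 1

    if [[ $gpg_username == 'root' ]]; then
        bashrc=/root/.bashrc
    fi

    if ! grep -qs 'GPG_TTY' "$bashrc"; then
        {
            echo ''
            echo 'GPG_TTY=$(tty)'
            echo 'export GPG_TTY'
        } >> "$bashrc"
        if [[ $gpg_username != 'root' ]]; then
            chown "$gpg_username":"$gpg_username" "$bashrc"
        fi
    fi
}
```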
|
|