If true, then skip the signing step. Default: B<0>.
+=item B<ask-sign> [boolean]
+
+If true, then pause before continuing to the signing step.
+This is useful for offline signing. Default: B<0>.
+
=item B<export-sig-age> [seconds]
Don't export UIDs by default, on which your latest signature is older
die ("keyid is not defined.\n") unless defined $CONFIG{'keyid'};
die ("keyid is not an array ref\n") unless (ref $CONFIG{'keyid'} eq 'ARRAY');
for my $keyid (@{$CONFIG{'keyid'}}) {
- $keyid =~ /^[A-Fa-z0-9]{16}$/ or die ("key $keyid is not a long (16 digit) keyid.\n");
+ $keyid =~ /^[A-F0-9]{16}$/i or die ("key $keyid is not a long (16 digit) keyid.\n");
};
@{$CONFIG{'keyid'}} = map { uc } @{$CONFIG{'keyid'}};
$CONFIG{'export-sig-age'}= 24*60*60 unless defined $CONFIG{'export-sig-age'};
$OUT .= "\t".$uid."\n";
};} of your key {$key} signed by me.
-Note that I did not upload your key to any keyservers. If you want this
-new signature to be available to others, please upload it yourself.
-With GnuPG this can be done using
+Note that I did not upload your key to any keyservers.
+If you have multiple user ids, I sent the signature for each user id
+separately to that user id's associated email address. You can import
+the signatures by running each through `gpg --import`.
+
+If you want this new signature to be available to others, please upload
+it yourself. With GnuPG this can be done using
gpg --keyserver subkeys.pgp.net --send-key {$key}
If you have any questions, don't hesitate to ask.
sub ask($$;$$) {
my ($question, $default, $forceyes, $forceno) = @_;
- return $default if $forceyes and $forceno;
- return 1 if $forceyes;
- return 0 if $forceno;
my $answer;
while (1) {
print $question,' ',($default ? '[Y/n]' : '[y/N]'), ' ';
+ if ($forceyes && $forceno) {
+ print "$default (from config/command line)\n";
+ return $default;
+ };
+ if ($forceyes) {
+ print "YES (from config/command line)\n";
+ return 1;
+ };
+ if ($forceno) {
+ print "NO (from config/command line)\n";
+ return 0;
+ };
+
$answer = <STDIN>;
chomp $answer;
last if ((defined $answer) && (length $answer <= 1));
my $gpg = GnuPG::Interface->new();
$gpg->call( $CONFIG{'gpg'} );
- $gpg->options->hash_init(
- 'homedir' => $gnupghome,
- 'armor' => 1 );
+ if (defined $gnupghome) {
+ $gpg->options->hash_init(
+ 'homedir' => $gnupghome,
+ 'extra_args' => [ qw{ --no-auto-check-trustdb --trust-model=always } ],
+ 'armor' => 1 );
+ } else {
+ $gpg->options->hash_init(
+ 'extra_args' => [ qw{ --no-auto-check-trustdb --trust-model=always } ],
+ 'armor' => 1 );
+ };
$gpg->options->meta_interactive( 0 );
my ($inputfd, $stdoutfd, $stderrfd, $statusfd, $handles) = make_gpg_fds();
my $pid = $gpg->export_keys(handles => $handles, command_args => [ $keyid ]);
my $gpg = GnuPG::Interface->new();
$gpg->call( $CONFIG{'gpg'} );
- $gpg->options->hash_init( 'homedir' => $gnupghome );
+ $gpg->options->hash_init(
+ 'homedir' => $gnupghome,
+ 'extra_args' => [ qw{ --no-auto-check-trustdb --trust-model=always } ] );
$gpg->options->meta_interactive( 0 );
my ($inputfd, $stdoutfd, $stderrfd, $statusfd, $handles) = make_gpg_fds();
my $pid = $gpg->import_keys(handles => $handles);
my $gpg = GnuPG::Interface->new();
$gpg->call( $CONFIG{'gpg'} );
$gpg->options->hash_init( 'homedir' => $GNUPGHOME,
- 'extra_args' => '--always-trust',
+ 'extra_args' => [ qw{ --no-auto-check-trustdb --trust-model=always } ],
'armor' => 1 );
$gpg->options->meta_interactive( 0 );
my ($inputfd, $stdoutfd, $stderrfd, $statusfd, $handles) = make_gpg_fds();
if ($params->{'local-user'}) {
$USER = $params->{'local-user'};
$USER =~ s/^0x//i;
- unless ($USER =~ /^([A-Z0-9]{8}|[A-Z0-9]{16}|[A-Z0-9]{40})$/i) {
+ unless ($USER =~ /^([A-F0-9]{8}|[A-F0-9]{16}|[A-F0-9]{40})$/i) {
print STDERR "-u $USER is not a keyid.\n";
usage(\*STDERR, 1);
};
for my $keyid (@ARGV) {
$keyid =~ s/^0x//i;
- unless ($keyid =~ /^([A-Z0-9]{8}|[A-Z0-9]{16}||[A-Z0-9]{40})$/i) {
+ unless ($keyid =~ /^([A-F0-9]{8}|[A-F0-9]{16}||[A-F0-9]{40})$/i) {
+ if ($keyid =~ /^[A-F0-9]{32}$/) {
+ info("Ignoring v3 fingerprint $keyid. v3 keys are obsolete.");
+ next;
+ };
print STDERR "$keyid is not a keyid.\n";
usage(\*STDERR, 1);
};
#################
# import own keys
#################
+for my $keyid (@{$CONFIG{'keyid'}}) {
my $gpg = GnuPG::Interface->new();
$gpg->call( $CONFIG{'gpg'} );
$gpg->options->hash_init(
'homedir' => $GNUPGHOME,
- 'extra_args' => '--keyserver='.$CONFIG{'keyserver'} );
+ 'extra_args' => [ qw{ --no-auto-check-trustdb --trust-model=always --with-colons --fixed-list-mode --fast-list-mode } ] );
$gpg->options->meta_interactive( 0 );
my ($inputfd, $stdoutfd, $stderrfd, $statusfd, $handles) = make_gpg_fds();
- $gpg->options->hash_init( 'extra_args' => [ '--with-colons', '--fixed-list-mode' ] );
- my $pid = $gpg->list_public_keys(handles => $handles, command_args => $CONFIG{'keyid'});
+ my $pid = $gpg->list_public_keys(handles => $handles, command_args => $keyid);
my ($stdout, $stderr, $status) = readwrite_gpg('', $inputfd, $stdoutfd, $stderrfd, $statusfd);
waitpid $pid, 0;
+
if ($stdout eq '') {
- warn ("No data from gpg for list-key\n");
- next;
+ warn ("No data from gpg for list-key\n"); # There should be at least 'tru:' everywhere.
};
- foreach my $keyid (@{$CONFIG{'keyid'}}) {
- unless ($stdout =~ /^pub:(?:[^:]*:){3,3}$keyid:/m) {
- info("Importing $keyid");
- system "gpg --export $keyid | gpg --import --homedir $GNUPGHOME";
- }
+ unless ($stdout =~ /^pub:(?:[^:]*:){3,3}$keyid:/m) {
+ info("Key $keyid not found in caff's home. Getting it from your normal GnuPGHome.");
+ my $key = export_key(undef, $keyid);
+ if (!defined $key || $key eq '') {
+ warn ("Did not get key $keyid from your normal GnuPGHome\n");
+ next;
+ };
+ my $result = import_key($GNUPGHOME, $key);
+ unless ($result) {
+ warn ("Could not import $keyid into caff's gnupghome.\n");
+ next;
+ };
}
+}
#############################
# receive keys from keyserver
$gpg->call( $CONFIG{'gpg'} );
$gpg->options->hash_init(
'homedir' => $GNUPGHOME,
- 'extra_args' => '--keyserver='.$CONFIG{'keyserver'} );
+ 'extra_args' => [ qw{ --no-auto-check-trustdb --trust-model=always }, '--keyserver='.$CONFIG{'keyserver'} ] );
$gpg->options->meta_interactive( 0 );
my ($inputfd, $stdoutfd, $stderrfd, $statusfd, $handles) = make_gpg_fds();
my $pid = $gpg->recv_keys(handles => $handles, command_args => [ @KEYIDS ]);
###########
# sign keys
###########
+if ($CONFIG{'ask-sign'} && ! $CONFIG{'no-sign'}) {
+ $CONFIG{'no-sign'} = ! ask("Continue with signing?", 1);
+}
+
unless ($CONFIG{'no-sign'}) {
info("Sign the following keys according to your policy, then exit gpg with 'save' after signing each key");
for my $keyid (@keyids_ok) {
push @command, '--local-user', $USER if (defined $USER);
push @command, "--homedir=$GNUPGHOME";
push @command, '--secret-keyring', $CONFIG{'secret-keyring'};
+ push @command, '--no-auto-check-trustdb';
+ push @command, '--trust-model=always';
push @command, '--edit', $keyid;
push @command, 'sign';
push @command, split ' ', $CONFIG{'gpg-sign-args'} || "";
#################
my $gpg = GnuPG::Interface->new();
$gpg->call( $CONFIG{'gpg'} );
- $gpg->options->hash_init( 'homedir' => $GNUPGHOME );
+ $gpg->options->hash_init(
+ 'homedir' => $GNUPGHOME,
+ 'extra_args' => [ qw{ --no-auto-check-trustdb --trust-model=always --with-colons --fixed-list-mode } ] );
$gpg->options->meta_interactive( 0 );
my ($inputfd, $stdoutfd, $stderrfd, $statusfd, $handles) = make_gpg_fds();
- $gpg->options->hash_init( 'extra_args' => [ '--with-colons', '--fixed-list-mode' ] );
my $pid = $gpg->list_public_keys(handles => $handles, command_args => [ $keyid ]);
my ($stdout, $stderr, $status) = readwrite_gpg('', $inputfd, $stdoutfd, $stderrfd, $statusfd);
waitpid $pid, 0;
$gpg->call( $CONFIG{'gpg-delsig'} );
$gpg->options->hash_init(
'homedir' => $tempdir,
- 'extra_args' => [ '--with-colons', '--fixed-list-mode', '--command-fd=0', '--no-tty' ] );
+ 'extra_args' => [ qw{ --no-auto-check-trustdb --trust-model=always --with-colons --fixed-list-mode --command-fd=0 --no-tty } ] );
($inputfd, $stdoutfd, $stderrfd, $statusfd, $handles) = make_gpg_fds();
$pid = $gpg->wrap_call(
commands => [ '--edit' ],
if (!$uid->{'is_uat'} && ($uid->{'text'} =~ /@/)) {
my $address = $uid->{'text'};
$address =~ s/.*<(.*)>.*/$1/;
- if (ask("Send mail to '$address' for $uid->{'text'}?", 1, $CONFIG{'mail'})) {
+ if (ask("Mail signature for $uid->{'text'} to '$address'?", 1, $CONFIG{'mail'})) {
my $mail = send_mail($address, $can_encrypt, $longkeyid, $uid, @attached);
my $keydir = "$KEYSBASE/$DATE_STRING";
projects / pgp-tools.git / blobdiff