X-Git-Url: https://git.sthu.org/?a=blobdiff_plain;f=caff%2Fcaff;h=fe5fd9778d9e0dee3d99cc3485b07edf8486665b;hb=fe9cce45c625b36a76db49bc6a1b3328bde49878;hp=cb482518f273346dc56a1d606a0f4f53ab6e3045;hpb=4e9bfefa47c7ed2041120169210e644c3df7fd27;p=pgp-tools.git diff --git a/caff/caff b/caff/caff index cb48251..fe5fd97 100755 --- a/caff/caff +++ b/caff/caff @@ -3,7 +3,7 @@ # caff -- CA - Fire and Forget # $Id$ # -# Copyright (c) 2004 Peter Palfrader +# Copyright (c) 2004, 2005 Peter Palfrader # # All rights reserved. # @@ -75,8 +75,9 @@ The configuration file is a perl script that sets values in the hash B<%CONFIG>. Example: - $CONFIG{'owner'} = 'Peter Palfrader'; - $CONFIG{'email'} = 'peter@palfrader.org'; + $CONFIG{owner} = q{Peter Palfrader}; + $CONFIG{email} = q{peter@palfrader.org}; + $CONFIG{keyid} = [ qw{DE7AAF6E94C09C7F 62AF4031C82E0039} ]; =head2 Valid keys @@ -118,7 +119,7 @@ Path to the GnuPG binary. Default: B. Path to the GnuPG binary which is used to sign keys. Default: what B is set to. -=item B [string] +=item B [string] Path to the GnuPG binary which is used to split off signatures. This is needed while the upstream GnuPG is not fixed (there are 2 bugs in the @@ -128,12 +129,29 @@ Debian Bug Tracking System). Default: what B is set to. Path to your secret keyring. Default: B<$HOME/.gnupg/secring.gpg>. +=item B [keyid] + +An additional keyid to encrypt messages to. Default: none. + +=item B [boolean] + +If true, then skip the step of fetching keys from the keyserver. +Default: B<0>. + +=item B [boolean] + +If true, then skip the signing step. Default: B<0>. + =back =head1 AUTHOR Peter Palfrader +=head1 WEBSITE + +http://pgp-tools.alioth.debian.org/ + =cut use strict; @@ -153,7 +171,7 @@ my $VERSION = "0.0.0.$REVISION_NUMER"; sub load_config() { my $config = $ENV{'HOME'} . '/.caffrc'; - -f $config or die "No file $config present. See caffrc(5).\n"; + -f $config or die "No file $config present. See caff(1).\n"; unless (scalar eval `cat $config`) { die "Couldn't parse $config: $EVAL_ERROR\n" if $EVAL_ERROR; }; @@ -173,6 +191,8 @@ sub load_config() { $CONFIG{'gpg-sign'} = $CONFIG{'gpg'} unless defined $CONFIG{'gpg-sign'}; $CONFIG{'gpg-delsig'} = $CONFIG{'gpg'} unless defined $CONFIG{'gpg-delsig'}; $CONFIG{'secret-keyring'} = $ENV{'HOME'}.'/.gnupg/secring.gpg' unless defined $CONFIG{'secret-keyring'}; + $CONFIG{'no-download'} = 0 unless defined $CONFIG{'no-download'}; + $CONFIG{'no-sign'} = 0 unless defined $CONFIG{'no-sign'}; }; sub notice($) { @@ -232,21 +252,31 @@ sub readwrite_gpg($$$$$%) { my ($stdout, $stderr, $status) = ("", "", ""); my $exitwhenstatusmatches = $options{'exitwhenstatusmatches'}; - trace("doign stuff until we find $exitwhenstatusmatches") if defined $exitwhenstatusmatches; + trace("doing stuff until we find $exitwhenstatusmatches") if defined $exitwhenstatusmatches; + my $readwrote_stuff_this_time = 0; + my $do_not_wait_on_select = 0; my ($readyr, $readyw, $written); while ($sout->count() > 0 || (defined($sin) && ($sin->count() > 0))) { if (defined $exitwhenstatusmatches) { if ($status =~ /$exitwhenstatusmatches/m) { trace("readwrite_gpg found match on $exitwhenstatusmatches"); - last; + if ($readwrote_stuff_this_time) { + trace("read/write some more\n"); + $do_not_wait_on_select = 1; + } else { + trace("that's it in our while loop.\n"); + last; + } }; }; + $readwrote_stuff_this_time = 0; trace("select waiting for ".($sout->count())." fds."); - ($readyr, $readyw, undef) = IO::Select::select($sout, $sin, undef, 1); + ($readyr, $readyw, undef) = IO::Select::select($sout, $sin, undef, $do_not_wait_on_select ? 0 : 1); trace("ready: write: ".(defined $readyw ? scalar @$readyw : 0 )."; read: ".(defined $readyr ? scalar @$readyr : 0)); for my $wfd (@$readyw) { + $readwrote_stuff_this_time = 1; if (length($in) != $offset) { trace("writing to $wfd."); $written = $wfd->syswrite($in, length($in) - $offset, $offset); @@ -266,6 +296,7 @@ sub readwrite_gpg($$$$$%) { next unless (defined(@$readyr)); # Wait some more. for my $rfd (@$readyr) { + $readwrote_stuff_this_time = 1; if ($rfd->eof) { trace("reading from $rfd done."); $sout->remove($rfd); @@ -322,7 +353,7 @@ my $KEYEDIT_KEYEDIT_OR_DELSIG_PROMPT = '^\[GNUPG:\] (GET_BOOL keyedit.delsig|GET my $KEYEDIT_DELSUBKEY_PROMPT = '^\[GNUPG:\] GET_BOOL keyedit.remove.subkey'; load_config; -my $USER_AGENT = "caff $VERSION - (c) 2004 Peter Palfrader"; +my $USER_AGENT = "caff $VERSION - (c) 2004, 2005 Peter Palfrader"; my $KEYSBASE = $CONFIG{'caffhome'}.'/keys'; my $GNUPGHOME = $CONFIG{'caffhome'}.'/gnupghome'; @@ -336,8 +367,8 @@ my $DATE_STRING = sprintf("%04d-%02d-%02d", $year+1900, $mon+1, $mday); sub usage() { - print STDERR "caff $VERSION - (c) 2004 Peter Palfrader\n"; - print STDERR "Usage: $PROGRAM_NAME [-u [ ...]\n"; + print STDERR "caff $VERSION - (c) 2004, 2005 Peter Palfrader\n"; + print STDERR "Usage: $PROGRAM_NAME [-u ] [ ...]\n"; exit 1; }; @@ -437,7 +468,7 @@ $CONFIG{'owner'} $message_entity->head->add("Subject", "Your signed PGP key 0x$key_id"); $message_entity->head->add("To", $address); - $message_entity->head->add("From", $CONFIG{'owner'}.' <'.$CONFIG{'email'}.'>'); + $message_entity->head->add("From", '"'.$CONFIG{'owner'}.'" <'.$CONFIG{'email'}.'>'); $message_entity->head->add("User-Agent", $USER_AGENT); $message_entity->send(); $message_entity->stringify(); @@ -446,7 +477,8 @@ $CONFIG{'owner'} sub sanitize_uid($) { my ($uid) = @_; - my $good_uid =~ tr#/:\\#_#; + my $good_uid = $uid; + $good_uid =~ tr#/:\\#_#; trace2("[sanitize_uid] changed UID from $uid to $good_uid.\n") if $good_uid ne $uid; return $good_uid; }; @@ -459,6 +491,7 @@ if ($ARGV[0] eq '-u') { usage() unless scalar @ARGV >= 3; shift @ARGV; $USER = shift @ARGV; + $USER =~ s/^0x//i; unless ($USER =~ /^[A-Za-z0-9]{8,8}([A-Za-z0-9]{8})?$/) { print STDERR "-u $USER is not a keyid.\n"; usage(); @@ -466,6 +499,7 @@ if ($ARGV[0] eq '-u') { $USER = uc($USER); }; for my $keyid (@ARGV) { + $keyid =~ s/^0x//i; unless ($keyid =~ /^[A-Za-z0-9]{8}([A-Za-z0-9]{8})?$/) { print STDERR "$keyid is not a keyid.\n"; usage(); @@ -474,49 +508,96 @@ for my $keyid (@ARGV) { }; + +################# +# import own keys +################# + my $gpg = GnuPG::Interface->new(); + $gpg->call( $CONFIG{'gpg'} ); + $gpg->options->hash_init( + 'homedir' => $GNUPGHOME, + 'extra_args' => '--keyserver='.$CONFIG{'keyserver'} ); + $gpg->options->meta_interactive( 0 ); + my ($inputfd, $stdoutfd, $stderrfd, $statusfd, $handles) = make_gpg_fds(); + $gpg->options->hash_init( 'extra_args' => [ '--with-colons', '--fixed-list-mode' ] ); + my $pid = $gpg->list_public_keys(handles => $handles, command_args => $CONFIG{'keyid'}); + my ($stdout, $stderr, $status) = readwrite_gpg('', $inputfd, $stdoutfd, $stderrfd, $statusfd); + waitpid $pid, 0; + if ($stdout eq '') { + warn ("No data from gpg for list-key\n"); + next; + }; + foreach my $keyid (@{$CONFIG{'keyid'}}) { + unless ($stdout =~ /^pub:(?:[^:]*:){3,3}$keyid:/m) { + info("Importing $keyid"); + system "gpg --export $keyid | gpg --import --homedir $GNUPGHOME"; + } + } + ############################# # receive keys from keyserver ############################# -my $gpg = GnuPG::Interface->new(); -$gpg->call( $CONFIG{'gpg'} ); -$gpg->options->hash_init( - 'homedir' => $GNUPGHOME, - 'extra_args' => '--keyserver='.$CONFIG{'keyserver'} ); -$gpg->options->meta_interactive( 0 ); -my ($inputfd, $stdoutfd, $stderrfd, $statusfd, $handles) = make_gpg_fds(); -my $pid = $gpg->recv_keys(handles => $handles, command_args => [ @KEYIDS ]); -my ($stdout, $stderr, $status) = readwrite_gpg('', $inputfd, $stdoutfd, $stderrfd, $statusfd); -waitpid $pid, 0; - my @keyids_ok; my @keyids_failed; +if ($CONFIG{'no-download'}) { + @keyids_ok = @KEYIDS; +} else { + my $gpg = GnuPG::Interface->new(); + $gpg->call( $CONFIG{'gpg'} ); + $gpg->options->hash_init( + 'homedir' => $GNUPGHOME, + 'extra_args' => '--keyserver='.$CONFIG{'keyserver'} ); + $gpg->options->meta_interactive( 0 ); + my ($inputfd, $stdoutfd, $stderrfd, $statusfd, $handles) = make_gpg_fds(); + + my @local_keyids = @KEYIDS; + for my $keyid (@local_keyids) { + info ("fetching $keyid..."); + my $pid = $gpg->recv_keys(handles => $handles, command_args => [ $keyid ]); + my ($stdout, $stderr, $status) = readwrite_gpg('', $inputfd, $stdoutfd, $stderrfd, $statusfd); + waitpid $pid, 0; + # [GNUPG:] IMPORT_OK 0 5B00C96D5D54AEE1206BAF84DE7AAF6E94C09C7F # [GNUPG:] NODATA 1 # [GNUPG:] NODATA 1 # [GNUPG:] IMPORT_OK 0 25FC1614B8F87B52FF2F99B962AF4031C82E0039 -for my $line (split /\n/, $status) { - if ($line =~ /^\[GNUPG:\] IMPORT_OK/) { - push @keyids_ok, shift @KEYIDS; - } elsif ($line =~ /^\[GNUPG:\] NODATA/) { - push @keyids_failed, shift @KEYIDS; + my $handled = 0; + for my $line (split /\n/, $status) { + if ($line =~ /^\[GNUPG:\] IMPORT_OK/) { + push @keyids_ok, shift @KEYIDS; + $handled = 1; + last; + } elsif ($line =~ /^\[GNUPG:\] NODATA/) { + push @keyids_failed, shift @KEYIDS; + $handled = 1; + last; + }; + }; + unless ($handled) { + notice ("Huh, what's up with $keyid?"); + push @keyids_failed, shift @KEYIDS; + }; }; -} -die ("Still keys in \@KEYIDS. This should not happen.") if scalar @KEYIDS; -notice ("Import failed for: ". (join ' ', @keyids_failed).".") if scalar @keyids_failed; + die ("Still keys in \@KEYIDS. This should not happen.") if scalar @KEYIDS; + notice ("Import failed for: ". (join ' ', @keyids_failed).".") if scalar @keyids_failed; +}; ########### # sign keys ########### -info("Sign the following keys according to your policy..."); -for my $keyid (@keyids_ok) { - my @command; - push @command, $CONFIG{'gpg-sign'}; - push @command, '--local-user', $USER if (defined $USER); - push @command, "--homedir=$GNUPGHOME"; - push @command, '--secret-keyring', $CONFIG{'secret-keyring'}; - push @command, '--sign-key', $keyid; - print join(' ', @command),"\n"; - system (@command); +unless ($CONFIG{'no-sign'}) { + info("Sign the following keys according to your policy, then exit gpg with 'save' after signing each key"); + for my $keyid (@keyids_ok) { + my @command; + push @command, $CONFIG{'gpg-sign'}; + push @command, '--local-user', $USER if (defined $USER); + push @command, "--homedir=$GNUPGHOME"; + push @command, '--secret-keyring', $CONFIG{'secret-keyring'}; + push @command, '--edit', $keyid; + push @command, 'sign'; + print join(' ', @command),"\n"; + system (@command); + }; }; ################## @@ -526,14 +607,14 @@ KEYS: for my $keyid (@keyids_ok) { # get key listing ################# - $gpg = GnuPG::Interface->new(); + my $gpg = GnuPG::Interface->new(); $gpg->call( $CONFIG{'gpg'} ); $gpg->options->hash_init( 'homedir' => $GNUPGHOME ); $gpg->options->meta_interactive( 0 ); - ($inputfd, $stdoutfd, $stderrfd, $statusfd, $handles) = make_gpg_fds(); + my ($inputfd, $stdoutfd, $stderrfd, $statusfd, $handles) = make_gpg_fds(); $gpg->options->hash_init( 'extra_args' => [ '--with-colons', '--fixed-list-mode' ] ); - $pid = $gpg->list_public_keys(handles => $handles, command_args => [ $keyid ]); - ($stdout, $stderr, $status) = readwrite_gpg('', $inputfd, $stdoutfd, $stderrfd, $statusfd); + my $pid = $gpg->list_public_keys(handles => $handles, command_args => [ $keyid ]); + my ($stdout, $stderr, $status) = readwrite_gpg('', $inputfd, $stdoutfd, $stderrfd, $statusfd); waitpid $pid, 0; if ($stdout eq '') { warn ("No data from gpg for list-key $keyid\n"); @@ -561,7 +642,7 @@ for my $keyid (@keyids_ok) { while (1) { my $this_uid_text = ''; $uid_number++; - info("Doing key $keyid, uid $uid_number"); + debug("Doing key $keyid, uid $uid_number"); # import into temporary gpghome ############################### @@ -630,6 +711,7 @@ for my $keyid (@keyids_ok) { next; }; unless ($have_one) { + debug("Uid ".($uid_number-1)." was the last, there is no $uid_number."); info("key $keyid done."); last; }; @@ -659,18 +741,26 @@ for my $keyid (@keyids_ok) { while($status =~ /$KEYEDIT_DELSIG_PROMPT/m) { # sig:?::17:EA2199412477CAF8:1058095214:::::13x: my @sigline = grep { /^sig/ } (split /\n/, $stdout); + $stdout =~ s/\n/\\n/g; + notice("[sigremoval] why are there ".(scalar @sigline)." siglines in that part of the dialog!? got: $stdout") if scalar @sigline >= 2; # XXX my $line = pop @sigline; my $answer = "no"; if (defined $line) { # only if we found a sig here - we never remove revocation packets for instance + debug("[sigremoval] doing line $line."); my ($dummy1, $dummy2, $dummy3, $dummy4, $signer, $created, $dummy7, $dummy8, $dummy9) = split /:/, $line; if ($signer eq $longkeyid) { + debug("[sigremoval] selfsig ($signer)."); $answer = "no"; } elsif (grep { $signer eq $_ } @{$CONFIG{'keyid'}}) { + debug("[sigremoval] signed by us ($signer)."); $answer = "no"; $signed_by_me = $signed_by_me > $created ? $signed_by_me : $created; } else { + debug("[sigremoval] not interested in that sig ($signer)."); $answer = "yes"; }; + } else { + debug("[sigremoval] no sig line here, only got: ".$stdout); }; ($stdout, $stderr, $status) = readwrite_gpg($answer."\n", $inputfd, $stdoutfd, $stderrfd, $statusfd, exitwhenstatusmatches => $KEYEDIT_KEYEDIT_OR_DELSIG_PROMPT, nocloseinput => 1); @@ -713,7 +803,7 @@ for my $keyid (@keyids_ok) { trace("UID: $uid->{'text'}\n"); unless ($uid->{'text'} =~ /@/) { my $attach = ask("UID $uid->{'text'} is no email address, attach it to every email sent?", 1); - push @attached, $uid; + push @attached, $uid if $attach; }; };