path: root/tickets/b6df8a5d7d3d4b7e8c2ddf8c95cfc33d/Maildir/new/1455999003.M588228P17339Q136.exolobe1
Diffstat (limited to 'tickets/b6df8a5d7d3d4b7e8c2ddf8c95cfc33d/Maildir/new/1455999003.M588228P17339Q136.exolobe1')
-rw-r--r-- tickets/b6df8a5d7d3d4b7e8c2ddf8c95cfc33d/Maildir/new/1455999003.M588228P17339Q136.exolobe1 247
1 files changed, 247 insertions, 0 deletions
diff --git a/tickets/b6df8a5d7d3d4b7e8c2ddf8c95cfc33d/Maildir/new/1455999003.M588228P17339Q136.exolobe1 b/tickets/b6df8a5d7d3d4b7e8c2ddf8c95cfc33d/Maildir/new/1455999003.M588228P17339Q136.exolobe1
new file mode 100644
index 0000000..52a07dc
--- /dev/null
+++ b/tickets/b6df8a5d7d3d4b7e8c2ddf8c95cfc33d/Maildir/new/1455999003.M588228P17339Q136.exolobe1
@@ -0,0 +1,247 @@
+Return-Path: <obnam-dev-bounces@obnam.org>
+X-Original-To: distix@pieni.net
+Delivered-To: distix@pieni.net
+Received: from bagpuss.pepperfish.net (bagpuss.pepperfish.net [148.251.8.16])
+ (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
+ (No client certificate requested)
+ by pieni.net (Postfix) with ESMTPS id E8E0C2B875
+ for <distix@pieni.net>; Fri, 18 Sep 2015 06:04:52 +0200 (CEST)
+Received: from platypus.pepperfish.net (unknown [10.112.100.20])
+ by bagpuss.pepperfish.net (Postfix) with ESMTP id A652C5E6;
+ Fri, 18 Sep 2015 05:04:52 +0100 (BST)
+Received: from ip6-localhost ([::1] helo=platypus.pepperfish.net)
+ by platypus.pepperfish.net with esmtp (Exim 4.80 #2 (Debian))
+ id 1Zcmuq-0003Yf-Gz; Fri, 18 Sep 2015 05:04:52 +0100
+Received: from inmail0 ([10.112.100.10] helo=mx0.pepperfish.net)
+ by platypus.pepperfish.net with esmtp (Exim 4.80 #2 (Debian))
+ id 1Zcmuo-0003YY-QA
+ for <obnam-dev@obnam.org>; Fri, 18 Sep 2015 05:04:50 +0100
+Received: from mail-ig0-f171.google.com ([209.85.213.171])
+ by mx0.pepperfish.net with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128)
+ (Exim 4.80) (envelope-from <mathstuf@gmail.com>) id 1Zcmum-0003Qe-L7
+ for obnam-dev@obnam.org; Fri, 18 Sep 2015 05:04:50 +0100
+Received: by igxx6 with SMTP id x6so9583131igx.1
+ for <obnam-dev@obnam.org>; Thu, 17 Sep 2015 21:04:37 -0700 (PDT)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
+ h=from:to:cc:subject:date:message-id:in-reply-to:references;
+ bh=SZPlbnFoz2WA1Y7aYBNRmUBHpoPalHx4dGrkIkZ2Xic=;
+ b=pZuoVX9uqWU4Hgx6TYHWSH1/gN/lmxM09JxbK+ozItYp1w9WDUj0THw4mGHFuzvBrK
+ nBhM3sRBwLQNwP3/YLvmFFTgJW5hi2Jdx5WH48V7mQBfPBB/OPRpQnpZgQtfxwAapLYc
+ 21ED9ItgwobDsx7OWmzaJnGfKOaKTDwFGY/PqB4/JW8FcMCXcNa+OEax0xVR+ZW4jUJU
+ RjvDHiTRv+J83XPl/VQl4Ike9p0iCKfUAqCsccdSw2ENllIQC2GLI8a5ouJhXUpHEbTf
+ t19mobI9n1jck4MdbQdQtVhZtd9zW+0C2Gnz2SgSBczxBHWmcpdXfvwb7XEjwqidqPeB
+ fK4g==
+X-Received: by 10.50.147.100 with SMTP id tj4mr12187146igb.65.1442549077079;
+ Thu, 17 Sep 2015 21:04:37 -0700 (PDT)
+Received: from localhost (142.sub-70-209-132.myvzw.com. [70.209.132.142])
+ by smtp.gmail.com with ESMTPSA id 10sm2869684ios.28.2015.09.17.21.04.34
+ (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
+ Thu, 17 Sep 2015 21:04:35 -0700 (PDT)
+From: Ben Boeckel <mathstuf@gmail.com>
+To: obnam-dev@obnam.org
+Date: Fri, 18 Sep 2015 00:04:31 -0400
+Message-Id: <1442549071-18185-1-git-send-email-mathstuf@gmail.com>
+X-Mailer: git-send-email 2.5.2
+In-Reply-To: <1441948936-12526-1-git-send-email-mathstuf@gmail.com>
+References: <1441948936-12526-1-git-send-email-mathstuf@gmail.com>
+X-Spam-Score: -0.5
+X-Spam-Score-int: -4
+X-Spam-Bar: /
+X-Scanned-By: pepperfish.net, Fri, 18 Sep 2015 05:04:50 +0100
+X-Spam-Report: Content analysis details: (-0.5 points)
+ pts rule name description
+ ---- ---------------------- --------------------------------------------------
+ 1.0 PPF_FROM_CONTAINS_MAIL The From header contains 'mail'
+ 1.2 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
+ (mathstuf[at]gmail.com)
+ -0.0 SPF_PASS SPF: sender matches SPF record
+ -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
+ trust [209.85.213.171 listed in list.dnswl.org]
+ -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
+ [score: 0.0000]
+ -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
+ domain
+ 0.1 DKIM_SIGNED Message has a DKIM or DK signature,
+ not necessarily valid
+ -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
+X-ACL-Warn: message may be spam
+X-Scan-Signature: 3a65bd579f2b3171584e0b992ac633f6
+Cc: Ben Boeckel <mathstuf@gmail.com>
+Subject: [PATCH v3] encryption_plugin: add a gnupghome configuration option
+X-BeenThere: obnam-dev@obnam.org
+X-Mailman-Version: 2.1.5
+Precedence: list
+List-Id: Obnam development discussions <obnam-dev-obnam.org>
+List-Unsubscribe: <http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo/obnam-dev-obnam.org>,
+ <mailto:obnam-dev-request@obnam.org?subject=unsubscribe>
+List-Archive: <http://listmaster.pepperfish.net/pipermail/obnam-dev-obnam.org>
+List-Post: <mailto:obnam-dev@obnam.org>
+List-Help: <mailto:obnam-dev-request@obnam.org?subject=help>
+List-Subscribe: <http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo/obnam-dev-obnam.org>,
+ <mailto:obnam-dev-request@obnam.org?subject=subscribe>
+Sender: obnam-dev-bounces@obnam.org
+Errors-To: obnam-dev-bounces@obnam.org
+
+Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
+---
+ obnam.1.in | 5 +++++
+ obnamlib/plugins/encryption_plugin.py | 21 +++++++++++++++++----
+ yarns/0060-encryption.yarn | 16 ++++++++++++++++
+ yarns/9000-implements.yarn | 26 ++++++++++++++++++++++++++
+ 4 files changed, 64 insertions(+), 4 deletions(-)
+
+diff --git a/obnam.1.in b/obnam.1.in
+index bb9bd0e..65567ba 100644
+--- a/obnam.1.in
++++ b/obnam.1.in
+@@ -426,6 +426,11 @@ and then tell
+ about it using the
+ .B \-\-encrypt\-with
+ option.
++You may optionally use a separate home directory using the
++.B \-\-gnupghome
++option. By default, the default directory for
++.BR gpg(1)
++will be used.
+ .SS "Configuration files"
+ .B obnam
+ will look for configuration files in a number of locations.
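Review bot: In the added man-page text, `.BR gpg(1)` passes a single argument to `.BR`, so the section number is set in bold together with the name; the usual form is `.BR gpg (1)`, which leaves "(1)" in roman. The sentence "By default, the default directory for gpg(1) will be used" could also say how the option relates to a GNUPGHOME already set in the environment, since the text gives no indication of which one takes precedence.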
+diff --git a/obnamlib/plugins/encryption_plugin.py b/obnamlib/plugins/encryption_plugin.py
+index ec3bcca..9565b7e 100644
+--- a/obnamlib/plugins/encryption_plugin.py
++++ b/obnamlib/plugins/encryption_plugin.py
+@@ -49,6 +49,12 @@ class EncryptionPlugin(obnamlib.ObnamPlugin):
+ 'size of symmetric key, in bits',
+ metavar='BITS',
+ group=encryption_group)
++ self.app.settings.string(
++ ['gnupghome'],
++ 'home directory for GPG',
++ metavar='HOMEDIR',
++ group=encryption_group,
++ default=None)
+
+ self.tag = "encrypt1"
+
+@@ -87,7 +93,8 @@ class EncryptionPlugin(obnamlib.ObnamPlugin):
+ @property
+ def pubkey(self):
+ if self._pubkey is None:
+- self._pubkey = obnamlib.get_public_key(self.keyid)
++ self._pubkey = obnamlib.get_public_key(self.keyid,
++ gpghome=self.gnupghome)
+ return self._pubkey
+
+ @property
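Review bot: The `gpghome=self.gnupghome` keyword added to `obnamlib.get_public_key` here, and at the three other call sites further down, relies on `get_public_key`, `decrypt_with_secret_keys` and `get_public_key_user_ids` accepting a `gpghome` parameter, but the diffstat lists only `encryption_plugin.py` under `obnamlib/`, so nothing in this patch shows those signatures. The commit message has no body; a sentence naming the existing helper parameter this hooks into would help. The setting is spelled `gnupghome` while the keyword is `gpghome`, which is easy to trip over when grepping, so a short comment at one of the call sites would be welcome.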
+@@ -98,6 +105,10 @@ class EncryptionPlugin(obnamlib.ObnamPlugin):
+ return '/dev/random'
+
+ @property
++ def gnupghome(self):
++ return self.app.settings['gnupghome']
++
++ @property
+ def symmetric_key_bits(self):
+ return int(self.app.settings['symmetric-key-bits'] or '256')
+
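Review bot: The new `gnupghome` property returns the raw setting, so an empty value from a configuration file would reach the `gpghome=` keyword as an empty string rather than None, whereas the neighbouring `symmetric_key_bits` normalises its value with `or '256'`. Suggest `return self.app.settings['gnupghome'] or None` so that "unset" has a single representation, and consider checking here that a non-empty value is an existing directory, where the error message can name the option.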
+@@ -139,7 +150,8 @@ class EncryptionPlugin(obnamlib.ObnamPlugin):
+ key = self._symkeys.get(repo, toplevel)
+ if key is None:
+ encoded = repo.get_fs().cat(os.path.join(toplevel, 'key'))
+- key = obnamlib.decrypt_with_secret_keys(encoded)
++ key = obnamlib.decrypt_with_secret_keys(encoded,
++ gpghome=self.gnupghome)
+ self._symkeys.put(repo, toplevel, key)
+ return key
+
+@@ -222,7 +234,8 @@ class EncryptionPlugin(obnamlib.ObnamPlugin):
+ def _get_key_string(self, keyid):
+ verbose = self.app.settings['key-details']
+ if verbose:
+- user_ids = obnamlib.get_public_key_user_ids(keyid)
++ user_ids = obnamlib.get_public_key_user_ids(keyid,
++ gpghome=self.gnupghome)
+ if user_ids:
+ return "%s (%s)" % (keyid, ", ".join(user_ids))
+ return str(keyid)
+@@ -260,7 +273,7 @@ class EncryptionPlugin(obnamlib.ObnamPlugin):
+ self.app.settings.require('keyid')
+ repo = self.app.get_repository_object()
+ keyid = self.app.settings['keyid']
+- key = obnamlib.get_public_key(keyid)
++ key = obnamlib.get_public_key(keyid, gpghome=self.gnupghome)
+ clients = self._find_clientdirs(repo, args)
+ for toplevel in repo.get_shared_directories() + clients:
+ self.add_to_userkeys(repo, toplevel, key)
+diff --git a/yarns/0060-encryption.yarn b/yarns/0060-encryption.yarn
+index acbade8..6985f1f 100644
+--- a/yarns/0060-encryption.yarn
++++ b/yarns/0060-encryption.yarn
+@@ -46,6 +46,22 @@ that encryption is done at the I/O abstraction level.
+ AND user U restores their latest generation in repository R into X
+ THEN L, restored to X, matches manifest M
+
++Keys provided by a custom directory
++-----------------------------------
++
++We'll make a simple backup and restore using encryption. If this
++works, we can probably assume that any other normal repository
++operations (those not part of encryption management) also work, given
++that encryption is done at the I/O abstraction level.
++
++ SCENARIO encrypted backup and restore with a separate keyring
++ GIVEN user U separately uses encryption key "Test Key One" from test-data/keyring-1
++ AND 128kB of new data in directory L
++ AND a manifest of L in M
++ WHEN user U backs up directory L to repository R
++ AND user U restores their latest generation in repository R into X
++ THEN L, restored to X, matches manifest M
++
+ Adding and removing keys to clients
+ -----------------------------------
+
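Review bot: The introductory paragraph of the new "Keys provided by a custom directory" section repeats the wording of the preceding scenario (it ends on the same "encryption is done at the I/O abstraction level" sentence that appears in the hunk header) and never says what is different, namely that the key comes from a separate GnuPG home directory. The scenario also asserts only that the restore matches the manifest, which would still pass if the `gnupghome` setting were ignored and the same key were reachable through the default keyring; a step showing that the operation fails without the setting would make the test specific to this option.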
+diff --git a/yarns/9000-implements.yarn b/yarns/9000-implements.yarn
+index 204611c..4a03f3d 100644
+--- a/yarns/9000-implements.yarn
++++ b/yarns/9000-implements.yarn
+@@ -231,6 +231,32 @@ use. We store that.
+
+ add_to_config "$MATCH_1" encrypt-with "$MATCH_2"
+
++Scenarios involving encryption may also use a private keyring directory.
++
++ IMPLEMENTS GIVEN user (\S+) separately uses encryption key "(.*)" from (\S+)
++ if [ ! -e "$DATADIR/$MATCH_1.gnupg" ]
++ then
++ mkdir "$DATADIR/$MATCH_1.gnupg"
++ cp -a "$SRCDIR/$MATCH_3/." "$DATADIR/$MATCH_1.gnupg/."
++ add_to_config "$MATCH_1" gnupghome "$DATADIR/$MATCH_1.gnupg"
++ else
++ # Export public and secret keys from new keyring.
++ export GNUPGHOME="$SRCDIR/$MATCH_3"
++ gpg --export "$MATCH_2" > "$DATADIR/public.key"
++ gpg --export-secret-keys "$MATCH_2" > "$DATADIR/secret.key"
++
++ # Import into the keyring uses for tests.
++ export GNUPGHOME="$DATADIR/$MATCH_1.gnupg"
++ gpg --import "$DATADIR/public.key"
++ gpg --import "$DATADIR/secret.key"
++
++ # Use the configuration rather than the environment.
++ add_to_config "$MATCH_1" gnupghome "$GNUPGHOME"
++ unset GNUPGHOME
++ fi
++
++ add_to_config "$MATCH_1" encrypt-with "$MATCH_2"
++
+ Encryption scenarions, at least, also need users that pretend to be
+ someone else.
+
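Review bot: In the `else` branch of the new IMPLEMENTS step, `gpg --export-secret-keys "$MATCH_2" > "$DATADIR/secret.key"` leaves the exported secret key (and `public.key`) in `$DATADIR` after the import; remove both files once imported, or pipe the export directly into the import. In the `then` branch, `mkdir "$DATADIR/$MATCH_1.gnupg"` uses the umask's default mode, and gpg warns about a home directory that others can access, so `mkdir -m 700` is safer unless `cp -a` is relied on to carry a stricter mode over from the source. The comment "Import into the keyring uses for tests" should read "used", and the `add_to_config "$MATCH_1" gnupghome` call is written out in both branches with the same effective path, so it could move below the `fi`.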
+--
+2.5.2
+
+
+_______________________________________________
+obnam-dev mailing list
+obnam-dev@obnam.org
+http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo/obnam-dev-obnam.org