diff options
Diffstat (limited to 'tickets/b6df8a5d7d3d4b7e8c2ddf8c95cfc33d/Maildir/new/1455999004.M795209P17339Q148.exolobe1')
-rw-r--r-- | tickets/b6df8a5d7d3d4b7e8c2ddf8c95cfc33d/Maildir/new/1455999004.M795209P17339Q148.exolobe1 | 265 |
1 files changed, 265 insertions, 0 deletions
diff --git a/tickets/b6df8a5d7d3d4b7e8c2ddf8c95cfc33d/Maildir/new/1455999004.M795209P17339Q148.exolobe1 b/tickets/b6df8a5d7d3d4b7e8c2ddf8c95cfc33d/Maildir/new/1455999004.M795209P17339Q148.exolobe1 new file mode 100644 index 0000000..d0e766e --- /dev/null +++ b/tickets/b6df8a5d7d3d4b7e8c2ddf8c95cfc33d/Maildir/new/1455999004.M795209P17339Q148.exolobe1 @@ -0,0 +1,265 @@ +Return-Path: <obnam-dev-bounces@obnam.org> +X-Original-To: distix@pieni.net +Delivered-To: distix@pieni.net +Received: from bagpuss.pepperfish.net (bagpuss.pepperfish.net [148.251.8.16]) + (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) + (No client certificate requested) + by pieni.net (Postfix) with ESMTPS id ABACC2B256 + for <distix@pieni.net>; Fri, 25 Sep 2015 07:38:29 +0200 (CEST) +Received: from platypus.pepperfish.net (unknown [10.112.100.20]) + by bagpuss.pepperfish.net (Postfix) with ESMTP id 676A5BC4; + Fri, 25 Sep 2015 06:38:29 +0100 (BST) +Received: from ip6-localhost ([::1] helo=platypus.pepperfish.net) + by platypus.pepperfish.net with esmtp (Exim 4.80 #2 (Debian)) + id 1ZfLiH-0006xo-9h; Fri, 25 Sep 2015 06:38:29 +0100 +Received: from inmail0 ([10.112.100.10] helo=mx0.pepperfish.net) + by platypus.pepperfish.net with esmtp (Exim 4.80 #2 (Debian)) + id 1ZfLiF-0006xf-KG + for <obnam-dev@obnam.org>; Fri, 25 Sep 2015 06:38:27 +0100 +Received: from mail-ig0-f173.google.com ([209.85.213.173]) + by mx0.pepperfish.net with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) + (Exim 4.80) (envelope-from <mathstuf@gmail.com>) id 1ZfLiD-0005R2-Kr + for obnam-dev@obnam.org; Fri, 25 Sep 2015 06:38:27 +0100 +Received: by igbkq10 with SMTP id kq10so4586157igb.0 + for <obnam-dev@obnam.org>; Thu, 24 Sep 2015 22:38:14 -0700 (PDT) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; + h=from:to:cc:subject:date:message-id:in-reply-to:references; + bh=K+bKOZGoJTfuoDWhxGeQ4roXuZFjyh0PNGNPoa/ArrA=; + b=VHwKJm77Wl+3aqu9kaRV4kKJZ6/igkveIfLRpPAtDnZCeFEBxq15KUej2phUcGii/w + lOQZRluDBjhH60fKxiLh59/4zpiOnk12SWJIqEp+DNGw4jC4w+4srEwMALyvnjJAAxpk + DDpjaCP9QU72NgLtEtbWqeaAhDQEffMCRF4C2QR0UB3C5uqxIRSbCgC5dW7+w0qkW9yl + 0GJRjr5R3P8jdqyG7ng9qF4VXN3jhQIh9OUAZdAicudQVde2tSdvISHQ9/PZUCO04NXu + prde0bF/KqkJAAbC1dm1wbtD3VaZSQboNJzq2ML7C8QE+isUWXYVl+s4oFSf0u4Zlvpp + To4A== +X-Received: by 10.50.43.166 with SMTP id x6mr750850igl.89.1443159494208; + Thu, 24 Sep 2015 22:38:14 -0700 (PDT) +Received: from localhost (26.sub-70-209-128.myvzw.com. [70.209.128.26]) + by smtp.gmail.com with ESMTPSA id r40sm1045015ioe.20.2015.09.24.22.38.12 + (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); + Thu, 24 Sep 2015 22:38:13 -0700 (PDT) +From: Ben Boeckel <mathstuf@gmail.com> +To: obnam-dev@obnam.org +Date: Fri, 25 Sep 2015 01:37:54 -0400 +Message-Id: <1443159474-27126-5-git-send-email-mathstuf@gmail.com> +X-Mailer: git-send-email 2.5.3 +In-Reply-To: <1443159474-27126-1-git-send-email-mathstuf@gmail.com> +References: <1441948936-12526-1-git-send-email-mathstuf@gmail.com> + <1443159474-27126-1-git-send-email-mathstuf@gmail.com> +X-Spam-Score: -0.5 +X-Spam-Score-int: -4 +X-Spam-Bar: / +X-Scanned-By: pepperfish.net, Fri, 25 Sep 2015 06:38:27 +0100 +X-Spam-Report: Content analysis details: (-0.5 points) + pts rule name description + ---- ---------------------- -------------------------------------------------- + 1.0 PPF_FROM_CONTAINS_MAIL The From header contains 'mail' + 1.2 FREEMAIL_FROM Sender email is commonly abused enduser mail provider + (mathstuf[at]gmail.com) + -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low + trust [209.85.213.173 listed in list.dnswl.org] + -0.0 SPF_PASS SPF: sender matches SPF record + -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% + [score: 0.0000] + -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's + domain + 0.1 DKIM_SIGNED Message has a DKIM or DK signature, + not necessarily valid + -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature +X-ACL-Warn: message may be spam +X-Scan-Signature: 9b7708930aaa5da1198bf3074de4387e +Cc: Ben Boeckel <mathstuf@gmail.com> +Subject: [PATCH v4 4/4] encryption_plugin: add a gnupghome configuration + option +X-BeenThere: obnam-dev@obnam.org +X-Mailman-Version: 2.1.5 +Precedence: list +List-Id: Obnam development discussions <obnam-dev-obnam.org> +List-Unsubscribe: <http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo/obnam-dev-obnam.org>, + <mailto:obnam-dev-request@obnam.org?subject=unsubscribe> +List-Archive: <http://listmaster.pepperfish.net/pipermail/obnam-dev-obnam.org> +List-Post: <mailto:obnam-dev@obnam.org> +List-Help: <mailto:obnam-dev-request@obnam.org?subject=help> +List-Subscribe: <http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo/obnam-dev-obnam.org>, + <mailto:obnam-dev-request@obnam.org?subject=subscribe> +Sender: obnam-dev-bounces@obnam.org +Errors-To: obnam-dev-bounces@obnam.org + +Signed-off-by: Ben Boeckel <mathstuf@gmail.com> +--- + obnam.1.in | 5 +++++ + obnamlib/plugins/encryption_plugin.py | 27 +++++++++++++++++++++------ + yarns/0060-encryption.yarn | 16 ++++++++++++++++ + yarns/9000-implements.yarn | 26 ++++++++++++++++++++++++++ + 4 files changed, 68 insertions(+), 6 deletions(-) + +diff --git a/obnam.1.in b/obnam.1.in +index 08ca79a..8a2de45 100644 +--- a/obnam.1.in ++++ b/obnam.1.in +@@ -426,6 +426,11 @@ and then tell + about it using the + .B \-\-encrypt\-with + option. ++You may optionally use a separate home directory using the ++.B \-\-gnupghome ++option. By default, the default directory for ++.BR gpg(1) ++will be used. + .SS "Configuration files" + .B obnam + will look for configuration files in a number of locations. +diff --git a/obnamlib/plugins/encryption_plugin.py b/obnamlib/plugins/encryption_plugin.py +index ec3bcca..8c8eecf 100644 +--- a/obnamlib/plugins/encryption_plugin.py ++++ b/obnamlib/plugins/encryption_plugin.py +@@ -49,6 +49,12 @@ class EncryptionPlugin(obnamlib.ObnamPlugin): + 'size of symmetric key, in bits', + metavar='BITS', + group=encryption_group) ++ self.app.settings.string( ++ ['gnupghome'], ++ 'home directory for GPG', ++ metavar='HOMEDIR', ++ group=encryption_group, ++ default=None) + + self.tag = "encrypt1" + +@@ -87,7 +93,8 @@ class EncryptionPlugin(obnamlib.ObnamPlugin): + @property + def pubkey(self): + if self._pubkey is None: +- self._pubkey = obnamlib.get_public_key(self.keyid) ++ self._pubkey = obnamlib.get_public_key(self.keyid, ++ gpghome=self.gnupghome) + return self._pubkey + + @property +@@ -98,6 +105,10 @@ class EncryptionPlugin(obnamlib.ObnamPlugin): + return '/dev/random' + + @property ++ def gnupghome(self): ++ return self.app.settings['gnupghome'] ++ ++ @property + def symmetric_key_bits(self): + return int(self.app.settings['symmetric-key-bits'] or '256') + +@@ -127,19 +138,22 @@ class EncryptionPlugin(obnamlib.ObnamPlugin): + + def filter_read(self, encrypted, repo, toplevel): + symmetric_key = self.get_symmetric_key(repo, toplevel) +- return obnamlib.decrypt_symmetric(encrypted, symmetric_key) ++ return obnamlib.decrypt_symmetric(encrypted, symmetric_key, ++ gpghome=self.gnupghome) + + def filter_write(self, cleartext, repo, toplevel): + if not self.keyid: + return cleartext + symmetric_key = self.get_symmetric_key(repo, toplevel) +- return obnamlib.encrypt_symmetric(cleartext, symmetric_key) ++ return obnamlib.encrypt_symmetric(cleartext, symmetric_key, ++ gpghome=self.gnupghome) + + def get_symmetric_key(self, repo, toplevel): + key = self._symkeys.get(repo, toplevel) + if key is None: + encoded = repo.get_fs().cat(os.path.join(toplevel, 'key')) +- key = obnamlib.decrypt_with_secret_keys(encoded) ++ key = obnamlib.decrypt_with_secret_keys(encoded, ++ gpghome=self.gnupghome) + self._symkeys.put(repo, toplevel, key) + return key + +@@ -222,7 +236,8 @@ class EncryptionPlugin(obnamlib.ObnamPlugin): + def _get_key_string(self, keyid): + verbose = self.app.settings['key-details'] + if verbose: +- user_ids = obnamlib.get_public_key_user_ids(keyid) ++ user_ids = obnamlib.get_public_key_user_ids(keyid, ++ gpghome=self.gnupghome) + if user_ids: + return "%s (%s)" % (keyid, ", ".join(user_ids)) + return str(keyid) +@@ -260,7 +275,7 @@ class EncryptionPlugin(obnamlib.ObnamPlugin): + self.app.settings.require('keyid') + repo = self.app.get_repository_object() + keyid = self.app.settings['keyid'] +- key = obnamlib.get_public_key(keyid) ++ key = obnamlib.get_public_key(keyid, gpghome=self.gnupghome) + clients = self._find_clientdirs(repo, args) + for toplevel in repo.get_shared_directories() + clients: + self.add_to_userkeys(repo, toplevel, key) +diff --git a/yarns/0060-encryption.yarn b/yarns/0060-encryption.yarn +index acbade8..6985f1f 100644 +--- a/yarns/0060-encryption.yarn ++++ b/yarns/0060-encryption.yarn +@@ -46,6 +46,22 @@ that encryption is done at the I/O abstraction level. + AND user U restores their latest generation in repository R into X + THEN L, restored to X, matches manifest M + ++Keys provided by a custom directory ++----------------------------------- ++ ++We'll make a simple backup and restore using encryption. If this ++works, we can probably assume that any other normal repository ++operations (those not part of encryption management) also work, given ++that encryption is done at the I/O abstraction level. ++ ++ SCENARIO encrypted backup and restore with a separate keyring ++ GIVEN user U separately uses encryption key "Test Key One" from test-data/keyring-1 ++ AND 128kB of new data in directory L ++ AND a manifest of L in M ++ WHEN user U backs up directory L to repository R ++ AND user U restores their latest generation in repository R into X ++ THEN L, restored to X, matches manifest M ++ + Adding and removing keys to clients + ----------------------------------- + +diff --git a/yarns/9000-implements.yarn b/yarns/9000-implements.yarn +index 204611c..4a03f3d 100644 +--- a/yarns/9000-implements.yarn ++++ b/yarns/9000-implements.yarn +@@ -231,6 +231,32 @@ use. We store that. + + add_to_config "$MATCH_1" encrypt-with "$MATCH_2" + ++Scenarios involving encryption may also use a private keyring directory. ++ ++ IMPLEMENTS GIVEN user (\S+) separately uses encryption key "(.*)" from (\S+) ++ if [ ! -e "$DATADIR/$MATCH_1.gnupg" ] ++ then ++ mkdir "$DATADIR/$MATCH_1.gnupg" ++ cp -a "$SRCDIR/$MATCH_3/." "$DATADIR/$MATCH_1.gnupg/." ++ add_to_config "$MATCH_1" gnupghome "$DATADIR/$MATCH_1.gnupg" ++ else ++ # Export public and secret keys from new keyring. ++ export GNUPGHOME="$SRCDIR/$MATCH_3" ++ gpg --export "$MATCH_2" > "$DATADIR/public.key" ++ gpg --export-secret-keys "$MATCH_2" > "$DATADIR/secret.key" ++ ++ # Import into the keyring uses for tests. ++ export GNUPGHOME="$DATADIR/$MATCH_1.gnupg" ++ gpg --import "$DATADIR/public.key" ++ gpg --import "$DATADIR/secret.key" ++ ++ # Use the configuration rather than the environment. ++ add_to_config "$MATCH_1" gnupghome "$GNUPGHOME" ++ unset GNUPGHOME ++ fi ++ ++ add_to_config "$MATCH_1" encrypt-with "$MATCH_2" ++ + Encryption scenarions, at least, also need users that pretend to be + someone else. + +-- +2.5.3 + + +_______________________________________________ +obnam-dev mailing list +obnam-dev@obnam.org +http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo/obnam-dev-obnam.org |