1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
|
Return-Path: <obnam-dev-bounces@obnam.org>
X-Original-To: distix@pieni.net
Delivered-To: distix@pieni.net
Received: from bagpuss.pepperfish.net (bagpuss.pepperfish.net [148.251.8.16])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by pieni.net (Postfix) with ESMTPS id A6F462389D
for <distix@pieni.net>; Tue, 15 Sep 2015 03:01:28 +0200 (CEST)
Received: from platypus.pepperfish.net (unknown [10.112.100.20])
by bagpuss.pepperfish.net (Postfix) with ESMTP id 521562BE;
Tue, 15 Sep 2015 02:01:28 +0100 (BST)
Received: from ip6-localhost ([::1] helo=platypus.pepperfish.net)
by platypus.pepperfish.net with esmtp (Exim 4.80 #2 (Debian))
id 1Zbeci-00044i-6m; Tue, 15 Sep 2015 02:01:28 +0100
Received: from inmail0 ([10.112.100.10] helo=mx0.pepperfish.net)
by platypus.pepperfish.net with esmtp (Exim 4.80 #2 (Debian))
id 1Zbecg-00044c-LC
for <obnam-dev@obnam.org>; Tue, 15 Sep 2015 02:01:26 +0100
Received: from mail-io0-f181.google.com ([209.85.223.181])
by mx0.pepperfish.net with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128)
(Exim 4.80) (envelope-from <mathstuf@gmail.com>) id 1Zbece-0005BF-Ki
for obnam-dev@obnam.org; Tue, 15 Sep 2015 02:01:26 +0100
Received: by ioiz6 with SMTP id z6so185150411ioi.2
for <obnam-dev@obnam.org>; Mon, 14 Sep 2015 18:01:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
h=from:to:cc:subject:date:message-id:in-reply-to:references;
bh=n5E0A1ogB7br/Mfoam/NDBDq8XJLXefyvgjY96z2AXY=;
b=Nm4fCggDaoC5VBgZ2neQ+sWpX+lqwIrf1ovyNlsT3tgpVddETGAE29iU3uXskScTup
cswrungZfve29ITa3uDh6RRiTE7bf/kbOBxIYCm6xC51+1SJd/n6jvzeeI+uNdgK87x6
5DOLEmtopfOwk4P7HXTWTCZjkPpB3RvG2qv7umiuzbbsMaTSSRCQV7FdoIeNMrU0D70q
UDb9VdgTD/LgY/aOlfGd2azbBYAP34xxRza7GFehwyqoqUBzC7MDnnECduhnN/9nrikZ
ggk8Vvv/d8FqwcUHDhy/BwW2cODaxz0cPITffJw99RUiQf92j9NhPM7nCMl12n7hMtsc
Q0ww==
X-Received: by 10.107.164.38 with SMTP id n38mr27283916ioe.45.1442278872846;
Mon, 14 Sep 2015 18:01:12 -0700 (PDT)
Received: from localhost (179.sub-70-209-135.myvzw.com. [70.209.135.179])
by smtp.gmail.com with ESMTPSA id b16sm784313iob.39.2015.09.14.18.01.11
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Mon, 14 Sep 2015 18:01:11 -0700 (PDT)
From: Ben Boeckel <mathstuf@gmail.com>
To: obnam-dev@obnam.org
Date: Mon, 14 Sep 2015 21:00:57 -0400
Message-Id: <1442278857-352-2-git-send-email-mathstuf@gmail.com>
X-Mailer: git-send-email 2.5.2
In-Reply-To: <1442278857-352-1-git-send-email-mathstuf@gmail.com>
References: <1441948936-12526-1-git-send-email-mathstuf@gmail.com>
<1442278857-352-1-git-send-email-mathstuf@gmail.com>
X-Spam-Score: -0.5
X-Spam-Score-int: -4
X-Spam-Bar: /
X-Scanned-By: pepperfish.net, Tue, 15 Sep 2015 02:01:26 +0100
X-Spam-Report: Content analysis details: (-0.5 points)
pts rule name description
---- ---------------------- --------------------------------------------------
1.0 PPF_FROM_CONTAINS_MAIL The From header contains 'mail'
1.2 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(mathstuf[at]gmail.com)
-0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
trust [209.85.223.181 listed in list.dnswl.org]
-0.0 SPF_PASS SPF: sender matches SPF record
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-ACL-Warn: message may be spam
X-Scan-Signature: de97edb17eef4c57d29e13fd2fad1a5b
Cc: Ben Boeckel <mathstuf@gmail.com>
Subject: [PATCH v2] encryption_plugin: add a gnupghome configuration option
X-BeenThere: obnam-dev@obnam.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Obnam development discussions <obnam-dev-obnam.org>
List-Unsubscribe: <http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo/obnam-dev-obnam.org>,
<mailto:obnam-dev-request@obnam.org?subject=unsubscribe>
List-Archive: <http://listmaster.pepperfish.net/pipermail/obnam-dev-obnam.org>
List-Post: <mailto:obnam-dev@obnam.org>
List-Help: <mailto:obnam-dev-request@obnam.org?subject=help>
List-Subscribe: <http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo/obnam-dev-obnam.org>,
<mailto:obnam-dev-request@obnam.org?subject=subscribe>
Sender: obnam-dev-bounces@obnam.org
Errors-To: obnam-dev-bounces@obnam.org
Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
---
obnam.1.in | 5 +++++
obnamlib/plugins/encryption_plugin.py | 22 ++++++++++++++++++----
yarns/0060-encryption.yarn | 16 ++++++++++++++++
yarns/9000-implements.yarn | 26 ++++++++++++++++++++++++++
4 files changed, 65 insertions(+), 4 deletions(-)
diff --git a/obnam.1.in b/obnam.1.in
index bb9bd0e..65567ba 100644
--- a/obnam.1.in
+++ b/obnam.1.in
@@ -426,6 +426,11 @@ and then tell
about it using the
.B \-\-encrypt\-with
option.
+You may optionally use a separate home directory using the
+.B \-\-gnupghome
+option. By default, the default directory for
+.BR gpg(1)
+will be used.
.SS "Configuration files"
.B obnam
will look for configuration files in a number of locations.
diff --git a/obnamlib/plugins/encryption_plugin.py b/obnamlib/plugins/encryption_plugin.py
index ec3bcca..3c3ad94 100644
--- a/obnamlib/plugins/encryption_plugin.py
+++ b/obnamlib/plugins/encryption_plugin.py
@@ -49,6 +49,12 @@ class EncryptionPlugin(obnamlib.ObnamPlugin):
'size of symmetric key, in bits',
metavar='BITS',
group=encryption_group)
+ self.app.settings.string(
+ ['gnupghome'],
+ 'home directory for GPG',
+ metavar='HOMEDIR',
+ group=encryption_group,
+ default=None)
self.tag = "encrypt1"
@@ -87,7 +93,8 @@ class EncryptionPlugin(obnamlib.ObnamPlugin):
@property
def pubkey(self):
if self._pubkey is None:
- self._pubkey = obnamlib.get_public_key(self.keyid)
+ self._pubkey = obnamlib.get_public_key(self.keyid,
+ gpghome=self.gnupghome)
return self._pubkey
@property
@@ -98,6 +105,11 @@ class EncryptionPlugin(obnamlib.ObnamPlugin):
return '/dev/random'
@property
+ def gnupghome(self):
+ print 'gnupghome', self.app.settings['gnupghome']
+ return self.app.settings['gnupghome']
+
+ @property
def symmetric_key_bits(self):
return int(self.app.settings['symmetric-key-bits'] or '256')
@@ -139,7 +151,8 @@ class EncryptionPlugin(obnamlib.ObnamPlugin):
key = self._symkeys.get(repo, toplevel)
if key is None:
encoded = repo.get_fs().cat(os.path.join(toplevel, 'key'))
- key = obnamlib.decrypt_with_secret_keys(encoded)
+ key = obnamlib.decrypt_with_secret_keys(encoded,
+ gpghome=self.gnupghome)
self._symkeys.put(repo, toplevel, key)
return key
@@ -222,7 +235,8 @@ class EncryptionPlugin(obnamlib.ObnamPlugin):
def _get_key_string(self, keyid):
verbose = self.app.settings['key-details']
if verbose:
- user_ids = obnamlib.get_public_key_user_ids(keyid)
+ user_ids = obnamlib.get_public_key_user_ids(keyid,
+ gpghome=self.gnupghome)
if user_ids:
return "%s (%s)" % (keyid, ", ".join(user_ids))
return str(keyid)
@@ -260,7 +274,7 @@ class EncryptionPlugin(obnamlib.ObnamPlugin):
self.app.settings.require('keyid')
repo = self.app.get_repository_object()
keyid = self.app.settings['keyid']
- key = obnamlib.get_public_key(keyid)
+ key = obnamlib.get_public_key(keyid, gpghome=self.gnupghome)
clients = self._find_clientdirs(repo, args)
for toplevel in repo.get_shared_directories() + clients:
self.add_to_userkeys(repo, toplevel, key)
diff --git a/yarns/0060-encryption.yarn b/yarns/0060-encryption.yarn
index acbade8..6985f1f 100644
--- a/yarns/0060-encryption.yarn
+++ b/yarns/0060-encryption.yarn
@@ -46,6 +46,22 @@ that encryption is done at the I/O abstraction level.
AND user U restores their latest generation in repository R into X
THEN L, restored to X, matches manifest M
+Keys provided by a custom directory
+-----------------------------------
+
+We'll make a simple backup and restore using encryption. If this
+works, we can probably assume that any other normal repository
+operations (those not part of encryption management) also work, given
+that encryption is done at the I/O abstraction level.
+
+ SCENARIO encrypted backup and restore with a separate keyring
+ GIVEN user U separately uses encryption key "Test Key One" from test-data/keyring-1
+ AND 128kB of new data in directory L
+ AND a manifest of L in M
+ WHEN user U backs up directory L to repository R
+ AND user U restores their latest generation in repository R into X
+ THEN L, restored to X, matches manifest M
+
Adding and removing keys to clients
-----------------------------------
diff --git a/yarns/9000-implements.yarn b/yarns/9000-implements.yarn
index 204611c..4a03f3d 100644
--- a/yarns/9000-implements.yarn
+++ b/yarns/9000-implements.yarn
@@ -231,6 +231,32 @@ use. We store that.
add_to_config "$MATCH_1" encrypt-with "$MATCH_2"
+Scenarios involving encryption may also use a private keyring directory.
+
+ IMPLEMENTS GIVEN user (\S+) separately uses encryption key "(.*)" from (\S+)
+ if [ ! -e "$DATADIR/$MATCH_1.gnupg" ]
+ then
+ mkdir "$DATADIR/$MATCH_1.gnupg"
+ cp -a "$SRCDIR/$MATCH_3/." "$DATADIR/$MATCH_1.gnupg/."
+ add_to_config "$MATCH_1" gnupghome "$DATADIR/$MATCH_1.gnupg"
+ else
+ # Export public and secret keys from new keyring.
+ export GNUPGHOME="$SRCDIR/$MATCH_3"
+ gpg --export "$MATCH_2" > "$DATADIR/public.key"
+ gpg --export-secret-keys "$MATCH_2" > "$DATADIR/secret.key"
+
+ # Import into the keyring uses for tests.
+ export GNUPGHOME="$DATADIR/$MATCH_1.gnupg"
+ gpg --import "$DATADIR/public.key"
+ gpg --import "$DATADIR/secret.key"
+
+ # Use the configuration rather than the environment.
+ add_to_config "$MATCH_1" gnupghome "$GNUPGHOME"
+ unset GNUPGHOME
+ fi
+
+ add_to_config "$MATCH_1" encrypt-with "$MATCH_2"
+
Encryption scenarions, at least, also need users that pretend to be
someone else.
--
2.5.2
_______________________________________________
obnam-dev mailing list
obnam-dev@obnam.org
http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo/obnam-dev-obnam.org
|
