commit c9ece957849dee78a7aeb3e5b3e2b9cfbdd0aecb
parent 5bc77b4d946b6cb4e7afc8c3c2f925ddfcd17e0e
Author: Mark Feller <mark@mfeller.io>
Date: Thu, 16 Dec 2021 18:51:34 -0700
convert pash to use age instead of gpg
Diffstat:
1 file changed, 12 insertions(+), 26 deletions(-)
diff --git a/dots/.local/bin/pash b/dots/.local/bin/pash
@@ -32,22 +32,14 @@ pw_add() {
[ "$pass" ] || die "Failed to generate a password"
- # Mimic the use of an array for storing arguments by... using
- # the function's argument list. This is very apt isn't it?
- if [ "$PASH_KEYID" ]; then
- set -- --trust-model always -aer "$PASH_KEYID"
- else
- set -- -c
- fi
-
- # Use 'gpg' to store the password in an encrypted file.
+ # Use 'age' to store the password in an encrypted file.
# A heredoc is used here instead of a 'printf' to avoid
# leaking the password through the '/proc' filesystem.
#
# Heredocs are sometimes implemented via temporary files,
# however this is typically done using 'mkstemp()' which
# is more secure than a leak in '/proc'.
- "$gpg" "$@" -o "$name.gpg" <<-EOF &&
+ "$age" -o "$name.age" -R ~/.ssh/id_ed25519.pub <<-EOF &&
$pass
EOF
printf '%s\n' "Saved '$name' to the store."
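Review bot: The recipient on the new `"$age" -o "$name.age" -R ~/.ssh/id_ed25519.pub` line is hard-coded and never checked, so a missing or unreadable key file only surfaces as age's own error and the function returns age's exit status without pash's usual `die` message; with the `PASH_KEYID` override gone there is also no way to encrypt to a different key. I would name the recipient once and verify it before the heredoc: `recipients=${PASH_RECIPIENTS:-$HOME/.ssh/id_ed25519.pub}`, `[ -r "$recipients" ] || die "Recipients file '$recipients' not found"`, and then `-R "$recipients"` in place of the literal path. Note also that the store's confidentiality is now bound to the SSH private key: if `~/.ssh/id_ed25519` has no passphrase, anyone who can read that file can decrypt every entry, which is worth stating in a comment next to the recipient line. The rest of pw_add, including the password generation above, lies outside this hunk.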
@@ -55,7 +47,7 @@ pw_add() {
pw_del() {
yn "Delete pass file '$1'?" && {
- rm -f "$1.gpg"
+ rm -f "$1.age"
# Remove empty parent directories of a password
# entry. It's fine if this fails as it means that
@@ -65,7 +57,7 @@ pw_del() {
}
pw_show() {
- "$gpg" -dq "$1.gpg"
+ "$age" -d -i ~/.ssh/id_rsa "$1.age" 2> /dev/null || "$age" -d -i ~/.ssh/id_ed25519 "$1.age"
}
pw_copy() {
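Review bot: The new pw_show line decrypts with `~/.ssh/id_rsa` first and silences its stderr, yet pw_add only ever encrypts to `id_ed25519.pub`, so for every entry this version writes the first attempt is guaranteed to fail and a real failure in it (corrupt file, unreadable key) is hidden behind the second attempt's message. Unless existing entries were encrypted to the RSA key, a single identity that mirrors pw_add is clearer and fails loudly: `"$age" -d -i "${PASH_IDENTITY:-$HOME/.ssh/id_ed25519}" "$1.age"`. If the RSA fallback is intentional, drop the `2> /dev/null` so the first attempt's error is not lost, and add a comment saying the RSA path exists only for legacy entries.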
@@ -90,14 +82,14 @@ pw_copy() {
}
pw_list() {
- find . -type f -name \*.gpg | sed 's/..//;s/\.gpg$//'
+ find . -type f -name \*.age | sed 's/..//;s/\.age$//'
}
pw_tree() {
command -v tree >/dev/null 2>&1 ||
die "'tree' command not found"
- tree --noreport | sed 's/\.gpg$//'
+ tree --noreport | sed 's/\.age$//'
}
yn() {
@@ -175,13 +167,11 @@ exit 0
main() {
: "${PASH_DIR:=${XDG_DATA_HOME:=$HOME/.local/share}/pash}"
- # Look for both 'gpg' and 'gpg2',
- # preferring 'gpg2' if it is available.
- command -v gpg >/dev/null 2>&1 && gpg=gpg
- command -v gpg2 >/dev/null 2>&1 && gpg=gpg2
+ # Look for 'age',
+ command -v age >/dev/null 2>&1 && age=age
- [ "$gpg" ] ||
- die "GPG not found"
+ [ "$age" ] ||
+ die "age not found"
mkdir -p "$PASH_DIR" ||
die "Couldn't create password directory"
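Review bot: The new comment `# Look for 'age',` is a fragment left over from the two-line gpg/gpg2 note it replaced and no longer says why the lookup exists. Since there is only one binary name to probe now, a complete sentence such as `# Look for 'age' in PATH; unlike gpg there is no alternate binary name.` reads better above `command -v age >/dev/null 2>&1 && age=age`. The remainder of main runs past the end of this hunk.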
@@ -192,10 +182,10 @@ main() {
glob "$1" '[acds]*' && [ -z "$2" ] &&
die "Missing [name] argument"
- glob "$1" '[cds]*' && [ ! -f "$2.gpg" ] &&
+ glob "$1" '[cds]*' && [ ! -f "$2.age" ] &&
die "Pass file '$2' doesn't exist"
- glob "$1" 'a*' && [ -f "$2.gpg" ] &&
+ glob "$1" 'a*' && [ -f "$2.age" ] &&
die "Pass file '$2' already exists"
glob "$2" '*/*' && glob "$2" '*../*' &&
@@ -207,10 +197,6 @@ main() {
glob "$2" '*/*' && { mkdir -p "${2%/*}" ||
die "Couldn't create category '${2%/*}'"; }
- # Set 'GPG_TTY' to the current 'TTY' if it
- # is unset. Fixes a somewhat rare `gpg` issue.
- export GPG_TTY=${GPG_TTY:-$(tty)}
-
# Restrict permissions of any new files to
# only the current user.
umask 077