Enable OpenPGP support via pinentry #142
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
eed3si9n
reviewed
Aug 13, 2018
.gitignore
Outdated
| @@ -4,3 +4,4 @@ boot/ | |||
| .classpath | |||
| .project | |||
| .scala_dependencies | |||
| .idea/ | |||
There was a problem hiding this comment.
This should go to global gitignore - https://help.github.com/articles/ignoring-files/
eed3si9n
reviewed
Aug 13, 2018
wsargent
commented
Aug 13, 2018
| val pinentryargs: Seq[String] = Seq("--pinentry-mode", "loopback") | ||
| val passargs: Seq[String] = (optPassphrase map { passArray => passArray mkString "" } map { pass => Seq("--passphrase", pass) }) getOrElse Seq.empty | ||
| val keyargs: Seq[String] = optKey map (k => Seq("--default-key", "0x%x" format(k))) getOrElse Seq.empty | ||
| val args = passargs ++ pinentryargs ++ Seq("--detach-sign", "--armor") ++ (if(agent) Seq("--use-agent") else Seq.empty) ++ keyargs |
There was a problem hiding this comment.
agent is pretty much required here
wsargent
commented
Aug 13, 2018
| @@ -28,6 +28,7 @@ object PgpKeys { | |||
| val gpgCommand = SettingKey[String]("gpg-command", "The path of the GPG command to run", BSetting) | |||
| val useGpg = SettingKey[Boolean]("use-gpg", "If this is set to true, the GPG command line will be used.", ASetting) | |||
| val useGpgAgent = SettingKey[Boolean]("use-gpg-agent", "If this is set to true, the GPG command line will expect a GPG agent for the password.", BSetting) | |||
| val useGpgPinentry = SettingKey[Boolean]("use-gpg-pinentry", "If this is set to true, the GPG command line will expect pinentry will be used with gpg-agent.", ASetting) | |||
There was a problem hiding this comment.
What is ASetting vs BSetting?
There was a problem hiding this comment.
The rank is optional, and it affects the help display iirc. We should probably refactor it to sbt 0.13/1.x settingKey[Boolean] style.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds a pinentry option to sbt-pgp, by using the
--pinentry-mode loopbackoption specified in https://wiki.archlinux.org/index.php/GnuPG#Unattended_passphraseAdds a
useGpgPinentryboolean key that if set withuseGpganduseGpgAgentset, will use a specialized signerCommandLineGpgPinentrySigner.This is useful when using GPG with gpg-agent and a smartcard device with OpenPGP support. In this situation, there is no local secring on the hard drive, and the secret key is kept on the card itself.
TODO
Testing
This is currently missing ways to effectively test for pinentry. https://lists.gnupg.org/pipermail/gnupg-users/2017-July/058741.html suggests PINENTRY_USER_DATA and fake-pinentries.
Right now I'm testing this locally:
and then killing gpg-agent to ensure that the PIN is not cached, and running
publishLocalSigned:gpgconf --kill gpg-agent && gpgconf --launch gpg-agent sbt publishLocalSigned