aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/src/password-store.sh
diff options
context:
space:
mode:
authorAaron Jones <aaronmdjones@gmail.com>2019-06-16 14:20:10 +0000
committerJason A. Donenfeld <Jason@zx2c4.com>2019-06-16 21:59:52 +0200
commit5a52772156b44ef9785e91ab78ab2e1c3b1e510e (patch)
tree975a7af2c51eae883218f02fe2b28504b4fc632f /src/password-store.sh
parentemacs: Delete duplicate entries from password-store-list (diff)
downloadpassword-store-5a52772156b44ef9785e91ab78ab2e1c3b1e510e.tar.xz
password-store-5a52772156b44ef9785e91ab78ab2e1c3b1e510e.zip
Exclude invalid, disabled and revoked subkeys from subkey selection
When rotating encryption subkeys, and revoking the old one, `pass init keyid` would re-encrypt your stored credentials to the (now revoked) old subkey(s) in addition to the new one too. It would also mistakenly encrypt to keys that have been disabled, and keys that were never validly signed by their master (certify) key. Fix all of these cases. It was decided NOT to also exclude expired subkeys. Signed-off-by: Aaron Jones <aaronmdjones@gmail.com>
Diffstat (limited to 'src/password-store.sh')
-rwxr-xr-xsrc/password-store.sh2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/password-store.sh b/src/password-store.sh
index 284eabf..b99460c 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -124,7 +124,7 @@ reencrypt_path() {
IFS=";" eval 'GPG_RECIPIENTS+=( $group )' # http://unix.stackexchange.com/a/92190
unset "GPG_RECIPIENTS[$index]"
done
- gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/^sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)"
+ gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/^sub:[^idr:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)"
fi
current_keys="$(LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$passfile" 2>&1 | sed -n 's/^gpg: public key is \([A-F0-9]\+\)$/\1/p' | LC_ALL=C sort -u)"