/
pius
executable file
·369 lines (334 loc) · 10.8 KB
/
pius
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
#!/usr/bin/env python3
"""A utility to sign all UIDs on a list of PGP keys and PGP/Mime encrypt-email
them to the respective emails."""
# vim:shiftwidth=4:tabstop=4:expandtab:textwidth=80:softtabstop=4:ai:
#
# Copyright (c) 2008 - present Phil Dibowitz (phil@ipom.com)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, version 2.
#
# Note that we only import pexpect if -i is specified. In order to do this
# in a relatively clean way (if you just import it it will only be local), we
# use a trick that pylint will complain about. I'm quite alright with that.
#
# TODO:
# - Offer ability to "pick up where we left off"
#
import os
import sys
from optparse import OptionParser
from libpius import mailer as pmailer
from libpius import signer as psigner
from libpius.util import PiusUtil, MyOption, check_email
from libpius.constants import (
DEFAULT_GPG_PATH,
DEFAULT_KEYRING,
DEFAULT_MIME_EMAIL_TEXT,
DEFAULT_NON_MIME_EMAIL_TEXT,
DEFAULT_OUT_DIR,
DEFAULT_TMP_DIR,
VERSION,
)
from libpius.exceptions import MailSendError
from libpius.state import SignState
def print_default_email(no_mime):
"""Print the default email that is sent out."""
interpolation_dict = {}
for p in ("keyid", "signer", "email"):
interpolation_dict[p] = "%(" + p + ")s"
print(
" The default email text is below. To specify your own, simply use\n"
" %(keyid)s %(signer)s and %(email)s in the body and they will be\n"
" replaced with the relevant strings.\n"
)
print(" DEFAULT EMAIL TEXT:\n")
if not no_mime:
print(DEFAULT_MIME_EMAIL_TEXT % interpolation_dict)
else:
print(DEFAULT_NON_MIME_EMAIL_TEXT % interpolation_dict)
def check_options(parser, options, args):
"""Given the parsed options, sanity check them."""
if options.debug == True:
print("Setting debug")
PiusUtil.DEBUG_ON = True
if not os.path.exists(options.gpg_path):
parser.error("GnuPG binary not found at %s." % options.gpg_path)
if not options.signer:
parser.error("You must specify a keyid to sign with.")
if options.keyring:
options.keyring = os.path.expanduser(options.keyring)
if not os.path.exists(options.keyring):
parser.error("Keyring %s doesn't exist" % options.keyring)
if not options.all_keys:
if not args:
parser.error("Keyid (or -A) required")
elif not options.keyring:
parser.error("The -A options requires the -r option")
if (
options.mail
and options.mail_no_pgp_mime
and not options.encrypt_outfiles
):
print("NOTE: -O and -m are present, turning on -e")
options.encrypt_outfiles = True
if options.mail_user and not (options.mail_tls or options.mail_ssl):
print("NOTE: -u (SMTPAUTH) is present, enabling TLS. Either TLS or SSL is required with SMTPAUTH")
options.mail_tls = True
if options.mail_tls and options.mail_ssl:
parser.error("ERROR: TLS and SSL cannot be used at the same time.")
if options.mail_text and not options.mail:
parser.error("ERROR: -M requires -m")
for mydir in (options.tmp_dir, options.out_dir):
if os.path.exists(mydir) and not os.path.isdir(mydir):
parser.error(
"%s exists but isn't a directory. It must not exist or be\n"
"a directory." % mydir
)
if not os.path.exists(mydir):
os.mkdir(mydir, 0o700)
def warn_if_short_keyids(ids):
for keyid in ids:
if len(keyid) == 8:
print(
"WARNING: You passed in short keyids. Short keyids are forgable"
" and should be avoided."
)
ans = input('Type "I understand" to continue: ')
if ans == "I understand":
return
else:
print("ERROR: Danger not acknowledged, exiting.")
sys.exit(1)
def main():
"""Main."""
usage = (
"%prog [options] -s <signer_keyid> <keyid> [<keyid> ...]\n"
" %prog [options] -A -r <keyring_path> -s <signer_keyid>"
)
parser = OptionParser(
usage=usage, version="%%prog %s" % VERSION, option_class=MyOption
)
parser.set_defaults(
gpg_path=DEFAULT_GPG_PATH,
out_dir=DEFAULT_OUT_DIR,
tmp_dir=DEFAULT_TMP_DIR,
keyring=DEFAULT_KEYRING,
sort_keyring=True,
)
parser.add_option(
"-A",
"--all-keys",
action="store_true",
dest="all_keys",
help="Sign all keys on the keyring. Requires -r.",
)
parser.add_option(
"-b",
"--gpg-path",
dest="gpg_path",
metavar="PATH",
nargs=1,
type="not_another_opt",
help="Path to gpg binary. [default: %default]",
)
parser.add_option(
"-e",
"--encrypt-outfiles",
action="store_true",
dest="encrypt_outfiles",
help="Encrypt output files with respective keys.",
)
parser.add_option(
"-d",
"--debug",
action="store_true",
dest="debug",
help="Enable debugging output.",
)
parser.add_option(
"-I",
"--import",
action="store_true",
dest="import_keyring",
help="Also import the unsigned keys from the keyring"
" into the default keyring. Ignored if -r is not"
" specified, or if it's the same as the default"
" keyring.",
)
parser.add_option(
"-m",
"--mail",
dest="mail",
metavar="EMAIL",
nargs=1,
type="email",
help="Email the encrypted, signed keys to the"
" respective email addresses. EMAIL is the address"
" to send from. See also -H and -P.",
)
parser.add_option(
"-N",
"--no-sort-keyring",
dest="sort_keyring",
action="store_false",
help="Do not sort the keyring by name.",
)
parser.add_option(
"-o",
"--out-dir",
dest="out_dir",
metavar="OUTDIR",
nargs=1,
type="not_another_opt",
help="Directory to put signed keys in. [default: %default]",
)
parser.add_option(
"-r",
"--keyring",
dest="keyring",
metavar="KEYRING",
nargs=1,
type="not_another_opt",
help="The keyring to use. Be sure to specify full or"
" relative path. Use a path: Just a filename may cause"
" GPG to assume relative to ~/.gnupg and cause"
" unexpected results. [default: %default]",
)
parser.add_option(
"-s",
"--signer",
dest="signer",
nargs=1,
type="keyid",
help="The keyid to sign with (required).",
)
parser.add_option(
"-f",
"--force-signer",
dest="force_signer",
type="keyid",
help="Force GnuPG to use this exact keyid to sign (do not"
" guess subkey)",
)
parser.add_option(
"-t",
"--tmp-dir",
dest="tmp_dir",
nargs=1,
type="not_another_opt",
help="Directory to put temporary stuff in. [default:" " %default]",
)
parser.add_option(
"-T",
"--print-default-email",
dest="print_default_email",
action="store_true",
help="Print the default email.",
)
parser.add_option(
"-U",
"--policy-url",
dest="policy_url",
help="Policy URL to include in each signature",
)
parser.add_option(
"-v",
"--verbose",
dest="verbose",
action="store_true",
help="Be more verbose.",
)
pmailer.PiusMailer.add_options(parser)
# Check for extra options in the ~/.pius file
all_opts = PiusUtil.parse_dotfile(parser)
# Note that by putting this at the end we allow the command line to override
# options specified in the config file, BUT if any options conflict, the first
# wins, so the config file wins. Meh.
all_opts.extend(sys.argv[1:])
(options, args) = parser.parse_args(all_opts)
print("Welcome to PIUS, the PGP Individual UID Signer.\n")
# The easy thing first...
if options.print_default_email:
print_default_email(options.mail_no_pgp_mime)
sys.exit(0)
# Check input to make sure users want sane things
check_options(parser, options, args)
# Check to see if the user wants to send email if they didn't specify
if not options.mail:
ans = input(
"Would you like to automatically send the signed UIDs to"
" their owners using\nPGP/Mime encryption as you sign each"
" one? "
)
if ans in ("y", "Y", "yes", "YES", "Yes"):
ans = input("What email address should we send from? ")
check_email(parser, "-m", ans)
options.mail = ans
print()
if options.mail:
mailer = pmailer.PiusMailer(
options.mail,
options.display_name,
options.mail_host,
options.mail_port,
options.mail_user,
options.mail_tls,
options.mail_ssl,
options.mail_no_pgp_mime,
options.mail_override,
options.mail_text,
options.tmp_dir,
)
else:
mailer = None
signer = psigner.PiusSigner(
options.signer,
options.force_signer,
options.keyring,
options.gpg_path,
options.tmp_dir,
options.out_dir,
options.encrypt_outfiles,
options.mail,
mailer,
options.verbose,
options.sort_keyring,
options.policy_url,
options.mail_host,
)
if options.all_keys:
key_list = signer.get_all_keyids()
if len(key_list) == 0:
print("ERROR: Failed to find keys on this keyring\n")
sys.exit(1)
if args:
key_list.extend(args)
else:
warn_if_short_keyids(args)
key_list = args
# The actual signing
signed_keys = {}
state = SignState()
for key in key_list:
retval = signer.check_fingerprint(key)
if retval == False:
continue
print("Signing all UIDs on key %s" % key)
if signer.sign_all_uids(key, retval):
state.update_outbound(key, SignState.kSIGNED)
print("")
# If the user asked, import the keys
if options.import_keyring:
if (not options.keyring) or (options.keyring == DEFAULT_KEYRING):
print(
"WARNING: Ignoring -I: Either -r wasn't specified, or it was"
" the same as the default keyring."
)
else:
signer.import_unsigned_keys()
signer.cleanup()
state.save()
if __name__ == "__main__":
main()