keybase.bash
# Print the extension's version string on stdout.
cmd_version() {
  printf '%s\n' 'v0.4'
}
# Print the banner (name, version, project URL) on stdout, one line per
# printf argument.
cmd_description() {
  local rule='================================================================='
  printf '%s\n' \
    "$rule" \
    '= pass-keybase: Re-encrypt and decrypt pass entries via keybase =' \
    '= =' \
    '= v0.4 =' \
    '= =' \
    '= https://github.com/mbauhardt/pass-keybase =' \
    "$rule"
}
# Print the banner, a blank line and the usage text on stdout.
# The here-document delimiter is unquoted on purpose: $CLIP_TIME is expanded
# when the text is printed.
cmd_help() {
  cmd_description
  printf '\n'
  cat << _EOF
Usage:
pass keybase help
Show this help text
pass keybase version
Show the version
pass keybase init keybase-id...
Setup pass-keybase and creates a config file (.extensions/keybase-id) with keybase usernames.
The parameter 'keybase-id...' is a space separated list of keybase usernames.
pass keybase encrypt pass-name
Decrypt temporary the give pass-name via gpg and encrypt it with keybase under the same path but with extension '.keybase'.
pass keybase encrypt-all
Decrypt all gpg encrypted passwords temporary and encrypt everything again via keybase under the the same path but with extension '.keybase'
pass keybase decrypt pass-name
Decrypt the given pass-name with keybase.
pass keybase clip pass-name
Decrypt the given pass-name with keybase and put it on the clipboard.
The clipboard will be cleared in $CLIP_TIME seconds.
pass keybase remove pass-name
Remove the given pass-name from the store.
pass keybase remove-all
Remove all pass-names from the store.
pass keybase report
Print out a report about how many gpg and keybase encrypted entries you have.
pass keybase diff
Print out all entries from the store which are not in sync. Either the content of the GPG and Keybase passwords are not the same
or a GPG password is not encrypted with Keybase.
This command can be run a while, because all entries from your store will be decrypted to make the comparison.
_EOF
}
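#######################################
# Load the keybase recipients from the pass-keybase config file.
# The names read here are later handed to 'keybase encrypt', so this file
# decides who is able to decrypt the re-encrypted entries; it should be
# writable only by the owner of the store.
# Globals:
#   KEYBASE_RECIPIENTS (written) - reset, then one element per non-empty line
#   XDG_CONFIG_HOME, HOME (read) - locate pass-keybase/keybase-id
#   PROGRAM (read)               - only used in the error message
# Outputs:
#   An error message on stderr when the config file is missing.
# Returns:
#   0 on success; exits the shell with status 1 when the file is missing.
#######################################
set_keybase_recipients() {
  KEYBASE_RECIPIENTS=()
  local kbid="${XDG_CONFIG_HOME:-$HOME/.config}/pass-keybase/keybase-id"
  if [[ ! -f "$kbid" ]]; then
    # Diagnostics go to stderr so they never mix with command output.
    printf '%s\n' "Error: You must run '$PROGRAM keybase init keybase-id...' before you want to use the password store keybase extension." >&2
    exit 1
  fi
  local keybase_user
  # The '|| [[ -n ... ]]' part keeps a final line that lacks a trailing
  # newline; plain 'read' would silently drop that recipient.
  while read -r keybase_user || [[ -n "$keybase_user" ]]; do
    # A blank line is not a recipient; skip it instead of storing "".
    [[ -n "$keybase_user" ]] || continue
    KEYBASE_RECIPIENTS+=("$keybase_user")
  done < "$kbid"
}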
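#######################################
# Re-encrypt one gpg entry with keybase, next to the original, as
# '<pass-name>.keybase'. The plaintext only travels through a pipe.
# Globals:
#   PREFIX, GPG, GPG_OPTS (read); KEYBASE_RECIPIENTS (set by
#   set_keybase_recipients)
# Arguments:
#   $1 - pass-name, relative to the store
# Outputs:
#   Errors via die.
#######################################
cmd_encrypt() {
  set_keybase_recipients
  local path="$1"
  local passfile="$PREFIX/$path.gpg"
  local keybasefile="$PREFIX/$path.keybase"
  check_sneaky_paths "$path"
  if [[ -f "$passfile" ]]; then
    # Drop empty names, then pass every recipient as exactly one argument
    # (no word splitting or globbing on the configured names).
    local -a recipients=()
    local recipient
    for recipient in "${KEYBASE_RECIPIENTS[@]}"; do
      [[ -n "$recipient" ]] && recipients+=("$recipient")
    done

    # Encrypt into a temporary file first: if gpg or keybase fails, an
    # existing .keybase file is not replaced by an empty or partial one,
    # and nothing broken is committed.
    local tmpfile="$keybasefile.tmp.$$"
    local -a stage_status
    $GPG -d "${GPG_OPTS[@]}" "$passfile" \
      | keybase encrypt -o "$tmpfile" "${recipients[@]}"
    stage_status=("${PIPESTATUS[@]}")
    if ((stage_status[0] != 0 || stage_status[1] != 0)); then
      rm -f -- "$tmpfile"
      die "Error: failed to re-encrypt $path with keybase."
    fi
    mv -f -- "$tmpfile" "$keybasefile" \
      || die "Error: could not write $path.keybase."

    set_git "$keybasefile"
    # [*] joins the names into one string; [@] inside the quotes would
    # split the commit message into several arguments.
    git_add_file "$keybasefile" "Encrypt $path via keybase for user: ${recipients[*]}"
  elif [[ -z "$path" ]]; then
    die ""
  else
    die "Error: $path is not in the password store."
  fi
}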
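#######################################
# Re-encrypt every '*.gpg' file under the store with keybase, writing a
# sibling '.keybase' file for each, then stage the store with git_add_file.
# An entry whose decryption or encryption fails is reported on stderr and
# skipped; its previous '.keybase' file, if any, is left untouched.
# Globals:
#   PREFIX, GPG, GPG_OPTS (read); KEYBASE_RECIPIENTS (set by
#   set_keybase_recipients)
#######################################
cmd_encrypt_all() {
  set_keybase_recipients
  local -a recipients=() stage_status
  local recipient passfile keybasefile tmpfile
  local failures=0

  # Drop empty names; each remaining name is passed as one argument.
  for recipient in "${KEYBASE_RECIPIENTS[@]}"; do
    [[ -n "$recipient" ]] && recipients+=("$recipient")
  done

  while IFS= read -r -d "" passfile; do
    keybasefile="${passfile%.gpg}.keybase"
    # Write to a temporary name and rename on success, so a failed pipeline
    # never leaves an empty or truncated ciphertext in the store.
    tmpfile="$keybasefile.tmp.$$"
    $GPG -d "${GPG_OPTS[@]}" "$passfile" \
      | keybase encrypt -o "$tmpfile" "${recipients[@]}"
    stage_status=("${PIPESTATUS[@]}")
    if ((stage_status[0] != 0 || stage_status[1] != 0)) \
      || ! mv -f -- "$tmpfile" "$keybasefile"; then
      rm -f -- "$tmpfile"
      printf 'Error: failed to re-encrypt %s with keybase; skipping.\n' \
        "${passfile#"$PREFIX"/}" >&2
      failures=$((failures + 1))
      continue
    fi
    set_git "$keybasefile"
  done < <(find "$PREFIX" -iname '*.gpg' -print0)

  if ((failures > 0)); then
    printf 'Warning: %d entries could not be re-encrypted.\n' "$failures" >&2
  fi
  # [*] keeps the commit message a single argument.
  git_add_file "$PREFIX" "Reencrypt password store using keybase-id ${recipients[*]}"
}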
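#######################################
# Create the pass-keybase config file with one keybase username per line.
# The file is later read back as the recipient list for 'keybase encrypt'.
# Globals:
#   XDG_CONFIG_HOME, HOME (read); PROGRAM (read, usage message only)
# Arguments:
#   $@ - keybase usernames; at least one, none empty
# Outputs:
#   A usage error on stderr when the argument list is empty or holds "".
# Returns:
#   0 on success; exits the shell with status 1 on invalid arguments or
#   when the config directory cannot be created.
#######################################
cmd_init() {
  local config_dir="${XDG_CONFIG_HOME:-$HOME/.config}/pass-keybase"
  local id

  # With no arguments printf would still write a single empty line, leaving
  # a config file that names no recipient at all.
  if (($# == 0)); then
    printf 'Usage: %s keybase init keybase-id...\n' "$PROGRAM" >&2
    exit 1
  fi
  for id in "$@"; do
    if [[ -z "$id" ]]; then
      printf 'Error: keybase-id must not be empty.\n' >&2
      exit 1
    fi
  done

  mkdir -p -- "$config_dir" || exit 1
  printf '%s\n' "$@" > "$config_dir/keybase-id"
}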
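#######################################
# Delete '<pass-name>.keybase' from the store and commit the removal.
# Globals:
#   PREFIX (read); INNER_GIT_DIR (read; presumably set by set_git — confirm
#   against pass)
# Arguments:
#   $1 - pass-name, relative to the store
# Outputs:
#   Errors via die.
#######################################
cmd_remove() {
  local path="$1"
  local passfile="$PREFIX/$path.keybase"
  check_sneaky_paths "$path"
  if [[ -f "$passfile" ]]; then
    set_git "$passfile"
    # Stop here when the file cannot be deleted, so no "Remove ..." commit
    # is recorded for a file that is still present.
    rm -- "$passfile" || die "Error: could not remove $path from the store."
    # Only talk to git when a repository directory is known; with an empty
    # value 'git -C ""' would act on the current directory instead.
    if [[ -n "$INNER_GIT_DIR" ]]; then
      git -C "$INNER_GIT_DIR" rm -qr "$passfile"
    fi
    set_git "$passfile"
    git_commit "Remove $path from store."
  elif [[ -z "$path" ]]; then
    die ""
  else
    die "Error: $path is not in the password store."
  fi
}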
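#######################################
# Remove every '*.keybase' file under the store through 'git rm' and commit.
# Removal is delegated to git, so files git does not track stay in place.
# Globals:
#   PREFIX (read); INNER_GIT_DIR (read; presumably set by set_git — confirm
#   against pass)
# Outputs:
#   A warning on stderr for each file that has no git directory.
#######################################
cmd_remove_all() {
  local passfile
  while IFS= read -r -d "" passfile; do
    # Resolve the git directory for this file BEFORE using it; calling
    # set_git only afterwards ran the first 'git rm' with whatever value
    # INNER_GIT_DIR held on entry (possibly empty).
    set_git "$passfile"
    if [[ -z "$INNER_GIT_DIR" ]]; then
      printf 'Warning: %s is not under git; left in place.\n' \
        "${passfile#"$PREFIX"/}" >&2
      continue
    fi
    git -C "$INNER_GIT_DIR" rm -qr "$passfile"
    # Refresh after the removal, as cmd_remove does, so git_commit sees a
    # value computed for the current state of the tree.
    set_git "$passfile"
  done < <(find "$PREFIX" -iname '*.keybase' -print0)
  git_commit "Remove all keybase files from store."
}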
#######################################
# Decrypt '<pass-name>.keybase' with keybase and print the result.
# Globals:
#   PREFIX (read)
# Arguments:
#   $1 - pass-name, relative to the store
# Outputs:
#   Whatever 'keybase decrypt' prints; errors via die.
#######################################
cmd_decrypt() {
  local path="$1"
  local passfile="$PREFIX/$path.keybase"
  check_sneaky_paths "$path"
  if [[ ! -f "$passfile" && -z "$path" ]]; then
    # No pass-name given and nothing to decrypt: fail with an empty message.
    die ""
  elif [[ ! -f "$passfile" ]]; then
    die "Error: $path is not in the password store."
  else
    # NOTE(review): --force looks like it suppresses keybase's interactive
    # prompt about the sender's identity — confirm with
    # 'keybase decrypt --help' before relying on sender verification.
    keybase decrypt --force -i "$passfile"
  fi
}
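#######################################
# Decrypt '<pass-name>.keybase' and copy its first line to the clipboard.
# Globals:
#   PREFIX (read)
# Arguments:
#   $1 - pass-name, relative to the store
# Outputs:
#   Errors via die.
#######################################
cmd_clip() {
  local path="$1"
  local passfile="$PREFIX/$path.keybase"
  check_sneaky_paths "$path"
  if [[ -f "$passfile" ]]; then
    # Declared separately from the assignment, and the file name is quoted so
    # a pass-name containing spaces reaches keybase as one argument.
    local pass
    # stderr is discarded as before, so only the decrypted text is captured.
    pass="$(keybase decrypt --force -i "$passfile" 2> /dev/null | head -n 1)"
    # A failed decryption yields an empty string; refuse to put that on the
    # clipboard and report success.
    [[ -n "$pass" ]] \
      || die "Error: could not decrypt $path with keybase, or its first line is empty."
    clip "$pass" "$path"
  elif [[ -z "$path" ]]; then
    die ""
  else
    die "Error: $path is not in the password store."
  fi
}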
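#######################################
# Print how many '*.gpg' and '*.keybase' files the store holds, followed by
# the gpg entries that have no '.keybase' sibling.
# Globals:
#   PREFIX (read)
# Outputs:
#   The report on stdout; entry names are relative to PREFIX.
#######################################
cmd_report() {
  local gpgcount=0 kbcount=0
  local passfile keytoshow keybasefile

  echo ''
  while IFS= read -r -d "" passfile; do
    gpgcount=$((gpgcount + 1))
  done < <(find "$PREFIX" -iname '*.gpg' -print0)
  echo "Number of GPG encryped files: $gpgcount"

  while IFS= read -r -d "" passfile; do
    kbcount=$((kbcount + 1))
  done < <(find "$PREFIX" -iname '*.keybase' -print0)
  echo "Number of Keybase encryped files: $kbcount"

  echo ''
  echo 'GPG encrypted passwords which are not encrypted with Keybase:'
  echo '*************************************************************'
  while IFS= read -r -d "" passfile; do
    keytoshow="${passfile%.gpg}"
    keybasefile="$keytoshow.keybase"
    if [[ ! -f "$keybasefile" ]]; then
      # "$PREFIX" is quoted inside the expansion so it is stripped as a
      # literal prefix even when the store path contains *, ? or [ ].
      printf '%s\n' "${keytoshow#"$PREFIX"/}"
    fi
  done < <(find "$PREFIX" -iname '*.gpg' -print0)
}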
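#######################################
# List the gpg entries that are out of sync with keybase: entries without a
# '.keybase' sibling, entries whose two plaintexts differ, and entries where
# either decryption fails.
# Globals:
#   PREFIX, GPG, GPG_OPTS (read)
# Outputs:
#   One entry name (relative to PREFIX) per line on stdout; a warning on
#   stderr for each entry that could not be decrypted.
#######################################
cmd_diff() {
  local passfile keytoshow keybasefile md5_gpg md5_keybase
  while IFS= read -r -d "" passfile; do
    keytoshow="${passfile%.gpg}"
    keybasefile="$keytoshow.keybase"
    if [[ ! -f "$keybasefile" ]]; then
      printf '%s\n' "${keytoshow#"$PREFIX"/}"
      continue
    fi

    # pipefail is enabled inside each substitution only, so a failing
    # decryption is noticed. Without it two failed decryptions both hash
    # empty input and the entry would be treated as identical.
    # The digest is only an equality check on locally decrypted data.
    if ! md5_gpg="$(
      set -o pipefail
      $GPG -d "${GPG_OPTS[@]}" "$passfile" | md5sum
    )" || ! md5_keybase="$(
      set -o pipefail
      keybase decrypt --force -i "$keybasefile" 2> /dev/null | md5sum
    )"; then
      printf 'Warning: could not decrypt %s; reporting it as out of sync.\n' \
        "${keytoshow#"$PREFIX"/}" >&2
      printf '%s\n' "${keytoshow#"$PREFIX"/}"
      continue
    fi

    if [[ "$md5_gpg" != "$md5_keybase" ]]; then
      printf '%s\n' "${keytoshow#"$PREFIX"/}"
    fi
  done < <(find "$PREFIX" -iname '*.gpg' -print0)
}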
# Dispatch on the sub-command in $1. Arms that take a pass-name or user list
# drop the sub-command word and forward the remaining arguments; anything
# unrecognised, including 'help' and an empty argument, prints the help.
# NOTE(review): the unconditional 'exit 0' below reports success even when
# the selected command failed.
case "$1" in
  version)
    cmd_version
    ;;
  init)
    shift
    cmd_init "$@"
    ;;
  encrypt)
    shift
    cmd_encrypt "$@"
    ;;
  encrypt-all)
    shift
    cmd_encrypt_all
    ;;
  decrypt)
    shift
    cmd_decrypt "$@"
    ;;
  clip)
    shift
    cmd_clip "$@"
    ;;
  remove)
    shift
    cmd_remove "$@"
    ;;
  remove-all)
    cmd_remove_all
    ;;
  report)
    cmd_report
    ;;
  diff)
    cmd_diff
    ;;
  help | *)
    cmd_help
    ;;
esac
exit 0