
Releases: plyint/encpass.sh

Fix for stripping a single hyphen from shell name

17 Jan 19:28
dda7274

This is a fix for the regex that strips one or more leading hyphens from the shell name that may be present when encpass.sh is invoked; typically this happens when it is invoked from a login shell. Thanks to @whalehub for the PR!

Support multiple invocations of CLI commands from scripts

27 Jun 19:05

This release adds support for invoking CLI commands multiple times (e.g. importing multiple secrets from a shell script).

Example:

. encpass.sh

encpass_cmd_import -fop secret1.enc
encpass_cmd_import -fop secret2.enc

It also reduces the number of calls to encpass_checks and addresses an issue (#24) where the shell name (or script name) might contain a hyphen. All leading hyphens are now stripped from argument 0, which corresponds to the invoking shell or script name.
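The argument-0 normalisation described in this note and in the single-hyphen fix above, as an added example that is not encpass.sh's own code (the function names are mine). A login shell reports its name as, for example, -bash, so a naive basename check fails to recognise the shell, while a hyphen inside a script name (my-script.sh) must be left alone. The function below strips only leading hyphens, using POSIX parameter expansion so it behaves the same in dash, bash, ksh and zsh:

```shell
#!/bin/sh
# Added example (not encpass.sh's own code): normalise argument 0 by
# stripping every leading hyphen and nothing else.

# Print NAME with all leading hyphens removed. Pure POSIX parameter
# expansion: ${name#-} drops one leading hyphen per loop iteration.
strip_leading_hyphens() {
  name=$1
  while [ "${name#-}" != "$name" ]; do
    name=${name#-}
  done
  printf '%s\n' "$name"
}

# Reduce a $0 value to a bare program name: drop any directory part, then
# the login-shell hyphen(s). basename needs "--", otherwise it would treat
# "-bash" as an option.
invoking_program_name() {
  base=$(basename -- "$1")
  strip_leading_hyphens "$base"
}

# Stand-alone demo: what the current shell reports versus the normalised name.
printf 'raw $0:      %s\n' "$0"
printf 'normalised:  %s\n' "$(invoking_program_name "$0")"
```

Run it from a login shell (`sh -l`, or `bash -l`) to see the raw `-bash` or `-sh` value; the normalised name is what a check such as "was I executed as encpass.sh or sourced into a script" should compare against.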

Fix help documentation on macOS

08 Jul 05:45
486a8f0

This release fixes an issue (#19) with the help command not displaying on macOS. It also now falls back to outputting directly to less when man is not available on a system.

Add command line completion for version command

17 Jun 04:37

Added bash command line completion for the version command.

Fix shellcheck errors for version command

16 Jun 22:58

Fixed minor quoting and argument errors that shellcheck reported for the new version command.

Add version command

16 Jun 21:21

Added a version command, which outputs the tag version of encpass.sh and the SHA256 checksums (if sha256sum is available) of encpass.sh and of every enabled extension.

$ encpass.sh version
tag version: v4.1.0
SHA256 Checksum: d4e57f32106a8820901b43cd6398e8a42f9df96010a3074d57bde7ffd0e781e7  /usr/local/bin/encpass.sh
SHA256 Checksum: 5f8a0bcad3033322f9ffbf78cf58d7f02ec599712a0d57e2f83690fc22d43ba6  /usr/local/bin/encpass-keybase.sh

The tag version corresponds to the git commit that carries that tag. Your local copy of the script may contain changes beyond that tag (e.g. if you pulled it directly from the master branch), but those changes can only be commits made before the next tag.

You can determine whether your copy of encpass.sh is identical to a specific commit or tag in the official repo by comparing SHA256 checksums. To get the checksum of encpass.sh at a given commit or tag, curl the raw script and pipe it into sha256sum:

curl --silent https://raw.githubusercontent.com/plyint/encpass.sh/93d42340c24e62132049430dd26c26736697e440/encpass.sh | sha256sum
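The comparison described above, as an added example that is not part of encpass.sh (the function names are mine). It covers two things the one-liner does not: macOS ships shasum rather than sha256sum, so the digest helper falls back through the tools a host is likely to have; and a curl without --fail happily hashes a 404 error page, so the upstream fetch goes to a temp file and is checked before hashing. Pin a full commit hash rather than a branch name, since a branch can move after you looked at it:

```shell
#!/bin/sh
# Added example (not part of encpass.sh): verify a local script against a
# known-good SHA256, using whichever digest tool the host provides.

# Print the lowercase hex SHA256 of FILE, or of stdin when no FILE is given.
# Falls back from GNU coreutils' sha256sum to BSD/macOS shasum, then openssl.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$@" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$@" | cut -d' ' -f1
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha256 "$@" | sed 's/.*= //'
  else
    echo "no SHA256 tool found" >&2
    return 2
  fi
}

# Return 0 if FILE's digest equals EXPECTED (hex, any case), 1 if it differs,
# 2 if no digest could be computed.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file") || return 2
  [ "$actual" = "$expected" ]
}

# Digest of encpass.sh as it was at commit or tag REF in the upstream repo.
# Needs network; not exercised by the offline demo below. --fail makes curl
# exit non-zero on an HTTP error instead of handing us the error page.
upstream_sha256() {
  tmp=$(mktemp) || return 1
  if curl --fail --silent --show-error -o "$tmp" \
      "https://raw.githubusercontent.com/plyint/encpass.sh/$1/encpass.sh"; then
    sha256_of "$tmp"
    rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Offline demo on a constructed file: "abc" has a well-known SHA256 test vector.
demo=$(mktemp)
printf 'abc' > "$demo"
if verify_sha256 "$demo" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad; then
  echo "checksum matches"
else
  echo "checksum MISMATCH"
fi
rm -f "$demo"
```

Typical use: `verify_sha256 /usr/local/bin/encpass.sh "$(upstream_sha256 93d42340c24e62132049430dd26c26736697e440)"`. A match proves only that your copy equals that commit; whether that commit is one you trust is a separate question you answer by reviewing it.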

Security, Extension support, and Import/Export

12 Jun 20:27

This release contains a lot of changes that have been accumulating on the master branch.

From a security standpoint, the default OpenSSL implementation has improved through the use of named pipes. Previously there was a very small window, while the secret was being passed to the openssl command, in which another user on the same machine might have been able to discover it. With a named pipe this is no longer possible. Of course, this does not prevent the root user from accessing secrets/keys, so always exercise caution if you don't trust who has root access to the machine you are using.
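The named-pipe technique, as an added example that is not encpass.sh's own code and does not reproduce its internals (function names and the directory layout are mine). The general hazard is that anything passed on a command line, such as `openssl enc -pass pass:...`, is visible to every local user through `ps` and /proc for as long as the process runs, and a secret written to a temp file is readable during its lifetime unless its permissions are right. A FIFO of mode 0600 inside a mode 0700 scratch directory avoids both: the consumer receives only a path, the bytes never touch disk, and nothing is left behind. The edge case to handle is a consumer that never opens the pipe, which would otherwise leave the writer blocked forever:

```shell
#!/bin/sh
# Added example (not encpass.sh's own code): hand a passphrase to a child
# process through a private named pipe, so it never appears on a command
# line or in a regular file.

# Run CMD... with the path of a FIFO appended as its last argument; the FIFO
# yields SECRET exactly once. The scratch directory is created under umask
# 077 (mode 0700) and the FIFO is mode 0600, so other non-root users cannot
# open it, and everything is removed before returning.
feed_secret_via_fifo() {
  secret=$1
  shift
  fifo_dir=$(umask 077 && mktemp -d) || return 1
  fifo=$fifo_dir/secret.fifo
  mkfifo -m 600 "$fifo" || { rm -rf "$fifo_dir"; return 1; }
  # The writer blocks until the reader opens the pipe, so it runs in the
  # background. printf is a builtin in bash, dash, ksh and zsh, so the
  # secret is not in any process's argv.
  (printf '%s' "$secret" > "$fifo") &
  writer=$!
  "$@" "$fifo" && status=0 || status=$?
  # If CMD never opened the pipe the writer is still stuck in open(); reap
  # it so we neither hang nor leave a FIFO behind.
  kill "$writer" 2>/dev/null || true
  wait "$writer" 2>/dev/null || true
  rm -rf "$fifo_dir"
  return "$status"
}

# A consumer that fits the convention above: encrypt stdin with the
# passphrase read from the FIFO at $1. Assumes openssl is installed; the
# "file:" source makes openssl read the passphrase from a path instead of
# taking it from its own argv.
encrypt_stdin_with_pass_from() {
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$1"
}

# Stand-alone demo with a constructed secret. cat stands in for openssl so
# the demo runs without it; the consumer only ever sees a path.
feed_secret_via_fifo 'correct horse battery staple' cat
echo
```

Usage with the openssl consumer: `printf '%s' "$plaintext" | feed_secret_via_fifo "$passphrase" encrypt_stdin_with_pass_from > secret.enc`. Run `ps -o args= -p <pid>` against the openssl process while it is alive and you will see only the FIFO path, not the passphrase. As the release note says, this does not defend against root, who can read the pipe's directory and the shell's memory alike.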

encpass.sh now supports extensions. The first extension is encpass-keybase.sh, which replaces the default OpenSSL encryption backend with Keybase's Saltpack encryption and uses Keybase per-user and per-team keys and encrypted git repos. This makes it easy to share and manage secrets with any team on Keybase. See the extension documentation for details.

The third big feature is the import/export commands, which export keys/secrets to a gzipped tar archive so you can easily move or replicate them to other machines or share them with a colleague. The archive can also be encrypted with a password for additional security.

Below is the consolidated list of all updates:

  • Use named pipes to more securely pass secrets to OpenSSL
  • Added extension support to encpass.sh
  • Added a Keybase extension (encpass-keybase.sh)
  • Added Import/Export commands
  • Added rekey command that can generate a new key for a bucket and automatically re-encrypt any existing secrets
  • Added lite command that can create a truncated version of encpass.sh without the CLI
  • Added more detailed examples and a sample backup script
  • Added ls subcommand to dir command to parse ENCPASS_DIR_LIST environment variable for multiple directories
  • Updated README.md documentation and documentation for the Keybase extension
  • Various fixes

Enforce password value when locking keys

10 Feb 05:26

A password value was not being enforced when locking keys, whereas unlocking required one. This could leave keys in a state where they could not be unlocked. The logic has now been made consistent.

Fixed error scenarios for locking

09 Feb 21:50

Fixed error scenarios for locking/unlocking where failed attempts to unlock a file could later cause corruption via subsequent unlocking or locking attempts. Also, improved error messaging for locking.

The README file has also been updated with a description of how to invoke shellcheck for testing.

Shellcheck and various fixes

04 Feb 23:00

Shellcheck is now fully integrated into the encpass.sh development process. It has been run on encpass.sh and all current issues have been addressed. In a few places we want globbing to occur so that bulk operations can be performed with encpass.sh; those warnings are now suppressed in encpass.sh.

Along with shellcheck various other items were completed. Here is the full list:

  • New "make check" command added to the Makefile to run shellcheck via the docker image
  • All current shellcheck errors have been fixed or ignored if globbing is required
  • Locking logic has been simplified and should work better under various error scenarios
  • Added a "dir" convenience command to display the current setting of $ENCPASS_HOME_DIR
  • Cleaned up various error outputting, including nicer display messages when secrets are locked, but the show command is called
  • Updated example.sh to make the output clearer when run
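The "suppress the warning where globbing is intended" pattern from this release, as an added example that is not encpass.sh's own code (the function name and file names are mine). Shellcheck's SC2086 ("Double quote to prevent globbing and word splitting") is the warning that fires on an unquoted expansion; the directive below silences it for exactly one line, and the comment beside it records why. The caveat a reviewer would want handled: when a pattern matches nothing, POSIX shells keep it as a literal word, so the loop checks that each result exists before acting on it. To run shellcheck the way a docker-based make target would, the shellcheck project publishes an image: `docker run --rm -v "$PWD:/mnt" koalaman/shellcheck:stable encpass.sh`.

```shell
#!/bin/sh
# Added example (not encpass.sh's own code): deliberately let a caller-
# supplied pattern glob, with the shellcheck warning suppressed only on
# that line and a guard for the no-match case.

# List the files in DIR whose names match PATTERN (a shell glob), one per
# line. The unquoted expansion is the whole point: "db-*.enc" must expand.
list_matching() {
  dir=$1
  pattern=$2
  (
    cd "$dir" || exit 1
    # Intentional: PATTERN is a glob and must not be quoted here.
    # shellcheck disable=SC2086
    set -- $pattern
    for f in "$@"; do
      # With no match the shell keeps the pattern as a literal word; skip it.
      [ -e "$f" ] || continue
      printf '%s\n' "$f"
    done
  )
}

# Stand-alone demo on constructed files.
demo_dir=$(mktemp -d)
: > "$demo_dir/db-user.enc"
: > "$demo_dir/db-pass.enc"
: > "$demo_dir/api.enc"
list_matching "$demo_dir" 'db-*.enc'
rm -rf "$demo_dir"
```

Everything else in the function stays quoted; narrowing the directive to the one line that needs it keeps shellcheck useful for the rest of the file, which is the trade-off the release note describes.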