avoid configuring git signing key when there's no secret key

Also, nice display for --add-key steps
Joey Hess 2014-11-11 13:41:25 -04:00
parent 4c19e8407d
commit e4f9df8404
2 changed files with 24 additions and 10 deletions


@ -8,4 +8,5 @@ To support multiple gpg keys added with --add-key, propellor should
so that this new key can access it. so that this new key can access it.
* When --add-key on behalf of another user, do not modify the signing key for * When --add-key on behalf of another user, do not modify the signing key for
local git. This entails either splitting this command in two, `--add-key` and local git. This entails either splitting this command in two, `--add-key` and
`--set-signing-key`, or adding another command `--add-foreign-key`. `--set-signing-key`, or adding another command `--add-foreign-key`,
or perhaps determining if the key being added has a known secret key.


@ -8,6 +8,7 @@ import Data.Maybe
import Data.List.Utils import Data.List.Utils
import Propellor.PrivData.Paths import Propellor.PrivData.Paths
import Propellor.Message
import Utility.SafeCommand import Utility.SafeCommand
import Utility.Process import Utility.Process
import Utility.Monad import Utility.Monad
@ -19,6 +20,7 @@ type KeyId = String
keyring :: FilePath keyring :: FilePath
keyring = privDataDir </> "keyring.gpg" keyring = privDataDir </> "keyring.gpg"
-- Lists the keys in propellor's keyring.
listPubKeys :: IO [KeyId] listPubKeys :: IO [KeyId]
listPubKeys = parse . lines <$> readProcess "gpg" listopts listPubKeys = parse . lines <$> readProcess "gpg" listopts
where where
@ -36,10 +38,15 @@ useKeyringOpts =
] ]
addKey :: KeyId -> IO () addKey :: KeyId -> IO ()
addKey keyid = exitBool =<< allM id addKey keyid = exitBool =<< allM (uncurry actionMessage)
[ gpg, gitadd keyring, reencryptprivdata, gitconfig, gitcommit ] [ ("adding key to propellor's keyring", addkeyring)
, ("staging propellor's keyring", gitadd keyring)
, ("updating encryption of any privdata", reencryptprivdata)
, ("configuring git signing to use key", gitconfig)
, ("committing changes", gitcommit)
]
where where
gpg = do addkeyring = do
createDirectoryIfMissing True privDataDir createDirectoryIfMissing True privDataDir
boolSystem "sh" boolSystem "sh"
[ Param "-c" [ Param "-c"
@ -59,11 +66,16 @@ addKey keyid = exitBool =<< allM id
, File f , File f
] ]
gitconfig = boolSystem "git" gitconfig = ifM (snd <$> processTranscript "gpg" ["--list-secret-keys", keyid] Nothing)
[ Param "config" ( boolSystem "git"
, Param "user.signingkey" [ Param "config"
, Param keyid , Param "user.signingkey"
] , Param keyid
]
, do
warningMessage $ "Cannot find a secret key for key " ++ keyid ++ ", so not configuring git user.signingkey to use this key."
return True
)
gitcommit = gitCommit gitcommit = gitCommit
[ File keyring [ File keyring
@ -71,7 +83,7 @@ addKey keyid = exitBool =<< allM id
, Param "propellor addkey" , Param "propellor addkey"
] ]
{- Automatically sign the commit if there'a a keyring. -} -- Automatically sign the commit if there'a a keyring.
gitCommit :: [CommandParam] -> IO Bool gitCommit :: [CommandParam] -> IO Bool
gitCommit ps = do gitCommit ps = do
k <- doesFileExist keyring k <- doesFileExist keyring
@ -86,6 +98,7 @@ gpgDecrypt f = ifM (doesFileExist f)
, return "" , return ""
) )
-- Encrypt file to all keys in propellor's keyring.
gpgEncrypt :: FilePath -> String -> IO () gpgEncrypt :: FilePath -> String -> IO ()
gpgEncrypt f s = do gpgEncrypt f s = do
keyids <- listPubKeys keyids <- listPubKeys
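Review bot: The new secret-key check in `gitconfig`, `processTranscript "gpg" ["--list-secret-keys", keyid] Nothing`, only learns that *some* secret key matches the caller's specifier, and gpg resolves specifiers loosely (short key IDs, substrings of user IDs), so a secret key other than the public key just added can satisfy it, after which that same loose string is written into `user.signingkey`. Resolving the match to a full fingerprint with `--with-colons` and storing the fingerprint pins the signing key unambiguously, and the parsed output also lets the code refuse when more than one secret key matches instead of letting git pick. The sketch below keeps the existing "no secret key" warning path and assumes `processTranscript` returns the captured output as the first tuple component, which the `snd <$>` in the hunk suggests but does not show; `split` from the already imported `Data.List.Utils` does the field splitting. `addKey`'s `addkeyring` body and the tail of the definition run past the hunk boundaries, so how `keyid` is used there is not visible here.
```haskell
	gitconfig = do
		(out, _) <- processTranscript "gpg" ["--with-colons", "--list-secret-keys", keyid] Nothing
		-- fingerprint of each primary secret key: the fpr record that follows a sec record
		let recs = map (split ":") (lines out)
		    fprs = [ f | (s, ("fpr":_:_:_:_:_:_:_:_:f:_)) <- zip recs (drop 1 recs), take 1 s == ["sec"] ]
		case fprs of
			[fpr] -> boolSystem "git"
				[ Param "config"
				, Param "user.signingkey"
				, Param fpr
				]
			(_:_) -> do
				warningMessage $ "More than one secret key matches " ++ keyid ++ ", so not configuring git user.signingkey; pass a full fingerprint."
				return True
			[] -> do
				warningMessage $ "Cannot find a secret key for key " ++ keyid ++ ", so not configuring git user.signingkey to use this key."
				return True
	-- … unchanged: gitcommit …
```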