response

2018-07-19 13:11:18 -04:00 · 2018-07-19 13:11:18 -04:00 · c16e571e36
commit c16e571e36
parent 8cbe9b7dd3
2 changed files with 63 additions and 0 deletions
--- a/doc/forum/Future_proofing_47_disaster_recovery_with_an_encrypted_special_remote/comment_10_2eb2f05477a86f1352e734d163301ffa._comment
+++ b/doc/forum/Future_proofing_47_disaster_recovery_with_an_encrypted_special_remote/comment_10_2eb2f05477a86f1352e734d163301ffa._comment
@ -0,0 +1,44 @@
 [[!comment format=mdwn
 username="joey"
 subject="""comment 10"""
 date="2018-07-19T16:16:14Z"
 content="""
@oliv5 sharedpubkey's cipher has the same newline problem as pubkey does,
 as discussed above. Unlike pubkey, it has to be base64-decoded first,
 and then the extra newline appended to that.
 	                # Pull out MAC cipher from beginning of cipher
 	                if [ \"$encryption\" = \"hybrid\" ] ; then
 	                        cipher=\"$(echo -n \"$cipher\" | head  -c 256 )\"
 	                elif [ \"$encryption\" = \"shared\" ] ; then
 	                        cipher=\"$(echo -n \"$cipher\" | base64 -d | head  -c 256 )\"
 	                elif [ \"$encryption\" = \"pubkey\" ] ; then
 	                        cipher=\"$cipher
 	\"
 	                elif [ \"$encryption\" = \"sharedpubkey\" ] ; then
 	                        cipher=\"$(echo -n \"$cipher\" | base64 -d)\"
 				cipher=\"$cipher
 	\"
 			fi
 Note that base64 -d does emit the newline (verified with hexdump);
 again the shell is shooting you in the foot by eliminating it.
 BTW, a very simple code hack that makes it easy to dump out the cipher git-annex
 is using:
 	diff --git a/Remote/Helper/Encryptable.hs b/Remote/Helper/Encryptable.hs
 	index 97e55a415..c4d252912 100644
 	--- a/Remote/Helper/Encryptable.hs
 	+++ b/Remote/Helper/Encryptable.hs
 	@@ -192,7 +192,7 @@ describeCipher :: StorableCipher -> String
 	 describeCipher c = case c of
 		(SharedCipher _) -> \"encryption key stored in git repository\"
 	 	(EncryptedCipher _ _ ks) -> showkeys ks
 	-	(SharedPubKeyCipher _ ks) -> showkeys ks
 	+	(SharedPubKeyCipher c ks) -> show c ++ \" \" ++ showkeys ks
 	   where
 	 	showkeys (KeyIds { keyIds = ks }) = \"to gpg keys: \" ++ unwords ks
 Then git-annex info remote will display it. Obviously, this patch is insecure.
 """]]
--- a/doc/forum/Shared_pubkeys58_decrypting_files_in_special_remotes_without_git-annex/comment_7_eb448e997e4dc77c845bc4a9462ee128._comment
+++ b/doc/forum/Shared_pubkeys58_decrypting_files_in_special_remotes_without_git-annex/comment_7_eb448e997e4dc77c845bc4a9462ee128._comment
@ -0,0 +1,19 @@
 [[!comment format=mdwn
 username="joey"
 subject="""comment 7"""
 date="2018-07-19T16:57:22Z"
 content="""
 I have addressed the sharedpubkey thing in the other thread.
 Chunk keys may have a -S as well as the -C, if the special remote was
 set up with new-style chunking enabled.
 A remote can have several different chunk sizes over its
 lifetime; the chunk size used for a given key is in the .log.cnk file
 in the git-annex branch, documented in [[internals]].
 The easy way to test if you are generating
 the right key, prior to HMAC encrypting it, is to set up a non-encrypted
 special remote with the same chunking configuration, and look at the chunk
 keys used when files are stored in it.
 """]]