response

2018-07-19 13:11:18 -04:00 · 2018-07-19 13:11:18 -04:00 · c16e571e36
commit c16e571e36
parent 8cbe9b7dd3
2 changed files with 63 additions and 0 deletions
--- a/doc/forum/Future_proofing_47_disaster_recovery_with_an_encrypted_special_remote/comment_10_2eb2f05477a86f1352e734d163301ffa._comment
+++ b/doc/forum/Future_proofing_47_disaster_recovery_with_an_encrypted_special_remote/comment_10_2eb2f05477a86f1352e734d163301ffa._comment
@ -0,0 +1,44 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 10"""
+ date="2018-07-19T16:16:14Z"
+ content="""
+@oliv5 sharedpubkey's cipher has the same newline problem as pubkey does,
+as discussed above. Unlike pubkey, it has to be base64-decoded first,
+and then the extra newline appended to that.
+
+	                # Pull out MAC cipher from beginning of cipher
+	                if [ \"$encryption\" = \"hybrid\" ] ; then
+	                        cipher=\"$(echo -n \"$cipher\" | head  -c 256 )\"
+	                elif [ \"$encryption\" = \"shared\" ] ; then
+	                        cipher=\"$(echo -n \"$cipher\" | base64 -d | head  -c 256 )\"
+	                elif [ \"$encryption\" = \"pubkey\" ] ; then
+	                        cipher=\"$cipher
+	\"
+	                elif [ \"$encryption\" = \"sharedpubkey\" ] ; then
+	                        cipher=\"$(echo -n \"$cipher\" | base64 -d)\"
+				cipher=\"$cipher
+	\"
+			fi
+
+Note that base64 -d does emit the newline (verified with hexdump);
+again the shell is shooting you in the foot by eliminating it.
+
+BTW, a very simple code hack that makes it easy to dump out the cipher git-annex
+is using:
+
+	diff --git a/Remote/Helper/Encryptable.hs b/Remote/Helper/Encryptable.hs
+	index 97e55a415..c4d252912 100644
+	--- a/Remote/Helper/Encryptable.hs
+	+++ b/Remote/Helper/Encryptable.hs
+	@@ -192,7 +192,7 @@ describeCipher :: StorableCipher -> String
+	 describeCipher c = case c of
+ 		(SharedCipher _) -> \"encryption key stored in git repository\"
+	 	(EncryptedCipher _ _ ks) -> showkeys ks
+	-	(SharedPubKeyCipher _ ks) -> showkeys ks
+	+	(SharedPubKeyCipher c ks) -> show c ++ \" \" ++ showkeys ks
+	   where
+	 	showkeys (KeyIds { keyIds = ks }) = \"to gpg keys: \" ++ unwords ks
+
+Then git-annex info remote will display it. Obviously, this patch is insecure.
+"""]]
--- a/doc/forum/Shared_pubkeys58_decrypting_files_in_special_remotes_without_git-annex/comment_7_eb448e997e4dc77c845bc4a9462ee128._comment
+++ b/doc/forum/Shared_pubkeys58_decrypting_files_in_special_remotes_without_git-annex/comment_7_eb448e997e4dc77c845bc4a9462ee128._comment
@ -0,0 +1,19 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 7"""
+ date="2018-07-19T16:57:22Z"
+ content="""
+I have addressed the sharedpubkey thing in the other thread.
+
+Chunk keys may have a -S as well as the -C, if the special remote was
+set up with new-style chunking enabled.
+
+A remote can have several different chunk sizes over its
+lifetime; the chunk size used for a given key is in the .log.cnk file
+in the git-annex branch, documented in [[internals]].
+
+The easy way to test if you are generating
+the right key, prior to HMAC encrypting it, is to set up a non-encrypted
+special remote with the same chunking configuration, and look at the chunk
+keys used when files are stored in it.
+"""]]