Set gcrypt-publish-participants when setting up a gcrypt repository, to avoid unncessary passphrase prompts.
This is a security/usability tradeoff. To avoid exposing the gpg key ids of those who can decrypt the repository, users can unset gcrypt-publish-participants. The gcrypt-publish-participants option is available in my fork of git-remote-gcrypt. This commit was sponsored by Christopher Kernahan.
parent
925e1db85b
commit
ec5ed2af9d
4 changed files with 23 additions and 2 deletions
|
@ -263,10 +263,14 @@ shellOrRsync r ashell arsync = case method of
|
|||
- participants, which gcrypt requires is the case, and may not be
|
||||
- depending on system configuration.
|
||||
-
|
||||
- (For shared encryption, gcrypt's default behavior is used.) -}
|
||||
- (For shared encryption, gcrypt's default behavior is used.)
|
||||
-
|
||||
- Also, sets gcrypt-publish-participants to avoid unncessary gpg
|
||||
- passphrase prompts.
|
||||
-}
|
||||
setGcryptEncryption :: RemoteConfig -> String -> Annex ()
|
||||
setGcryptEncryption c remotename = do
|
||||
let participants = ConfigKey $ Git.GCrypt.remoteParticipantConfigKey remotename
|
||||
let participants = remoteconfig Git.GCrypt.remoteParticipantConfigKey
|
||||
case extractCipher c of
|
||||
Nothing -> noCrypto
|
||||
Just (EncryptedCipher _ _ (KeyIds { keyIds = ks})) -> do
|
||||
|
@ -278,6 +282,10 @@ setGcryptEncryption c remotename = do
|
|||
(k:_) -> setConfig signingkey k
|
||||
Just (SharedCipher _) ->
|
||||
unsetConfig participants
|
||||
setConfig (remoteconfig Git.GCrypt.remotePublishParticipantConfigKey)
|
||||
(Git.Config.boolConfig True)
|
||||
where
|
||||
remoteconfig n = ConfigKey $ n remotename
|
||||
|
||||
store :: Remote -> Remote.Rsync.RsyncOpts -> (Cipher, Key) -> Key -> MeterUpdate -> Annex Bool
|
||||
store r rsyncopts (cipher, enck) k p
|
||||
|
|
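Review bot: The header comment on setGcryptEncryption states only the benefit of the new `setConfig (remoteconfig Git.GCrypt.remotePublishParticipantConfigKey) (Git.Config.boolConfig True)` call, so a reader of the code never learns the cost that the commit message admits: the participants' gpg key ids are no longer hidden from someone who can read the remote. I would add a line such as `- This exposes the participants' gpg key ids to anyone who can read the remote; unset gcrypt-publish-participants to keep them hidden.` Indentation is lost on this page, but since the `SharedCipher` branch has no `do`, the call appears to sit after the `case` and so would also apply to shared encryption; the comment should say whether that is intended. If setGcryptEncryption can run again on an existing remote (its callers are outside this hunk), it would overwrite a user's earlier unset, so checking for an existing value before writing may be worth it.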