Skip to content

Instantly share code, notes, and snippets.

@jonathonsim

jonathonsim/keychain

Created November 17, 2017 00:46
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save jonathonsim/5f24a006c250a85eeee86b9bb431cc96 to your computer and use it in GitHub Desktop.
Save jonathonsim/5f24a006c250a85eeee86b9bb431cc96 to your computer and use it in GitHub Desktop.
Download ZIP
keychain
Raw
keychain
#!/bin/sh
# Copyright 1999-2005 Gentoo Foundation
# Copyright 2007 Aron Griffis <agriffis@n01se.net>
# Copyright 2009-2010 Funtoo Technologies, LLC
# lockfile() Copyright 2009 Parallels, Inc.
# Distributed under the terms of the GNU General Public License v2
# Originally authored by Daniel Robbins <drobbins@gentoo.org>
# Maintained August 2002 - April 2003 by Seth Chandler <sethbc@gentoo.org>
# Maintained and rewritten April 2004 - July 2007 by Aron Griffis <agriffis@n01se.net>
# Maintained July 2009 - present by Daniel Robbins <drobbins@funtoo.org>
version=2.7.1
PATH="/usr/bin:/bin:/sbin:/usr/sbin:/usr/ucb:${PATH}"
maintainer="drobbins@funtoo.org"
zero=`basename "$0"`
unset mesglog
unset myaction
unset agentsopt
havelock=false
unset hostopt
ignoreopt=false
noaskopt=false
noguiopt=false
nolockopt=false
lockwait=5
openssh=unknown
sunssh=unknown
quickopt=false
quietopt=false
clearopt=false
color=true
inheritwhich=local-once
unset stopwhich
unset timeout
unset ssh_timeout
attempts=1
unset sshavail
unset sshkeys
unset gpgkeys
unset mykeys
keydir="${HOME}/.keychain"
unset envf
evalopt=false
confirmopt=false
unset ssh_confirm
unset GREP_OPTIONS
BLUE=""
CYAN=""
CYANN=""
GREEN=""
RED=""
PURP=""
OFF=""
# GNU awk and sed have regex issues in a multibyte environment. If any locale
# variables are set, then override by setting LC_ALL
unset pinentry_locale
lvars=`locale 2>/dev/null | egrep -v '="?(|POSIX|C)"?$' 2>/dev/null`
if [ -n "$lvars$LANG$LC_ALL" ]; then
# save LC_ALL so that pinentry-curses works right. This has always worked
# correctly for me but peper and kloeri had problems with it.
pinentry_lc_all="$LC_ALL"
LC_ALL=C
export LC_ALL
fi
# synopsis: qprint "message"
qprint() {
$quietopt || echo "$*" >&2
}
# synopsis: mesg "message"
# Prettily print something to stderr, honors quietopt
mesg() {
qprint " ${GREEN}*${OFF} $*"
}
# synopsis: warn "message"
# Prettily print a warning to stderr
warn() {
echo " ${RED}* Warning${OFF}: $*" >&2
}
# synopsis: error "message"
# Prettily print an error
error() {
echo " ${RED}* Error${OFF}: $*" >&2
}
# synopsis: die "message"
# Prettily print an error, then abort
die() {
[ -n "$1" ] && error "$*"
qprint
$evalopt && { echo; echo "false;"; }
exit 1
}
# synopsis: versinfo
# Display the version information
versinfo() {
qprint
qprint " Copyright ${CYANN}2002-2006${OFF} Gentoo Foundation;"
qprint " Copyright ${CYANN}2007${OFF} Aron Griffis;"
qprint " Copyright ${CYANN}2009-2010${OFF} Funtoo Technologies, LLC;"
qprint " lockfile() Copyright ${CYANN}2009${OFF} Parallels, Inc."
qprint
qprint " Keychain is free software: you can redistribute it and/or modify"
qprint " it under the terms of the ${CYANN}GNU General Public License version 2${OFF} as"
qprint " published by the Free Software Foundation."
qprint
}
# synopsis: helpinfo
# Display the help information. There's no really good way to use qprint for
# this...
helpinfo() {
cat >&1 <<EOHELP
SYNOPSIS
keychain [ ${GREEN}-hkQqV${OFF} ] [ ${GREEN}--clear${OFF} ${GREEN}--help${OFF} ${GREEN}--ignore-missing${OFF} ${GREEN}--noask${OFF}
${GREEN}--nocolor${OFF} ${GREEN}--nogui${OFF} ${GREEN}--nolock${OFF} ${GREEN}--quick${OFF} ${GREEN}--quiet${OFF} ${GREEN}--version${OFF} ]
[ ${GREEN}--agents${OFF} ${CYAN}list${OFF} ] [ ${GREEN}--attempts${OFF} ${CYAN}num${OFF} ] [ ${GREEN}--dir${OFF} ${CYAN}dirname${OFF} ]
[ ${GREEN}--host${OFF} ${CYAN}name${OFF} ] [ ${GREEN}--lockwait${OFF} ${CYAN}seconds${OFF} ]
[ ${GREEN}--stop${OFF} ${CYAN}which${OFF} ] [ ${GREEN}--timeout${OFF} ${CYAN}minutes${OFF} ] [ keys... ]
OPTIONS
${GREEN}--agents${OFF} ${CYAN}list${OFF}
Start the agents listed. By default keychain will build the list
automatically based on the existence of ssh-agent and/or gpg-agent
on the system. The list should be comma-separated, for example
"gpg,ssh"
${GREEN}--attempts${OFF} ${CYAN}num${OFF}
Try num times to add keys before giving up. The default is 1.
${GREEN}--clear${OFF}
Delete all of ssh-agent's keys. Typically this is used in
.bash_profile. The theory behind this is that keychain should assume
that you are an intruder until proven otherwise. However, while this
option increases security, it still allows your cron jobs to use
your ssh keys when you're logged out.
${GREEN}--confirm${OFF}
Keys are subject to interactive confirmation by the SSH_ASKPASS
program before being used for authentication. See the ${GREEN}-c${OFF} option for
ssh-add(1).
${GREEN}--dir${OFF} ${CYAN}dirname${OFF}
Keychain will use dirname rather than \$HOME/.keychain
${GREEN}--eval${OFF}
Keychain will print lines to be evaluated in the shell on stdout. It
respects the SHELL environment variable to determine if Bourne shell
or C shell output is expected.
${GREEN}--env${OFF} ${CYAN}filename${OFF}
After parsing options, keychain will load additional environment
settings from "filename". By default, if "--env" is not given, then
keychain will attempt to load from ~/.keychain/[hostname]-env or
alternatively ~/.keychain/env. The purpose of this file is to
override settings such as PATH, in case ssh is stored in a
non-standard place.
${GREEN}-h${OFF} ${GREEN}--help${OFF}
Show help that looks remarkably like this man-page. As of 2.6.10,
help is sent to stdout so it can be easily piped to a pager.
${GREEN}--host${OFF} ${CYAN}name${OFF}
Set alternate hostname for creation of pidfiles
${GREEN}--ignore-missing${OFF}
Don't warn if some keys on the command-line can't be found. This is
useful for situations where you have a shared .bash_profile, but
your keys might not be available on every machine where keychain is
run.
${GREEN}--inherit${OFF} ${CYAN}which${OFF}
Attempt to inherit agent variables from the environment. This can be
useful in a variety of circumstances, for example when ssh-agent is
started by gdm. The following values are valid for "which":
local Inherit when a pid (e.g. SSH_AGENT_PID) is set in the
environment. This disallows inheriting a forwarded
agent.
any Inherit when a sock (e.g. SSH_AUTH_SOCK) is set in the
environment. This allows inheriting a forwarded agent.
local-once Same as "local", but only inherit if keychain isn't
already providing an agent.
any-once Same as "any", but only inherit if keychain isn't
already providing an agent.
By default, keychain-2.5.0 and later will behave as if "--inherit
local-once" is specified. You should specify "--noinherit" if you
want the older behavior.
${GREEN}--lockwait${OFF} ${CYAN}seconds${OFF}
How long to wait for the lock to become available. Defaults to 5
seconds. Specify a value of zero or more. If the lock cannot be
acquired within the specified number of seconds, then this keychain
process will forcefully acquire the lock.
${GREEN}--noask${OFF}
This option tells keychain do everything it normally does (ensure
ssh-agent is running, set up the ~/.keychain/[hostname]-{c}sh files)
except that it will not prompt you to add any of the keys you
specified if they haven't yet been added to ssh-agent.
${GREEN}--nocolor${OFF}
Disable color hilighting for non ANSI-compatible terms.
${GREEN}--nogui${OFF}
Don't honor SSH_ASKPASS, if it is set. This will cause ssh-add to
prompt on the terminal instead of using a graphical program.
${GREEN}--noinherit${OFF}
Don't inherit any agent processes, overriding the default "--inherit
local-once"
${GREEN}--nolock${OFF}
Don't attempt to use a lockfile while manipulating files, pids and
keys.
${GREEN}-k${OFF} ${GREEN}--stop${OFF} ${CYAN}which${OFF}
Kill currently running agent processes. The following values are
valid for "which":
all Kill all agent processes and quit keychain immediately.
Prior to keychain-2.5.0, this was the behavior of the bare
"--stop" option.
others Kill agent processes other than the one keychain is
providing. Prior to keychain-2.5.0, keychain would do this
automatically. The new behavior requires that you specify
it explicitly if you want it.
mine Kill keychain's agent processes, leaving other agents
alone.
${GREEN}-Q${OFF} ${GREEN}--quick${OFF}
If an ssh-agent process is running then use it. Don't verify the
list of keys, other than making sure it's non-empty. This option
avoids locking when possible so that multiple terminals can be
opened simultaneously without waiting on each other.
${GREEN}-q${OFF} ${GREEN}--quiet${OFF}
Only print messages in case of warning, error or required
interactivity. As of version 2.6.10, this also suppresses
"Identities added" messages for ssh-agent.
${GREEN}--timeout${OFF} ${CYAN}minutes${OFF}
Set a timeout in minutes on your keys. This is conveyed to ssh-agent
which does the actual timing out of keys since keychain doesn't run
continuously.
${GREEN}-V${OFF} ${GREEN}--version${OFF}
Show version information.
EOHELP
}
# synopsis: testssh
# Figure out which ssh is in use, set the global boolean $openssh and $sunssh
testssh() {
# Query local host for SSH application, presently supporting
# OpenSSH, Sun SSH, and ssh.com
openssh=false
sunssh=false
case "`ssh -V 2>&1`" in
*OpenSSH*) openssh=true ;;
*Sun?SSH*) sunssh=true ;;
esac
}
# synopsis: getuser
# Set the global string $me
getuser() {
# whoami gives euid, which might be different from USER or LOGNAME
me=`whoami` || die "Who are you? whoami doesn't know..."
}
# synopsis: getos
# Set the global string $OSTYPE
getos() {
OSTYPE=`uname` || die 'uname failed'
}
# synopsis: verifykeydir
# Make sure the key dir is set up correctly. Exits on error.
verifykeydir() {
# Create keydir if it doesn't exist already
if [ -f "${keydir}" ]; then
die "${keydir} is a file (it should be a directory)"
# Solaris 9 doesn't have -e; using -d....
elif [ ! -d "${keydir}" ]; then
( umask 0077 && mkdir "${keydir}"; ) || die "can't create ${keydir}"
fi
}
lockfile() {
# This function originates from Parallels Inc.'s OpenVZ vpsreboot script
# Description: This function attempts to acquire the lock. If it succeeds,
# it returns 0. If it fails, it returns 1. This function retuns immediately
# and only tries to acquire the lock once.
local tmpfile="$lockf.$$"
echo $$ >"$tmpfile" 2>/dev/null || exit
if ln "$tmpfile" "$lockf" 2>/dev/null; then
rm -f "$tmpfile"
havelock=true && return 0
fi
if kill -0 `cat $lockf 2>/dev/null` 2>/dev/null; then
rm -f "$tmpfile"
return 1
fi
if ln "$tmpfile" "$lockf" 2>/dev/null; then
rm -f "$tmpfile"
havelock=true && return 0
fi
rm -f "$tmpfile" "$lockf" && return 1
}
takelock() {
# Description: This function calls lockfile() multiple times if necessary
# to try to acquire the lock. It returns 0 on success and 1 on failure.
# Change in behavior: if timeout expires, we will forcefully acquire lock.
[ "$havelock" = "true" ] && return 0
[ "$nolockopt" = "true" ] && return 0
# First attempt:
lockfile && return 0
local counter=0
mesg "Waiting $lockwait seconds for lock..."
while [ "$counter" -lt "$(( $lockwait * 2 ))" ]
do
lockfile && return 0
sleep 0.5; counter=$(( $counter + 1 ))
done
rm -f "$lockf" && lockfile && return 0
return 1
}
# synopsis: droplock
# Drops the lock if we're holding it.
droplock() {
$havelock && [ -n "$lockf" ] && rm -f "$lockf"
}
# synopsis: findpids [prog]
# Returns a space-separated list of agent pids.
# prog can be ssh or gpg, defaults to ssh. Note that if another prog is ever
# added, need to pay attention to the length for Solaris compatibility.
findpids() {
fp_prog=${1-ssh}
unset fp_psout
# Different systems require different invocations of ps. Try to generalize
# the best we can. The only requirement is that the agent command name
# appears in the line, and the PID is the first item on the line.
[ -n "$OSTYPE" ] || getos
# Try systems where we know what to do first
case "$OSTYPE" in
AIX|*bsd*|*BSD*|CYGWIN|darwin*|Linux|linux-gnu|OSF1)
fp_psout=`ps x 2>/dev/null` ;; # BSD syntax
HP-UX)
fp_psout=`ps -u $me 2>/dev/null` ;; # SysV syntax
SunOS)
case `uname -r` in
[56]*)
fp_psout=`ps -u $me 2>/dev/null` ;; # SysV syntax
*)
fp_psout=`ps x 2>/dev/null` ;; # BSD syntax
esac ;;
GNU|gnu)
fp_psout=`ps -g 2>/dev/null` ;; # GNU Hurd syntax
esac
# If we didn't get a match above, try a list of possibilities...
# The first one will probably fail on systems supporting only BSD syntax.
if [ -z "$fp_psout" ]; then
fp_psout=`UNIX95=1 ps -u $me -o pid,comm 2>/dev/null | grep '^ *[0-9]'`
[ -z "$fp_psout" ] && fp_psout=`ps x 2>/dev/null`
fi
# Return the list of pids; ignore case for Cygwin.
# Check only 8 characters since Solaris truncates at that length.
# Ignore defunct ssh-agents (bug 28599)
if [ -n "$fp_psout" ]; then
echo "$fp_psout" | \
awk "BEGIN{IGNORECASE=1} /defunct/{next}
/$fp_prog-[a]gen/{print \$1}" | xargs
return 0
fi
# If none worked, we're stuck
error "Unable to use \"ps\" to scan for $fp_prog-agent processes"
error "Please report to $maintainer via http://bugs.gentoo.org"
return 1
}
# synopsis: stopagent [prog]
# --stop tells keychain to kill the existing agent(s)
# prog can be ssh or gpg, defaults to ssh.
stopagent() {
stop_prog=${1-ssh}
eval stop_except=\$\{${stop_prog}_agent_pid\}
stop_mypids=`findpids "$stop_prog"`
[ $? = 0 ] || die
if [ -z "$stop_mypids" ]; then
mesg "No $stop_prog-agent(s) found running"
return 0
fi
case "$stopwhich" in
all)
kill $stop_mypids >/dev/null 2>&1
mesg "All ${CYANN}$me${OFF}'s $stop_prog-agents stopped: ${CYANN}$stop_mypids${OFF}"
;;
others)
# Try to handle the case where we *will* inherit a pid
kill -0 $stop_except >/dev/null 2>&1
if [ -z "$stop_except" -o $? != 0 -o \
"$inheritwhich" = local -o "$inheritwhich" = any ]; then
if [ "$inheritwhich" != none ]; then
eval stop_except=\$\{inherit_${stop_prog}_agent_pid\}
kill -0 $stop_except >/dev/null 2>&1
if [ -z "$stop_except" -o $? != 0 ]; then
# Handle ssh2
eval stop_except=\$\{inherit_${stop_prog}2_agent_pid\}
fi
fi
fi
# Filter out the running agent pid
unset stop_mynewpids
for stop_x in $stop_mypids; do
[ $stop_x -eq $stop_except ] 2>/dev/null && continue
stop_mynewpids="${stop_mynewpids+$stop_mynewpids }$stop_x"
done
if [ -n "$stop_mynewpids" ]; then
kill $stop_mynewpids >/dev/null 2>&1
mesg "Other ${CYANN}$me${OFF}'s $stop_prog-agents stopped: ${CYANN}$stop_mynewpids${OFF}"
else
mesg "No other $stop_prog-agent(s) than keychain's $stop_except found running"
fi
;;
mine)
if [ $stop_except -gt 0 ] 2>/dev/null; then
kill $stop_except >/dev/null 2>&1
mesg "Keychain $stop_prog-agents stopped: ${CYANN}$stop_except${OFF}"
else
mesg "No keychain $stop_prog-agent found running"
fi
;;
esac
# remove pid files if keychain-controlled
if [ "$stopwhich" != others ]; then
if [ "$stop_prog" != ssh ]; then
rm -f "${pidf}-$stop_prog" "${cshpidf}-$stop_prog" "${fishpidf}-$stop_prog" 2>/dev/null
else
rm -f "${pidf}" "${cshpidf}" "${fishpidf}" 2>/dev/null
fi
eval unset ${stop_prog}_agent_pid
fi
}
# synopsis: inheritagents
# Save agent variables from the environment before they get wiped out
inheritagents() {
# Verify these global vars are null
unset inherit_ssh_auth_sock inherit_ssh_agent_pid
unset inherit_ssh2_auth_sock inherit_ssh2_agent_sock
unset inherit_gpg_agent_info inherit_gpg_agent_pid
# Save variables so we can inherit a running agent
if [ "$inheritwhich" != none ]; then
if wantagent ssh; then
if [ -n "$SSH_AUTH_SOCK" ]; then
inherit_ssh_auth_sock="$SSH_AUTH_SOCK"
inherit_ssh_agent_pid="$SSH_AGENT_PID"
fi
if [ -n "$SSH2_AUTH_SOCK" ]; then
inherit_ssh2_auth_sock="$SSH2_AUTH_SOCK"
inherit_ssh2_agent_pid="$SSH2_AGENT_PID"
fi
fi
if wantagent gpg; then
if [ -n "$GPG_AGENT_INFO" ]; then
inherit_gpg_agent_info="$GPG_AGENT_INFO"
inherit_gpg_agent_pid=`echo "$GPG_AGENT_INFO" | cut -f2 -d:`
fi
fi
fi
}
# synopsis: validinherit
# Test inherit_* variables for validity
validinherit() {
vi_agent="$1"
vi_status=0
if [ "$vi_agent" = ssh ]; then
if [ -n "$inherit_ssh_auth_sock" ]; then
ls "$inherit_ssh_auth_sock" >/dev/null 2>&1
if [ $? != 0 ]; then
warn "SSH_AUTH_SOCK in environment is invalid; ignoring it"
unset inherit_ssh_auth_sock inherit_ssh_agent_pid
vi_status=1
fi
fi
if [ -n "$inherit_ssh2_auth_sock" ]; then
ls "$inherit_ssh2_auth_sock" >/dev/null 2>&1
if [ $? != 0 ]; then
warn "SSH2_AUTH_SOCK in environment is invalid; ignoring it"
unset inherit_ssh2_auth_sock inherit_ssh2_agent_pid
vi_status=1
fi
fi
elif [ "$vi_agent" = gpg ]; then
if [ -n "$inherit_gpg_agent_pid" ]; then
kill -0 "$inherit_gpg_agent_pid" >/dev/null 2>&1
if [ $? != 0 ]; then
unset inherit_gpg_agent_pid inherit_gpg_agent_info
warn "GPG_AGENT_INFO in environment is invalid; ignoring it"
vi_status=1
fi
fi
fi
return $vi_status
}
# synopsis: catpidf_shell shell agents...
# cat the pid files for the given agents. This is used by loadagents and also
# for keychain output when --eval is given.
catpidf_shell() {
case "$1" in
*/fish|fish) cp_pidf="$fishpidf" ;;
*csh) cp_pidf="$cshpidf" ;;
*) cp_pidf="$pidf" ;;
esac
shift
for cp_a in "$@"; do
case "${cp_a}" in
ssh) [ -f "$cp_pidf" ] && cat "$cp_pidf" ;;
*) [ -f "${cp_pidf}-$cp_a" ] && cat "${cp_pidf}-$cp_a" ;;
esac
echo
done
return 0
}
# synopsis: catpidf agents...
# cat the pid files for the given agents, appropriate for the current value of
# $SHELL. This is used for keychain output when --eval is given.
catpidf() {
catpidf_shell "$SHELL" "$@"
}
# synopsis: loadagents agents...
# Load agent variables from $pidf and copy implementation-specific environment
# variables into generic global strings
loadagents() {
for la_a in "$@"; do
case "$la_a" in
ssh)
unset SSH_AUTH_SOCK SSH_AGENT_PID SSH2_AUTH_SOCK SSH2_AGENT_PID
eval "`catpidf_shell sh $la_a`"
if [ -n "$SSH_AUTH_SOCK" ]; then
ssh_auth_sock=$SSH_AUTH_SOCK
ssh_agent_pid=$SSH_AGENT_PID
elif [ -n "$SSH2_AUTH_SOCK" ]; then
ssh_auth_sock=$SSH2_AUTH_SOCK
ssh_agent_pid=$SSH2_AGENT_PID
else
unset ssh_auth_sock ssh_agent_pid
fi
;;
gpg)
unset GPG_AGENT_INFO
eval "`catpidf_shell sh $la_a`"
if [ -n "$GPG_AGENT_INFO" ]; then
la_IFS="$IFS" # save current IFS
IFS=':' # set IFS to colon to separate PATH
set -- $GPG_AGENT_INFO
IFS="$la_IFS" # restore IFS
gpg_agent_pid=$2
fi
;;
*)
eval "`catpidf_shell sh $la_a`"
;;
esac
done
return 0
}
# synopsis: startagent [prog]
# Starts an agent if it isn't already running.
# Requires $ssh_agent_pid
startagent() {
start_prog=${1-ssh}
unset start_pid
start_inherit_pid=none
start_mypids=`findpids "$start_prog"`
[ $? = 0 ] || die
# Unfortunately there isn't much way to genericize this without introducing
# a lot more supporting code/structures.
if [ "$start_prog" = ssh ]; then
start_pidf="$pidf"
start_cshpidf="$cshpidf"
start_fishpidf="$fishpidf"
start_pid="$ssh_agent_pid"
if [ -n "$inherit_ssh_auth_sock" -o -n "$inherit_ssh2_auth_sock" ]; then
if [ -n "$inherit_ssh_agent_pid" ]; then
start_inherit_pid="$inherit_ssh_agent_pid"
elif [ -n "$inherit_ssh2_agent_pid" ]; then
start_inherit_pid="$inherit_ssh2_agent_pid"
else
start_inherit_pid="forwarded"
fi
fi
else
start_pidf="${pidf}-$start_prog"
start_cshpidf="${cshpidf}-$start_prog"
start_fishpidf="${fishpidf}-$start_prog"
if [ "$start_prog" = gpg ]; then
start_pid="$gpg_agent_pid"
if [ -n "$inherit_gpg_agent_pid" ]; then
start_inherit_pid="$inherit_gpg_agent_pid"
fi
else
error "I don't know how to start $start_prog-agent (1)"
return 1
fi
fi
[ "$start_pid" -gt 0 ] 2>/dev/null || start_pid=none
# This hack makes the case statement easier
if [ "$inheritwhich" = any -o "$inheritwhich" = any-once ]; then
start_fwdflg=forwarded
else
unset start_fwdflg
fi
# Check for an existing agent
start_tester="$inheritwhich: $start_mypids $start_fwdflg "
case "$start_tester" in
none:*" $start_pid "*|*-once:*" $start_pid "*)
mesg "Found existing ${start_prog}-agent: ${CYANN}$start_pid${OFF}"
return 0
;;
*:*" $start_inherit_pid "*)
# This test was postponed until now to prevent generating warnings
validinherit "$start_prog"
if [ $? != 0 ]; then
# inherit_* vars have been removed from the environment. Try
# again now
startagent "$start_prog"
return $?
fi
mesg "Inheriting ${start_prog}-agent ($start_inherit_pid)"
;;
*)
# start_inherit_pid might be "forwarded" which we don't allow with,
# for example, local-once (the default setting)
start_inherit_pid=none
;;
esac
# Init the bourne-formatted pidfile
( umask 0177 && :> "$start_pidf"; )
if [ $? != 0 ]; then
rm -f "$start_pidf" "$start_cshpidf" "$start_fishpidf" 2>/dev/null
error "can't create $start_pidf"
return 1
fi
# Init the csh-formatted pidfile
( umask 0177 && :> "$start_cshpidf"; )
if [ $? != 0 ]; then
rm -f "$start_pidf" "$start_cshpidf" "$start_fishpidf" 2>/dev/null
error "can't create $start_cshpidf"
return 1
fi
# Init the fish-formatted pidfile
( umask 0177 && :> "$start_fishpidf"; )
if [ $? != 0 ]; then
rm -f "$start_pidf" "$start_cshpidf" "$start_fishpidf" 2>/dev/null
error "can't create $start_fishpidf"
return 1
fi
# Determine content for files
unset start_out
if [ "$start_inherit_pid" = none ]; then
# Start the agent.
# Branch again since the agents start differently
mesg "Starting ${start_prog}-agent..."
if [ "$start_prog" = ssh ]; then
start_out=`ssh-agent`
elif [ "$start_prog" = gpg ]; then
if [ -n "${timeout}" ]; then
start_gpg_timeout="--default-cache-ttl `expr $timeout \* 60`"
else
unset start_gpg_timeout
fi
# the 1.9.x series of gpg spews debug on stderr
start_out=`gpg-agent --daemon $start_gpg_timeout 2>/dev/null`
else
error "I don't know how to start $start_prog-agent (2)"
return 1
fi
if [ $? != 0 ]; then
rm -f "$start_pidf" "$start_cshpidf" "$start_fishpidf" 2>/dev/null
error "Failed to start ${start_prog}-agent"
return 1
fi
elif [ "$start_prog" = ssh -a -n "$inherit_ssh_auth_sock" ]; then
start_out="SSH_AUTH_SOCK=$inherit_ssh_auth_sock; export SSH_AUTH_SOCK;"
if [ "$inherit_ssh_agent_pid" -gt 0 ] 2>/dev/null; then
start_out="$start_out
SSH_AGENT_PID=$inherit_ssh_agent_pid; export SSH_AGENT_PID;"
fi
elif [ "$start_prog" = ssh -a -n "$inherit_ssh2_auth_sock" ]; then
start_out="SSH2_AUTH_SOCK=$inherit_ssh2_auth_sock; export SSH2_AUTH_SOCK;
SSH2_AGENT_PID=$inherit_ssh2_agent_pid; export SSH2_AGENT_PID;"
if [ "$inherit_ssh2_agent_pid" -gt 0 ] 2>/dev/null; then
start_out="$start_out
SSH2_AGENT_PID=$inherit_ssh2_agent_pid; export SSH2_AGENT_PID;"
fi
elif [ "$start_prog" = gpg -a -n "$inherit_gpg_agent_info" ]; then
start_out="GPG_AGENT_INFO=$inherit_gpg_agent_info; export GPG_AGENT_INFO;"
else
die "something bad happened" # should never be here
fi
# Add content to pidfiles.
# Some versions of ssh-agent don't understand -s, which means to
# generate Bourne shell syntax. It appears they also ignore SHELL,
# according to http://bugs.gentoo.org/show_bug.cgi?id=52874
# So make no assumptions.
start_out=`echo "$start_out" | grep -v 'Agent pid'`
case "$start_out" in
setenv*)
echo "$start_out" >"$start_cshpidf"
echo "$start_out" | awk '{print $2"="$3" export "$2";"}' >"$start_pidf"
;;
*)
echo "$start_out" >"$start_pidf"
echo "$start_out" | sed 's/;.*/;/' | sed 's/=/ /' | sed 's/^/setenv /' >"$start_cshpidf"
echo "$start_out" | sed 's/;.*/;/' | sed 's/^\(.*\)=\(.*\);/set -e \1; and set -x -U \1 \2/' >"$start_fishpidf"
;;
esac
# Hey the agent should be started now... load it up!
loadagents "$start_prog"
}
# synopsis: extract_fingerprints
# Extract the fingerprints from standard input, returns space-separated list.
# Utility routine for ssh_l and ssh_f
extract_fingerprints() {
while read ef_line; do
case "$ef_line" in
*\ *\ [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:*)
# Sun SSH spits out different things depending on the type of
# key. For example:
# md5 1024 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 /home/barney/.ssh/id_dsa(DSA)
# 2048 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 /home/barney/.ssh/id_rsa.pub
echo "$ef_line" | cut -f3 -d' '
;;
*\ [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:*)
# The more consistent OpenSSH format, we hope
# 1024 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 /home/barney/.ssh/id_dsa (DSA)
echo "$ef_line" | cut -f2 -d' '
;;
*)
# Fall back to filename. Note that commercial ssh is handled
# explicitly in ssh_l and ssh_f, so hopefully this rule will
# never fire.
warn "Can't determine fingerprint from the following line, falling back to filename"
mesg "$ef_line"
basename "$ef_line" | sed 's/[ (].*//'
;;
esac
done | xargs
}
# synopsis: ssh_l
# Return space-separated list of known fingerprints
ssh_l() {
sl_mylist=`ssh-add -l 2>/dev/null`
sl_retval=$?
if $openssh; then
# Error codes:
# 0 success
# 1 OpenSSH_3.8.1p1 on Linux: no identities (not an error)
# OpenSSH_3.0.2p1 on HP-UX: can't connect to auth agent
# 2 can't connect to auth agent
case $sl_retval in
0)
echo "$sl_mylist" | extract_fingerprints
;;
1)
case "$sl_mylist" in
*"open a connection"*) sl_retval=2 ;;
esac
;;
esac
return $sl_retval
elif $sunssh; then
# Error codes (from http://docs.sun.com/db/doc/817-3936/6mjgdbvio?a=view)
# 0 success (even when there are no keys)
# 1 error
case $sl_retval in
0)
echo "$sl_mylist" | extract_fingerprints
;;
1)
case "$sl_mylist" in
*"open a connection"*) sl_retval=2 ;;
esac
;;
esac
return $sl_retval
else
# Error codes:
# 0 success - however might say "The authorization agent has no keys."
# 1 can't connect to auth agent
# 2 bad passphrase
# 3 bad identity file
# 4 the agent does not have the requested identity
# 5 unspecified error
if [ $sl_retval = 0 ]; then
# Output of ssh-add -l:
# The authorization agent has one key:
# id_dsa_2048_a: 2048-bit dsa, agriffis@alpha.zk3.dec.com, Fri Jul 25 2003 10:53:49 -0400
# Since we don't have a fingerprint, just get the filenames *shrug*
echo "$sl_mylist" | sed '2,$s/:.*//' | xargs
fi
return $sl_retval
fi
}
# synopsis: ssh_f filename
# Return finger print for a keyfile
# Requires $openssh and $sunssh
ssh_f() {
sf_filename="$1"
if $openssh || $sunssh; then
if [ ! -f "$sf_filename.pub" ]; then
warn "$sf_filename.pub missing; can't tell if $sf_filename is loaded"
return 1
fi
sf_fing=`ssh-keygen -l -f "$sf_filename.pub"` || return 1
echo "$sf_fing" | extract_fingerprints
else
# can't get fingerprint for ssh2 so use filename *shrug*
basename "$sf_filename"
fi
return 0
}
# synopsis: gpg_listmissing
# Uses $gpgkeys
# Returns a newline-separated list of keys found to be missing.
gpg_listmissing() {
unset glm_missing
GPG_TTY=`tty`
# Parse $gpgkeys into positional params to preserve spaces in filenames
set -f # disable globbing
glm_IFS="$IFS" # save current IFS
IFS="
" # set IFS to newline
set -- $gpgkeys
IFS="$glm_IFS" # restore IFS
set +f # re-enable globbing
for glm_k in "$@"; do
# Check if this key is known to the agent. Don't know another way...
if echo | env -i GPG_TTY="$GPG_TTY" PATH="$PATH" GPG_AGENT_INFO="$GPG_AGENT_INFO" \
gpg --no-options --use-agent --no-tty --sign --local-user "$glm_k" -o- >/dev/null 2>&1; then
# already know about this key
mesg "Known gpg key: ${CYANN}${glm_k}${OFF}"
continue
else
# need to add this key
if [ -z "$glm_missing" ]; then
glm_missing="$glm_k"
else
glm_missing="$glm_missing
$glm_k"
fi
fi
done
echo "$glm_missing"
}
# synopsis: ssh_listmissing
# Uses $sshkeys and $sshavail
# Returns a newline-separated list of keys found to be missing.
ssh_listmissing() {
unset slm_missing
# Parse $sshkeys into positional params to preserve spaces in filenames
set -f # disable globbing
slm_IFS="$IFS" # save current IFS
IFS="
" # set IFS to newline
set -- $sshkeys
IFS="$slm_IFS" # restore IFS
set +f # re-enable globbing
for slm_k in "$@"; do
# Fingerprint current user-specified key
slm_finger=`ssh_f "$slm_k"` || continue
# Check if it needs to be added
case " $sshavail " in
*" $slm_finger "*)
# already know about this key
mesg "Known ssh key: ${CYANN}${slm_k}${OFF}"
;;
*)
# need to add this key
if [ -z "$slm_missing" ]; then
slm_missing="$slm_k"
else
slm_missing="$slm_missing
$slm_k"
fi
;;
esac
done
echo "$slm_missing"
}
# synopsis: add_gpgkey
# Adds a key to $gpgkeys
add_gpgkey() {
gpgkeys=${gpgkeys+"$gpgkeys
"}"$1"
}
# synopsis: add_sshkey
# Adds a key to $sshkeys
add_sshkey() {
sshkeys=${sshkeys+"$sshkeys
"}"$1"
}
# synopsis: parse_mykeys
# Sets $sshkeys and $gpgkeys based on $mykeys
parse_mykeys() {
# Parse $mykeys into positional params to preserve spaces in filenames
set -f # disable globbing
pm_IFS="$IFS" # save current IFS
IFS="
" # set IFS to newline
set -- $mykeys
IFS="$pm_IFS" # restore IFS
set +f # re-enable globbing
for pm_k in "$@"; do
# Check for ssh
if wantagent ssh; then
if [ -f "$pm_k" ]; then
add_sshkey "$pm_k" ; continue
elif [ -f "$HOME/.ssh/$pm_k" ]; then
add_sshkey "$HOME/.ssh/$pm_k" ; continue
elif [ -f "$HOME/.ssh2/$pm_k" ]; then
add_sshkey "$HOME/.ssh2/$pm_k" ; continue
fi
fi
# Check for gpg
if wantagent gpg; then
if [ -z "$pm_gpgsecrets" ]; then
pm_gpgsecrets="`gpg --list-secret-keys 2>/dev/null | cut -d/ -f2 | cut -d' ' -f1 | xargs`"
[ -z "$pm_gpgsecrets" ] && pm_gpgsecrets='/' # arbitrary
fi
case " $pm_gpgsecrets " in *" $pm_k "*)
add_gpgkey "$pm_k" ; continue ;;
esac
fi
$ignoreopt || warn "can't find $pm_k; skipping"
continue
done
return 0
}
# synopsis: setaction
# Sets $myaction or dies if $myaction is already set
setaction() {
if [ -n "$myaction" ]; then
die "you can't specify --$myaction and $1 at the same time"
else
myaction="$1"
fi
}
# synopsis: in_path
# Look for executables in the path
in_path() {
ip_lookfor="$1"
# Parse $PATH into positional params to preserve spaces
ip_IFS="$IFS" # save current IFS
IFS=':' # set IFS to colon to separate PATH
set -- $PATH
IFS="$ip_IFS" # restore IFS
for ip_x in "$@"; do
[ -x "$ip_x/$ip_lookfor" ] || continue
echo "$ip_x/$ip_lookfor"
return 0
done
return 1
}
# synopsis: setagents
# Check validity of agentsopt
setagents() {
if [ -n "$agentsopt" ]; then
agentsopt=`echo "$agentsopt" | sed 's/,/ /g'`
unset new_agentsopt
for a in $agentsopt; do
if in_path ${a}-agent >/dev/null; then
new_agentsopt="${new_agentsopt+$new_agentsopt }${a}"
else
warn "can't find ${a}-agent, removing from list"
fi
done
agentsopt="${new_agentsopt}"
else
for a in ssh gpg; do
in_path ${a}-agent >/dev/null || continue
agentsopt="${agentsopt+$agentsopt }${a}"
done
fi
if [ -z "$agentsopt" ]; then
die "no agents available to start"
fi
}
# synopsis: wantagent prog
# Return 0 (true) or 1 (false) depending on whether prog is one of the agents in
# agentsopt
wantagent() {
case "$agentsopt" in
"$1"|"$1 "*|*" $1 "*|*" $1")
return 0 ;;
*)
return 1 ;;
esac
}
#
# MAIN PROGRAM
#
# parse the command-line
while [ -n "$1" ]; do
case "$1" in
--help|-h)
setaction help
;;
--stop|-k)
# As of version 2.5, --stop takes an argument. For the sake of
# backward compatibility, only eat the arg if it's one we recognize.
if [ "$2" = mine ]; then
stopwhich=mine; shift
elif [ "$2" = others ]; then
stopwhich=others; shift
elif [ "$2" = all ]; then
stopwhich=all; shift
else
# backward compat
stopwhich=all-warn
fi
;;
--version|-V)
setaction version
;;
--agents)
shift
agentsopt="$1"
;;
--attempts)
shift
if [ "$1" -gt 0 ] 2>/dev/null; then
attempts=$1
else
die "--attempts requires a numeric argument greater than zero"
fi
;;
--clear)
clearopt=true
$quickopt && die "--quick and --clear are not compatible"
;;
--confirm)
confirmopt=true
;;
--dir)
shift
case "$1" in
*/.*) keydir="$1" ;;
'') die "--dir requires an argument" ;;
*) keydir="$1/.keychain" ;; # be backward-compatible
esac
;;
--env)
shift
if [ -z "$1" ]; then
die "--env requires an argument"
else
envf="$1"
fi
;;
--eval)
evalopt=true
;;
--host)
shift
hostopt="$1"
;;
--ignore-missing)
ignoreopt=true
;;
--inherit)
shift
case "$1" in
local|any|local-once|any-once)
inheritwhich="$1"
;;
*)
die "--inherit requires an argument (local, any, local-once or any-once)"
;;
esac
;;
--noinherit)
inheritwhich=none
;;
--noask)
noaskopt=true
;;
--nogui)
noguiopt=true
;;
--nolock)
nolockopt=true
;;
--lockwait)
shift
if [ "$1" -ge 0 ] 2>/dev/null; then
lockwait="$1"
else
die "--lockwait requires an argument zero or greater."
fi
;;
--quick|-Q)
quickopt=true
$clearopt && die "--quick and --clear are not compatible"
;;
--quiet|-q)
quietopt=true
;;
--nocolor)
color=false
;;
--timeout)
shift
if [ "$1" -gt 0 ] 2>/dev/null; then
timeout=$1
else
die "--timeout requires a numeric argument greater than zero"
fi
;;
--)
shift
IFS="
"
mykeys=${mykeys+"$mykeys
"}"$*"
unset IFS
break
;;
-*)
echo "$zero: unknown option $1" >&2
$evalopt && { echo; echo "false;"; }
exit 1
;;
*)
mykeys=${mykeys+"$mykeys
"}"$1"
;;
esac
shift
done
# Set filenames *after* parsing command-line options to allow
# modification of $keydir and/or $hostopt
#
# pidf holds the specific name of the keychain .ssh-agent-myhostname file.
# We use the new hostname extension for NFS compatibility. cshpidf is the
# .ssh-agent file with csh-compatible syntax. fishpidf is the .ssh-agent
# file with fish-compatible syntax. lockf is the lockfile, used
# to serialize the execution of multiple ssh-agent processes started
# simultaneously
[ -z "$hostopt" ] && hostopt="${HOSTNAME}"
[ -z "$hostopt" ] && hostopt=`uname -n 2>/dev/null || echo unknown`
pidf="${keydir}/${hostopt}-sh"
cshpidf="${keydir}/${hostopt}-csh"
fishpidf="${keydir}/${hostopt}-fish"
olockf="${keydir}/${hostopt}-lock"
lockf="${keydir}/${hostopt}-lockf"
# Read the env snippet (especially for things like PATH, but could modify
# basically anything)
if [ -z "$envf" ]; then
envf="${keydir}/${hostopt}-env"
[ -f "$envf" ] || envf="${keydir}/env"
[ -f "$envf" ] || unset envf
fi
if [ -n "$envf" ]; then
. "$envf"
fi
# Don't use color if there's no terminal on stderr
if [ -n "$OFF" ]; then
tty <&2 >/dev/null 2>&1 || color=false
fi
#disable color if necessary, right before our initial newline
$color || unset BLUE CYAN CYANN GREEN PURP OFF RED
qprint #initial newline
mesg "${PURP}keychain ${OFF}${CYANN}${version}${OFF} ~ ${GREEN}http://www.funtoo.org${OFF}"
[ "$myaction" = version ] && { versinfo; exit 0; }
[ "$myaction" = help ] && { versinfo; helpinfo; exit 0; }
# Set up traps
# Don't use signal names because they don't work on Cygwin.
if $clearopt; then
trap '' 2 # disallow ^C until we've had a chance to --clear
trap 'droplock; exit 1' 1 15 # drop the lock on signal
trap 'droplock; exit 0' 0 # drop the lock on exit
else
# Don't use signal names because they don't work on Cygwin.
trap 'droplock; exit 1' 1 2 15 # drop the lock on signal
trap 'droplock; exit 0' 0 # drop the lock on exit
fi
setagents # verify/set $agentsopt
verifykeydir # sets up $keydir
wantagent ssh && testssh # sets $openssh and $sunssh
getuser # sets $me
# Inherit agent info from the environment before loadagents wipes it out.
# Always call this since it checks $inheritopt and sets variables accordingly.
inheritagents
# --stop: kill the existing ssh-agent(s) and quit
if [ -n "$stopwhich" ]; then
if [ "$stopwhich" = all-warn ]; then
warn "--stop without an argument is deprecated; see --help"
stopwhich=all
fi
takelock || die
if [ "$stopwhich" = mine -o "$stopwhich" = others ]; then
loadagents $agentsopt
fi
for a in $agentsopt; do
stopagent $a
done
if [ "$stopwhich" != others ]; then
qprint
exit 0 # stopagent is always successful
fi
fi
# Note regarding locking: if we're trying to be quick, then don't take the lock.
# It will be taken later if we discover we can't be quick.
if $quickopt; then
loadagents $agentsopt # sets ssh_auth_sock, ssh_agent_pid, etc
unset nagentsopt
for a in $agentsopt; do
needstart=true
# Trying to be quick has a price... If we discover the agent isn't running,
# then we'll have to check things again (in startagent) after taking the
# lock. So don't do the initial check unless --quick was specified.
if [ $a = ssh ]; then
sshavail=`ssh_l` # try to use existing agent
# 0 = found keys, 1 = no keys, 2 = no agent
if [ $? = 0 -o \( $? = 1 -a -z "$mykeys" \) ]; then
mesg "Found existing ssh-agent: ${CYANN}$ssh_agent_pid${OFF}"
needstart=false
fi
elif [ $a = gpg ]; then
# not much way to be quick on this
if [ -n "$gpg_agent_pid" ]; then
case " `findpids gpg` " in
*" $gpg_agent_pid "*)
mesg "Found existing gpg-agent: ${CYANN}$gpg_agent_pid${OFF}"
needstart=false ;;
esac
fi
fi
if $needstart; then
nagentsopt="$nagentsopt $a"
elif $evalopt; then
catpidf $a
fi
done
agentsopt="$nagentsopt"
fi
# If there are no agents remaining, then bow out now...
[ -n "$agentsopt" ] || { qprint; exit 0; }
# There are agents remaining to start, and we now know we can't be quick. Take
# the lock before continuing
takelock || die
loadagents $agentsopt
unset nagentsopt
for a in $agentsopt; do
if startagent $a; then
nagentsopt="${nagentsopt+$nagentsopt }$a"
$evalopt && catpidf $a
fi
done
agentsopt="$nagentsopt"
# If there are no agents remaining, then duck out now...
[ -n "$agentsopt" ] || { qprint; exit 0; }
# --timeout translates almost directly to ssh-add -t, but ssh.com uses
# minutes and OpenSSH uses seconds
if [ -n "$timeout" ] && wantagent ssh; then
ssh_timeout=$timeout
if $openssh || $sunssh; then
ssh_timeout=`expr $ssh_timeout \* 60`
fi
ssh_timeout="-t $ssh_timeout"
fi
# --confirm translates to ssh-add -c
if $confirmopt && wantagent ssh; then
if $openssh || $sunssh; then
ssh_confirm=-c
else
warn "--confirm only works with OpenSSH"
fi
fi
# --clear: remove all keys from the agent(s)
if $clearopt; then
for a in ${agentsopt}; do
if [ $a = ssh ]; then
sshout=`ssh-add -D 2>&1`
if [ $? = 0 ]; then
mesg "ssh-agent: $sshout"
else
warn "ssh-agent: $sshout"
fi
elif [ $a = gpg ]; then
kill -1 $gpg_agent_pid 2>/dev/null
mesg "gpg-agent: All identities removed."
else
warn "--clear not supported for ${a}-agent"
fi
done
trap 'droplock' 2 # done clearing, safe to ctrl-c
fi
# --noask: "don't ask for keys", so we're all done
$noaskopt && { qprint; exit 0; }
# Parse $mykeys into ssh vs. gpg keys; it may be necessary in the future to
# differentiate on the cmdline
parse_mykeys || die
# Load ssh keys
if wantagent ssh; then
sshavail=`ssh_l` # update sshavail now that we're locked
sshkeys="`ssh_listmissing`" # cache list of missing keys, newline-separated
sshattempts=$attempts
savedisplay="$DISPLAY"
# Attempt to add the keys
while [ -n "$sshkeys" ]; do
mesg "Adding ${CYANN}"`echo "$sshkeys" | wc -l`"${OFF} ssh key(s): `echo $sshkeys`"
# Parse $sshkeys into positional params to preserve spaces in filenames.
# This *must* happen after any calls to subroutines because pure Bourne
# shell doesn't restore "$@" following a call. Eeeeek!
set -f # disable globbing
old_IFS="$IFS" # save current IFS
IFS="
" # set IFS to newline
set -- $sshkeys
IFS="$old_IFS" # restore IFS
set +f # re-enable globbing
if $noguiopt || [ -z "$SSH_ASKPASS" -o -z "$DISPLAY" ]; then
unset DISPLAY # DISPLAY="" can cause problems
unset SSH_ASKPASS # make sure ssh-add doesn't try SSH_ASKPASS
sshout=`ssh-add ${ssh_timeout} ${ssh_confirm} "$@" 2>&1`
else
sshout=`ssh-add ${ssh_timeout} ${ssh_confirm} "$@" 2>&1 </dev/null`
fi
if [ $? = 0 ]
then
blurb=""
[ -n "$timeout" ] && blurb="life=${timeout}m"
[ -n "$timeout" ] && $confirmopt && blurb="${blurb},"
$confirmopt && blurb="${blurb}confirm"
[ -n "$blurb" ] && blurb=" (${blurb})"
mesg "ssh-add: Identities added: `echo $sshkeys`${blurb}"
break
fi
if [ $sshattempts = 1 ]; then
die "Problem adding; giving up"
else
warn "Problem adding; trying again"
fi
# Update the list of missing keys
sshavail=`ssh_l`
[ $? = 0 ] || die "problem running ssh-add -l"
sshkeys="`ssh_listmissing`" # remember, newline-separated
# Decrement the countdown
sshattempts=`expr $sshattempts - 1`
done
[ -n "$savedisplay" ] && DISPLAY="$savedisplay"
fi
# Load gpg keys
if wantagent gpg; then
gpgkeys="`gpg_listmissing`" # cache list of missing keys, newline-separated
gpgattempts=$attempts
$noguiopt && unset DISPLAY
[ -n "$DISPLAY" ] || unset DISPLAY # DISPLAY="" can cause problems
GPG_TTY=`tty` ; export GPG_TTY # fall back to ncurses pinentry
# Attempt to add the keys
while [ -n "$gpgkeys" ]; do
tryagain=false
mesg "Adding ${BLUE}"`echo "$gpgkeys" | wc -l`"${OFF} gpg key(s): `echo $gpgkeys`"
# Parse $gpgkeys into positional params to preserve spaces in filenames.
# This *must* happen after any calls to subroutines because pure Bourne
# shell doesn't restore "$@" following a call. Eeeeek!
set -f # disable globbing
old_IFS="$IFS" # save current IFS
IFS="
" # set IFS to newline
set -- $gpgkeys
IFS="$old_IFS" # restore IFS
set +f # re-enable globbing
for k in "$@"; do
echo | env LC_ALL="$pinentry_lc_all" \
gpg --no-options --use-agent --no-tty --sign --local-user "$k" -o- >/dev/null 2>&1
[ $? != 0 ] && tryagain=true
done
$tryagain || break
if [ $gpgattempts = 1 ]; then
die "Problem adding (is pinentry installed?); giving up"
else
warn "Problem adding; trying again"
fi
# Update the list of missing keys
gpgkeys="`gpg_listmissing`" # remember, newline-separated
# Decrement the countdown
gpgattempts=`expr $gpgattempts - 1`
done
fi
qprint # trailing newline
# vim:sw=4 expandtab tw=80
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment