Created
September 10, 2019 19:08
-
-
Save michaelfranzl/009fc93f5a6ff7880cedfcf235d55573 to your computer and use it in GitHub Desktop.
Verify, automate and integrate gpg and paperkey
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # This script asserts the correctness of the program `paperkey` | |
| # by David Shaw. [1] It also exemplifies the automation and integration | |
| # of `gpg` and `paperkey`. | |
| # | |
| # If the program exits with code 0, then the test (see `function main`) | |
| # was successful. | |
| # | |
| # Developed for gpg (GnuPG) version 2.2.12 and paperkey version 1.6. | |
| # | |
| # Dependencies: gpg and paperkey in $PATH | |
| # | |
| # Copyright (c) 2019 Michael Karl Franzl | |
| # | |
| # Copying and distribution of this file, with or without modification, | |
| # are permitted in any medium without royalty provided the copyright | |
| # notice and this notice are preserved. This file is offered as-is, | |
| # without any warranty. [2] | |
| # | |
| # [1]: https://www.jabberwocky.com/software/paperkey/ | |
| # [2]: https://www.gnu.org/licenses/license-list#GNUAllPermissive | |
| set -e | |
| set -x | |
| readonly uid="example@example.com" | |
| readonly passphrase=hackme | |
| readonly paperkey_file="/tmp/paperkey.bin" | |
| readonly public_key_file="/tmp/public-key.bin" | |
| readonly secret_file="/tmp/secret.txt" | |
| readonly secret_file_encrypted="${secret_file}.gpg" | |
| readonly secret_text="secret-$(date --iso-8601=seconds)" | |
| readonly gpg_passphrase_arg="--pinentry-mode loopback --passphrase ${passphrase}" | |
| function create_clean_gpg_homedir { | |
| export GNUPGHOME=$(mktemp -d -t gpghome-XXXXXXXXXX) | |
| chmod 700 ${GNUPGHOME} | |
| } | |
| function create_keys { | |
| gpg ${gpg_passphrase_arg} --quick-gen-key ${uid} rsa1024 cert 2y | |
| local fingerprint=$(gpg --list-options show-only-fpr-mbox --list-keys | awk '{print $1}') | |
| gpg ${gpg_passphrase_arg} --quick-add-key ${fingerprint} rsa1024 sign 1y | |
| gpg ${gpg_passphrase_arg} --quick-add-key ${fingerprint} rsa1024 encrypt 1y | |
| gpg ${gpg_passphrase_arg} --quick-add-key ${fingerprint} rsa1024 auth 1y | |
| } | |
| function encrypt_secret_text { | |
| echo -n ${secret_text} > ${secret_file} | |
| rm -f ${secret_file_encrypted} | |
| gpg ${gpg_passphrase_arg} -e -r ${uid} ${secret_file} | |
| } | |
| function create_paperkey { | |
| gpg --export > ${public_key_file} | |
| local secret_key_base64=$(gpg ${gpg_passphrase_arg} --export-secret-key | base64 -w0) | |
| echo ${secret_key_base64} | base64 -d | paperkey --output-type raw > ${paperkey_file} | |
| # Assert that the generated paper key can be used to restore the secret key. | |
| [ "$(echo ${secret_key_base64} | base64 -d | md5sum)" == "$(secret_key_from_paperkey | md5sum)" ] | |
| } | |
| function secret_key_from_paperkey { | |
| cat ${paperkey_file} | paperkey --pubring ${public_key_file} | |
| } | |
| function import_keys_from_paperkey { | |
| gpg ${gpg_passphrase_arg} --import ${public_key_file} | |
| secret_key_from_paperkey | gpg ${gpg_passphrase_arg} --import | |
| } | |
| function decrypt_secret_text { | |
| [ "${secret_text}" == "$(gpg ${gpg_passphrase_arg} -d ${secret_file_encrypted})" ] | |
| } | |
| function main { | |
| create_clean_gpg_homedir | |
| create_keys | |
| encrypt_secret_text | |
| create_paperkey | |
| create_clean_gpg_homedir | |
| import_keys_from_paperkey | |
| decrypt_secret_text | |
| } | |
| main |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment