From 4634fc5c537ca41495d6afa8ff282981fff16a1f Mon Sep 17 00:00:00 2001
From: Oskar Sharipov
Date: Fri, 22 Jul 2022 17:50:57 +0300
Subject: [PATCH] Configure trustedDir with MINITRUST_DIR env var

Closes #4.
---
 cmd/minitrust/minitrust.go | 41 ++++++++++++++++++++++++++------------
 minitrust.go               | 30 ++++++++++++----------------
 2 files changed, 41 insertions(+), 30 deletions(-)

diff --git a/cmd/minitrust/minitrust.go b/cmd/minitrust/minitrust.go
index 232bf55..cbf2d83 100644
--- a/cmd/minitrust/minitrust.go
+++ b/cmd/minitrust/minitrust.go
@@ -6,6 +6,7 @@ import (
 	"io"
 	"log"
 	"os"
+	"path/filepath"
 	"time"
 
 	"github.com/igoose1/minitrust"
@@ -16,13 +17,17 @@ const Usage = `Usage:
 minitrust -V [-x sigfile] [-o] -m file
 minitrust -A [-c comment] -P pubkey
 
--V verify that a signature is valid for a given file
--A add new public key to trusted directory
--x signature file (default: .minisig)
--o output the file content after verification
--m file to verify
--P public key, as a base64 string
--c one-line untrusted comment
+-V verify that a signature is valid for a given file
+-A add new public key to trusted directory
+-x signature file (default: .minisig)
+-o output the file content after verification
+-m file to verify
+-P public key, as a base64 string
+-c one-line untrusted comment
+
+Environment variables:
+
+MINITRUST_DIR name of the trusted directory (default: ~/.minisign/trusted)
 `
 
 var logger = log.New(os.Stderr, "", log.Lshortfile)
@@ -35,6 +40,7 @@ func main() {
 		file       string
 		pubKey     string
 		comment    string
+		trustedDir string
 	)
 	verifyCommand := flag.NewFlagSet("-V", flag.ExitOnError)
 	// flag.BoolVar(&hashFlag, "H", false, "require input to be prehashed.")
@@ -48,6 +54,15 @@ func main() {
 	addCommand.StringVar(&comment, "c", "", "one-line untrusted comment")
 	addCommand.Usage = func() { fmt.Fprint(os.Stderr, Usage) }
 
+	trustedDir = os.Getenv("MINITRUST_DIR")
+	if trustedDir == "" {
+		homedir, err := os.UserHomeDir()
+		if err != nil {
+			logger.Fatal(err)
+		}
+		trustedDir = filepath.Join(homedir, ".minisign/trusted")
+	}
+
 	if len(os.Args) < 2 {
 		fmt.Fprint(os.Stderr, Usage)
 		os.Exit(0)
@@ -61,7 +76,7 @@ func main() {
 		if sigFile == "" {
 			sigFile = file + ".minisig"
 		}
-		err := verify(file, sigFile)
+		err := verify(trustedDir, file, sigFile)
 		if err != nil {
 			logger.Fatalf("Error: %v\n", err)
 		}
@@ -75,7 +90,7 @@ func main() {
 		if comment == "" {
 			comment = "key added on " + time.Now().Format("2006-01-02")
 		}
-		err := add(pubKey, comment)
+		err := add(trustedDir, pubKey, comment)
 		if err != nil {
 			logger.Fatalf("Error: %v\n", err)
 		}
@@ -84,12 +99,12 @@ func main() {
 	}
 }
 
-func add(pubKey string, comment string) error {
-	return minitrust.AddTrustedPubKey(pubKey, comment)
+func add(trustedDir, pubKey, comment string) error {
+	return minitrust.AddTrustedPubKey(trustedDir, pubKey, comment)
 }
 
-func verify(file string, sigFile string) error {
-	key, comment, err := minitrust.SearchTrustedPubKey(sigFile)
+func verify(trustedDir, file, sigFile string) error {
+	key, comment, err := minitrust.SearchTrustedPubKey(trustedDir, sigFile)
 	if err != nil {
 		return err
 	}
diff --git a/minitrust.go b/minitrust.go
index 6460df4..e48b4fb 100644
--- a/minitrust.go
+++ b/minitrust.go
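Review bot: The value read from MINITRUST_DIR in the first hunk of this line is used verbatim, so a relative path (or one with `..` components) resolves against the current working directory, and which key store a -V run consults then depends on where the command is invoked rather than on the configuration alone; since this directory is the trust root for verification, it should be normalised once, e.g. `abs, err := filepath.Abs(trustedDir)` / `if err != nil { logger.Fatal(err) }` / `trustedDir = abs` after the `if trustedDir == "" { ... }` block. The default would also be more portable as `filepath.Join(homedir, ".minisign", "trusted")` instead of embedding a forward slash in one element. The body of main continues outside these hunks, and the verify function on the last hunk runs past its end.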
@@ -17,21 +17,14 @@ import (
 var logger = log.New(os.Stderr, "", log.Lshortfile)
 
 const commentPrefix = "untrusted comment: "
+const trustedDirEnv = "MINITRUST_DIR"
 
 const (
 	trustedDirPerm = 0700
 	trustedKeyPerm = 0600
 )
 
-func getTrustedPath() string {
-	dirname, err := os.UserHomeDir()
-	if err != nil {
-		logger.Fatal(err)
-	}
-	return filepath.Join(dirname, ".minisign/trusted")
-}
-
-func ensureTrustedDir() error {
-	err := os.MkdirAll(getTrustedPath(), trustedDirPerm)
+func ensureTrustedDir(trustedDir string) error {
+	err := os.MkdirAll(trustedDir, trustedDirPerm)
 	if !os.IsExist(err) {
 		return err
 	}
@@ -75,13 +68,13 @@ func readKeyFile(keyPath string) (minisign.PublicKey, string, error) {
 	return decodeKeyFileContent(string(content))
 }
 
-func getKeyPath(keyID [8]byte) string {
-	return filepath.Join(getTrustedPath(), EncodeID(keyID)+".pub")
+func getKeyPath(trustedDir string, keyID [8]byte) string {
+	return filepath.Join(trustedDir, EncodeID(keyID)+".pub")
 }
 
 // SearchTrustedPubKey returns public key and untrusted comment.
-func SearchTrustedPubKey(sigFile string) (minisign.PublicKey, string, error) {
-	if err := ensureTrustedDir(); err != nil {
+func SearchTrustedPubKey(trustedDir, sigFile string) (minisign.PublicKey, string, error) {
+	if err := ensureTrustedDir(trustedDir); err != nil {
 		return minisign.PublicKey{}, "", errors.New("minitrust: can't create trusted directory.")
 	}
 
@@ -90,7 +83,7 @@ func SearchTrustedPubKey(sigFile string) (minisign.PublicKey, string, error) {
 		return minisign.PublicKey{}, "", err
 	}
 
-	key, comment, err := readKeyFile(getKeyPath(signature.KeyId))
+	key, comment, err := readKeyFile(getKeyPath(trustedDir, signature.KeyId))
 	if err != nil {
 		return minisign.PublicKey{}, "", err
 	}
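Review bot: The new `const trustedDirEnv = "MINITRUST_DIR"` in the first hunk is not referenced anywhere in this patch — the CLI reads the variable with a hard-coded `os.Getenv("MINITRUST_DIR")` — so the two spellings can silently drift apart; either export it as `TrustedDirEnv` and use `os.Getenv(minitrust.TrustedDirEnv)` in cmd/minitrust, or drop it. In the same hunk, `ensureTrustedDir` now takes a caller-chosen path and `os.MkdirAll` applies `trustedDirPerm` only to directories it creates, so a pre-existing directory named by the environment is accepted whatever its mode; if the 0700 default is meant as a guarantee, a follow-up `os.Stat` of `trustedDir` that rejects group/other write bits (platform permitting) would make it one, and a one-line doc comment stating that the function creates the directory on demand would help callers. The `ensureTrustedDir`, `getKeyPath` and `SearchTrustedPubKey` bodies all continue outside these hunks.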
@@ -98,7 +91,10 @@ func SearchTrustedPubKey(sigFile string) (minisign.PublicKey, string, error) {
 	return key, comment, nil
 }
 
-func AddTrustedPubKey(rawPubKey string, comment string) error {
+func AddTrustedPubKey(trustedDir, rawPubKey, comment string) error {
+	if err := ensureTrustedDir(trustedDir); err != nil {
+		return errors.New("minitrust: can't create trusted directory.")
+	}
 	if strings.Count(comment, "\n") != 0 {
 		return errors.New("minitrust: comment must be one-lined.")
 	}
@@ -115,5 +111,5 @@ func AddTrustedPubKey(rawPubKey string, comment string) error {
 	}, "\n",
 	)
-	return ioutil.WriteFile(getKeyPath(pk.KeyId), []byte(content), trustedKeyPerm)
+	return ioutil.WriteFile(getKeyPath(trustedDir, pk.KeyId), []byte(content), trustedKeyPerm)
 }
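Review bot: The `ensureTrustedDir` call added at the top of `AddTrustedPubKey` in the first hunk runs before the comment is validated and before the public key is decoded, so a rejected request still creates the directory tree as a side effect; creating it just before the `ioutil.WriteFile` in the second hunk keeps the function free of side effects on bad input. The new error also discards the underlying cause, which makes a wrong MINITRUST_DIR value hard to diagnose — `return fmt.Errorf("minitrust: can't create trusted directory %q: %w", trustedDir, err)` (importing fmt if the file does not already) preserves it; the same applies to the identical line in `SearchTrustedPubKey`. The middle of `AddTrustedPubKey`, between the two hunks, is outside this view, and `AddTrustedPubKey` is exported without a doc comment stating that `trustedDir` is created on demand.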