chiark / gitweb /
6 years Make nub directories readable.
Mark Wooding [Sun, 2 Dec 2012 15:46:33 +0000 (15:46 +0000)] Make nub directories readable.

This makes poking around via sudo much easier; and nub creation is now
handled centrally (and carefully).

6 years, ktype.*: Make nub creation the job of `c_genkey'.
Mark Wooding [Sun, 2 Dec 2012 15:44:47 +0000 (15:44 +0000)], ktype.*: Make nub creation the job of `c_genkey'.

This means that we can stop worrying about the permissions on the file,
and the duplicated calls to `makenub' can disappear.

6 years Print usage summary when writing command-specific help.
Mark Wooding [Thu, 1 Nov 2012 18:22:44 +0000 (18:22 +0000)] Print usage summary when writing command-specific help.

6 years ago.gitignore: Ignore `INSTALL'.
Mark Wooding [Fri, 26 Oct 2012 13:24:51 +0000 (14:24 +0100)]
.gitignore: Ignore `INSTALL'.

6 years agoclaim-dir: New `mode' option for non-private pieces of filesystem.
Mark Wooding [Thu, 1 Nov 2012 12:02:24 +0000 (12:02 +0000)]
claim-dir: New `mode' option for non-private pieces of filesystem.

It turns out that `claim-dir' is also useful for allocating pieces of
filesystem for things like public Git repositories, but restrictive
initial permissions make this annoying.

6 years agodebian/changelog: Another pre-release. 0.99.2
Mark Wooding [Sun, 7 Oct 2012 10:54:04 +0000 (11:54 +0100)]
debian/changelog: Another pre-release.

6 years Make help option work.
Mark Wooding [Sat, 6 Oct 2012 22:44:14 +0000 (23:44 +0100)] Make help option work.

Must have been left behind in some rearrangement.

6 years agoImprove consistency in program version strings.
Mark Wooding [Sat, 6 Oct 2012 22:43:05 +0000 (23:43 +0100)]
Improve consistency in program version strings.

Previously, `shamir' had no version string at all; programs based on
`' didn't print their program name, and `extract-profile'
didn't print the package name.

6 years agoktype.seccure: Bodge around `permission denied' error in signing.
Mark Wooding [Sat, 6 Oct 2012 22:22:06 +0000 (23:22 +0100)]
ktype.seccure: Bodge around `permission denied' error in signing.

Not sure why /dev/stdout should be problematic, but avoid the problem
using $(...) to provide a fresh and friendly stdout, and then echo to
the existing file descriptor.

6 years agoprofile.d/02infra: The number of keepers in a set is `tot', not `num'.
Mark Wooding [Mon, 24 Sep 2012 17:39:41 +0000 (18:39 +0100)]
profile.d/02infra: The number of keepers in a set is `tot', not `num'.

6 years agocryptop.list: Report an absence of keys rather than failing messily.
Mark Wooding [Thu, 20 Sep 2012 00:08:04 +0000 (01:08 +0100)]
cryptop.list: Report an absence of keys rather than failing messily.

6 years agocryptop.list: Look for correct delimiter when fixing up key labels.
Mark Wooding [Thu, 20 Sep 2012 00:07:37 +0000 (01:07 +0100)]
cryptop.list: Look for correct delimiter when fixing up key labels.

6 years agocryptop.genkey: Look up the recovery keys in the correct place.
Mark Wooding [Thu, 20 Sep 2012 00:05:08 +0000 (01:05 +0100)]
cryptop.genkey: Look up the recovery keys in the correct place.

It's a key property from the profile, not an option from the command

6 years agocryptop.list: Fix column width calculation.
Mark Wooding [Tue, 18 Sep 2012 19:33:27 +0000 (20:33 +0100)]
cryptop.list: Fix column width calculation.

Confusion over where the calculated column widths went caused the final
line's values to be ignored.  Simplify and fix.

6 years agokeys.reveal: Rename variables to avoid them being clobbered.
Mark Wooding [Thu, 20 Sep 2012 00:08:43 +0000 (01:08 +0100)]
keys.reveal: Rename variables to avoid them being clobbered.

This is getting to be a nuisance.

6 years agokeys.list-recov: Remove spurious `.recov' suffix from listed secrets.
Mark Wooding [Thu, 20 Sep 2012 00:02:18 +0000 (01:02 +0100)]
keys.list-recov: Remove spurious `.recov' suffix from listed secrets.

It's not correct for users to provide it, so we shouldn't print it.

6 years agokeys.list-keepers: Identify the current recovery key instance.
Mark Wooding [Thu, 20 Sep 2012 00:01:22 +0000 (01:01 +0100)]
keys.list-keepers: Identify the current recovery key instance.

Otherwise we never print anything useful about key revelation status.

6 years Make sure we can match the `0' string.
Mark Wooding [Wed, 19 Sep 2012 23:59:16 +0000 (00:59 +0100)] Make sure we can match the `0' string.

The expr(1) tool exits with status 1 if its output is zero.  The `:'
operator evaluates to the substring matched by the outermost parentheses
in the pattern, if there are any.  Therefore, matching `0' against the
`R_NUMERIC' pattern always appears to fail.  Fix this and similar problems
by adding extra parens around the entire pattern, including the leading
sentinel `Q'.

6 years Fix a couple of messages.
Mark Wooding [Thu, 20 Sep 2012 00:00:30 +0000 (01:00 +0100)] Fix a couple of messages.

One adjusted for length; the other has a spurious `current' removed,
since it may in fact be referring to an outdated recovery key.

6 years agodebian/control: Remove spurious trailing space.
Mark Wooding [Wed, 19 Sep 2012 23:59:41 +0000 (00:59 +0100)]
debian/control: Remove spurious trailing space.

6 years agoRemove `--force' from; introduce explicit delete command.
Mark Wooding [Tue, 18 Sep 2012 19:32:05 +0000 (20:32 +0100)]
Remove `--force' from; introduce explicit delete command.

Deleting keepers is fiddly and involves handling recovery blobs
carefully.  Therefore don't do this in the middle of keeper creation;
rather, have a separate command and make a proper performance of this
hopefully unusual operaton.

6 years agoprofile.d/00base: Fix stupid typo.
Mark Wooding [Tue, 18 Sep 2012 19:29:50 +0000 (20:29 +0100)]
profile.d/00base: Fix stupid typo.

6 years agoAllow explicit selection of recovery instances.
Mark Wooding [Tue, 18 Sep 2012 19:29:26 +0000 (20:29 +0100)]
Allow explicit selection of recovery instances.

Also improve reporting of recovery instances.

7 years agokeys.keeper-cards: Allow output as TeX source.
Mark Wooding [Thu, 23 Feb 2012 03:05:45 +0000 (03:05 +0000)]
keys.keeper-cards: Allow output as TeX source.

This still requires `qrencode', but doesn't require a huge TeX
installation.  Leave TeX recommended, but promote `qrencode' to a

7 years agoMakefile: Install configuration files.
Mark Wooding [Thu, 23 Feb 2012 02:49:15 +0000 (02:49 +0000)]
Makefile: Install configuration files.

Configuration files are installed only if there are no files at the
destination already.  This means that you get at least a skeleton
installation from the source distribution, even if it requires some
light hacking.

This also requires:

  * moving some files from the Debian packaging into the main

  * allowing the user to configure a `userv' installation directory; and

  * adjusting the Debian installation runes.

7 years agoclaim-dir, debian/distorted-keys.postinst: Let `keys' run `claim-dir'.
Mark Wooding [Thu, 23 Feb 2012 03:03:09 +0000 (03:03 +0000)]
claim-dir, debian/distorted-keys.postinst: Let `keys' run `claim-dir'.

Unfortunately, `keys' as created by the `postinst' script doesn't have a
shell.  Allow callers without shells to run `claim-dir' if they have a
particular magical shell configured, and set this magic on the `keys'

7 years agoktype.seccure: Stop `seccure' from trying to open `/dev/tty'.
Mark Wooding [Thu, 23 Feb 2012 03:01:16 +0000 (03:01 +0000)]
ktype.seccure: Stop `seccure' from trying to open `/dev/tty'.

It won't work in a `userv' service.  For some reason, it will try to do
this if you don't provide a key file, even for operations which don't
need a private key.

7 years Don't try to create $SAFE/keys.keeper if it exists.
Mark Wooding [Thu, 23 Feb 2012 02:59:54 +0000 (02:59 +0000)] Don't try to create $SAFE/keys.keeper if it exists.

It's pointless and you get an error.

7 years Fix the OpenSSL `dgst' rune.
Mark Wooding [Thu, 23 Feb 2012 02:54:24 +0000 (02:54 +0000)] Fix the OpenSSL `dgst' rune.

A compatibility hack was a nice idea, but it helps if you don't throw
away the interesting answer and keep the boring and incompatible extra

7 years agoSplit underlying machinery into a separate package.
Mark Wooding [Wed, 15 Feb 2012 01:10:48 +0000 (01:10 +0000)]
Split underlying machinery into a separate package.

7 years New script for doing stuff with public keys.
Mark Wooding [Wed, 15 Feb 2012 00:50:18 +0000 (00:50 +0000)] New script for doing stuff with public keys.

Now we can move public keys about, without losing the convenient
key-types abstraction.

7 years agoNew ktype operation `k_import'.
Mark Wooding [Wed, 15 Feb 2012 00:48:18 +0000 (00:48 +0000)]
New ktype operation `k_import'.

Given a directory containing `pub', populate it with anything else

This is trivial for `seccure'; `gnupg' requires a refactoring of key
generation, to split out the directory setup stuff.

7 years Infrastructure for built-in subcommands.
Mark Wooding [Wed, 15 Feb 2012 00:45:09 +0000 (00:45 +0000)] Infrastructure for built-in subcommands.

This is the `defcmd' machinery from elsewhere, in yet another guise.

7 years agocryptop.public: New operation to export a key with its properties.
Mark Wooding [Wed, 15 Feb 2012 00:49:26 +0000 (00:49 +0000)]
cryptop.public: New operation to export a key with its properties.

This form will be useful soon.

7 years, Refactor property dumping.
Mark Wooding [Wed, 15 Feb 2012 00:46:36 +0000 (00:46 +0000)], Refactor property dumping.

Move the functionality into the library.  Also, stop mangling
underscores in a broken way -- in fact, don't do it at all, so the
output is acceptable to `readprops'.

7 years agokeys.archive -> cryptop.archive: Command was in the wrong suite.
Mark Wooding [Wed, 15 Feb 2012 00:42:07 +0000 (00:42 +0000)]
keys.archive -> cryptop.archive: Command was in the wrong suite.

It uses user keys, and the archives are public.  It doesn't make sense
to restrict it to administrators only.  Also, it wrote its output to the
wrong place.  Since the output is in two pieces, this is fiddly: use a

7 years agokeys.conf: New file, suggesting a possible implementation of `$SAFE'.
Mark Wooding [Sun, 12 Feb 2012 23:21:44 +0000 (23:21 +0000)]
keys.conf: New file, suggesting a possible implementation of `$SAFE'.

7 years agoDirectory claiming and ephemeral filesystems.
Mark Wooding [Sun, 12 Feb 2012 23:14:36 +0000 (23:14 +0000)]
Directory claiming and ephemeral filesystems.

Two new related tools.

  * `mount-ephemeral' creates (and removes) a temporary filesystem,
    encrypted using a fresh random key so the contents are irretrievably
    lost when the host reboots or the power fails.

  * `claim-dir' is a `userv' service which allows users to claim
    directories in a shared filesystem without the hazardous
    free-for-all that results from world writability with a sticky bit.

These go in their own separate Debian package.  There's no direct link
between the two, but bundling them together provides a hint regarding
possible applications.

7 years agokeys.list-{keepers,recov}: New commands for inspecting infrastructure.
Mark Wooding [Sun, 12 Feb 2012 23:19:52 +0000 (23:19 +0000)]
keys.list-{keepers,recov}: New commands for inspecting infrastructure.

There's some overlap in functionality (and, distressingly, in
implementation) but I think the two perspectives are useful.

7 years, keys.reveal: Factor out sharing parameter file parsing.
Mark Wooding [Sun, 12 Feb 2012 23:08:31 +0000 (23:08 +0000)], keys.reveal: Factor out sharing parameter file parsing.

We'll want it elsewhere soon.

7 years agoprofile.d/{01gnupg,01seccure}: Distinct secrecy/integrity sections.
Mark Wooding [Sun, 12 Feb 2012 23:07:24 +0000 (23:07 +0000)]
profile.d/{01gnupg,01seccure}: Distinct secrecy/integrity sections.

So that they actually include the correct ACLs.

7 years agoprofile.d/00base: Make `%FOO-secrecy' include the right base sections.
Mark Wooding [Sun, 12 Feb 2012 23:05:32 +0000 (23:05 +0000)]
profile.d/00base: Make `%FOO-secrecy' include the right base sections.

Copy and paste error.

7 years Don't let `userv' gobble our input.
Mark Wooding [Sun, 12 Feb 2012 23:00:03 +0000 (23:00 +0000)] Don't let `userv' gobble our input.

Unfortunately, `userv' has a bad habit of eating our stdin, whether it
needs it or not.  (This is a result of the `cat' processes and pipes
strung between the calling and service environments.)  To prevent this
from gobbling our input, which we might actually want to process
ourselves in some way, make sure that we let it chew on something less
important.  Like `/dev/null', say.

7 years Distinctive `SUBST' indicator for `confsubst' rules.
Mark Wooding [Sun, 12 Feb 2012 23:10:52 +0000 (23:10 +0000)] Distinctive `SUBST' indicator for `confsubst' rules.

Rather than use the generic `GEN' indicator.

7 years Use `$quis' in errors, rather than `$0'.
Mark Wooding [Sun, 12 Feb 2012 21:23:03 +0000 (21:23 +0000)] Use `$quis' in errors, rather than `$0'.

7 years agokeys.keeper-cards: Fallback plan in case `mdwfonts' doesn't exist.
Mark Wooding [Tue, 10 Jan 2012 00:39:11 +0000 (00:39 +0000)]
keys.keeper-cards: Fallback plan in case `mdwfonts' doesn't exist.

Just don't fiddle with the fonts in that case.

7 years agoPrograms invoke themselves via `userv' if necessary.
Mark Wooding [Sun, 8 Jan 2012 00:45:36 +0000 (00:45 +0000)]
Programs invoke themselves via `userv' if necessary.

This will prevent the permissions in the key store being messed up.  To
this end:

  * Move `cryptop' to @bindir@ where we can expect users to find it, and
    move `keys' to @sbindir@ where only administrators are likely to

  * Add a new userv service for `keys', with some configuration files
    listing the permitted users.

7 years agokeys.*: Enforce separation between user's files and the system.
Mark Wooding [Tue, 10 Jan 2012 00:24:14 +0000 (00:24 +0000)]
keys.*: Enforce separation between user's files and the system.

  * now writes its nubs into $SAFE rather than the
    caller's current directory.

  * keys.reveal and keys.stash insist on reading their input from stdin
    rather than a file name.

  * keys.keeper-cards writes its output to stdout, and collects input
    nubs from $SAFE.

  * keys.keeper-nub is a new tool which extracts a keeper nub on demand.

Some of the tools have also had their error messages improved.

7 years agodebian: About time, really.
Mark Wooding [Sat, 7 Jan 2012 02:14:49 +0000 (02:14 +0000)]
debian: About time, really.

7 years agoMakefile: Do the release hook thing.
Mark Wooding [Sat, 7 Jan 2012 02:13:24 +0000 (02:13 +0000)]
Makefile: Do the release hook thing.

7 years agoprofile.d/*: Base configuration files.
Mark Wooding [Sat, 7 Jan 2012 02:12:47 +0000 (02:12 +0000)]
profile.d/*: Base configuration files.

Fairly detailed commentary.  Makes up for the lack of useful
documentation in my dreams, at least.

7 years agouserv/ Reformat, with backslashes in their own column.
Mark Wooding [Sun, 12 Feb 2012 21:29:21 +0000 (21:29 +0000)]
userv/ Reformat, with backslashes in their own column.

A whitespace-only change, empty under `diff -b'.

7 years agouserv/ Rename from
Mark Wooding [Sat, 7 Jan 2012 02:10:44 +0000 (02:10 +0000)]
userv/ Rename from

This way it gets created with the right name.  It makes Debianizing

7 years Check ACLs for good characters.
Mark Wooding [Sat, 7 Jan 2012 02:08:53 +0000 (02:08 +0000)] Check ACLs for good characters.

7 years Protect arguments to expr(1).
Mark Wooding [Sat, 7 Jan 2012 02:08:18 +0000 (02:08 +0000)] Protect arguments to expr(1).

Make sure they don't look like operators or functions.

7 years agokeys.stash: Shebang line.
Mark Wooding [Sat, 7 Jan 2012 02:07:29 +0000 (02:07 +0000)]
keys.stash: Shebang line.

I'm an idiot.

7 years agoextract-profile: Allow `%' characters in internal property names.
Mark Wooding [Sat, 7 Jan 2012 02:07:10 +0000 (02:07 +0000)]
extract-profile: Allow `%' characters in internal property names.

Now we don't have to spam the caller with uninteresting properties.

7 years agocryptop.list: Search the requested user's keys only; sort the output.
Mark Wooding [Wed, 28 Dec 2011 23:43:57 +0000 (23:43 +0000)]
cryptop.list: Search the requested user's keys only; sort the output.

7 years agocryptop.list: Fix up the column-spec documentation.
Mark Wooding [Mon, 26 Dec 2011 18:40:39 +0000 (18:40 +0000)]
cryptop.list: Fix up the column-spec documentation.

It got a bit out of date with respect to the actual implementation.

7 years agoWhitespace fixing.
Mark Wooding [Sat, 7 Jan 2012 16:12:07 +0000 (16:12 +0000)]
Whitespace fixing.

7 years agocryptop.list: New tool for listing keys. 0.99.1
Mark Wooding [Mon, 26 Dec 2011 04:19:01 +0000 (04:19 +0000)]
cryptop.list: New tool for listing keys.

Surprisingly nice output format.

7 years, cryptop.{genkey,recover}: Care over key ownership.
Mark Wooding [Mon, 26 Dec 2011 04:18:33 +0000 (04:18 +0000)], cryptop.{genkey,recover}: Care over key ownership.

Interpret profiles relative to the key owner, not the caller!  Only allow
the key owner to recover a key.

7 years agokeys.archive: New program to capture and sign an archive.
Mark Wooding [Mon, 26 Dec 2011 00:03:53 +0000 (00:03 +0000)]
keys.archive: New program to capture and sign an archive.

Doesn't include the key nubs.

7 years agodistorted-keys.userv: Add userv configuration snippet.
Mark Wooding [Mon, 26 Dec 2011 00:03:18 +0000 (00:03 +0000)]
distorted-keys.userv: Add userv configuration snippet.

Needs a configured user name, and sbindir.

7 years Move cryptop stuff after keys stuff.
Mark Wooding [Mon, 26 Dec 2011 00:00:43 +0000 (00:00 +0000)] Move cryptop stuff after keys stuff.

Makes more sense this way.

7 years Allow empty sections.
Mark Wooding [Sun, 25 Dec 2011 23:55:59 +0000 (23:55 +0000)] Allow empty sections.

Create a section as soon as we see a section header; we no longer need
the more complicated lazy creation code.

7 years, Move userv variable setup into
Mark Wooding [Sun, 25 Dec 2011 23:51:36 +0000 (23:51 +0000)], Move userv variable setup into

We'll need these set up in a later program.

7 years agocryptop.public: Don't check an ACL.
Mark Wooding [Sun, 25 Dec 2011 23:47:22 +0000 (23:47 +0000)]
cryptop.public: Don't check an ACL.

It's not worthwhile: public keys will be clearly visible in an archive

7 years (prepare): Indicate that an ACL check isn't necessary.
Mark Wooding [Sun, 25 Dec 2011 23:46:39 +0000 (23:46 +0000)] (prepare): Indicate that an ACL check isn't necessary.

7 years Add come commentary to the configuration section.
Mark Wooding [Sun, 25 Dec 2011 23:43:10 +0000 (23:43 +0000)] Add come commentary to the configuration section.

7 years, keys.reveal, Don't put @bindir@ on the PATH.
Mark Wooding [Sun, 25 Dec 2011 23:49:44 +0000 (23:49 +0000)], keys.reveal, Don't put @bindir@ on the PATH.

Call `shamir' using an explicit pathname instead.

7 years Rename the nub computation properties.
Mark Wooding [Sun, 25 Dec 2011 23:32:48 +0000 (23:32 +0000)] Rename the nub computation properties.

These names are more consistent with the longer names used elsewhere.

7 years Property name fixup wasn't applied to ${...} tokens.
Mark Wooding [Sun, 25 Dec 2011 23:58:43 +0000 (23:58 +0000)] Property name fixup wasn't applied to ${...} tokens.

Move it into the common replacement code.

7 years (prepare): Exit nonzero if ACL check fails.
Mark Wooding [Sun, 25 Dec 2011 23:43:50 +0000 (23:43 +0000)] (prepare): Exit nonzero if ACL check fails.

Just a missing return code.

7 years agocryptop.verify: Use the correct operations.
Mark Wooding [Sun, 25 Dec 2011 23:54:23 +0000 (23:54 +0000)]
cryptop.verify: Use the correct operations.

Stupid copy-and-paste error.

7 years, Put profile name before the filenames.
Mark Wooding [Sun, 25 Dec 2011 23:41:43 +0000 (23:41 +0000)], Put profile name before the filenames.

This is the way it was originally, but that version wasn't checked in.
I had some crazy idea that this ordering made interfacing to userv
easier, but it doesn't.

7 years agocryptop.*, Set execute bits.
Mark Wooding [Sun, 25 Dec 2011 23:30:26 +0000 (23:30 +0000)]
cryptop.*, Set execute bits.

7 years agoMultiple key types, key profiles, and user key storage.
Mark Wooding [Sat, 24 Dec 2011 02:29:11 +0000 (02:29 +0000)]
Multiple key types, key profiles, and user key storage.

  * Introduce multiple key types (currently GnuPG and Seccure, but maybe
    more later, e.g., OpenSSL).

  * Parameters are provided via time-varying profiles.

  * Profiles can be chosen for keeper and recovery keys.

  * Allow users to generate and use keys.

7 years agomore progress. recovery seems to be working now.
Mark Wooding [Sat, 17 Dec 2011 00:15:00 +0000 (00:15 +0000)]
more progress.  recovery seems to be working now.

7 years agoinitial checkin: still somewhat sketchy
Mark Wooding [Tue, 13 Dec 2011 01:05:10 +0000 (01:05 +0000)]
initial checkin: still somewhat sketchy