3 # Filter for encrypting/decrypting/signing LBS archives using gpg.
5 # This takes input on stdin and produces output to stdout. It can operate in
6 # one of several modes, depending upon the command-line argument supplied:
7 # --encrypt Encrypt the data stream
8 # --decrypt Decrypt the supplied data
9 # --clearsign Enclose a text file with a signature
10 # Options are controlled by various environment variables:
11 # LBS_GPG_HOME set the gpg home directory (containing keyrings)
12 # LBS_GPG_ENC_KEY key ID to use for encryption
13 # LBS_GPG_SIGN_KEY key ID to use for signing
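14 # LBS_GPG_PASSPHRASE passphrase to supply to gpg, if needed (note: the environment is inherited by child processes, so set this only for the filter's own invocation)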
16 declare -a gpg_options
17 gpg_options=(--quiet --batch)
19 if [ -n "$LBS_GPG_HOME" ]; then
20 gpg_options=("${gpg_options[@]}" --homedir "$LBS_GPG_HOME")
23 # Run gpg with the options in $gpg_options and any arguments supplied to this
24 # function. If LBS_GPG_PASSPHRASE is set, it will arrange redirections so that
25 # the passphrase is supplied to gpg on file descriptor 3 (--passphrase-fd) rather than on its command line.
27 if [ -n "$LBS_GPG_PASSPHRASE" ]; then
29 echo "$LBS_GPG_PASSPHRASE" |
30 gpg "${gpg_options[@]}" --passphrase-fd=3 "$@" 3<&0 <&4
32 gpg "${gpg_options[@]}" "$@"
38 if [ -n "$LBS_GPG_ENC_KEY" ]; then
39 gpg_options=("${gpg_options[@]}" --recipient "$LBS_GPG_ENC_KEY")
49 if [ -n "$LBS_GPG_SIGN_KEY" ]; then
50 gpg_options=("${gpg_options[@]}" --local-user "$LBS_GPG_SIGN_KEY")
56 echo "$0: Unknown command or command not specified: $1" 1>&2