X-Git-Url: http://git.vrable.net/?a=blobdiff_plain;f=contrib%2Fcumulus-filter-gpg;fp=contrib%2Fcumulus-filter-gpg;h=010c05f40edf196c0fcb9482dc50c401d02cd7dd;hb=9d3cca72ea3c0f912c7250d84e12357346e59fe2;hp=0000000000000000000000000000000000000000;hpb=d3f9ee42a4023631059f16cc2a8b96b9540750b2;p=cumulus.git
diff --git a/contrib/cumulus-filter-gpg b/contrib/cumulus-filter-gpg
new file mode 100755
index 0000000..010c05f
--- /dev/null
+++ b/contrib/cumulus-filter-gpg
@@ -0,0 +1,59 @@
+#!/bin/bash
+#
+# Filter for encrypting/decrypting/signing LBS archives using gpg.
+#
+# This takes input on stdin and produces output to stdout. It can operate in
+# one of several modes, depending upon the command-line argument supplied:
+# --encrypt Encrypt the data stream
+# --decrypt Decrypt the supplied data
+# --clearsign Enclose a text file with a signature
+# Options are controlled by various environment variables:
+# LBS_GPG_HOME set the gpg home directory (containing keyrings)
+# LBS_GPG_ENC_KEY key ID to use encryption
+# LBS_GPG_SIGN_KEY key ID to use for signing
+# LBS_GPG_PASSPHRASE passphrase to supply to gpg, if needed
+
+declare -a gpg_options
+gpg_options=(--quiet --batch)
+
+if [ -n "$LBS_GPG_HOME" ]; then
+ gpg_options=("${gpg_options[@]}" --homedir "$LBS_GPG_HOME")
+fi
+
+# Run gpg with the options in $gpg_options and any arguments supplied to this
+# function. If LBS_GPG_PASSPHRASE is set, it will arrange redirections so that
+# the passphrase is supplied to gpg on a file descriptor.
+run_gpg () {
+ if [ -n "$LBS_GPG_PASSPHRASE" ]; then
+ exec 4<&0
+ echo "$LBS_GPG_PASSPHRASE" |
+ gpg "${gpg_options[@]}" --passphrase-fd=3 "$@" 3<&0 <&4
+ else
+ gpg "${gpg_options[@]}" "$@"
+ fi
+}
+
+case "$1" in
+ --encrypt)
+ if [ -n "$LBS_GPG_ENC_KEY" ]; then
+ gpg_options=("${gpg_options[@]}" --recipient "$LBS_GPG_ENC_KEY")
+ fi
+ run_gpg --encrypt
+ ;;
+
+ --decrypt)
+ run_gpg
+ ;;
+
+ --clearsign)
+ if [ -n "$LBS_GPG_SIGN_KEY" ]; then
+ gpg_options=("${gpg_options[@]}" --local-user "$LBS_GPG_SIGN_KEY")
+ fi
+ run_gpg --clearsign
+ ;;
+
+ *)
+ echo "$0: Unknown command or command not specified: $1" 1>&2
+ exit 1
+ ;;
+esac
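Review bot: The passphrase is handed to gpg through `echo "$LBS_GPG_PASSPHRASE" |` in run_gpg, and bash's echo treats a value beginning with `-n`, `-e` or `-E` as an option (and expands backslash sequences when xpg_echo is set), so such a passphrase reaches gpg altered or truncated and decryption fails without an obvious cause; `printf '%s\n' "$LBS_GPG_PASSPHRASE" |` passes the value verbatim. Supplying it over --passphrase-fd rather than argv is the right choice, though the value still lives in the script's environment, which is worth stating in the header comment for LBS_GPG_PASSPHRASE so callers know where it is exposed. The --decrypt arm calls `run_gpg` with no mode flag and relies on gpg's default action; writing it as `run_gpg --decrypt` would match the other two arms and not depend on that default.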