+++ /dev/null
-#!/bin/bash
-#
-# Filter for encrypting/decrypting/signing LBS archives using gpg.
-#
-# This takes input on stdin and produces output to stdout. It can operate in
-# one of several modes, depending upon the command-line argument supplied:
-# --encrypt Encrypt the data stream
-# --decrypt Decrypt the supplied data
-# --clearsign Enclose a text file with a signature
-# Options are controlled by various environment variables:
-# LBS_GPG_HOME set the gpg home directory (containing keyrings)
-# LBS_GPG_ENC_KEY key ID to use encryption
-# LBS_GPG_SIGN_KEY key ID to use for signing
-# LBS_GPG_PASSPHRASE passphrase to supply to gpg, if needed
-
-declare -a gpg_options
-gpg_options=(--quiet --batch)
-
-if [ -n "$LBS_GPG_HOME" ]; then
- gpg_options=("${gpg_options[@]}" --homedir "$LBS_GPG_HOME")
-fi
-
-# Run gpg with the options in $gpg_options and any arguments supplied to this
-# function. If LBS_GPG_PASSPHRASE is set, it will arrange redirections so that
-# the passphrase is supplied to gpg on a file descriptor.
-run_gpg () {
- if [ -n "$LBS_GPG_PASSPHRASE" ]; then
- exec 4<&0
- echo "$LBS_GPG_PASSPHRASE" |
- gpg "${gpg_options[@]}" --passphrase-fd=3 "$@" 3<&0 <&4
- else
- gpg "${gpg_options[@]}" "$@"
- fi
-}
-
-case "$1" in
- --encrypt)
- if [ -n "$LBS_GPG_ENC_KEY" ]; then
- gpg_options=("${gpg_options[@]}" --recipient "$LBS_GPG_ENC_KEY")
- fi
- run_gpg --encrypt
- ;;
-
- --decrypt)
- run_gpg
- ;;
-
- --clearsign)
- if [ -n "$LBS_GPG_SIGN_KEY" ]; then
- gpg_options=("${gpg_options[@]}" --local-user "$LBS_GPG_SIGN_KEY")
- fi
- run_gpg --clearsign
- ;;
-
- *)
- echo "$0: Unknown command or command not specified: $1" 1>&2
- exit 1
- ;;
-esac