Class: Yast::GPGClass

Inherits:

Module

• Object
• Module
• Yast::GPGClass

Defined in:

library/gpg/src/modules/GPG.rb

Constant Summary

XTERM_PATH =

"/usr/bin/xterm".freeze

Instance Method Summary

• #buildGPGcommand(options) ⇒ String

  Build GPG option string.

• #callGPG(options) ⇒ Hash

  Execute gpg with the specified parameters, --homedir is added to the options.

• #CreateKey ⇒ Object

  Create a new gpg key.

• #decrypt_symmetric(file, password) ⇒ String

  Decrypts file with symmetric cipher.

• #encrypt_symmetric(input_file, output_file, password) ⇒ void

  Encrypts file with symmetric cipher.

• #encrypted_symmetric?(file) ⇒ Boolean

  If file is gpg symmetric encrypted with --armor.

• #ExportAsciiPublicKey(keyid, file) ⇒ Boolean

  Export a public gpg key in ACSII armored file.

• #ExportPublicKey(keyid, file) ⇒ Boolean

  Export a public gpg key in binary format.

• #Init(home_dir, force) ⇒ Object

  (Re)initialize the module, the cache is invalidated if the home directory is changed.

• #main ⇒ Object
• #parse_key(lines) ⇒ Hash

  Parse gpg output using the parsing map.

• #parseKeys(input) ⇒ Array<Hash>

  Parse gpg output.

• #PrivateKeys ⇒ Array<Hash> public keys: [ $["fingerprint": String key_fingerprint, "id": String key_ID, "uid": Array<String>] user_ids], ...

  Return list of the private keys in the keyring.

• #PublicKeys ⇒ Array<Hash> public keys: [ $["fingerprint": String key_fingerprint, "id": String key_ID, "uid": Array<String>] user_ids], ...

  Return list of the public keys in the keyring.

• #SignAsciiDetached(keyid, file, passphrase) ⇒ Boolean

  Sign a file.

• #SignDetached(keyid, file, passphrase) ⇒ Boolean

  Sign a file.

• #SignFile(keyid, file, passphrase, ascii_signature) ⇒ Boolean

  Sign a file.

• #VerifyFile(sig_file, file) ⇒ Boolean

  Verify a file using a signature file.

Instance Method Details

#buildGPGcommand(options) ⇒ String

Build GPG option string

Parameters:

• options (String) —

  additional gpg options

Returns:

• (String) —

  gpg option string

# File 'library/gpg/src/modules/GPG.rb', line 90

def buildGPGcommand(options)
  home_opt = @home.empty? ? "" : "--homedir '#{String.Quote(@home)}' "
  ret = "/usr/bin/gpg #{home_opt} #{options}"
  Builtins.y2milestone("gpg command: %1", ret)

  ret
end

#callGPG(options) ⇒ Hash

Execute gpg with the specified parameters, --homedir is added to the options

Parameters:

• options (String) —

  additional gpg options

Returns:

• (Hash) —

  result of the execution

# File 'library/gpg/src/modules/GPG.rb', line 101

def callGPG(options)
  command = "LC_ALL=en_US.UTF-8 " + buildGPGcommand(options)

  ret = Convert.to_map(SCR.Execute(path(".target.bash_output"), command))

  Builtins.y2error("gpg error: %1", ret) if Ops.get_integer(ret, "exit", -1) != 0

  deep_copy(ret)
end

#CreateKey ⇒ Object

Create a new gpg key. Executes 'gpg --gen-key' in an xterm window (in the QT UI) or in the terminal window (in the ncurses UI).

# File 'library/gpg/src/modules/GPG.rb', line 214

def CreateKey
  command = Ops.add("GPG_AGENT_INFO='' ", buildGPGcommand("--gen-key"))
  text_mode = Ops.get_boolean(UI.GetDisplayInfo, "TextMode", false)

  Builtins.y2debug("text_mode: %1", text_mode)

  ret = false

  if text_mode
    command = Ops.add("LC_ALL=en_US.UTF-8 ", command)
    Builtins.y2internal("Executing in terminal: %1", command)
    # in ncurses use UI::RunInTerminal
    ret = UI.RunInTerminal(command) == 0
  else
    if Ops.less_than(SCR.Read(path(".target.size"), XTERM_PATH), 0)
      # FIXME: do it
      Report.Error(_("Xterm is missing, install xterm package."))
      return false
    end

    exit_file = Ops.add(
      Convert.to_string(SCR.Read(path(".target.tmpdir"))),
      "/gpg_tmp_exit_file"
    )
    SCR.Execute(path(".target.bash"), "/usr/bin/rm -f #{exit_file.shellescape}") if FileUtils.Exists(exit_file)

    command = "LC_ALL=en_US.UTF-8 #{XTERM_PATH} -e " \
              "\"#{command}; echo $? > #{exit_file.shellescape}\""

    Builtins.y2internal("Executing: %1", command)

    # in Qt start GPG in a xterm window
    SCR.Execute(path(".target.bash"), command)

    if FileUtils.Exists(exit_file)
      # read the exit code from file
      # (the exit code from the SCR call above is the xterm exit code which is not what we want here)
      exit_code = Convert.to_string(
        SCR.Read(path(".target.string"), exit_file)
      )
      Builtins.y2milestone(
        "Read exit code from tmp file %1: %2",
        exit_file,
        exit_code
      )

      ret = exit_code == "0\n"
    else
      Builtins.y2warning("Exit file is missing, the gpg command has failed")
      ret = false
    end
  end

  if ret
    # invalidate cache, force reloading
    Init(@home, true)
  end

  ret
end

#decrypt_symmetric(file, password) ⇒ String

Decrypts file with symmetric cipher.

Parameters:

• file (String) —

  encrypted file

• password (String) —

  to use

Returns:

• (String) —

  decrypted content of file

Raises:

• (GPGFailed) —

  when decryption failed

# File 'library/gpg/src/modules/GPG.rb', line 409

def decrypt_symmetric(file, password)
  out = callGPG("--decrypt --batch --passphrase '#{String.Quote(password)}' '#{String.Quote(file)}'")

  raise GPGFailed, out["stderr"] if out["exit"] != 0

  out["stdout"]
end

#encrypt_symmetric(input_file, output_file, password) ⇒ void

Note:

exception is raised even if file exist

This method returns an undefined value.

Encrypts file with symmetric cipher.

Parameters:

• input_file (String) —

  file to encrypt

• output_file (String) —

  where result is written

• password (String) —

  to use

Raises:

• (GPGFailed) —

  when encryption failed

# File 'library/gpg/src/modules/GPG.rb', line 429

def encrypt_symmetric(input_file, output_file, password)
  out = callGPG("--armor --batch --symmetric --passphrase '#{String.Quote(password)}' " \
                "--output '#{String.Quote(output_file)}' '#{String.Quote(input_file)}'")

  raise GPGFailed, out["stderr"] if out["exit"] != 0
end

#encrypted_symmetric?(file) ⇒ Boolean

Returns if file is gpg symmetric encrypted with --armor.

Returns:

• (Boolean) —

  if file is gpg symmetric encrypted with --armor

# File 'library/gpg/src/modules/GPG.rb', line 418

def encrypted_symmetric?(file)
  File.readlines(file).first&.strip == "-----BEGIN PGP MESSAGE-----"
end

#ExportAsciiPublicKey(keyid, file) ⇒ Boolean

Export a public gpg key in ACSII armored file.

Parameters:

• keyid (String) —

  id of the key

• file (String) —

  the target file

Returns:

• (Boolean) —

  true if the file has been successfuly signed

# File 'library/gpg/src/modules/GPG.rb', line 376

def ExportAsciiPublicKey(keyid, file)
  out = callGPG(
    Builtins.sformat(
      "-a --export '%1' > '%2'",
      String.Quote(keyid),
      String.Quote(file)
    )
  )

  Ops.get_integer(out, "exit", -1) == 0
end

#ExportPublicKey(keyid, file) ⇒ Boolean

Export a public gpg key in binary format.

Parameters:

• keyid (String) —

  id of the key

• file (String) —

  the target file

Returns:

• (Boolean) —

  true if the file has been successfuly signed

# File 'library/gpg/src/modules/GPG.rb', line 392

def ExportPublicKey(keyid, file)
  out = callGPG(
    Builtins.sformat(
      "--export '%1' > '%2'",
      String.Quote(keyid),
      String.Quote(file)
    )
  )

  Ops.get_integer(out, "exit", -1) == 0
end

#Init(home_dir, force) ⇒ Object

(Re)initialize the module, the cache is invalidated if the home directory is changed.

Parameters:

• home_dir (String) —

  home directory for gpg (location of the keyring)

• force (Boolean) —

  unconditionaly clear the key caches

# File 'library/gpg/src/modules/GPG.rb', line 70

def Init(home_dir, force)
  if home_dir != "" && FileUtils.IsDirectory(home_dir) != true
    Builtins.y2error("Path %1 is not a directory", home_dir)
    return false
  end

  if home_dir != @home || force
    # clear the cache, home has been changed
    @public_keys = nil
    @private_keys = nil
  end

  @home = home_dir

  true
end

#main ⇒ Object

# File 'library/gpg/src/modules/GPG.rb', line 36

def main
  Yast.import "UI"

  Yast.import "String"
  Yast.import "Report"
  Yast.import "FileUtils"

  textdomain "base"

  # value for --homedir gpg option, empty string means default home directory
  @home = ""

  # key cache
  @public_keys = nil
  # key cache
  @private_keys = nil

  # Map for parsing gpg output. Key is regexp, value is the key returned
  # in the result of the parsing.
  @parsing_map = {
    # secret key ID
    "^sec  .*/([^ ]*) "             => "id",
    # public key id
    "^pub  .*/([^ ]*) "             => "id",
    # user id
    "^uid *(.*)"                    => "uid",
    # fingerprint
    "^      Key fingerprint = (.*)" => "fingerprint"
  }
end

#parse_key(lines) ⇒ Hash

Parse gpg output using the parsing map

Parameters:

• lines (Array<String>) —

  gpg output (splitted into lines)

Returns:

• (Hash) —

  parsed output

# File 'library/gpg/src/modules/GPG.rb', line 114

def parse_key(lines)
  lines = deep_copy(lines)
  ret = {}

  Builtins.foreach(lines) do |line|
    Builtins.foreach(@parsing_map) do |regexp, key|
      parsed = Builtins.regexpsub(line, regexp, "\\1")
      if !parsed.nil?
        # there might be more UIDs
        if key == "uid"
          Builtins.y2milestone("%1: %2", key, parsed)
          Ops.set(ret, key, Builtins.add(Ops.get_list(ret, key, []), parsed))
        else
          if Builtins.haskey(ret, key)
            Builtins.y2warning(
              "Key %1: replacing old value '%2' with '%3'",
              key,
              Ops.get_string(ret, key, ""),
              parsed
            )
          end
          Ops.set(ret, key, parsed)
        end
      end
    end
  end

  Builtins.y2milestone("Parsed key: %1", ret)

  deep_copy(ret)
end

#parseKeys(input) ⇒ Array<Hash>

Parse gpg output

Parameters:

• input (String) —

  gpg output

Returns:

• (Array<Hash>) —

  parsed keys

# File 'library/gpg/src/modules/GPG.rb', line 149

def parseKeys(input)
  # NOTE: see /usr/share/doc/packages/gpg/DETAILS for another way

  ret = []
  lines = Builtins.splitstring(input, "\n")

  if Ops.greater_than(Builtins.size(input), 2)
    # remove the header
    lines = Builtins.remove(lines, 0)
    lines = Builtins.remove(lines, 0)
  end

  key_lines = []
  key_line_list = []

  # create groups
  Builtins.foreach(lines) do |line|
    if line == ""
      key_lines = Builtins.add(key_lines, key_line_list)
      key_line_list = []
    else
      key_line_list = Builtins.add(key_line_list, line)
    end
  end

  # parse each group to map
  Builtins.foreach(key_lines) do |keylines|
    parsed = parse_key(keylines)
    ret = Builtins.add(ret, parsed) if Ops.greater_than(Builtins.size(parsed), 0)
  end

  Builtins.y2milestone("Parsed keys: %1", ret)

  deep_copy(ret)
end

#PrivateKeys ⇒ Array<Hash> public keys: [ $["fingerprint": String key_fingerprint, "id": String key_ID, "uid": Array<String>] user_ids], ...

Return list of the private keys in the keyring.

Returns:

• (Array<Hash> public keys: [ $["fingerprint": String key_fingerprint, "id": String key_ID, "uid": Array<String>] user_ids], ...)

# File 'library/gpg/src/modules/GPG.rb', line 200

def PrivateKeys
  # return the cached values if available
  return deep_copy(@private_keys) if !@private_keys.nil?

  out = callGPG("--list-secret-keys --fingerprint")

  @private_keys = parseKeys(Ops.get_string(out, "stdout", "")) if Ops.get_integer(out, "exit", -1) == 0

  deep_copy(@private_keys)
end

#PublicKeys ⇒ Array<Hash> public keys: [ $["fingerprint": String key_fingerprint, "id": String key_ID, "uid": Array<String>] user_ids], ...

Return list of the public keys in the keyring.

Returns:

• (Array<Hash> public keys: [ $["fingerprint": String key_fingerprint, "id": String key_ID, "uid": Array<String>] user_ids], ...)

# File 'library/gpg/src/modules/GPG.rb', line 187

def PublicKeys
  # return the cached values if available
  return deep_copy(@public_keys) if !@public_keys.nil?

  out = callGPG("--list-keys --fingerprint")

  @public_keys = parseKeys(Ops.get_string(out, "stdout", "")) if Ops.get_integer(out, "exit", -1) == 0

  deep_copy(@public_keys)
end

#SignAsciiDetached(keyid, file, passphrase) ⇒ Boolean

Sign a file. The ASCII armored signature is stored in file with .asc suffix

Parameters:

• keyid (String) —

  id of the signing key

• file (String) —

  the file to sign

• passphrase (String) —

  passphrase to unlock the private key

Returns:

• (Boolean) —

  true if the file has been successfuly signed

# File 'library/gpg/src/modules/GPG.rb', line 343

def SignAsciiDetached(keyid, file, passphrase)
  SignFile(keyid, file, passphrase, true)
end

#SignDetached(keyid, file, passphrase) ⇒ Boolean

Sign a file. The binary signature is stored in file with .sig suffix

Parameters:

• keyid (String) —

  id of the signing key

• file (String) —

  the file to sign

• passphrase (String) —

  passphrase to unlock the private key

Returns:

• (Boolean) —

  true if the file has been successfuly signed

# File 'library/gpg/src/modules/GPG.rb', line 352

def SignDetached(keyid, file, passphrase)
  SignFile(keyid, file, passphrase, false)
end

#SignFile(keyid, file, passphrase, ascii_signature) ⇒ Boolean

Sign a file. The ASCII armored signature is stored in file with .asc suffix

Parameters:

• keyid (String) —

  id of the signing key

• file (String) —

  the file to sign

• passphrase (String) —

  passphrase to unlock the private key

• ascii_signature (Boolean) —

  if true ASCII armored signature is created (with suffix .asc) otherwise binary signature (with suffix .sig) is created

Returns:

• (Boolean) —

  true if the file has been successfuly signed

# File 'library/gpg/src/modules/GPG.rb', line 282

def SignFile(keyid, file, passphrase, ascii_signature)
  if passphrase.nil? || keyid.nil? || keyid == "" || file.nil? ||
      file == ""
    Builtins.y2error(
      "Invalid parameters: keyid: %1, file: %2, passphrase: %3",
      keyid,
      file,
      passphrase
    )
    return false
  end

  # signature suffix depends on the format
  suffix = ascii_signature ? ".asc" : ".sig"

  if Ops.greater_or_equal(
    Convert.to_integer(
      SCR.Read(path(".target.size"), Ops.add(file, suffix))
    ),
    0
  )
    # remove the existing key
    SCR.Execute(
      path(".target.bash"),
      "/usr/bin/rm -f #{(file + suffix).shellescape}"
    )
  end

  # save the passphrase to a file
  tmpfile = Ops.add(
    Convert.to_string(SCR.Read(path(".target.tmpdir"))),
    "/stdin"
  )

  written = SCR.Write(
    path(".target.string"),
    tmpfile,
    Ops.add(passphrase, "\n")
  )

  return false if !written

  # use the passphrase
  out = callGPG(
    Builtins.sformat(
      "--detach-sign -u '%1' --no-tty --batch --command-fd=0 --passphrase-fd 0 %2 '%3' < '%4'",
      String.Quote(keyid),
      ascii_signature ? "-a" : "",
      String.Quote(file),
      String.Quote(tmpfile)
    )
  )

  Ops.get_integer(out, "exit", -1) == 0
end

#VerifyFile(sig_file, file) ⇒ Boolean

Verify a file using a signature file. The key which has been used for signing must be imported in the keyring.

Parameters:

• sig_file (String) —

  file with the signature

• file (String) —

  file to verify

Returns:

• (Boolean) —

  true if the file has been successfuly verified

# File 'library/gpg/src/modules/GPG.rb', line 360

def VerifyFile(sig_file, file)
  out = callGPG(
    Builtins.sformat(
      "--verify '%1' '%2'",
      String.Quote(sig_file),
      String.Quote(file)
    )
  )

  Ops.get_integer(out, "exit", -1) == 0
end