diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..314f02b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.txt
\ No newline at end of file
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..d2fc7f6
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
+repos:
+- repo: https://github.com/avilaton/add-msg-issue-prefix-hook
+ rev: v0.0.6 # Use the ref you want to point at
+ hooks:
+ - id: add-msg-issue-prefix
\ No newline at end of file
diff --git a/README.md b/README.md
index 61c891c..eb70256 100644
--- a/README.md
+++ b/README.md
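Review bot: `*.txt` keeps decrypted plaintext out of commits only while its name ends in `.txt`; gpg-tool.sh's decrypt writes the output next to the script with the `.asc` suffix stripped (as far as I can tell from `gpg --decrypt-files`), so a secret stored as, say, `config.json.asc` would decrypt to an unignored `config.json`. A comment such as `# decrypted secrets written by gpg-tool.sh --decrypt; only the .asc files are committed` would record why the pattern exists, and listing the decrypted names the README mentions (`token.txt`, `jenkins_secrets.txt`) next to it would make the intent explicit.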
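Review bot: `rev: v0.0.6` pins the third-party hook `add-msg-issue-prefix-hook` to a tag, which the upstream repository can move or re-create, so the code pre-commit fetches and runs on every commit is not immutable; pre-commit accepts a full commit SHA in `rev`, which does pin it. The inline comment `# Use the ref you want to point at` is the upstream template text and could be replaced by the reason this particular revision was chosen.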
@@ -1,3 +1,61 @@ -# template-default-repository +# GPG helper script +Use ./gpg-tool.sh to automate gpg operations -Template with default configuration for Avroid GIT project \ No newline at end of file +Usage: +------------------------------------- + +``` +gpg-tool.sh [args] file.asc + +Commands: + -d, --decrypt decrypt file + -e, --encrypt encrypt file + -i, --import_keys import keys + -h, --help display help + +Example: + ./gpg-tool.sh --import_keys + ./gpg-tool.sh --decrypt token.txt.asc + ./gpg-tool.sh --encrypt token.txt +``` + +# Как переподписать секреты новым ключом +``` +1. Сгенерировать и добавить новый ключ в каталог `keys` +https://confluence.ncloudtech.ru/display/KDM/GPG+How-To + +2. Перейти в корень репозитория и выполнить команды: +./gpg-tool.sh --import_keys + +./gpg-tool.sh --decrypt token.txt.asc +./gpg-tool.sh --decrypt jenkins_secrets.txt.asc + +./gpg-tool.sh --encrypt token.txt +./gpg-tool.sh --encrypt jenkins_secrets.txt + +3. Переподписанные файлы .asc PUSH в репозиторий +``` + + +# How to use GPG +To encrypt a document the option --encrypt is used. You must have the public keys of the intended recipients. The software expects the name of the document to encrypt as input or, if omitted, on standard input. The encrypted result is placed on standard output or as specified using the option --output. The document is compressed for additional security in addition to encrypting it. + + > gpg --output doc.gpg --encrypt --recipient blake@cyb.org doc + +The --recipient option is used once for each recipient and takes an extra argument specifying the public key to which the document should be encrypted. The encrypted document can only be decrypted by someone with a private key that complements one of the recipients' public keys. In particular, you cannot decrypt a document encrypted by you unless you included your own public key in the recipient list. + +To decrypt a message the option --decrypt is used. 
You need the private key to which the message was encrypted. Similar to the encryption process, the document to decrypt is input, and the decrypted result is output.
+
+ > gpg --output doc --decrypt doc.gpg
+
+ You need a passphrase to unlock the secret key for
+ user: "Blake (Executioner) "
+ 1024-bit ELG-E key, ID 5C8CBD41, created 1999-06-04 (main key ID 9E98BC16)
+
+ Enter passphrase:
+
+Documents may also be encrypted without using public-key cryptography. Instead, only a symmetric cipher is used to encrypt the document. The key used to drive the symmetric cipher is derived from a passphrase supplied when the document is encrypted, and for good security, it should not be the same passphrase that you use to protect your private key. Symmetric encryption is useful for securing documents when the passphrase does not need to be communicated to others. A document can be encrypted with a symmetric cipher by using the --symmetric option.
+
+ > gpg --output doc.gpg --symmetric doc
+
+ Enter passphrase:
\ No newline at end of file
diff --git a/gpg-tool.sh b/gpg-tool.sh
new file mode 100755
index 0000000..93965f1
--- /dev/null
+++ b/gpg-tool.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+set -euo pipefail
+SCRIPT_PATH=$(dirname "$(readlink -f "$0")";)
+
+function help {
+echo "
+sign.sh [args] file
+
+Commands:
+ -d, --decrypt decrypt file
+ -e, --encrypt encrypt file
+ -v, --view view encrypted file
+ -i, --import_keys import keys
+ -h, --help display help
+
+Example:
+ ./sign.sh --import_keys
+ ./sign.sh --decrypt token.txt.asc
+ ./sign.sh --encrypt token.txt
+"
+}
+
+function decrypt {
+ FILE="$1"
+ gpg --decrypt-files "$SCRIPT_PATH/$FILE"
+ rm -r "$SCRIPT_PATH/$FILE"
+}
+
+function view {
+ FILE="$1"
+ gpg --decrypt "$SCRIPT_PATH"/"$FILE" 2>/dev/null
+}
+
+function import_keys {
+ for i in ls "$SCRIPT_PATH"/keys/*.pub
+ do
+ gpg --import "$i" 2>&1 | head -1 | awk '{print $3}' | sed 's/.$//' > /dev/null
+ done
+ echo 'All keys have been imported'
+}
+
+function get_recipients {
+ for i in "$SCRIPT_PATH"/keys/*.pub
+ do
+ allKeys+="--recipient $(gpg --import "$i" 2>&1 | head -1 | awk '{print $3}' | sed 's/.$//') "
+ done
+ echo "$allKeys"
+}
+
+function encrypt {
+ PUBKEYS=$(get_recipients)
+ FILE="$1"
+ gpg --encrypt-files --trust-model always $PUBKEYS --armor "$FILE"
+}
+
+if [ $# = 0 ]; then
+ help
+ exit
+fi
+
+case $1 in
+ -i| --import_keys)
+ import_keys && exit 0
+ ;;
+
+ -d| --decrypt)
+ decrypt "$2"
+ ;;
+
+ -e| --encrypt)
+ encrypt "$2"
+ ;;
+
+ -v| --view)
+ view "$2"
+ ;;
+
+ -h| --help)
+ help
+ exit
+ ;;
+
+ *)
+ help
+ exit 0
+ ;;
+esac
\ No newline at end of file
diff --git a/keys/stanislav.gabenov.pub b/keys/stanislav.gabenov.pub
new file mode 100644
index 0000000..5609477
--- /dev/null
+++ b/keys/stanislav.gabenov.pub
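Review bot: `for i in ls "$SCRIPT_PATH"/keys/*.pub` in import_keys iterates the literal word `ls` as its first filename, so the loop's first `gpg --import ls` fails and, under `set -euo pipefail`, should abort the script before any real key is imported; dropping the `ls` makes the loop match get_recipients (`for i in "$SCRIPT_PATH"/keys/*.pub`). Both loops obtain the recipient key ID by parsing gpg's human-readable stderr (`head -1 | awk '{print $3}' | sed 's/.$//'`), which depends on gpg's locale and message wording; `gpg --with-colons --show-keys "$i"` and its `fpr` record give a stable full fingerprint to pass to `--recipient`, and get_recipients would then no longer need to re-import every key just to read its ID. On the trust side, encrypt passes `--trust-model always` and encrypts to every `.pub` found in keys/, so any public key added to that directory silently joins the recipient set of every re-encrypted secret; a fingerprint allowlist in the script, checked against each key before it is used, would make a change to the recipient set an explicit, reviewable edit. Minor: the help text and examples still refer to `sign.sh` although the file is gpg-tool.sh, and decrypt/view resolve the file under `$SCRIPT_PATH` while encrypt uses it relative to the current directory.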
@@ -0,0 +1,14 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZGR/MBYJKwYBBAHaRw8BAQdAFu3GZthxx8lSsh4lcMVfpEEU41+3oCwRpcNm
+qr80Ljm0M1N0YW5pc2xhdiBHYWJlbm92IDxzdGFuaXNsYXYuZ2FiZW5vdkBteW9m
+ZmljZS50ZWFtPoiTBBMWCgA7FiEEzvHEydW9bX58O1q12WIE+EqFqxYFAmRkfzAC
+GwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQ2WIE+EqFqxZdYgEAx7w+
+KJnBT6+DeGO+72l/D+8+t3lL4FsoTZLihkFYwjwA/jav8LfJt68cjFFnHG14p+gC
+dKz8R1EpYvOonrxhqxsAuDgEZGR/MBIKKwYBBAGXVQEFAQEHQAv35CwCjKOw1Akf
+GbKX7ddguwsWqFf4gDqxdHR6S101AwEIB4h4BBgWCgAgFiEEzvHEydW9bX58O1q1
+2WIE+EqFqxYFAmRkfzACGwwACgkQ2WIE+EqFqxbfigEAlFrbtsBVEXAXYRMcdVTK
+YJywkCmuy8bTZPt+0sBnc6QA/3xFzj/gdC7h/p1EORJ0peRlVfQvbL7hdEM+mjRX
+M5IA
+=2+yu
+-----END PGP PUBLIC KEY BLOCK-----