Update generated content

CrazyMax 2020-09-03 21:32:38 +02:00
parent e55ea8984f
commit 0a25c3b971
No known key found for this signature in database
GPG key ID: 3248E46B6BB8C7F7
3 changed files with 86 additions and 40 deletions


@ -18,10 +18,7 @@ const userInfo = {
email: 'joe@foo.bar', email: 'joe@foo.bar',
keyID: 'D523BD50DD70B0BA', keyID: 'D523BD50DD70B0BA',
fingerprint: '27571A53B86AF0C799B38BA77D851EB72D73BDA0', fingerprint: '27571A53B86AF0C799B38BA77D851EB72D73BDA0',
keygrips: [ keygrips: ['3E2D1142AA59E08E16B7E2C64BA6DDC773B1A627', 'BA83FC8947213477F28ADC019F6564A956456163']
'3E2D1142AA59E08E16B7E2C64BA6DDC773B1A627',
'BA83FC8947213477F28ADC019F6564A956456163',
]
}; };
describe('gpg', () => { describe('gpg', () => {

120
dist/index.js generated vendored

@ -83,7 +83,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
}); });
}; };
Object.defineProperty(exports, "__esModule", { value: true }); Object.defineProperty(exports, "__esModule", { value: true });
exports.killAgent = exports.deleteKey = exports.presetPassphrase = exports.configureAgent = exports.getKeygrip = exports.importKey = exports.getDirs = exports.getVersion = exports.agentConfig = void 0; exports.killAgent = exports.deleteKey = exports.presetPassphrase = exports.configureAgent = exports.getKeygrips = exports.importKey = exports.getDirs = exports.getVersion = exports.agentConfig = void 0;
const fs = __importStar(__webpack_require__(747)); const fs = __importStar(__webpack_require__(747));
const path = __importStar(__webpack_require__(622)); const path = __importStar(__webpack_require__(622));
const os = __importStar(__webpack_require__(87)); const os = __importStar(__webpack_require__(87));
@ -189,19 +189,18 @@ exports.importKey = (key) => __awaiter(void 0, void 0, void 0, function* () {
fs.unlinkSync(keyPath); fs.unlinkSync(keyPath);
}); });
}); });
exports.getKeygrip = (fingerprint) => __awaiter(void 0, void 0, void 0, function* () { exports.getKeygrips = (fingerprint) => __awaiter(void 0, void 0, void 0, function* () {
return yield exec.exec('gpg', ['--batch', '--with-colons', '--with-keygrip', '--list-secret-keys', fingerprint], true).then(res => { return yield exec.exec('gpg', ['--batch', '--with-colons', '--with-keygrip', '--list-secret-keys', fingerprint], true).then(res => {
if (res.stderr != '' && !res.success) { if (res.stderr != '' && !res.success) {
throw new Error(res.stderr); throw new Error(res.stderr);
} }
let keygrip = ''; let keygrips = [];
for (let line of res.stdout.replace(/\r/g, '').trim().split(/\n/g)) { for (let line of res.stdout.replace(/\r/g, '').trim().split(/\n/g)) {
if (line.startsWith('grp')) { if (line.startsWith('grp')) {
keygrip = line.replace(/(grp|:)/g, '').trim(); keygrips.push(line.replace(/(grp|:)/g, '').trim());
break;
} }
} }
return keygrip; return keygrips;
}); });
}); });
exports.configureAgent = (config) => __awaiter(void 0, void 0, void 0, function* () { exports.configureAgent = (config) => __awaiter(void 0, void 0, void 0, function* () {
@ -322,13 +321,13 @@ function run() {
if (process.env.PASSPHRASE) { if (process.env.PASSPHRASE) {
core.info('⚙️ Configuring GnuPG agent'); core.info('⚙️ Configuring GnuPG agent');
yield gpg.configureAgent(gpg.agentConfig); yield gpg.configureAgent(gpg.agentConfig);
core.info('📌 Getting keygrip'); core.info('📌 Getting keygrips');
const keygrip = yield gpg.getKeygrip(privateKey.fingerprint); for (let keygrip of yield gpg.getKeygrips(privateKey.fingerprint)) {
core.debug(`${keygrip}`); core.info(`🔓 Presetting passphrase for ${keygrip}`);
core.info('🔓 Presetting passphrase'); yield gpg.presetPassphrase(keygrip, process.env.PASSPHRASE).then(stdout => {
yield gpg.presetPassphrase(keygrip, process.env.PASSPHRASE).then(stdout => { core.debug(stdout);
core.debug(stdout); });
}); }
} }
core.info('🛒 Setting outputs...'); core.info('🛒 Setting outputs...');
core.setOutput('fingerprint', privateKey.fingerprint); core.setOutput('fingerprint', privateKey.fingerprint);
@ -406,7 +405,7 @@ module.exports = require("child_process");
/***/ 144: /***/ 144:
/***/ (function(module) { /***/ (function(module) {
/*! OpenPGP.js v4.10.7 - 2020-07-21 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */ /*! OpenPGP.js v4.10.8 - 2020-08-28 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
(function(f){if(true){module.exports=f()}else { var g; }})(function(){var define,module,exports;return (function(){function r(e,n,t){function o(i,f){if(!n[i]){if(!e[i]){var c=require;if(!f&&c)return c(i,!0);if(u)return u(i,!0);var a=new Error("Cannot find module '"+i+"'");throw a.code="MODULE_NOT_FOUND",a}var p=n[i]={exports:{}};e[i][0].call(p.exports,function(r){var n=e[i][1][r];return o(n||r)},p,p.exports,r,e,n,t)}return n[i].exports}for(var u=require,i=0;i<t.length;i++)o(t[i]);return o}return r})()({1:[function(require,module,exports){ (function(f){if(true){module.exports=f()}else { var g; }})(function(){var define,module,exports;return (function(){function r(e,n,t){function o(i,f){if(!n[i]){if(!e[i]){var c=require;if(!f&&c)return c(i,!0);if(u)return u(i,!0);var a=new Error("Cannot find module '"+i+"'");throw a.code="MODULE_NOT_FOUND",a}var p=n[i]={exports:{}};e[i][0].call(p.exports,function(r){var n=e[i][1][r];return o(n||r)},p,p.exports,r,e,n,t)}return n[i].exports}for(var u=require,i=0;i<t.length;i++)o(t[i]);return o}return r})()({1:[function(require,module,exports){
(function (global){ (function (global){
"use strict"; "use strict";
@ -25419,6 +25418,14 @@ exports.default = {
* @property {Boolean} revocations_expire If true, expired revocation signatures are ignored * @property {Boolean} revocations_expire If true, expired revocation signatures are ignored
*/ */
revocations_expire: false, revocations_expire: false,
/**
* Allow decryption using RSA keys without `encrypt` flag.
* This setting is potentially insecure, but it is needed to get around an old openpgpjs bug
* where key flags were ignored when selecting a key for encryption.
* @memberof module:config
* @property {Boolean} allow_insecure_decryption_with_signing_keys
*/
allow_insecure_decryption_with_signing_keys: false,
/** /**
* @memberof module:config * @memberof module:config
@ -25460,7 +25467,7 @@ exports.default = {
* @memberof module:config * @memberof module:config
* @property {String} versionstring A version string to be included in armored messages * @property {String} versionstring A version string to be included in armored messages
*/ */
versionstring: "OpenPGP.js v4.10.7", versionstring: "OpenPGP.js v4.10.8",
/** /**
* @memberof module:config * @memberof module:config
* @property {String} commentstring A comment string to be included in armored messages * @property {String} commentstring A comment string to be included in armored messages
@ -34236,6 +34243,7 @@ exports.isAeadSupported = isAeadSupported;
exports.sanitizeKeyOptions = sanitizeKeyOptions; exports.sanitizeKeyOptions = sanitizeKeyOptions;
exports.isValidSigningKeyPacket = isValidSigningKeyPacket; exports.isValidSigningKeyPacket = isValidSigningKeyPacket;
exports.isValidEncryptionKeyPacket = isValidEncryptionKeyPacket; exports.isValidEncryptionKeyPacket = isValidEncryptionKeyPacket;
exports.isValidDecryptionKeyPacket = isValidDecryptionKeyPacket;
var _packet = require('../packet'); var _packet = require('../packet');
@ -34587,6 +34595,20 @@ function isValidEncryptionKeyPacket(keyPacket, signature) {
return keyPacket.algorithm !== _enums2.default.read(_enums2.default.publicKey, _enums2.default.publicKey.dsa) && keyPacket.algorithm !== _enums2.default.read(_enums2.default.publicKey, _enums2.default.publicKey.rsa_sign) && keyPacket.algorithm !== _enums2.default.read(_enums2.default.publicKey, _enums2.default.publicKey.ecdsa) && keyPacket.algorithm !== _enums2.default.read(_enums2.default.publicKey, _enums2.default.publicKey.eddsa) && (!signature.keyFlags || (signature.keyFlags[0] & _enums2.default.keyFlags.encrypt_communication) !== 0 || (signature.keyFlags[0] & _enums2.default.keyFlags.encrypt_storage) !== 0); return keyPacket.algorithm !== _enums2.default.read(_enums2.default.publicKey, _enums2.default.publicKey.dsa) && keyPacket.algorithm !== _enums2.default.read(_enums2.default.publicKey, _enums2.default.publicKey.rsa_sign) && keyPacket.algorithm !== _enums2.default.read(_enums2.default.publicKey, _enums2.default.publicKey.ecdsa) && keyPacket.algorithm !== _enums2.default.read(_enums2.default.publicKey, _enums2.default.publicKey.eddsa) && (!signature.keyFlags || (signature.keyFlags[0] & _enums2.default.keyFlags.encrypt_communication) !== 0 || (signature.keyFlags[0] & _enums2.default.keyFlags.encrypt_storage) !== 0);
} }
function isValidDecryptionKeyPacket(signature) {
if (!signature.verified) {
// Sanity check
throw new Error('Signature not verified');
}
if (_config2.default.allow_insecure_decryption_with_signing_keys) {
// This is only relevant for RSA keys, all other signing ciphers cannot decrypt
return true;
}
return !signature.keyFlags || (signature.keyFlags[0] & _enums2.default.keyFlags.encrypt_communication) !== 0 || (signature.keyFlags[0] & _enums2.default.keyFlags.encrypt_storage) !== 0;
}
},{"../config":79,"../crypto":94,"../enums":113,"../packet":131,"../util":158}],118:[function(require,module,exports){ },{"../config":79,"../crypto":94,"../enums":113,"../packet":131,"../util":158}],118:[function(require,module,exports){
'use strict'; 'use strict';
@ -34992,16 +35014,14 @@ Key.prototype.getEncryptionKey = async function (keyId, date = new Date(), userI
* @async * @async
*/ */
Key.prototype.getDecryptionKeys = async function (keyId, date = new Date(), userId = {}) { Key.prototype.getDecryptionKeys = async function (keyId, date = new Date(), userId = {}) {
await this.verifyPrimaryKey(date, userId);
const primaryKey = this.keyPacket; const primaryKey = this.keyPacket;
const keys = []; const keys = [];
for (let i = 0; i < this.subKeys.length; i++) { for (let i = 0; i < this.subKeys.length; i++) {
if (!keyId || this.subKeys[i].getKeyId().equals(keyId, true)) { if (!keyId || this.subKeys[i].getKeyId().equals(keyId, true)) {
try { try {
await this.subKeys[i].verify(primaryKey, date);
const dataToVerify = { key: primaryKey, bind: this.subKeys[i].keyPacket }; const dataToVerify = { key: primaryKey, bind: this.subKeys[i].keyPacket };
const bindingSignature = await helper.getLatestValidSignature(this.subKeys[i].bindingSignatures, primaryKey, _enums2.default.signature.subkey_binding, dataToVerify, date); const bindingSignature = await helper.getLatestValidSignature(this.subKeys[i].bindingSignatures, primaryKey, _enums2.default.signature.subkey_binding, dataToVerify, date);
if (bindingSignature && helper.isValidEncryptionKeyPacket(this.subKeys[i].keyPacket, bindingSignature)) { if (bindingSignature && helper.isValidDecryptionKeyPacket(bindingSignature)) {
keys.push(this.subKeys[i]); keys.push(this.subKeys[i]);
} }
} catch (e) {} } catch (e) {}
@ -35010,7 +35030,7 @@ Key.prototype.getDecryptionKeys = async function (keyId, date = new Date(), user
// evaluate primary key // evaluate primary key
const primaryUser = await this.getPrimaryUser(date, userId); const primaryUser = await this.getPrimaryUser(date, userId);
if ((!keyId || primaryKey.getKeyId().equals(keyId, true)) && helper.isValidEncryptionKeyPacket(primaryKey, primaryUser.selfCertification)) { if ((!keyId || primaryKey.getKeyId().equals(keyId, true)) && helper.isValidDecryptionKeyPacket(primaryUser.selfCertification)) {
keys.push(this); keys.push(this);
} }
@ -35100,7 +35120,7 @@ Key.prototype.validate = async function () {
} }
let signingKeyPacket; let signingKeyPacket;
if (!this.keyPacket.isDummy()) { if (!this.primaryKey.isDummy()) {
signingKeyPacket = this.primaryKey; signingKeyPacket = this.primaryKey;
} else { } else {
/** /**
@ -35616,9 +35636,9 @@ SubKey.prototype.isRevoked = async function (primaryKey, signature, key, date =
* Verify subkey. Checks for revocation signatures, expiration time * Verify subkey. Checks for revocation signatures, expiration time
* and valid binding signature. Throws if the subkey is invalid. * and valid binding signature. Throws if the subkey is invalid.
* @param {module:packet.SecretKey| * @param {module:packet.SecretKey|
* module:packet.PublicKey} primaryKey The primary key packet * module:packet.PublicKey} primaryKey The primary key packet
* @param {Date} date Use the given date instead of the current time * @param {Date} date Use the given date instead of the current time
* @returns {Promise<true>} The status of the subkey * @returns {Promise<undefined>}
* @async * @async
*/ */
SubKey.prototype.verify = async function (primaryKey, date = new Date()) { SubKey.prototype.verify = async function (primaryKey, date = new Date()) {
@ -40199,6 +40219,11 @@ PublicKeyEncryptedSessionKey.prototype.encrypt = async function (key) {
*/ */
PublicKeyEncryptedSessionKey.prototype.decrypt = async function (key) { PublicKeyEncryptedSessionKey.prototype.decrypt = async function (key) {
const algo = _enums2.default.write(_enums2.default.publicKey, this.publicKeyAlgorithm); const algo = _enums2.default.write(_enums2.default.publicKey, this.publicKeyAlgorithm);
const keyAlgo = _enums2.default.write(_enums2.default.publicKey, key.algorithm);
// check that session key algo matches the secret key algo
if (algo !== keyAlgo) {
throw new Error('Decryption error');
}
const decoded = await _crypto2.default.publicKeyDecrypt(algo, key.params, this.encrypted, key.getFingerprintBytes()); const decoded = await _crypto2.default.publicKeyDecrypt(algo, key.params, this.encrypted, key.getFingerprintBytes());
const checksum = _util2.default.str_to_Uint8Array(decoded.substr(decoded.length - 2)); const checksum = _util2.default.str_to_Uint8Array(decoded.substr(decoded.length - 2));
key = _util2.default.str_to_Uint8Array(decoded.substring(1, decoded.length - 2)); key = _util2.default.str_to_Uint8Array(decoded.substring(1, decoded.length - 2));
@ -40573,6 +40598,26 @@ SecretKey.prototype.isDummy = function () {
return !!(this.s2k && this.s2k.type === 'gnu-dummy'); return !!(this.s2k && this.s2k.type === 'gnu-dummy');
}; };
/**
* Remove private key material, converting the key to a dummy one
* The resulting key cannot be used for signing/decrypting but can still verify signatures
*/
SecretKey.prototype.makeDummy = function () {
if (this.isDummy()) {
return;
}
if (!this.isDecrypted()) {
// this is technically not needed, but makes the conversion simpler
throw new Error("Key is not decrypted");
}
this.clearPrivateParams();
this.isEncrypted = false;
this.s2k = new _s2k2.default();
this.s2k.algorithm = 0;
this.s2k.c = 0;
this.s2k.type = 'gnu-dummy';
};
/** /**
* Encrypt the payload. By default, we use aes256 and iterated, salted string * Encrypt the payload. By default, we use aes256 and iterated, salted string
* to key specifier. If the key is in a decrypted state (isEncrypted === false) * to key specifier. If the key is in a decrypted state (isEncrypted === false)
@ -40908,7 +40953,8 @@ function Signature(date = new Date()) {
this.revocationKeyAlgorithm = null; this.revocationKeyAlgorithm = null;
this.revocationKeyFingerprint = null; this.revocationKeyFingerprint = null;
this.issuerKeyId = new _keyid2.default(); this.issuerKeyId = new _keyid2.default();
this.notations = []; this.rawNotations = [];
this.notations = {};
this.preferredHashAlgorithms = null; this.preferredHashAlgorithms = null;
this.preferredCompressionAlgorithms = null; this.preferredCompressionAlgorithms = null;
this.keyServerPreferences = null; this.keyServerPreferences = null;
@ -41068,13 +41114,14 @@ Signature.prototype.write_hashed_sub_packets = function () {
bytes = _util2.default.concat([bytes, this.revocationKeyFingerprint]); bytes = _util2.default.concat([bytes, this.revocationKeyFingerprint]);
arr.push(write_sub_packet(sub.revocation_key, bytes)); arr.push(write_sub_packet(sub.revocation_key, bytes));
} }
this.notations.forEach(([name, value]) => { this.rawNotations.forEach(([{ name, value, humanReadable }]) => {
bytes = [new Uint8Array([0x80, 0, 0, 0])]; bytes = [new Uint8Array([humanReadable ? 0x80 : 0, 0, 0, 0])];
// 2 octets of name length // 2 octets of name length
bytes.push(_util2.default.writeNumber(name.length, 2)); bytes.push(_util2.default.writeNumber(name.length, 2));
// 2 octets of value length // 2 octets of value length
bytes.push(_util2.default.writeNumber(value.length, 2)); bytes.push(_util2.default.writeNumber(value.length, 2));
bytes.push(_util2.default.str_to_Uint8Array(name + value)); bytes.push(_util2.default.str_to_Uint8Array(name));
bytes.push(value);
bytes = _util2.default.concat(bytes); bytes = _util2.default.concat(bytes);
arr.push(write_sub_packet(sub.notation_data, bytes)); arr.push(write_sub_packet(sub.notation_data, bytes));
}); });
@ -41270,9 +41317,10 @@ Signature.prototype.read_sub_packet = function (bytes, trusted = true) {
break; break;
case 20: case 20:
// Notation Data {
// We don't know how to handle anything but a text flagged data. // Notation Data
if (bytes[mypos] === 0x80) { const humanReadable = !!(bytes[mypos] & 0x80);
// We extract key/value tuple from the byte stream. // We extract key/value tuple from the byte stream.
mypos += 4; mypos += 4;
const m = _util2.default.readNumber(bytes.subarray(mypos, mypos + 2)); const m = _util2.default.readNumber(bytes.subarray(mypos, mypos + 2));
@ -41281,17 +41329,19 @@ Signature.prototype.read_sub_packet = function (bytes, trusted = true) {
mypos += 2; mypos += 2;
const name = _util2.default.Uint8Array_to_str(bytes.subarray(mypos, mypos + m)); const name = _util2.default.Uint8Array_to_str(bytes.subarray(mypos, mypos + m));
const value = _util2.default.Uint8Array_to_str(bytes.subarray(mypos + m, mypos + m + n)); const value = bytes.subarray(mypos + m, mypos + m + n);
this.notations.push([name, value]); this.rawNotations.push({ name, humanReadable, value });
if (humanReadable) {
this.notations[name] = _util2.default.Uint8Array_to_str(value);
}
if (critical && _config2.default.known_notations.indexOf(name) === -1) { if (critical && _config2.default.known_notations.indexOf(name) === -1) {
throw new Error("Unknown critical notation: " + name); throw new Error("Unknown critical notation: " + name);
} }
} else { break;
_util2.default.print_debug("Unsupported notation flag " + bytes[mypos]);
} }
break;
case 21: case 21:
// Preferred Hash Algorithms // Preferred Hash Algorithms
read_array('preferredHashAlgorithms', bytes.subarray(mypos, bytes.length)); read_array('preferredHashAlgorithms', bytes.subarray(mypos, bytes.length));


@ -124,7 +124,6 @@ export const importKey = async (key: string): Promise<string> => {
}); });
}; };
export const getKeygrips = async (fingerprint: string): Promise<Array<string>> => { export const getKeygrips = async (fingerprint: string): Promise<Array<string>> => {
return await exec.exec('gpg', ['--batch', '--with-colons', '--with-keygrip', '--list-secret-keys', fingerprint], true).then(res => { return await exec.exec('gpg', ['--batch', '--with-colons', '--with-keygrip', '--list-secret-keys', fingerprint], true).then(res => {
if (res.stderr != '' && !res.success) { if (res.stderr != '' && !res.success) {