From 4624d096a8629747da2580507f0201e36ca1cec3 Mon Sep 17 00:00:00 2001
From: drduh
Date: Fri, 9 May 2025 17:01:19 -0700
Subject: [PATCH 01/11] script generate commands
---
 scripts/generate.sh | 69 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100755 scripts/generate.sh
diff --git a/scripts/generate.sh b/scripts/generate.sh
new file mode 100755
index 0000000..2535bdc
--- /dev/null
+++ b/scripts/generate.sh
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+
+#set -x # uncomment to debug
+set -o errtrace
+set -o nounset
+set -o pipefail
+
+umask 077
+
+export LC_ALL="C"
+
+export GNUPGHOME=$(mktemp -d -t $(date +%Y.%m.%d)-XXXX)
+
+cd "${GNUPGHOME}" ; pwd
+
+export IDENTITY="YubiKey User "
+
+export KEY_TYPE="rsa4096"
+
+export KEY_EXPIRATION="2027-05-01"
+
+export CERTIFY_PASS=$(LC_ALL=C tr -dc "A-Z2-9" < /dev/urandom | \
+ tr -d "IOUS5" | \
+ fold -w ${PASS_GROUPSIZE:-4} | \
+ paste -sd ${PASS_DELIMITER:--} - | \
+ head -c ${PASS_LENGTH:-29})
+
+echo "$CERTIFY_PASS" | \
+ gpg --batch --passphrase-fd 0 \
+ --quick-generate-key "$IDENTITY" "$KEY_TYPE" cert never
+
+export KEYID=$(gpg -k --with-colons "$IDENTITY" | \
+ awk -F: '/^pub:/ { print $5; exit }')
+
+export KEYFP=$(gpg -k --with-colons "$IDENTITY" | \
+ awk -F: '/^fpr:/ { print $10; exit }')
+
+printf "\nKey ID: %40s\nKey FP: %40s\n\n" "$KEYID" "$KEYFP"
+
+for SUBKEY in sign encrypt auth ; do \
+ echo "$CERTIFY_PASS" | \
+ gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \
+ --quick-add-key "$KEYFP" "$KEY_TYPE" "$SUBKEY" "$KEY_EXPIRATION"
+done
+
+gpg -K
+
+echo "$CERTIFY_PASS" | \
+ gpg --output $GNUPGHOME/$KEYID-Certify.key \
+ --batch --pinentry-mode=loopback --passphrase-fd 0 \
+ --armor --export-secret-keys $KEYID
+
+echo "$CERTIFY_PASS" | \
+ gpg --output $GNUPGHOME/$KEYID-Subkeys.key \
+ --batch --pinentry-mode=loopback --passphrase-fd 0 \
+ --armor --export-secret-subkeys $KEYID
+
+gpg --output $GNUPGHOME/$KEYID-$(date +%F).asc \
+ --armor --export $KEYID
+
+export LUKS_PASS=$(LC_ALL=C tr -dc "A-Z2-9" < /dev/urandom | \
+ tr -d "IOUS5" | \
+ fold -w ${PASS_GROUPSIZE:-4} | \
+ paste -sd ${PASS_DELIMITER:--} - | \
+ head -c ${PASS_LENGTH:-29})
+
+printf "CERTIFY PASS: \n$CERTIFY_PASS\n\n"
+
+printf "LUKS PASS:\n$LUKS_PASS\n\n"
From f2c4ca3e689776942c83e73416de5f204fda3cde Mon Sep 17 00:00:00 2001
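Review bot: The certify-key command in this hunk, `gpg --batch --passphrase-fd 0 --quick-generate-key "$IDENTITY" "$KEY_TYPE" cert never`, omits `--pinentry-mode=loopback`, while the `--quick-add-key` and `--export-secret-keys` commands a few lines below pass it. GnuPG's manual says that since 2.1 `--passphrase-fd` is only used together with `--pinentry-mode loopback`; if that applies to quick key generation as well, the certify key's passphrase would be requested through pinentry instead of read from CERTIFY_PASS, and every later step that pipes CERTIFY_PASS to gpg would fail to unlock the key. Making the line consistent removes the doubt: `gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \`. The `set -o` lines also leave out errexit, so a gpg failure anywhere does not stop the script; at minimum the generate, add and export commands deserve an explicit `|| exit 1`.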
From: drduh
Date: Sat, 10 May 2025 16:21:48 -0700
Subject: [PATCH 02/11] get pass function
---
 scripts/generate.sh | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/scripts/generate.sh b/scripts/generate.sh
index 2535bdc..3be3c0a 100755
--- a/scripts/generate.sh
+++ b/scripts/generate.sh
@@ -19,11 +19,16 @@ export KEY_TYPE="rsa4096"
 export KEY_EXPIRATION="2027-05-01"
-export CERTIFY_PASS=$(LC_ALL=C tr -dc "A-Z2-9" < /dev/urandom | \
- tr -d "IOUS5" | \
- fold -w ${PASS_GROUPSIZE:-4} | \
- paste -sd ${PASS_DELIMITER:--} - | \
- head -c ${PASS_LENGTH:-29})
+get_pass () {
+ # Returns random passphrase.
+ tr -dc "A-Z2-9" < /dev/urandom | \
+ tr -d "IOUS5" | \
+ fold -w ${PASS_GROUPSIZE:-4} | \
+ paste -sd ${PASS_DELIMITER:--} - | \
+ head -c ${PASS_LENGTH:-29}
+}
+
+export CERTIFY_PASS="$(get_pass)"
 echo "$CERTIFY_PASS" | \
 gpg --batch --passphrase-fd 0 \
@@ -58,11 +63,7 @@ echo "$CERTIFY_PASS" | \
 gpg --output $GNUPGHOME/$KEYID-$(date +%F).asc \
 --armor --export $KEYID
-export LUKS_PASS=$(LC_ALL=C tr -dc "A-Z2-9" < /dev/urandom | \
- tr -d "IOUS5" | \
- fold -w ${PASS_GROUPSIZE:-4} | \
- paste -sd ${PASS_DELIMITER:--} - | \
- head -c ${PASS_LENGTH:-29})
+export LUKS_PASS="$(get_pass)"
 printf "CERTIFY PASS: \n$CERTIFY_PASS\n\n"
From 1ab20d5fea38a45da42a29c5a0bb7b69912d9742 Mon Sep 17 00:00:00 2001
From: drduh
Date: Sat, 10 May 2025 16:27:14 -0700
Subject: [PATCH 03/11] gen key functions
---
 scripts/generate.sh | 43 ++++++++++++++++++++++++++++++-------------
 1 file changed, 30 insertions(+), 13 deletions(-)
diff --git a/scripts/generate.sh b/scripts/generate.sh
index 3be3c0a..e04000f 100755
--- a/scripts/generate.sh
+++ b/scripts/generate.sh
@@ -11,7 +11,7 @@ export LC_ALL="C"
 export GNUPGHOME=$(mktemp -d -t $(date +%Y.%m.%d)-XXXX)
-cd "${GNUPGHOME}" ; pwd
+cd "${GNUPGHOME}" ; printf "saving to %s\n" "$(pwd)"
 export IDENTITY="YubiKey User "
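Review bot: `get_pass` reads three environment knobs that its comment does not mention, and the defaults interact in a way a reader has to reconstruct: `head -c ${PASS_LENGTH:-29}` counts the delimiters that `paste` inserts, so the default output is six groups of four characters (24 random symbols plus 5 delimiters), not 29 random symbols. Suggested replacement for `# Returns random passphrase.`: `# Returns random passphrase: A-Z and 2-9 minus the look-alikes IOUS5, in PASS_GROUPSIZE-char groups (default 4) joined by PASS_DELIMITER (default '-'), cut to PASS_LENGTH bytes (default 29, delimiters included).` The function also drops the `LC_ALL=C` prefix the removed lines put on `tr`; that only works because the file exports LC_ALL=C near the top (visible as the header context of PATCH 03/11's first hunk), which is worth a word in the comment since the `A-Z2-9` range in `tr -dc` is locale-dependent.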
@@ -30,23 +30,40 @@ get_pass () {
 export CERTIFY_PASS="$(get_pass)"
-echo "$CERTIFY_PASS" | \
- gpg --batch --passphrase-fd 0 \
- --quick-generate-key "$IDENTITY" "$KEY_TYPE" cert never
+gen_key_certify () {
+ # Generates Certify key with no expiration.
+ echo "$CERTIFY_PASS" | \
+ gpg --batch --passphrase-fd 0 \
+ --quick-generate-key "$IDENTITY" \
+ "$KEY_TYPE" "cert" "never"
+}
-export KEYID=$(gpg -k --with-colons "$IDENTITY" | \
- awk -F: '/^pub:/ { print $5; exit }')
+set_key_id_fp () {
+ # Sets Key ID and Fingerprint environment vars.
+ export KEYID=$(gpg -k --with-colons "$IDENTITY" | \
+ awk -F: '/^pub:/ { print $5; exit }')
+ export KEYFP=$(gpg -k --with-colons "$IDENTITY" | \
+ awk -F: '/^fpr:/ { print $10; exit }')
+}
-export KEYFP=$(gpg -k --with-colons "$IDENTITY" | \
- awk -F: '/^fpr:/ { print $10; exit }')
+gen_key_certify
+
+set_key_id_fp
 printf "\nKey ID: %40s\nKey FP: %40s\n\n" "$KEYID" "$KEYFP"
-for SUBKEY in sign encrypt auth ; do \
- echo "$CERTIFY_PASS" | \
- gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \
- --quick-add-key "$KEYFP" "$KEY_TYPE" "$SUBKEY" "$KEY_EXPIRATION"
-done
+gen_key_subs () {
+ # Generates Subkeys with specified expiration.
+ for SUBKEY in sign encrypt auth ; do \
+ echo "$CERTIFY_PASS" | \
+ gpg --batch --passphrase-fd 0 \
+ --pinentry-mode=loopback \
+ --quick-add-key "$KEYFP" \
+ "$KEY_TYPE" "$SUBKEY" "$KEY_EXPIRATION"
+ done
+}
+
+gen_key_subs
 gpg -K
From cbd39ffbb06e4e2ea3abed5b6e3d5fdee39818ab Mon Sep 17 00:00:00 2001
From: drduh
Date: Sat, 10 May 2025 16:31:51 -0700
Subject: [PATCH 04/11] save mats functions
---
 scripts/generate.sh | 39 +++++++++++++++++++++++++++------------
 1 file changed, 27 insertions(+), 12 deletions(-)
diff --git a/scripts/generate.sh b/scripts/generate.sh
index e04000f..1d61bb5 100755
--- a/scripts/generate.sh
+++ b/scripts/generate.sh
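Review bot: `set_key_id_fp` cannot report a failed lookup: `export KEYID=$(gpg ... | awk ...)` returns export's status rather than the pipeline's (ShellCheck SC2155), and `set -o nounset` does not object to a variable that is set but empty, so if the certify key was not created both KEYID and KEYFP are silently exported as empty strings and `gen_key_subs` goes on to run `--quick-add-key ""`. Splitting the assignment lets the status through: `KEYFP=$(gpg -k --with-colons "$IDENTITY" | awk -F: '/^fpr:/ { print $10; exit }') || exit 1`, `[[ -n "$KEYFP" ]] || exit 1`, `export KEYFP`. The same `export VAR="$(cmd)"` pattern recurs in set_pass (PATCH 07/11), set_temp_dir and set_attrs (PATCH 08/11) and set_fingerprint (PATCH 11/11). As a matter of style, `for SUBKEY in sign encrypt auth ; do \` keeps a line-continuation backslash that is no longer needed, and SUBKEY is left as a global after the loop; a `local SUBKEY` at the top of gen_key_subs would contain it.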
@@ -65,23 +65,38 @@ gen_key_subs () {
 gen_key_subs
-gpg -K
+list_keys () {
+ # Prints available secret keys.
+ gpg --list-secret-keys
+}
-echo "$CERTIFY_PASS" | \
- gpg --output $GNUPGHOME/$KEYID-Certify.key \
- --batch --pinentry-mode=loopback --passphrase-fd 0 \
- --armor --export-secret-keys $KEYID
+save_secrets () {
+ # Exports secret keys to local files.
+ echo "$CERTIFY_PASS" | \
+ gpg --output $GNUPGHOME/$KEYID-Certify.key \
+ --batch --pinentry-mode=loopback --passphrase-fd 0 \
+ --armor --export-secret-keys $KEYID
-echo "$CERTIFY_PASS" | \
- gpg --output $GNUPGHOME/$KEYID-Subkeys.key \
- --batch --pinentry-mode=loopback --passphrase-fd 0 \
- --armor --export-secret-subkeys $KEYID
+ echo "$CERTIFY_PASS" | \
+ gpg --output $GNUPGHOME/$KEYID-Subkeys.key \
+ --batch --pinentry-mode=loopback --passphrase-fd 0 \
+ --armor --export-secret-subkeys $KEYID
+}
-gpg --output $GNUPGHOME/$KEYID-$(date +%F).asc \
- --armor --export $KEYID
+save_pubkey () {
+ # Exports public key to local file.
+ gpg --output $GNUPGHOME/$KEYID-$(date +%F).asc \
+ --armor --export $KEYID
+}
-export LUKS_PASS="$(get_pass)"
+list_keys
+
+save_secrets
+
+save_pubkey
 printf "CERTIFY PASS: \n$CERTIFY_PASS\n\n"
+export LUKS_PASS="$(get_pass)"
+
 printf "LUKS PASS:\n$LUKS_PASS\n\n"
From 4fe4b8c157fc758ae6e7490893822bdcf2f827f6 Mon Sep 17 00:00:00 2001
From: drduh
Date: Sat, 10 May 2025 16:40:00 -0700
Subject: [PATCH 05/11] temp dir and label functions
---
 scripts/generate.sh | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/scripts/generate.sh b/scripts/generate.sh
index 1d61bb5..55ecb76 100755
--- a/scripts/generate.sh
+++ b/scripts/generate.sh
@@ -1,4 +1,6 @@
 #!/usr/bin/env bash
+# https://github.com/drduh/YubiKey-Guide/blob/master/scripts/generate.sh
+# Generates GnuPG keys and corresponding passphrases to secure them.
 #set -x # uncomment to debug
 set -o errtrace
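Review bot: The comments on the two new export helpers undersell what lands on disk: per gpg's manual, `--export-secret-keys` writes the certify key together with every subkey, whereas `--export-secret-subkeys` writes the subkeys with only a stub of the certify key, so the `-Certify.key` file is a complete backup and the `-Subkeys.key` file is the one meant for a machine that must not hold the certify key. Suggested comments: `# Exports the certify key plus all subkeys (full backup) and, separately, the subkeys with a certify-key stub.` for save_secrets, and `# Exports the armored public key, one file per run named by date.` for save_pubkey. Both files are written under GNUPGHOME and rely on the `umask 077` from PATCH 01/11 to stay owner-only; stating that dependency in the comment keeps a later cleanup from loosening the umask.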
@@ -9,11 +11,25 @@ umask 077
 export LC_ALL="C"
-export GNUPGHOME=$(mktemp -d -t $(date +%Y.%m.%d)-XXXX)
+get_temp_dir () {
+ # Returns temporary working directory path.
+ mktemp -d -t $(date +%Y.%m.%d)-XXXX
+}
-cd "${GNUPGHOME}" ; printf "saving to %s\n" "$(pwd)"
+get_id_label () {
+ # Returns Identity name/label.
+ printf "YubiKey User "
+}
-export IDENTITY="YubiKey User "
+export GNUPGHOME="$(get_temp_dir)"
+
+cd "$GNUPGHOME"
+
+printf "set temp dir (path=%s)\n" "$(pwd)"
+
+export IDENTITY="$(get_id_label)"
+
+printf "set id (label=%s)\n" "$IDENTITY"
 export KEY_TYPE="rsa4096"
From 1064d2e742431cc9487d1dcd2a441a93a2b6ab87 Mon Sep 17 00:00:00 2001
From: drduh
Date: Sat, 10 May 2025 16:45:23 -0700
Subject: [PATCH 06/11] print configured id/key attributes
---
 scripts/generate.sh | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/scripts/generate.sh b/scripts/generate.sh
index 55ecb76..58cb0c9 100755
--- a/scripts/generate.sh
+++ b/scripts/generate.sh
@@ -21,19 +21,15 @@ get_id_label () {
 printf "YubiKey User "
 }
-export GNUPGHOME="$(get_temp_dir)"
+get_key_type () {
+ # Returns key type and size.
+ printf "rsa2048"
+}
-cd "$GNUPGHOME"
-
-printf "set temp dir (path=%s)\n" "$(pwd)"
-
-export IDENTITY="$(get_id_label)"
-
-printf "set id (label=%s)\n" "$IDENTITY"
-
-export KEY_TYPE="rsa4096"
-
-export KEY_EXPIRATION="2027-05-01"
+get_key_expiration () {
+ # Returns key expiration date.
+ printf "2027-05-01"
+}
 get_pass () {
 # Returns random passphrase.
@@ -44,6 +40,16 @@ get_pass () {
 head -c ${PASS_LENGTH:-29}
 }
+export GNUPGHOME="$(get_temp_dir)"
+cd "$GNUPGHOME"
+printf "set temp dir (path='%s')\n" "$(pwd)"
+
+export IDENTITY="$(get_id_label)"
+export KEY_TYPE="$(get_key_type)"
+export KEY_EXPIRATION="$(get_key_expiration)"
+printf "set id (label='%s', type='%s', expire='%s')\n" \
+ "$IDENTITY" "$KEY_TYPE" "$KEY_EXPIRATION"
+
 export CERTIFY_PASS="$(get_pass)"
 gen_key_certify () {
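Review bot: `get_key_type` returns `rsa2048`, while the line this hunk removes was `export KEY_TYPE="rsa4096"`, so the commit halves the RSA modulus for the certify key and all three subkeys without saying so in its subject. If that is unintended, `printf "rsa4096"` restores the previous size (PATCH 11/11 later in this series makes exactly that change, which suggests a typo here). A short comment on `get_key_type` recording why the size was chosen would make any future change deliberate rather than silent.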
From e457f049825df674e09b4fd6dc6e86666d2fa6f1 Mon Sep 17 00:00:00 2001
From: drduh
Date: Sat, 10 May 2025 16:57:30 -0700
Subject: [PATCH 07/11] set passphrases function
---
 scripts/generate.sh | 72 +++++++++++++++++++++++----------------------
 1 file changed, 37 insertions(+), 35 deletions(-)
diff --git a/scripts/generate.sh b/scripts/generate.sh
index 58cb0c9..ef4c6f1 100755
--- a/scripts/generate.sh
+++ b/scripts/generate.sh
@@ -40,17 +40,13 @@ get_pass () {
 head -c ${PASS_LENGTH:-29}
 }
-export GNUPGHOME="$(get_temp_dir)"
-cd "$GNUPGHOME"
-printf "set temp dir (path='%s')\n" "$(pwd)"
-
-export IDENTITY="$(get_id_label)"
-export KEY_TYPE="$(get_key_type)"
-export KEY_EXPIRATION="$(get_key_expiration)"
-printf "set id (label='%s', type='%s', expire='%s')\n" \
- "$IDENTITY" "$KEY_TYPE" "$KEY_EXPIRATION"
-
-export CERTIFY_PASS="$(get_pass)"
+set_pass () {
+ # Exports Certify and LUKS passphrases.
+ export CERTIFY_PASS="$(get_pass)"
+ export LUKS_PASS="$(get_pass)"
+ printf "set passphrases (certify='%s', luks='%s')\n" \
+ "$CERTIFY_PASS" "$LUKS_PASS"
+}
 gen_key_certify () {
 # Generates Certify key with no expiration.
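Review bot: `set_pass` exports CERTIFY_PASS and LUKS_PASS, yet both are only ever read by this shell: CERTIFY_PASS is piped to gpg with `echo "$CERTIFY_PASS" |` in gen_key_certify, gen_key_subs and save_secrets, and LUKS_PASS is only printed. `export` therefore adds nothing and copies both passphrases into the environment of every child process the script spawns (gpg, tr, awk, fold, paste, date), where other processes of the same user can read them from the process environment. Plain assignments, `CERTIFY_PASS="$(get_pass)"` and `LUKS_PASS="$(get_pass)"`, keep the script's behaviour; the same applies to the ENCRYPT_PASS variant of this function in PATCH 08/11. The printf on the last two lines also shows both passphrases before any gpg step has run, so a later failure leaves a passphrase on screen for a key that was never created; printing them once, after the exports succeed, would be cleaner.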
@@ -60,33 +56,27 @@ gen_key_certify () {
 "$KEY_TYPE" "cert" "never"
 }
-set_key_id_fp () {
+set_id_fp () {
 # Sets Key ID and Fingerprint environment vars.
- export KEYID=$(gpg -k --with-colons "$IDENTITY" | \
+ export KEY_ID=$(gpg -k --with-colons "$IDENTITY" | \
 awk -F: '/^pub:/ { print $5; exit }')
- export KEYFP=$(gpg -k --with-colons "$IDENTITY" | \
+ export KEY_FP=$(gpg -k --with-colons "$IDENTITY" | \
 awk -F: '/^fpr:/ { print $10; exit }')
+ printf "got identity (fp='%s', id='%s')\n" \
+ "$KEY_FP" "$KEY_ID"
 }
-gen_key_certify
-
-set_key_id_fp
-
-printf "\nKey ID: %40s\nKey FP: %40s\n\n" "$KEYID" "$KEYFP"
-
 gen_key_subs () {
 # Generates Subkeys with specified expiration.
 for SUBKEY in sign encrypt auth ; do \
 echo "$CERTIFY_PASS" | \
 gpg --batch --passphrase-fd 0 \
 --pinentry-mode=loopback \
- --quick-add-key "$KEYFP" \
+ --quick-add-key "$KEY_FP" \
 "$KEY_TYPE" "$SUBKEY" "$KEY_EXPIRATION"
 done
 }
-gen_key_subs
-
 list_keys () {
 # Prints available secret keys.
 gpg --list-secret-keys
@@ -95,30 +85,42 @@ list_keys () {
 save_secrets () {
 # Exports secret keys to local files.
 echo "$CERTIFY_PASS" | \
- gpg --output $GNUPGHOME/$KEYID-Certify.key \
+ gpg --output $GNUPGHOME/$KEY_ID-Certify.key \
 --batch --pinentry-mode=loopback --passphrase-fd 0 \
- --armor --export-secret-keys $KEYID
+ --armor --export-secret-keys $KEY_ID
 echo "$CERTIFY_PASS" | \
- gpg --output $GNUPGHOME/$KEYID-Subkeys.key \
+ gpg --output $GNUPGHOME/$KEY_ID-Subkeys.key \
 --batch --pinentry-mode=loopback --passphrase-fd 0 \
- --armor --export-secret-subkeys $KEYID
+ --armor --export-secret-subkeys $KEY_ID
 }
 save_pubkey () {
 # Exports public key to local file.
- gpg --output $GNUPGHOME/$KEYID-$(date +%F).asc \
- --armor --export $KEYID
+ gpg --output $GNUPGHOME/$KEY_ID-$(date +%F).asc \
+ --armor --export $KEY_ID
 }
+export GNUPGHOME="$(get_temp_dir)"
+cd "$GNUPGHOME"
+printf "set temp dir (path='%s')\n" "$(pwd)"
+
+export IDENTITY="$(get_id_label)"
+export KEY_TYPE="$(get_key_type)"
+export KEY_EXPIRATION="$(get_key_expiration)"
+printf "set attributes (label='%s', type='%s', expire='%s')\n" \
+ "$IDENTITY" "$KEY_TYPE" "$KEY_EXPIRATION"
+
+set_pass
+
+gen_key_certify
+
+set_id_fp
+
+gen_key_subs
+
 list_keys
 save_secrets
 save_pubkey
-
-printf "CERTIFY PASS: \n$CERTIFY_PASS\n\n"
-
-export LUKS_PASS="$(get_pass)"
-
-printf "LUKS PASS:\n$LUKS_PASS\n\n"
From f48c9fa3eeab81f7ebfd700df9efc72a955319c8 Mon Sep 17 00:00:00 2001
From: drduh
Date: Sat, 10 May 2025 17:08:04 -0700
Subject: [PATCH 08/11] finish by printing certify and encrypt passphrases
---
 scripts/generate.sh | 54 +++++++++++++++++++++++++++++++++------------
 1 file changed, 40 insertions(+), 14 deletions(-)
diff --git a/scripts/generate.sh b/scripts/generate.sh
index ef4c6f1..3cc62cd 100755
--- a/scripts/generate.sh
+++ b/scripts/generate.sh
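Review bot: The step sequence added at the bottom of this hunk (`set_pass`, `gen_key_certify`, `set_id_fp`, `gen_key_subs`, `list_keys`, `save_secrets`, `save_pubkey`) runs every step regardless of the previous one's outcome: the `set -o` options at the top of the file (errtrace, nounset, pipefail, from PATCH 01/11) do not include errexit, and nounset does not trip on a variable that is set but empty. If `gen_key_certify` fails, `set_id_fp` therefore exports empty KEY_ID and KEY_FP, `gen_key_subs` runs `--quick-add-key ""`, and `save_secrets` writes to `$GNUPGHOME/-Certify.key`. Chaining the steps makes the dependency explicit, `gen_key_certify && set_id_fp && gen_key_subs && save_secrets && save_pubkey || exit 1`, with the caveat that the `export VAR=$(...)` lines inside set_id_fp mask their own status and need splitting as well. The `cd "$GNUPGHOME"` added here is likewise unchecked, so a failed mktemp leaves the script running in the caller's current directory.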
@@ -11,9 +11,9 @@ umask 077
 export LC_ALL="C"
-get_temp_dir () {
- # Returns temporary working directory path.
- mktemp -d -t $(date +%Y.%m.%d)-XXXX
+print_cred () {
+ # Print a credential string in red.
+ tput setaf 1 ; printf "%s\n" "${1}" ; tput sgr0
 }
 get_id_label () {
@@ -31,6 +31,27 @@ get_key_expiration () {
 printf "2027-05-01"
 }
+get_temp_dir () {
+ # Returns temporary working directory path.
+ mktemp -d -t $(date +%Y.%m.%d)-XXXX
+}
+
+set_temp_dir () {
+ # Exports and switches to temporary dir.
+ export GNUPGHOME="$(get_temp_dir)"
+ cd "$GNUPGHOME"
+ printf "set temp dir (path='%s')\n" "$(pwd)"
+}
+
+set_attrs () {
+ # Sets identity and key attributes.
+ export IDENTITY="$(get_id_label)"
+ export KEY_TYPE="$(get_key_type)"
+ export KEY_EXPIRATION="$(get_key_expiration)"
+ printf "set attributes (label='%s', type='%s', expire='%s')\n" \
+ "$IDENTITY" "$KEY_TYPE" "$KEY_EXPIRATION"
+}
+
 get_pass () {
 # Returns random passphrase.
 tr -dc "A-Z2-9" < /dev/urandom | \
@@ -43,9 +64,9 @@ get_pass () {
 set_pass () {
 # Exports Certify and LUKS passphrases.
 export CERTIFY_PASS="$(get_pass)"
- export LUKS_PASS="$(get_pass)"
- printf "set passphrases (certify='%s', luks='%s')\n" \
- "$CERTIFY_PASS" "$LUKS_PASS"
+ export ENCRYPT_PASS="$(get_pass)"
+ printf "set passphrases (certify='%s', encrypt='%s')\n" \
+ "$CERTIFY_PASS" "$ENCRYPT_PASS"
 }
 gen_key_certify () {
@@ -101,15 +122,18 @@ save_pubkey () {
 --armor --export $KEY_ID
 }
-export GNUPGHOME="$(get_temp_dir)"
-cd "$GNUPGHOME"
-printf "set temp dir (path='%s')\n" "$(pwd)"
+finish () {
+ # Prints final message with credentials.
+ printf "certify passphrase: "
+ print_cred $CERTIFY_PASS
-export IDENTITY="$(get_id_label)"
-export KEY_TYPE="$(get_key_type)"
-export KEY_EXPIRATION="$(get_key_expiration)"
-printf "set attributes (label='%s', type='%s', expire='%s')\n" \
- "$IDENTITY" "$KEY_TYPE" "$KEY_EXPIRATION"
+ printf "encrypt passphrase: "
+ print_cred $ENCRYPT_PASS
+}
+
+set_temp_dir
+
+set_attrs
 set_pass
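Review bot: `print_cred` runs `tput setaf 1` and `tput sgr0` unconditionally; with TERM unset (a cron job, a minimal container, CI) tput writes an error to stderr, and when stdout is redirected to a file the colour escapes are written into the file around the passphrase. Guarding on a terminal keeps both cases clean: `[[ -t 1 ]] && tput setaf 1 ; printf "%s\n" "${1}" ; [[ -t 1 ]] && tput sgr0 ; return 0` — the same applies to `print_id`, which PATCH 09/11 adds with the same shape. In `finish`, `print_cred $CERTIFY_PASS` and `print_cred $ENCRYPT_PASS` are unquoted; the default alphabet contains no whitespace or glob characters, but `print_cred "$CERTIFY_PASS"` is the form that stays correct if PASS_DELIMITER is set to something else (PATCH 09/11 quotes them).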
@@ -124,3 +148,5 @@ list_keys
 save_secrets
 save_pubkey
+
+finish
From d66ac5381fd02a3aa01b3d296c0a12af238448ee Mon Sep 17 00:00:00 2001
From: drduh
Date: Sat, 10 May 2025 17:25:26 -0700
Subject: [PATCH 09/11] delint and print id strings
---
 scripts/generate.sh | 45 ++++++++++++++++++++++++++++-----------------
 1 file changed, 28 insertions(+), 17 deletions(-)
diff --git a/scripts/generate.sh b/scripts/generate.sh
index 3cc62cd..5b1cb75 100755
--- a/scripts/generate.sh
+++ b/scripts/generate.sh
@@ -16,6 +16,11 @@ print_cred () {
 tput setaf 1 ; printf "%s\n" "${1}" ; tput sgr0
 }
+print_id () {
+ # Print an identity string in yellow.
+ tput setaf 3 ; printf "%s\n" "${1}" ; tput sgr0
+}
+
 get_id_label () {
 # Returns Identity name/label.
 printf "YubiKey User "
@@ -33,13 +38,13 @@ get_key_expiration () {
 get_temp_dir () {
 # Returns temporary working directory path.
- mktemp -d -t $(date +%Y.%m.%d)-XXXX
+ mktemp -d -t "$(date +%Y.%m.%d)-XXXX"
 }
 set_temp_dir () {
 # Exports and switches to temporary dir.
 export GNUPGHOME="$(get_temp_dir)"
- cd "$GNUPGHOME"
+ cd "$GNUPGHOME" || exit 1
 printf "set temp dir (path='%s')\n" "$(pwd)"
 }
@@ -56,9 +61,9 @@ get_pass () {
 # Returns random passphrase.
 tr -dc "A-Z2-9" < /dev/urandom | \
 tr -d "IOUS5" | \
- fold -w ${PASS_GROUPSIZE:-4} | \
- paste -sd ${PASS_DELIMITER:--} - | \
- head -c ${PASS_LENGTH:-29}
+ fold -w "${PASS_GROUPSIZE:-4}" | \
+ paste -sd "${PASS_DELIMITER:--}" - | \
+ head -c "${PASS_LENGTH:-29}"
 }
 set_pass () {
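Review bot: `cd "$GNUPGHOME" || exit 1` in `set_temp_dir` does not cover the failure it is most likely to meet: `export GNUPGHOME="$(get_temp_dir)"` yields export's status rather than mktemp's, so when mktemp fails GNUPGHOME is exported as an empty string, and bash's `cd ""` is, as far as I recall, a successful no-op rather than an error. GnuPG treats an empty GNUPGHOME as unset, so such a run would generate its keys in the caller's real ~/.gnupg, and `save_secrets` would write `"$GNUPGHOME/$KEY_ID-Certify.key"` as `/<id>-Certify.key` at the filesystem root. Assigning before exporting and checking the result closes the gap: `GNUPGHOME="$(get_temp_dir)" || exit 1`, `[[ -d "$GNUPGHOME" ]] || exit 1`, `export GNUPGHOME`.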
@@ -106,29 +111,35 @@ list_keys () {
 save_secrets () {
 # Exports secret keys to local files.
 echo "$CERTIFY_PASS" | \
- gpg --output $GNUPGHOME/$KEY_ID-Certify.key \
+ gpg --output "$GNUPGHOME/$KEY_ID-Certify.key" \
 --batch --pinentry-mode=loopback --passphrase-fd 0 \
- --armor --export-secret-keys $KEY_ID
-
+ --armor --export-secret-keys "$KEY_ID"
 echo "$CERTIFY_PASS" | \
- gpg --output $GNUPGHOME/$KEY_ID-Subkeys.key \
+ gpg --output "$GNUPGHOME/$KEY_ID-Subkeys.key" \
 --batch --pinentry-mode=loopback --passphrase-fd 0 \
- --armor --export-secret-subkeys $KEY_ID
+ --armor --export-secret-subkeys "$KEY_ID"
 }
 save_pubkey () {
 # Exports public key to local file.
- gpg --output $GNUPGHOME/$KEY_ID-$(date +%F).asc \
- --armor --export $KEY_ID
+ gpg --output "$GNUPGHOME/$KEY_ID-$(date +%F).asc" \
+ --armor --export "$KEY_ID"
 }
 finish () {
- # Prints final message with credentials.
- printf "certify passphrase: "
- print_cred $CERTIFY_PASS
+ # Prints final message with id and credentials.
+ printf "\nidentity/key label: "
+ print_id "$IDENTITY"
+ printf "key id/fingerprint: "
+ print_id "$KEY_ID"
+ print_id "$KEY_FP"
+ printf "subkeys expiration: "
+ print_id "$KEY_EXPIRATION"
- printf "encrypt passphrase: "
- print_cred $ENCRYPT_PASS
+ printf "\ncertify passphrase: "
+ print_cred "$CERTIFY_PASS"
+ printf "encrypt passphrase: "
+ print_cred "$ENCRYPT_PASS"
 }
 set_temp_dir
From 04dbdf35c3ecc14ca27ecc6abf3ff9c2c1dfbfe4 Mon Sep 17 00:00:00 2001
From: drduh
Date: Sat, 10 May 2025 17:47:40 -0700
Subject: [PATCH 10/11] label each step
---
 scripts/generate.sh | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/scripts/generate.sh b/scripts/generate.sh
index 5b1cb75..f889e96 100755
--- a/scripts/generate.sh
+++ b/scripts/generate.sh
@@ -103,26 +103,24 @@ gen_key_subs () {
 done
 }
-list_keys () {
- # Prints available secret keys.
- gpg --list-secret-keys
-}
-
 save_secrets () {
 # Exports secret keys to local files.
+ export OUTPUT_CERTIFY="$GNUPGHOME/$KEY_ID-Certify.key"
+ export OUTPUT_SUBKEYS="$GNUPGHOME/$KEY_ID-Subkeys.key"
 echo "$CERTIFY_PASS" | \
- gpg --output "$GNUPGHOME/$KEY_ID-Certify.key" \
+ gpg --output "$OUTPUT_CERTIFY" \
 --batch --pinentry-mode=loopback --passphrase-fd 0 \
 --armor --export-secret-keys "$KEY_ID"
 echo "$CERTIFY_PASS" | \
- gpg --output "$GNUPGHOME/$KEY_ID-Subkeys.key" \
+ gpg --output "$OUTPUT_SUBKEYS" \
 --batch --pinentry-mode=loopback --passphrase-fd 0 \
 --armor --export-secret-subkeys "$KEY_ID"
 }
 save_pubkey () {
 # Exports public key to local file.
- gpg --output "$GNUPGHOME/$KEY_ID-$(date +%F).asc" \
+ export OUTPUT_PUBKEY="$GNUPGHOME/$KEY_ID-Public.asc"
+ gpg --output "$OUTPUT_PUBKEY" \
 --armor --export "$KEY_ID"
 }
@@ -136,28 +134,41 @@ finish () {
 printf "subkeys expiration: "
 print_id "$KEY_EXPIRATION"
+ printf "\nsecrets and pubkey: "
+ print_id "$GNUPGHOME"
+ print_id "$OUTPUT_PUBKEY"
+
 printf "\ncertify passphrase: "
 print_cred "$CERTIFY_PASS"
 printf "encrypt passphrase: "
 print_cred "$ENCRYPT_PASS"
+
+ exit 0
 }
+# 1. Set temporary working directory for GnuPG ops.
 set_temp_dir
+# 2. Set identity and key attributes, such as label and type.
 set_attrs
+# 3. Set passphrases for identity and storage encryption.
 set_pass
+# 4. Generate the Certify key.
 gen_key_certify
+# 5. Set resulting identity fingerprint.
 set_id_fp
+# 6. Generate the Subkeys.
 gen_key_subs
-list_keys
-
+# 7. Export Certify and Subkeys to local storage.
 save_secrets
+# 8. Export public key to local storage.
 save_pubkey
+# 9. Print results and exit.
 finish
From 7473d2e0d885493dc175beae4bdc69f995cde6fe Mon Sep 17 00:00:00 2001
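Review bot: `finish` now ends with `exit 0`, which turns every run into a reported success: nothing earlier stops on a failed gpg step (the `set -o` lines from PATCH 01/11 do not include errexit, and the nine numbered steps are not chained), so a run whose key generation or secret-key export failed still prints passphrases and exits 0. Dropping `exit 0` (the script ends after `finish` anyway) and chaining the steps with `&&`, or tracking a failure flag across them, would give the exit status a meaning callers can rely on. Minor: `export OUTPUT_CERTIFY`, `export OUTPUT_SUBKEYS` and `export OUTPUT_PUBKEY` need no `export`; they are read only by this shell (`finish` prints OUTPUT_PUBKEY), so plain assignments suffice.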
From: drduh
Date: Sat, 10 May 2025 17:59:19 -0700
Subject: [PATCH 11/11] reuse key list for id/fp
---
 scripts/generate.sh | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/scripts/generate.sh b/scripts/generate.sh
index f889e96..faf857f 100755
--- a/scripts/generate.sh
+++ b/scripts/generate.sh
@@ -28,7 +28,7 @@ get_id_label () {
 get_key_type () {
 # Returns key type and size.
- printf "rsa2048"
+ printf "rsa4096"
 }
 get_key_expiration () {
@@ -82,14 +82,12 @@ gen_key_certify () {
 "$KEY_TYPE" "cert" "never"
 }
-set_id_fp () {
+set_fingerprint () {
 # Sets Key ID and Fingerprint environment vars.
- export KEY_ID=$(gpg -k --with-colons "$IDENTITY" | \
- awk -F: '/^pub:/ { print $5; exit }')
- export KEY_FP=$(gpg -k --with-colons "$IDENTITY" | \
- awk -F: '/^fpr:/ { print $10; exit }')
- printf "got identity (fp='%s', id='%s')\n" \
- "$KEY_FP" "$KEY_ID"
+ key_list=$(gpg --list-secret-keys --with-colons)
+ export KEY_ID=$(printf "$key_list" | awk -F: '/^sec/ { print $5; exit }')
+ export KEY_FP=$(printf "$key_list" | awk -F: '/^fpr/ { print $10; exit }')
+ printf "got identity (fp='%s', id='%s')\n" "$KEY_FP" "$KEY_ID"
 }
 gen_key_subs () {
@@ -134,7 +132,7 @@ finish () {
 printf "subkeys expiration: "
 print_id "$KEY_EXPIRATION"
- printf "\nsecrets and pubkey: "
+ printf "\nsecrets and pubkey: "
 print_id "$GNUPGHOME"
 print_id "$OUTPUT_PUBKEY"
@@ -159,7 +157,7 @@ set_pass
 gen_key_certify
 # 5. Set resulting identity fingerprint.
-set_id_fp
+set_fingerprint
 # 6. Generate the Subkeys.
 gen_key_subs
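Review bot: In `set_fingerprint` the key listing is used as printf's format string on both new lines, `printf "$key_list" | awk ...` (ShellCheck SC2059); gpg's `--with-colons` output includes the user ID, so a `%` in the listing is read as a conversion and a backslash sequence such as the `\x3a` gpg uses to escape a colon inside a uid is expanded, so what awk sees is no longer the record structure gpg emitted. With the current identity string and record order the `sec`/`fpr` fields happen to survive, but the function is written as a general lookup. Passing the data as an argument avoids the interpretation entirely: `export KEY_ID=$(printf '%s\n' "$key_list" | awk -F: '/^sec:/ { print $5; exit }')` and likewise for KEY_FP, plus `local key_list` so the listing does not persist as a global. The `export VAR=$(...)` form still masks a failed gpg call, as in the set_id_fp it replaces.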