From 383d3222b1d2c776bf4dc097203a2ebf58b7b470 Mon Sep 17 00:00:00 2001
From: steering7253
Date: Mon, 18 May 2026 07:09:31 -0600
Subject: use gpgv betterer

---
 gpg-verify | 10 +++++++---
 pam_autopeer/pam_autopeer.c | 2 +-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/gpg-verify b/gpg-verify
index c572f61..358b1c9 100755
--- a/gpg-verify
+++ b/gpg-verify
@@ -12,20 +12,24 @@ nonce="$2"
 key="$3"
 sig="$4"
+cd /opt/autopeer
+NOTIFY_TO="$(python3 -c 'import config; print(config.NOTIFY_TO)')"
 echo "[autopeer $(hostname -f)] pgp: $username $key" | socat stdio "$NOTIFY_TO"
 keyring="$(mktemp)"
 curl -sL "$key" | gpg -o - --dearmor >"$keyring" || exit 7
-gpgv_out="$(gpgv --keyring "$keyring" <(echo "$sig" | sed 's/-----BEGIN PGP SIGNATURE-----/&\n\n/') <(echo "$nonce") 2>&1)"
-verified_key="$(echo "$gpgv_out" |& grep -oP 'gpgv:\s*using \S+ key \K.*')"
+gpgv_out="$(gpgv --status-fd 1 --keyring "$keyring" <(echo "$sig" | sed 's/-----BEGIN PGP SIGNATURE-----/&\n\n/') <(echo "$nonce"))"
+#[GNUPG:] VALIDSIG 1449565B711BABA3BC5347AE66B26E9D823D8647 2026-05-18 1779109475 0 4 0 22 10 00 1449565B711BABA3BC5347AE66B26E9D823D8647
 echo "keyring: $keyring"
 echo "$gpgv_out"
-if ! echo "$gpgv_out" | grep -qP 'gpgv: Good signature from'; then
+if ! echo "$gpgv_out" | grep -qP '^\[GNUPG:\] VALIDSIG '; then
 exit 3
 fi
+verified_key="$(echo "$gpgv_out" | grep -P '^\[GNUPG:\] VALIDSIG ' | cut -d' ' -f3)"
+
 if [ -z "$verified_key" ]; then
 exit 4
 fi
diff --git a/pam_autopeer/pam_autopeer.c b/pam_autopeer/pam_autopeer.c
index 0b7b1b7..f5051f3 100644
--- a/pam_autopeer/pam_autopeer.c
+++ b/pam_autopeer/pam_autopeer.c
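Review bot: `verified_key` is cut from the third VALIDSIG field, which per gpg's status-fd documentation is the fingerprint of the key that actually made the signature (a signing subkey, when one is used), while the last field is the primary-key fingerprint — the commented sample happens to show both equal, but whichever the downstream allow-list is keyed on should be chosen deliberately, e.g. keep `cut -d' ' -f3` for the signing key or use `awk '{print $NF}'` for the primary. Because the keyring is built from a URL the user supplied, this fingerprint is the only thing tying a valid signature to an identity, so the script should also reject status output carrying more than one VALIDSIG line instead of ending up with a multi-line `$verified_key`: `[ "$(echo "$gpgv_out" | grep -cP '^\[GNUPG:\] VALIDSIG ')" -eq 1 ] || exit 3`. gpgv's own exit status is still discarded by the `$(...)` capture; appending `|| exit 3` to that assignment is a cheap second check for cases where no status line gets parsed at all. The part of the script that consumes `$verified_key` lies outside this hunk.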
@@ -48,7 +48,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **ar
 char *key, *sig;
 pam_prompt(pamh, PAM_TEXT_INFO, NULL, "No SSH key was successful; entering PGP auth mode.");
 pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &key, "Please enter a URL to download your ASCII-armored key:\n");
- pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &sig, "Please enter a ASCII-armored detached signature of the nonce '%s\\n', without newlines, i.e. `gpg -a --detach-sign -o - -u $YOUR_KEY <(echo %s) | tr -d '\\n'; echo`:\n", s_nonce, s_nonce);
+ pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &sig, "Please enter a ASCII-armored detached signature of the nonce '%s\\n', without newlines,\ni.e. `gpg -a --detach-sign -o - -u $YOUR_KEY <(echo %s) | tr -d '\\n'; echo`:\n", s_nonce, s_nonce);
 int pid;
 switch (pid = fork()) {
-- 
cgit v1.3.1-10-gc9f91
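Review bot: The rewritten `pam_prompt` call for `sig` still ignores its return value, and `sig` (declared uninitialized in `char *key, *sig;` a few lines up) is only assigned when the conversation succeeds, so a PAM_CONV_ERR from the client leaves an indeterminate pointer that is presumably handed to the child after the `fork()` below. Check each prompt and bail on failure, e.g. `int rc = pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &sig, "...", s_nonce, s_nonce);` followed by `if (rc != PAM_SUCCESS || sig == NULL) return rc == PAM_SUCCESS ? PAM_AUTH_ERR : rc;`, and the same for `key`; initialising both to NULL makes the failure path explicit. While touching the string, `a ASCII-armored` should read `an ASCII-armored`. `pam_sm_authenticate` starts before this hunk and its body continues past it, so where `key` and `sig` are consumed is not visible here.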