actions/gpg
1
0
Fork 0
mirror of https://github.com/crazy-max/ghaction-import-gpg.git synced 2024-11-05 21:25:50 -05:00
Code Issues Projects Releases Packages Wiki Activity

Handle signing-only subkeys (#112)

Browse source 
Co-authored-by: CrazyMax <crazy-max@users.noreply.github.com>
This commit is contained in:
CrazyMax 2021-10-15 13:40:04 +02:00 committed by GitHub
parent aaade0d1c6
commit 60f6f3e9a9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
18 changed files with 396 additions and 213 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
.github/workflows/ci.yml vendored
View file

@ -2,7 +2,7 @@ name: ci
on: on:
schedule: schedule:
- cron: '0 10 * * *' # everyday at 10am - cron: '0 10 * * *'
push: push:
branches: branches:
- 'master' - 'master'
@ -20,6 +20,9 @@ jobs:
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
key:
- test-key
- test-subkey
global: global:
- false - false
- true - true
@ -27,10 +30,26 @@ jobs:
- ubuntu-latest - ubuntu-latest
- macOS-latest - macOS-latest
- windows-latest - windows-latest
include:
- key: test-subkey
fingerprint: C17D11ADF199F12A30A0910F1F80449BE0B08CB8
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@v2 uses: actions/checkout@v2
-
name: GPG conf
uses: actions/github-script@v4
with:
script: |
const fs = require('fs');
const gnupgfolder = `${require('os').homedir()}/.gnupg`;
if (!fs.existsSync(gnupgfolder)){
fs.mkdirSync(gnupgfolder);
}
fs.copyFile('__tests__/fixtures/gpg.conf', `${gnupgfolder}/gpg.conf`, (err) => {
if (err) throw err;
});
- -
name: Get test key and passphrase name: Get test key and passphrase
uses: actions/github-script@v5 uses: actions/github-script@v5
@ -38,8 +57,8 @@ jobs:
with: with:
script: | script: |
const fs = require('fs'); const fs = require('fs');
core.setOutput('pgp', fs.readFileSync('.github/test-key.pgp', {encoding: 'utf8'})); core.setOutput('pgp', fs.readFileSync('__tests__/fixtures/${{ matrix.key }}.pgp', {encoding: 'utf8'}));
core.setOutput('passphrase', fs.readFileSync('.github/test-key.pass', {encoding: 'utf8'})); core.setOutput('passphrase', fs.readFileSync('__tests__/fixtures/${{ matrix.key }}.pass', {encoding: 'utf8'}));
- -
name: Import GPG name: Import GPG
id: import_gpg id: import_gpg
@ -52,23 +71,28 @@ jobs:
git_commit_gpgsign: true git_commit_gpgsign: true
git_tag_gpgsign: true git_tag_gpgsign: true
git_push_gpgsign: if-asked git_push_gpgsign: if-asked
fingerprint: ${{ matrix.fingerprint }}
- -
name: GPG user IDs name: List keys
run: | run: |
echo "fingerprint: ${{ steps.import_gpg.outputs.fingerprint }}" gpg -K
echo "keyid: ${{ steps.import_gpg.outputs.keyid }}" shell: bash
echo "name: ${{ steps.import_gpg.outputs.name }}"
echo "email: ${{ steps.import_gpg.outputs.email }}"
base64: base64:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
key:
- test-key
- test-subkey
os: os:
- ubuntu-latest - ubuntu-latest
- macOS-latest - macOS-latest
- windows-latest - windows-latest
include:
- key: test-subkey
fingerprint: C17D11ADF199F12A30A0910F1F80449BE0B08CB8
steps: steps:
- -
name: Checkout name: Checkout
@ -80,8 +104,8 @@ jobs:
with: with:
script: | script: |
const fs = require('fs'); const fs = require('fs');
core.setOutput('pgp-base64', fs.readFileSync('.github/test-key-base64.pgp', {encoding: 'utf8'})); core.setOutput('pgp-base64', fs.readFileSync('__tests__/fixtures/${{ matrix.key }}-base64.pgp', {encoding: 'utf8'}));
core.setOutput('passphrase', fs.readFileSync('.github/test-key.pass', {encoding: 'utf8'})); core.setOutput('passphrase', fs.readFileSync('__tests__/fixtures/${{ matrix.key }}.pass', {encoding: 'utf8'}));
- -
name: Import GPG name: Import GPG
id: import_gpg id: import_gpg
@ -93,10 +117,4 @@ jobs:
git_commit_gpgsign: true git_commit_gpgsign: true
git_tag_gpgsign: true git_tag_gpgsign: true
git_push_gpgsign: if-asked git_push_gpgsign: if-asked
- fingerprint: ${{ matrix.fingerprint }}
name: GPG user IDs
run: |
echo "fingerprint: ${{ steps.import_gpg.outputs.fingerprint }}"
echo "keyid: ${{ steps.import_gpg.outputs.keyid }}"
echo "name: ${{ steps.import_gpg.outputs.name }}"
echo "email: ${{ steps.import_gpg.outputs.email }}"

1
README.md
View file

@ -141,6 +141,7 @@ Following inputs can be used as `step.with` keys
| `git_committer_name` | String | Set commit author's name (defaults to the name associated with the GPG key) | | `git_committer_name` | String | Set commit author's name (defaults to the name associated with the GPG key) |
| `git_committer_email` | String | Set commit author's email (defaults to the email address associated with the GPG key) | | `git_committer_email` | String | Set commit author's email (defaults to the email address associated with the GPG key) |
| `workdir` | String | Working directory (below repository root) (default `.`) | | `workdir` | String | Working directory (below repository root) (default `.`) |
| `fingerprint` | String | Specific fingerprint to use (subkey) |
> `git_user_signingkey` needs to be enabled for `git_commit_gpgsign`, `git_tag_gpgsign`, > `git_user_signingkey` needs to be enabled for `git_commit_gpgsign`, `git_tag_gpgsign`,
> `git_push_gpgsign`, `git_committer_name`, `git_committer_email` inputs. > `git_push_gpgsign`, `git_committer_name`, `git_committer_email` inputs.

1
__tests__/context.test.ts
View file

@ -1,5 +1,4 @@
import * as os from 'os'; import * as os from 'os';
import * as context from '../src/context'; import * as context from '../src/context';
describe('setOutput', () => { describe('setOutput', () => {

71
__tests__/fixtures/gpg.conf Normal file
View file

@ -0,0 +1,71 @@
################################################################################
# GnuPG Options
# (OpenPGP-Configuration-Options)
# Assume that command line arguments are given as UTF8 strings.
utf8-strings
# (OpenPGP-Protocol-Options)
# Set the list of personal digest/cipher/compression preferences. This allows
# the user to safely override the algorithm chosen by the recipient key
# preferences, as GPG will only select an algorithm that is usable by all
# recipients.
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
personal-cipher-preferences AES256 AES192 AES CAST5 CAMELLIA192 BLOWFISH TWOFISH CAMELLIA128 3DES
personal-compress-preferences ZLIB BZIP2 ZIP
# Set the list of default preferences to string. This preference list is used
# for new keys and becomes the default for "setpref" in the edit menu.
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
# (OpenPGP-Esoteric-Options)
# Use name as the message digest algorithm used when signing a key. Running the
# program with the command --version yields a list of supported algorithms. Be
# aware that if you choose an algorithm that GnuPG supports but other OpenPGP
# implementations do not, then some users will not be able to use the key
# signatures you make, or quite possibly your entire key.
#
# SHA-1 is the only algorithm specified for OpenPGP V4. By changing the
# cert-digest-algo, the OpenPGP V4 specification is not met but with even
# GnuPG 1.4.10 (release 2009) supporting SHA-2 algorithm, this should be safe.
# Source: https://tools.ietf.org/html/rfc4880#section-12.2
cert-digest-algo SHA512
digest-algo SHA256
# Selects how passphrases for symmetric encryption are mangled. 3 (the default)
# iterates the whole process a number of times (see --s2k-count).
s2k-mode 3
# (OpenPGP-Protocol-Options)
# Use name as the cipher algorithm for symmetric encryption with a passphrase
# if --personal-cipher-preferences and --cipher-algo are not given. The
# default is AES-128.
s2k-cipher-algo AES256
# (OpenPGP-Protocol-Options)
# Use name as the digest algorithm used to mangle the passphrases for symmetric
# encryption. The default is SHA-1.
s2k-digest-algo SHA512
# (OpenPGP-Protocol-Options)
# Specify how many times the passphrases mangling for symmetric encryption is
# repeated. This value may range between 1024 and 65011712 inclusive. The
# default is inquired from gpg-agent. Note that not all values in the
# 1024-65011712 range are legal and if an illegal value is selected, GnuPG will
# round up to the nearest legal value. This option is only meaningful if
# --s2k-mode is set to the default of 3.
s2k-count 1015808
################################################################################
# GnuPG View Options
# Select how to display key IDs. "long" is the more accurate (but less
# convenient) 16-character key ID. Add an "0x" to include an "0x" at the
# beginning of the key ID.
keyid-format 0xlong
# List all keys with their fingerprints. This is the same output as --list-keys
# but with the additional output of a line with the fingerprint. If this
# command is given twice, the fingerprints of all secondary keys are listed too.
with-fingerprint
with-fingerprint

0
.github/test-key-base64.pgp → __tests__/fixtures/test-key-base64.pgp
View file

0
.github/test-key.pass → __tests__/fixtures/test-key.pass
View file

0
.github/test-key.pgp → __tests__/fixtures/test-key.pgp
View file

1
__tests__/fixtures/test-subkey-base64.pgp Normal file
View file

@ -0,0 +1 @@
LS0tLS1CRUdJTiBQR1AgUFJJVkFURSBLRVkgQkxPQ0stLS0tLQoKbElZRVlVNU0yaFlKS3dZQkJBSGFSdzhCQVFkQXNSbDlDUEtaaDB4MC9FRDFveDJwTmJ6R1J1TlpvRlVSN0JsYgpOUUdabzB6K0J3TUN1dVdvaTR5WTQ0YkhNU1AwMjBLRmUvOHhpWHJwby9LandiMXJaa1g3dW1laWZBRFh6L1JiCmJuMXdKMENGQ09TOHl4R3laL3NCYlk1OGZEL0gvMFU2TFdiSmRHSG1mZ0RXYTl0OEFQK09NTFFWU205bElFSmgKY2lBOGFtOWxRR0poY2k1bWIyOCtpSkFFRXhZS0FEZ1dJUVNIOGxlNG5PUmlFQXZzRC81Z2NkSVlPQS9jeUFVQwpZVTVNMmdJYkFRVUxDUWdIQXdVVkNna0lDd1VXQWdNQkFBSWVBUUlYZ0FBS0NSQmdjZElZT0EvY3lGd1VBUUN0CmRQdzU3MDh0Z296NkNqcEFMbzBjQ2NtZ2xuVHdGWlBYTm1DaGdPZUIzQUVBdkdNV2lrYy9iaG9waVRGUzNLVWkKR042a1o5ZUlhaTRYeDloTjRSZTlEd1NjaGdSaFRrMURGZ2tyQmdFRUFkcEhEd0VCQjBDVUtPdVVMYlNqZVF4QwpHNmY4VkhNWHRUbnc4MkF2TmlwM01rY3RNZEZmbC80SEF3SlBPM1loUVJkWU44Y1A1cVhvOFcwazFPZEJaTEJyCmN5cm5ra2tYVk91cjh1SlExV2tMb2FMSnZ3VmN1MlplSFlWdmcramNFSmVlTVF0ME43OWVOUUs5VVMzeEQ5ak4Kc2JZbTVrUkNHWldpaU84RUdCWUtBQ0FXSVFTSDhsZTRuT1JpRUF2c0QvNWdjZElZT0EvY3lBVUNZVTVOUXdJYgpBZ0NCQ1JCZ2NkSVlPQS9jeUhZZ0JCa1dDZ0FkRmlFRXdYMFJyZkdaOFNvd29KRVBINEJFbStDd2pMZ0ZBbUZPClRVTUFDZ2tRSDRCRW0rQ3dqTGlJT1FFQTZjazVCbXMwYzBvbHV4Ly9BeUprMlpINWl5WW11WmpaVTJNOEhtcEoKa1BJQkFPVWJsQmlwZURpc0dqQ0VmTE1SN1czcFBYTTMyY0ZOWVdwOW1SNzJ6SWdOcEdvQS8zM1grRG55VHhtTgpYeUlpZFFtK0J3TFBZOXRTUlMvL0dCbVg4eHdDUWpWS0FRRG54V0VyaVk4clBQOTFUblhtR0VjL05LeFZVcHJoCjVRTndjMHNBTjVGRUJ3PT0KPTExQjQKLS0tLS1FTkQgUEdQIFBSSVZBVEUgS0VZIEJMT0NLLS0tLS0K

1
__tests__/fixtures/test-subkey.pass Normal file
View file

@ -0,0 +1 @@
with another passphrase

19
__tests__/fixtures/test-subkey.pgp Normal file
View file

@ -0,0 +1,19 @@
-----BEGIN PGP PRIVATE KEY BLOCK-----
lIYEYU5M2hYJKwYBBAHaRw8BAQdAsRl9CPKZh0x0/ED1ox2pNbzGRuNZoFUR7Blb
NQGZo0z+BwMCuuWoi4yY44bHMSP020KFe/8xiXrpo/Kjwb1rZkX7umeifADXz/Rb
bn1wJ0CFCOS8yxGyZ/sBbY58fD/H/0U6LWbJdGHmfgDWa9t8AP+OMLQVSm9lIEJh
ciA8am9lQGJhci5mb28+iJAEExYKADgWIQSH8le4nORiEAvsD/5gcdIYOA/cyAUC
YU5M2gIbAQULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBgcdIYOA/cyFwUAQCt
dPw5708tgoz6CjpALo0cCcmglnTwFZPXNmChgOeB3AEAvGMWikc/bhopiTFS3KUi
GN6kZ9eIai4Xx9hN4Re9DwSchgRhTk1DFgkrBgEEAdpHDwEBB0CUKOuULbSjeQxC
G6f8VHMXtTnw82AvNip3MkctMdFfl/4HAwJPO3YhQRdYN8cP5qXo8W0k1OdBZLBr
cyrnkkkXVOur8uJQ1WkLoaLJvwVcu2ZeHYVvg+jcEJeeMQt0N79eNQK9US3xD9jN
sbYm5kRCGZWiiO8EGBYKACAWIQSH8le4nORiEAvsD/5gcdIYOA/cyAUCYU5NQwIb
AgCBCRBgcdIYOA/cyHYgBBkWCgAdFiEEwX0RrfGZ8SowoJEPH4BEm+CwjLgFAmFO
TUMACgkQH4BEm+CwjLiIOQEA6ck5Bms0c0olux//AyJk2ZH5iyYmuZjZU2M8HmpJ
kPIBAOUblBipeDisGjCEfLMR7W3pPXM32cFNYWp9mR72zIgNpGoA/33X+DnyTxmN
XyIidQm+BwLPY9tSRS//GBmX8xwCQjVKAQDnxWEriY8rPP91TnXmGEc/NKxVUprh
5QNwc0sAN5FEBw==
=11B4
-----END PGP PRIVATE KEY BLOCK-----

221
__tests__/gpg.test.ts
View file

@ -1,105 +1,130 @@
import * as fs from 'fs'; import * as fs from 'fs';
import * as gpg from '../src/gpg'; import * as gpg from '../src/gpg';
const userInfo = { const userInfos = [
pgp: fs.readFileSync('.github/test-key.pgp', { {
encoding: 'utf8', key: 'test-key',
flag: 'r' pgp: fs.readFileSync('__tests__/fixtures/test-key.pgp', {
}), encoding: 'utf8',
pgp_base64: fs.readFileSync('.github/test-key-base64.pgp', { flag: 'r'
encoding: 'utf8', }),
flag: 'r' pgp_base64: fs.readFileSync('__tests__/fixtures/test-key-base64.pgp', {
}), encoding: 'utf8',
passphrase: fs.readFileSync('.github/test-key.pass', { flag: 'r'
encoding: 'utf8', }),
flag: 'r' passphrase: fs.readFileSync('__tests__/fixtures/test-key.pass', {
}), encoding: 'utf8',
name: 'Joe Tester', flag: 'r'
email: 'joe@foo.bar', }),
keyID: 'D523BD50DD70B0BA', name: 'Joe Tester',
fingerprint: '27571A53B86AF0C799B38BA77D851EB72D73BDA0', email: 'joe@foo.bar',
keygrips: ['3E2D1142AA59E08E16B7E2C64BA6DDC773B1A627', 'BA83FC8947213477F28ADC019F6564A956456163'] keyID: '7D851EB72D73BDA0',
}; fingerprint: '27571A53B86AF0C799B38BA77D851EB72D73BDA0',
keygrips: ['3E2D1142AA59E08E16B7E2C64BA6DDC773B1A627', 'BA83FC8947213477F28ADC019F6564A956456163']
},
{
key: 'test-subkey',
pgp: fs.readFileSync('__tests__/fixtures/test-subkey.pgp', {
encoding: 'utf8',
flag: 'r'
}),
pgp_base64: fs.readFileSync('__tests__/fixtures/test-subkey-base64.pgp', {
encoding: 'utf8',
flag: 'r'
}),
passphrase: fs.readFileSync('__tests__/fixtures/test-subkey.pass', {
encoding: 'utf8',
flag: 'r'
}),
name: 'Joe Bar',
email: 'joe@bar.foo',
keyID: '6071D218380FDCC8',
fingerprint: 'C17D11ADF199F12A30A0910F1F80449BE0B08CB8',
keygrips: ['F5C3ABFAAB36B427FD98C4EDD0387E08EA1E8092', 'DEE0FC98F441519CA5DE5D79773CB29009695FEB']
}
];
describe('gpg', () => { describe('getVersion', () => {
describe('getVersion', () => { it('returns GnuPG and libgcrypt version', async () => {
it('returns GnuPG and libgcrypt version', async () => { await gpg.getVersion().then(version => {
await gpg.getVersion().then(version => { console.log(version);
console.log(version); expect(version.gnupg).not.toEqual('');
expect(version.gnupg).not.toEqual(''); expect(version.libgcrypt).not.toEqual('');
expect(version.libgcrypt).not.toEqual('');
});
});
});
describe('getDirs', () => {
it('returns GnuPG dirs', async () => {
await gpg.getDirs().then(dirs => {
console.log(dirs);
expect(dirs.libdir).not.toEqual('');
expect(dirs.datadir).not.toEqual('');
expect(dirs.homedir).not.toEqual('');
});
});
});
describe('importKey', () => {
it('imports key (as armored string) to GnuPG', async () => {
await gpg.importKey(userInfo.pgp).then(output => {
console.log(output);
expect(output).not.toEqual('');
});
});
it('imports key (as base64 string) to GnuPG', async () => {
await gpg.importKey(userInfo.pgp_base64).then(output => {
console.log(output);
expect(output).not.toEqual('');
});
});
});
describe('getKeygrips', () => {
it('returns the keygrips', async () => {
await gpg.importKey(userInfo.pgp);
await gpg.getKeygrips(userInfo.fingerprint).then(keygrips => {
console.log(keygrips);
expect(keygrips.length).toEqual(userInfo.keygrips.length);
for (let i = 0; i < keygrips.length; i++) {
expect(keygrips[i]).toEqual(userInfo.keygrips[i]);
}
});
});
});
describe('configureAgent', () => {
it('configures GnuPG agent', async () => {
await gpg.configureAgent(gpg.agentConfig);
});
});
describe('presetPassphrase', () => {
it('presets passphrase', async () => {
await gpg.importKey(userInfo.pgp);
await gpg.configureAgent(gpg.agentConfig);
for (let keygrip of await gpg.getKeygrips(userInfo.fingerprint)) {
await gpg.presetPassphrase(keygrip, userInfo.passphrase).then(output => {
console.log(output);
expect(output).not.toEqual('');
});
}
});
});
describe('deleteKey', () => {
it('removes key from GnuPG', async () => {
await gpg.importKey(userInfo.pgp);
await gpg.deleteKey(userInfo.fingerprint);
});
});
describe('killAgent', () => {
it('kills GnuPG agent', async () => {
await gpg.killAgent();
}); });
}); });
}); });
describe('getDirs', () => {
it('returns GnuPG dirs', async () => {
await gpg.getDirs().then(dirs => {
console.log(dirs);
expect(dirs.libdir).not.toEqual('');
expect(dirs.datadir).not.toEqual('');
expect(dirs.homedir).not.toEqual('');
});
});
});
describe('configureAgent', () => {
it('configures GnuPG agent', async () => {
await gpg.configureAgent(gpg.agentConfig);
});
});
for (let userInfo of userInfos) {
describe(userInfo.key, () => {
describe('importKey', () => {
it('imports key (as armored string) to GnuPG', async () => {
await gpg.importKey(userInfo.pgp).then(output => {
console.log(output);
expect(output).not.toEqual('');
});
});
it('imports key (as base64 string) to GnuPG', async () => {
await gpg.importKey(userInfo.pgp_base64).then(output => {
console.log(output);
expect(output).not.toEqual('');
});
});
});
describe('getKeygrips', () => {
it('returns the keygrips', async () => {
await gpg.importKey(userInfo.pgp);
await gpg.getKeygrips(userInfo.fingerprint).then(keygrips => {
console.log(keygrips);
expect(keygrips.length).toEqual(userInfo.keygrips.length);
for (let i = 0; i < keygrips.length; i++) {
expect(keygrips[i]).toEqual(userInfo.keygrips[i]);
}
});
});
});
describe('presetPassphrase', () => {
it('presets passphrase', async () => {
await gpg.importKey(userInfo.pgp);
await gpg.configureAgent(gpg.agentConfig);
for (let keygrip of await gpg.getKeygrips(userInfo.fingerprint)) {
await gpg.presetPassphrase(keygrip, userInfo.passphrase).then(output => {
console.log(output);
expect(output).not.toEqual('');
});
}
});
});
describe('deleteKey', () => {
it('removes key from GnuPG', async () => {
await gpg.importKey(userInfo.pgp);
await gpg.deleteKey(userInfo.fingerprint);
});
});
});
}
describe('killAgent', () => {
it('kills GnuPG agent', async () => {
await gpg.killAgent();
});
});

139
__tests__/openpgp.test.ts
View file

@ -1,66 +1,91 @@
import * as fs from 'fs'; import * as fs from 'fs';
import * as openpgp from '../src/openpgp'; import * as openpgp from '../src/openpgp';
const userInfo = { const userInfos = [
pgp: fs.readFileSync('.github/test-key.pgp', { {
encoding: 'utf8', key: 'test-key',
flag: 'r' pgp: fs.readFileSync('__tests__/fixtures/test-key.pgp', {
}), encoding: 'utf8',
pgp_base64: fs.readFileSync('.github/test-key-base64.pgp', { flag: 'r'
encoding: 'utf8', }),
flag: 'r' pgp_base64: fs.readFileSync('__tests__/fixtures/test-key-base64.pgp', {
}), encoding: 'utf8',
passphrase: fs.readFileSync('.github/test-key.pass', { flag: 'r'
encoding: 'utf8', }),
flag: 'r' passphrase: fs.readFileSync('__tests__/fixtures/test-key.pass', {
}), encoding: 'utf8',
name: 'Joe Tester', flag: 'r'
email: 'joe@foo.bar', }),
keyID: 'D523BD50DD70B0BA', name: 'Joe Tester',
fingerprint: '27571A53B86AF0C799B38BA77D851EB72D73BDA0', email: 'joe@foo.bar',
keygrip: '3E2D1142AA59E08E16B7E2C64BA6DDC773B1A627' keyID: '7D851EB72D73BDA0',
}; fingerprint: '27571A53B86AF0C799B38BA77D851EB72D73BDA0',
keygrip: '3E2D1142AA59E08E16B7E2C64BA6DDC773B1A627'
},
{
key: 'test-subkey',
pgp: fs.readFileSync('__tests__/fixtures/test-subkey.pgp', {
encoding: 'utf8',
flag: 'r'
}),
pgp_base64: fs.readFileSync('__tests__/fixtures/test-subkey-base64.pgp', {
encoding: 'utf8',
flag: 'r'
}),
passphrase: fs.readFileSync('__tests__/fixtures/test-subkey.pass', {
encoding: 'utf8',
flag: 'r'
}),
name: 'Joe Bar',
email: 'joe@bar.foo',
keyID: '6071D218380FDCC8',
fingerprint: '87F257B89CE462100BEC0FFE6071D218380FDCC8',
keygrips: ['F5C3ABFAAB36B427FD98C4EDD0387E08EA1E8092', 'DEE0FC98F441519CA5DE5D79773CB29009695FEB']
}
];
describe('openpgp', () => { for (let userInfo of userInfos) {
describe('readPrivateKey', () => { describe(userInfo.key, () => {
it('returns a PGP private key from an armored string', async () => { describe('readPrivateKey', () => {
await openpgp.readPrivateKey(userInfo.pgp).then(privateKey => { it('returns a PGP private key from an armored string', async () => {
expect(privateKey.keyID).toEqual(userInfo.keyID); await openpgp.readPrivateKey(userInfo.pgp).then(privateKey => {
expect(privateKey.name).toEqual(userInfo.name); expect(privateKey.keyID).toEqual(userInfo.keyID);
expect(privateKey.email).toEqual(userInfo.email); expect(privateKey.name).toEqual(userInfo.name);
expect(privateKey.fingerprint).toEqual(userInfo.fingerprint); expect(privateKey.email).toEqual(userInfo.email);
expect(privateKey.fingerprint).toEqual(userInfo.fingerprint);
});
});
it('returns a PGP private key from a base64 armored string', async () => {
await openpgp.readPrivateKey(userInfo.pgp_base64).then(privateKey => {
expect(privateKey.keyID).toEqual(userInfo.keyID);
expect(privateKey.name).toEqual(userInfo.name);
expect(privateKey.email).toEqual(userInfo.email);
expect(privateKey.fingerprint).toEqual(userInfo.fingerprint);
});
}); });
}); });
it('returns a PGP private key from a base64 armored string', async () => {
await openpgp.readPrivateKey(userInfo.pgp_base64).then(privateKey => { describe('generateKeyPair', () => {
expect(privateKey.keyID).toEqual(userInfo.keyID); it('generates a PGP key pair', async () => {
expect(privateKey.name).toEqual(userInfo.name); await openpgp.generateKeyPair(userInfo.name, userInfo.email, userInfo.passphrase).then(keyPair => {
expect(privateKey.email).toEqual(userInfo.email); expect(keyPair).not.toBeUndefined();
expect(privateKey.fingerprint).toEqual(userInfo.fingerprint); expect(keyPair.publicKey).not.toBeUndefined();
expect(keyPair.privateKey).not.toBeUndefined();
});
}, 30000);
});
describe('isArmored', () => {
it('returns true for armored key string', async () => {
await openpgp.isArmored(userInfo.pgp).then(armored => {
expect(armored).toEqual(true);
});
});
it('returns false for base64 key string', async () => {
await openpgp.isArmored(userInfo.pgp_base64).then(armored => {
expect(armored).toEqual(false);
});
}); });
}); });
}); });
}
describe('generateKeyPair', () => {
it('generates a PGP key pair', async () => {
await openpgp.generateKeyPair(userInfo.name, userInfo.email, userInfo.passphrase).then(keyPair => {
expect(keyPair).not.toBeUndefined();
expect(keyPair.publicKey).not.toBeUndefined();
expect(keyPair.privateKey).not.toBeUndefined();
});
}, 30000);
});
describe('isArmored', () => {
it('returns true for armored key string', async () => {
await openpgp.isArmored(userInfo.pgp).then(armored => {
expect(armored).toEqual(true);
});
});
it('returns false for base64 key string', async () => {
await openpgp.isArmored(userInfo.pgp_base64).then(armored => {
expect(armored).toEqual(false);
});
});
});
});

3
action.yml
View file

@ -43,6 +43,9 @@ inputs:
description: 'Working directory (below repository root)' description: 'Working directory (below repository root)'
default: '.' default: '.'
required: false required: false
fingerprint:
description: 'Specific fingerprint to use (subkey)'
required: false
outputs: outputs:
fingerprint: fingerprint:

51
dist/index.js generated vendored
View file

@ -51,7 +51,8 @@ function getInputs() {
gitPushGpgsign: core.getInput('git_push_gpgsign') || 'if-asked', gitPushGpgsign: core.getInput('git_push_gpgsign') || 'if-asked',
gitCommitterName: core.getInput('git_committer_name'), gitCommitterName: core.getInput('git_committer_name'),
gitCommitterEmail: core.getInput('git_committer_email'), gitCommitterEmail: core.getInput('git_committer_email'),
workdir: core.getInput('workdir') || '.' workdir: core.getInput('workdir') || '.',
fingerprint: core.getInput('fingerprint')
}; };
}); });
} }
@ -389,7 +390,6 @@ function run() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
try { try {
let inputs = yield context.getInputs(); let inputs = yield context.getInputs();
stateHelper.setGpgPrivateKey(inputs.gpgPrivateKey);
if (inputs.workdir && inputs.workdir !== '.') { if (inputs.workdir && inputs.workdir !== '.') {
core.info(`📂 Using ${inputs.workdir} as working directory...`); core.info(`📂 Using ${inputs.workdir} as working directory...`);
process.chdir(inputs.workdir); process.chdir(inputs.workdir);
@ -411,6 +411,14 @@ function run() {
core.info(`Email : ${privateKey.email}`); core.info(`Email : ${privateKey.email}`);
core.info(`CreationTime : ${privateKey.creationTime}`); core.info(`CreationTime : ${privateKey.creationTime}`);
})); }));
let fingerprint = privateKey.fingerprint;
if (inputs.fingerprint) {
fingerprint = inputs.fingerprint;
}
stateHelper.setFingerprint(fingerprint);
yield core.group(`Fingerprint to use`, () => __awaiter(this, void 0, void 0, function* () {
core.info(fingerprint);
}));
yield core.group(`Importing GPG private key`, () => __awaiter(this, void 0, void 0, function* () { yield core.group(`Importing GPG private key`, () => __awaiter(this, void 0, void 0, function* () {
yield gpg.importKey(inputs.gpgPrivateKey).then(stdout => { yield gpg.importKey(inputs.gpgPrivateKey).then(stdout => {
core.info(stdout); core.info(stdout);
@ -420,7 +428,7 @@ function run() {
core.info('Configuring GnuPG agent'); core.info('Configuring GnuPG agent');
yield gpg.configureAgent(gpg.agentConfig); yield gpg.configureAgent(gpg.agentConfig);
yield core.group(`Getting keygrips`, () => __awaiter(this, void 0, void 0, function* () { yield core.group(`Getting keygrips`, () => __awaiter(this, void 0, void 0, function* () {
for (let keygrip of yield gpg.getKeygrips(privateKey.fingerprint)) { for (let keygrip of yield gpg.getKeygrips(fingerprint)) {
core.info(`Presetting passphrase for ${keygrip}`); core.info(`Presetting passphrase for ${keygrip}`);
yield gpg.presetPassphrase(keygrip, inputs.passphrase).then(stdout => { yield gpg.presetPassphrase(keygrip, inputs.passphrase).then(stdout => {
core.debug(stdout); core.debug(stdout);
@ -428,11 +436,16 @@ function run() {
} }
})); }));
} }
core.info('Setting outputs'); yield core.group(`Setting outputs`, () => __awaiter(this, void 0, void 0, function* () {
context.setOutput('fingerprint', privateKey.fingerprint); core.info(`fingerprint=${fingerprint}`);
context.setOutput('keyid', privateKey.keyID); context.setOutput('fingerprint', fingerprint);
context.setOutput('name', privateKey.name); core.info(`keyid=${privateKey.keyID}`);
context.setOutput('email', privateKey.email); context.setOutput('keyid', privateKey.keyID);
core.info(`name=${privateKey.name}`);
context.setOutput('name', privateKey.name);
core.info(`email=${privateKey.email}`);
context.setOutput('email', privateKey.email);
}));
if (inputs.gitUserSigningkey) { if (inputs.gitUserSigningkey) {
core.info('Setting GPG signing keyID for this Git repository'); core.info('Setting GPG signing keyID for this Git repository');
yield git.setConfig('user.signingkey', privateKey.keyID, inputs.gitConfigGlobal); yield git.setConfig('user.signingkey', privateKey.keyID, inputs.gitConfigGlobal);
@ -466,14 +479,13 @@ function run() {
} }
function cleanup() { function cleanup() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
if (stateHelper.gpgPrivateKey.length <= 0) { if (stateHelper.fingerprint.length <= 0) {
core.debug('GPG private key is not defined. Skipping cleanup.'); core.debug('Fingerprint is not defined. Skipping cleanup.');
return; return;
} }
try { try {
core.info('Removing keys'); core.info('Removing keys');
const privateKey = yield openpgp.readPrivateKey(stateHelper.gpgPrivateKey); yield gpg.deleteKey(stateHelper.fingerprint);
yield gpg.deleteKey(privateKey.fingerprint);
core.info('Killing GnuPG agent'); core.info('Killing GnuPG agent');
yield gpg.killAgent(); yield gpg.killAgent();
} }
@ -542,10 +554,7 @@ exports.readPrivateKey = (key) => __awaiter(void 0, void 0, void 0, function* ()
}); });
return { return {
fingerprint: privateKey.getFingerprint().toUpperCase(), fingerprint: privateKey.getFingerprint().toUpperCase(),
keyID: yield privateKey.getEncryptionKey().then(encKey => { keyID: privateKey.getKeyID().toHex().toUpperCase(),
// @ts-ignore
return encKey === null || encKey === void 0 ? void 0 : encKey.getKeyID().toHex().toUpperCase();
}),
name: address.name, name: address.name,
email: address.address, email: address.address,
creationTime: privateKey.getCreationTime() creationTime: privateKey.getCreationTime()
@ -594,14 +603,14 @@ var __importStar = (this && this.__importStar) || function (mod) {
return result; return result;
}; };
Object.defineProperty(exports, "__esModule", ({ value: true })); Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.setGpgPrivateKey = exports.gpgPrivateKey = exports.IsPost = void 0; exports.setFingerprint = exports.fingerprint = exports.IsPost = void 0;
const core = __importStar(__webpack_require__(186)); const core = __importStar(__webpack_require__(186));
exports.IsPost = !!process.env['STATE_isPost']; exports.IsPost = !!process.env['STATE_isPost'];
exports.gpgPrivateKey = process.env['STATE_gpgPrivateKey'] || ''; exports.fingerprint = process.env['STATE_fingerprint'] || '';
function setGpgPrivateKey(gpgPrivateKey) { function setFingerprint(fingerprint) {
core.saveState('gpgPrivateKey', gpgPrivateKey); core.saveState('fingerprint', fingerprint);
} }
exports.setGpgPrivateKey = setGpgPrivateKey; exports.setFingerprint = setFingerprint;
if (!exports.IsPost) { if (!exports.IsPost) {
core.saveState('isPost', 'true'); core.saveState('isPost', 'true');
} }

4
src/context.ts
View file

@ -12,6 +12,7 @@ export interface Inputs {
gitCommitterName: string; gitCommitterName: string;
gitCommitterEmail: string; gitCommitterEmail: string;
workdir: string; workdir: string;
fingerprint: string;
} }
export async function getInputs(): Promise<Inputs> { export async function getInputs(): Promise<Inputs> {
@ -25,7 +26,8 @@ export async function getInputs(): Promise<Inputs> {
gitPushGpgsign: core.getInput('git_push_gpgsign') || 'if-asked', gitPushGpgsign: core.getInput('git_push_gpgsign') || 'if-asked',
gitCommitterName: core.getInput('git_committer_name'), gitCommitterName: core.getInput('git_committer_name'),
gitCommitterEmail: core.getInput('git_committer_email'), gitCommitterEmail: core.getInput('git_committer_email'),
workdir: core.getInput('workdir') || '.' workdir: core.getInput('workdir') || '.',
fingerprint: core.getInput('fingerprint')
}; };
} }

34
src/main.ts
View file

@ -8,7 +8,6 @@ import * as stateHelper from './state-helper';
async function run(): Promise<void> { async function run(): Promise<void> {
try { try {
let inputs: context.Inputs = await context.getInputs(); let inputs: context.Inputs = await context.getInputs();
stateHelper.setGpgPrivateKey(inputs.gpgPrivateKey);
if (inputs.workdir && inputs.workdir !== '.') { if (inputs.workdir && inputs.workdir !== '.') {
core.info(`📂 Using ${inputs.workdir} as working directory...`); core.info(`📂 Using ${inputs.workdir} as working directory...`);
@ -34,6 +33,15 @@ async function run(): Promise<void> {
core.info(`CreationTime : ${privateKey.creationTime}`); core.info(`CreationTime : ${privateKey.creationTime}`);
}); });
let fingerprint = privateKey.fingerprint;
if (inputs.fingerprint) {
fingerprint = inputs.fingerprint;
}
stateHelper.setFingerprint(fingerprint);
await core.group(`Fingerprint to use`, async () => {
core.info(fingerprint);
});
await core.group(`Importing GPG private key`, async () => { await core.group(`Importing GPG private key`, async () => {
await gpg.importKey(inputs.gpgPrivateKey).then(stdout => { await gpg.importKey(inputs.gpgPrivateKey).then(stdout => {
core.info(stdout); core.info(stdout);
@ -45,7 +53,7 @@ async function run(): Promise<void> {
await gpg.configureAgent(gpg.agentConfig); await gpg.configureAgent(gpg.agentConfig);
await core.group(`Getting keygrips`, async () => { await core.group(`Getting keygrips`, async () => {
for (let keygrip of await gpg.getKeygrips(privateKey.fingerprint)) { for (let keygrip of await gpg.getKeygrips(fingerprint)) {
core.info(`Presetting passphrase for ${keygrip}`); core.info(`Presetting passphrase for ${keygrip}`);
await gpg.presetPassphrase(keygrip, inputs.passphrase).then(stdout => { await gpg.presetPassphrase(keygrip, inputs.passphrase).then(stdout => {
core.debug(stdout); core.debug(stdout);
@ -54,11 +62,16 @@ async function run(): Promise<void> {
}); });
} }
core.info('Setting outputs'); await core.group(`Setting outputs`, async () => {
context.setOutput('fingerprint', privateKey.fingerprint); core.info(`fingerprint=${fingerprint}`);
context.setOutput('keyid', privateKey.keyID); context.setOutput('fingerprint', fingerprint);
context.setOutput('name', privateKey.name); core.info(`keyid=${privateKey.keyID}`);
context.setOutput('email', privateKey.email); context.setOutput('keyid', privateKey.keyID);
core.info(`name=${privateKey.name}`);
context.setOutput('name', privateKey.name);
core.info(`email=${privateKey.email}`);
context.setOutput('email', privateKey.email);
});
if (inputs.gitUserSigningkey) { if (inputs.gitUserSigningkey) {
core.info('Setting GPG signing keyID for this Git repository'); core.info('Setting GPG signing keyID for this Git repository');
@ -95,14 +108,13 @@ async function run(): Promise<void> {
} }
async function cleanup(): Promise<void> { async function cleanup(): Promise<void> {
if (stateHelper.gpgPrivateKey.length <= 0) { if (stateHelper.fingerprint.length <= 0) {
core.debug('GPG private key is not defined. Skipping cleanup.'); core.debug('Fingerprint is not defined. Skipping cleanup.');
return; return;
} }
try { try {
core.info('Removing keys'); core.info('Removing keys');
const privateKey = await openpgp.readPrivateKey(stateHelper.gpgPrivateKey); await gpg.deleteKey(stateHelper.fingerprint);
await gpg.deleteKey(privateKey.fingerprint);
core.info('Killing GnuPG agent'); core.info('Killing GnuPG agent');
await gpg.killAgent(); await gpg.killAgent();

5
src/openpgp.ts
View file

@ -25,10 +25,7 @@ export const readPrivateKey = async (key: string): Promise<PrivateKey> => {
return { return {
fingerprint: privateKey.getFingerprint().toUpperCase(), fingerprint: privateKey.getFingerprint().toUpperCase(),
keyID: await privateKey.getEncryptionKey().then(encKey => { keyID: privateKey.getKeyID().toHex().toUpperCase(),
// @ts-ignore
return encKey?.getKeyID().toHex().toUpperCase();
}),
name: address.name, name: address.name,
email: address.address, email: address.address,
creationTime: privateKey.getCreationTime() creationTime: privateKey.getCreationTime()

6
src/state-helper.ts
View file

@ -1,10 +1,10 @@
import * as core from '@actions/core'; import * as core from '@actions/core';
export const IsPost = !!process.env['STATE_isPost']; export const IsPost = !!process.env['STATE_isPost'];
export const gpgPrivateKey = process.env['STATE_gpgPrivateKey'] || ''; export const fingerprint = process.env['STATE_fingerprint'] || '';
export function setGpgPrivateKey(gpgPrivateKey: string) { export function setFingerprint(fingerprint: string) {
core.saveState('gpgPrivateKey', gpgPrivateKey); core.saveState('fingerprint', fingerprint);
} }
if (!IsPost) { if (!IsPost) {