Handle signing-only subkeys (#112)

Co-authored-by: CrazyMax <crazy-max@users.noreply.github.com>
crazy-max · Oct 15, 2021 · 60f6f3e · 60f6f3e
1 parent aaade0d
commit 60f6f3e
Show file tree

Hide file tree

Showing 18 changed files with 375 additions and 192 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,7 +2,7 @@ name: ci
 
 on:
   schedule:
-    - cron: '0 10 * * *' # everyday at 10am
+    - cron: '0 10 * * *'
   push:
     branches:
       - 'master'
@@ -20,26 +20,45 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
+        key:
+          - test-key
+          - test-subkey
         global:
           - false
           - true
         os:
           - ubuntu-latest
           - macOS-latest
           - windows-latest
+        include:
+          - key: test-subkey
+            fingerprint: C17D11ADF199F12A30A0910F1F80449BE0B08CB8
     steps:
       -
         name: Checkout
         uses: actions/checkout@v2
+      -
+        name: GPG conf
+        uses: actions/github-script@v4
+        with:
+          script: |
+            const fs = require('fs');
+            const gnupgfolder = `${require('os').homedir()}/.gnupg`;
+            if (!fs.existsSync(gnupgfolder)){
+                fs.mkdirSync(gnupgfolder);
+            }
+            fs.copyFile('__tests__/fixtures/gpg.conf', `${gnupgfolder}/gpg.conf`, (err) => {
+                if (err) throw err;
+            });
       -
         name: Get test key and passphrase
         uses: actions/github-script@v5
         id: test
         with:
           script: |
             const fs = require('fs');
-            core.setOutput('pgp', fs.readFileSync('.github/test-key.pgp', {encoding: 'utf8'}));
-            core.setOutput('passphrase', fs.readFileSync('.github/test-key.pass', {encoding: 'utf8'}));
+            core.setOutput('pgp', fs.readFileSync('__tests__/fixtures/${{ matrix.key }}.pgp', {encoding: 'utf8'}));
+            core.setOutput('passphrase', fs.readFileSync('__tests__/fixtures/${{ matrix.key }}.pass', {encoding: 'utf8'}));
       -
         name: Import GPG
         id: import_gpg
@@ -52,23 +71,28 @@ jobs:
           git_commit_gpgsign: true
           git_tag_gpgsign: true
           git_push_gpgsign: if-asked
+          fingerprint: ${{ matrix.fingerprint }}
       -
-        name: GPG user IDs
+        name: List keys
         run: |
-          echo "fingerprint: ${{ steps.import_gpg.outputs.fingerprint }}"
-          echo "keyid:       ${{ steps.import_gpg.outputs.keyid }}"
-          echo "name:        ${{ steps.import_gpg.outputs.name }}"
-          echo "email:       ${{ steps.import_gpg.outputs.email }}"
+          gpg -K
+        shell: bash
 
   base64:
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
+        key:
+          - test-key
+          - test-subkey
         os:
           - ubuntu-latest
           - macOS-latest
           - windows-latest
+        include:
+          - key: test-subkey
+            fingerprint: C17D11ADF199F12A30A0910F1F80449BE0B08CB8
     steps:
       -
         name: Checkout
@@ -80,8 +104,8 @@ jobs:
         with:
           script: |
             const fs = require('fs');
-            core.setOutput('pgp-base64', fs.readFileSync('.github/test-key-base64.pgp', {encoding: 'utf8'}));
-            core.setOutput('passphrase', fs.readFileSync('.github/test-key.pass', {encoding: 'utf8'}));
+            core.setOutput('pgp-base64', fs.readFileSync('__tests__/fixtures/${{ matrix.key }}-base64.pgp', {encoding: 'utf8'}));
+            core.setOutput('passphrase', fs.readFileSync('__tests__/fixtures/${{ matrix.key }}.pass', {encoding: 'utf8'}));
       -
         name: Import GPG
         id: import_gpg
@@ -93,10 +117,4 @@ jobs:
           git_commit_gpgsign: true
           git_tag_gpgsign: true
           git_push_gpgsign: if-asked
-      -
-        name: GPG user IDs
-        run: |
-          echo "fingerprint: ${{ steps.import_gpg.outputs.fingerprint }}"
-          echo "keyid:       ${{ steps.import_gpg.outputs.keyid }}"
-          echo "name:        ${{ steps.import_gpg.outputs.name }}"
-          echo "email:       ${{ steps.import_gpg.outputs.email }}"
+          fingerprint: ${{ matrix.fingerprint }}
diff --git a/README.md b/README.md
@@ -141,6 +141,7 @@ Following inputs can be used as `step.with` keys
 | `git_committer_name`                  | String  | Set commit author's name (defaults to the name associated with the GPG key) |
 | `git_committer_email`                 | String  | Set commit author's email (defaults to the email address associated with the GPG key) |
 | `workdir`                             | String  | Working directory (below repository root) (default `.`) |
+| `fingerprint`                         | String  | Specific fingerprint to use (subkey) |
 
 > `git_user_signingkey` needs to be enabled for `git_commit_gpgsign`, `git_tag_gpgsign`,
 > `git_push_gpgsign`, `git_committer_name`, `git_committer_email` inputs.

diff --git a/__tests__/context.test.ts b/__tests__/context.test.ts
@@ -1,5 +1,4 @@
 import * as os from 'os';
-
 import * as context from '../src/context';
 
 describe('setOutput', () => {

diff --git a/__tests__/fixtures/gpg.conf b/__tests__/fixtures/gpg.conf
@@ -0,0 +1,71 @@
+################################################################################
+# GnuPG Options
+
+# (OpenPGP-Configuration-Options)
+# Assume that command line arguments are given as UTF8 strings.
+utf8-strings
+
+# (OpenPGP-Protocol-Options)
+# Set the list of personal digest/cipher/compression preferences. This allows
+# the user to safely override the algorithm chosen by the recipient key
+# preferences, as GPG will only select an algorithm that is usable by all
+# recipients.
+personal-digest-preferences SHA512 SHA384 SHA256 SHA224
+personal-cipher-preferences AES256 AES192 AES CAST5 CAMELLIA192 BLOWFISH TWOFISH CAMELLIA128 3DES
+personal-compress-preferences ZLIB BZIP2 ZIP
+
+# Set the list of default preferences to string. This preference list is used
+# for new keys and becomes the default for "setpref" in the edit menu.
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
+
+# (OpenPGP-Esoteric-Options)
+# Use name as the message digest algorithm used when signing a key. Running the
+# program with the command --version yields a list of supported algorithms. Be
+# aware that if you choose an algorithm that GnuPG supports but other OpenPGP
+# implementations do not, then some users will not be able to use the key
+# signatures you make, or quite possibly your entire key.
+#
+# SHA-1 is the only algorithm specified for OpenPGP V4. By changing the
+# cert-digest-algo, the OpenPGP V4 specification is not met but with even
+# GnuPG 1.4.10 (release 2009) supporting SHA-2 algorithm, this should be safe.
+# Source: https://tools.ietf.org/html/rfc4880#section-12.2
+cert-digest-algo SHA512
+digest-algo SHA256
+
+# Selects how passphrases for symmetric encryption are mangled. 3 (the default)
+# iterates the whole process a number of times (see --s2k-count).
+s2k-mode 3
+
+# (OpenPGP-Protocol-Options)
+# Use name as the cipher algorithm for symmetric encryption with a passphrase
+# if --personal-cipher-preferences and --cipher-algo are not given. The
+# default is AES-128.
+s2k-cipher-algo AES256
+
+# (OpenPGP-Protocol-Options)
+# Use name as the digest algorithm used to mangle the passphrases for symmetric
+# encryption. The default is SHA-1.
+s2k-digest-algo SHA512
+
+# (OpenPGP-Protocol-Options)
+# Specify how many times the passphrases mangling for symmetric encryption is
+# repeated. This value may range between 1024 and 65011712 inclusive. The
+# default is inquired from gpg-agent. Note that not all values in the
+# 1024-65011712 range are legal and if an illegal value is selected, GnuPG will
+# round up to the nearest legal value. This option is only meaningful if
+# --s2k-mode is set to the default of 3.
+s2k-count 1015808
+
+################################################################################
+# GnuPG View Options
+
+# Select how to display key IDs. "long" is the more accurate (but less
+# convenient) 16-character key ID. Add an "0x" to include an "0x" at the
+# beginning of the key ID.
+keyid-format 0xlong
+
+# List all keys with their fingerprints. This is the same output as --list-keys
+# but with the additional output of a line with the fingerprint. If this
+# command is given twice, the fingerprints of all secondary keys are listed too.
+with-fingerprint
+with-fingerprint
diff --git a/.github/test-key-base64.pgp → __tests__/fixtures/test-key-base64.pgp b/.github/test-key-base64.pgp → __tests__/fixtures/test-key-base64.pgp
diff --git a/.github/test-key.pass → __tests__/fixtures/test-key.pass b/.github/test-key.pass → __tests__/fixtures/test-key.pass
diff --git a/.github/test-key.pgp → __tests__/fixtures/test-key.pgp b/.github/test-key.pgp → __tests__/fixtures/test-key.pgp
diff --git a/__tests__/fixtures/test-subkey-base64.pgp b/__tests__/fixtures/test-subkey-base64.pgp
@@ -0,0 +1 @@
+LS0tLS1CRUdJTiBQR1AgUFJJVkFURSBLRVkgQkxPQ0stLS0tLQoKbElZRVlVNU0yaFlKS3dZQkJBSGFSdzhCQVFkQXNSbDlDUEtaaDB4MC9FRDFveDJwTmJ6R1J1TlpvRlVSN0JsYgpOUUdabzB6K0J3TUN1dVdvaTR5WTQ0YkhNU1AwMjBLRmUvOHhpWHJwby9LandiMXJaa1g3dW1laWZBRFh6L1JiCmJuMXdKMENGQ09TOHl4R3laL3NCYlk1OGZEL0gvMFU2TFdiSmRHSG1mZ0RXYTl0OEFQK09NTFFWU205bElFSmgKY2lBOGFtOWxRR0poY2k1bWIyOCtpSkFFRXhZS0FEZ1dJUVNIOGxlNG5PUmlFQXZzRC81Z2NkSVlPQS9jeUFVQwpZVTVNMmdJYkFRVUxDUWdIQXdVVkNna0lDd1VXQWdNQkFBSWVBUUlYZ0FBS0NSQmdjZElZT0EvY3lGd1VBUUN0CmRQdzU3MDh0Z296NkNqcEFMbzBjQ2NtZ2xuVHdGWlBYTm1DaGdPZUIzQUVBdkdNV2lrYy9iaG9waVRGUzNLVWkKR042a1o5ZUlhaTRYeDloTjRSZTlEd1NjaGdSaFRrMURGZ2tyQmdFRUFkcEhEd0VCQjBDVUtPdVVMYlNqZVF4QwpHNmY4VkhNWHRUbnc4MkF2TmlwM01rY3RNZEZmbC80SEF3SlBPM1loUVJkWU44Y1A1cVhvOFcwazFPZEJaTEJyCmN5cm5ra2tYVk91cjh1SlExV2tMb2FMSnZ3VmN1MlplSFlWdmcramNFSmVlTVF0ME43OWVOUUs5VVMzeEQ5ak4Kc2JZbTVrUkNHWldpaU84RUdCWUtBQ0FXSVFTSDhsZTRuT1JpRUF2c0QvNWdjZElZT0EvY3lBVUNZVTVOUXdJYgpBZ0NCQ1JCZ2NkSVlPQS9jeUhZZ0JCa1dDZ0FkRmlFRXdYMFJyZkdaOFNvd29KRVBINEJFbStDd2pMZ0ZBbUZPClRVTUFDZ2tRSDRCRW0rQ3dqTGlJT1FFQTZjazVCbXMwYzBvbHV4Ly9BeUprMlpINWl5WW11WmpaVTJNOEhtcEoKa1BJQkFPVWJsQmlwZURpc0dqQ0VmTE1SN1czcFBYTTMyY0ZOWVdwOW1SNzJ6SWdOcEdvQS8zM1grRG55VHhtTgpYeUlpZFFtK0J3TFBZOXRTUlMvL0dCbVg4eHdDUWpWS0FRRG54V0VyaVk4clBQOTFUblhtR0VjL05LeFZVcHJoCjVRTndjMHNBTjVGRUJ3PT0KPTExQjQKLS0tLS1FTkQgUEdQIFBSSVZBVEUgS0VZIEJMT0NLLS0tLS0K
diff --git a/__tests__/fixtures/test-subkey.pass b/__tests__/fixtures/test-subkey.pass
@@ -0,0 +1 @@
+with another passphrase
diff --git a/__tests__/fixtures/test-subkey.pgp b/__tests__/fixtures/test-subkey.pgp
@@ -0,0 +1,19 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+lIYEYU5M2hYJKwYBBAHaRw8BAQdAsRl9CPKZh0x0/ED1ox2pNbzGRuNZoFUR7Blb
+NQGZo0z+BwMCuuWoi4yY44bHMSP020KFe/8xiXrpo/Kjwb1rZkX7umeifADXz/Rb
+bn1wJ0CFCOS8yxGyZ/sBbY58fD/H/0U6LWbJdGHmfgDWa9t8AP+OMLQVSm9lIEJh
+ciA8am9lQGJhci5mb28+iJAEExYKADgWIQSH8le4nORiEAvsD/5gcdIYOA/cyAUC
+YU5M2gIbAQULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBgcdIYOA/cyFwUAQCt
+dPw5708tgoz6CjpALo0cCcmglnTwFZPXNmChgOeB3AEAvGMWikc/bhopiTFS3KUi
+GN6kZ9eIai4Xx9hN4Re9DwSchgRhTk1DFgkrBgEEAdpHDwEBB0CUKOuULbSjeQxC
+G6f8VHMXtTnw82AvNip3MkctMdFfl/4HAwJPO3YhQRdYN8cP5qXo8W0k1OdBZLBr
+cyrnkkkXVOur8uJQ1WkLoaLJvwVcu2ZeHYVvg+jcEJeeMQt0N79eNQK9US3xD9jN
+sbYm5kRCGZWiiO8EGBYKACAWIQSH8le4nORiEAvsD/5gcdIYOA/cyAUCYU5NQwIb
+AgCBCRBgcdIYOA/cyHYgBBkWCgAdFiEEwX0RrfGZ8SowoJEPH4BEm+CwjLgFAmFO
+TUMACgkQH4BEm+CwjLiIOQEA6ck5Bms0c0olux//AyJk2ZH5iyYmuZjZU2M8HmpJ
+kPIBAOUblBipeDisGjCEfLMR7W3pPXM32cFNYWp9mR72zIgNpGoA/33X+DnyTxmN
+XyIidQm+BwLPY9tSRS//GBmX8xwCQjVKAQDnxWEriY8rPP91TnXmGEc/NKxVUprh
+5QNwc0sAN5FEBw==
+=11B4
+-----END PGP PRIVATE KEY BLOCK-----