123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386 |
- #!/bin/bash
- GNUPGHOME=$(mktemp -d)
- export GNUPGHOME
- echo "default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed" > "$GNUPGHOME/gpg.conf"
- trap 'rm -rf $GNUPGHOME' EXIT
- BASEDIR=$(dirname "$0")
- KEY_DIR="$BASEDIR/.."
- KEY_PASSPHRASE=zammad
- KEY_ALGO=rsa4096
- KEY_USAGE=sign,encr
- KEY_EXPIRE=10y
- MAIL_DIR="$KEY_DIR/mail/"
- echo "Zammad PGP test key generation"
- # Don't use dashes (-) in email addresses unless you know what you're doing!
- # shellcheck disable=SC2043
- for PGP_UID in zammad@localhost pgp1@example.com pgp2@example.com pgp2@example.com-other pgp3@example.com 'Nicole Braun <nicole.braun@zammad.org>' noexpirepgp1@example.com expiredpgp1@example.com ocbpgp1@example.com
- do
- echo "Processing key: $PGP_UID"
- echo -n " Identifying email address... "
- EMAIL_REGEX=$(echo "$PGP_UID" | perl -wlne '/<(.*)>/ and print $1')
- EMAIL_ADDRESS=${EMAIL_REGEX:-$PGP_UID}
- echo "$EMAIL_ADDRESS"
- # Support additional keys.
- PGP_UID=${PGP_UID%-*}
- echo " Using '$PGP_UID' as UID…"
- KEY_EXPIRE_ARG=$KEY_EXPIRE
- # Support keys without expiration date.
- [[ $PGP_UID =~ ^noexpire ]] && KEY_EXPIRE_ARG=0
- # Support expired keys.
- [[ $PGP_UID =~ ^expired ]] && KEY_EXPIRE_ARG=$(date -u +'%Y%m%dT000000')
- # Support AEAD: OCB keys.
- if [[ $PGP_UID =~ ^ocb ]]; then
- # Support for OCB was added in GPG 2.2.40, it will not work on older versions.
- if printf '%s\n%s\n' "$(gpg --version | head -1 | cut -d' ' -f3)" "2.2.40" | sort -rVC; then
- DEFAULT_PREFERENCE_LIST_ARG=--default-preference-list="AES256,AES192,AES,CAST5,3DES,OCB,SHA512,SHA384,SHA256,SHA224,SHA1,ZLIB,BZIP2,ZIP,Uncompressed,MDC,AEAD"
- else
- echo " ERROR: GnuPG too old, please update to v2.2.40 or later in order to generate OCB keys."
- echo " Skipping…"
- continue
- fi
- fi
- echo " Generating key…"
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE $DEFAULT_PREFERENCE_LIST_ARG --quick-generate-key "$PGP_UID" $KEY_ALGO $KEY_USAGE $KEY_EXPIRE_ARG
- echo " Exporting public key…"
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --output "$KEY_DIR/$EMAIL_ADDRESS.pub.pgp" --export "$PGP_UID"
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --output "$KEY_DIR/$EMAIL_ADDRESS.pub.asc" --armor --export "$PGP_UID"
- echo " Exporting private key…"
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --output "$KEY_DIR/$EMAIL_ADDRESS.pgp" --export-secret-key "$PGP_UID"
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --output "$KEY_DIR/$EMAIL_ADDRESS.asc" --armor --export-secret-key "$PGP_UID"
- echo " Exporting key information…"
- echo -n $KEY_PASSPHRASE > "$KEY_DIR/$EMAIL_ADDRESS.passphrase"
- KEY_INFO=$(gpg --batch --quiet --with-colons --with-fingerprint --fixed-list-mode --show-key "$KEY_DIR/$EMAIL_ADDRESS.pub.asc")
- KEY_CREATED_AT=$(echo "$KEY_INFO" | head -n 1 | cut -d: -f6)
- echo -n "$(date -d @$KEY_CREATED_AT -u +'%Y-%m-%dT%H:%M:%SZ' 2>/dev/null || date -r $KEY_CREATED_AT -u +'%Y-%m-%dT%H:%M:%SZ')" > "$KEY_DIR/$EMAIL_ADDRESS.created_at"
- KEY_EXPIRES_AT=$(echo "$KEY_INFO" | head -n 1 | cut -d: -f7)
- if [ -n "$KEY_EXPIRES_AT" ]; then
- echo -n "$(date -d @$KEY_EXPIRES_AT -u +'%Y-%m-%dT%H:%M:%SZ' 2>/dev/null || date -r $KEY_EXPIRES_AT -u +'%Y-%m-%dT%H:%M:%SZ')" > "$KEY_DIR/$EMAIL_ADDRESS.expires_at"
- fi
- KEY_FINGERPRINT=$(echo "$KEY_INFO" | head -n 2 | tail -1 | cut -d: -f10)
- echo -n $KEY_FINGERPRINT > "$KEY_DIR/$EMAIL_ADDRESS.fingerprint"
- # Cleanup.
- echo " Deleting keys from keyring…"
- gpg --batch --quiet --yes --delete-secret-key $KEY_FINGERPRINT
- gpg --batch --quiet --yes --delete-key $KEY_FINGERPRINT
- done
- # A key with multiple UIDs.
- PGP_UIDS=("Multi PGP2 <multipgp2@example.com>" "Multi PGP1 <multipgp1@example.com>")
- echo "Generating key for ${PGP_UIDS[0]}"
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --quick-generate-key "${PGP_UIDS[0]}" $KEY_ALGO $KEY_USAGE $KEY_EXPIRE
- for i in "${!PGP_UIDS[@]}"
- do
- if [[ $i -eq 0 ]]; then
- continue
- fi
- echo " Adding UID ${PGP_UIDS[$i]} to the same key…"
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --quick-add-uid "${PGP_UIDS[0]}" "${PGP_UIDS[$i]}"
- done
- EMAIL_REGEX=$(echo ${PGP_UIDS[0]} | perl -wlne '/<(.*)>/ and print $1')
- EMAIL_ADDRESS=${EMAIL_REGEX:-${PGP_UIDS[0]}}
- echo " Exporting public key for $EMAIL_ADDRESS"
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --output "$KEY_DIR/$EMAIL_ADDRESS.pub.pgp" --export $EMAIL_ADDRESS
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --output "$KEY_DIR/$EMAIL_ADDRESS.pub.asc" --armor --export $EMAIL_ADDRESS
- echo " Exporting private key for $EMAIL_ADDRESS"
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --output "$KEY_DIR/$EMAIL_ADDRESS.pgp" --export-secret-key $EMAIL_ADDRESS
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --output "$KEY_DIR/$EMAIL_ADDRESS.asc" --armor --export-secret-key $EMAIL_ADDRESS
- echo " Exporting key information for $EMAIL_ADDRESS"
- echo -n $KEY_PASSPHRASE > "$KEY_DIR/$EMAIL_ADDRESS.passphrase"
- KEY_INFO=$(gpg --quiet --with-colons --with-fingerprint --fixed-list-mode --show-key "$KEY_DIR/$EMAIL_ADDRESS.pub.asc")
- KEY_CREATED_AT=$(echo "$KEY_INFO" | head -n 1 | cut -d: -f6)
- echo -n "$(date -d @$KEY_CREATED_AT -u +'%Y-%m-%dT%H:%M:%SZ' 2>/dev/null || date -r $KEY_CREATED_AT -u +'%Y-%m-%dT%H:%M:%SZ')" > "$KEY_DIR/$EMAIL_ADDRESS.created_at"
- KEY_EXPIRES_AT=$(echo "$KEY_INFO" | head -n 1 | cut -d: -f7)
- echo -n "$(date -d @$KEY_EXPIRES_AT -u +'%Y-%m-%dT%H:%M:%SZ' 2>/dev/null || date -r $KEY_EXPIRES_AT -u +'%Y-%m-%dT%H:%M:%SZ')" > "$KEY_DIR/$EMAIL_ADDRESS.expires_at"
- KEY_FINGERPRINT=$(echo "$KEY_INFO" | head -n 2 | tail -1 | cut -d: -f10)
- echo -n $KEY_FINGERPRINT > "$KEY_DIR/$EMAIL_ADDRESS.fingerprint"
- echo "Generating signed test mails (detached signature)"
- # shellcheck disable=SC2042
- for TEST_MAIL_KEY in mail-expired,expiredpgp1@example.com
- do
- TEST_MAIL=${TEST_MAIL_KEY%,*}
- EMAIL_ADDRESS=${TEST_MAIL_KEY#*,}
- echo "Processing mail: $TEST_MAIL"
- KEY_INFO=$(gpg --batch --quiet --with-colons --with-fingerprint --fixed-list-mode --show-key "$KEY_DIR/$EMAIL_ADDRESS.pub.asc")
- KEY_FINGERPRINT=$(echo "$KEY_INFO" | head -n 2 | tail -1 | cut -d: -f10)
- KEY_EXPIRES_AT=$(echo "$KEY_INFO" | head -n 1 | cut -d: -f7)
- KEY_EXPIRATION_DATE=$(date -d @$KEY_EXPIRES_AT -R 2>/dev/null || date -r $KEY_EXPIRES_AT -R)
- KEY_EXPIRE_ARG=$(date -d @$KEY_EXPIRES_AT -u +'%Y%m%dT%H%M%S' 2>/dev/null || date -r $KEY_EXPIRES_AT -u +'%Y%m%dT%H%M%S')
- echo " Importing key for $EMAIL_ADDRESS"
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --import < "$KEY_DIR/$EMAIL_ADDRESS.asc"
- echo " Computing current date header…"
- echo "Date: $(date -R)" > "$MAIL_DIR/$TEST_MAIL.box"
- # Support expired keys.
- [[ $EMAIL_ADDRESS =~ ^expired ]] && echo "Date: $KEY_EXPIRATION_DATE" > "$MAIL_DIR/$TEST_MAIL.box"
- echo " Constructing mail body…"
- cat "$MAIL_DIR/$TEST_MAIL.part1.box" "$MAIL_DIR/$TEST_MAIL.part2.box" "$MAIL_DIR/$TEST_MAIL.part3.box" >> "$MAIL_DIR/$TEST_MAIL.box"
- echo " Appending message signature…"
- # Support expired keys.
- if [[ $EMAIL_ADDRESS =~ ^expired ]]; then
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --armor --detach-sign --trust-model=always --faked-system-time=$KEY_EXPIRE_ARG --default-key $KEY_FINGERPRINT --sign < "$MAIL_DIR/$TEST_MAIL.part2.box" >> "$MAIL_DIR/$TEST_MAIL.box"
- else
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --armor --detach-sign --trust-model=always --default-key $KEY_FINGERPRINT --sign < "$MAIL_DIR/$TEST_MAIL.part2.box" >> "$MAIL_DIR/$TEST_MAIL.box"
- fi
- echo " Ending mail file…"
- cat "$MAIL_DIR/$TEST_MAIL.part5.box" >> "$MAIL_DIR/$TEST_MAIL.box"
- done
- echo "Generating encrypted test mails"
- # Don't use dashes (-) in email addresses unless you know what you're doing!
- # shellcheck disable=SC2042,SC2258
- for TEST_MAIL_SENDER_RECIPIENTS in mail-other-key,pgp1@example.com,pgp2@example.com-other,pgp3@example.com mail-decrypt-expired,pgp1@example.com,expiredpgp1@example.com,expiredpgp1@example.com mail-ocb,pgp1@example.com,ocbpgp1@example.com,pgp3@example.com mail-decrypt-bcc,pgp1@example.com,zammad@localhost,
- do
- TEST_MAIL=${TEST_MAIL_SENDER_RECIPIENTS%,*,*,*}
- EMAIL_ADDRESSES=${TEST_MAIL_SENDER_RECIPIENTS#*,}
- SENDER_EMAIL_ADDRESS=${EMAIL_ADDRESSES%,*,*}
- # shellcheck disable=SC2206
- RECIPIENTS=(${EMAIL_ADDRESSES#*,})
- # shellcheck disable=SC2128
- IFS=',' read -r -a RECIPIENT_EMAIL_ADDRESSES <<< "$RECIPIENTS"
- echo "Processing mail: $TEST_MAIL"
- unset RECIPIENTS_ARG
- unset KEY_EXPIRATION_DATE
- unset FAKED_SYSTEM_TIME_ARG
- unset FORCE_OCB_ARG
- for RECIPIENT_EMAIL_ADDRESS in "${RECIPIENT_EMAIL_ADDRESSES[@]}"
- do
- echo " Importing public key for $RECIPIENT_EMAIL_ADDRESS"
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --import < "$KEY_DIR/$RECIPIENT_EMAIL_ADDRESS.pub.asc"
- # Support expired keys.
- if [[ $RECIPIENT_EMAIL_ADDRESS =~ ^expired ]]; then
- KEY_INFO=$(gpg --batch --quiet --with-colons --with-fingerprint --fixed-list-mode --show-key "$KEY_DIR/$RECIPIENT_EMAIL_ADDRESS.pub.asc")
- KEY_EXPIRES_AT=$(echo "$KEY_INFO" | head -n 1 | cut -d: -f7)
- KEY_EXPIRATION_DATE=$(date -d @$KEY_EXPIRES_AT -R 2>/dev/null || date -r $KEY_EXPIRES_AT -R)
- KEY_EXPIRE_ARG=$(date -d @$KEY_EXPIRES_AT -u +'%Y%m%dT%H%M%S' 2>/dev/null || date -r $KEY_EXPIRES_AT -u +'%Y%m%dT%H%M%S')
- FAKED_SYSTEM_TIME_ARG="--faked-system-time=$KEY_EXPIRE_ARG"
- fi
- # Support AEAD: OCB keys.
- if [[ $RECIPIENT_EMAIL_ADDRESS =~ ^ocb ]]; then
- # Support for OCB was added in GPG 2.2.40, it will not work on older versions.
- if printf '%s\n%s\n' "$(gpg --version | head -1 | cut -d' ' -f3)" "2.2.40" | sort -rVC; then
- FORCE_OCB_ARG=--force-ocb
- else
- echo " ERROR: GnuPG too old, please update to v2.3.0 or later in order to generate OCB keys."
- echo " Skipping…"
- continue 2
- fi
- fi
- SANITIZED_EMAIL_ADDRESS=${RECIPIENT_EMAIL_ADDRESS%-*}
- echo " Using $SANITIZED_EMAIL_ADDRESS as recipient…"
- RECIPIENTS_ARG="$RECIPIENTS_ARG --recipient $SANITIZED_EMAIL_ADDRESS"
- done
- echo " Computing current date header…"
- echo "Date: $(date -R)" > "$MAIL_DIR/$TEST_MAIL.box"
- # Support expired keys.
- [[ ! -z $KEY_EXPIRATION_DATE ]] && echo "Date: $KEY_EXPIRATION_DATE" > "$MAIL_DIR/$TEST_MAIL.box"
- echo " Constructing mail body…"
- cat "$MAIL_DIR/$TEST_MAIL.part1.box" >> "$MAIL_DIR/$TEST_MAIL.box"
- echo " Encrypting message…"
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --armor --trust-model=always $FAKED_SYSTEM_TIME_ARG $FORCE_OCB_ARG $RECIPIENTS_ARG --encrypt < "$MAIL_DIR/$TEST_MAIL.message.box" >> "$MAIL_DIR/$TEST_MAIL.box"
- echo " Ending mail file…"
- cat "$MAIL_DIR/$TEST_MAIL.part3.box" >> "$MAIL_DIR/$TEST_MAIL.box"
- done
- echo "Generating encrypted + signed test mails"
- # Don't use dashes (-) in email addresses unless you know what you're doing!
- # shellcheck disable=SC2042
- for TEST_MAIL_SENDER_RECIPIENTS in mail-detached,pgp1@example.com,pgp2@example.com,pgp3@example.com mail-attached,pgp1@example.com,pgp2@example.com,pgp3@example.com
- do
- TEST_MAIL=${TEST_MAIL_SENDER_RECIPIENTS%,*,*,*}
- EMAIL_ADDRESSES=${TEST_MAIL_SENDER_RECIPIENTS#*,}
- SENDER_EMAIL_ADDRESS=${EMAIL_ADDRESSES%,*,*}
- # shellcheck disable=SC2206
- RECIPIENTS=(${EMAIL_ADDRESSES#*,})
- # shellcheck disable=SC2128
- IFS=',' read -r -a RECIPIENT_EMAIL_ADDRESSES <<< "$RECIPIENTS"
- echo "Processing mail: $TEST_MAIL"
- KEY_INFO=$(gpg --batch --quiet --with-colons --with-fingerprint --fixed-list-mode --show-key "$KEY_DIR/$SENDER_EMAIL_ADDRESS.pub.asc")
- KEY_FINGERPRINT=$(echo "$KEY_INFO" | head -n 2 | tail -1 | cut -d: -f10)
- KEY_EXPIRES_AT=$(echo "$KEY_INFO" | head -n 1 | cut -d: -f7)
- KEY_EXPIRATION_DATE=$(date -d @$KEY_EXPIRES_AT -R 2>/dev/null || date -r $KEY_EXPIRES_AT -R)
- KEY_EXPIRE_ARG=$(date -d @$KEY_EXPIRES_AT -u +'%Y%m%dT%H%M%S' 2>/dev/null || date -r $KEY_EXPIRES_AT -u +'%Y%m%dT%H%M%S')
- echo " Importing key for $SENDER_EMAIL_ADDRESS"
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --import < "$KEY_DIR/$SENDER_EMAIL_ADDRESS.asc"
- echo " Constructing signed message…"
- SIGNED_MESSAGE_DIR=$(mktemp -d)
- cat "$MAIL_DIR/$TEST_MAIL.message.part1.box" "$MAIL_DIR/$TEST_MAIL.message.part2.box" "$MAIL_DIR/$TEST_MAIL.message.part3.box" > "$SIGNED_MESSAGE_DIR/signed-message"
- echo " Signing message…"
- DETACH_SIGN_ARG=--detach-sign
- # Support attached signatures.
- [[ $TEST_MAIL =~ -attached$ ]] && unset DETACH_SIGN_ARG
- # Support expired keys.
- if [[ $SENDER_EMAIL_ADDRESS =~ ^expired ]]; then
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --armor $DETACH_SIGN_ARG --trust-model=always --faked-system-time=$KEY_EXPIRE_ARG --default-key $KEY_FINGERPRINT --sign < "$MAIL_DIR/$TEST_MAIL.message.part2.box" >> "$SIGNED_MESSAGE_DIR/signed-message"
- else
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --armor $DETACH_SIGN_ARG --trust-model=always --default-key $KEY_FINGERPRINT --sign < "$MAIL_DIR/$TEST_MAIL.message.part2.box" >> "$SIGNED_MESSAGE_DIR/signed-message"
- fi
- echo " Ending signed message…"
- cat "$MAIL_DIR/$TEST_MAIL.message.part5.box" >> "$SIGNED_MESSAGE_DIR/signed-message"
- echo " Computing current date header…"
- echo "Date: $(date -R)" > "$MAIL_DIR/$TEST_MAIL.box"
- # Support expired keys.
- [[ $SENDER_EMAIL_ADDRESS =~ ^expired ]] && echo "Date: $KEY_EXPIRATION_DATE" > "$MAIL_DIR/$TEST_MAIL.box"
- echo " Constructing mail body…"
- cat "$MAIL_DIR/$TEST_MAIL.part1.box" >> "$MAIL_DIR/$TEST_MAIL.box"
- unset RECIPIENTS_ARG
- for RECIPIENT_EMAIL_ADDRESS in "${RECIPIENT_EMAIL_ADDRESSES[@]}"
- do
- echo " Importing public key for $RECIPIENT_EMAIL_ADDRESS"
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --import < "$KEY_DIR/$RECIPIENT_EMAIL_ADDRESS.pub.asc"
- SANITIZED_EMAIL_ADDRESS=${RECIPIENT_EMAIL_ADDRESS%-*}
- echo " Using $SANITIZED_EMAIL_ADDRESS as recipient…"
- RECIPIENTS_ARG="$RECIPIENTS_ARG --recipient $SANITIZED_EMAIL_ADDRESS"
- done
- echo " Encrypting message…"
- # Support expired keys.
- if [[ $SENDER_EMAIL_ADDRESS =~ ^expired ]]; then
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --armor --trust-model=always --faked-system-time=$KEY_EXPIRE_ARG $RECIPIENTS_ARG --encrypt < "$SIGNED_MESSAGE_DIR/signed-message" >> "$MAIL_DIR/$TEST_MAIL.box"
- else
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --armor --trust-model=always $RECIPIENTS_ARG --encrypt < "$SIGNED_MESSAGE_DIR/signed-message" >> "$MAIL_DIR/$TEST_MAIL.box"
- fi
- echo " Ending mail file…"
- cat "$MAIL_DIR/$TEST_MAIL.part3.box" >> "$MAIL_DIR/$TEST_MAIL.box"
- # Cleanup.
- rm -rf $SIGNED_MESSAGE_DIR && unset SIGNED_MESSAGE_DIR
- done
- echo "Generating encrypted + signed test mails (combined)"
- # Don't use dashes (-) in email addresses unless you know what you're doing!
- # shellcheck disable=SC2042
- for TEST_MAIL_SENDER_RECIPIENTS in mail-combined,pgp1@example.com,pgp2@example.com,pgp3@example.com
- do
- TEST_MAIL=${TEST_MAIL_SENDER_RECIPIENTS%,*,*,*}
- EMAIL_ADDRESSES=${TEST_MAIL_SENDER_RECIPIENTS#*,}
- SENDER_EMAIL_ADDRESS=${EMAIL_ADDRESSES%,*,*}
- # shellcheck disable=SC2206
- RECIPIENTS=(${EMAIL_ADDRESSES#*,})
- # shellcheck disable=SC2128
- IFS=',' read -r -a RECIPIENT_EMAIL_ADDRESSES <<< "$RECIPIENTS"
- echo "Processing mail: $TEST_MAIL"
- KEY_INFO=$(gpg --batch --quiet --with-colons --with-fingerprint --fixed-list-mode --show-key "$KEY_DIR/$SENDER_EMAIL_ADDRESS.pub.asc")
- KEY_FINGERPRINT=$(echo "$KEY_INFO" | head -n 2 | tail -1 | cut -d: -f10)
- KEY_EXPIRES_AT=$(echo "$KEY_INFO" | head -n 1 | cut -d: -f7)
- KEY_EXPIRATION_DATE=$(date -d @$KEY_EXPIRES_AT -R 2>/dev/null || date -r $KEY_EXPIRES_AT -R)
- KEY_EXPIRE_ARG=$(date -d @$KEY_EXPIRES_AT -u +'%Y%m%dT%H%M%S' 2>/dev/null || date -r $KEY_EXPIRES_AT -u +'%Y%m%dT%H%M%S')
- echo " Importing key for $SENDER_EMAIL_ADDRESS"
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --import < "$KEY_DIR/$SENDER_EMAIL_ADDRESS.asc"
- echo " Computing current date header…"
- echo "Date: $(date -R)" > "$MAIL_DIR/$TEST_MAIL.box"
- # Support expired keys.
- [[ $SENDER_EMAIL_ADDRESS =~ ^expired ]] && echo "Date: $KEY_EXPIRATION_DATE" > "$MAIL_DIR/$TEST_MAIL.box"
- echo " Constructing mail body…"
- cat "$MAIL_DIR/$TEST_MAIL.part1.box" >> "$MAIL_DIR/$TEST_MAIL.box"
- for RECIPIENT_EMAIL_ADDRESS in "${RECIPIENT_EMAIL_ADDRESSES[@]}"
- do
- echo " Importing public key for $RECIPIENT_EMAIL_ADDRESS"
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --import < "$KEY_DIR/$RECIPIENT_EMAIL_ADDRESS.pub.asc"
- SANITIZED_EMAIL_ADDRESS=${RECIPIENT_EMAIL_ADDRESS%-*}
- echo " Using $SANITIZED_EMAIL_ADDRESS as recipient…"
- RECIPIENTS_ARG="$RECIPIENTS_ARG --recipient $SANITIZED_EMAIL_ADDRESS"
- done
- echo " Encrypting + signing message in one command…"
- # Support expired keys.
- if [[ $SENDER_EMAIL_ADDRESS =~ ^expired ]]; then
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --armor --trust-model=always --faked-system-time=$KEY_EXPIRE_ARG --default-key $KEY_FINGERPRINT --sign $RECIPIENTS_ARG --encrypt < "$MAIL_DIR/$TEST_MAIL.part2.box" >> "$MAIL_DIR/$TEST_MAIL.box"
- else
- gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --armor --trust-model=always --default-key $KEY_FINGERPRINT --sign $RECIPIENTS_ARG --encrypt < "$MAIL_DIR/$TEST_MAIL.part2.box" >> "$MAIL_DIR/$TEST_MAIL.box"
- fi
- echo " Ending mail file…"
- cat "$MAIL_DIR/$TEST_MAIL.part3.box" >> "$MAIL_DIR/$TEST_MAIL.box"
- done
- echo "Done."
|