run.sh 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386
  1. #!/bin/bash
  2. GNUPGHOME=$(mktemp -d)
  3. export GNUPGHOME
  4. echo "default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed" > "$GNUPGHOME/gpg.conf"
  5. trap 'rm -rf $GNUPGHOME' EXIT
  6. BASEDIR=$(dirname "$0")
  7. KEY_DIR="$BASEDIR/.."
  8. KEY_PASSPHRASE=zammad
  9. KEY_ALGO=rsa4096
  10. KEY_USAGE=sign,encr
  11. KEY_EXPIRE=10y
  12. MAIL_DIR="$KEY_DIR/mail/"
  13. echo "Zammad PGP test key generation"
  14. # Don't use dashes (-) in email addresses unless you know what you're doing!
  15. # shellcheck disable=SC2043
  16. for PGP_UID in zammad@localhost pgp1@example.com pgp2@example.com pgp2@example.com-other pgp3@example.com 'Nicole Braun <nicole.braun@zammad.org>' noexpirepgp1@example.com expiredpgp1@example.com ocbpgp1@example.com
  17. do
  18. echo "Processing key: $PGP_UID"
  19. echo -n " Identifying email address... "
  20. EMAIL_REGEX=$(echo "$PGP_UID" | perl -wlne '/<(.*)>/ and print $1')
  21. EMAIL_ADDRESS=${EMAIL_REGEX:-$PGP_UID}
  22. echo "$EMAIL_ADDRESS"
  23. # Support additional keys.
  24. PGP_UID=${PGP_UID%-*}
  25. echo " Using '$PGP_UID' as UID…"
  26. KEY_EXPIRE_ARG=$KEY_EXPIRE
  27. # Support keys without expiration date.
  28. [[ $PGP_UID =~ ^noexpire ]] && KEY_EXPIRE_ARG=0
  29. # Support expired keys.
  30. [[ $PGP_UID =~ ^expired ]] && KEY_EXPIRE_ARG=$(date -u +'%Y%m%dT000000')
  31. # Support AEAD: OCB keys.
  32. if [[ $PGP_UID =~ ^ocb ]]; then
  33. # Support for OCB was added in GPG 2.2.40, it will not work on older versions.
  34. if printf '%s\n%s\n' "$(gpg --version | head -1 | cut -d' ' -f3)" "2.2.40" | sort -rVC; then
  35. DEFAULT_PREFERENCE_LIST_ARG=--default-preference-list="AES256,AES192,AES,CAST5,3DES,OCB,SHA512,SHA384,SHA256,SHA224,SHA1,ZLIB,BZIP2,ZIP,Uncompressed,MDC,AEAD"
  36. else
  37. echo " ERROR: GnuPG too old, please update to v2.2.40 or later in order to generate OCB keys."
  38. echo " Skipping…"
  39. continue
  40. fi
  41. fi
  42. echo " Generating key…"
  43. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE $DEFAULT_PREFERENCE_LIST_ARG --quick-generate-key "$PGP_UID" $KEY_ALGO $KEY_USAGE $KEY_EXPIRE_ARG
  44. echo " Exporting public key…"
  45. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --output "$KEY_DIR/$EMAIL_ADDRESS.pub.pgp" --export "$PGP_UID"
  46. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --output "$KEY_DIR/$EMAIL_ADDRESS.pub.asc" --armor --export "$PGP_UID"
  47. echo " Exporting private key…"
  48. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --output "$KEY_DIR/$EMAIL_ADDRESS.pgp" --export-secret-key "$PGP_UID"
  49. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --output "$KEY_DIR/$EMAIL_ADDRESS.asc" --armor --export-secret-key "$PGP_UID"
  50. echo " Exporting key information…"
  51. echo -n $KEY_PASSPHRASE > "$KEY_DIR/$EMAIL_ADDRESS.passphrase"
  52. KEY_INFO=$(gpg --batch --quiet --with-colons --with-fingerprint --fixed-list-mode --show-key "$KEY_DIR/$EMAIL_ADDRESS.pub.asc")
  53. KEY_CREATED_AT=$(echo "$KEY_INFO" | head -n 1 | cut -d: -f6)
  54. echo -n "$(date -d @$KEY_CREATED_AT -u +'%Y-%m-%dT%H:%M:%SZ' 2>/dev/null || date -r $KEY_CREATED_AT -u +'%Y-%m-%dT%H:%M:%SZ')" > "$KEY_DIR/$EMAIL_ADDRESS.created_at"
  55. KEY_EXPIRES_AT=$(echo "$KEY_INFO" | head -n 1 | cut -d: -f7)
  56. if [ -n "$KEY_EXPIRES_AT" ]; then
  57. echo -n "$(date -d @$KEY_EXPIRES_AT -u +'%Y-%m-%dT%H:%M:%SZ' 2>/dev/null || date -r $KEY_EXPIRES_AT -u +'%Y-%m-%dT%H:%M:%SZ')" > "$KEY_DIR/$EMAIL_ADDRESS.expires_at"
  58. fi
  59. KEY_FINGERPRINT=$(echo "$KEY_INFO" | head -n 2 | tail -1 | cut -d: -f10)
  60. echo -n $KEY_FINGERPRINT > "$KEY_DIR/$EMAIL_ADDRESS.fingerprint"
  61. # Cleanup.
  62. echo " Deleting keys from keyring…"
  63. gpg --batch --quiet --yes --delete-secret-key $KEY_FINGERPRINT
  64. gpg --batch --quiet --yes --delete-key $KEY_FINGERPRINT
  65. done
  66. # A key with multiple UIDs.
  67. PGP_UIDS=("Multi PGP2 <multipgp2@example.com>" "Multi PGP1 <multipgp1@example.com>")
  68. echo "Generating key for ${PGP_UIDS[0]}"
  69. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --quick-generate-key "${PGP_UIDS[0]}" $KEY_ALGO $KEY_USAGE $KEY_EXPIRE
  70. for i in "${!PGP_UIDS[@]}"
  71. do
  72. if [[ $i -eq 0 ]]; then
  73. continue
  74. fi
  75. echo " Adding UID ${PGP_UIDS[$i]} to the same key…"
  76. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --quick-add-uid "${PGP_UIDS[0]}" "${PGP_UIDS[$i]}"
  77. done
  78. EMAIL_REGEX=$(echo ${PGP_UIDS[0]} | perl -wlne '/<(.*)>/ and print $1')
  79. EMAIL_ADDRESS=${EMAIL_REGEX:-${PGP_UIDS[0]}}
  80. echo " Exporting public key for $EMAIL_ADDRESS"
  81. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --output "$KEY_DIR/$EMAIL_ADDRESS.pub.pgp" --export $EMAIL_ADDRESS
  82. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --output "$KEY_DIR/$EMAIL_ADDRESS.pub.asc" --armor --export $EMAIL_ADDRESS
  83. echo " Exporting private key for $EMAIL_ADDRESS"
  84. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --output "$KEY_DIR/$EMAIL_ADDRESS.pgp" --export-secret-key $EMAIL_ADDRESS
  85. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --output "$KEY_DIR/$EMAIL_ADDRESS.asc" --armor --export-secret-key $EMAIL_ADDRESS
  86. echo " Exporting key information for $EMAIL_ADDRESS"
  87. echo -n $KEY_PASSPHRASE > "$KEY_DIR/$EMAIL_ADDRESS.passphrase"
  88. KEY_INFO=$(gpg --quiet --with-colons --with-fingerprint --fixed-list-mode --show-key "$KEY_DIR/$EMAIL_ADDRESS.pub.asc")
  89. KEY_CREATED_AT=$(echo "$KEY_INFO" | head -n 1 | cut -d: -f6)
  90. echo -n "$(date -d @$KEY_CREATED_AT -u +'%Y-%m-%dT%H:%M:%SZ' 2>/dev/null || date -r $KEY_CREATED_AT -u +'%Y-%m-%dT%H:%M:%SZ')" > "$KEY_DIR/$EMAIL_ADDRESS.created_at"
  91. KEY_EXPIRES_AT=$(echo "$KEY_INFO" | head -n 1 | cut -d: -f7)
  92. echo -n "$(date -d @$KEY_EXPIRES_AT -u +'%Y-%m-%dT%H:%M:%SZ' 2>/dev/null || date -r $KEY_EXPIRES_AT -u +'%Y-%m-%dT%H:%M:%SZ')" > "$KEY_DIR/$EMAIL_ADDRESS.expires_at"
  93. KEY_FINGERPRINT=$(echo "$KEY_INFO" | head -n 2 | tail -1 | cut -d: -f10)
  94. echo -n $KEY_FINGERPRINT > "$KEY_DIR/$EMAIL_ADDRESS.fingerprint"
  95. echo "Generating signed test mails (detached signature)"
  96. # shellcheck disable=SC2042
  97. for TEST_MAIL_KEY in mail-expired,expiredpgp1@example.com
  98. do
  99. TEST_MAIL=${TEST_MAIL_KEY%,*}
  100. EMAIL_ADDRESS=${TEST_MAIL_KEY#*,}
  101. echo "Processing mail: $TEST_MAIL"
  102. KEY_INFO=$(gpg --batch --quiet --with-colons --with-fingerprint --fixed-list-mode --show-key "$KEY_DIR/$EMAIL_ADDRESS.pub.asc")
  103. KEY_FINGERPRINT=$(echo "$KEY_INFO" | head -n 2 | tail -1 | cut -d: -f10)
  104. KEY_EXPIRES_AT=$(echo "$KEY_INFO" | head -n 1 | cut -d: -f7)
  105. KEY_EXPIRATION_DATE=$(date -d @$KEY_EXPIRES_AT -R 2>/dev/null || date -r $KEY_EXPIRES_AT -R)
  106. KEY_EXPIRE_ARG=$(date -d @$KEY_EXPIRES_AT -u +'%Y%m%dT%H%M%S' 2>/dev/null || date -r $KEY_EXPIRES_AT -u +'%Y%m%dT%H%M%S')
  107. echo " Importing key for $EMAIL_ADDRESS"
  108. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --import < "$KEY_DIR/$EMAIL_ADDRESS.asc"
  109. echo " Computing current date header…"
  110. echo "Date: $(date -R)" > "$MAIL_DIR/$TEST_MAIL.box"
  111. # Support expired keys.
  112. [[ $EMAIL_ADDRESS =~ ^expired ]] && echo "Date: $KEY_EXPIRATION_DATE" > "$MAIL_DIR/$TEST_MAIL.box"
  113. echo " Constructing mail body…"
  114. cat "$MAIL_DIR/$TEST_MAIL.part1.box" "$MAIL_DIR/$TEST_MAIL.part2.box" "$MAIL_DIR/$TEST_MAIL.part3.box" >> "$MAIL_DIR/$TEST_MAIL.box"
  115. echo " Appending message signature…"
  116. # Support expired keys.
  117. if [[ $EMAIL_ADDRESS =~ ^expired ]]; then
  118. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --armor --detach-sign --trust-model=always --faked-system-time=$KEY_EXPIRE_ARG --default-key $KEY_FINGERPRINT --sign < "$MAIL_DIR/$TEST_MAIL.part2.box" >> "$MAIL_DIR/$TEST_MAIL.box"
  119. else
  120. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --armor --detach-sign --trust-model=always --default-key $KEY_FINGERPRINT --sign < "$MAIL_DIR/$TEST_MAIL.part2.box" >> "$MAIL_DIR/$TEST_MAIL.box"
  121. fi
  122. echo " Ending mail file…"
  123. cat "$MAIL_DIR/$TEST_MAIL.part5.box" >> "$MAIL_DIR/$TEST_MAIL.box"
  124. done
  125. echo "Generating encrypted test mails"
  126. # Don't use dashes (-) in email addresses unless you know what you're doing!
  127. # shellcheck disable=SC2042,SC2258
  128. for TEST_MAIL_SENDER_RECIPIENTS in mail-other-key,pgp1@example.com,pgp2@example.com-other,pgp3@example.com mail-decrypt-expired,pgp1@example.com,expiredpgp1@example.com,expiredpgp1@example.com mail-ocb,pgp1@example.com,ocbpgp1@example.com,pgp3@example.com mail-decrypt-bcc,pgp1@example.com,zammad@localhost,
  129. do
  130. TEST_MAIL=${TEST_MAIL_SENDER_RECIPIENTS%,*,*,*}
  131. EMAIL_ADDRESSES=${TEST_MAIL_SENDER_RECIPIENTS#*,}
  132. SENDER_EMAIL_ADDRESS=${EMAIL_ADDRESSES%,*,*}
  133. # shellcheck disable=SC2206
  134. RECIPIENTS=(${EMAIL_ADDRESSES#*,})
  135. # shellcheck disable=SC2128
  136. IFS=',' read -r -a RECIPIENT_EMAIL_ADDRESSES <<< "$RECIPIENTS"
  137. echo "Processing mail: $TEST_MAIL"
  138. unset RECIPIENTS_ARG
  139. unset KEY_EXPIRATION_DATE
  140. unset FAKED_SYSTEM_TIME_ARG
  141. unset FORCE_OCB_ARG
  142. for RECIPIENT_EMAIL_ADDRESS in "${RECIPIENT_EMAIL_ADDRESSES[@]}"
  143. do
  144. echo " Importing public key for $RECIPIENT_EMAIL_ADDRESS"
  145. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --import < "$KEY_DIR/$RECIPIENT_EMAIL_ADDRESS.pub.asc"
  146. # Support expired keys.
  147. if [[ $RECIPIENT_EMAIL_ADDRESS =~ ^expired ]]; then
  148. KEY_INFO=$(gpg --batch --quiet --with-colons --with-fingerprint --fixed-list-mode --show-key "$KEY_DIR/$RECIPIENT_EMAIL_ADDRESS.pub.asc")
  149. KEY_EXPIRES_AT=$(echo "$KEY_INFO" | head -n 1 | cut -d: -f7)
  150. KEY_EXPIRATION_DATE=$(date -d @$KEY_EXPIRES_AT -R 2>/dev/null || date -r $KEY_EXPIRES_AT -R)
  151. KEY_EXPIRE_ARG=$(date -d @$KEY_EXPIRES_AT -u +'%Y%m%dT%H%M%S' 2>/dev/null || date -r $KEY_EXPIRES_AT -u +'%Y%m%dT%H%M%S')
  152. FAKED_SYSTEM_TIME_ARG="--faked-system-time=$KEY_EXPIRE_ARG"
  153. fi
  154. # Support AEAD: OCB keys.
  155. if [[ $RECIPIENT_EMAIL_ADDRESS =~ ^ocb ]]; then
  156. # Support for OCB was added in GPG 2.2.40, it will not work on older versions.
  157. if printf '%s\n%s\n' "$(gpg --version | head -1 | cut -d' ' -f3)" "2.2.40" | sort -rVC; then
  158. FORCE_OCB_ARG=--force-ocb
  159. else
  160. echo " ERROR: GnuPG too old, please update to v2.3.0 or later in order to generate OCB keys."
  161. echo " Skipping…"
  162. continue 2
  163. fi
  164. fi
  165. SANITIZED_EMAIL_ADDRESS=${RECIPIENT_EMAIL_ADDRESS%-*}
  166. echo " Using $SANITIZED_EMAIL_ADDRESS as recipient…"
  167. RECIPIENTS_ARG="$RECIPIENTS_ARG --recipient $SANITIZED_EMAIL_ADDRESS"
  168. done
  169. echo " Computing current date header…"
  170. echo "Date: $(date -R)" > "$MAIL_DIR/$TEST_MAIL.box"
  171. # Support expired keys.
  172. [[ ! -z $KEY_EXPIRATION_DATE ]] && echo "Date: $KEY_EXPIRATION_DATE" > "$MAIL_DIR/$TEST_MAIL.box"
  173. echo " Constructing mail body…"
  174. cat "$MAIL_DIR/$TEST_MAIL.part1.box" >> "$MAIL_DIR/$TEST_MAIL.box"
  175. echo " Encrypting message…"
  176. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --armor --trust-model=always $FAKED_SYSTEM_TIME_ARG $FORCE_OCB_ARG $RECIPIENTS_ARG --encrypt < "$MAIL_DIR/$TEST_MAIL.message.box" >> "$MAIL_DIR/$TEST_MAIL.box"
  177. echo " Ending mail file…"
  178. cat "$MAIL_DIR/$TEST_MAIL.part3.box" >> "$MAIL_DIR/$TEST_MAIL.box"
  179. done
  180. echo "Generating encrypted + signed test mails"
  181. # Don't use dashes (-) in email addresses unless you know what you're doing!
  182. # shellcheck disable=SC2042
  183. for TEST_MAIL_SENDER_RECIPIENTS in mail-detached,pgp1@example.com,pgp2@example.com,pgp3@example.com mail-attached,pgp1@example.com,pgp2@example.com,pgp3@example.com
  184. do
  185. TEST_MAIL=${TEST_MAIL_SENDER_RECIPIENTS%,*,*,*}
  186. EMAIL_ADDRESSES=${TEST_MAIL_SENDER_RECIPIENTS#*,}
  187. SENDER_EMAIL_ADDRESS=${EMAIL_ADDRESSES%,*,*}
  188. # shellcheck disable=SC2206
  189. RECIPIENTS=(${EMAIL_ADDRESSES#*,})
  190. # shellcheck disable=SC2128
  191. IFS=',' read -r -a RECIPIENT_EMAIL_ADDRESSES <<< "$RECIPIENTS"
  192. echo "Processing mail: $TEST_MAIL"
  193. KEY_INFO=$(gpg --batch --quiet --with-colons --with-fingerprint --fixed-list-mode --show-key "$KEY_DIR/$SENDER_EMAIL_ADDRESS.pub.asc")
  194. KEY_FINGERPRINT=$(echo "$KEY_INFO" | head -n 2 | tail -1 | cut -d: -f10)
  195. KEY_EXPIRES_AT=$(echo "$KEY_INFO" | head -n 1 | cut -d: -f7)
  196. KEY_EXPIRATION_DATE=$(date -d @$KEY_EXPIRES_AT -R 2>/dev/null || date -r $KEY_EXPIRES_AT -R)
  197. KEY_EXPIRE_ARG=$(date -d @$KEY_EXPIRES_AT -u +'%Y%m%dT%H%M%S' 2>/dev/null || date -r $KEY_EXPIRES_AT -u +'%Y%m%dT%H%M%S')
  198. echo " Importing key for $SENDER_EMAIL_ADDRESS"
  199. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --import < "$KEY_DIR/$SENDER_EMAIL_ADDRESS.asc"
  200. echo " Constructing signed message…"
  201. SIGNED_MESSAGE_DIR=$(mktemp -d)
  202. cat "$MAIL_DIR/$TEST_MAIL.message.part1.box" "$MAIL_DIR/$TEST_MAIL.message.part2.box" "$MAIL_DIR/$TEST_MAIL.message.part3.box" > "$SIGNED_MESSAGE_DIR/signed-message"
  203. echo " Signing message…"
  204. DETACH_SIGN_ARG=--detach-sign
  205. # Support attached signatures.
  206. [[ $TEST_MAIL =~ -attached$ ]] && unset DETACH_SIGN_ARG
  207. # Support expired keys.
  208. if [[ $SENDER_EMAIL_ADDRESS =~ ^expired ]]; then
  209. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --armor $DETACH_SIGN_ARG --trust-model=always --faked-system-time=$KEY_EXPIRE_ARG --default-key $KEY_FINGERPRINT --sign < "$MAIL_DIR/$TEST_MAIL.message.part2.box" >> "$SIGNED_MESSAGE_DIR/signed-message"
  210. else
  211. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --armor $DETACH_SIGN_ARG --trust-model=always --default-key $KEY_FINGERPRINT --sign < "$MAIL_DIR/$TEST_MAIL.message.part2.box" >> "$SIGNED_MESSAGE_DIR/signed-message"
  212. fi
  213. echo " Ending signed message…"
  214. cat "$MAIL_DIR/$TEST_MAIL.message.part5.box" >> "$SIGNED_MESSAGE_DIR/signed-message"
  215. echo " Computing current date header…"
  216. echo "Date: $(date -R)" > "$MAIL_DIR/$TEST_MAIL.box"
  217. # Support expired keys.
  218. [[ $SENDER_EMAIL_ADDRESS =~ ^expired ]] && echo "Date: $KEY_EXPIRATION_DATE" > "$MAIL_DIR/$TEST_MAIL.box"
  219. echo " Constructing mail body…"
  220. cat "$MAIL_DIR/$TEST_MAIL.part1.box" >> "$MAIL_DIR/$TEST_MAIL.box"
  221. unset RECIPIENTS_ARG
  222. for RECIPIENT_EMAIL_ADDRESS in "${RECIPIENT_EMAIL_ADDRESSES[@]}"
  223. do
  224. echo " Importing public key for $RECIPIENT_EMAIL_ADDRESS"
  225. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --import < "$KEY_DIR/$RECIPIENT_EMAIL_ADDRESS.pub.asc"
  226. SANITIZED_EMAIL_ADDRESS=${RECIPIENT_EMAIL_ADDRESS%-*}
  227. echo " Using $SANITIZED_EMAIL_ADDRESS as recipient…"
  228. RECIPIENTS_ARG="$RECIPIENTS_ARG --recipient $SANITIZED_EMAIL_ADDRESS"
  229. done
  230. echo " Encrypting message…"
  231. # Support expired keys.
  232. if [[ $SENDER_EMAIL_ADDRESS =~ ^expired ]]; then
  233. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --armor --trust-model=always --faked-system-time=$KEY_EXPIRE_ARG $RECIPIENTS_ARG --encrypt < "$SIGNED_MESSAGE_DIR/signed-message" >> "$MAIL_DIR/$TEST_MAIL.box"
  234. else
  235. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --armor --trust-model=always $RECIPIENTS_ARG --encrypt < "$SIGNED_MESSAGE_DIR/signed-message" >> "$MAIL_DIR/$TEST_MAIL.box"
  236. fi
  237. echo " Ending mail file…"
  238. cat "$MAIL_DIR/$TEST_MAIL.part3.box" >> "$MAIL_DIR/$TEST_MAIL.box"
  239. # Cleanup.
  240. rm -rf $SIGNED_MESSAGE_DIR && unset SIGNED_MESSAGE_DIR
  241. done
  242. echo "Generating encrypted + signed test mails (combined)"
  243. # Don't use dashes (-) in email addresses unless you know what you're doing!
  244. # shellcheck disable=SC2042
  245. for TEST_MAIL_SENDER_RECIPIENTS in mail-combined,pgp1@example.com,pgp2@example.com,pgp3@example.com
  246. do
  247. TEST_MAIL=${TEST_MAIL_SENDER_RECIPIENTS%,*,*,*}
  248. EMAIL_ADDRESSES=${TEST_MAIL_SENDER_RECIPIENTS#*,}
  249. SENDER_EMAIL_ADDRESS=${EMAIL_ADDRESSES%,*,*}
  250. # shellcheck disable=SC2206
  251. RECIPIENTS=(${EMAIL_ADDRESSES#*,})
  252. # shellcheck disable=SC2128
  253. IFS=',' read -r -a RECIPIENT_EMAIL_ADDRESSES <<< "$RECIPIENTS"
  254. echo "Processing mail: $TEST_MAIL"
  255. KEY_INFO=$(gpg --batch --quiet --with-colons --with-fingerprint --fixed-list-mode --show-key "$KEY_DIR/$SENDER_EMAIL_ADDRESS.pub.asc")
  256. KEY_FINGERPRINT=$(echo "$KEY_INFO" | head -n 2 | tail -1 | cut -d: -f10)
  257. KEY_EXPIRES_AT=$(echo "$KEY_INFO" | head -n 1 | cut -d: -f7)
  258. KEY_EXPIRATION_DATE=$(date -d @$KEY_EXPIRES_AT -R 2>/dev/null || date -r $KEY_EXPIRES_AT -R)
  259. KEY_EXPIRE_ARG=$(date -d @$KEY_EXPIRES_AT -u +'%Y%m%dT%H%M%S' 2>/dev/null || date -r $KEY_EXPIRES_AT -u +'%Y%m%dT%H%M%S')
  260. echo " Importing key for $SENDER_EMAIL_ADDRESS"
  261. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --import < "$KEY_DIR/$SENDER_EMAIL_ADDRESS.asc"
  262. echo " Computing current date header…"
  263. echo "Date: $(date -R)" > "$MAIL_DIR/$TEST_MAIL.box"
  264. # Support expired keys.
  265. [[ $SENDER_EMAIL_ADDRESS =~ ^expired ]] && echo "Date: $KEY_EXPIRATION_DATE" > "$MAIL_DIR/$TEST_MAIL.box"
  266. echo " Constructing mail body…"
  267. cat "$MAIL_DIR/$TEST_MAIL.part1.box" >> "$MAIL_DIR/$TEST_MAIL.box"
  268. for RECIPIENT_EMAIL_ADDRESS in "${RECIPIENT_EMAIL_ADDRESSES[@]}"
  269. do
  270. echo " Importing public key for $RECIPIENT_EMAIL_ADDRESS"
  271. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --yes --import < "$KEY_DIR/$RECIPIENT_EMAIL_ADDRESS.pub.asc"
  272. SANITIZED_EMAIL_ADDRESS=${RECIPIENT_EMAIL_ADDRESS%-*}
  273. echo " Using $SANITIZED_EMAIL_ADDRESS as recipient…"
  274. RECIPIENTS_ARG="$RECIPIENTS_ARG --recipient $SANITIZED_EMAIL_ADDRESS"
  275. done
  276. echo " Encrypting + signing message in one command…"
  277. # Support expired keys.
  278. if [[ $SENDER_EMAIL_ADDRESS =~ ^expired ]]; then
  279. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --armor --trust-model=always --faked-system-time=$KEY_EXPIRE_ARG --default-key $KEY_FINGERPRINT --sign $RECIPIENTS_ARG --encrypt < "$MAIL_DIR/$TEST_MAIL.part2.box" >> "$MAIL_DIR/$TEST_MAIL.box"
  280. else
  281. gpg --batch --quiet --pinentry=loopback --passphrase=$KEY_PASSPHRASE --armor --trust-model=always --default-key $KEY_FINGERPRINT --sign $RECIPIENTS_ARG --encrypt < "$MAIL_DIR/$TEST_MAIL.part2.box" >> "$MAIL_DIR/$TEST_MAIL.box"
  282. fi
  283. echo " Ending mail file…"
  284. cat "$MAIL_DIR/$TEST_MAIL.part3.box" >> "$MAIL_DIR/$TEST_MAIL.box"
  285. done
  286. echo "Done."