66383
|
1 ;;; pgg-gpg.el --- GnuPG support for PGG.
|
|
2
|
|
3 ;; Copyright (C) 1999, 2000, 2002, 2003, 2004,
|
79721
|
4 ;; 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
|
66383
|
5
|
|
6 ;; Author: Daiki Ueno <ueno@unixuser.org>
|
69848
|
7 ;; Symmetric encryption and gpg-agent support added by:
|
|
8 ;; Sascha Wilde <wilde@sha-bang.de>
|
66383
|
9 ;; Created: 1999/10/28
|
|
10 ;; Keywords: PGP, OpenPGP, GnuPG
|
|
11
|
|
12 ;; This file is part of GNU Emacs.
|
|
13
|
94678
|
14 ;; GNU Emacs is free software: you can redistribute it and/or modify
|
66383
|
15 ;; it under the terms of the GNU General Public License as published by
|
94678
|
16 ;; the Free Software Foundation, either version 3 of the License, or
|
|
17 ;; (at your option) any later version.
|
66383
|
18
|
|
19 ;; GNU Emacs is distributed in the hope that it will be useful,
|
|
20 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
21 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
22 ;; GNU General Public License for more details.
|
|
23
|
|
24 ;; You should have received a copy of the GNU General Public License
|
94678
|
25 ;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
|
66383
|
26
|
|
27 ;;; Code:
|
|
28
|
|
29 (eval-when-compile
|
69819
|
30 (require 'cl) ; for gpg macros
|
66383
|
31 (require 'pgg))
|
|
32
|
|
33 (defgroup pgg-gpg ()
|
|
34 "GnuPG interface."
|
|
35 :group 'pgg)
|
|
36
|
|
37 (defcustom pgg-gpg-program "gpg"
|
|
38 "The GnuPG executable."
|
|
39 :group 'pgg-gpg
|
|
40 :type 'string)
|
|
41
|
|
42 (defcustom pgg-gpg-extra-args nil
|
|
43 "Extra arguments for every GnuPG invocation."
|
|
44 :group 'pgg-gpg
|
|
45 :type '(repeat (string :tag "Argument")))
|
|
46
|
|
47 (defcustom pgg-gpg-recipient-argument "--recipient"
|
|
48 "GnuPG option to specify recipient."
|
|
49 :group 'pgg-gpg
|
|
50 :type '(choice (const :tag "New `--recipient' option" "--recipient")
|
|
51 (const :tag "Old `--remote-user' option" "--remote-user")))
|
|
52
|
74714
|
53 (defcustom pgg-gpg-use-agent t
|
69848
|
54 "Whether to use gnupg agent for key caching."
|
|
55 :group 'pgg-gpg
|
|
56 :type 'boolean)
|
|
57
|
66383
|
58 (defvar pgg-gpg-user-id nil
|
|
59 "GnuPG ID of your default identity.")
|
|
60
|
69819
|
61 (defun pgg-gpg-process-region (start end passphrase program args)
|
75985
49a4f4e58561
(pgg-gpg-process-region): Make USE-AGENT nil if PASSPHRASE is given.
Richard M. Stallman <rms@gnu.org>
diff
changeset
|
62 (let* ((use-agent (and (null passphrase) (pgg-gpg-use-agent-p)))
|
69848
|
63 (output-file-name (pgg-make-temp-file "pgg-output"))
|
66383
|
64 (args
|
69819
|
65 `("--status-fd" "2"
|
69848
|
66 ,@(if use-agent '("--use-agent")
|
|
67 (if passphrase '("--passphrase-fd" "0")))
|
69819
|
68 "--yes" ; overwrite
|
|
69 "--output" ,output-file-name
|
|
70 ,@pgg-gpg-extra-args ,@args))
|
|
71 (output-buffer pgg-output-buffer)
|
|
72 (errors-buffer pgg-errors-buffer)
|
66383
|
73 (orig-mode (default-file-modes))
|
69819
|
74 (process-connection-type nil)
|
72653
|
75 (inhibit-redisplay t)
|
|
76 process status exit-status
|
|
77 passphrase-with-newline
|
|
78 encoded-passphrase-with-new-line)
|
69819
|
79 (with-current-buffer (get-buffer-create errors-buffer)
|
|
80 (buffer-disable-undo)
|
|
81 (erase-buffer))
|
66383
|
82 (unwind-protect
|
|
83 (progn
|
|
84 (set-default-file-modes 448)
|
72632
|
85 (let ((coding-system-for-write 'binary))
|
|
86 (setq process
|
|
87 (apply #'start-process "*GnuPG*" errors-buffer
|
|
88 program args)))
|
|
89 (set-process-sentinel process #'ignore)
|
|
90 (when passphrase
|
72653
|
91 (setq passphrase-with-newline (concat passphrase "\n"))
|
72686
|
92 (if pgg-passphrase-coding-system
|
72653
|
93 (progn
|
|
94 (setq encoded-passphrase-with-new-line
|
74984
|
95 (encode-coding-string
|
|
96 passphrase-with-newline
|
|
97 (coding-system-change-eol-conversion
|
|
98 pgg-passphrase-coding-system 'unix)))
|
72653
|
99 (pgg-clear-string passphrase-with-newline))
|
|
100 (setq encoded-passphrase-with-new-line passphrase-with-newline
|
|
101 passphrase-with-newline nil))
|
|
102 (process-send-string process encoded-passphrase-with-new-line))
|
72632
|
103 (process-send-region process start end)
|
|
104 (process-send-eof process)
|
|
105 (while (eq 'run (process-status process))
|
|
106 (accept-process-output process 5))
|
|
107 (setq status (process-status process)
|
|
108 exit-status (process-exit-status process))
|
|
109 (delete-process process)
|
69819
|
110 (with-current-buffer (get-buffer-create output-buffer)
|
|
111 (buffer-disable-undo)
|
|
112 (erase-buffer)
|
|
113 (if (file-exists-p output-file-name)
|
69791
|
114 (let ((coding-system-for-read (if pgg-text-mode
|
|
115 'raw-text
|
|
116 'binary)))
|
69819
|
117 (insert-file-contents output-file-name)))
|
|
118 (set-buffer errors-buffer)
|
72632
|
119 (if (memq status '(stop signal))
|
|
120 (error "%s exited abnormally: '%s'" program exit-status))
|
|
121 (if (= 127 exit-status)
|
|
122 (error "%s could not be found" program))))
|
72653
|
123 (if passphrase-with-newline
|
|
124 (pgg-clear-string passphrase-with-newline))
|
|
125 (if encoded-passphrase-with-new-line
|
|
126 (pgg-clear-string encoded-passphrase-with-new-line))
|
72632
|
127 (if (and process (eq 'run (process-status process)))
|
|
128 (interrupt-process process))
|
69819
|
129 (if (file-exists-p output-file-name)
|
|
130 (delete-file output-file-name))
|
|
131 (set-default-file-modes orig-mode))))
|
69689
|
132
|
69819
|
133 (defun pgg-gpg-possibly-cache-passphrase (passphrase &optional key notruncate)
|
69848
|
134 (if (and passphrase
|
|
135 pgg-cache-passphrase
|
69819
|
136 (progn
|
|
137 (goto-char (point-min))
|
|
138 (re-search-forward "^\\[GNUPG:] \\(GOOD_PASSPHRASE\\>\\)\\|\\(SIG_CREATED\\)" nil t)))
|
|
139 (pgg-add-passphrase-to-cache
|
|
140 (or key
|
|
141 (progn
|
|
142 (goto-char (point-min))
|
|
143 (if (re-search-forward
|
|
144 "^\\[GNUPG:] NEED_PASSPHRASE\\(_PIN\\)? \\w+ ?\\w*" nil t)
|
|
145 (substring (match-string 0) -8))))
|
|
146 passphrase
|
|
147 notruncate)))
|
66383
|
148
|
69819
|
149 (defvar pgg-gpg-all-secret-keys 'unknown)
|
69689
|
150
|
69819
|
151 (defun pgg-gpg-lookup-all-secret-keys ()
|
|
152 "Return all secret keys present in secret key ring."
|
|
153 (when (eq pgg-gpg-all-secret-keys 'unknown)
|
|
154 (setq pgg-gpg-all-secret-keys '())
|
|
155 (let ((args (list "--with-colons" "--no-greeting" "--batch"
|
|
156 "--list-secret-keys")))
|
|
157 (with-temp-buffer
|
|
158 (apply #'call-process pgg-gpg-program nil t nil args)
|
|
159 (goto-char (point-min))
|
|
160 (while (re-search-forward
|
|
161 "^\\(sec\\|pub\\):[^:]*:[^:]*:[^:]*:\\([^:]*\\)" nil t)
|
|
162 (push (substring (match-string 2) 8)
|
|
163 pgg-gpg-all-secret-keys)))))
|
|
164 pgg-gpg-all-secret-keys)
|
66383
|
165
|
|
166 (defun pgg-gpg-lookup-key (string &optional type)
|
|
167 "Search keys associated with STRING."
|
|
168 (let ((args (list "--with-colons" "--no-greeting" "--batch"
|
|
169 (if type "--list-secret-keys" "--list-keys")
|
|
170 string)))
|
|
171 (with-temp-buffer
|
|
172 (apply #'call-process pgg-gpg-program nil t nil args)
|
|
173 (goto-char (point-min))
|
|
174 (if (re-search-forward "^\\(sec\\|pub\\):[^:]*:[^:]*:[^:]*:\\([^:]*\\)"
|
|
175 nil t)
|
|
176 (substring (match-string 2) 8)))))
|
|
177
|
69819
|
178 (defun pgg-gpg-lookup-key-owner (string &optional all)
|
|
179 "Search keys associated with STRING and return owner of identified key.
|
|
180
|
|
181 The value may be just the bare key id, or it may be a combination of the
|
|
182 user name associated with the key and the key id, with the key id enclosed
|
|
183 in \"<...>\" angle brackets.
|
|
184
|
|
185 Optional ALL non-nil means search all keys, including secret keys."
|
|
186 (let ((args (list "--with-colons" "--no-greeting" "--batch"
|
|
187 (if all "--list-secret-keys" "--list-keys")
|
|
188 string))
|
|
189 (key-regexp (concat "^\\(sec\\|pub\\)"
|
|
190 ":[^:]*:[^:]*:[^:]*:\\([^:]*\\):[^:]*"
|
|
191 ":[^:]*:[^:]*:[^:]*:\\([^:]*\\):")))
|
|
192 (with-temp-buffer
|
|
193 (apply #'call-process pgg-gpg-program nil t nil args)
|
|
194 (goto-char (point-min))
|
|
195 (if (re-search-forward key-regexp
|
|
196 nil t)
|
|
197 (match-string 3)))))
|
|
198
|
|
199 (defun pgg-gpg-key-id-from-key-owner (key-owner)
|
|
200 (cond ((not key-owner) nil)
|
|
201 ;; Extract bare key id from outermost paired angle brackets, if any:
|
|
202 ((string-match "[^<]*<\\(.+\\)>[^>]*" key-owner)
|
|
203 (substring key-owner (match-beginning 1)(match-end 1)))
|
|
204 (key-owner)))
|
|
205
|
66520
|
206 (defun pgg-gpg-encrypt-region (start end recipients &optional sign passphrase)
|
66383
|
207 "Encrypt the current region between START and END.
|
66520
|
208
|
69819
|
209 If optional argument SIGN is non-nil, do a combined sign and encrypt.
|
|
210
|
|
211 If optional PASSPHRASE is not specified, it will be obtained from the
|
|
212 passphrase cache or user."
|
66383
|
213 (let* ((pgg-gpg-user-id (or pgg-gpg-user-id pgg-default-user-id))
|
69819
|
214 (passphrase (or passphrase
|
69848
|
215 (when (and sign (not (pgg-gpg-use-agent-p)))
|
69819
|
216 (pgg-read-passphrase
|
|
217 (format "GnuPG passphrase for %s: "
|
|
218 pgg-gpg-user-id)
|
|
219 pgg-gpg-user-id))))
|
66383
|
220 (args
|
|
221 (append
|
69819
|
222 (list "--batch" "--armor" "--always-trust" "--encrypt")
|
|
223 (if pgg-text-mode (list "--textmode"))
|
66383
|
224 (if sign (list "--sign" "--local-user" pgg-gpg-user-id))
|
76110
|
225 (if (or recipients pgg-encrypt-for-me)
|
66383
|
226 (apply #'nconc
|
|
227 (mapcar (lambda (rcpt)
|
|
228 (list pgg-gpg-recipient-argument rcpt))
|
|
229 (append recipients
|
|
230 (if pgg-encrypt-for-me
|
69819
|
231 (list pgg-gpg-user-id)))))))))
|
|
232 (pgg-gpg-process-region start end passphrase pgg-gpg-program args)
|
|
233 (when sign
|
|
234 (with-current-buffer pgg-errors-buffer
|
|
235 ;; Possibly cache passphrase under, e.g. "jas", for future sign.
|
|
236 (pgg-gpg-possibly-cache-passphrase passphrase pgg-gpg-user-id)
|
|
237 ;; Possibly cache passphrase under, e.g. B565716F, for future decrypt.
|
|
238 (pgg-gpg-possibly-cache-passphrase passphrase)))
|
|
239 (pgg-process-when-success)))
|
66383
|
240
|
66520
|
241 (defun pgg-gpg-encrypt-symmetric-region (start end &optional passphrase)
|
69819
|
242 "Encrypt the current region between START and END with symmetric cipher.
|
|
243
|
|
244 If optional PASSPHRASE is not specified, it will be obtained from the
|
|
245 passphrase cache or user."
|
|
246 (let* ((passphrase (or passphrase
|
69848
|
247 (when (not (pgg-gpg-use-agent-p))
|
|
248 (pgg-read-passphrase
|
|
249 "GnuPG passphrase for symmetric encryption: "))))
|
69819
|
250 (args
|
|
251 (append (list "--batch" "--armor" "--symmetric" )
|
|
252 (if pgg-text-mode (list "--textmode")))))
|
|
253 (pgg-gpg-process-region start end passphrase pgg-gpg-program args)
|
|
254 (pgg-process-when-success)))
|
66520
|
255
|
|
256 (defun pgg-gpg-decrypt-region (start end &optional passphrase)
|
69819
|
257 "Decrypt the current region between START and END.
|
|
258
|
|
259 If optional PASSPHRASE is not specified, it will be obtained from the
|
|
260 passphrase cache or user."
|
|
261 (let* ((current-buffer (current-buffer))
|
|
262 (message-keys (with-temp-buffer
|
|
263 (insert-buffer-substring current-buffer)
|
|
264 (pgg-decode-armor-region (point-min) (point-max))))
|
|
265 (secret-keys (pgg-gpg-lookup-all-secret-keys))
|
|
266 ;; XXX the user is stuck if they need to use the passphrase for
|
|
267 ;; any but the first secret key for which the message is
|
|
268 ;; encrypted. ideally, we would incrementally give them a
|
|
269 ;; chance with subsequent keys each time they fail with one.
|
|
270 (key (pgg-gpg-select-matching-key message-keys secret-keys))
|
|
271 (key-owner (and key (pgg-gpg-lookup-key-owner key t)))
|
|
272 (key-id (pgg-gpg-key-id-from-key-owner key-owner))
|
|
273 (pgg-gpg-user-id (or key-id key
|
|
274 pgg-gpg-user-id pgg-default-user-id))
|
|
275 (passphrase (or passphrase
|
69848
|
276 (when (not (pgg-gpg-use-agent-p))
|
|
277 (pgg-read-passphrase
|
|
278 (format (if (pgg-gpg-symmetric-key-p message-keys)
|
|
279 "Passphrase for symmetric decryption: "
|
|
280 "GnuPG passphrase for %s: ")
|
|
281 (or key-owner "??"))
|
|
282 pgg-gpg-user-id))))
|
69819
|
283 (args '("--batch" "--decrypt")))
|
|
284 (pgg-gpg-process-region start end passphrase pgg-gpg-program args)
|
|
285 (with-current-buffer pgg-errors-buffer
|
|
286 (pgg-gpg-possibly-cache-passphrase passphrase pgg-gpg-user-id)
|
|
287 (goto-char (point-min))
|
|
288 (re-search-forward "^\\[GNUPG:] DECRYPTION_OKAY\\>" nil t))))
|
|
289
|
|
290 ;;;###autoload
|
|
291 (defun pgg-gpg-symmetric-key-p (message-keys)
|
|
292 "True if decoded armor MESSAGE-KEYS has symmetric encryption indicator."
|
|
293 (let (result)
|
|
294 (dolist (key message-keys result)
|
|
295 (when (and (eq (car key) 3)
|
|
296 (member '(symmetric-key-algorithm) key))
|
|
297 (setq result key)))))
|
|
298
|
|
299 (defun pgg-gpg-select-matching-key (message-keys secret-keys)
|
|
300 "Choose a key from MESSAGE-KEYS that matches one of the keys in SECRET-KEYS."
|
|
301 (loop for message-key in message-keys
|
|
302 for message-key-id = (and (equal (car message-key) 1)
|
|
303 (cdr (assq 'key-identifier
|
|
304 (cdr message-key))))
|
|
305 for key = (and message-key-id (pgg-lookup-key message-key-id 'encrypt))
|
|
306 when (and key (member key secret-keys)) return key))
|
66383
|
307
|
66520
|
308 (defun pgg-gpg-sign-region (start end &optional cleartext passphrase)
|
66383
|
309 "Make detached signature from text between START and END."
|
|
310 (let* ((pgg-gpg-user-id (or pgg-gpg-user-id pgg-default-user-id))
|
69819
|
311 (passphrase (or passphrase
|
69848
|
312 (when (not (pgg-gpg-use-agent-p))
|
|
313 (pgg-read-passphrase
|
|
314 (format "GnuPG passphrase for %s: "
|
|
315 pgg-gpg-user-id)
|
|
316 pgg-gpg-user-id))))
|
66383
|
317 (args
|
68762
|
318 (append (list (if cleartext "--clearsign" "--detach-sign")
|
69819
|
319 "--armor" "--batch" "--verbose"
|
68762
|
320 "--local-user" pgg-gpg-user-id)
|
69819
|
321 (if pgg-text-mode (list "--textmode"))))
|
|
322 (inhibit-read-only t)
|
|
323 buffer-read-only)
|
|
324 (pgg-gpg-process-region start end passphrase pgg-gpg-program args)
|
|
325 (with-current-buffer pgg-errors-buffer
|
|
326 ;; Possibly cache passphrase under, e.g. "jas", for future sign.
|
|
327 (pgg-gpg-possibly-cache-passphrase passphrase pgg-gpg-user-id)
|
|
328 ;; Possibly cache passphrase under, e.g. B565716F, for future decrypt.
|
|
329 (pgg-gpg-possibly-cache-passphrase passphrase))
|
|
330 (pgg-process-when-success)))
|
66383
|
331
|
|
332 (defun pgg-gpg-verify-region (start end &optional signature)
|
|
333 "Verify region between START and END as the detached signature SIGNATURE."
|
69819
|
334 (let ((args '("--batch" "--verify")))
|
66383
|
335 (when (stringp signature)
|
|
336 (setq args (append args (list signature))))
|
69819
|
337 (setq args (append args '("-")))
|
|
338 (pgg-gpg-process-region start end nil pgg-gpg-program args)
|
|
339 (with-current-buffer pgg-errors-buffer
|
|
340 (goto-char (point-min))
|
|
341 (while (re-search-forward "^gpg: \\(.*\\)\n" nil t)
|
|
342 (with-current-buffer pgg-output-buffer
|
|
343 (insert-buffer-substring pgg-errors-buffer
|
|
344 (match-beginning 1) (match-end 0)))
|
|
345 (delete-region (match-beginning 0) (match-end 0)))
|
|
346 (goto-char (point-min))
|
|
347 (re-search-forward "^\\[GNUPG:] GOODSIG\\>" nil t))))
|
66383
|
348
|
|
349 (defun pgg-gpg-insert-key ()
|
|
350 "Insert public key at point."
|
|
351 (let* ((pgg-gpg-user-id (or pgg-gpg-user-id pgg-default-user-id))
|
69819
|
352 (args (list "--batch" "--export" "--armor"
|
|
353 pgg-gpg-user-id)))
|
|
354 (pgg-gpg-process-region (point)(point) nil pgg-gpg-program args)
|
66383
|
355 (insert-buffer-substring pgg-output-buffer)))
|
|
356
|
|
357 (defun pgg-gpg-snarf-keys-region (start end)
|
|
358 "Add all public keys in region between START and END to the keyring."
|
69819
|
359 (let ((args '("--import" "--batch" "-")) status)
|
|
360 (pgg-gpg-process-region start end nil pgg-gpg-program args)
|
|
361 (set-buffer pgg-errors-buffer)
|
|
362 (goto-char (point-min))
|
|
363 (when (re-search-forward "^\\[GNUPG:] IMPORT_RES\\>" nil t)
|
|
364 (setq status (buffer-substring (match-end 0)
|
|
365 (progn (end-of-line)(point)))
|
|
366 status (vconcat (mapcar #'string-to-number (split-string status))))
|
|
367 (erase-buffer)
|
|
368 (insert (format "Imported %d key(s).
|
|
369 \tArmor contains %d key(s) [%d bad, %d old].\n"
|
|
370 (+ (aref status 2)
|
|
371 (aref status 10))
|
|
372 (aref status 0)
|
|
373 (aref status 1)
|
|
374 (+ (aref status 4)
|
|
375 (aref status 11)))
|
|
376 (if (zerop (aref status 9))
|
|
377 ""
|
|
378 "\tSecret keys are imported.\n")))
|
|
379 (append-to-buffer pgg-output-buffer (point-min)(point-max))
|
|
380 (pgg-process-when-success)))
|
69631
|
381
|
69848
|
382 (defun pgg-gpg-update-agent ()
|
|
383 "Try to connet to gpg-agent and send UPDATESTARTUPTTY."
|
|
384 (if (fboundp 'make-network-process)
|
|
385 (let* ((agent-info (getenv "GPG_AGENT_INFO"))
|
|
386 (socket (and agent-info
|
|
387 (string-match "^\\([^:]*\\)" agent-info)
|
|
388 (match-string 1 agent-info)))
|
|
389 (conn (and socket
|
|
390 (make-network-process :name "gpg-agent-process"
|
|
391 :host 'local :family 'local
|
|
392 :service socket))))
|
|
393 (when (and conn (eq (process-status conn) 'open))
|
|
394 (process-send-string conn "UPDATESTARTUPTTY\n")
|
|
395 (delete-process conn)
|
|
396 t))
|
|
397 ;; We can't check, so assume gpg-agent is up.
|
|
398 t))
|
|
399
|
|
400 (defun pgg-gpg-use-agent-p ()
|
|
401 "Return t if `pgg-gpg-use-agent' is t and gpg-agent is available."
|
|
402 (and pgg-gpg-use-agent (pgg-gpg-update-agent)))
|
|
403
|
66383
|
404 (provide 'pgg-gpg)
|
|
405
|
93975
|
406 ;; arch-tag: 2aa5d5d8-93a0-4865-9312-33e29830e000
|
66383
|
407 ;;; pgg-gpg.el ends here
|