Package: obnam
Version: 1.1-1
Severity: normal

Hi,

in encryption_plugin.py: add_key calls add_to_userkeys for the shared toplevel and all listed clients, but add_to_userkeys only calls write_keyring, which in turn only calls filter_write (which encrypts symmetrically) and then writes the new 'userkeys'. The symmetric key used to encrypt userkeys ('key') is never written, and indeed it remains encrypted only with the old key. Therefore, add-key effectively doesn't add a new key. For that, it would have to somehow call obnamlib.encryption.encrypt_with_keyring, which it never does.

It could of course also be possible that I completely misunderstood the operation of add-key. Comparing to liw.fi/obnam/encryption, I think that I got it right in principle - 'key' should be encrypted with all keys in 'userkeys'. But "obnam --keyid=NEWKEY add-key [client …]" only updates the 'userkeys' without reencrypting 'key'.

Maybe we need a new function in encryption_plugin.py as class function of EncryptionPlugin:

    def rewrite_symmetric_key(self, repo, toplevel):
        # Re-encrypt the toplevel's symmetric key to every key in 'userkeys'.
        pubkeys = self.read_keyring(repo, toplevel)
        symmetric_key = self.get_symmetric_key(repo, toplevel)
        encrypted_symmetric_key = obnamlib.encrypt_with_keyring(symmetric_key, pubkeys)
        # Replace the stored 'key' file with the re-encrypted copy.
        pathname = os.path.join(toplevel, 'key')
        self._overwrite_file(repo, pathname, encrypted_symmetric_key)

which then needs to be called from add_key after self.add_to_userkeys.

Another approach would be adding that work directly to write_keyring, as it is not really useful to add/remove a key from 'userkeys' without reencrypting the symmetric key.

If you agree with my analysis, I could write a patch implementing either method (and maybe I can cook up a test, too).

When this gets fixed, existing repos should get their 'key' reencrypted, too, I guess.

Regards,
Mika

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing-proposed-updates
  APT policy: (650, 'testing-proposed-updates'), (650, 'testing'), (450, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages obnam depends on:
ii  libc6             2.13-33
ii  python            2.7.3~rc2-1
ii  python-cliapp     1.20120630-1
ii  python-larch      1.20120527-1
ii  python-paramiko   1.7.7.1-2
ii  python-tracing    0.6-2
ii  python-ttystatus  0.19-1
ii  python2.6         2.6.8-0.2
ii  python2.7         2.7.3~rc2-2.1

obnam recommends no packages.

obnam suggests no packages.

-- no debconf information
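
An added example, not part of the original report and not obnam code: a check for the mismatch described above, listing 'userkeys' entries that the 'key' file was never encrypted to. It assumes 'key' is a binary OpenPGP message as written by gpg (the report only names encrypt_with_keyring); the function names, key IDs and sample bytes are constructed.

```python
# Added example (Python 3). Key IDs and the sample message are constructed.

def pkesk_recipients(message):
    """Return recipient key IDs from the leading PKESK packets (tag 1)."""
    ids, pos = [], 0
    while pos < len(message):
        first = message[pos]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet at offset %d" % pos)
        if first & 0x40:                      # new-format header
            tag, o1 = first & 0x3F, message[pos + 1]
            if o1 < 192:
                length, pos = o1, pos + 2
            elif o1 < 224:
                length, pos = ((o1 - 192) << 8) + message[pos + 2] + 192, pos + 3
            elif o1 == 255:
                length, pos = int.from_bytes(message[pos + 2:pos + 6], "big"), pos + 6
            else:
                break                         # partial length: payload reached
        else:                                 # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                break                         # indeterminate length: payload
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(message[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        if tag != 1:
            break                             # session-key packets come first
        body = message[pos:pos + length]
        if len(body) < 10 or body[0] != 3:
            raise ValueError("unsupported or truncated PKESK packet")
        ids.append(body[1:9].hex().upper())   # 8-octet key ID after version
        pos += length
    return ids

def unreachable_userkeys(key_file, userkeys):
    """userkeys maps a label to its encryption (sub)key ID, which is the ID
    gpg puts in the packet; return labels 'key' was never encrypted to."""
    recipients = set(pkesk_recipients(key_file))
    return sorted(l for l, kid in userkeys.items() if kid.upper() not in recipients)

def make_pkesk(key_id, new_format):           # builds constructed test packets
    body = b"\x03" + bytes.fromhex(key_id) + b"\x01\x00\x08\xff"
    return bytes([0xC1 if new_format else 0x84, len(body)]) + body

OLD, NEW = "1111111111111111", "AAAAAAAAAAAAAAAA"   # constructed key IDs
PAYLOAD = bytes([0xD2, 3]) + b"\x01\x00\x00"         # stand-in encrypted data
SAMPLE_KEY = make_pkesk(OLD, False) + PAYLOAD        # state after add-key
print(unreachable_userkeys(SAMPLE_KEY, {"old": OLD, "new": NEW}))
```

Messages created with hidden recipients carry an all-zero key ID and will always be reported as unreachable by this check.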