Package: obnam
Version: 1.1-1
Severity: normal

Hi,

in encryption_plugin.py:
add_key calls add_to_userkeys for the shared toplevel and all
listed clients, but add_to_userkeys only calls write_keyring
which in turn only calls filter_write (which encrypts symmetrically)
and then writes the new 'userkeys'. The symmetric key used to
encrypt userkeys ('key') is never written, and indeed it remains
encrypted only with the old key. Therefore, add-key effectively
doesn't add a new key. For that, it would have to somehow call
obnamlib.encryption.encrypt_with_keyring, which it never does.

It could of course also be possible that I completely misunderstood
the operation of add-key. Comparing to liw.fi/obnam/encryption, I think
that I got it right in principle - 'key' should be encrypted with all
keys in 'userkeys'. But "obnam --keyid=NEWKEY add-key [client …]" only
updates the 'userkeys' without reencrypting 'key'. Maybe we need a new
function in encryption_plugin.py as class function of EncryptionPlugin:

def rewrite_symmetric_key(self, repo, toplevel):
    # Re-encrypt the toplevel's symmetric key to every key in 'userkeys'.
    pubkeys = self.read_keyring(repo, toplevel)
    symmetric_key = self.get_symmetric_key(repo, toplevel)
    encrypted_symmetric_key = obnamlib.encrypt_with_keyring(
        symmetric_key, pubkeys)
    pathname = os.path.join(toplevel, 'key')
    self._overwrite_file(repo, pathname, encrypted_symmetric_key)

which then needs to be called from add_key after self.add_to_userkeys.

Another approach would be adding that work directly to write_keyring,
as it is not really useful to add/remove a key from 'userkeys' without
reencrypting the symmetric key.

If you agree with my analysis, I could write a patch implementing
either method (and maybe I can cook up a test, too).

When this gets fixed, existing repos should get their 'key' reencrypted, too,
I guess.


Regards,

Mika
    

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing-proposed-updates
  APT policy: (650, 'testing-proposed-updates'), (650, 'testing'), (450, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages obnam depends on:
ii  libc6             2.13-33
ii  python            2.7.3~rc2-1
ii  python-cliapp     1.20120630-1
ii  python-larch      1.20120527-1
ii  python-paramiko   1.7.7.1-2
ii  python-tracing    0.6-2
ii  python-ttystatus  0.19-1
ii  python2.6         2.6.8-0.2
ii  python2.7         2.7.3~rc2-2.1

obnam recommends no packages.

obnam suggests no packages.

-- no debconf information
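
A check for the condition the report describes, as an added example (not code from the report or from obnam): it lists the keys in 'userkeys' that a toplevel's 'key' file is not encrypted to. It assumes the operator has captured `gpg --list-packets` output for 'key' and `gpg --with-colons --list-keys` output for the decrypted 'userkeys' keyring; the sample text and key ids below are constructed.

```python
import re

# Constructed sample: `gpg --list-packets` output for a toplevel's 'key' file.
KEY_PACKETS = """\
:pubkey enc packet: version 3, algo 1, keyid 1111AAAA2222BBBB
\tdata: [2047 bits]
:encrypted data packet:
\tlength: unknown
"""

# Constructed sample: `gpg --with-colons --list-keys` output for the
# decrypted 'userkeys' keyring after add-key was run for a second key.
USERKEYS_LISTING = """\
pub:-:2048:1:AAAA0000AAAA0000:1340000000:::-:::scESC:
uid:-::::1340000000::HASH1::Old Key <old@example.invalid>:
sub:-:2048:1:1111AAAA2222BBBB:1340000000::::::e:
pub:-:2048:1:BBBB0000BBBB0000:1341000000:::-:::scESC:
uid:-::::1341000000::HASH2::New Key <new@example.invalid>:
sub:-:2048:1:3333CCCC4444DDDD:1341000000::::::e:
"""

def recipients(list_packets_output):
    """Key ids that the file's session key is encrypted to."""
    return set(re.findall(r"^:pubkey enc packet:.*\bkeyid ([0-9A-Fa-f]{16})",
                          list_packets_output, re.M))

def keyring_ids(colon_listing):
    """Map each primary key id to the ids (primary and subkeys) it owns."""
    keys, current = {}, None
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4].upper()      # field 5 is the key id
            keys[current] = {current}
        elif fields[0] == "sub" and current is not None:
            # Recipient packets usually name the encryption subkey.
            keys[current].add(fields[4].upper())
    return keys

def locked_out(list_packets_output, colon_listing):
    """Primary key ids listed in 'userkeys' that 'key' is not encrypted to."""
    have = {k.upper() for k in recipients(list_packets_output)}
    return sorted(primary for primary, ids in keyring_ids(colon_listing).items()
                  if not ids & have)
```

An empty result means every key in 'userkeys' is also a recipient of 'key'; recipients hidden by gpg (key id shown as all zeros) are not resolved by this check.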
