dup (helper + handler + example config) : don't pretend anymore that duplicity

can work without any passphrase ; thanks Micah for the bug report

diff --git a/ChangeLog b/ChangeLog
index ae871bfea9f9487fc46c7eb434431c8a0de6f232..c334bf577ea5c6fba2613945119ca15b6c6ecb0d 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -23,6 +23,8 @@ version 0.9.4 -- unreleased
        dup:
         . Fixed improper include/exclude symlink dereference
         . Removed over zealous vsnames check
+        . Does not pretend anymore that duplicity can work without
+          any passphrase
        sys:
         . Many more system checks were added, thanks to Petr Klíma
     lib changes

diff --git a/NEWS b/NEWS
index af964bef8e1859010cba7bcf1f486f1bba5a0c6e..fbf66549baa8331249f92a98c43331bc80b86cc8 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,5 @@
 WARNING FOR DUPLICITY USERS
 
-Old (pre-0.9.2) example.dup file used to give false information about the way
+Old (pre-0.9.4) example.dup file used to give false information about the way
 the GnuPG-related options are used. Please read the new example.dup file, and
 update your own configuration files if needed.

diff --git a/examples/example.dup b/examples/example.dup
index 8a880f891c779b4d4342af7615c48a5ca7d94e34..b90655140c1b56626eb3f6fc2fd6ea82f11d9a66 100644 (file)
--- a/examples/example.dup
+++ b/examples/example.dup
@@ -12,16 +12,18 @@ nicelevel = 19
 ## gpg section
 ## (how to encrypt and optionally sign the backups)
 ##
-## WARNING: old (pre-0.9.2) example.dup used to give wrong information about
+## WARNING: old (pre-0.9.4) example.dup used to give wrong information about
 ##          the way the following options are used. Please read the following
 ##          carefully.
 ##
 ## If the encryptkey variable is set:
 ##   - data is encrypted with the GnuPG public key specified by the encryptkey
 ##     variable
-##   - if signing is enabled, the password variable is used to unlock the GnuPG
-##     private key used for signing; otherwise, you do not need to set the password
-##     variable
+##   - if signing is enabled, data is signed with the GnuPG private
+##     key specified by the signkey variable
+##   - the password variable is used to unlock the GnuPG key(s) used
+##     for encryption and (optionnal) signing
+##
 ## If the encryptkey option is not set:
 ##   - data signing is not possible
 ##   - the password variable is used to encrypt the data with symmetric

diff --git a/handlers/dup b/handlers/dup
index e490aa533e239fef24f4879e10efc8ec980b1306..7c8a7c6383c78c207a547d323d14fc0160a3e49e 100644 (file)
--- a/handlers/dup
+++ b/handlers/dup
@@ -79,7 +79,6 @@ if [ -n "$encryptkey" ]; then
     execstr="${execstr}--encrypt-key $encryptkey "
     debug "Data will be encrypted with the GnuPG key $encryptkey."
 else
-    [ -n "$password" ] || fatal "The password option must be set when using symmetric encryption."
     debug "Data will be encrypted using symmetric encryption."
 fi
 
@@ -89,14 +88,15 @@ if [ "$sign" == yes ]; then
     [ -n "$encryptkey" ] || fatal "The encryptkey option must be set when signing."
     # if needed, initialize signkey to a value that is not empty (checked above)
     [ -n "$signkey" ] || signkey="$encryptkey"
-    # check password validity
-    [ -n "$password" ] || fatal "The password option must be set when signing."
     execstr="${execstr}--sign-key $signkey "
     debug "Data will be signed will the GnuPG key $signkey."
 else
     debug "Data won't be signed."
 fi
 
+# deal with GnuPG passphrase
+[ -n "$password" ] || fatal "The password option must be set."
+
 if [ "$keep" != "yes" ]; then
     if [ "`echo $keep | tr -d 0-9`" == "" ]; then
        keep="${keep}D"

diff --git a/handlers/dup.helper b/handlers/dup.helper
index 9fe27180b31042d8af7d107391f9cd198ef85c41..a18063dbd507de83a7e6b4f242a0c673c159ee6b 100644 (file)
--- a/handlers/dup.helper
+++ b/handlers/dup.helper
@@ -173,7 +173,7 @@ do_dup_gpg_signkey() {
 }
 
 do_dup_gpg_passphrase() {
-   local question="Enter the passphrase needed to $@:"
+   local question="Enter the passphrase needed to unlock the GnuPG key:"
    REPLY=
    while [ -z "$REPLY" -o -z "$dup_gpg_password" ]; do
       passwordBox "$dup_title - GnuPG" "$question"
@@ -201,19 +201,8 @@ do_dup_gpg() {
       fi
    fi
 
-   # a passphrase is only needed when signing, or when symmetric encryption is used
-   if [ "$dup_gpg_asymmetric_encryption" == "no" ]; then
-        do_dup_gpg_passphrase "encrypt the backups"
-        [ $? = 0 ] || return 1
-   elif [ "$dup_gpg_sign" == "yes" ]; then
-      if [ -z "$dup_gpg_signkey" ]; then
-        do_dup_gpg_passphrase "unlock the GnuPG key used to sign the backups"
-        [ $? = 0 ] || return 1
-      else
-        do_dup_gpg_passphrase "unlock the GnuPG key used to sign the backups"
-        [ $? = 0 ] || return 1
-      fi
-   fi
+   # a passphrase is alway needed
+   do_dup_gpg_passphrase
 
    _gpg_done="(DONE)"
    setDefault adv
@@ -278,16 +267,18 @@ testconnect = $dup_testconnect
 ## gpg section
 ## (how to encrypt and optionally sign the backups)
 ##
-## WARNING: old (pre-0.9.2) example.dup used to give wrong information about
+## WARNING: old (pre-0.9.4) example.dup used to give wrong information about
 ##          the way the following options are used. Please read the following
 ##          carefully.
 ##
 ## If the encryptkey variable is set:
 ##   - data is encrypted with the GnuPG public key specified by the encryptkey
 ##     variable
-##   - if signing is enabled, the password variable is used to unlock the GnuPG
-##     private key used for signing; otherwise, you do not need to set the password
-##     variable
+##   - if signing is enabled, data is signed with the GnuPG private
+##     key specified by the signkey variable
+##   - the password variable is used to unlock the GnuPG key(s) used
+##     for encryption and (optionnal) signing
+##
 ## If the encryptkey option is not set:
 ##   - data signing is not possible
 ##   - the password variable is used to encrypt the data with symmetric