gpg: Log gpg output to LogWriter (#2869)

* gpg: Log gpg output to LogWriter Signed-off-by: Doron Behar <[email protected]> * gpg/cli: Add more log messages Return a different error message if no trustable keys were found. Signed-off-by: Doron Behar <[email protected]> * Make leaf/write test always trust recipients Signed-off-by: Doron Behar <[email protected]> --------- Signed-off-by: Doron Behar <[email protected]>
gopasspw · Jul 7, 2024 · 70dbabe · 70dbabe
1 parent 3606030
commit 70dbabe
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 9 deletions.
diff --git a/internal/backend/crypto/gpg/cli/encrypt.go b/internal/backend/crypto/gpg/cli/encrypt.go
@@ -3,6 +3,9 @@ package cli
 import (
 	"bytes"
 	"context"
+	"errors"
+	"fmt"
+	"io"
 	"os"
 	"os/exec"
 
@@ -25,25 +28,35 @@ func (g *GPG) Encrypt(ctx context.Context, plaintext []byte, recipients []string
 		args = append(args, "--trust-model=always")
 	}
 
+	buf := &bytes.Buffer{}
+	if len(recipients) == 0 {
+		return buf.Bytes(), errors.New("recipients list is empty!")
+	}
+	var badRecipients []string
 	for _, r := range recipients {
 		kl, err := g.listKeys(ctx, "public", r)
 		if err != nil {
 			debug.Log("Failed to check key %s. Adding anyway. %s", err)
 		} else if len(kl.UseableKeys(gpg.IsAlwaysTrust(ctx))) < 1 {
-			out.Printf(ctx, "Not using invalid key %s for encryption. (Check its expiration date or its encryption capabilities.)", r)
+			badRecipients = append(badRecipients, r)
+			errmsg := fmt.Sprintf("Not using invalid key %q for encryption. Check its expiration date, its encryption capabilities and trust.", r)
+			debug.Log(errmsg)
+			out.Printf(ctx, errmsg)
 
 			continue
 		}
+		debug.Log("adding recipient %s", r)
 		args = append(args, "--recipient", r)
 	}
-
-	buf := &bytes.Buffer{}
+	if len(badRecipients) == len(recipients) {
+		return buf.Bytes(), errors.New("no valid and trusted recipients were found!")
+	}
 
 	cmd := exec.CommandContext(ctx, g.binary, args...)
 	cmd.Stdin = bytes.NewReader(plaintext)
-	// the encrypted blob is written to stdout
-	cmd.Stdout = buf
-	cmd.Stderr = os.Stderr
+	// the encrypted blob and errors are printed to the log file, and to stdout
+	cmd.Stdout = io.MultiWriter(buf, debug.LogWriter)
+	cmd.Stderr = io.MultiWriter(os.Stderr, debug.LogWriter)
 
 	debug.Log("%s %+v", cmd.Path, cmd.Args)
 	err := cmd.Run()

diff --git a/internal/backend/crypto/gpg/cli/gpg_others_test.go b/internal/backend/crypto/gpg/cli/gpg_others_test.go
@@ -19,7 +19,8 @@ func TestEncrypt(t *testing.T) {
 	g.binary = "true"
 
 	_, err := g.Encrypt(ctx, []byte("foo"), nil)
-	require.NoError(t, err)
+	// No recipients are configured so it will fail
+	require.Error(t, err)
 }
 
 func TestDecrypt(t *testing.T) {

diff --git a/internal/backend/crypto/gpg/cli/gpg_windows_test.go b/internal/backend/crypto/gpg/cli/gpg_windows_test.go
@@ -17,7 +17,9 @@ func TestEncrypt(t *testing.T) {
 	g.binary = "rundll32"
 
 	_, err := g.Encrypt(ctx, []byte("foo"), nil)
-	require.NoError(t, err)
+
+	// No recipients are configured so it will fail
+	require.Error(t, err)
 	cancel()
 }
 

diff --git a/internal/store/leaf/write_test.go b/internal/store/leaf/write_test.go
@@ -4,13 +4,14 @@ import (
 	"runtime"
 	"testing"
 
+	"github.com/gopasspw/gopass/internal/backend/crypto/gpg"
 	"github.com/gopasspw/gopass/internal/config"
 	"github.com/gopasspw/gopass/pkg/gopass/secrets"
 	"github.com/stretchr/testify/require"
 )
 
 func TestSet(t *testing.T) {
-	ctx := config.NewContextInMemory()
+	ctx := gpg.WithAlwaysTrust(config.NewContextInMemory(), true)
 
 	s, err := createSubStore(t)
 	require.NoError(t, err)