From ea95ca7dfab3c72d49eaeaec406ee3ae994160b5 Mon Sep 17 00:00:00 2001
From: Marty Oehme
Date: Fri, 28 Jan 2022 18:32:06 +0100
Subject: [PATCH] mail: Update mail-check to work with pass-coffin
Updated code to be able to run a password command chosen individually, as well as a post-password command. Used in this instance to `pass open` a password store in a coffin/tomb before actually trying to read passwords out of it.
---
 mail/.config/isync/mbsyncrc | 4 ++--
 mail/.local/bin/mail-check | 26 ++++++++++++++++++++------
 2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/mail/.config/isync/mbsyncrc b/mail/.config/isync/mbsyncrc
index d6da236..cba9b9a 100644
--- a/mail/.config/isync/mbsyncrc
+++ b/mail/.config/isync/mbsyncrc
@@ -3,8 +3,8 @@ IMAPAccount gmail
 # Address to connect to
 Host imap.gmail.com
-UserCmd "gpg2 --decrypt --no-tty --quiet --no-verbose --for-your-eyes-only --pinentry-mode ask ~/.local/share/pass/misc/aerc-gmail-app-password.gpg | grep username | cut -d: -f2"
-PassCmd "gpg2 --decrypt --no-tty --quiet --no-verbose --for-your-eyes-only --pinentry-mode ask ~/.local/share/pass/misc/aerc-gmail-app-password.gpg | head -n1"
+UserCmd "pass show misc/aerc-gmail-app-password | grep username | cut -d: -f2"
+PassCmd "pass show misc/aerc-gmail-app-password | head -n1"
 # To store the password in an encrypted file use PassCmd instead of Pass
 # PassCmd "gpg2 -q --for-your-eyes-only --no-tty -d ~/.mailpass.gpg"
 #
diff --git a/mail/.local/bin/mail-check b/mail/.local/bin/mail-check
index c7b7577..098052b 100755
--- a/mail/.local/bin/mail-check
+++ b/mail/.local/bin/mail-check
@@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/usr/bin/env bash
 #
 # Runs mbsync, with pre-hooks and post-hooks
 # by default, the pre-hook first runs imapfilter
@@ -38,7 +38,9 @@
 # MBSYNC_NOTIFY=1
 # MBSYNC_PASSWORD_FILE="/path/to/gpg/file.gpg"
-PASSWORD_FILE="${MBSYNC_PASSWORD_FILE:-$HOME/.local/share/pass/misc/aerc-gmail-app-password.gpg}"
+# What to run before and after decrypting the password file.
+PASSWORD_CMD="pass open -t 1min"
+# POST_PASSWORD_CMD=""
 prehook() {
 if [ -n "$MBSYNC_PRE" ]; then
@@ -83,7 +85,7 @@ checkonline() {
 # warn user that he has to enter his password in a moment
 # to stop catching him offguard or entering something by accident
 checkwarnuser() {
- agt=$(gpg2 --decrypt --no-tty --quiet --no-verbose --for-your-eyes-only --pinentry-mode cancel "$PASSWORD_FILE" 2>&1)
+ enablegpgagent
 if echo "$agt" | grep -qE 'No secret key'; then
 notify "Mail" "Password phrase needed!"
 sleep 2.5
@@ -91,10 +93,22 @@ checkwarnuser() {
 }
 enablegpgagent() {
- ## get password from user
- agt=$(gpg2 --decrypt --no-tty --quiet --no-verbose --for-your-eyes-only --pinentry-mode ask "$PASSWORD_FILE" 2>&1)
+ [ -n "$agt" ] && return
+
+ if [ -n "$PASSWORD_CMD" ]; then
+ IFS=" " read -r -a PASSWORD_CMD <<<"$PASSWORD_CMD"
+ # shellcheck disable=SC2068
+ agt=$(${PASSWORD_CMD[@]})
+ fi
+
+ if [ -n "$POST_PASSWORD_CMD" ]; then
+ IFS=" " read -r -a POST_PASSWORD_CMD <<<"$POST_PASSWORD_CMD"
+ "${POST_PASSWORD_CMD[@]}"
+ fi
+
 ## exit program after first failed attempt
- if echo "$agt" | grep -qE 'decryption failed'; then
+ if echo "$agt" | grep -qE 'decryption failed' ||
+ echo "$agt" | grep -qE 'No such file'; then
 notify "Mail" "Process aborted."
 exit 1
 fi
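Review bot: In the settings hunk (`@@ -38,7 +38,9 @@`), `POST_PASSWORD_CMD` is left commented out and is not assigned anywhere in the visible hunks, so the value that enablegpgagent later executes comes from whatever the calling environment happens to export, while `PASSWORD_CMD` is a fixed string that cannot be overridden at all. The removed line followed the script's `MBSYNC_` convention with a default; `PASSWORD_CMD="${MBSYNC_PASSWORD_CMD:-pass open -t 1min}"` and `POST_PASSWORD_CMD="${MBSYNC_POST_PASSWORD_CMD:-}"` would keep that convention and make the origin of both commands explicit. The `# MBSYNC_PASSWORD_FILE=...` example in the header comment is now stale, and the new comment still speaks of "decrypting the password file" although no file is decrypted here any more.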
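Review bot: In checkwarnuser (`@@ -83,7 +85,7 @@`), the warning now comes after the prompt it is supposed to announce, because `enablegpgagent` runs the unlock command before the `No secret key` test, whereas the removed line only probed with `--pinentry-mode cancel`. Since `agt` now receives only the stdout of the password command, that test is also unlikely ever to match, so the notify/sleep branch looks dead. Either do a non-interactive check of whether the store is already open before calling `enablegpgagent`, or drop the branch; in both cases the comment above the function should be updated, e.g. `# unlock the password store; notify first if a passphrase prompt is expected`. The function's closing lines are outside this hunk.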
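Review bot: The abort check at the end of enablegpgagent (`@@ -91,10 +93,22 @@`) can no longer be relied on: `agt=$(${PASSWORD_CMD[@]})` captures stdout only (the removed gpg2 call had `2>&1`) and the command's exit status is ignored, so a failed unlock falls through and the sync continues as if the store were open. Reading the split words back into `PASSWORD_CMD` itself is a second problem: on a later call `$PASSWORD_CMD` expands to element 0 only, so if the first run left `agt` empty the function would re-run a bare `pass`; the same applies to `POST_PASSWORD_CMD`. I would split into a local array, quote the expansion (which makes the SC2068 suppression unnecessary) and abort on a non-zero status, assuming `pass open` reports failure that way. The function's closing brace is outside the hunk.

```bash
enablegpgagent() {
  [ -n "$agt" ] && return

  if [ -n "$PASSWORD_CMD" ]; then
    local -a password_cmd
    # Split into a separate array so PASSWORD_CMD keeps its full string
    # for any later call.
    IFS=" " read -r -a password_cmd <<<"$PASSWORD_CMD"
    # Fail on the exit status rather than on message text; stderr is
    # captured so the existing greps still see error output.
    if ! agt=$("${password_cmd[@]}" 2>&1); then
      notify "Mail" "Process aborted."
      exit 1
    fi
  fi
  # … unchanged: POST_PASSWORD_CMD handling (same local-array split applies) …
  # … unchanged: 'decryption failed' / 'No such file' check …
```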