Set passphrase only for the fingerprint being used (#123)

* If fingerprint input is provided it sets only the passphrase for that key

* Update README with how to use subkeys example

README.md

@@ -120,6 +120,51 @@ jobs:
  git push
 ```
 
+### Use a subkey
+
+With the input `fingerprint`, you can specify which one of the subkeys in a GPG key you want to use for signing.
+
+```yaml
+name: import-gpg
+
+on:
+ push:
+ branches: master
+
+jobs:
+ import-gpg:
+ runs-on: ubuntu-latest
+ steps:
+ -
+ name: Checkout
+ uses: actions/checkout@v2
+ -
+ name: Import GPG key
+ id: import_gpg
+ uses: crazy-max/ghaction-import-gpg@v4
+ with:
+ gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+ passphrase: ${{ secrets.PASSPHRASE }}
+ fingerprint: "C17D11ADF199F12A30A0910F1F80449BE0B08CB8"
+ -
+ name: List keys
+ run: gpg -K
+```
+
+For example, given this GPG key with a signing subkey:
+
+```s
+pub ed25519 2021-09-24 [C]
+ 87F257B89CE462100BEC0FFE6071D218380FDCC8
+ Keygrip = F5C3ABFAAB36B427FD98C4EDD0387E08EA1E8092
+uid [ unknown] Joe Bar <[email protected]>
+sub ed25519 2021-09-24 [S]
+ C17D11ADF199F12A30A0910F1F80449BE0B08CB8
+ Keygrip = DEE0FC98F441519CA5DE5D79773CB29009695FEB
+```
+
+You can use the subkey with signing capability whose fingerprint is `C17D11ADF199F12A30A0910F1F80449BE0B08CB8`.
+
 ## Customizing
 
 ### inputs

__tests__/fixtures/test-key-gpg-output.txt

@@ -0,0 +1,8 @@
+tru::1:1645715610:1661267528:3:1:5
+pub:-:4096:1:7D851EB72D73BDA0:1588448672:::-:::scESC::::::23::0:
+fpr:::::::::27571A53B86AF0C799B38BA77D851EB72D73BDA0:
+grp:::::::::3E2D1142AA59E08E16B7E2C64BA6DDC773B1A627:
+uid:-::::1588448672::C1B25336F8F0F0F22BAF57137BE493ADEDA8CCAA::Joe Tester <[email protected]>::::::::::0:
+sub:-:4096:1:D523BD50DD70B0BA:1588448672::::::e::::::23:
+fpr:::::::::5A282E1460C0BC419615D34DD523BD50DD70B0BA:
+grp:::::::::BA83FC8947213477F28ADC019F6564A956456163:

__tests__/fixtures/test-subkey-gpg-output.txt

@@ -0,0 +1,8 @@
+tru::1:1645715610:1661267528:3:1:5
+pub:-:256:22:6071D218380FDCC8:1632521434:::-:::cSC:::::ed25519:::0:
+fpr:::::::::87F257B89CE462100BEC0FFE6071D218380FDCC8:
+grp:::::::::F5C3ABFAAB36B427FD98C4EDD0387E08EA1E8092:
+uid:-::::1632521434::019F22ECD701BC0F6AFE686ABD2B010B812B828E::Joe Bar <[email protected]>::::::::::0:
+sub:-:256:22:1F80449BE0B08CB8:1632521539::::::s:::::ed25519::
+fpr:::::::::C17D11ADF199F12A30A0910F1F80449BE0B08CB8:
+grp:::::::::DEE0FC98F441519CA5DE5D79773CB29009695FEB:

__tests__/gpg.test.ts

@@ -1,5 +1,6 @@
 import * as fs from 'fs';
 import * as gpg from '../src/gpg';
+import {parseKeygripFromGpgColonsOutput} from '../src/gpg';
 
 const userInfos = [
  {
@@ -20,6 +21,7 @@ const userInfos = [
  email: '[email protected]',
  keyID: '7D851EB72D73BDA0',
  fingerprint: '27571A53B86AF0C799B38BA77D851EB72D73BDA0',
+ fingerprints: ['27571A53B86AF0C799B38BA77D851EB72D73BDA0', '5A282E1460C0BC419615D34DD523BD50DD70B0BA'],
  keygrips: ['3E2D1142AA59E08E16B7E2C64BA6DDC773B1A627', 'BA83FC8947213477F28ADC019F6564A956456163']
  },
  {
@@ -40,6 +42,7 @@ const userInfos = [
  email: '[email protected]',
  keyID: '6071D218380FDCC8',
  fingerprint: 'C17D11ADF199F12A30A0910F1F80449BE0B08CB8',
+ fingerprints: ['87F257B89CE462100BEC0FFE6071D218380FDCC8', 'C17D11ADF199F12A30A0910F1F80449BE0B08CB8'],
  keygrips: ['F5C3ABFAAB36B427FD98C4EDD0387E08EA1E8092', 'DEE0FC98F441519CA5DE5D79773CB29009695FEB']
  }
 ];
@@ -101,6 +104,19 @@ for (let userInfo of userInfos) {
  });
  });
 
+ describe('getKeygrip', () => {
+ it('returns the keygrip for a given fingerprint', async () => {
+ await gpg.importKey(userInfo.pgp);
+ for (let [i, fingerprint] of userInfo.fingerprints.entries()) {
+ await gpg.getKeygrip(fingerprint).then(keygrip => {
+ console.log(`Fingerprint: ${fingerprint}; Index: ${i}; Keygrip: ${keygrip}`);
+ expect(keygrip.length).toEqual(userInfo.keygrips[i].length);
+ expect(keygrip).toEqual(userInfo.keygrips[i]);
+ });
+ }
+ });
+ });
+
  describe('presetPassphrase', () => {
  it('presets passphrase', async () => {
  await gpg.importKey(userInfo.pgp);
@@ -128,3 +144,29 @@ describe('killAgent', () => {
  await gpg.killAgent();
  });
 });
+
+describe('parseKeygripFromGpgColonsOutput', () => {
+ it('returns the keygrip of a given fingerprint from a GPG command output using the option: --with-colons', async () => {
+ const outputUsingTestKey = fs.readFileSync('__tests__/fixtures/test-key-gpg-output.txt', {
+ encoding: 'utf8',
+ flag: 'r'
+ });
+
+ const keygripPrimaryTestKey = parseKeygripFromGpgColonsOutput(outputUsingTestKey, '27571A53B86AF0C799B38BA77D851EB72D73BDA0');
+ expect(keygripPrimaryTestKey).toBe('3E2D1142AA59E08E16B7E2C64BA6DDC773B1A627');
+
+ const keygripSubkeyTestKey = parseKeygripFromGpgColonsOutput(outputUsingTestKey, '5A282E1460C0BC419615D34DD523BD50DD70B0BA');
+ expect(keygripSubkeyTestKey).toBe('BA83FC8947213477F28ADC019F6564A956456163');
+
+ const outputUsingTestSubkey = fs.readFileSync('__tests__/fixtures/test-subkey-gpg-output.txt', {
+ encoding: 'utf8',
+ flag: 'r'
+ });
+
+ const keygripPrimaryTestSubkey = parseKeygripFromGpgColonsOutput(outputUsingTestSubkey, '87F257B89CE462100BEC0FFE6071D218380FDCC8');
+ expect(keygripPrimaryTestSubkey).toBe('F5C3ABFAAB36B427FD98C4EDD0387E08EA1E8092');
+
+ const keygripSubkeyTestSubkey = parseKeygripFromGpgColonsOutput(outputUsingTestSubkey, 'C17D11ADF199F12A30A0910F1F80449BE0B08CB8');
+ expect(keygripSubkeyTestSubkey).toBe('DEE0FC98F441519CA5DE5D79773CB29009695FEB');
+ });
+});

src/gpg.ts

@@ -159,6 +159,39 @@ export const getKeygrips = async (fingerprint: string): Promise<Array<string>> =
  });
 };
 
+export const parseKeygripFromGpgColonsOutput = (output: string, fingerprint: string): string => {
+ let keygrip = '';
+ let fingerPrintFound = false;
+ const lines = output.replace(/\r/g, '').trim().split(/\n/g);
+
+ for (let line of lines) {
+ if (line.startsWith(`fpr:`) && line.includes(`:${fingerprint}:`)) {
+ // We reach the record with the matching fingerprint.
+ // The next keygrip record is the keygrip for this fingerprint.
+ fingerPrintFound = true;
+ continue;
+ }
+
+ if (line.startsWith('grp:') && fingerPrintFound) {
+ keygrip = line.replace(/(grp|:)/g, '').trim();
+ break;
+ }
+ }
+
+ return keygrip;
+};
+
+export const getKeygrip = async (fingerprint: string): Promise<string> => {
+ return await exec
+ .getExecOutput('gpg', ['--batch', '--with-colons', '--with-keygrip', '--list-secret-keys', fingerprint], {
+ ignoreReturnCode: true,
+ silent: true
+ })
+ .then(res => {
+ return parseKeygripFromGpgColonsOutput(res.stdout, fingerprint);
+ });
+};
+
 export const configureAgent = async (config: string): Promise<void> => {
  const gpgAgentConf = path.join(await getGnupgHome(), 'gpg-agent.conf');
  await fs.writeFile(gpgAgentConf, config, function (err) {

src/main.ts

@@ -48,7 +48,9 @@ async function run(): Promise<void> {
  });
  });
 
- if (inputs.passphrase) {
+ if (inputs.passphrase && !inputs.fingerprint) {
+ // Set the passphrase for all subkeys
+
  core.info('Configuring GnuPG agent');
  await gpg.configureAgent(gpg.agentConfig);
 
@@ -62,6 +64,21 @@ async function run(): Promise<void> {
  });
  }
 
+ if (inputs.passphrase && inputs.fingerprint) {
+ // Set the passphrase only for the subkey specified in the input `fingerprint`
+
+ core.info('Configuring GnuPG agent');
+ await gpg.configureAgent(gpg.agentConfig);
+
+ await core.group(`Getting keygrip for fingerprint`, async () => {
+ const keygrip = await gpg.getKeygrip(fingerprint);
+ core.info(`Presetting passphrase for key ${fingerprint} with keygrip ${keygrip}`);
+ await gpg.presetPassphrase(keygrip, inputs.passphrase).then(stdout => {
+ core.debug(stdout);
+ });
+ });
+ }
+
  await core.group(`Setting outputs`, async () => {
  core.info(`fingerprint=${fingerprint}`);
  context.setOutput('fingerprint', fingerprint);