fix: detect yubikey touches for the new gpg version (#58)

maximbaz · Nov 21, 2024 · 7c1dc46 · 7c1dc46
1 parent b59e0e9
commit 7c1dc46
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 15 deletions.
diff --git a/detector/gpg.go b/detector/gpg.go
@@ -12,17 +12,19 @@ import (
 )
 
 // WatchGPG watches for hints that YubiKey is maybe waiting for a touch on a GPG request
-func WatchGPG(gpgPubringPath string, requestGPGCheck chan bool) {
+func WatchGPG(filesToWatch []string, requestGPGCheck chan bool) {
 	// No need for a buffered channel,
 	// we are interested only in the first event, it's ok to skip all subsequent ones
 	events := make(chan notify.EventInfo)
 
 	initWatcher := func() {
-		if err := notify.Watch(gpgPubringPath, events, notify.InOpen, notify.InDeleteSelf, notify.InMoveSelf); err != nil {
-			log.Errorf("Cannot establish a watch on gpg's pubring.kbx file '%v': %v", gpgPubringPath, err)
-			return
+		for _, file := range filesToWatch {
+			if err := notify.Watch(file, events, notify.InOpen, notify.InDeleteSelf, notify.InMoveSelf); err != nil {
+				log.Errorf("Failed to establish a watch on GPG file '%s': %v\n", file, err)
+				return
+			}
+			log.Debugf("GPG watcher is watching '%s'...\n", file)
 		}
-		log.Debug("GPG watcher is successfully established")
 	}
 
 	initWatcher()
@@ -36,7 +38,7 @@ func WatchGPG(gpgPubringPath string, requestGPGCheck chan bool) {
 			default:
 			}
 		default:
-			log.Debugf("pubring.kbx received file event '%+v', recreating the watcher.", event.Event())
+			log.Debugf("GPG received file event '%+v', recreating the watcher.", event.Event())
 			notify.Stop(events)
 			time.Sleep(5 * time.Second)
 			initWatcher()

diff --git a/main.go b/main.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"os/signal"
 	"path"
+	"path/filepath"
 	"strings"
 	"sync"
 	"syscall"
@@ -78,21 +79,50 @@ func main() {
 	} else if ctx.SetProtocol(gpgme.ProtocolAssuan) != nil {
 		log.Debugf("Cannot initialize Assuan IPC: %v. Disabling GPG and SSH watchers.", err)
 	} else {
-		gpgPubringPath := path.Join(gpgme.GetDirInfo("homedir"), "pubring.kbx")
-		if _, err := os.Stat(gpgPubringPath); err == nil {
-
-			requestGPGCheck := make(chan bool)
-			go detector.CheckGPGOnRequest(requestGPGCheck, notifiers, ctx)
-			go detector.WatchGPG(gpgPubringPath, requestGPGCheck)
-			go detector.WatchSSH(requestGPGCheck, exits)
-		} else {
-			log.Debugf("'%v' could not be found. Disabling GPG and SSH watchers.", gpgPubringPath)
+		var gpgPrivateKeysDirPath = path.Join(gpgme.GetDirInfo("homedir"), "private-keys-v1.d")
+		if _, err := os.Stat(gpgPrivateKeysDirPath); err != nil {
+			log.Debugf("Directory '%s' does not exist or cannot stat it\n", gpgPrivateKeysDirPath)
+			return
 		}
+		filesToWatch, err := findShadowedPrivateKeys(gpgPrivateKeysDirPath)
+		if err != nil {
+			log.Debugf("Error finding shadowed private keys: %v\n", err)
+			return
+		}
+		if len(filesToWatch) == 0 {
+			log.Debugf("No shadowed private keys found.\n")
+			return
+		}
+		requestGPGCheck := make(chan bool)
+		go detector.CheckGPGOnRequest(requestGPGCheck, notifiers, ctx)
+		go detector.WatchGPG(filesToWatch, requestGPGCheck)
+		go detector.WatchSSH(requestGPGCheck, exits)
 	}
 	wait := make(chan bool)
 	<-wait
 }
 
+func findShadowedPrivateKeys(folderPath string) ([]string, error) {
+	var result []string
+	err := filepath.WalkDir(folderPath, func(path string, info os.DirEntry, err error) error {
+		if err != nil || info.IsDir() {
+			return err
+		}
+		data, err := os.ReadFile(path)
+		if err != nil {
+			return err
+		}
+		if strings.Contains(string(data), "shadowed-private-key") {
+			result = append(result, path)
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return result, nil
+}
+
 func setupExitSignalWatch(exits *sync.Map) {
 	exitSignal := make(chan os.Signal, 1)
 	signal.Notify(exitSignal, os.Interrupt, syscall.SIGTERM)