5052677fd1
Fixed up the $mand bug in zrec. zrec-age seems to work in testing. I still wouldn't keep something mission critical in there, but I will start storing info in the patient database. I think incorporating onepassword cli for password prompts could be very useful too.
568 lines
23 KiB
Org Mode
:PROPERTIES:
:GPTEL_MODEL: claude-opus-4-8
:GPTEL_BACKEND: Claude
:GPTEL_SYSTEM: Act as a Code Review Specialist. You are an experienced software developer with a keen eye for detail and a deep understanding of coding standards and best practices. \n\nYour task is to review the code provided by the user, focusing on areas such as:\n- Code quality and readability\n- Adherence to coding standards\n- Potential bugs and security vulnerabilities\n- Performance optimization\n\nYou will:\n- Provide constructive feedback on the code\n- Suggest improvements and refactoring where necessary\n- Highlight any security concerns\n- Ensure the code follows best practices\n\nRules:\n- Be objective and professional in your feedback\n- Prioritize clarity and maintainability in your suggestions\n- Consider the specific context and requirements provided with the code
:GPTEL_TOOLS:
:GPTEL_MAX_TOKENS: 10000
:GPTEL_BOUNDS: ((response (1310 15709) (15767 21231) (21271 23808)))
:END:
*** I have a script that helps me insert records into a recutils database that works well. I would like to adapt this to work when the recfile database is encrypted using age. Create a wrapper script that can take in recfiles encrypted with age then reencrypts them when finished. I would like this to work for both Ubuntu and MacOS.

* Code Review & Age-Encryption Wrapper

Before diving into the wrapper, let me share a few observations on your existing =zrec= script, then provide the encryption wrapper.

** Quick Review Notes on =zrec=

A few things worth flagging for the wrapper to work cleanly:

1. *Bug in mandatory/free-form prompts*: In the "Mandatory fields" and "Additional fields" loops, you call =prompt_field "$f" "$mand" ...= but =$mand= is not set in that scope (it's a leftover from the allowed-fields loop). For mandatory fields it should be ="yes"=; for free-form fields it should be ="no"=. This is a latent bug regardless of encryption.

2. *=recins= modifies the file in place*, which is exactly what our wrapper needs to intercept. Good news: the wrapper can stay decoupled by operating on a temp plaintext file and passing /that/ path to =zrec=.

3. The script reads from =recfile= via =recinf=/=awk= and writes via =recins= — so the wrapper just needs to hand =zrec= a decrypted temp file path.

---

** The Wrapper: =zrec-age=

This wrapper:
- Decrypts an age file to a secure temp location
- Runs =zrec= against the plaintext
- Re-encrypts on success
- Cleans up plaintext securely (best-effort) on all exit paths
- Supports both *passphrase* and *identity/recipient key* workflows
- Works on Ubuntu and macOS

#+begin_src bash
#!/usr/bin/env bash
#
# zrec-age - Encrypted-recfile wrapper around zrec.
#
# Decrypts an age-encrypted recfile to a temporary plaintext file, runs zrec
# against it, then re-encrypts the result back to the original location.
#
# Usage:
#   zrec-age [options] <encrypted-recfile> [record-type]
#
# Options:
#   -i <identity-file>    age identity (private key) file for DECRYPTION.
#                         May be repeated. (Implies key-based mode.)
#   -r <recipient>        age recipient (public key) for ENCRYPTION.
#                         May be repeated. (Implies key-based mode.)
#   -R <recipients-file>  File containing one recipient per line.
#   -p                    Use passphrase (symmetric) mode for both
#                         decrypt and encrypt. (Default if no -i/-r/-R given.)
#   -z <path-to-zrec>     Path to the zrec script (default: looks on PATH,
#                         then alongside this script).
#   -h                    Show this help.
#
# Environment:
#   ZREC_BIN              Overrides the zrec location (same as -z).
#
# Notes:
#   * In passphrase mode you will be prompted up to three times by age
#     (decrypt, then encrypt). This is unavoidable with symmetric age.
#   * Plaintext only ever lives in a 0700 temp directory and is removed
#     (best-effort shredded) on exit.
#
set -o pipefail

# ---------------------------------------------------------------------------
# Globals
# ---------------------------------------------------------------------------
PROG="$(basename "$0")"
WORKDIR=""
PLAINTEXT=""
PASSPHRASE_MODE="auto"   # auto | yes | no
declare -a IDENTITIES=()
declare -a RECIPIENTS=()
declare -a RECIPIENT_FILES=()
ZREC_BIN="${ZREC_BIN:-}"

# ---------------------------------------------------------------------------
# Logging helpers (all to stderr; stdout stays clean)
# ---------------------------------------------------------------------------
log() { printf '%s\n' "$*" >&2; }
err() { printf 'Error: %s\n' "$*" >&2; }
die() { err "$*"; exit 1; }

usage() {
    # Print the header comment block (script lines 3-30), stripping the
    # leading "# ". The range stops before "set -o pipefail" so no code leaks
    # into the help text.
    sed -n '3,30p' "$0" | sed 's/^# \{0,1\}//' >&2
    exit "${1:-1}"
}

# ---------------------------------------------------------------------------
# Dependency checks
# ---------------------------------------------------------------------------
check_deps() {
    command -v age >/dev/null 2>&1 || die "'age' not found. Install it (brew install age / apt install age)."

    if [ -z "$ZREC_BIN" ]; then
        if command -v zrec >/dev/null 2>&1; then
            ZREC_BIN="$(command -v zrec)"
        else
            # Fall back to a zrec sitting next to this wrapper.
            local self_dir
            self_dir="$(cd "$(dirname "$0")" && pwd)"
            if [ -x "$self_dir/zrec" ]; then
                ZREC_BIN="$self_dir/zrec"
            fi
        fi
    fi
    [ -n "$ZREC_BIN" ] && [ -x "$ZREC_BIN" ] \
        || die "Could not find an executable 'zrec' (use -z or set ZREC_BIN)."
}

# ---------------------------------------------------------------------------
# Cross-platform secure temp dir creation.
# ---------------------------------------------------------------------------
make_workdir() {
    # mktemp -d differs slightly across platforms but -d <template> is portable.
    WORKDIR="$(mktemp -d "${TMPDIR:-/tmp}/zrec-age.XXXXXX")" \
        || die "Failed to create temporary directory."
    chmod 700 "$WORKDIR"
}

# ---------------------------------------------------------------------------
# Best-effort secure delete (cross-platform).
# ---------------------------------------------------------------------------
secure_rm() {
    local f="$1"
    [ -f "$f" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        shred -u "$f" 2>/dev/null && return 0
    fi
    # macOS has no shred; overwrite once then unlink as a fallback.
    if command -v dd >/dev/null 2>&1; then
        local size
        size="$(wc -c < "$f" 2>/dev/null | tr -d ' ')"
        if [ -n "$size" ] && [ "$size" -gt 0 ]; then
            dd if=/dev/urandom of="$f" bs="$size" count=1 conv=notrunc 2>/dev/null || true
        fi
    fi
    rm -f "$f"
}

# ---------------------------------------------------------------------------
# Cleanup trap: shred plaintext, remove workdir. Runs on ANY exit.
# ---------------------------------------------------------------------------
cleanup() {
    [ -n "$PLAINTEXT" ] && secure_rm "$PLAINTEXT"
    [ -n "$WORKDIR" ] && [ -d "$WORKDIR" ] && rm -rf "$WORKDIR"
}
trap cleanup EXIT INT TERM HUP

# ---------------------------------------------------------------------------
# Build the age recipient argument array for encryption.
# Echoes nothing; populates the global AGE_ENC_ARGS array.
# ---------------------------------------------------------------------------
build_recipient_args() {
    AGE_ENC_ARGS=()
    local r f
    for r in "${RECIPIENTS[@]}"; do
        AGE_ENC_ARGS+=(-r "$r")
    done
    for f in "${RECIPIENT_FILES[@]}"; do
        [ -f "$f" ] || die "Recipients file not found: $f"
        AGE_ENC_ARGS+=(-R "$f")
    done
}

# ---------------------------------------------------------------------------
# Decrypt encrypted file -> $PLAINTEXT
# ---------------------------------------------------------------------------
decrypt_file() {
    local encfile="$1"

    if [ "$PASSPHRASE_MODE" = "yes" ]; then
        log "Decrypting (passphrase mode)..."
        age --decrypt -o "$PLAINTEXT" "$encfile" \
            || die "Decryption failed (wrong passphrase or corrupt file?)."
    else
        local -a id_args=()
        local id
        for id in "${IDENTITIES[@]}"; do
            [ -f "$id" ] || die "Identity file not found: $id"
            id_args+=(-i "$id")
        done
        [ "${#id_args[@]}" -gt 0 ] || die "Key-based decryption requires at least one -i <identity>."
        log "Decrypting (key mode)..."
        age --decrypt "${id_args[@]}" -o "$PLAINTEXT" "$encfile" \
            || die "Decryption failed (wrong identity or corrupt file?)."
    fi
}

# ---------------------------------------------------------------------------
# Encrypt $PLAINTEXT -> encrypted file (atomic replace via temp + mv).
# ---------------------------------------------------------------------------
encrypt_file() {
    local encfile="$1"
    local tmp_enc="$WORKDIR/out.age"

    if [ "$PASSPHRASE_MODE" = "yes" ]; then
        log "Re-encrypting (passphrase mode)..."
        age --passphrase -o "$tmp_enc" "$PLAINTEXT" \
            || die "Re-encryption failed; original file left UNCHANGED."
    else
        build_recipient_args
        [ "${#AGE_ENC_ARGS[@]}" -gt 0 ] \
            || die "Key-based encryption requires at least one -r/-R recipient."
        log "Re-encrypting (key mode)..."
        age --encrypt "${AGE_ENC_ARGS[@]}" -o "$tmp_enc" "$PLAINTEXT" \
            || die "Re-encryption failed; original file left UNCHANGED."
    fi

    # Preserve original permissions where possible.
    if [ -f "$encfile" ]; then
        # Copy mode from the original encrypted file onto the new ciphertext.
        if command -v stat >/dev/null 2>&1; then
            local mode
            # GNU stat vs BSD stat.
            mode="$(stat -c '%a' "$encfile" 2>/dev/null || stat -f '%Lp' "$encfile" 2>/dev/null)"
            [ -n "$mode" ] && chmod "$mode" "$tmp_enc" 2>/dev/null || true
        fi
    fi

    # Atomic replace.
    mv -f "$tmp_enc" "$encfile" \
        || die "Failed to move new ciphertext into place; original may be intact, check $tmp_enc."
}

# ---------------------------------------------------------------------------
# Argument parsing
# ---------------------------------------------------------------------------
parse_args() {
    while getopts ":i:r:R:pz:h" opt; do
        case "$opt" in
            i) IDENTITIES+=("$OPTARG"); PASSPHRASE_MODE="no" ;;
            r) RECIPIENTS+=("$OPTARG"); PASSPHRASE_MODE="no" ;;
            R) RECIPIENT_FILES+=("$OPTARG"); PASSPHRASE_MODE="no" ;;
            p) PASSPHRASE_MODE="yes" ;;
            z) ZREC_BIN="$OPTARG" ;;
            h) usage 0 ;;
            \?) die "Unknown option: -$OPTARG" ;;
            :) die "Option -$OPTARG requires an argument." ;;
        esac
    done
    shift $((OPTIND - 1))

    [ "$#" -ge 1 ] || usage 1

    ENCFILE="$1"
    shift
    # Remaining args (record-type) get forwarded to zrec verbatim.
    ZREC_EXTRA_ARGS=("$@")

    # Resolve auto mode -> passphrase if no keys supplied.
    [ "$PASSPHRASE_MODE" = "auto" ] && PASSPHRASE_MODE="yes"

    # Sanity: in key mode, ensure we can both decrypt and re-encrypt.
    if [ "$PASSPHRASE_MODE" = "no" ]; then
        [ "${#IDENTITIES[@]}" -gt 0 ] \
            || die "Key mode: provide -i <identity> for decryption."
        if [ "${#RECIPIENTS[@]}" -eq 0 ] && [ "${#RECIPIENT_FILES[@]}" -eq 0 ]; then
            die "Key mode: provide -r/-R recipient(s) for re-encryption."
        fi
    fi
}

# ---------------------------------------------------------------------------
# Main
# ---------------------------------------------------------------------------
main() {
    parse_args "$@"
    check_deps

    [ -f "$ENCFILE" ] || die "Encrypted recfile '$ENCFILE' does not exist."
    [ -r "$ENCFILE" ] || die "Encrypted recfile '$ENCFILE' is not readable."

    make_workdir
    PLAINTEXT="$WORKDIR/recfile.rec"

    decrypt_file "$ENCFILE"

    # Snapshot to detect whether zrec actually changed anything.
    local before_sum after_sum
    before_sum="$(cksum < "$PLAINTEXT")"

    log ""
    log "Launching zrec on decrypted copy..."
    log "----------------------------------------"

    # Run zrec interactively against the plaintext temp file.
    if "$ZREC_BIN" "$PLAINTEXT" "${ZREC_EXTRA_ARGS[@]}"; then
        after_sum="$(cksum < "$PLAINTEXT")"
        if [ "$before_sum" = "$after_sum" ]; then
            log "No changes detected; skipping re-encryption."
        else
            encrypt_file "$ENCFILE"
            log "Encrypted recfile updated: $ENCFILE"
        fi
    else
        local rc=$?
        err "zrec exited with status $rc; original encrypted file left UNCHANGED."
        exit "$rc"
    fi
}

main "$@"
#+end_src

---

** How to Use It

*Passphrase mode* (simplest — default when no keys given):
#+begin_src bash
zrec-age contacts.rec.age
zrec-age contacts.rec.age Person   # pre-select a record type
#+end_src

*Key mode* (recommended for automation / shared files):
#+begin_src bash
zrec-age -i ~/.age/key.txt -r age1ql3z7hjy54... contacts.rec.age
# or with a recipients file:
zrec-age -i ~/.age/key.txt -R ~/.age/recipients.txt contacts.rec.age
#+end_src

---

** Design Decisions & Safety Highlights

| Concern | How it's handled |
|---|---|
| *Plaintext exposure* | Lives only in a =chmod 700= temp dir; shredded (or overwritten on macOS) on every exit path via =trap=. |
| *Crash/Ctrl-C safety* | =trap cleanup EXIT INT TERM HUP= guarantees cleanup. |
| *Don't corrupt originals* | Re-encryption goes to a temp =.age=, then =mv -f= (atomic same-filesystem replace). On any failure, the original ciphertext is untouched. |
| *No needless re-encrypt* | =cksum= comparison skips re-encryption if =zrec= made no changes (also avoids an extra passphrase prompt). |
| *macOS vs Ubuntu* | =shred= fallback to =dd=; =stat -c= vs =stat -f=; =${TMPDIR:-/tmp}=; portable =mktemp -d= template. |
| *Permission preservation* | Copies the original ciphertext's mode onto the new one. |

---

** Recommendations & Caveats

1. *Fix the =$mand= bug in =zrec= first.* As noted, the mandatory and free-form loops pass an unset =$mand=. This isn't an encryption issue, but it will produce incorrect prompts. Change those calls to ="yes"= and ="no"= respectively.

2. *Passphrase prompts twice.* Symmetric age inherently prompts on decrypt and again on encrypt. If that bothers you, prefer key mode. I deliberately did *not* cache the passphrase in a variable — keeping a passphrase in a shell variable/=age --passphrase= via env is a meaningful security regression.

3. *=mv= across filesystems.* If =$TMPDIR= is on a different filesystem than the recfile, =mv= becomes a copy+delete and loses atomicity. If you need strict atomicity, set =TMPDIR= to the same filesystem as the recfile, or write the temp ciphertext next to the target (e.g. =${ENCFILE}.tmp.$$=) instead of in =$WORKDIR=.

4. *Shredding on copy-on-write/SSD filesystems is unreliable* (APFS, btrfs, ext4 with journaling). The =secure_rm= here is best-effort; treat it as defense-in-depth, not a guarantee.

5. *Backup before first real use.* Test on a copy. A bug in either script could, in the worst case, leave you with a re-encrypted file you can't easily reconstruct.

6. *Consider verifying decrypt output is non-empty* before launching =zrec= — a zero-byte decrypt usually signals a silent failure on some =age= versions. You could add =[ -s "$PLAINTEXT" ] || die "Decryption produced empty output."= after =decrypt_file=.

Would you like me to also add a non-interactive =--backup= option (keeping a timestamped copy of the previous ciphertext), or a dry-run mode?

*** What is the $mand bug in zrec and how do I fix it?

- The =$mand= Bug in =zrec=

* What's Wrong

In your =main()= function, the variable =$mand= is a /local/ declared inside the /allowed-fields/ loop:

#+begin_src bash
# ---- 1. Prompt for ALLOWED fields (if defined) ------------------------
if [ -n "$allowed_fields" ]; then
    ...
    for f in $allowed_fields; do
        ...
        local mand="no"          # <-- declared HERE
        in_list "$f" $mandatory_fields && mand="yes"
        ...
        val=$(prompt_field "$f" "$mand" "$ftype" "$label")
        ...
    done
fi
#+end_src

That =local mand= only exists meaningfully within that loop. But you then reference =$mand= again in /two other loops/ where it was never set for those fields:

/Loop 2 — Mandatory fields:/
#+begin_src bash
for f in $mandatory_fields; do
    if ! in_list "$f" $prompted; then
        ...
        val=$(prompt_field "$f" "$mand" "$ftype" "$label")   # <-- $mand is STALE
        ...
    fi
done
#+end_src

/Loop 3 — Additional / free-form fields:/
#+begin_src bash
while true; do
    ...
    val=$(prompt_field "$newfield" "$mand" "$ftype" "$label")   # <-- $mand is STALE
    ...
done
#+end_src

* Why It Matters

=$mand= is being used as the =is_mandatory= argument to =prompt_field=. Because it's a single =local= variable scoped to =main()=, its value /leaks/ from the allowed-fields loop into the other two loops, carrying whatever value it happened to hold on the last iteration.

The practical consequences:

| Scenario | Expected | Actual (buggy) behavior |
|---|---|---|
| /Mandatory fields loop/ | Each field should be ="yes"= (it's mandatory, by definition of this loop) | Uses leftover =$mand= — could be ="no"=, so a genuinely required field won't loop-until-non-empty. You can submit it empty. |
| /Free-form fields loop/ | Each field should be ="no"= (user-defined, optional) | Uses leftover =$mand= — could be ="yes"=, forcing the user to enter a non-empty value for a field they may want to skip. |
| /=$mand= never set at all/ | — | If =allowed_fields= is empty, the allowed-loop never runs, so =$mand= is /unset/empty/ in the other loops. =prompt_field= treats empty as "not mandatory". |

The subtlest case is the /mandatory fields loop being too lenient/: a field that's declared =%mandatory:= but /not/ in the =%allowed:= list could be left empty, and =recins= would then reject the record (or insert an invalid one). That's the opposite of what your interactive prompt is supposed to guarantee.

* The Fix

Set the correct, explicit value in each loop instead of relying on the leaked variable.

/Loop 2 — Mandatory fields/ (these are always mandatory, so hardcode ="yes"=):
#+begin_src bash
if [ -n "$mandatory_fields" ]; then
    local f
    local printed_header="no"
    for f in $mandatory_fields; do
        if ! in_list "$f" $prompted; then
            if [ "$printed_header" = "no" ]; then
                echo "== Mandatory fields ==" >&2
                printed_header="yes"
            fi
            local info ftype label
            info=$(get_field_type_info "$block" "$f")
            ftype="${info%%"$TAB"*}"
            label="${info#*"$TAB"}"

            local val
            val=$(prompt_field "$f" "yes" "$ftype" "$label")   # <-- was "$mand"
            args+=(-f "$f" -v "$val")
            prompted="$prompted $f"
        fi
    done
fi
#+end_src

/Loop 3 — Additional / free-form fields/ (always optional, so hardcode ="no"=):
#+begin_src bash
while true; do
    printf "Field name: " >&2
    local newfield
    IFS= read -r newfield
    case "$newfield" in
        "" | done | DONE | q | quit) break ;;
    esac

    local info ftype label
    info=$(get_field_type_info "$block" "$newfield")
    ftype="${info%%"$TAB"*}"
    label="${info#*"$TAB"}"

    local val
    val=$(prompt_field "$newfield" "no" "$ftype" "$label")   # <-- was "$mand"

    args+=(-f "$newfield" -v "$val")
done
#+end_src

The /allowed-fields loop (Loop 1) is correct already/ — leave its =local mand="no"= / =in_list ... && mand="yes"= logic as-is, since it genuinely needs to check whether each allowed field is also mandatory.

* Recommended Hardening

To prevent this class of leak in the future, declare =mand= explicitly per-loop (or avoid the shared name entirely). Two options:

1. /Scope it inside each loop/ — declare =local mand="yes"= (or ="no"=) at the top of Loops 2 and 3 even though you hardcode it. This documents intent and prevents accidental reliance on an outer value.

2. /Enable strict mode/ during development to catch unset variables:
   #+begin_src bash
   set -u   # treat unset variables as an error
   #+end_src
   With =set -u=, the empty-=$mand= case (when =allowed_fields= is empty) would have surfaced immediately as an error rather than silently passing an empty string. Be aware this requires auditing the rest of the script for other unguarded unset-variable references first.

* Quick Verification

After applying the fix, test these cases:

1. A recfile where a =%mandatory:= field is /not/ in =%allowed:= — confirm the prompt now refuses an empty value (loops until you type something).
2. A free-form recfile (no =%allowed:=) — confirm the "Additional fields" prompts let you submit fields with empty values without being forced to re-enter.
3. A recfile with no =%allowed:= and a =%mandatory:= field — confirm mandatory enforcement still works.

This bug is independent of the age wrapper, so fix it directly in =zrec= and the wrapper will benefit automatically.

*** PROG in zrec-age appears unused.

Good catch — you're right.

- Unused Variable: =PROG=

In =zrec-age=, this global is declared but never referenced:

#+begin_src bash
PROG="$(basename "$0")"
#+end_src

The reason it's dead: I route usage output through =usage()=, which extracts the header comment block directly from the script file rather than composing an error string from =$PROG=. And the =die()=/=err()=/=log()= helpers print plain messages without a program-name prefix. So =PROG= never gets used.

- Two Ways to Resolve It

* Option A — Remove it (simplest)

Just delete the line:

#+begin_src bash
# ---------------------------------------------------------------------------
# Globals
# ---------------------------------------------------------------------------
WORKDIR=""
PLAINTEXT=""
PASSPHRASE_MODE="auto"   # auto | yes | no
declare -a IDENTITIES=()
declare -a RECIPIENTS=()
declare -a RECIPIENT_FILES=()
ZREC_BIN="${ZREC_BIN:-}"
#+end_src

* Option B — Actually use it (better UX)

Prefixing diagnostics with the program name is a common, useful convention — it makes messages traceable when =zrec-age= is invoked from a pipeline, cron job, or another script. If you'd like that, keep =PROG= and wire it into the logging helpers:

#+begin_src bash
err() { printf '%s: Error: %s\n' "$PROG" "$*" >&2; }
die() { err "$*"; exit 1; }
#+end_src

You could optionally prefix =log()= too, though I'd leave =log()= unprefixed since it carries interactive/progress messages meant for the human at the terminal:

#+begin_src bash
log() { printf '%s\n' "$*" >&2; }   # leave as-is
#+end_src

With Option B, output changes from:

#+begin_example
Error: 'age' not found. Install it ...
#+end_example

to:

#+begin_example
zrec-age: Error: 'age' not found. Install it ...
#+end_example

- Recommendation

I'd go with /Option B/ — the prefix costs almost nothing and improves diagnosability, which matters for a security-sensitive wrapper that may run non-interactively. But if you prefer to keep messages terse and =zrec-age= is only ever run interactively, /Option A/ is perfectly fine.

- Prevention Tip

This is exactly the kind of thing a linter catches automatically. Running =shellcheck= over both scripts would have flagged it as:

#+begin_example
SC2034: PROG appears unused. Verify use (or export if used externally).
#+end_example

I'd recommend adding =shellcheck= to your workflow — it will also catch a number of other subtle issues (unquoted expansions, unset-variable risks like the =$mand= bug we discussed, etc.) across both =zrec= and =zrec-age=.