authorGravatar Joey Hess <joey@kitenet.net>2014-07-15 17:33:14 -0400
committerGravatar Joey Hess <joey@kitenet.net>2014-07-15 17:33:14 -0400
commit4b4d302bcd168732c0e04d76bb387fd04fce06b5 (patch)
tree8cf3e71a238298773ea0a905dec0e12b8e13570c
parenta5a92f89d200ce109cdcfc72e2a21f4d92eef2cf (diff)
Set gcrypt-publish-participants when setting up a gcrypt repository, to avoid unncessary passphrase prompts.
This is a security/usability tradeoff. To avoid exposing the gpg key ids that can decrypt the repository, users can unset gcrypt-publish-participants. The gcrypt-publish-participants option is available in my fork of git-remote-gcrypt. This commit was sponsored by Christopher Kernahan.
-rw-r--r--Git/GCrypt.hs3
-rw-r--r--Remote/GCrypt.hs12
-rw-r--r--debian/changelog5
-rw-r--r--doc/special_remotes/gcrypt.mdwn5
4 files changed, 23 insertions, 2 deletions
diff --git a/Git/GCrypt.hs b/Git/GCrypt.hs
index fb99cf619..c2a5a98fe 100644
--- a/Git/GCrypt.hs
+++ b/Git/GCrypt.hs
@@ -99,6 +99,9 @@ getParticiantList globalconfigrepo repo remotename = KeyIds $ parse $ firstJust
remoteParticipantConfigKey :: RemoteName -> String
remoteParticipantConfigKey = remoteConfigKey "gcrypt-participants"
+remotePublishParticipantConfigKey :: RemoteName -> String
+remotePublishParticipantConfigKey = remoteConfigKey "gcrypt-publish-participants"
+
remoteSigningKey :: RemoteName -> String
remoteSigningKey = remoteConfigKey "gcrypt-signingkey"
diff --git a/Remote/GCrypt.hs b/Remote/GCrypt.hs
index 60c2df73e..b2dd6cdaf 100644
--- a/Remote/GCrypt.hs
+++ b/Remote/GCrypt.hs
@@ -263,10 +263,14 @@ shellOrRsync r ashell arsync = case method of
- participants, which gcrypt requires is the case, and may not be
- depending on system configuration.
-
- - (For shared encryption, gcrypt's default behavior is used.) -}
+ - (For shared encryption, gcrypt's default behavior is used.)
+ -
+ - Also, sets gcrypt-publish-participants to avoid unncessary gpg
+ - passphrase prompts.
+ -}
setGcryptEncryption :: RemoteConfig -> String -> Annex ()
setGcryptEncryption c remotename = do
- let participants = ConfigKey $ Git.GCrypt.remoteParticipantConfigKey remotename
+ let participants = remoteconfig Git.GCrypt.remoteParticipantConfigKey
case extractCipher c of
Nothing -> noCrypto
Just (EncryptedCipher _ _ (KeyIds { keyIds = ks})) -> do
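Review bot: The comment added above setGcryptEncryption gives only the usability reason for gcrypt-publish-participants and leaves out the cost that the commit message and the gcrypt.mdwn text both state: the gpg key ids able to decrypt the repository become visible. I would extend it with ` - This publishes the gpg key ids that can decrypt the repository;` and ` - unset gcrypt-publish-participants to keep them hidden.`, and correct "unncessary" to "unnecessary" in the same comment. The comment block opens before the hunk, so only its tail is visible here.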
@@ -278,6 +282,10 @@ setGcryptEncryption c remotename = do
(k:_) -> setConfig signingkey k
Just (SharedCipher _) ->
unsetConfig participants
+ setConfig (remoteconfig Git.GCrypt.remotePublishParticipantConfigKey)
+ (Git.Config.boolConfig True)
+ where
+ remoteconfig n = ConfigKey $ n remotename
store :: Remote -> Remote.Rsync.RsyncOpts -> (Cipher, Key) -> Key -> MeterUpdate -> Annex Bool
store r rsyncopts (cipher, enck) k p
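Review bot: The added `setConfig (remoteconfig Git.GCrypt.remotePublishParticipantConfigKey) (Git.Config.boolConfig True)` writes the value without looking at any existing setting, and it appears to follow the `case`, so it would apply to every cipher type (indentation is lost on this page, so the placement is inferred). The documented opt-out is to unset the option, which leaves the same state as a remote that was never configured. If setGcryptEncryption runs again for that remote, which this hunk does not show, publication of the recipient key ids would be switched back on silently. I would document the opt-out as setting the option to false, skip the write when the key already has a value, and put `{- Leave an explicit user choice alone; this option exposes recipient key ids. -}` above the call. The function body starts before this hunk.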
diff --git a/debian/changelog b/debian/changelog
index 179a24dca..42ab381d8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -17,6 +17,11 @@ git-annex (5.20140710) UNRELEASED; urgency=medium
(since 5.20140707).
* sync: Fix git sync with local git remotes even when they don't have an
annex.uuid set. (The assistant already did so.)
+ * Set gcrypt-publish-participants when setting up a gcrypt repository,
+ to avoid unncessary passphrase prompts.
+ This is a security/usability tradeoff. To avoid exposing the gpg key
+ ids who can decrypt the repository, users can unset
+ gcrypt-publish-participants.
-- Joey Hess <joeyh@debian.org> Wed, 09 Jul 2014 23:29:21 -0400
diff --git a/doc/special_remotes/gcrypt.mdwn b/doc/special_remotes/gcrypt.mdwn
index ac98c43bb..2e07741d3 100644
--- a/doc/special_remotes/gcrypt.mdwn
+++ b/doc/special_remotes/gcrypt.mdwn
@@ -43,3 +43,8 @@ way git-remote-gcrypt encrypts the git repository, you will need to somehow
force it to re-push everything again, so that the encrypted repository can
be decrypted by the added keys. Probably this can be done by setting
`GCRYPT_FULL_REPACK` and doing a forced push of branches.
+
+Recent versions of git-annex configure gcrypt-publish-participants when
+setting up a gcrypt repository. This is done to avoid unncessary gpg
+passphrase prompts, but it does publish the gpg keyids that can decrypt the
+repository. Unset it if you need to obscure that.