add a command to add additonal gpg keys

This also fixes a bug resolving remote names with the trust command.

Author: schiele

README.md

@@ -54,12 +54,10 @@ git incrypt init $URL $GPG_KEY_ID
 
 where `$URL` is the URL of the remote repository prefixed with `incrypt::` to
 be initialized and `$GPG_KEY_ID` is one or multiple GPG key IDs to be used to
-encrypt the data in the repository. Note that this version does not yet have a
-command to change the list of keys later, so give it a thought before setting
-up the repository. However if you need to change keys you can always delete
-the encrypted repository later and re-initialize it with other keys. For sure
-we should have a command in future versions that an re-encrypt the data with
-new keys in the future.
+encrypt the data in the repository.
+
+If needed you can later add additional keys using the `git incrypt add`
+command.
 
 From now on you can just use the regular git commands to communicate with the
 encrypted remote repository. They all should work in the ususal way but

git-incrypt

@@ -424,6 +424,7 @@ class MetaData:
         self.keyhash = None
         self.template = None
         self.defaultbranch = None
+        self.gpgkeys = []
 
     def init(self, gpgkeys, template, defaultbranch):
         'initialize the metadata'
@@ -447,6 +448,14 @@ class MetaData:
         self.write()
         return self
 
+    def addkey(self, gpgkeys):
+        'add gpg key'
+        self.gpgkeys += gpgkeys
+        cryptedkey = subprocess.check_output(
+            ['gpg', '-q', '-e'] + ['-r' + k for k in self.gpgkeys],
+            input=MetaData.KEYVER + b'\x00' + self.key)
+        self.files['key'] = self.repo.create_blob(cryptedkey)
+
     def read(self):
         'read the metadata'
         self.files = {}
@@ -468,6 +477,13 @@ class MetaData:
         keyver, self.key = data.split(b'\x00', 1)
         assert keyver == MetaData.KEYVER, \
             f'Key format is {keyver}, expected {MetaData.KEYVER}'
+        keydata = subprocess.check_output(
+            ['gpg', '-q', '--list-packets'],
+            input=obj.read_raw()).decode('utf-8').split('\n')
+        for k in keydata:
+            match = re.search(r'^:pubkey enc packet:.*keyid ([0-9A-F]+)', k)
+            if match:
+                self.gpgkeys.append(match.group(1))
         self.files['sig'] = tree['sig'].id
         obj = tree['msg']
         self.files['msg'] = obj.id
@@ -568,12 +584,27 @@ def init_command(args):
         crypt.push([])
 
 
+def addkey_command(args):
+    'add key to incrypt repository'
+    try:
+        url = pygit2.Repository('.').remotes[args.remote].url
+    except (KeyError, ValueError):
+        url = args.remote
+    assert url.startswith('incrypt::'), \
+        f'url `{url}` must start with incrypt::'
+    crypt = CryptRepo('.', url[9:])
+    crypt.meta.addkey(args.keys)
+    crypt.push([])
+
+
 def trust_command(args):
     'trust incrypt repository'
-    remotes = pygit2.Repository('.').remotes
-    url = remotes[args.remote].url if args.remote in remotes else args.remote
+    try:
+        url = pygit2.Repository('.').remotes[args.remote].url
+    except (KeyError, ValueError):
+        url = args.remote
     assert url.startswith('incrypt::'), \
-        'url must start with incrypt::'
+        f'url `{url}` must start with incrypt::'
     crypt = CryptRepo('.', url[9:], forcetrust=True)
     if args.sign:
         crypt.meta.sign()
@@ -607,6 +638,13 @@ def tool():
     init_parser.add_argument(
         'keys', nargs='+', help='GPG keys used to encrypt the data')
     init_parser.set_defaults(func=init_command)
+    addkey_parser = subparsers.add_parser(
+        'addkey', help='Add an encryption key')
+    addkey_parser.add_argument(
+        'remote', type=str, help='Name of the remote')
+    addkey_parser.add_argument(
+        'keys', nargs='+', help='GPG keys to add')
+    addkey_parser.set_defaults(func=addkey_command)
     trust_parser = subparsers.add_parser(
         'trust', help='Trust the remote repository')
     trust_parser.add_argument(

git-incrypt.adoc

@@ -10,6 +10,7 @@ SYNOPSIS
 --------
 [verse]
 'git incrypt' init [-n <name>] [-e <email>] [-d <date>] [-m <msg>] <repository> <key>...
+'git incrypt' addkey <repository> <key>...
 'git incrypt' trust [-s] <repository>
 
 
@@ -63,6 +64,19 @@ repository. If not provided, a standard message is used. Similar to
 the `git commit` command, this option can be specified multiple
 times to add multiple paragraphs to the commit message.
 
+addkey <repository> <key>...::
+	Add the given GPG key to the list of allowed keys for the
+	repository.
++
+<repository> is the URL of the remote repository to add the key to.
+It needs to start with `incrypt::` and the remainder needs to be a
+URL git can understand, e.g. `incrypt::https://github.com/foo/bar.git`.
+Alternatively, a registered remote name that points to a URL
+qualifying to the criteria above can be used.
++
+<key> is a list of GPG keys to add as allowed keys to access the
+repository.
+
 trust [-s] <repository>::
 	Mark the given repository as trusted. If the `-s` option is
 	given, the repository will also be signed with the users GPG