dup: fixed erroneous gpg-related options processing; example.dup: fixed...

dup: fixed erroneous gpg-related options processing; example.dup: fixed erroneous comments about the way gpg options are used

AUTHORS

@@ -14,3 +14,4 @@ Patches:
 cmccallum@thecsl.org
 Daniel.Bonniot@inria.fr
 Brad Fritz <brad@fritzfam.com> -- trac patch
+garcondumonde@riseup.net

ChangeLog

@@ -11,6 +11,8 @@ version 0.9.2 -- unreleased
 		duplicity:
 			. globbing support fixed in include and exclude options 
 			. different signing and encrypting key support added
+			. fixed erroneous comments in example.dup about the way
+			  GnuPG-related options are used
 		mysql:
 			. handler vserver bugs fixed and debug output enhanced
 	ninjahelper(s) changes

NEWS

+WARNING FOR DUPLICITY USERS
+
+Old (pre-0.9.2) example.dup file used to give false information about the way
+the GnuPG-related options are used. Please read the new example.dup file, and
+update your own configuration files if needed.

examples/example.dup

@@ -11,25 +11,42 @@ nicelevel = 19
 ######################################################
 ## gpg section
 ## (how to encrypt and optionnally sign the backups)
+##
+## WARNING: old (pre-0.9.2) example.dup used to give wrong information about
+##          the way the following options are used. Please read ahead
+##          carefully.
+##
+## If the encryptkey variable is set:
+##   - data is encrypted with the GnuPG public key specified by the encryptkey
+##     variable
+##   - if signing is enabled, the password variable is used to unlock the GnuPG
+##     private key used for signing; else, you do not need to set the password
+##     variable
+## If the encryptkey option is not set:
+##   - data signing is not possible
+##   - the password variable is used to encrypt the data with symmetric
+##     encryption: no GnuPG key pair is needed
 
 [gpg]
 
-# passphrase needed to unlock the GnuPG key
-# NB: do not quote it, and it should not contain any quote
-password = a_very_complicated_passphrase
-
+# when set to yes, encryptkey variable must be set bellow; if you want to use
+# two different keys for encryption and signing, you must also set the signkey
+# variable bellow.
 # default is no, for backward compatibility with backupninja <= 0.5.
-# when set to yes, either signkey or encryptkey option must be set below.
 sign = yes
 
-# key ID used for data encryption.
-# if not set, local root's default GnuPG key is used.
+# ID of the GnuPG public key used for data encryption.
+# if not set, symmetric encryption is used, and data signing is not possible.
 encryptkey = 04D9EA79
 
-# key ID used for data signing.
+# ID of the GnuPG private key used for data signing.
 # if not set, encryptkey will be used.
 #signkey = 04D9EA79
 
+# password
+# NB: do not quote it, and it should not contain any quote
+password = a_very_complicated_passphrase
+
 ######################################################
 ## source section
 ## (where the files to be backed up are coming from)

handlers/dup

@@ -31,7 +31,6 @@ destdir=${destdir%/}
 
 [ "$destdir" != "" ] || fatal "Destination directory not set"
 [ "$include" != "" ] || fatal "No source includes specified"
-[ "$password" != "" ] || fatal "No password specified"
 
 ### vservers stuff ###
 
@@ -80,17 +79,27 @@ scpoptions="$sshoptions"
 
 execstr="$options --no-print-statistics --scp-command 'scp $scpoptions' --ssh-command 'ssh $sshoptions' "
 
-# if encryptkey is set, add --encrypt-key to the command-line
-[ -z "$encryptkey" ] || execstr="${execstr}--encrypt-key $encryptkey "
-# if signkey is not set, set it to encryptkey
-[ -n "$signkey" ] || signkey="$encryptkey"
-# if needed, add --sign-key to command-line
-if [ "$sign" == "yes" ]; then
-    if [ -n "$signkey" ]; then
-	execstr="${execstr}--sign-key $signkey "
-    else
-	fatal "Either encryptkey or signkey option must be set when signing."
-    fi
+# deal with symmetric or asymmetric (public/private key pair) encryption
+if [ -n "$encryptkey" ]; then
+    execstr="${execstr}--encrypt-key $encryptkey "
+    debug "Data will be encrypted with the GnuPG key $encryptkey."
+else
+    [ -n "$password" ] || fatal "The password option must be set when using symmetric encryption."
+    debug "Data will be encrypted using symmetric encryption."
+fi
+
+# deal with data signing
+if [ "$sign" == yes ]; then
+    # duplicity is not able to sign data when using symmetric encryption
+    [ -n "$encryptkey" ] || fatal "The encryptkey option must be set when signing."
+    # if needed, initialize signkey to a value that is not empty (checked above)
+    [ -n "$signkey" ] || signkey="$encryptkey"
+    # check password validity
+    [ -n "$password" ] || fatal "The password option must be set when signing."
+    execstr="${execstr}--sign-key $signkey "
+    debug "Data will be signed will the GnuPG key $signkey."
+else
+    debug "Data won't be signed."
 fi
 
 if [ "$keep" != "yes" ]; then