
contrib/pa-rekey

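#!/bin/sh
#
# rotate keys and reencrypt passwords
#
# Reuse identities file: export PA_IDENTITIES=~/.local/share/pa/identities
# Reuse recipients file: export PA_RECIPIENTS=~/.local/share/pa/recipients
#
# Environment:
#   PA_DIR         password store (default: $XDG_DATA_HOME/pa/passwords)
#   PA_IDENTITIES  optional file whose identities are kept next to the
#                  newly generated one
#   PA_RECIPIENTS  optional file whose recipients are kept next to the
#                  newly generated one
#   PA_NOGIT       when set, skip the git commit at the end
#
# The new identities/recipients files are installed only after every
# password has been reencrypted successfully. On any failure the script
# exits 1 and leaves the *.tmp files in $basedir, so a partially rekeyed
# store can still be decrypted with identities.tmp.

basedir="${XDG_DATA_HOME:=$HOME/.local/share}/pa"
: "${PA_DIR:=$basedir/passwords}"

# Restrict permissions of any new files to only the current user.
umask 077

# Print a diagnostic on stderr and exit 1.
die() {
    printf 'pa-rekey: %s\n' "$*" >&2
    exit 1
}

if [ "$PA_IDENTITIES" ]; then
    cp -- "$PA_IDENTITIES" "$basedir/identities.tmp" || die "cannot copy $PA_IDENTITIES"
fi
if [ "$PA_RECIPIENTS" ]; then
    cp -- "$PA_RECIPIENTS" "$basedir/recipients.tmp" || die "cannot copy $PA_RECIPIENTS"
fi

# Generate a fresh key pair when a keygen is available. stderr is dropped
# because age-keygen echoes the public key there, but the exit status is
# checked so a failed generation cannot leave an empty identity behind.
if age_keygen=$(command -v age-keygen || command -v rage-keygen); then
    "$age_keygen" >>"$basedir/identities.tmp" 2>/dev/null ||
        die "$age_keygen failed"
    "$age_keygen" -y "$basedir/identities.tmp" >>"$basedir/recipients.tmp" 2>/dev/null ||
        die "$age_keygen -y failed"
fi

# Without a keygen and without PA_RECIPIENTS there is nothing to encrypt
# to; stop before touching the store.
[ -s "$basedir/recipients.tmp" ] ||
    die "no recipients: install age-keygen or set PA_RECIPIENTS"

age=$(command -v age || command -v rage) || die "age or rage not found"

# Snapshot the names before any *.tmp.age file is written so the listing
# cannot pick up the temporaries.
names=$(pa list) || die "pa list failed"

# The loop reads from a here-document rather than a pipe so that 'die'
# inside it terminates the script and not just a subshell.
while read -r name; do
    [ "$name" ] || continue
    # Decrypt first and check the status: an unchecked 'pa show | age'
    # silently replaces the password with an encrypted empty string when
    # decryption fails. The trailing 'x' keeps trailing newlines that
    # $(...) would strip, so the plaintext is reencrypted byte for byte
    # (NUL bytes cannot be held in a shell variable). printf is a builtin,
    # so the plaintext never appears on a command line.
    plain=$(pa show "$name" && printf x) ||
        die "cannot decrypt $name; files already rekeyed need $basedir/identities.tmp"
    plain=${plain%x}
    if ! printf '%s' "$plain" |
        "$age" -R "$basedir/recipients.tmp" -o "$PA_DIR/$name.tmp.age"; then
        rm -f -- "$PA_DIR/$name.tmp.age"
        die "encryption of $name failed; files already rekeyed need $basedir/identities.tmp"
    fi
    mv -- "$PA_DIR/$name.tmp.age" "$PA_DIR/$name.age" ||
        die "cannot replace $name.age; files already rekeyed need $basedir/identities.tmp"
done <<EOF
$names
EOF
unset plain

# Everything is reencrypted: install the new key material. identities.tmp
# only exists when a keygen ran or PA_IDENTITIES was given.
if [ -f "$basedir/identities.tmp" ]; then
    mv -- "$basedir/identities.tmp" "$basedir/identities" || die "cannot install identities"
fi
mv -- "$basedir/recipients.tmp" "$basedir/recipients" || die "cannot install recipients"

if [ -z "${PA_NOGIT+x}" ] && [ -d "$PA_DIR/.git" ] && command -v git >/dev/null 2>&1; then
    git -C "$PA_DIR" add . && git -C "$PA_DIR" commit -m "rekey"
fi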