authorAlex Wilson2021-03-10 16:28:08 +1000
committerAlex Wilson2021-03-10 16:28:08 +1000
commit14eb7308203ad6a648be5bafe2a5f4825136d8ee (patch)
tree0fca06a95d2d2fafe714cea77fb38dc3ccf0cd42
parentef28e3a1858176eb2d25d0f7ff725f04d494aaf2 (diff)
Add implicit rekey after unlock in initcpio hook
-rw-r--r--.SRCINFO4
-rw-r--r--PKGBUILD4
-rw-r--r--zfs-pivy.hook3
3 files changed, 7 insertions, 4 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 3ef6b4e6b4d4..1540cdd9b869 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = pivy
pkgdesc = Tools for using PIV smartcards/Yubikeys with ssh-agent and disk encryption
pkgver = 0.8.0
- pkgrel = 1
+ pkgrel = 2
url = https://github.com/arekinath/pivy
arch = x86
arch = x86_64
@@ -22,7 +22,7 @@ pkgbase = pivy
source = https://github.com/arekinath/pivy/archive/v0.8.0.tar.gz
source = https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.0.tar.gz
source = https://github.com/arekinath/mini-pcsc/archive/v0.2.0.tar.gz
- sha256sums = dbabe4001bfc204ea82bff22fd40cc5526f74398fb067af6816ac3c7025664dd
+ sha256sums = 7925467b71227ae835cc5bf5ebf0b74ea6d740738af5d13be05e0416a78f8acc
sha256sums = 44b5a004a06ffe214df2810bb2d58a3ecb2bdcf1c892411a8d574afac935f678
sha256sums = c32b008a730ddc8661e4b0542408b30d46868ee66890612b7f1cbc84803eaf57
sha256sums = f91aad0c8fb9cbc67c910ad6dcffb401a819b4fd122007ea7f978638db044cf6
diff --git a/PKGBUILD b/PKGBUILD
index 085f8661c460..f69f55aaa8dd 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,7 +1,7 @@
# Maintainer: Alex Wilson <alex at cooperi dot net>
pkgname=pivy
pkgver=0.8.0
-pkgrel=1
+pkgrel=2
pkgdesc="Tools for using PIV smartcards/Yubikeys with ssh-agent and disk encryption"
url="https://github.com/arekinath/pivy"
license=('MPL2')
@@ -17,7 +17,7 @@ optdepends=('cryptsetup: LUKS encrypted disk support (pivy-luks)'
'zfs-utils: ZFS encrypted pool/fs support (pivy-zfs)'
'pam: PAM plugin (pam_pivy.so)')
makedepends=(pkgconf cryptsetup zfs-utils json-c pam)
-sha256sums=('dbabe4001bfc204ea82bff22fd40cc5526f74398fb067af6816ac3c7025664dd'
+sha256sums=('7925467b71227ae835cc5bf5ebf0b74ea6d740738af5d13be05e0416a78f8acc'
'44b5a004a06ffe214df2810bb2d58a3ecb2bdcf1c892411a8d574afac935f678'
'c32b008a730ddc8661e4b0542408b30d46868ee66890612b7f1cbc84803eaf57'
'f91aad0c8fb9cbc67c910ad6dcffb401a819b4fd122007ea7f978638db044cf6'
diff --git a/zfs-pivy.hook b/zfs-pivy.hook
index b5b8b75f2cb0..b78c4df92f31 100644
--- a/zfs-pivy.hook
+++ b/zfs-pivy.hook
@@ -52,6 +52,9 @@ zfs_decrypt_fs() {
! eval pivy-zfs unlock "${encryptionroot}"; do
sleep 2
done
+ # do an implicit re-key after unlock, so that the exchange we had with
+ # the yubikey is not replayable
+ pivy-zfs rekey "${encryptionroot}"
fi
# loop until we get the correct password or key is unlocked by another vector (SSH for instance)