On Wed, Nov 13, 2019, at 03:19, Alexander Zangerl wrote:
> On Tue, 12 Nov 2019 17:10:40 -0500, "Michael Terry" writes:
> >I could throw you a patch tomorrow. And it could have the benefit of
> >being upstreamable too.
>
> that sounds very good; thanks for your time!
OK, attached is a patch that I also gave upstream, but no reply there yet
(https://code.launchpad.net/~mterry/duplicity/resume-encrypt-no-pass/+merge/375468)
It should be able to replace 01-reverify.
=== modified file 'duplicity/dup_main.py'
--- duplicity/dup_main.py 2019-09-22 23:44:56 +0000
+++ duplicity/dup_main.py 2019-11-13 04:19:44 +0000
@@ -153,14 +153,14 @@
# there is no sign_key and there are recipients
elif (action == u"full" and
(globals.gpg_profile.recipients or globals.gpg_profile.hidden_recipients) and not
- globals.gpg_profile.sign_key and not globals.restart):
+ globals.gpg_profile.sign_key):
return u""
# for an inc backup, we don't need a password if
# there is no sign_key and there are recipients
elif (action == u"inc" and
(globals.gpg_profile.recipients or globals.gpg_profile.hidden_recipients) and not
- globals.gpg_profile.sign_key and not globals.restart):
+ globals.gpg_profile.sign_key):
return u""
# Finally, ask the user for the passphrase
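Review bot: The condition `(recipients or hidden_recipients) and not sign_key` now decides in this function that a restart needs no passphrase, and it is repeated in the second hunk to skip the volume-1 validation. The two must stay identical: if they drift, a restart could reach the decryption check with the empty passphrase returned here. A small shared predicate would keep them in sync, for example a helper named along the lines of `encrypt_only_without_signing()` that both call sites use. With `not globals.restart` gone, the `full` and `inc` branches differ only in the action string and could be merged as `action in (u"full", u"inc")`. The enclosing function starts and ends outside this hunk.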
@@ -346,6 +346,13 @@
from encrypted to non in the middle of a backup chain), so we check
that the vol1 filename on the server matches the settings of this run.
"""
+ if ((globals.gpg_profile.recipients or globals.gpg_profile.hidden_recipients) and
+ not globals.gpg_profile.sign_key):
+ # When using gpg encryption without a signing key, we skip this validation
+ # step to ensure that we can still backup without needing the secret key
+ # on the machine.
+ return
+
vol1_filename = file_naming.get(backup_type, 1,
encrypted=globals.encryption,
gzipped=globals.compression)
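Review bot: The early return sits above the `vol1_filename` computation, so for encrypt-only profiles it skips more than the volume-1 decryption that needs the secret key. It also skips the filename comparison that the docstring describes as the guard against switching encryption settings in the middle of a backup chain. Building the expected name from `globals.encryption` and `globals.compression` needs no key material, so the guard looks safer placed after that comparison and immediately before the decryption step. The rest of the function is outside this hunk, so the exact position has to be confirmed against the full body. The comment should also say what is given up, e.g. `# NOTE: in this mode the key used for volume 1 is not verified against the current settings.`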
=== modified file 'testing/functional/test_restart.py'
--- testing/functional/test_restart.py 2019-09-26 14:58:52 +0000
+++ testing/functional/test_restart.py 2019-11-13 04:19:44 +0000
@@ -79,6 +79,22 @@
self.backup(u"full", u"testfiles/largefiles")
self.verify(u"testfiles/largefiles")
+ def test_restart_encrypt_without_password(self):
+ u"""
+ Test that we can successfully restart a encrypt-key-only backup without
+ providing a password for it. (Normally, we'd need to decrypt the first
+ volume, but there is special code to skip that with an encrypt key.)
+ """
+ self.set_environ(u'PASSPHRASE', None)
+ self.set_environ(u'SIGN_PASSPHRASE', None)
+ self.make_largefiles()
+ enc_opts = [u"--encrypt-key", self.encrypt_key1]
+ self.backup(u"full", u"testfiles/largefiles", options=enc_opts, fail=2)
+ self.backup(u"full", u"testfiles/largefiles", options=enc_opts)
+
+ self.set_environ(u'PASSPHRASE', self.sign_passphrase)
+ self.verify(u"testfiles/largefiles")
+
def test_restart_sign_and_encrypt(self):
u"""
Test restarting a backup using same key for sign and encrypt
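Review bot: `test_restart_encrypt_without_password` exercises only the successful restart, so nothing checks that a restart is still refused when the encryption settings differ from those of the interrupted run. That is the case the skipped validation used to catch. A companion test could interrupt a run made with different encryption options and expect the second `self.backup(...)` with `enc_opts` to fail, which would show how much of the check is intentionally dropped. The docstring reads `a encrypt-key-only backup`; it should be `an encrypt-key-only backup`.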