Secure gpg entrypoint

- enable gpg protection
- remove set -x to prevent logging password
- add checks to prevent re-initing pass and gpg
- present passphrase unlock via docker env variable
  - Note: gpg-agent will not expire gpg-present-passphrases
- fix deb CMD to ENTRYPOINT

deb/Dockerfile

@@ -25,4 +25,4 @@ RUN apt-get update \
     && apt-get install -y --no-install-recommends /tmp/protonmail.deb socat pass libsecret-1-0 ca-certificates procps \
     && rm -rf /var/lib/apt/lists/*
 
-CMD ["bash", "/protonmail/entrypoint.sh"]
+ENTRYPOINT ["bash", "/protonmail/entrypoint.sh"]

deb/entrypoint.sh

@@ -1,38 +1,49 @@
 #!/bin/bash
 
-set -ex
+set -e
+
+if [ -z "$KEYRING_PASSPHRASE" ]; then
+    echo "KEYRING_PASSPHRASE cannot be empty"
+    exit 1
+fi
+
+gpg_present_phrase () {
+    /usr/lib/gnupg2/gpg-preset-passphrase -P "$KEYRING_PASSPHRASE" \
+      -c "$(basename "$HOME"/.gnupg/private-keys-v1.d/*.key .key)"
+}
+
+# Start gpg-agent to force allow presetting passphrase
+gpg-agent --homedir "$HOME"/.gnupg --daemon --allow-preset-passphrase
 
 # Initialize
 if [[ $1 == init ]]; then
 
-    # # Parse parameters
-    # TFP=""  # Default empty two factor passcode
-    # shift  # skip `init`
-    # while [[ $# -gt 0 ]]; do
-    #     key="$1"
-    #     case $key in
-    #         -u|--username)
-    #         USERNAME="$2"
-    #         ;;
-    #         -p|--password)
-    #         PASSWORD="$2"
-    #         ;;
-    #         -t|--twofactor)
-    #         TWOFACTOR="$2"
-    #         ;;
-    #     esac
-    #     shift
-    #     shift
-    # done
+    # Initialize GPG if no private key
+    # While -f can't handle globs, only one key can be generated
+    if [ ! -f "$HOME"/.gnupg/private-keys-v1.d/*.key ]; then
+      gpg --generate-key --passphrase "$KEYRING_PASSPHRASE" --pinentry-mode loopback \
+        --batch /protonmail/gpgparams
+    fi
 
-    # Initialize pass
-    gpg --generate-key --batch /protonmail/gpgparams
-    pass init pass-key
+    # Initialize pass if no password-store
+    if [ ! -d "$HOME"/.password-store ]; then
+      pass init pass-key
+    fi
+
+    gpg_present_phrase
+
+    # Kill the other instance as only one can be running at a time.
+    # This allows users to run entrypoint init inside a running conainter
+    # which is useful in a k8s environment.
+    # || true to make sure this would not fail in case there is no running instance.
+    pkill protonmail-bridge || true
 
     # Login
     protonmail-bridge --cli
 
 else
+    # Load passphrase into gpg-agent
+    gpg_present_phrase
 
     # socat will make the conn appear to come from 127.0.0.1
     # ProtonMail Bridge currently expects that.

deb/gpgparams

@@ -1,7 +1,6 @@
-%no-protection
 %echo Generating a basic OpenPGP key
 Key-Type: RSA
-Key-Length: 2048
+Key-Length: 4096
 Name-Real: pass-key
 Expire-Date: 0
 %commit