Store private key in keychain

.github/workflows/ci.yaml

@@ -0,0 +1,121 @@
+# https://github.com/BamPeers/rust-ci-github-actions-workflow
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+name: CI
+
+concurrency:
+  group: ci/${{ github.event.pull_request.head.ref }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    name: Check
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: nightly
+          override: true
+      - uses: actions-rs/cargo@v1
+        with:
+          command: check
+        env:
+          RUSTFLAGS: "-D warnings"
+
+  fmt:
+    name: Rustfmt
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: nightly
+          override: true
+      - run: rustup component add rustfmt
+      - uses: actions-rs/cargo@v1
+        with:
+          command: fmt
+          args: --all -- --check
+
+  clippy:
+    name: Clippy
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions-rs/toolchain@v1
+        with:
+          toolchain: nightly
+          components: clippy
+          override: true
+      - uses: actions-rs/cargo@v1
+        with:
+          command: clippy
+          args: --all-features
+        env:
+          RUSTFLAGS: "-D warnings"
+
+  markdownlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: nosborn/[email protected]
+        with:
+          files: .
+
+  test:
+    name: Test
+    env:
+      PROJECT_NAME_UNDERSCORE: bpb_pkgx
+      CARGO_INCREMENTAL: 0
+      RUSTFLAGS: -Ccodegen-units=1 -Copt-level=0 -Clink-dead-code -Coverflow-checks=off -Zpanic_abort_tests -Cpanic=abort -D warnings
+      RUSTDOCFLAGS: -Cpanic=abort
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: nightly
+          override: true
+      - name: Cache dependencies
+        uses: actions/cache@v2
+        env:
+          cache-name: cache-dependencies
+        with:
+          path: |
+            ~/.cargo/.crates.toml
+            ~/.cargo/.crates2.json
+            ~/.cargo/bin
+            ~/.cargo/registry/index
+            ~/.cargo/registry/cache
+            target
+          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('Cargo.lock') }}
+      - uses: actions-rs/cargo@v1
+        with:
+          command: test
+          args: --all-features
+
+  # coverage:
+  #   name: Coverage
+  #   runs-on: macos-latest
+  #   steps:
+  #     - uses: actions/checkout@v4
+  #     - uses: actions-rs/toolchain@v1
+  #       with:
+  #         profile: minimal
+  #         toolchain: nightly
+  #         override: true
+  #     - name: Generate test result and coverage report
+  #       run: |
+  #         cargo install cargo-tarpaulin
+  #         cargo tarpaulin --engine ptrace -o lcov --output-dir coverage --coveralls $COVERALLS_TOKEN
+  #       env:
+  #         COVERALLS_TOKEN: ${{ secrets.COVERALLS_TOKEN }}

Cargo.toml

@@ -11,8 +11,8 @@ authors = ["Without Boats <[email protected]>", "Jacob Heider <[email protected]>"]
 toml = "0.4.6"
 rand = { version = "0.8.5", features = ["std"] }
 sha2 = "0.7.1"
-serde_derive = "1.0.70"
-serde = "1.0.70"
+serde_derive = "1.0.215"
+serde = "1.0.215"
 hex = "0.3.2"
 failure = "0.1.1"
 

README.md

@@ -1,22 +1,29 @@
-# boats's personal barricade - pkgx updates
+# boats's personal barricade
 
 This is a tool to automatically sign git commits, replacing gpg for that
 purpose. It is very opinionated, and only useful if you use gpg the same way I
 do.
 
-## Updates
+## `pkgx` Updates
 
-updated to edition 2021 by pkgx
+- Updated to edition 2021 by pkgx
+- Stores the private key in the macOS keychain such that only this tool (when
+  codesigned) can access it.
 
-## How to install
+### TODO
+
+- [ ] Move keychain identifiers out to build variables in `config.rs`
+- [ ] Move keychain identifier out to a build variable in `keychain.rs`
+
+## How to Install
 
 ```sh
 git clone https://github.com/pkgxdev/bpb-pkgx
 cd bpb-pkgx
 cargo install --path .
 ```
 
-## How to set up
+## How to Set Up
 
 Once you've installed this program, you should run the `bpb init` subcommand.
 This command expects you to pass a userid argument. For example, this is how I
@@ -29,11 +36,13 @@ bpb init "withoutboats <[email protected]>"
 You can pass any string you want as your userid, but `"$NAME <$EMAIL>"` is the
 conventional standard for OpenPGP userids.
 
-This will create a file at ~/.bpb_keys.toml. This file contains your bpb public
-and private keys.
+This will create a file at ~/.bpb_keys.toml. This file contains your public
+key.
+
+The private and public keys are output as JSON. This is the only time this
+tool will expose your private key publicly.
 
-It also prints your public key in OpenPGP format, so that you can upload it
-again. You can print your public key more times with:
+You can print your public key more times with:
 
 ```sh
 bpb print
@@ -43,27 +52,19 @@ If you want to use it to sign git commits, you also need to inform git to call
 it instead of gpg. You can do this with this command:
 
 ```sh
-git config --global gpg.program bpb
+git config --global gpg.program bpb_pkgx
 ```
 
 You should also provide the public key to people who want to verify your
-commits. Personally, I just upload the public key to GitHub; you may have other
-requirements.
+commits. Personally, I just upload the public key to GitHub; you may have
+other requirements.
 
-## How it replaces gpg
+## How it Replaces GPG
 
-If this program receives a `-s` argument, it reads from stdin and then writes a
-signature to stdout. If it receives any arguments it doesn't recognize, it
+If this program receives a `-s` argument, it reads from stdin and then writes
+a signature to stdout. If it receives any arguments it doesn't recognize, it
 delegates to the gpg binary in your path.
 
 This means that this program can be used to replace gpg as a signing tool, but
-it does not replace any other functionality. For example, if you want to verify
-the signatures on other peoples' git commits, it will shell out to gpg.
-
-## Storing your private key
-
-By default, your private key is stored as a hex string in `~/.bpb_keys.toml`.
-However, if you are uncomfortable with the possibility of someone reading your
-private key from your home directory, you can instead store it somewhere else.
-To do this, replace the `key` field with a `program` field, and `bpb` will run
-this program, expecting it to print your key to stdout.
+it does not replace any other functionality. For example, if you want to
+verify the signatures on other peoples' git commits, it will shell out to gpg.