diff --git a/README.md b/README.md index e772fde..629241b 100644 --- a/README.md +++ b/README.md @@ -34,10 +34,10 @@ tag | description To initialize and add account to the bridge, run the following command. ``` -docker run --rm -it -v protonmail:/root shenxn/protonmail-bridge init +docker run --rm -it -e KEYRING_PASSPHRASE='' -v protonmail:/root shenxn/protonmail-bridge init ``` -If you want to use Docker Compose instead, you can create a copy of the provided example [docker-compose.yml](docker-compose.yml) file, modify it to suit your needs, and then run the following command: +If you want to use Docker Compose instead, you can create a copy of the provided example [docker-compose.yml](docker-compose.yml) file, modify it to suit your needs (making sure KEYRING_PASSPHRASE matches what was used during intitialization), and then run the following command: ``` docker compose run protonmail-bridge init @@ -50,7 +50,7 @@ Wait for the bridge to startup, then you will see a prompt appear for [Proton Ma To run the container, use the following command. ``` -docker run -d --name=protonmail-bridge -v protonmail:/root -p 1025:25/tcp -p 1143:143/tcp --restart=unless-stopped shenxn/protonmail-bridge +docker run -d --name=protonmail-bridge -e KEYRING_PASSPHRASE='' -v protonmail:/root -p 1025:25/tcp -p 1143:143/tcp --restart=unless-stopped shenxn/protonmail-bridge ``` Or, if using Docker Compose, use the following command. @@ -70,7 +70,7 @@ If you don't want to use Helm, you can also reference to the guide ([#6](https:/ Please be aware that running the command above will expose your bridge to the network. Remember to use firewall if you are going to run this in an untrusted network or on a machine that has public IP address. You can also use the following command to publish the port to only localhost, which is the same behavior as the official bridge package. ``` -docker run -d --name=protonmail-bridge -v protonmail:/root -p 127.0.0.1:1025:25/tcp -p 127.0.0.1:1143:143/tcp --restart=unless-stopped shenxn/protonmail-bridge +docker run -d --name=protonmail-bridge -e KEYRING_PASSPHRASE='' -v protonmail:/root -p 127.0.0.1:1025:25/tcp -p 127.0.0.1:1143:143/tcp --restart=unless-stopped shenxn/protonmail-bridge ``` Besides, you can publish only port 25 (SMTP) if you don't need to receive any email (e.g. as a email notification service). diff --git a/build/entrypoint.sh b/build/entrypoint.sh index 1931087..24b9dac 100644 --- a/build/entrypoint.sh +++ b/build/entrypoint.sh @@ -1,14 +1,37 @@ #!/bin/bash -set -ex +set -e + +if [ -z "$KEYRING_PASSPHRASE" ]; then + echo "KEYRING_PASSPHRASE cannot be empty" + exit 1 +fi + +gpg_present_phrase () { + /usr/lib/gnupg2/gpg-preset-passphrase -P "$KEYRING_PASSPHRASE" \ + -c "$(basename "$HOME"/.gnupg/private-keys-v1.d/*.key .key)" +} + +# Start gpg-agent to force allow presetting passphrase +gpg-agent --homedir "$HOME"/.gnupg --daemon --allow-preset-passphrase # Initialize if [[ $1 == init ]]; then - # Initialize pass - gpg --generate-key --batch /protonmail/gpgparams - pass init pass-key - + # Initialize GPG if no private key + # While -f can't handle globs, only one key can be generated + if [ ! -f "$HOME"/.gnupg/private-keys-v1.d/*.key ]; then + gpg --generate-key --passphrase "$KEYRING_PASSPHRASE" --pinentry-mode loopback \ + --batch /protonmail/gpgparams + fi + + # Initialize pass if no password-store + if [ ! -d "$HOME"/.password-store ]; then + pass init pass-key + fi + + gpg_present_phrase + # Kill the other instance as only one can be running at a time. # This allows users to run entrypoint init inside a running conainter # which is useful in a k8s environment. @@ -16,9 +39,11 @@ if [[ $1 == init ]]; then pkill protonmail-bridge || true # Login - /protonmail/proton-bridge --cli $@ + /protonmail/proton-bridge --cli else + # Load passphrase into gpg-agent + gpg_present_phrase # socat will make the conn appear to come from 127.0.0.1 # ProtonMail Bridge currently expects that. @@ -30,6 +55,6 @@ else # Fake a terminal, so it does not quit because of EOF... rm -f faketty mkfifo faketty - cat faketty | /protonmail/proton-bridge --cli $@ + cat faketty | /protonmail/proton-bridge --cli fi diff --git a/build/gpgparams b/build/gpgparams index 355568e..05c6e77 100644 --- a/build/gpgparams +++ b/build/gpgparams @@ -1,7 +1,6 @@ -%no-protection %echo Generating a basic OpenPGP key Key-Type: RSA -Key-Length: 2048 +Key-Length: 4096 Name-Real: pass-key Expire-Date: 0 %commit diff --git a/deb/Dockerfile b/deb/Dockerfile index a0d8e2c..1cdd706 100644 --- a/deb/Dockerfile +++ b/deb/Dockerfile @@ -25,4 +25,4 @@ RUN apt-get update \ && apt-get install -y --no-install-recommends /tmp/protonmail.deb socat pass libsecret-1-0 ca-certificates procps \ && rm -rf /var/lib/apt/lists/* -CMD ["bash", "/protonmail/entrypoint.sh"] +ENTRYPOINT ["bash", "/protonmail/entrypoint.sh"] diff --git a/deb/entrypoint.sh b/deb/entrypoint.sh old mode 100644 new mode 100755 index 13637e5..e87740c --- a/deb/entrypoint.sh +++ b/deb/entrypoint.sh @@ -1,38 +1,49 @@ #!/bin/bash -set -ex +set -e + +if [ -z "$KEYRING_PASSPHRASE" ]; then + echo "KEYRING_PASSPHRASE cannot be empty" + exit 1 +fi + +gpg_present_phrase () { + /usr/lib/gnupg2/gpg-preset-passphrase -P "$KEYRING_PASSPHRASE" \ + -c "$(basename "$HOME"/.gnupg/private-keys-v1.d/*.key .key)" +} + +# Start gpg-agent to force allow presetting passphrase +gpg-agent --homedir "$HOME"/.gnupg --daemon --allow-preset-passphrase # Initialize if [[ $1 == init ]]; then - # # Parse parameters - # TFP="" # Default empty two factor passcode - # shift # skip `init` - # while [[ $# -gt 0 ]]; do - # key="$1" - # case $key in - # -u|--username) - # USERNAME="$2" - # ;; - # -p|--password) - # PASSWORD="$2" - # ;; - # -t|--twofactor) - # TWOFACTOR="$2" - # ;; - # esac - # shift - # shift - # done + # Initialize GPG if no private key + # While -f can't handle globs, only one key can be generated + if [ ! -f "$HOME"/.gnupg/private-keys-v1.d/*.key ]; then + gpg --generate-key --passphrase "$KEYRING_PASSPHRASE" --pinentry-mode loopback \ + --batch /protonmail/gpgparams + fi - # Initialize pass - gpg --generate-key --batch /protonmail/gpgparams - pass init pass-key + # Initialize pass if no password-store + if [ ! -d "$HOME"/.password-store ]; then + pass init pass-key + fi + + gpg_present_phrase + + # Kill the other instance as only one can be running at a time. + # This allows users to run entrypoint init inside a running conainter + # which is useful in a k8s environment. + # || true to make sure this would not fail in case there is no running instance. + pkill protonmail-bridge || true # Login protonmail-bridge --cli else + # Load passphrase into gpg-agent + gpg_present_phrase # socat will make the conn appear to come from 127.0.0.1 # ProtonMail Bridge currently expects that. diff --git a/deb/gpgparams b/deb/gpgparams index 355568e..05c6e77 100644 --- a/deb/gpgparams +++ b/deb/gpgparams @@ -1,7 +1,6 @@ -%no-protection %echo Generating a basic OpenPGP key Key-Type: RSA -Key-Length: 2048 +Key-Length: 4096 Name-Real: pass-key Expire-Date: 0 %commit diff --git a/docker-compose.yml b/docker-compose.yml index fa91e7d..f563634 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,6 +3,8 @@ version: '2.1' services: protonmail-bridge: image: shenxn/protonmail-bridge + environment: + - KEYRING_PASSPHRASE= ports: - 1025:25/tcp - 1143:143/tcp