[CMake] Storing and auto-decrypting sensitive files in cmake SAFELY and SANELY
Jack Kelly
endgame.dos at gmail.com
Sun Jun 17 12:59:58 EDT 2007
Gavin Beatty wrote:
> Hello,
>
> Apologies if this is silly/misplaced/misguided.
>
> I'd like a way to automate decrypting (via gpg) a file, installing the
> decrypted form and removing the temporary decrypted file from the
> cmake dir.
>
> I have tried:
> <code>
> MACRO(ETC_WPA_INSTALL src)
> EXEC_PROGRAM(gpg
> ARGS -o ${src} -d "${src}.encrypted"
> )
> INSTALL(FILES ${src}
> DESTINATION /etc/wpa_supplicant
> PERMISSIONS OWNER_READ OWNER_WRITE
> RENAME wpa_supplicant.conf
> )
> FILE(REMOVE ${src})
> ENDMACRO(ETC_WPA_INSTALL src)
> </code>
>
> but the INSTALL doesn't actually run until `make install` (as
> expected) whereas everything else does. So I get a decrypted file
> which is immediately removed when I run `cmake .`! How silly of me
>
> Is there a way to have the decryption as a dependency of install
> target and have the removal at the end also?
>
> How would you implement this?

Something to think about:

You want to decrypt and install the file without leaving it around in
the build dir. Why? If you're doing an install, the person installing it
should be root and therefore trustworthy (they'll have read access to
/etc/wpa_supplicant.conf, anyway). Then there's the problem of the
decryption key. If your build system can get this key, surely the user
can, too.

Killing the make process at the right moment would leave the decrypted
file lying around, as well.

Is what you think you want what you actually need?

Perhaps you should look at INSTALL(CODE "<Some CMake Code>") which
executes CMake code during installation. I'll stab in the dark here with:

    FIND_PROGRAM(INSTALL_EXECUTABLE install)
    IF(NOT INSTALL_EXECUTABLE)
      # Die, somehow
      MESSAGE(FATAL_ERROR "install program not found")
    ENDIF(NOT INSTALL_EXECUTABLE)

    FIND_PROGRAM(GPG_EXECUTABLE gpg)
    IF(NOT GPG_EXECUTABLE)
      # Die
      MESSAGE(FATAL_ERROR "gpg not found")
    ENDIF(NOT GPG_EXECUTABLE)

    MACRO(ETC_WPA_INSTALL FILE)
      # Decrypt ${FILE}.encrypted to ${FILE}
      EXEC_PROGRAM(${GPG_EXECUTABLE} ARGS -o ${FILE} -d ${FILE}.encrypted)
      # Copy the plaintext into place with mode 600
      EXEC_PROGRAM(${INSTALL_EXECUTABLE} ARGS -m 600 ${FILE}
        /etc/wpa_supplicant/wpa_supplicant.conf)
      # Remove the plaintext from the build dir
      FILE(REMOVE ${FILE})
    ENDMACRO(ETC_WPA_INSTALL)

    INSTALL(CODE "ETC_WPA_INSTALL(file)")

This isn't so great because it depends on an install program, but it
might get you thinking.
-- Jack
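
An added example, not code from either poster: the INSTALL(CODE) idea from the reply written against current CMake (3.19 or later, for file(CHMOD)), with the commands inlined in the CODE string because the generated install script does not see macros defined in CMakeLists.txt. The project name, the file name wpa_supplicant.conf.encrypted and the scratch directory name are assumptions.

```cmake
cmake_minimum_required(VERSION 3.19)
project(wpa_conf_install NONE)   # project name is an assumption

find_program(GPG_EXECUTABLE gpg)
if(NOT GPG_EXECUTABLE)
  message(FATAL_ERROR "gpg not found; cannot decrypt at install time")
endif()

# Assumed layout: the ciphertext sits next to this CMakeLists.txt.
set(WPA_ENCRYPTED "${CMAKE_CURRENT_SOURCE_DIR}/wpa_supplicant.conf.encrypted")
# Scratch directory in the build tree; it is made owner-only before any
# plaintext is written, so the decrypted file does not depend on the umask.
set(WPA_SCRATCH "${CMAKE_CURRENT_BINARY_DIR}/wpa_scratch")
set(WPA_PLAIN "${WPA_SCRATCH}/wpa_supplicant.conf")

# Unescaped ${...} is expanded now (configure time); \${...} and \$ENV{...}
# are left for the install script to evaluate during `make install`.
install(CODE "
  # An interrupted install can leave plaintext behind; start from a clean slate.
  file(REMOVE_RECURSE \"${WPA_SCRATCH}\")
  file(MAKE_DIRECTORY \"${WPA_SCRATCH}\")
  file(CHMOD \"${WPA_SCRATCH}\"
       PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE)

  execute_process(
    COMMAND \"${GPG_EXECUTABLE}\" -o \"${WPA_PLAIN}\" -d \"${WPA_ENCRYPTED}\"
    RESULT_VARIABLE gpg_rc)
  if(NOT gpg_rc EQUAL 0)
    # Do not install a partial file, and do not leave one in the build tree.
    file(REMOVE_RECURSE \"${WPA_SCRATCH}\")
    message(FATAL_ERROR \"gpg exited with \${gpg_rc}; nothing installed\")
  endif()

  # Same mode as OWNER_READ OWNER_WRITE in the original INSTALL(FILES ...) call.
  file(INSTALL \"${WPA_PLAIN}\"
       DESTINATION \"\$ENV{DESTDIR}/etc/wpa_supplicant\"
       FILE_PERMISSIONS OWNER_READ OWNER_WRITE)

  file(REMOVE_RECURSE \"${WPA_SCRATCH}\")
")
```

Nothing is decrypted when `cmake .` runs; the whole sequence executes only during `make install`. A process killed between the gpg call and the final cleanup still leaves the plaintext in the scratch directory until the next install run removes it.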