regpg

#!/usr/bin/env bash

[ $# -eq 0 ] && set -- -h

# For future reference:
# $ help getops
# note the "opt" in getopts call, and "$opt" in case block
# the x=1 bit is to allow us to strip out all processed options to keep $@ "clean"
x=1
while getopts "hpr:sv" opt; do
	case "$opt" in
		p) preserve=true;;
		r) recipient="${OPTARG}";;
		s) sign='--sign';;
		v) verify=true;;
		h|\?) printf 'Usage: %s [-p] [-r RECIPIENT] [-s] FILE...
	-p	Preserve permissions, owners, and timestamp of files
	-r	New recipient (default is existing recipient)
	-s	Sign and encrypt (default is encrypt only)
	-v	Verify if file is encrypted AND signed then exit\n' "$(basename "$0")"; exit 0;;
	esac
	x=$OPTIND
done
shift $(($x-1))

for i in chmod chown grep sed; do
	if hash g${i} 2>/dev/null; then
		hash -p "$(hash -t g${i})" ${i}
	fi
done

if [ "$verify" ]; then
	for i; do
		printf 'Checking %s... ' "$i"
		if gpg --status-fd 3 --decrypt "$i" 3>&1 2> /dev/null 1> /dev/null | grep -qPzl '(?s)GOODSIG.*\n.*DECRYPTION_OKAY'; then
			echo "done"
		else
			echo "failed" | sed -e 's/^.*$/\x1b[41m\x1b[37m&\x1b[0m/'
			failed=true
		fi
	done
	if [ "$failed" ]; then
		exit 1
	else
		exit 0
	fi
fi

# `for` without `in` defaults to iterating through $@
for i; do
	if [ ! -e "$i" ]; then
		printf '%b: file not found, skipping\n' "$i" >&2
		continue
	fi

	if [ "$recipient" ]; then
		temprecipient="$recipient"
	else
		temprecipient="$(gpg --batch --list-packets "$i" 2> /dev/null | awk '/^:pubkey.*keyid / { print $9 }')"
	fi

	tempfile=$(mktemp)

	printf 'Re-encrypting "%b" with gpg --recipient "%b" %b... ' "$i" "$temprecipient" $sign
	gpg --batch --decrypt "$i" 2>/dev/null | gpg --batch --yes --encrypt --local-user "$temprecipient" --recipient "$temprecipient" $sign --output "$tempfile" 2>/dev/null && printf 'done\n'

	if [ $preserve ]; then
		chmod --reference="$i" "$tempfile"
		chown --reference="$i" "$tempfile"
		touch -r "$i" "$tempfile"
	fi

	mv -f "$tempfile" "$i"
done