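#!/bin/bash
set -euo pipefail
{{ template "shell-helpers" . }}
# Re-export managed secrets from the dotfiles keychain to iCloud Drive after every apply.
# The keychain is the source of truth: for every (id, account) pair listed in the tokens
# file, the live where/kind/comment/password are read back from the keychain and the line
# is rebuilt; the file is replaced only when at least one rebuilt line differs from the old.
#
# Tokens file format (tab-separated): id<TAB>account<TAB>where<TAB>kind<TAB>comment<TAB>password
#
# NOTE(security): the tokens file holds secrets in plaintext on a synced volume. This script
# never widens its permissions (the replacement is created by mktemp, mode 0600, then moved
# in), but anyone with read access to that iCloud Drive folder can read every password in it.
# Do not enable `set -x` here: passwords pass through shell variables in the loop below.
TOKENS_FILE="{{ .icloud_secrets }}/.keychain/tokens"
KEYCHAIN_NAME={{ .keychain_name | quote }}
KEYCHAIN="$HOME/Library/Keychains/${KEYCHAIN_NAME}.keychain-db"
# Nothing to do until both sides exist (fresh machine, or no managed secrets yet).
[[ -f "$TOKENS_FILE" && -f "$KEYCHAIN" ]] || exit 0
tmpfile="$(mktemp)"
trap 'rm -f "$tmpfile"' EXIT
# Comment lines are carried over verbatim and kept at the top of the rebuilt file.
grep '^#' "$TOKENS_FILE" > "$tmpfile" 2>/dev/null || true
changed=false
# Read each line whole and split it on single tabs by hand. `IFS=$'\t' read -r a b ...`
# is not usable here: tab is an IFS *whitespace* character, so bash collapses runs of
# tabs, and an empty middle field (a blank `where` or `comment`) shifts every later
# field into the wrong variable. With the original read-based parsing that made the
# "old password" come from the wrong column, so the file was rewritten on every apply.
while IFS= read -r line || [[ -n "$line" ]]; do
  [[ -z "$line" || "$line" == \#* ]] && continue
  id="${line%%$'\t'*}"
  if [[ "$line" == *$'\t'* ]]; then
    rest="${line#*$'\t'}"
    account="${rest%%$'\t'*}"
  else
    account=""
  fi
  [[ -z "$id" ]] && continue
  # Live password for this pair; an unreadable entry yields an empty string.
  password="$(security find-generic-password -l "$id" -a "$account" -w "$KEYCHAIN" 2>/dev/null)" || true
  if [[ -z "$password" ]]; then
    # Deleted item, locked keychain or transient error: keep the existing line instead of
    # silently dropping a managed secret from the export. The warning is on stderr only;
    # never print the password itself.
    printf 'warning: no readable keychain entry for %s/%s, keeping existing line\n' "$id" "$account" >&2
    printf '%s\n' "$line" >> "$tmpfile"
    continue
  fi
  # Metadata comes from the non-`-w` dump (service, description, comment attributes).
  raw="$(security find-generic-password -l "$id" -a "$account" "$KEYCHAIN" 2>&1)"
  where=$( printf '%s\n' "$raw" | sed -nE 's/^[[:space:]]*"svce"<blob>="([^"]*)".*$/\1/p')
  kind=$( printf '%s\n' "$raw" | sed -nE 's/^[[:space:]]*"desc"<blob>="([^"]*)".*$/\1/p')
  comment=$(printf '%s\n' "$raw" | sed -nE 's/^[[:space:]]*"icmt"<blob>="([^"]*)".*$/\1/p')
  # printf -v avoids a subshell, so the rebuilt line is byte-exact (no trailing-newline stripping).
  printf -v newline '%s\t%s\t%s\t%s\t%s\t%s' "$id" "$account" "$where" "$kind" "$comment" "$password"
  printf '%s\n' "$newline" >> "$tmpfile"
  # Compare the whole rebuilt line, so keychain-side metadata edits are exported as well.
  [[ "$newline" != "$line" ]] && changed=true
done < "$TOKENS_FILE"
if [[ "$changed" == true ]]; then
  # mv keeps mktemp's 0600 mode on the replacement file.
  mv "$tmpfile" "$TOKENS_FILE"
  _log success "Updated tokens file (keychain → iCloud Drive)"
fi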