Radish alpha
h
heartwood
Radicle Heartwood Protocol & Stack
Radicle
Git (anonymous pull)
Log in to clone via SSH
Commits
radicle-node: support loading key material from file
✓ CI success Skye Soss committed 1 day ago
commit abf25499ed43c7b1c85760c304e678999abf946d
parent 080790d84eb64504406e8f4d309e9049bdfa89ad
1 passed (1 total) View logs
4 files changed +29 -9
modified crates/radicle/src/profile.rs
@@ -45,6 +45,8 @@ pub mod env {
    pub const RAD_SOCKET: &str = "RAD_SOCKET";

    /// Passphrase for the encrypted Radicle secret key.

    pub const RAD_PASSPHRASE: &str = "RAD_PASSPHRASE";
+ 
    /// Passphrase file for the encrypted Radicle secret key.
+ 
    pub const RAD_PASSPHRASE_FILE: &str = "RAD_PASSPHRASE_FILE";

    /// RNG seed. Must be convertible to a `u64`.

    pub const RAD_RNG_SEED: &str = "RAD_RNG_SEED";

    /// Private key seed. Used for generating deterministic keypairs.
@@ -104,8 +106,19 @@ pub mod env {


    /// Get the Radicle passphrase from the environment.

    pub fn passphrase() -> Option<super::Passphrase> {
- 
        let Ok(passphrase) = var(RAD_PASSPHRASE) else {
- 
            return None;
+ 
        let passphrase = match var(RAD_PASSPHRASE) {
+ 
            Ok(passphrase) => passphrase,
+ 
            Err(_) => {
+ 
                let passfile = var(RAD_PASSPHRASE_FILE).ok()?;
+ 
                match std::fs::read_to_string(&passfile) {
+ 
                    Ok(content) => content,
+ 
                    Err(e) => {
+ 
                        log::info!(target: "radicle", "Unable to open {}: {}",
+ 
                            passfile, e);
+ 
                        return None;
+ 
                    }
+ 
                }
+ 
            }

        };

        if passphrase.is_empty() {

            // `ssh-keygen` treats the empty string as no passphrase,
modified rad.1.adoc
@@ -26,7 +26,8 @@ There are a few important requirements for running the Radicle CLI: first, a
recent version of *git* (*2.34.0* or later) must be installed. You can check

your installation by running *git --version*. Second, *ssh-agent* must be

installed and running. To bypass ssh-agent, it's possible to set the
- 
*RAD_PASSPHRASE* environment variable. See the _Environment_ section.
+ 
*RAD_PASSPHRASE* or *RAD_PASSPHRASE_FILE* environment variables.
+ 
See the _Environment_ section.



== Getting started
@@ -221,3 +222,9 @@ be located at *~/.radicle*.
If you would like to bypass *ssh-agent*, you can store your passphrase in this

environment variable. Note that this is not secure and is equivalent to having

an unencrypted secret key.
+
+ 
*RAD_PASSPHRASE_FILE*::
+
+ 
If *RAD_PASSPHRASE* is unset, *radicle-node* will read the passphrase from
+ 
the filepath in this variable. Depending on how this file is stored, it could
+ 
be more secure than the *RAD_PASSPHRASE* option.
modified systemd/system/radicle-node.service
@@ -26,9 +26,9 @@ NoNewPrivileges=true
MemoryDenyWriteExecute=true



# If your Radicle key is passphrase-protected, you will have to set the
- 
# `RAD_PASSPHRASE` environment variable to the passphrase supplied during
- 
# `rad auth`.
- 
#Environment=RAD_PASSPHRASE=snickerdoodle
+ 
# `RAD_PASSPHRASE_FILE` environment variable to a file containing the
+ 
# passphrase supplied during `rad auth`.
+ 
#Environment=RAD_PASSPHRASE_FILE=/path/to/passphrase



User=seed

Group=seed
modified systemd/user/radicle-node.service
@@ -25,9 +25,9 @@ ProtectHome=true
MemoryDenyWriteExecute=true



# If your Radicle key is passphrase-protected, you will have to set the
- 
# `RAD_PASSPHRASE` environment variable to the passphrase supplied during
- 
# `rad auth`.
- 
#Environment=RAD_PASSPHRASE=snickerdoodle
+ 
# `RAD_PASSPHRASE_FILE` environment variable to a file containing the
+ 
# passphrase supplied during `rad auth`.
+ 
#Environment=RAD_PASSPHRASE_FILE=/path/to/passphrase

Environment=RAD_HOME=/home/seed/.radicle RUST_BACKTRACE=1



# Basic hardening options. For more, please refer to `systemd-analyze security`.