Release v0.1.0

Nuckal777 · Nuckal777 · commit 8e88df5ed706 · 2021-08-21T13:57:01.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
 /target
+.vscode
diff --git a/README.md b/README.md
@@ -11,9 +11,9 @@ Git on linux has basically 3 options to store credentials.
 - [git-credential-store](https://git-scm.com/docs/gitcredentials): stores credentials unencrypted on a filesystem, so anybody with access to the file can read them.
 - libsecret based implementations (like this [one](https://github.com/shugo/git-credential-gnomekeyring)): These store credentials encrypted, but bring a full secret management solution and require workarounds without a graphical session ([see here](https://superuser.com/questions/141036/use-of-gnome-keyring-daemon-without-x)).
 
-With GitHub's move to personal access tokens, I felt the need for a lightweight enrypting solution.
-Nicator works like git-credential-store but it encrypts the saved credentials.
-Therefore it should be decently secure.
+With GitHub's move to personal access tokens, I felt the need for a lightweight encrypting solution.
+Nicator works like git-credential-store but it encrypts the saved credentials, so it protects against the credentials file getting stolen.
+__It does not do anything about malicious code being executed or its sockets and process memory getting read, especially after unlocking.__
 Most of nicators dependencies are statically linked, so it does not require any uncommon dependencies.
 
 ## Usage
@@ -23,7 +23,7 @@ Most of nicators dependencies are statically linked, so it does not require any
 4. Execute `nicator unlock` to enable storing and fetching credentials.
 5. Execute `nicator lock` to disable storing and fetching credentials.
 
-`nicator unlock -t SECONDS` allows specifying a timeout after which the credentials become inaccessable. It defaults to 1 hour. It might be handy to create a shell alias to change it consitently. The `-c` and `-s` flags can be used to change the path used for the credentials file and socket file respectively. These should not leak any data as long these files are only readable and writeable by the the file's owner, which nicator takes care of.
+`nicator unlock -t SECONDS` allows specifying a timeout after which the credentials become inaccessible. It defaults to 1 hour. It might be handy to create a shell alias to change it consistently. The `-c` and `-s` flags can be used to change the path used for the credentials file and socket file respectively. These should not leak any data as long these files are only readable and writeable by the the file's owner, which nicator takes care of.
 
 ## How nicator works
 Unlocking will automatically launch a nicator server/daemon process listening on a unix socket with appropriate permissions (found in `/tmp`), which keeps the password in-memory.
@@ -35,3 +35,4 @@ The passphrase is hashed using Argon2id.
 ## Security considerations
 - You should trust the root user on your system.
 - When hibernating your nicator password may be written to the disk if a nicator server is still running
+- Malicious code may act like a valid the nicator client and read credentials from the unix socket after the credential store is unlocked
diff --git a/release-notes/v0.1.0.md b/release-notes/v0.1.0.md
@@ -0,0 +1 @@
+Initial release
diff --git a/src/lib.rs b/src/lib.rs
@@ -185,7 +185,7 @@ fn perform_init(options: &ProgramOptions) -> Exit {
 
 fn perform_lock(options: &ProgramOptions) -> Exit {
     with_client(options, |client| {
-        client.lock().expect("Failed to lock the nicator store")
+        client.lock().expect("Failed to lock the nicator store");
     })
 }
 
@@ -211,7 +211,7 @@ fn perform_unlock(options: &ProgramOptions) -> Exit {
             );
             client
                 .unlock(passphrase, store_path, options.timeout)
-                .expect("Failed to unlock the nicator store.")
+                .expect("Failed to unlock the nicator store.");
         }),
         Err(err) => {
             eprintln!(
@@ -233,7 +233,7 @@ fn perform_store(options: &ProgramOptions) -> Exit {
     with_client(options, |client| {
         client
             .store(credential)
-            .expect("Failed to store the credential.")
+            .expect("Failed to store the credential.");
     })
 }
 
@@ -265,7 +265,7 @@ fn perform_erase(options: &ProgramOptions) -> Exit {
     with_client(options, |client| {
         client
             .erase(credential)
-            .expect("Failed to erase the credential.")
+            .expect("Failed to erase the credential.");
     })
 }
 
diff --git a/src/store.rs b/src/store.rs
@@ -102,7 +102,7 @@ impl Store {
         let mut cipher = ChaCha20Poly1305::new(key);
         let nonce = Nonce::from_slice(&nonce_data);
         let plain = cipher
-            .decrypt(&nonce, store_data.as_slice())
+            .decrypt(nonce, store_data.as_slice())
             .map_err(|_| crate::Error::Crypto)?;
         let store = bincode::deserialize(&plain)?;
         Ok(store)
