#!/bin/bash
# git-gpgcrypt: transparent encryption of files in a git working tree.
# 'init' and 'update' are run by the user; 'clean', 'smudge' and 'diff' are
# invoked by git through the filter/textconv configuration that
# setup_filters() writes.
#
# Environment: GIT_DIR - path to the repository's git directory (default .git)
set -e
# Honour an externally supplied GIT_DIR, otherwise assume the usual layout.
GIT_DIR=${GIT_DIR:-.git}
# openssl enc cipher used for file contents (see the 'clean'/'smudge' cases).
CIPHER=aes-256-ecb
# Placeholder only: init() generates the real per-repository salt into
# .gpgcrypt-salt, and get_salt() reads that file back, so this literal is
# never handed to openssl.
SALT="123456789abcdef"
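#######################################
# Set up gpgcrypt in the current repository.
# Two modes, decided by whether .gpgcrypt-key already exists:
#   - fresh clone of an already initialized repository: only configure the
#     local git filters and re-checkout the tree so files get decrypted;
#   - new repository: append the encryption rules to .gitattributes, generate
#     a random symmetric key (stored GPG-encrypted to the ids in .recipients)
#     and a salt, configure the filters and commit the bookkeeping files.
# Globals:   GIT_DIR (read; rewritten when it is a submodule pointer file)
# Arguments: none
# Outputs:   progress on stdout, diagnostics on stderr
# Returns:   0 on success; exits 1 when not inside a git repository or when
#            .recipients is missing
#######################################
init() {
  local rv key salt
  # From git 1.7.8+, the .git in a submodule folder is a file containing the
  # actual path of the gitdir ("gitdir: <path>").
  if [ -f "$GIT_DIR" ]; then
    GIT_DIR=$(sed 's/^gitdir: //' "$GIT_DIR")
  fi
  if [ ! -d "$GIT_DIR" ]; then
    echo "Not a git repository. Did you run 'git init'?" >&2
    exit 1
  fi
  if [ ! -f .recipients ]; then
    {
      echo "Before running 'init' create .recipients file, and add to it target key IDs"
      echo "(one per line). IDs can be either key fingerprints, substrings of user IDs"
      echo "(e.g., emails) or whatever else gpg accepts for --recipient option (man gpg)."
    } >&2
    exit 1
  fi
  if [ -f .gpgcrypt-key ]; then
    # .gpgcrypt-key is already committed: this is a clone of an initialized
    # repository. Capture diff-index's status with '||' -- with 'set -e' in
    # effect, a bare 'git diff-index ...; clean=$?' aborts the whole script
    # on a dirty tree before any message is printed. Status 1 means the index
    # differs from HEAD; any other non-zero status (e.g. no HEAD yet) is also
    # treated as "not safe to run 'git checkout -f'".
    rv=0
    git diff-index --quiet HEAD || rv=$?
    if [ "$rv" -ne 0 ]; then
      {
        echo "Intended to initialize gpgcrypt in fresh clone, but your working copy/index"
        echo "is not clean. Not doing anything. If you intended to initialize a fresh"
        echo "clone either, something went wrong, you may need to clone again (or deal with"
        echo "pending changes, then run '$0 init' again, then"
        echo "'git checkout HEAD^; git checkout master', or remove everything but .git"
        echo "directory and run 'git checkout .', or )"
      } >&2
    else
      setup_filters
      # Forced re-checkout so the smudge filter decrypts the files that were
      # checked out before the filter existed (local edits are discarded,
      # which the clean-tree check above guarantees is harmless).
      git checkout -f .
      echo "Initialized a clone"
    fi
    return
  fi
  # New repository: everything is encrypted except the bookkeeping files
  # excluded below. The trailing '[merge]' / 'renormalize=true' lines are
  # git-config syntax rather than .gitattributes syntax; kept as originally
  # written -- 'git config merge.renormalize true' looks like the intent
  # (TODO confirm).
  cat >>.gitattributes <<'EOF'
* filter=encrypt diff=encrypt
# You probably want to describe in README why one can't see anything useful in other files
README !filter !diff
# Don't encrypt recipient list, you can comment this to encrypt it
.recipients !filter !diff
# Never encrypt .gitattributes, .gpgcrypt-* files
.gitattributes !filter !diff
.gpgcrypt-* !filter !diff
[merge]
 renormalize=true
EOF
  touch .recipients
  # 32-character random symmetric key drawn from the printable set below.
  # tr is killed by SIGPIPE once head has its 32 bytes; without pipefail the
  # pipeline's status is head's, so this does not trip 'set -e'. The key
  # only ever persists GPG-encrypted inside .gpgcrypt-key.
  key=$(LC_ALL=C tr -dc '!@#$%^&*()_A-Z-a-z-0-9' </dev/urandom | head -c32)
  encrypt_key "$key"
  # Fixed per-repository salt so that 'clean' is deterministic (identical
  # plaintext -> identical blob, which git needs to avoid spurious churn).
  # /dev/urandom rather than /dev/random: the salt is public (it is committed)
  # and /dev/random may block on older kernels.
  salt=$(head -c 10 </dev/urandom | md5sum | cut -c-16)
  printf '%s\n' "$salt" >.gpgcrypt-salt
  setup_filters
  echo "git gpgcrypt initialized."
  echo
  git add .gitattributes .recipients .gpgcrypt-key .gpgcrypt-salt
  git commit .gitattributes .recipients .gpgcrypt-key .gpgcrypt-salt -m "Initialized git gpgcrypt state."
}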
#######################################
# Register the gpgcrypt clean/smudge filters and the diff textconv driver in
# the repository's git config. The 'encrypt' name is what the
# 'filter=encrypt diff=encrypt' attribute in .gitattributes refers to.
# Globals:   none
# Arguments: none
# Outputs:   none (git config is updated as a side effect)
# Returns:   status of the last 'git config' call
#######################################
setup_filters() {
  local -r driver=git-gpgcrypt
  git config filter.encrypt.smudge "${driver} smudge"
  git config filter.encrypt.clean "${driver} clean"
  git config diff.encrypt.textconv "${driver} diff"
}
#######################################
# Decrypt .gpgcrypt-key with the caller's GPG key and print the symmetric
# key on stdout. --batch/--no-tty keep gpg from prompting, since this runs
# inside git's clean/smudge/diff invocations.
# Arguments: none
# Outputs:   the plaintext symmetric key on stdout
# Returns:   gpg's exit status
#######################################
get_key() {
  gpg --decrypt --quiet --batch --no-tty .gpgcrypt-key
}
#######################################
# Print the committed per-repository salt (written by init) on stdout.
# Arguments: none
# Outputs:   contents of .gpgcrypt-salt
# Returns:   cat's exit status (non-zero if the file is missing)
#######################################
get_salt() {
  cat -- .gpgcrypt-salt
}
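#######################################
# Encrypt the symmetric key to every GPG id listed in .recipients and write
# the ASCII-armored result to .gpgcrypt-key.
# Arguments: $1 - the plaintext symmetric key
# Outputs:   .gpgcrypt-key in the current directory
# Returns:   gpg's exit status
# Notes:     .recipients is read verbatim (one id per line) and turned into a
#            gpg group, so review it before 'init'/'update': anyone able to
#            add a line to that file receives the key on the next 'update'.
#            gpg is run without --batch/--yes here, so it asks interactively
#            before overwriting an existing .gpgcrypt-key (the 'update' case).
#######################################
encrypt_key() {
  local recipients
  recipients=$(tr '\n' ' ' <.recipients) || return
  # printf rather than echo: a key that happens to start with '-' must not be
  # interpreted as an echo option.
  printf '%s\n' "$1" | gpg -ea --group gr="$recipients" -r gr --output .gpgcrypt-key
}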
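# Subcommand dispatch. 'init' and 'update' are run by the user; 'clean',
# 'smudge' and 'diff' are invoked by git through the config written by
# setup_filters (stdin -> stdout, plus a path argument for 'diff').
#
# Notes on the scheme, documented rather than changed here:
#   - AES in ECB mode with a fixed per-repository salt is deliberately
#     deterministic, so identical plaintext yields an identical blob and git
#     sees no spurious churn; the cost is that equal 16-byte blocks remain
#     visible in the ciphertext and there is no integrity protection (a
#     tampered blob decrypts to garbage or falls through to '|| cat').
#   - The symmetric key reaches openssl via -k, i.e. on the command line,
#     where it is briefly visible to other local users in process listings;
#     '-pass fd:N' or '-kfile' would avoid that.
#   - openssl enc derives the key from the passphrase with EVP_BytesToKey,
#     whose default digest changed between OpenSSL releases; blobs written by
#     one version may need an explicit '-md' to decrypt with another (TODO
#     confirm against the deployed versions).
case "$1" in
  init)
    init
    ;;
  update)
    # Re-encrypt the existing key to the (possibly changed) recipient list.
    encrypt_key "$(get_key)"
    ;;
  clean)
    # Working tree -> repository: encrypt stdin.
    openssl enc -base64 "-$CIPHER" -S "$(get_salt)" -k "$(get_key)"
    ;;
  smudge)
    # Repository -> working tree: decrypt stdin, or pass the content through
    # unchanged when decryption fails (e.g. content that was never encrypted).
    openssl enc -d -base64 "-$CIPHER" -k "$(get_key)" 2>/dev/null || cat
    ;;
  diff)
    # textconv: decrypt the file at "$2" for diffing, or show it as-is.
    openssl enc -d -base64 "-$CIPHER" -k "$(get_key)" -in "$2" 2>/dev/null || cat -- "$2"
    ;;
  *)
    {
      echo "$0 - Set up transparent GPG encryption for files in git repository"
      echo "usage: $0 init|update"
      echo "       (clean, smudge and diff are invoked by git via the configured filters)"
    } >&2
    exit 1
    ;;
esac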