#!/bin/bash

set -e

# GIT_DIR may already be supplied by the environment; otherwise assume ./.git.
GIT_DIR=${GIT_DIR:-.git}

# Cipher for the clean/smudge/diff filters below. NOTE(review): ECB reveals
# which 16-byte blocks are equal within and across files; it cannot be changed
# here without re-encrypting every existing repository, so treat it as a known
# limitation of the on-disk format rather than a value to flip in place.
CIPHER=aes-256-ecb
# NOTE(review): appears unused — the filters read the per-repository salt from
# .gpgcrypt-salt (via get_salt), and 'init' overwrites its own copy; confirm.
SALT="123456789abcdef"

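#######################################
# Initialize git-gpgcrypt in the current repository.
# Two cases: a fresh clone that already ships .gpgcrypt-key (only the filters
# are configured and the tree re-checked-out), or a brand new repository
# (attributes, key, salt and recipient list are created and committed).
# Globals:   GIT_DIR (read; rewritten when it is a submodule "gitdir:" file)
# Arguments: none
# Outputs:   progress on stdout, errors on stderr; writes .gitattributes,
#            .recipients, .gpgcrypt-key, .gpgcrypt-salt
# Returns:   0 on success; exits 1 on a usage error
#######################################
init() {
    local clean key salt

    # From git 1.7.8+, the .git in a submodule folder is a file containing
    # "gitdir: <path>" with the actual path of the git directory.
    if [ -f "$GIT_DIR" ]; then
        GIT_DIR=$(sed 's/^gitdir: //' "$GIT_DIR")
    fi

    if [ ! -d "$GIT_DIR" ]; then
        echo "Not a git repository. Did you run 'git init'?" >&2
        exit 1
    fi

    if [ ! -f .recipients ]; then
        echo "Before running 'init' create .recipients file, and add to it target key IDs" >&2
        echo "(one per line). IDs can be either key fingerprints, substrings of user IDs" >&2
        echo "(e.g., emails) or whatever else gpg accepts for --recipient option (man gpg)." >&2
        exit 1
    fi

    if [ -f .gpgcrypt-key ]; then
        # Fresh clone. Capture diff-index's status on the same list: under
        # 'set -e' a bare "git diff-index --quiet HEAD; clean=$?" aborts the
        # script on a dirty tree before the explanation below is printed.
        clean=0
        git diff-index --quiet HEAD || clean=$?
        if [ "$clean" -ne 0 ]; then
            echo "Intended to initialize gpgcrypt in fresh clone, but your working copy/index" >&2
            echo "is not clean. Not doing anything. If you intended to initialize a fresh" >&2
            echo "clone either, something went wrong, you may need to clone again (or deal with" >&2
            echo "pending changes, then run '$0 init' again, then" >&2
            echo "'git checkout HEAD^; git checkout master', or remove everything but .git" >&2
            echo "directory and run 'git checkout .', or )" >&2
        else
            setup_filters
            # Re-checkout so the freshly configured smudge filter runs over
            # the files the clone left encrypted.
            git checkout -f .
            echo "Initialized a clone"
        fi
        return
    fi

    # Brand new repository: encrypt everything except the files that must
    # stay readable for the setup itself.
    # NOTE(review): the last two lines are git-config syntax, not attribute
    # syntax — confirm they are intended in .gitattributes.
    cat <<'EOF' >>.gitattributes
* filter=encrypt diff=encrypt
# You probably want to describe in README why one can't see anything useful in other files
README !filter !diff
# Don't encrypt recipient list, you can comment this to encrypt it
.recipients !filter !diff
# Never encrypt .gitattributes, .gpgcrypt-* files
.gitattributes !filter !diff
.gpgcrypt-* !filter !diff
[merge]
    renormalize=true
EOF
    touch .recipients

    # Random symmetric key: 32 printable characters drawn from /dev/urandom.
    key=$(LC_ALL=C tr -dc '!@#$%^&*()_A-Z-a-z-0-9' </dev/urandom | head -c32)
    encrypt_key "$key"

    # Fixed per-repository salt so the clean filter output is deterministic
    # (otherwise every checkout would look modified to git).
    salt=$(head -c 10 </dev/random | md5sum | cut -c-16)
    echo "$salt" >.gpgcrypt-salt

    setup_filters

    echo "git gpgcrypt initialized."
    echo

    git add .gitattributes .recipients .gpgcrypt-key .gpgcrypt-salt
    git commit .gitattributes .recipients .gpgcrypt-key .gpgcrypt-salt -m "Initialized git gpgcrypt state."
}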

#######################################
# Point git's "encrypt" filter (smudge/clean) and diff driver at this script.
# Globals:   none
# Arguments: none
# Outputs:   none (repository config is updated through 'git config')
#######################################
setup_filters() {
    local stage
    for stage in smudge clean; do
        git config "filter.encrypt.$stage" "git-gpgcrypt $stage"
    done
    git config diff.encrypt.textconv "git-gpgcrypt diff"
}

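#######################################
# Decrypt the repository's symmetric key with the user's GPG key.
# Globals:   none
# Arguments: none
# Outputs:   the decrypted key on stdout; diagnostics on stderr
# Returns:   0 on success; exits with gpg's status when decryption fails.
#            When called as $(get_key) that 'exit' only ends the subshell,
#            so callers must check the substitution's status themselves.
#######################################
get_key() {
    local rc=0
    # Capture the status on the same list instead of toggling 'set +e'.
    gpg -d -q .gpgcrypt-key || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "*ERROR*: Unable to decrypt key, gpg result: $rc" >&2
        echo "Are you among recipients of this repository? Is private key" >&2
        echo "which can prove that available to GPG on this machine?" >&2
        exit "$rc"
    fi
}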

#######################################
# Print the per-repository salt written by 'init'.
# Globals:   none
# Arguments: none
# Outputs:   contents of .gpgcrypt-salt on stdout
#######################################
get_salt() {
    local salt_file=.gpgcrypt-salt
    cat -- "$salt_file"
}

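#######################################
# Encrypt the symmetric key to every ID listed in .recipients.
# Globals:   none
# Arguments: $1 - the symmetric key (plaintext)
# Outputs:   writes .gpgcrypt-key; errors on stderr
# Returns:   1 when .recipients holds no IDs; otherwise gpg/mv status
#######################################
encrypt_key() {
    local recipients
    # Strip trailing "# comment" text and join the IDs with spaces; they are
    # handed to gpg as the group "gr", which is then the sole recipient.
    recipients=$(sed -r -e 's/ +#[^#]*//' .recipients | tr '\n' ' ')
    if [ -z "${recipients// /}" ]; then
        echo "*ERROR*: .recipients contains no key IDs, refusing to write .gpgcrypt-key" >&2
        return 1
    fi
    # The key goes to gpg on stdin, never on argv. Write to a temp name so a
    # failed gpg run cannot leave a truncated .gpgcrypt-key; --yes overwrites
    # a stale .tmp from an earlier failure instead of prompting.
    printf '%s\n' "$1" | gpg -ea --yes --group gr="$recipients" -r gr --output .gpgcrypt-key.tmp
    mv .gpgcrypt-key.tmp .gpgcrypt-key
}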

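# Fail fast when this user cannot decrypt the repository key. Skipped when
# no .gpgcrypt-key exists yet (a brand new repository being 'init'ed).
# The decrypted key is discarded: get_key prints it on stdout, and for the
# clean/smudge filters stdout is the blob content handed back to git.
if [ -f .gpgcrypt-key ]; then
    get_key >/dev/null
fi

case "$1" in
    init)
        init
        ;;
    update)
        # Re-encrypt the existing key for the current .recipients list.
        # A failed $(get_key) aborts here (set -e) instead of encrypting "".
        key=$(get_key)
        encrypt_key "$key"
        ;;
    search-keys)
        echo "!!!!! WARNING !!!!!"
        echo "Be careful before importing keys and never use a keys whose"
        echo "fingerprint you didn't verify directly with the owner."
        echo "Press Enter if you are sure you want to continue or Ctrl+C to quit."
        echo "!!!!! WARNING !!!!!"
        read -r _
        sed -r -e 's/ +#[^#]*//' .recipients | xargs -d "\n" -n1 gpg --keyserver keyserver.ubuntu.com --search-keys
        ;;
    clean)
        # worktree -> repository: encrypt stdin. The fixed salt from
        # .gpgcrypt-salt makes the output deterministic, so unchanged files
        # stay unchanged for git. The key reaches openssl through the
        # environment (-pass env:) rather than -k, which would expose it in
        # the process list.
        key=$(get_key)
        GIT_GPGCRYPT_KEY=$key openssl enc -base64 "-$CIPHER" -S "$(get_salt)" -pass env:GIT_GPGCRYPT_KEY
        ;;
    smudge)
        # repository -> worktree: decrypt stdin, passing content through
        # unchanged when it is not encrypted (blobs from before 'init').
        # stdin is buffered in a temp file first: openssl consumes the pipe
        # before failing, so a plain "|| cat" on stdin would emit nothing.
        tmp=$(mktemp) || exit 1
        trap 'rm -f -- "$tmp"' EXIT
        cat >"$tmp"
        key=$(get_key)
        GIT_GPGCRYPT_KEY=$key openssl enc -d -base64 "-$CIPHER" -pass env:GIT_GPGCRYPT_KEY -in "$tmp" 2>/dev/null || cat -- "$tmp"
        ;;
    diff)
        # textconv for 'git diff': decrypt the named file, or show it as-is.
        key=$(get_key)
        GIT_GPGCRYPT_KEY=$key openssl enc -d -base64 "-$CIPHER" -pass env:GIT_GPGCRYPT_KEY -in "$2" 2>/dev/null || cat -- "$2"
        ;;
    *)
        echo "$0 - Set up transparent GPG encryption for files in git repository" >&2
        echo "usage: $0 init|search-keys|update" >&2
        exit 1
        ;;
esac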