1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
|
#!/bin/bash
set -e
if [ -z "$GIT_DIR" ]; then
GIT_DIR=".git"
fi
CIPHER=aes-256-ecb
SALT="123456789abcdef"
init() {
# From git 1.7.8+, the .git in submodule folder is a file containing the actual path of gitdir.
if [ -f "$GIT_DIR" ]; then
GIT_DIR=`cat $GIT_DIR | sed 's/^gitdir: //'`
fi
if [ ! -d "$GIT_DIR" ]; then
echo "Not a git repository. Did you run 'git init'?"
exit 1
fi
if [ ! -f .recipients ]; then
echo "Before running 'init' create .recipients file, and add to it target key IDs"
echo "(one per line). IDs can be either key fingerprints, substrings of user IDs"
echo "(e.g., emails) or whatever else gpg accepts for --recipient option (man gpg)."
exit 1
fi
if [ -f .gpgcrypt-key ]; then
git diff-index --quiet HEAD
clean=$?
if [ $clean -eq 1 ]; then
echo "Intended to initialize gpgcrypt in fresh clone, but your working copy/index"
echo "is not clean. Not doing anything. If you intended to initialize a fresh"
echo "clone either, something went wrong, you may need to clone again (or deal with"
echo "pending changes, then run '$0 init' again, then"
echo "'git checkout HEAD^; git checkout master', or remove everything but .git"
echo "directory and run 'git checkout .', or )"
else
setup_filters
git checkout -f .
echo "Initialized a clone"
fi
return
fi
echo "* filter=encrypt diff=encrypt" >>.gitattributes
echo "# You probably want to describe in README why one can't see anything useful in other files" >>.gitattributes
echo "README !filter !diff" >>.gitattributes
echo "# Don't encrypt recipient list, you can comment this to encrypt it" >>.gitattributes
echo ".recipients !filter !diff" >>.gitattributes
echo "# Never encrypt .gitattributes, .gpgcrypt-* files" >>.gitattributes
echo ".gitattributes !filter !diff" >>.gitattributes
echo ".gpgcrypt-* !filter !diff" >>.gitattributes
echo "[merge]" >>.gitattributes
echo " renormalize=true" >>.gitattributes
touch .recipients
KEY=$(cat /dev/urandom | LC_ALL="C" tr -dc '!@#$%^&*()_A-Z-a-z-0-9' | head -c32)
encrypt_key "$KEY"
SALT=$(head -c 10 < /dev/random | md5sum | cut -c-16)
echo $SALT >.gpgcrypt-salt
setup_filters
echo "git gpgcrypt initialized."
echo
git add .gitattributes .recipients .gpgcrypt-key .gpgcrypt-salt
git commit .gitattributes .recipients .gpgcrypt-key .gpgcrypt-salt -m "Initialized git gpgcrypt state."
}
setup_filters() {
git config filter.encrypt.smudge "git-gpgcrypt smudge"
git config filter.encrypt.clean "git-gpgcrypt clean"
git config diff.encrypt.textconv "git-gpgcrypt diff"
}
get_key() {
set +e
gpg -d -q .gpgcrypt-key
rc=$?
if [ $rc -ne 0 ]; then
echo "*ERROR*: Unable to decrypt key, gpg result: $rc" >/dev/stderr
echo "Are you among recipients of this repository? Is private key" >/dev/stderr
echo "which can prove that available to GPG on this machine?" >/dev/stderr
exit $rc
fi
set -e
}
get_salt() {
cat .gpgcrypt-salt
}
encrypt_key() {
echo "$1" | gpg -ea --group gr="$(sed -r -e 's/ +#[^#]*//' .recipients | tr '\n' ' ')" -r gr --output .gpgcrypt-key.tmp
mv .gpgcrypt-key.tmp .gpgcrypt-key
}
# Try to get symmetric encryption key and fail fast if we
# can't do that, which means that GPG cannot decrypt it
# with user's private key.
get_key
case "$1" in
init)
init
;;
update)
encrypt_key "$(get_key)"
;;
search-keys)
echo "!!!!! WARNING !!!!!"
echo "Be careful before importing keys and never use a keys whose"
echo "fingerprint you didn't verify directly with the owner."
echo "Press Enter if you are sure you want to continue or Ctrl+C to quit."
echo "!!!!! WARNING !!!!!"
read
sed -r -e 's/ +#[^#]*//' .recipients | xargs -d "\n" -n1 gpg --keyserver keyserver.ubuntu.com --search-keys
;;
clean)
#gpg -ea --group gr="$(cat .recipients|tr '\n' ' ')" -r gr
openssl enc -base64 -$CIPHER -S "$(get_salt)" -k "$(get_key)"
;;
smudge)
#gpg -d -q --batch --no-tty || cat
openssl enc -d -base64 -$CIPHER -k "$(get_key)" 2> /dev/null || cat
;;
diff)
#gpg -d -q --batch --no-tty "$2" 2>/dev/null || cat "$2"
openssl enc -d -base64 -$CIPHER -k "$(get_key)" -in "$2" 2> /dev/null || cat "$2"
;;
*)
echo "$0 - Set up transparent GPG encryption for files in git repository"
echo "usage: $0 init|search-keys|update"
exit 1
;;
esac
|