Cleanups 2022 04 (#824)

* change file desc we use to pass gnupg info * improve content and phrasing in docs * improve docs about locations of private/public keys * update changelog
2 years ago · 120edded4f
parent f5fe4ecb96
commit 120edded4f
21 changed files with 167 additions and 109 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -7,7 +7,7 @@
 - Adds `SECRETS_GPG_ARMOR` env variable to use `gpg --armor`
  when encrypting files, so secret files are stored
  in text format rather than binary (#631)
- Do not suppress permission warnings from gnupg in verbose mode (#811)
+- Suppress fewer permission warnings from gnupg in verbose mode (#811)
 - `git secret init` now sets `.gitsecret/keys` permission to 0700 (#811)

 ### Bugfixes
@ -20,9 +20,9 @@
 ### Misc

 - Rename `killperson` command to `removeperson` (#684)
- Refactor docs: new pages, new content 
- Upgrade bats-core to v1.6.0 (#755)
+- Improve, expand, correct, and update docs (#699)
 - Update docs for use with CI/CD server (#675)
+- Upgrade bats-core to v1.6.0 (#755)
 - Test, and build RPMS, with Rocky and Alma Linux instead of CentOS (#765)
 - Improve testing of .gitignore contents (#792)
 - Automate running verbose tests with SECRETS_TEST_VERBOSE=1 (#794)
@ -164,7 +164,7 @@
 - Show commands run by Makefile as per debian upstream recommendations (#386)
 - Upgrade bats-core to v1.1.0, import bats-core into vendor/bats-core (#377)
 - Use gawk to parse emails from gpg output
- Optimize code that parses keychains
+- Optimize code that parses keyrings
 - Remove unused code

 ## Version 0.2.5
@ -187,7 +187,7 @@
 - Issue error message when unable to hide a secret (#202, #238)
 - Accept gpg key with no name, only an email (#227)
 - Require keys to be specified by email, as documented (#267)
- Disallow 'git secret tell' or 'killperson' with emails that are not in keychain (also #267)
+- Disallow 'git secret tell' or 'killperson' with emails that are not in keyring (also #267)

 ### Misc

--- a/README.md
+++ b/README.md
@ -18,7 +18,7 @@ allowing users you trust to access encrypted data using pgp and their secret key
 With `git-secret`, changes to access rights are simplified, and private-public key issues are handled for you.

 When someone's permission is revoked, secrets do not need to be changed with `git-secret` -
-just remove their key from the keychain using `git secret removeperson their@email.com`,
+just remove their key from the repo's keyring using `git secret removeperson their@email.com`,
 re-encrypt the files, and they won't be able to decrypt secrets anymore.
 If you think the user might have copied the secrets or keys when they had access, then
 you should also change the secrets.
--- a/man/man1/git-secret-add.1.md
+++ b/man/man1/git-secret-add.1.md
@ -7,16 +7,15 @@ git-secret-add - starts to track added files.


 ## DESCRIPTION
-`git-secret-add` adds a filepath(s) into `.gitsecret/paths/mapping.cfg`
-and ensures the filepath is mentioned `.gitignore`.
+`git secret add` - tells `git secret` which files hold secrets,
+and adds filepath(s) into `.gitsecret/paths/mapping.cfg`.
+(It is not recommended to alter `.gitsecret/paths/mapping.cfg` manually.)

-When adding files to encrypt, `git-secret-add` (as of 0.2.6) will ensure that they are ignored by `git` by mentioning
-them in `.gitignore`, since they must be secure and not be committed into the remote repository unencrypted.
+As of 0.2.6, this command also ensures the filepath is mentioned `.gitignore`
+as the contents are now considered secret and should not be committed into the repository unencrypted.

-If there's no users in the `git-secret`'s keyring, when adding a file, an exception will be raised.
+The `add` action will fail unless there are already users in `git-secret`'s keyring.

-Use the `git secret add` command to add filenames to this file.
-It is not recommended to add filenames directly into `.gitsecret/paths/mapping.cfg`.

 (See [git-secret(7)](https://git-secret.io/git-secret) for information about renaming the .gitsecret
 folder using the SECRETS_DIR environment variable.
@ -30,7 +29,7 @@ folder using the SECRETS_DIR environment variable.

 ## MANUAL

-Run `man git-secret-add` to see this note.
+Run `man git-secret-add` to see this document.


 ## SEE ALSO
--- a/man/man1/git-secret-cat.1.md
+++ b/man/man1/git-secret-cat.1.md
@ -1,4 +1,4 @@
-git-secret-cat - decrypts files passed on command line to stdout
+git-secret-cat - decrypts files passed on command line to stdout.
 =============================================

 ## SYNOPSIS
@ -7,24 +7,25 @@ git-secret-cat - decrypts files passed on command line to stdout


 ## DESCRIPTION
-`git-secret-cat` - Outputs to stdout the contents of the files named on the command line.
-As with `git-secret-reveal`, you'll need to have a public/private keypair that is allowed to
-decrypt this repo.
+`git-secret-cat` - Outputs the decrypted contents of the named files to stdout.

-Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See
+As with `git-secret-reveal`, you'll need to have the private key for one of the emails allowed to
+decrypt this repo in your personal keyring.
+
+Note this command can be affected by the `SECRETS_PINENTRY` environment variable. See
 (See [git-secret(7)](https://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`.


 ## OPTIONS

-    -d  - specifies `--homedir` option for the `gpg`, basically use this option if you store your keys in a custom location.
+    -d  - specifies `--homedir` option for the `gpg`, use this option if you store your keys in a custom location.
    -p  - specifies password for noinput mode, adds `--passphrase` option for `gpg`.
    -h  - shows help.


 ## MANUAL

-Run `man git-secret-cat` to see this note.
+Run `man git-secret-cat` to see this document.


 ## SEE ALSO
--- a/man/man1/git-secret-changes.1.md
+++ b/man/man1/git-secret-changes.1.md
@ -7,12 +7,15 @@ git-secret-changes - view diff of the hidden files.


 ## DESCRIPTION
-`git-secret-changes` - shows changes between the current version of hidden files and the ones already committed.
-You can provide any number of hidden files to this command as arguments, and it will show changes for these files only.
-Note that files must be specified by their encrypted names, typically `filename.yml.secret`.
-If no arguments are provided, information about all hidden files will be shown.
+`git-secret-changes` - show changes between the current versions of secret files and encrypted versions.

-Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See
+If no filenames are provided, changes to all hidden files will be shown. Alternately,
+provide any number of hidden files to this command as arguments, and it will show changes for those files.
+
+Note files must be specified by their unencrypted names, without the `.secret` suffix,
+(or whatever is specified by the `SECRETS_EXTENSION` environment variable).
+
+Note also this command can be affected by the `SECRETS_PINENTRY` environment variable. See
 (See [git-secret(7)](https://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`.


@ -25,7 +28,7 @@ Note also that this command can be affected by the `SECRETS_PINENTRY` environmen

 ## MANUAL

-Run `man git-secret-changes` to see this note.
+Run `man git-secret-changes` to see this document.


 ## SEE ALSO
--- a/man/man1/git-secret-clean.1.md
+++ b/man/man1/git-secret-clean.1.md
@ -7,9 +7,16 @@ git-secret-clean - removes all the hidden files.


 ## DESCRIPTION
-`git-secret-clean` deletes all the encrypted files.
-Verbose output is enabled with the `-v` option, in which case the program prints which files are deleted.
+`git-secret-clean` deletes all files in the current `git-secret` repo that end with `.secret`.

+Note that it will delete any files ending in `.secret`, even if they are not tracked by `git-secret`. 
+
+Also note that this command does not delete unencrypted versions of files.
+
+Verbose mode, enabled with the `-v` option, displays the filenames deleted.
+
+You can change the extension `git-secret` uses for encrypted files
+with the `SECRETS_EXTENSION` environment variable.

 ## OPTIONS

@ -21,7 +28,7 @@ as documented at [git-secret(7)](https://git-secret.io/)

 ## MANUAL

-Run `man git-secret-clean` to see this note.
+Run `man git-secret-clean` to see this document.


 ## SEE ALSO
--- a/man/man1/git-secret-hide.1.md
+++ b/man/man1/git-secret-hide.1.md
@ -7,15 +7,17 @@ git-secret-hide - encrypts all added files with the inner keyring.


 ## DESCRIPTION
-`git-secret-hide` creates an encrypted version (typically called `filename.txt.secret`)
+`git-secret-hide`  - writes an encrypted version (typically called `filename.txt.secret`)
 of each file added by `git-secret-add` command.
-Now anyone enabled via `git secret tell` can can decrypt these files. Under the hood,
-`git-secret` uses the keyring in `.gitsecret/keys` and user's secret keys to decrypt the files.

-It is recommended to encrypt (or re-encrypt) all the files in a `git-secret` repo each
-time `git secret hide` is run.
+Then anyone enabled via `git secret tell` can decrypt these files. 
+
+Under the hood, `git-secret` uses the keyring of public keys in `.gitsecret/keys` to _encrypt_ files.
+Later a permitted user can use their secret key (typically from their home directory) to _decrypt_ files.

-Otherwise the keychain (the one stored in `.gitsecret/keys/*.gpg`),
+It is recommended to encrypt (or re-encrypt) all the files in a `git-secret` repo each
+time `git secret hide` is run.  
+Otherwise the keyring (the one stored in `.gitsecret/keys/*.gpg`),
 may have changed since the last time the files were encrypted, and it's possible
 to create a state where the users in the output of `git secret whoknows`
 may not be able to decrypt the some files in the repo, or may be able decrypt files
@ -57,7 +59,7 @@ not be been modified since the last time they were encrypted.

 ## MANUAL

-Run `man git-secret-hide` to see this note.
+Run `man git-secret-hide` to see this document.


 ## SEE ALSO
--- a/man/man1/git-secret-init.1.md
+++ b/man/man1/git-secret-init.1.md
@ -7,8 +7,11 @@ git-secret-init - initializes git-secret repository.


 ## DESCRIPTION
-`git-secret-init` should be run inside a `git` repo to set up the .gitsecret directory and initialize the repo for git-secret.
-Until repository is initialized with `git secret init`, all other `git-secret` commands are unavailable.
+`git-secret-init` - initializes a `git-secret` repo by setting up a `.gitsecret` directory.
+
+`git-secret-init` should be run inside a `git` repo, to create the 
+`.gitsecret` directory and initialize the repo for git-secret.
+Until a repository is initialized with `git secret init`, all other `git-secret` commands are unavailable.

 If a `.gitsecret` directory already exists, `git-secret-init` exits without making any changes.
 Otherwise, 
@ -18,9 +21,9 @@ and to not ignore `.secret` files,

 * a .gitsecret directory is created with the sub-directories /keys and /paths,

-* The `.gitsecret/keys` subdirectory permissions are set to 700 to make gnupg happy.
+* The `.gitsecret/keys` subdirectory permission is set to 700 to make gnupg happy.

-(See [git-secret(7)](https://git-secret.io/git-secret) for information about renaming the .gitsecret
+See [git-secret(7)](https://git-secret.io/git-secret) for information about renaming the .gitsecret
 folder with the `SECRETS_DIR` environment variable, and changing the extension `git-secret` uses for secret files
 with the `SECRETS_EXTENSION` environment variable.

@ -32,7 +35,7 @@ with the `SECRETS_EXTENSION` environment variable.

 ## MANUAL

-Run `man git-secret-init` to see this note.
+Run `man git-secret-init` to see this document.


 ## SEE ALSO
--- a/man/man1/git-secret-list.1.md
+++ b/man/man1/git-secret-list.1.md
@ -7,7 +7,9 @@ git-secret-list - prints all the added files.


 ## DESCRIPTION
-`git-secret-list` prints all the currently added tracked files from the `.gitsecret/paths/mapping.cfg`.
+`git-secret-list` - print the files currently considered secret in this repo.
+
+Shows tracked files from `.gitsecret/paths/mapping.cfg`.

 (See [git-secret(7)](https://git-secret.io/git-secret) for information about renaming the .gitsecret
 folder using the `SECRETS_DIR` environment variable.
@ -20,7 +22,7 @@ folder using the `SECRETS_DIR` environment variable.

 ## MANUAL

-Run `man git-secret-list` to see this note.
+Run `man git-secret-list` to see this document.


 ## SEE ALSO
--- a/man/man1/git-secret-remove.1.md
+++ b/man/man1/git-secret-remove.1.md
@ -7,10 +7,17 @@ git-secret-remove - removes files from index.


 ## DESCRIPTION
-`git-secret-remove` deletes files from `.gitsecret/paths/mapping.cfg`,
-so they won't be encrypted or decrypted in the future.
+`git-secret-remove` - stops files from being tracked by `git-secret`.
+
+This deletes filenames from `.gitsecret/paths/mapping.cfg`, 
+which stops these files from being tracked by `git-secret`, and from
+being encrypted to, or decrypted from, `.secret` encrypted versions.
+
 There's also a -c option to delete existing encrypted versions of the files provided.

+Note unlike `add`, which automatically add pathnames to `.gitignore`, 
+`remove` does not delete pathnames from `.gitignore`.
+
 (See [git-secret(7)](https://git-secret.io/git-secret) for information about renaming the .gitsecret
 folder using the `SECRETS_DIR` environment variable.

@ -23,7 +30,7 @@ folder using the `SECRETS_DIR` environment variable.

 ## MANUAL

-Run `man git-secret-remove` to see this note.
+Run `man git-secret-remove` to see this document.


 ## SEE ALSO
--- a/man/man1/git-secret-removeperson.1.md
+++ b/man/man1/git-secret-removeperson.1.md
@ -7,9 +7,12 @@ git-secret-removeperson - deletes key identified by an email from the inner keyr


 ## DESCRIPTION
-This command removes the keys associated with the selected email addresses from the keyring.
-If you remove a keypair's access with `git-secret-removeperson`, and run `git-secret-reveal` and `git-secret-hide -r`,
-it will be impossible for given users to decrypt the hidden files.
+`git-secret-removeperson` - removes public keys for passed email addresses from repo's `git-secret` keyring.
+
+This command is used to begin the process of disallowing a user from encrypting and decrypting secrets with `git-secret`.
+
+If you remove a user's access with `git-secret-removeperson`, and then run `git-secret-reveal` and `git-secret-hide -r`,
+that user will no longer be able user to decrypt the hidden files.


 ## OPTIONS
@ -19,7 +22,7 @@ it will be impossible for given users to decrypt the hidden files.

 ## MANUAL

-Run `man git-secret-removeperson` to see this note.
+Run `man git-secret-removeperson` to see this document.


 ## SEE ALSO
--- a/man/man1/git-secret-reveal.1.md
+++ b/man/man1/git-secret-reveal.1.md
@ -7,11 +7,16 @@ git-secret-reveal - decrypts all added files.


 ## DESCRIPTION
-`git-secret-reveal` - decrypts all the files in `.gitsecret/paths/mapping.cfg`,
-or the passed `pathspec`s.
-You will need to have imported the paired secret-key with one of the
-public-keys which were used in the encryption.
-Under the hood, this uses the `gpg --decrypt` command.
+`git-secret-reveal` - decrypts passed files, or all files considered secret by `git-secret` 
+
+Under the hood, `reveal` uses the `gpg --decrypt` command
+and your private key (typically from your personal keyring in your
+home directory) to _decrypt_ files.
+
+Therefore, for this operation to succeed, your personal keyring must contain a private key 
+matching one of the public keys which were used to encrypt the secrets --
+i.e., one of the public keys in `git-secret` repo's keyring when the file was encrypted. 
+


 ## OPTIONS
@ -37,7 +42,7 @@ Under the hood, this uses the `gpg --decrypt` command.

 ## MANUAL

-Run `man git-secret-reveal` to see this note.
+Run `man git-secret-reveal` to see this document.


 ## SEE ALSO
--- a/man/man1/git-secret-tell.1.md
+++ b/man/man1/git-secret-tell.1.md
@ -1,4 +1,4 @@
-git-secret-tell - adds a person, who can access private data.
+git-secret-tell - adds person who can access private data.
 ===============================================================

 ## SYNOPSIS
@ -7,31 +7,38 @@ git-secret-tell - adds a person, who can access private data.


 ## DESCRIPTION
-`git-secret tell` receives one or more email addresses as an input, searches for the `gpg`-key in the `gpg`
-`homedir` by these emails, then imports the corresponding public key into `git-secret`'s inner keychain.
-From this moment this person can encrypt new files with the keyring which contains their key,
-but they cannot decrypt the old files, which were already encrypted without their key.
-The files should be re-encrypted with the new keyring by someone who has the unencrypted files.
+`git-secret tell` - adds user(s) to the list of those able to encypt/decrypt secrets.

-Because `git-secret tell` works with only email addresses, it will exit with an error if you have
-multiple keys in your keychain with specified email addresses, or if one of the specified emails
-is already associated with a key in the `git-secret` keychain.
+This lets the specified user encrypt new files,
+but will not immediately be able to decrypt existing files, which were encrypted without their key.
+Files should be re-encrypted with the new keyring by someone who already has access
+in order for the new user to be able to decrypt the files.

-Versions of `git-secret tell` after `0.3.2` will warn about keys that are expired, revoked, or otherwise invalid,
-and also if multiple keys are found for a single email address.
+`git-secret tell` works only with email addresses, and will exit with an error if you have
+multiple keys in your keyring with specified email addresses, or if one of the specified emails
+is already associated with a key in the `git-secret` repo's keyring.
+
+Under the hood, `git-secret-tell` searches in the current user's `gnupg` keyring for public key(s) of passed
+email(s), then imports the corresponding public key(s) into your `git-secret` repo's keyring.
+
+Versions of `git-secret tell` after `0.3.2` will warn about keys that are expired, revoked, or otherwise invalid.
+It will also warn if multiple keys are found for a single email address.

 **Do not manually import secret keys into `git-secret`**. It won't work with imported secret keys anyway.

+For more details about how `git-secret` uses public and private keys,
+see the documentation for `git-secret-hide` and `git-secret-reveal`.
+
 ## OPTIONS

-    -m  - takes your current `git config user.email` as an identifier for the key.
-    -d  - specifies `--homedir` option for the `gpg`, basically use this option if your store your keys in a custom location.
+    -m  - uses your current `git config user.email` setting as an identifier for the key.
+    -d  - specifies `--homedir` option for `gpg`, basically use this option if your store your keys in a custom location.
    -h  - shows help.


 ## MANUAL

-Run `man git-secret-tell` to see this note.
+Run `man git-secret-tell` to see this document.


 ## SEE ALSO
--- a/man/man1/git-secret-usage.1.md
+++ b/man/man1/git-secret-usage.1.md
@ -7,7 +7,7 @@ git-secret-usage - prints all the available commands.


 ## DESCRIPTION
-`git-secret-usage` is used to print all the available commands.
+`git-secret-usage` - prints all the available `git-secret` commands.


 ## OPTIONS
@ -17,7 +17,7 @@ git-secret-usage - prints all the available commands.

 ## MANUAL

-Run `man git-secret-usage` to see this note.
+Run `man git-secret-usage` to see this document.


 ## SEE ALSO
--- a/man/man1/git-secret-whoknows.1.md
+++ b/man/man1/git-secret-whoknows.1.md
@ -1,4 +1,4 @@
-git-secret-whoknows - prints email-labels for each key in the keyring.
+git-secret-whoknows - print email for each key in the keyring.
 ======================================================================

 ## SYNOPSIS
@ -7,7 +7,7 @@ git-secret-whoknows - prints email-labels for each key in the keyring.


 ## DESCRIPTION
-`git-secret-whoknows` prints list of email addresses whose keys are allowed to access the secrets in this repo.
+`git-secret-whoknows` - print email addresses allowed to access the secrets in this repo.


 ## OPTIONS
@ -18,7 +18,7 @@ git-secret-whoknows - prints email-labels for each key in the keyring.

 ## MANUAL

-Run `man git-secret-whoknows` to see this note.
+Run `man git-secret-whoknows` to see this document.


 ## SEE ALSO
--- a/man/man7/git-secret.7.md
+++ b/man/man7/git-secret.7.md
@ -3,30 +3,39 @@ git-secret - bash tool to store private data inside a git repo.

 ## Usage: Setting up git-secret in a repository

-These steps cover the basic process of using `git-secret`:
+These steps cover the basic process of using `git-secret`
+to specify users and files that will interact with `git-secret`, 
+and to encrypt and decrypt secrets.

-0. Before starting, [make sure you have created a `gpg` RSA key-pair](#using-gpg): a public and a secret key identified by your email address.
+0. Before starting, [make sure you have created a `gpg` RSA key-pair](#using-gpg): 
+which are a public key and a secret key pair, identified by your email address and
+stored with your gpg configuration.
+Generally this gpg configuration and keys will be stored somewhere in your home directory.

-1. Begin with an existing or new git repository. You'll use the `git-secret` commands to add the keyrings and information
-to make `git-secret` hide and reveal files in this repository.
+1. Begin with an existing or new git repository. 
+
+2. Initialize the `git-secret` repository by running `git secret init`. The `.gitsecret/` folder will be created,
+with subdirectories `keys/` and `paths/`, 
+`.gitsecret/keys/random_seed` will be added to `.gitignore`,
+and `.gitignore` will be configured to _not_ ignore `.secret` files.

-2. Initialize the `git-secret` repository by running `git secret init` command. The `.gitsecret/` folder will be created.
 **Note** all the contents of the `.gitsecret/` folder should be checked in, **/except/** the `random_seed` file.
 In other words, of all the files in `.gitsecret/`, only the `random_seed` file should be mentioned in your `.gitignore` file.
-By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your `.gitignore` file.

-3. Add the first user to the `git-secret` repo keyring by running `git secret tell your@gpg.email`.
+3. Add the first user to the `git-secret` repo keyring by running `git secret tell your@email.id`.

 4. Now it's time to add files you wish to encrypt inside the `git-secret` repository.
-This can be done by running `git secret add <filenames...>` command. Make sure these files are ignored by mentions in
-`.gitignore`, otherwise `git-secret` won't allow you to add them, as these files could be stored unencrypted. In the default configuration, `git-secret add` will automatically add the unencrypted versions of the files to `.gitignore` for you.
+This can be done by running `git secret add <filenames...>` command, which will also (as of 0.2.6) 
+add entries to `.gitignore`, stopping those files from being be added or committed to the repo unencrypted. 
+
+5. Then run `git secret hide` to encrypt the files you added with `git secret add`.
+The files will be encrypted with the public keys in your git-secret repo's keyring,
+each corresponding to a user's email that you used with `tell`.

-5. When done, run `git secret hide` to encrypt all files which you have added by the `git secret add` command.
-The data will be encrypted with the public-keys described by the `git secret tell` command.
 After using `git secret hide` to encrypt your data, it is safe to commit your changes.
 **NOTE:** It's recommended to add the `git secret hide` command to your `pre-commit` hook, so you won't miss any changes.

-6. Later you can decrypt files with the `git secret reveal` command, or just print their contents to stdout with the
+6. Later you can decrypt files with the `git secret reveal` command, or print their contents to stdout with the
 `git secret cat` command. If you used a password on your GPG key (always recommended), it will ask you for your password.
 And you're done!

@ -39,15 +48,17 @@ And you're done!
 3. Now add this person to your secrets repo by running `git secret tell persons@email.id`
 (this will be the email address associated with their public key)

-4. Now remove the other user's public key from your personal keychain with `gpg --delete-keys persons@email.id`
+4. Now remove the other user's public key from your personal keyring with `gpg --delete-keys persons@email.id`

 5. The newly added user cannot yet read the encrypted files. Now, re-encrypt the files using
 `git secret reveal; git secret hide -d`, and then commit and push the newly encrypted files.
 (The -d options deletes the unencrypted file after re-encrypting it).
 Now the newly added user will be able to decrypt the files in the repo using `git-secret reveal`.

-Note that it is possible to add yourself to the git-secret repo without being able decrypting existing files.
-It will be possible to decrypt them after re-encrypting them with the new keyring. If you do not
+Note that when you first add a user to a git-secret repo, they will not be able to decrypt existing files
+until another user re-encrypts the files with the new keyring.  
+
+If you do not
 want unexpected keys added, you can configure some server-side security policy with the `pre-receive` hook.

 ### Using gpg
@ -128,7 +139,7 @@ The settings available to be changed are:

 * `$SECRETS_GPG_COMMAND` - sets the `gpg` alternatives, defaults to `gpg`.
 It can be changed to `gpg`, `gpg2`, `pgp`, `/usr/local/gpg` or any other value.
-After doing so rerun the tests to be sure that it won't break anything. Tested to be working with: `gpg`, `gpg2`.
+After doing so rerun the tests to be sure that it won't break anything. Tested with `gpg` and `gpg2`.

 * `$SECRETS_GPG_ARMOR` - sets the `gpg` [`--armor` mode](https://www.gnupg.org/gph/en/manual/r1290.html). Can be set to `1` to store secrets file as text. By default is `0` and store files as binaries.

@ -149,13 +160,16 @@ Use the various `git-secret` commands to manipulate the files in `.gitsecret`,
 you should not change the data in these files directly.

 Exactly which files exist in the `.gitsecret` folder and what their contents are
-vary slightly across different versions of gpg. Thus it is best to use
-git-secret with the same version of gpg being used by all users.
-This can be forced using `SECRETS_GPG_COMMAND` environment variable.
+vary slightly across different versions of gpg, and some versions of gpg
+might not work well with keyrings created with newer versions of gpg. 
+Thus it is best to use git-secret with the same version of gpg being used by all users.
+This can be forced by installing matching versions of gpg 
+and using `SECRETS_GPG_COMMAND` environment variable.

-Specifically, there is an issue between `gpg` version 2.1.20 and later versions
+For example, there is an issue between `gpg` version 2.1.20 and later versions
 which can cause problems reading and writing keyring files between systems
 (this shows up in errors like 'gpg: skipped packet of type 12 in keybox').
+This is not the only issue it is possible to encounter.

 The `git-secret` internal data is separated into two directories:

@ -170,6 +184,12 @@ All the other internal data is stored in the directory:

 This directory contains data used by git-secret and PGP to allow and maintain the correct encryption and access rights for the permitted parties.

+In particular, this directory contains a keyring with all the public keys for the emails used with `tell`.
+This is the keyring used to encrypt files with `git-secret-hide`. 
+`git-secret-reveal` and `git-secret-cat` 
+instead use the user's private keys (which probably reside somewhere like ~/.gnupg/)
+and which are not in the `.gitsecret/keys` directory.
+
 Generally speaking, all the files in this directory *except* `random_seed` should be checked into your repo.
 By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your `.gitignore` file.

--- a/src/_utils/_git_secret_tools.sh
+++ b/src/_utils/_git_secret_tools.sh
@ -465,7 +465,7 @@ function _warn_or_abort {
 }


-function _find_and_clean {
+function _find_and_remove_secrets {
  # required:
  local pattern="$1" # can be any string pattern

@ -482,12 +482,12 @@ function _find_and_clean {
 }


-function _find_and_clean_formatted {
+function _find_and_remove_secrets_formatted {
  # required:
  local pattern="$1" # can be any string pattern

  local outputs
-  outputs=$(_find_and_clean "$pattern")
+  outputs=$(_find_and_remove_secrets "$pattern")

  if [[ -n "$_SECRETS_VERBOSE" ]] && [[ -n "$outputs" ]]; then
    # shellcheck disable=SC2001
@ -806,9 +806,7 @@ function _decrypt {
  fi

  if [[ -z "$_SECRETS_VERBOSE" ]]; then
-    args+=( "--quiet" )
-  else
-    args+=( "--no-permission-warning" )
+    args+=( "--quiet" "--no-permission-warning" )
  fi

  set +e   # disable 'set -e' so we can capture exit_code
@ -816,9 +814,10 @@ function _decrypt {
  #echo "# gpg passphrase: $passphrase" >&3
  local exit_code
  if [[ -n "$passphrase" ]]; then
-    exec 4<<<"$passphrase"  # use 4, because descriptor 3 is used by bats
-    $SECRETS_GPG_COMMAND "${args[@]}" --batch --yes --no-tty --passphrase-fd 4 "$encrypted_filename"
+    exec 5<<<"$passphrase"  # use 5, because descriptors 3 and 4 are used by bats
+    $SECRETS_GPG_COMMAND "${args[@]}" --batch --yes --no-tty --passphrase-fd 5 "$encrypted_filename"
    exit_code=$?
+    exec 5>&-   # close file descriptor 5
  else
    $SECRETS_GPG_COMMAND "${args[@]}" "$encrypted_filename"
    exit_code=$?
--- a/src/commands/git_secret_changes.sh
+++ b/src/commands/git_secret_changes.sh
@ -58,7 +58,7 @@ function changes {
    local decrypted
    decrypted_x=$(_decrypt "$path" "0" "0" "$homedir" "$passphrase"; echo x$?)
    decrypted="${decrypted_x%x*}"
-    # we ignore the exit code because _decrypt will _abort if appropriate.
+    # we ignore the exit code because _decrypt will abort_ if appropriate.


    _message "changes in ${path}:"
--- a/src/commands/git_secret_clean.sh
+++ b/src/commands/git_secret_clean.sh
@ -25,5 +25,5 @@ function clean {
  _user_required

  # User should see properly formatted output:
-  _find_and_clean_formatted "*$SECRETS_EXTENSION"
+  _find_and_remove_secrets_formatted "*$SECRETS_EXTENSION"
 }
--- a/src/commands/git_secret_hide.sh
+++ b/src/commands/git_secret_hide.sh
@ -19,7 +19,7 @@ function _optional_clean {
  local clean="$1"

  if [[ $clean -eq 1 ]]; then
-    _find_and_clean_formatted "*$SECRETS_EXTENSION"
+    _find_and_remove_secrets_formatted "*$SECRETS_EXTENSION"
  fi
 }

@ -40,7 +40,7 @@ function _optional_delete {
      # So the formatting would not be repeated several times here:
      local filename
      filename=$(_get_record_filename "$line")
-      _find_and_clean "*$filename"
+      _find_and_remove_secrets "*$filename"
    done < "$path_mappings"

    if [[ -n "$_SECRETS_VERBOSE" ]]; then
--- a/tests/test_tell.bats
+++ b/tests/test_tell.bats
@ -175,7 +175,7 @@ function teardown {


@test "run 'tell' with key without email and with comment" {
-  # install works because it works on filename, not contents of keychain
+  # install works because it works on filename, not contents of keyring
  install_fixture_key "$TEST_NOEMAIL_COMMENT_USER"

  # Testing the command itself fails because you have to use an email address