Fix hangs when interrupting tests on OSX (#522)

* close fd 3 on gnupg subprocesses, for bats-core
* update changelog

CHANGELOG.md

@@ -17,7 +17,8 @@
 - Add note about secrets and old keys (#499)
 - Transition build process from python 2 to python 3 (#487)
 - Upgrade build process from ansible 2.5 to ansible 2.8
-- Fix in build process when installing gnupg2 source deps on Ubuntu
+- Fix build process when installing gnupg2 source deps on Ubuntu
+- Close file descriptor 3 when running gnupg subprocesses (#521)
 - Small optimization in 'hide'
 - Improve code comments
 

src/_utils/_git_secret_tools.sh

@@ -544,8 +544,9 @@ function _user_required {
   local secrets_dir_keys
   secrets_dir_keys=$(_get_secrets_dir_keys)
 
+  # see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs for info about 3>&-
   local keys_exist
-  keys_exist=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning -n --list-keys)
+  keys_exist=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning -n --list-keys 3>&-)
   local exit_code=$?
   if [[ "$exit_code" -ne 0 ]]; then
     # this might catch corner case where gpg --list-keys shows 
@@ -571,7 +572,8 @@ function _get_user_key_expiry {
   local secrets_dir_keys
   secrets_dir_keys=$(_get_secrets_dir_keys)
 
-  line=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode "$username" | grep ^pub:)
+  # 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs
+  line=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode "$username" | grep ^pub: 3>&-)
 
   local expiry_epoch
   expiry_epoch=$(echo "$line" | cut -d: -f7)
@@ -624,7 +626,8 @@ function _get_users_in_gpg_keyring {
   # we use --fixed-list-mode so older versions of gpg emit 'uid:' lines.
   # here gawk splits on colon as --with-colon, exact matches field 1 as 'uid', and selects field 10 "User-ID" 
   # the gensub regex extracts email from <> within field 10. (If there's no <>, then field is just an email address anyway and the regex just passes it through.)
-  result=$($SECRETS_GPG_COMMAND "${args[@]}" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode | gawk -F: '$1~/uid/{print gensub(/.*<(.*)>.*/, "\\1", "g", $10); }')
+  # 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs
+  result=$($SECRETS_GPG_COMMAND "${args[@]}" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode | gawk -F: '$1~/uid/{print gensub(/.*<(.*)>.*/, "\\1", "g", $10); }' 3>&-)
 
   echo "$result"
 }

src/commands/git_secret_hide.sh

@@ -171,10 +171,11 @@ function hide {
         set +e   # disable 'set -e' so we can capture exit_code
 
         if [[ -n "$_SECRETS_VERBOSE" ]]; then
+      	  # see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs for info about 3>&-
           # on at least some platforms, this doesn't output anything unless there's a warning or error
-          $SECRETS_GPG_COMMAND "${args[@]}"
+          $SECRETS_GPG_COMMAND "${args[@]}" 3>&-
         else 
-          $SECRETS_GPG_COMMAND "${args[@]}" > /dev/null 2>&1
+          $SECRETS_GPG_COMMAND "${args[@]}" > /dev/null 2>&1 3>&-
         fi
         local exit_code=$?
 

src/commands/git_secret_killperson.sh

@@ -31,7 +31,8 @@ function killperson {
   _assert_keychain_contains_emails "$secrets_dir_keys" "${emails[@]}"
 
   for email in "${emails[@]}"; do
-    $SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --batch --yes --delete-key "$email"
+    # see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs for info about 3>&-
+    $SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --batch --yes --delete-key "$email" 3>&-
     local exit_code=$?
     if [[ "$exit_code" -ne 0 ]]; then
       _abort "problem deleting key for '$email' with gpg: exit code $exit_code"

src/commands/git_secret_tell.sh

@@ -10,7 +10,8 @@ END { print cnt }
 function get_gpg_key_count {
   local secrets_dir_keys
   secrets_dir_keys=$(_get_secrets_dir_keys)
-  $SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon | gawk "$AWK_GPG_KEY_CNT"
+  # 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs
+  $SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon | gawk "$AWK_GPG_KEY_CNT" 3>&-
   local exit_code=$?
   if [[ "$exit_code" -ne 0 ]]; then
     _abort "problem counting keys with gpg: exit code $exit_code"
@@ -75,14 +76,15 @@ function tell {
     # shellcheck disable=2154
     local keyfile="$temporary_filename"
 
+    # 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs
     local exit_code
     if [[ -z "$homedir" ]]; then
-      $SECRETS_GPG_COMMAND --export -a "$email" > "$keyfile"
+      $SECRETS_GPG_COMMAND --export -a "$email" > "$keyfile" 3>&-
       exit_code=$?
     else
       # It means that homedir is set as an extra argument via `-d`:
       $SECRETS_GPG_COMMAND --no-permission-warning --homedir="$homedir" \
-        --export -a "$email" > "$keyfile"
+        --export -a "$email" > "$keyfile" 3>&-
       exit_code=$?
     fi
     if [[ "$exit_code" -ne 0 ]]; then
@@ -99,9 +101,9 @@ function tell {
 
     local args=( --homedir "$secrets_dir_keys" --no-permission-warning --import "$keyfile" )
     if [[ -z "$_SECRETS_VERBOSE" ]]; then
-      $SECRETS_GPG_COMMAND "${args[@]}" > /dev/null 2>&1
+      $SECRETS_GPG_COMMAND "${args[@]}" > /dev/null 2>&1 3>&-
     else
-      $SECRETS_GPG_COMMAND "${args[@]}"
+      $SECRETS_GPG_COMMAND "${args[@]}" 3>&-
     fi
     exit_code=$?