don't try to decrypt non-existent files, update man pages

2 years ago · 73288eb3f0
parent a7fa6554e8
commit 73288eb3f0
8 changed files with 69 additions and 63 deletions
--- a/man/man1/git-secret-add.1
+++ b/man/man1/git-secret-add.1
@ -15,10 +15,13 @@ git secret add [\-v] [\-i] <pathspec>\.\.\.
 .fi
 .
 .SH "DESCRIPTION"
-\fBgit secret add\fR \- tells \fBgit secret\fR which files hold secrets, and adds filepath(s) into \fB\.gitsecret/paths/mapping\.cfg\fR\. (It is not recommended to alter \fB\.gitsecret/paths/mapping\.cfg\fR manually\.)
+\fBgit secret add\fR \- tells \fBgit secret\fR which files hold secrets\.
 .
 .P
-As of 0\.2\.6, this command also ensures the filepath is mentioned \fB\.gitignore\fR as the contents are now considered secret and should not be committed into the repository unencrypted\.
+Adds filepath(s) into \fB\.gitsecret/paths/mapping\.cfg\fR\. (It is not recommended to alter \fB\.gitsecret/paths/mapping\.cfg\fR manually\.)
+.
+.P
+As of 0\.2\.6, this command also ensures the filepath is in \fB\.gitignore\fR as the contents are now considered secret and should not be committed into the repository unencrypted\.
 .
 .P
 The \fBadd\fR action will fail unless there are already users in \fBgit\-secret\fR\'s keyring\.
--- a/man/man1/git-secret-cat.1
+++ b/man/man1/git-secret-cat.1
@ -15,7 +15,7 @@ git secret cat [\-d dir] [\-p password] filename [filenames]
 .fi
 .
 .SH "DESCRIPTION"
-\fBgit\-secret\-cat\fR \- Outputs the decrypted contents of the named files to stdout\.
+\fBgit\-secret\-cat\fR \- prints the decrypted contents of the passed files\.
 .
 .P
 As with \fBgit\-secret\-reveal\fR, you\'ll need to have the private key for one of the emails allowed to decrypt this repo in your personal keyring\.
--- a/man/man1/git-secret-changes.1
+++ b/man/man1/git-secret-changes.1
@ -15,7 +15,7 @@ git secret changes [\-h] [\-d dir] [\-p password] [pathspec]\.\.\.
 .fi
 .
 .SH "DESCRIPTION"
-\fBgit\-secret\-changes\fR \- show changes between the current versions of secret files and encrypted versions\.
+\fBgit\-secret\-changes\fR \- shows changes between the current versions of secret files and encrypted versions\.
 .
 .P
 If no filenames are provided, changes to all hidden files will be shown\. Alternately, provide any number of hidden files to this command as arguments, and it will show changes for those files\.
--- a/man/man1/git-secret-clean.1
+++ b/man/man1/git-secret-clean.1
@ -15,7 +15,10 @@ git secret clean [\-v]
 .fi
 .
 .SH "DESCRIPTION"
-\fBgit\-secret\-clean\fR deletes all files in the current \fBgit\-secret\fR repo that end with \fB\.secret\fR\.
+\fBgit\-secret\-clean\fR \- deletes all files in the current \fBgit\-secret\fR repo that end with \fB\.secret\fR\.
+.
+.P
+You can change the extension \fBgit\-secret\fR uses for encrypted files with the \fBSECRETS_EXTENSION\fR environment variable\.
 .
 .P
 Note that it will delete any files ending in \fB\.secret\fR, even if they are not tracked by \fBgit\-secret\fR\.
@ -26,9 +29,6 @@ Also note that this command does not delete unencrypted versions of files\.
 .P
 Verbose mode, enabled with the \fB\-v\fR option, displays the filenames deleted\.
 .
-.P
-You can change the extension \fBgit\-secret\fR uses for encrypted files with the \fBSECRETS_EXTENSION\fR environment variable\.
-.
 .SH "OPTIONS"
 .
 .nf
--- a/man/man1/git-secret-hide.1
+++ b/man/man1/git-secret-hide.1
@ -4,7 +4,7 @@
 .TH "GIT\-SECRET\-HIDE" "1" "April 2022" "sobolevn" "git-secret 0.5.0-alpha1"
 .
 .SH "NAME"
-\fBgit\-secret\-hide\fR \- encrypts all added files with the inner keyring\.
+\fBgit\-secret\-hide\fR \- encrypts all added files with repo keyring\.
 .
 .SH "SYNOPSIS"
 .
@ -15,13 +15,16 @@ git secret hide [\-c] [\-F] [\-P] [\-v] [\-d] [\-m]
 .fi
 .
 .SH "DESCRIPTION"
-\fBgit\-secret\-hide\fR \- writes an encrypted version (typically called \fBfilename\.txt\.secret\fR) of each file added by \fBgit\-secret\-add\fR command\.
+\fBgit\-secret\-hide\fR \- writes an encrypted version of each file added by \fBgit\-secret\-add\fR command\.
 .
 .P
 Then anyone enabled via \fBgit secret tell\fR can decrypt these files\.
 .
 .P
-Under the hood, \fBgit\-secret\fR uses the keyring of public keys in \fB\.gitsecret/keys\fR to \fIencrypt\fR files\. Later a permitted user can use their secret key (typically from their home directory) to \fIdecrypt\fR files\.
+Under the hood, \fBgit\-secret\fR uses the keyring of public keys in \fB\.gitsecret/keys\fR to \fIencrypt\fR files, encrypted versions are typically called \fBfilename\.txt\.secret\fR\.
+.
+.P
+Later permitted users can use their secret key (typically from their home directory) to \fIdecrypt\fR files\.
 .
 .P
 It is recommended to encrypt (or re\-encrypt) all the files in a \fBgit\-secret\fR repo each time \fBgit secret hide\fR is run\.
--- a/man/man1/git-secret-removeperson.1
+++ b/man/man1/git-secret-removeperson.1
@ -4,7 +4,7 @@
 .TH "GIT\-SECRET\-REMOVEPERSON" "1" "April 2022" "sobolevn" "git-secret 0.5.0-alpha1"
 .
 .SH "NAME"
-\fBgit\-secret\-removeperson\fR \- deletes key identified by an email from the inner keyring\.
+\fBgit\-secret\-removeperson\fR \- removes user\'s public key from repo keyring\.
 .
 .SH "SYNOPSIS"
 .
--- a/man/man1/git-secret-reveal.1
+++ b/man/man1/git-secret-reveal.1
@ -15,13 +15,13 @@ git secret reveal [\-f] [\-F] [\-P] [\-v] [\-d dir] [\-p password] [pathspec]\.\
 .fi
 .
 .SH "DESCRIPTION"
-\fBgit\-secret\-reveal\fR \- decrypts passed files, or all files considered secret by \fBgit\-secret\fR
+\fBgit\-secret\-reveal\fR \- decrypts passed files, or all files considered secret by \fBgit\-secret\fR\.
 .
 .P
 Under the hood, \fBreveal\fR uses the \fBgpg \-\-decrypt\fR command and your private key (typically from your personal keyring in your home directory) to \fIdecrypt\fR files\.
 .
 .P
-Therefore, for this operation to succeed, your personal keyring must contain a private key matching one of the public keys which were used to encrypt the secrets \-\- i\.e\., one of the public keys in \fBgit\-secret\fR repo\'s keyring when the file was encrypted\.
+Therefore, for this operation to succeed, your personal keyring must contain a private key matching one of the public keys which were used to encrypt the secrets \-\- i\.e\., one of the public keys in your repo\'s \fBgit\-secret\fR keyring when the file was encrypted\.
 .
 .SH "OPTIONS"
 .
--- a/src/_utils/_git_secret_tools.sh
+++ b/src/_utils/_git_secret_tools.sh
@ -776,57 +776,57 @@ function _decrypt {

  if [ ! -f "$encrypted_filename" ]; then
    _warn_or_abort "cannot find file to decrypt: $encrypted_filename" "1" "$error_ok"
-  fi
-
-  local args=( "--use-agent" "--decrypt" )
-
-  if [[ "$write_to_file" -eq 1 ]]; then
-    args+=( "-o" "$filename" )
-  fi
-
-  if [[ "$force" -eq 1 ]]; then
-    args+=( "--yes" )
-  fi
-
-  if [[ -n "$homedir" ]]; then
-    args+=( "--homedir" "$homedir" )
-  fi
-
-  if [[ "$GPG_VER_MIN_21" -eq 1 ]]; then
-    if [[ -n "$SECRETS_PINENTRY" ]]; then
-      args+=( "--pinentry-mode" "$SECRETS_PINENTRY" )
+  else
+    local args=( "--use-agent" "--decrypt" )
+  
+    if [[ "$write_to_file" -eq 1 ]]; then
+      args+=( "-o" "$filename" )
+    fi
+  
+    if [[ "$force" -eq 1 ]]; then
+      args+=( "--yes" )
+    fi
+  
+    if [[ -n "$homedir" ]]; then
+      args+=( "--homedir" "$homedir" )
+    fi
+  
+    if [[ "$GPG_VER_MIN_21" -eq 1 ]]; then
+      if [[ -n "$SECRETS_PINENTRY" ]]; then
+        args+=( "--pinentry-mode" "$SECRETS_PINENTRY" )
+      else
+        args+=( "--pinentry-mode" "loopback" )
+      fi
+    fi
+  
+    if [[ -z "$_SECRETS_VERBOSE" ]]; then
+      # we no longer use --no-permission-warning here, for #811
+      args+=( "--quiet" )
+    fi
+  
+    set +e   # disable 'set -e' so we can capture exit_code
+  
+    #echo "# gpg passphrase: $passphrase" >&3
+    local exit_code
+    if [[ -n "$passphrase" ]]; then
+      exec 5<<<"$passphrase"  # use 5, because descriptors 3 and 4 are used by bats
+      $SECRETS_GPG_COMMAND "${args[@]}" --batch --yes --no-tty --passphrase-fd 5 "$encrypted_filename"
+      exit_code=$?
+      exec 5>&-   # close file descriptor 5
    else
-      args+=( "--pinentry-mode" "loopback" )
+      $SECRETS_GPG_COMMAND "${args[@]}" "$encrypted_filename"
+      exit_code=$?
+    fi
+  
+    set -e  # re-enable set -e
+  
+    # note that according to https://github.com/sobolevn/git-secret/issues/238 ,
+    # it's possible for gpg to return a 0 exit code but not have decrypted the file
+    #echo "# gpg exit code: $exit_code, error_ok: $error_ok" >&3
+    if [[ "$exit_code" -ne "0" ]]; then
+      local msg="problem decrypting file with gpg: exit code $exit_code: $filename"
+      _warn_or_abort "$msg" "$exit_code" "$error_ok"
    fi
-  fi
-
-  if [[ -z "$_SECRETS_VERBOSE" ]]; then
-    # we no longer use --no-permission-warning here, for #811
-    args+=( "--quiet" )
-  fi
-
-  set +e   # disable 'set -e' so we can capture exit_code
-
-  #echo "# gpg passphrase: $passphrase" >&3
-  local exit_code
-  if [[ -n "$passphrase" ]]; then
-    exec 5<<<"$passphrase"  # use 5, because descriptors 3 and 4 are used by bats
-    $SECRETS_GPG_COMMAND "${args[@]}" --batch --yes --no-tty --passphrase-fd 5 "$encrypted_filename"
-    exit_code=$?
-    exec 5>&-   # close file descriptor 5
-  else
-    $SECRETS_GPG_COMMAND "${args[@]}" "$encrypted_filename"
-    exit_code=$?
-  fi
-
-  set -e  # re-enable set -e
-
-  # note that according to https://github.com/sobolevn/git-secret/issues/238 ,
-  # it's possible for gpg to return a 0 exit code but not have decrypted the file
-  #echo "# gpg exit code: $exit_code, error_ok: $error_ok" >&3
-  if [[ "$exit_code" -ne "0" ]]; then
-    local msg="problem decrypting file with gpg: exit code $exit_code: $filename"
-    _warn_or_abort "$msg" "$exit_code" "$error_ok"
  fi

  # at this point the file should be written to disk or output to stdout