Merge pull request #205 from joshrabinowitz/gpg-error-checking

more careful error checking running gpg

src/_utils/_git_secret_tools.sh

@@ -553,7 +553,7 @@ function _user_required {
     # this might catch corner case where gpg --list-keys shows 
     # 'gpg: skipped packet of type 12 in keybox' warnings but succeeds? 
     # See #136
-    _abort "problem listing public keys in gpg: exit code $exit_code"
+    _abort "problem listing public keys with gpg: exit code $exit_code"
   fi
   if [[ -z "$keys_exist" ]]; then
     _abort "$error_message"
@@ -636,10 +636,17 @@ function _decrypt {
     base="$base --pinentry-mode loopback"
   fi
 
+  local exit_code
   if [[ ! -z "$passphrase" ]]; then
     echo "$passphrase" | $base --quiet --batch --yes --no-tty --passphrase-fd 0 \
       "$encrypted_filename"
+    exit_code=$?
   else
     $base --quiet "$encrypted_filename"
+    exit_code=$?
+  fi
+  if [[ "$exit_code" -ne 0 ]]; then
+    _abort "problem decrypting file with gpg: exit code $exit_code: $filename"
   fi
 }
+

src/commands/git_secret_hide.sh

@@ -161,6 +161,10 @@ function hide {
       # shellcheck disable=2086
       $gpg_local --use-agent --yes --trust-model=always --encrypt \
         $recipients -o "$output_path" "$input_path" > /dev/null 2>&1
+      local exit_code=$?
+      if [[ "$exit_code" -ne 0 ]]; then
+        _abort "problem encrypting file with gpg: exit code $exit_code: $filename"
+      fi
       # If -m option was provided, it will update unencrypted file hash
       local key="$filename"
       local hash="$file_hash"

src/commands/git_secret_killperson.sh

@@ -31,6 +31,10 @@ function killperson {
 
   for email in "${emails[@]}"; do
     $gpg_local --batch --yes --delete-key "$email"
+    local exit_code=$?
+    if [[ "$exit_code" -ne 0 ]]; then
+      _abort "problem deleting key for '$email' with gpg: exit code $exit_code"
+    fi
   done
 
   echo 'removed keys.'

src/commands/git_secret_tell.sh

@@ -11,6 +11,10 @@ function get_gpg_key_count {
   local gpg_local
   gpg_local=$(_get_gpg_local)
   $gpg_local --list-public-keys --with-colon | gawk "$AWK_GPG_KEY_CNT"
+  local exit_code=$?
+  if [[ "$exit_code" -ne 0 ]]; then
+    _abort "problem counting keys with gpg: exit code $exit_code"
+  fi
 }
 
 function tell {
@@ -68,12 +72,18 @@ function tell {
     # shellcheck disable=2154
     local keyfile="$filename"
 
+    local exit_code
     if [[ -z "$homedir" ]]; then
       $SECRETS_GPG_COMMAND --export -a "$email" > "$keyfile"
+      exit_code=$?
     else
       # It means that homedir is set as an extra argument via `-d`:
       $SECRETS_GPG_COMMAND --no-permission-warning --homedir="$homedir" \
         --export -a "$email" > "$keyfile"
+      exit_code=$?
+    fi
+    if [[ "$exit_code" -ne 0 ]]; then
+      _abort "problem exporting public key for '$email' with gpg: exit code $exit_code"
     fi
 
     if [[ ! -s "$keyfile" ]]; then
@@ -84,6 +94,10 @@ function tell {
     local gpg_local
     gpg_local=$(_get_gpg_local)
     $gpg_local --import "$keyfile" > /dev/null 2>&1
+    exit_code=$?
+    if [[ "$exit_code" -ne 0 ]]; then
+      _abort "problem importing public key for '$email' with gpg: exit code $exit_code"
+    fi
   done
 
   echo "done. ${emails[*]} added as someone who know(s) the secret."