From baf6c4113b3680bdcd97a563156c8e6258ea4bf1 Mon Sep 17 00:00:00 2001 From: Josh Rabinowitz Date: Fri, 16 Aug 2019 16:53:57 -0400 Subject: [PATCH] Add SECRETS_PINENTRY env var and docs (#490) * Add SECRETS_PINENTRY env var * add docs and tests for SECRETS_PINENTRY * improve diagnostic output * fix regex example for bats-core diagnostics --- CHANGELOG.md | 6 ++++++ man/man1/git-secret-cat.1.ronn | 3 +++ man/man1/git-secret-changes.1.ronn | 3 +++ man/man1/git-secret-hide.1.ronn | 6 +++--- man/man1/git-secret-reveal.1.ronn | 6 +++--- man/man7/git-secret.7.ronn | 3 +++ src/_utils/_git_secret_tools.sh | 10 +++++++--- tests/test_reveal.bats | 20 ++++++++++++++++++++ utils/tests.sh | 4 ++-- 9 files changed, 50 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 939caf8c..78582769 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Changelog +## {{Next Version}} + +### Bugfixes + +- Support SECRETS_PINENTRY env var for gnupg --pinentry-mode parameter (#221) + ## Version 0.2.6 ### Features diff --git a/man/man1/git-secret-cat.1.ronn b/man/man1/git-secret-cat.1.ronn index cab40252..a5206548 100644 --- a/man/man1/git-secret-cat.1.ronn +++ b/man/man1/git-secret-cat.1.ronn @@ -11,6 +11,9 @@ git-secret-cat - decrypts files passed on command line to stdout As with `git-secret-reveal`, you'll need to have a public/private keypair that is allowed to decrypt this repo. +Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See +(See [git-secret(7)](http://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`. + ## OPTIONS diff --git a/man/man1/git-secret-changes.1.ronn b/man/man1/git-secret-changes.1.ronn index 89f905fc..b77b4375 100644 --- a/man/man1/git-secret-changes.1.ronn +++ b/man/man1/git-secret-changes.1.ronn 
@@ -12,6 +12,9 @@ You can provide any number of hidden files to this command as arguments, and it Note that files must be specified by their encrypted names, typically `filename.yml.secret`. If no arguments are provided, information about all hidden files will be shown. +Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See +(See [git-secret(7)](http://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`. + ## OPTIONS diff --git a/man/man1/git-secret-hide.1.ronn b/man/man1/git-secret-hide.1.ronn index 8cf97ebf..eb5e319f 100644 --- a/man/man1/git-secret-hide.1.ronn +++ b/man/man1/git-secret-hide.1.ronn @@ -36,6 +36,9 @@ Also, it is possible to modify the names of the encrypted files by setting `SECR (See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret folder using the SECRETS_DIR environment variable. +You can also enable verbosity using the SECRETS_VERBOSE environment variable, +as documented at [git-secret(7)](http://git-secret.io/) + ## OPTIONS @@ -47,9 +50,6 @@ folder using the SECRETS_DIR environment variable. -m - encrypt files only when modified. -h - shows help. -You can also enable verbosity using the SECRETS_VERBOSE environment variable, -as documented at [git-secret(7)](http://git-secret.io/) - ## MANUAL Run `man git-secret-hide` to see this note. diff --git a/man/man1/git-secret-reveal.1.ronn b/man/man1/git-secret-reveal.1.ronn index f4ee2b5f..71daceff 100644 --- a/man/man1/git-secret-reveal.1.ronn +++ b/man/man1/git-secret-reveal.1.ronn @@ -13,9 +13,6 @@ You will need to have imported the paired secret-key with one of the public-keys which were used in the encryption. Under the hood, this uses the `gpg --decrypt` command. -(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret -folder using the SECRETS_DIR environment variable. - ## OPTIONS 
@@ -27,6 +24,9 @@ folder using the SECRETS_DIR environment variable. -P - preserve permissions of encrypted file in unencrypted file. -h - shows help. +(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret +folder using the SECRETS_DIR environment variable. + ## MANUAL diff --git a/man/man7/git-secret.7.ronn b/man/man7/git-secret.7.ronn index 451f0a82..1942edbf 100644 --- a/man/man7/git-secret.7.ronn +++ b/man/man7/git-secret.7.ronn @@ -67,6 +67,9 @@ After doing so rerun the tests to be sure that it won't break anything. Tested t * `$SECRETS_DIR` - sets the directory where git-secret stores its files, defaults to .gitsecret. It can be changed to any valid directory name. +* `$SECRETS_PINENTRY` - allows user to specify a setting for `gpg`'s --pinentry option. +See `gpg` docs for details about gpg's --pinentry option. + ## The `.gitsecret` folder (can be overridden with SECRETS_DIR) This folder contains information about the files encrypted by git-secret, diff --git a/src/_utils/_git_secret_tools.sh b/src/_utils/_git_secret_tools.sh index 3e76d486..22ce877b 100644 --- a/src/_utils/_git_secret_tools.sh +++ b/src/_utils/_git_secret_tools.sh @@ -95,7 +95,7 @@ AWK_GPG_VER_CHECK=' ' # This is 1 for gpg version 2.1 or greater, otherwise 0 -GPG_VER_21="$($SECRETS_GPG_COMMAND --version | gawk "$AWK_GPG_VER_CHECK")" +GPG_VER_MIN_21="$($SECRETS_GPG_COMMAND --version | gawk "$AWK_GPG_VER_CHECK")" # Bash: @@ -681,8 +681,12 @@ function _decrypt { args+=( "--homedir" "$homedir" ) fi - if [[ "$GPG_VER_21" -eq 1 ]]; then - args+=( "--pinentry-mode" "loopback" ) + if [[ "$GPG_VER_MIN_21" -eq 1 ]]; then + if [[ -n "$SECRETS_PINENTRY" ]]; then + args+=( "--pinentry-mode" "$SECRETS_PINENTRY" ) + else + args+=( "--pinentry-mode" "loopback" ) + fi fi if [[ -z "$_SECRETS_VERBOSE" ]]; then diff --git a/tests/test_reveal.bats b/tests/test_reveal.bats index 48fa1b24..4c7bc9cd 100644 --- a/tests/test_reveal.bats +++ b/tests/test_reveal.bats 
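Review bot: The new branch in `_decrypt` hands `$SECRETS_PINENTRY` straight to `--pinentry-mode` with no comment on what the override changes, and the man7 text in this same commit calls the option `--pinentry`, so a user has to already know gpg's option set to use it safely. gpg's `--pinentry-mode` accepts `ask`, `cancel`, `error` and `loopback`, and since gpg 2.1 a passphrase supplied on the command line is honoured only in loopback mode, so if `_decrypt` forwards the `-p` password the way the reveal tests suggest, any other value makes decryption depend on gpg-agent/pinentry rather than the supplied password; worth stating next to the new `if`: `# SECRETS_PINENTRY overrides gpg's --pinentry-mode (default: loopback). Only loopback honours a passphrase passed via -p; other modes defer to gpg-agent/pinentry.` The `[[ -n "$SECRETS_PINENTRY" ]]` test would also abort under `set -u` when the variable is unset, which `"${SECRETS_PINENTRY:-}"` avoids should the file ever enable it. `_decrypt` begins and ends outside this hunk.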
@@ -186,3 +186,23 @@ function teardown {
 # Cleaning up:
 uninstall_fixture_full_key "$TEST_SECOND_USER" "$second_fingerprint"
 }
+
+@test "run 'reveal' with SECRETS_PINENTRY=loopback" {
+ rm -f "$FILE_TO_HIDE"
+
+ local password=$(test_user_password "$TEST_DEFAULT_USER")
+ SECRETS_PINENTRY=loopback run git secret reveal -d "$TEST_GPG_HOMEDIR" -p "$password"
+ [ "$status" -eq 0 ]
+}
+
+@test "run 'reveal' with SECRETS_PINENTRY=error" {
+ if [[ "$GPG_VER_MIN_21" -ne 1 ]]; then
+ skip "this test is skipped on gpg before version 2.1"
+ fi
+
+ rm -f "$FILE_TO_HIDE"
+
+ local password=$(test_user_password "$TEST_DEFAULT_USER")
+ SECRETS_PINENTRY=error run git secret reveal -d "$TEST_GPG_HOMEDIR" -p "$password"
+ [ "$status" -ne 0 ]
+}
diff --git a/utils/tests.sh b/utils/tests.sh
index c36a9a2f..f33d0986 100755
--- a/utils/tests.sh
+++ b/utils/tests.sh
@@ -8,7 +8,7 @@ TEST_DIR=/tmp/git-secret-test
 rm -rf "${TEST_DIR}"
 mkdir "${TEST_DIR}"
-echo "Created dir: ${TEST_DIR}"
+echo "# created dir: ${TEST_DIR}"
 chmod 0700 "${TEST_DIR}"
 
 (
@@ -21,7 +21,7 @@ chmod 0700 "${TEST_DIR}"
 export TMPDIR="${TEST_DIR}"
 echo "# TMPDIR is $TMPDIR"
 
- # bats expects diagnostic lines to be sent to fd 3, matching regex '^ #'
+ # bats expects diagnostic lines to be sent to fd 3, matching regex '^# '
 # (IE, like: `echo '# message here' >&3`).
 # bats ... 3>&1 shows diagnostic output
 bats "${SECRET_PROJECT_ROOT}/tests/" 3>&1
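Review bot: In both new tests `local password=$(test_user_password "$TEST_DEFAULT_USER")` masks the helper's exit status (ShellCheck SC2155), so a failing helper yields an empty password and the `error` test would then pass for the wrong reason, since `[ "$status" -ne 0 ]` accepts any failure. Splitting the declaration, `local password` then `password=$(test_user_password "$TEST_DEFAULT_USER")`, lets the failure surface as its own error. The `error` case would be more convincing if it also asserted on `$output` that gpg rejected the pinentry mode rather than, say, a missing file. The `loopback` test does not guard on `$GPG_VER_MIN_21`, which appears intentional since the variable is ignored on older gpg per the `_decrypt` change, but a one-line comment saying so would save the next reader the question.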