diff --git a/.Dockerfiles/alpine/latest/Dockerfile b/.Dockerfiles/alpine/latest/Dockerfile
index fcdb03c3..442daaab 100644
--- a/.Dockerfiles/alpine/latest/Dockerfile
+++ b/.Dockerfiles/alpine/latest/Dockerfile
@@ -1,9 +1,9 @@
 FROM alpine:latest
+# don't install coreutils on Alpine, so we get busybox versions of ps, stat, and ls. See #475
 RUN apk add --no-cache --update \
 bash \
 build-base \
- coreutils \
 curl \
 findutils \
 gcc \
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 00000000..f129e230
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,4 @@
+# These are supported funding model platforms
+
+patreon: sobolevn
+open_collective: git-secret
diff --git a/.travis.yml b/.travis.yml
index e5a765d7..f1267e6b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -9,7 +9,7 @@ matrix:
 # language: sh
 - os: osx
 name: osx-with-debug-output
- env: GITSECRET_DIST="brew" SECRETS_TEST_VERBOSE=1
+ env: GITSECRET_DIST="brew"; SECRETS_TEST_VERBOSE=1
 sudo: required
 language: shell
 #language: ruby
@@ -21,7 +21,7 @@ matrix:
 #language: ruby
 #rvm: 2.6
 - os: linux
- env: KITCHEN_REGEXP="gnupg1-alpine-latest"
+ env: KITCHEN_REGEXP="gnupg1-alpine-latest"; SECRETS_TEST_VERBOSE=1
 services: docker
 sudo: required
 language: ruby
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f2620a04..7d548cdb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
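Review bot: The new `env:` lines in both .travis.yml hunks join the two assignments with `;` where the old lines used a space, and a space is the separator Travis documents for putting several variables on one `env:` entry. I cannot tell from the diff how Travis treats the `;`: if it splits the entry on whitespace and exports each term, the semicolon may end up inside the value (`GITSECRET_DIST` becoming `brew;`, which no dist check would match) or be dropped, so the verbose flag would silently not apply. Unless the `;` form was confirmed in an actual Travis run, keep the documented form: `env: GITSECRET_DIST="brew" SECRETS_TEST_VERBOSE=1` here and `env: KITCHEN_REGEXP="gnupg1-alpine-latest" SECRETS_TEST_VERBOSE=1` in the second hunk (`@@ -21,7 +21,7 @@`).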
@@ -1,25 +1,51 @@ # Changelog -## {{Next Version}} +## Version 0.3.2 + +### Bugfixes + +- Fix mention of version in git-secret add man page (#544) + +### Misc + +- Update developer docs, especially regarding mac, docker, and test-kitchen (#195) +- Update man pages to mention version documented (#420) + +## Version 0.3.1 + +### Misc + +- Update man pages + +## Version 0.3.0 ### Features - Support SECRETS_PINENTRY env var for gnupg --pinentry-mode parameter (#221) +- Show output from gnupg if 'hide' fails (#516) +- Add support for Busybox (#478) ### Bugfixes - Use OSX's mktemp on OSX, even if there's another version in PATH. (#485) - Make rsync a build requirement on debian (#500) -- When tests specify gnupg1, use gnupg1, not gnupg2 (#241) -- Ignore revoked gnupg keys (#508) +- Use gnupg1, not gnupg2, when tests specify gnupg1 (#241) +- Note dependencies gawk, bash, and coreutils in linux packages (#493) +- Handle case of key having no email and a comment (#527) +- Avoid blank lines from output of 'clean -v' -## Misc +### Misc +- Improve messaging and logic around deleting tmp files. - Add note about secrets and old keys (#499) - Transition build process from python 2 to python 3 (#487) - Upgrade build process from ansible 2.5 to ansible 2.8 -- Fix in build process when installing gnupg2 source deps on Ubuntu +- Fix build process when installing gnupg2 source deps on Ubuntu +- Close file descriptor 3 when running gnupg subprocesses (#521) +- Small optimization in 'hide' - Improve code comments +- Update docs to note that git-secret repos modified by git-secret 0.2.3 and + later are not backward compatible with pre-0.2.3 versions of git-secret. (#536) ## Version 0.2.6 @@ -57,7 +83,7 @@ - Respect DESTDIR when installing as per GNU/debian/etc recommendations (#424) - Use git check-ignore to test for files ignored by git -## Misc +### Misc - Improve docs about hide -m option (#467) - Document SECRETS_VERBOSE and improve env var docs (#396) 
@@ -97,7 +123,7 @@ - Require keys to be specified by email, as documented (#267) - Disallow 'git secret tell' or 'killperson' with emails that are not in keychain (also #267) -## Misc +### Misc - Added notes about packages and for package maintainers (#281) - Improve documentation regarding operation with different versions of GPG (#274, #182) @@ -126,7 +152,9 @@ ### Features - Added `-m` option to `hide` command, files will only be hidden when modifications are detected (#92) -- Changed how path mappings file works: colon delimited FSDB (#92) +- Changed how path mappings file works: colon delimited FSDB in `.gitsecret/paths/mapping.cfg', so git-secret + can store checksums of hidden files. Note this means git-secret repos modified by git-secret 0.2.3 + or later are not backward compatible with pre-0.2.3 versions of git-secret. (#92) - `git secret init` now adds `random_seed` to `.gitignore` (#93) ### Bugfixes diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 1cfbed2f..f25108a3 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -17,41 +17,58 @@ For development with `git-secret` you should have these tools: - sha256sum (on freebsd and MacOS `shasum` is used instead) - [shellcheck](https://github.com/koalaman/shellcheck) -To test `git-secret` using test-kitchen, you will also need: +To test `git-secret` using [test-kitchen](https://kitchen.ci/), which is optional and uses docker to test on multiple distributions, +you will also need: -- docker -- test-kitchen -- aspell, to check your changes for spelling errors +- [docker](https://www.docker.com/) +- [test-kitchen](https://kitchen.ci/) -These are only required if dealing with manuals, `gh-pages` or releases: +The below only required if dealing with manuals, `gh-pages` or releases: - ruby, ruby-dev +- [aspell](http://aspell.net/), to check your changes for spelling errors ### Environment MacOS -- install Homebrew +- install [Homebrew](https://brew.sh/) - install gnupg2 with `brew install gnupg2` -#### For docker/test-kitchen +#### For docker/test-kitchen (optional, for testing multiple distros locally using docker) + - install Docker for Mac -- install Chef Developer Kit (?) -- install ruby2.4 and kitchen dependencies with +- install ruby2.6 and kitchen dependencies with brew install rbenv ruby-build rbenv-vars; - rbenv install 2.4.4; rbenv rehash; rbenv global 2.4.4; - gem install bundler kitchen-ansible serverspec kitchen-docker kitchen-verifier-serverspec; + rbenv install 2.6.3; rbenv rehash; rbenv global 2.6.3; + +(You can also use `rvm` instead of `rbenv`, but brew packages `rbenv` for you.) + +then use + + gem install bundler kitchen-ansible serverspec kitchen-docker kitchen-verifier-serverspec + +If you have trouble getting test-kitchen and docker working on your mac to test git-secret with, see #534 +or let us know by filing an issue. ### Getting started 1. Create your own or pick an opened issue from the [tracker][tracker]. Take a look at the [`help-wanted` tag][help-wanted] -2. 
Fork and clone your repository: `git clone https://github.com/${YOUR_NAME}/git-secret.git` +2. Fork the git-secret repo and then clone the repository using a command like `git clone https://github.com/${YOUR_NAME}/git-secret.git` 3. Make sure that everything works on the current platform by running `make test`. - You can also try the experimental `SECRETS_TEST_VERBOSE=1 make test`. + You can also try the experimental `SECRETS_TEST_VERBOSE=1 make test`, which will + show you a lot of debug output while the tests are running. Note that 'experimental' features may change or be removed in a future version of `git-secret`. -4. [Run local CI tests](#running-local-ci-tests) to verify functionality on supported platforms `bundle exec kitchen verify --test-base-path="$PWD/.ci/integration"`. +4. If you want to test on multiple operating systems, [Run local CI tests](#running-local-ci-tests) (optional; this will + automatically happen on [Travis-CI](https://travis-ci.org/sobolevn/git-secret) when you submit a PR). + +Running the CI tests locally is optional. The tests will happen automatically on Travis-CI +when you create a PR for `git-secret`, and again when any PR is merged. + +To verify functionality on supported platforms use `bundle exec kitchen verify --test-base-path="$PWD/.ci/integration"`. +See `[test-kitchen](https://kitchen.ci/) and `kitchen help verify` for more info about using `kitchen verify`. ### Code style 
@@ -73,7 +90,7 @@ New features and changes should aim to be as clear, concise, simple, and consist Every code base has its own conventions and style that develop and accrete over time. Consistency also means that the inputs and outputs of git-secret should be as consistent as reasonable - with related unix and git tools, and follow the 'rule of least surprise', + with related Unix and git tools, and follow the 'rule of least surprise', also known as the 'principle of least astonishment': We wrote this to clarify our thinking about how git-secret should be written. Of course, these are philosophical goals, 
@@ -87,16 +104,16 @@ Also it's often best to implement larger or complex changes as a series of plann each making a small set of specific changes. This facilitates discussions of implementation, which often come to light only after seeing the actual code used to perform a task. -As mentioned above, we seek to be consistent with surrounding git and unix tools, so when writing changes to git-secret, -think about the input, output, and command-line options that similar unix commands use. +As mentioned above, we seek to be consistent with surrounding git and Unix tools, so when writing changes to git-secret, +think about the input, output, and command-line options that similar Unix commands use. -Our favor toward traditional unix and git command-style inputs and outputs can also mean it's appropriate to -lean heavily on git and widely-used unix command features instead of re-implementing them in code. +Our favor toward traditional Unix and git command-style inputs and outputs can also mean it's appropriate to +lean heavily on git and widely-used Unix command features instead of re-implementing them in code. ### Development Process -1. Firstly, you should need to setup development git hooks with `make install-hooks` -This will copy the git-secret development hooks from utils/hooks into .git/hooks/pre-commit and .git/hooks/post-commit +1. Firstly, you should setup git-secret's development git hooks with `make install-hooks` +This will copy the hooks from utils/hooks into .git/hooks/pre-commit and .git/hooks/post-commit 2. Make changes to the git secret files that need to be changed 
@@ -114,9 +131,10 @@ This will copy the git-secret development hooks from utils/hooks into .git/hooks 8. When running `git commit` the tests will run automatically, your commit will be canceled if they fail. You can run the tests manually with `make clean build test`. + If you want to make a commit and not run the pre- and post-commit hooks, use 'git commit -n' -9. Push to your repository, and make a pull-request against `master` branch. It's ideal to have one commit per pull-request; -otherwise PRs will probably be `squashed` into one commit when merged. +9. Push to your repository, and make a pull-request against `master` branch. It's ideal to have one commit per pull-request, +but don't worry, it's easy to `squash` PRs into a small number of commits when they're merged. ### Branches 
@@ -128,20 +146,26 @@ Development looks like this: - `master` branch is protected, so only fully tested code goes there. It is also used to create a new `git` tag and a `github` release -The `gh-pages` branch is used for the pages at `git-secret.io`. See 'Release Process' below. +By convention, you can name your branches like `issue-###-short-description`, but that's not required. +The `gh-pages` branch is used for the pages at `git-secret.io`. See 'Release Process' below. + ### Continuous integration Local CI is done with the help [`test-kitchen`](http://kitchen.ci/). `test-kitchen` handles multiple test-suites on various platforms. -`bundle exec kitchen list` will output the list of test suites to be run against supported platforms. +You can run our CI tests locally, but it is not strictly required in order to do development or testing of git-secret. When you have +`test-kitchen` installed, `bundle exec kitchen list` will output the list of test suites to be run against supported platforms. -Cloud CI is done with the help of `travis`. `travis` handles multiple environments: +Cloud CI is done with the help of [Travis-CI](https://travis-ci.org/sobolevn/git-secret), which handles testing on multiple environments using -- `Docker`-based jobs or so-called 'integration tests', these tests create a local release, install it with the package manager and then run unit-tests and system checks +- `Docker`-based jobs or so-called 'integration tests', which create a local release, install it with the package manager and then run unit-tests and system checks - `OSX` jobs, which handle basic unit-tests on `MacOS` (Travis still calls MacOS 'OSX') - Native `travis` jobs, which handle basic unit-tests and style checks -### Running local ci-tests +### Running local ci-tests with test-kitchen + +Ci-tests are only necessary if you want to test git-secret on multiple OS'es using docker and test-kitchen, +like we do on travis-ci. 1. Install required gems with `bundle install`. 2. 
Run ci-tests with `bundle exec kitchen verify --test-base-path="$PWD/.ci/integration"` @@ -159,13 +183,16 @@ output from commands. The release process is defined in the `git`-hooks and `.travis.yml`. -When creating a commit inside the `master` branch (it is usually a documentation and changelog update with the version bump inside `src/version.sh`) the hooks will trigger three events. +When creating a commit inside the `master` branch (it is usually a documentation and changelog update with the version bump inside `src/version.sh`) the +pre-commit and post-commit hooks will trigger three events. + +- `pre-commit`: run the test suite will be locally -- the test suite will be run locally +- `pre-commit`: generate and update the manuals and add them to the current commit with `make build-man` -- new manuals will be created and added to the current commit with `make build-man` on `pre-commit` hook. +- `post-commit`: trigger `make build-gh-pages`, which will update and push manuals to the [git-secret site][git-secret-site]. -- after the commit is successfully created it will also trigger `make build-gh-pages` target on `post-commit` hook, which will push new manuals to the [git-secret site][git-secret-site]. And the new `git` tag will be automatically created if the version is changed: +- `post-commit`: new `git` tag (such as v0.3.1) will be automatically created if the version is changed, using something like ```bash if [[ "$NEWEST_TAG" != "v${SCRIPT_VERSION}" ]]; then 
@@ -182,13 +209,17 @@ Here are some links to gnupg documentation that might be useful for those workin #### Travis releases -After you commit a tag that matches the pattern '^v.*$' and the tests succeed, Travis will publish new `deb` and `rpm` packages to [`bintray`][bintray]. +After you commit a tag that matches the pattern '^v' and the tests succeed, scripts run on [Travis-CI](https://travis-ci.org/sobolevn/git-secret) +will publish new `deb` and `rpm` packages to [`bintray`][bintray]. -If you wish to override a previous release (*be careful*) you will need to add `"override": 1` into `matrixParams`, see `deb-deploy.sh` and `rpm-deploy.sh` +(If you wish to override a previous release (*be careful, this is discouraged*) you will need to add `"override": 1` into `matrixParams`, see `deb-deploy.sh` and `rpm-deploy.sh`) #### Manual releases -Releases to `brew` are made manually. +Releases to `brew` are made manually, and involve opening a PR on the [Homebrew Core](https://github.com/Homebrew/homebrew-core) repo . +To get started, see the +[Homebrew docs about Formulae-related PRs](https://docs.brew.sh/How-To-Open-a-Homebrew-Pull-Request#formulae-related-pull-request) +and `brew bump-formula-pr --help` #### Dockerhub releases 
@@ -210,7 +241,10 @@ There are several distributions and packaging systems that may already have git- First of all, thank you for packaging git-secret for your platform! We appreciate it. We also would like to welcome you to collaborate or discuss any issues, ideas or thoughts you have about -git-secret by submitting issue report (which can also be feature requests) or pull requests via the git repo at +git-secret by submitting [issue report](https://github.com/sobolevn/git-secret/issues) +(which can also be feature requests) or +[pull requests](https://help.github.com/en/articles/creating-a-pull-request) +via the git repo at [git-secret on github](https://github.com/sobolevn/git-secret) Please let us know if there are any changes you'd like to see to the source, diff --git a/Makefile b/Makefile index cd5129a8..a68b6bc8 100644 --- a/Makefile +++ b/Makefile @@ -57,8 +57,9 @@ clean-man: find "man/" -type f ! -name "*.ronn" -delete .PHONY: build-man -build-man: install-ronn clean-man - ronn --roff --organization="sobolevn" --manual="git-secret" man/*/*.ronn +build-man: install-ronn clean-man git-secret + touch man/*/*.ronn + export GITSECRET_VERSION=`./git-secret --version` && ronn --roff --organization="sobolevn" --manual="git-secret $${GITSECRET_VERSION}" man/*/*.ronn .PHONY: build-gh-pages build-gh-pages: diff --git a/README.md b/README.md index 953775d3..c3466973 100644 --- a/README.md +++ b/README.md 
@@ -7,14 +7,14 @@ ## What is `git-secret`? -`git-secret` is a bash tool which stores private data inside a git repo. +`git-secret` is a bash tool which stores private data inside a git repo. `git-secret` encrypts files with permitted users' public keys, -allowing users you trust to access encrypted data using pgp and their secret keys. +allowing users you trust to access encrypted data using pgp and their secret keys. -With `git-secret`, changes to access rights are simplified, and private-public key issues are handled for you. +With `git-secret`, changes to access rights are simplified, and private-public key issues are handled for you. When someone's permission is revoked, secrets do not need to be changed with `git-secret` - -just remove their key from the keychain using `git secret killperson their@email.com`, +just remove their key from the keychain using `git secret killperson their@email.com`, re-encrypt the files, and they won't be able to decrypt secrets anymore. If you think the user might have copied the secrets or keys when they had access, then you should also change the secrets. @@ -22,14 +22,14 @@ you should also change the secrets. ## Preview -[![git-secret terminal preview](https://asciinema.org/a/41811.png)](https://asciinema.org/a/41811?autoplay=1) +[![git-secret terminal preview](git-secret.gif)](https://asciinema.org/a/41811?autoplay=1) ## Installation `git-secret` supports `brew`, just type: `brew install git-secret` -It also supports `apt` and `yum`. You can also use `make` if you want to. +It also supports `apt` and `yum`. You can also use `make` if you want to. See the [installation section](http://git-secret.io/installation) for the details. ### Requirements 
@@ -45,7 +45,7 @@ See the [installation section](http://git-secret.io/installation) for the detail ## Contributing -Do you want to help the project? Find an [issue](https://github.com/sobolevn/git-secret/issues) +Do you want to help the project? Find an [issue](https://github.com/sobolevn/git-secret/issues) and send a PR. It is more than welcomed! See [CONTRIBUTING.md](CONTRIBUTING.md) on how to do that. ### Security @@ -64,13 +64,7 @@ If you found any security related issues, please do not disclose it in public. S ## Changelog -`git-secret` uses semver. See [CHANGELOG.md](CHANGELOG.md). - - -## Contributors - -This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)]. - +`git-secret` uses [semver](https://semver.org/). See [CHANGELOG.md](CHANGELOG.md). ## Packagers 
@@ -79,39 +73,38 @@ Thanks also to all the people and groups who package git-secret to be easier to Here are some packagings of git-secret that we're aware of: -- https://pkgs.alpinelinux.org/package/edge/testing/x86/git-secret -- https://aur.archlinux.org/packages/git-secret/ +- https://formulae.brew.sh/formula/git-secret - https://packages.ubuntu.com/bionic/git-secret -- https://packages.debian.org/sid/git-secret - https://apps.fedoraproject.org/packages/git-secret +- https://aur.archlinux.org/packages/git-secret/ +- https://pkgs.alpinelinux.org/package/edge/testing/x86/git-secret +- https://packages.debian.org/sid/git-secret +- https://github.com/void-linux/void-packages/blob/master/srcpkgs/git-secret/template -Such packages are considered 'downstream' because the git-secret code 'flows' from the git-secret repository +Such packages are considered 'downstream' because the git-secret code 'flows' from the git-secret repository to the various rpm/deb/dpkg/etc packages that are created for specific OSes and distributions. We have also added notes specifically for packagers in [CONTRIBUTING.md](CONTRIBUTING.md). -## Backers +## Sponsors -Thank you to all our backers! 🙏 [[Become a backer](https://opencollective.com/git-secret#backer)] +Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [[Become a sponsor](https://opencollective.com/git-secret#sponsor)] - +[![Sponsors](https://opencollective.com/git-secret/tiers/sponsor.svg?width=890)](https://opencollective.com/git-secret) -## Sponsors +## Backers -Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [[Become a sponsor](https://opencollective.com/git-secret#sponsor)] +Thanks to all our backers! 
- - - - - - - - - - +[![Backers](https://opencollective.com/git-secret/tiers/backer.svg?width=890&avatarHeight=36)](https://opencollective.com/git-secret) + + +## Contributors + +This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)]. + ## License diff --git a/git-secret.gif b/git-secret.gif new file mode 100644 index 00000000..083c6e6d Binary files /dev/null and b/git-secret.gif differ diff --git a/man/man1/git-secret-add.1 b/man/man1/git-secret-add.1 index 4b9ca514..b238b4c6 100644 --- a/man/man1/git-secret-add.1 +++ b/man/man1/git-secret-add.1 @@ -1,7 +1,7 @@ .\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . -.TH "GIT\-SECRET\-ADD" "1" "March 2019" "sobolevn" "git-secret" +.TH "GIT\-SECRET\-ADD" "1" "September 2019" "sobolevn" "git-secret 0.3.2" . .SH "NAME" \fBgit\-secret\-add\fR \- starts to track added files\. 
@@ -18,16 +18,13 @@ git secret add [\-i] \.\.\. \fBgit\-secret\-add\fR adds a filepath(s) into \fB\.gitsecret/paths/mapping\.cfg\fR and ensures the filepath is mentioned \.gitignore\. . .P -When adding files to encrypt, \fBgit\-secret\-add\fR (as of 0\.3\.0) will ensure that they are ignored by \fBgit\fR by mentioning them in \.gitignore, since they must be secure and not be committed into the remote repository unencrypted\. +When adding files to encrypt, \fBgit\-secret\-add\fR (as of 0\.2\.6) will ensure that they are ignored by \fBgit\fR by mentioning them in \.gitignore, since they must be secure and not be committed into the remote repository unencrypted\. . .P If there\'s no users in the \fBgit\-secret\fR\'s keyring, when adding a file, an exception will be raised\. . .P -Use the \fBgit secret add\fR command to add filenames to this file\. -. -.br -It is not recommended to add filenames directly into \fB\.gitsecret/paths/mapping\.cfg\fR\. +Use the \fBgit secret add\fR command to add filenames to this file\. It is not recommended to add filenames directly into \fB\.gitsecret/paths/mapping\.cfg\fR\. . .P (See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\. diff --git a/man/man1/git-secret-add.1.ronn b/man/man1/git-secret-add.1.ronn index 669fdaf3..b6744a8c 100644 --- a/man/man1/git-secret-add.1.ronn +++ b/man/man1/git-secret-add.1.ronn 
@@ -10,12 +10,12 @@ git-secret-add - starts to track added files. `git-secret-add` adds a filepath(s) into `.gitsecret/paths/mapping.cfg` and ensures the filepath is mentioned .gitignore. -When adding files to encrypt, `git-secret-add` (as of 0.3.0) will ensure that they are ignored by `git` by mentioning +When adding files to encrypt, `git-secret-add` (as of 0.2.6) will ensure that they are ignored by `git` by mentioning them in .gitignore, since they must be secure and not be committed into the remote repository unencrypted. If there's no users in the `git-secret`'s keyring, when adding a file, an exception will be raised. -Use the `git secret add` command to add filenames to this file. +Use the `git secret add` command to add filenames to this file. It is not recommended to add filenames directly into `.gitsecret/paths/mapping.cfg`. (See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret diff --git a/man/man1/git-secret-cat.1 b/man/man1/git-secret-cat.1 index 5d2df471..846ba15d 100644 --- a/man/man1/git-secret-cat.1 +++ b/man/man1/git-secret-cat.1 @@ -1,7 +1,7 @@ .\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . -.TH "GIT\-SECRET\-CAT" "1" "February 2019" "sobolevn" "git-secret" +.TH "GIT\-SECRET\-CAT" "1" "September 2019" "sobolevn" "git-secret 0.3.2" . .SH "NAME" \fBgit\-secret\-cat\fR \- decrypts files passed on command line to stdout @@ -17,6 +17,9 @@ git secret cat [\-d dir] [\-p password] filename [filenames] .SH "DESCRIPTION" \fBgit\-secret\-cat\fR \- Outputs to stdout the contents of the files named on the command line\. As with \fBgit\-secret\-reveal\fR, you\'ll need to have a public/private keypair that is allowed to decrypt this repo\. . +.P +Note also that this command can be affected by the \fBSECRETS_PINENTRY\fR environment variable\. See (See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information using \fBSECRETS_PINENTRY\fR\. +. .SH "OPTIONS" . .nf 
diff --git a/man/man1/git-secret-changes.1 b/man/man1/git-secret-changes.1 index 1cb0cefc..4921a4ce 100644 --- a/man/man1/git-secret-changes.1 +++ b/man/man1/git-secret-changes.1 @@ -1,7 +1,7 @@ .\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . -.TH "GIT\-SECRET\-CHANGES" "1" "February 2019" "sobolevn" "git-secret" +.TH "GIT\-SECRET\-CHANGES" "1" "September 2019" "sobolevn" "git-secret 0.3.2" . .SH "NAME" \fBgit\-secret\-changes\fR \- view diff of the hidden files\. @@ -17,6 +17,9 @@ git secret changes [\-h] [\-d dir] [\-p password] [pathspec]\.\.\. .SH "DESCRIPTION" \fBgit\-secret\-changes\fR \- shows changes between the current version of hidden files and the ones already committed\. You can provide any number of hidden files to this command as arguments, and it will show changes for these files only\. Note that files must be specified by their encrypted names, typically \fBfilename\.yml\.secret\fR\. If no arguments are provided, information about all hidden files will be shown\. . +.P +Note also that this command can be affected by the \fBSECRETS_PINENTRY\fR environment variable\. See (See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information using \fBSECRETS_PINENTRY\fR\. +. .SH "OPTIONS" . .nf diff --git a/man/man1/git-secret-clean.1 b/man/man1/git-secret-clean.1 index 3c84ac8d..06549a99 100644 --- a/man/man1/git-secret-clean.1 +++ b/man/man1/git-secret-clean.1 @@ -1,7 +1,7 @@ .\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . -.TH "GIT\-SECRET\-CLEAN" "1" "March 2019" "sobolevn" "git-secret" +.TH "GIT\-SECRET\-CLEAN" "1" "September 2019" "sobolevn" "git-secret 0.3.2" . .SH "NAME" \fBgit\-secret\-clean\fR \- removes all the hidden files\. diff --git a/man/man1/git-secret-hide.1 b/man/man1/git-secret-hide.1 index adf9529e..6f44bb83 100644 --- a/man/man1/git-secret-hide.1 +++ b/man/man1/git-secret-hide.1 
@@ -1,7 +1,7 @@ .\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . -.TH "GIT\-SECRET\-HIDE" "1" "March 2019" "sobolevn" "git-secret" +.TH "GIT\-SECRET\-HIDE" "1" "September 2019" "sobolevn" "git-secret 0.3.2" . .SH "NAME" \fBgit\-secret\-hide\fR \- encrypts all added files with the inner keyring\. @@ -27,7 +27,7 @@ Otherwise the keychain (the one stored in \fB\.gitsecret/keys/*\.gpg\fR), may ha In other words, unless you re\-encrypt all the files in a repo each time you \'hide\' any, it\'s possible to make it so some files can no longer be decrypted by users who should be (and would appear) able to decrypt them, and vice\-versa\. . .P -If you know what you are doing and wish to encrypt or re\-encrypt only a subset of the files even after reading the above paragraphs, you can use the \-F option to force \fBgit secret hide\fR to skip any hidden files where the unencrypted versions aren\'t present\. +If you know what you are doing and wish to encrypt or re\-encrypt only a subset of the files even after reading the above paragraphs, you can use the \-F or \-m option to only encrypted a subset of files\. The \-F option forces \fBgit secret hide\fR to skip any hidden files where the unencrypted versions aren\'t present\. The \-m option skips any hidden files that have not be modified since the last time they were encrypted\. . .P Also, it is possible to modify the names of the encrypted files by setting \fBSECRETS_EXTENSION\fR variable\. @@ -35,6 +35,9 @@ Also, it is possible to modify the names of the encrypted files by setting \fBSE .P (See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\. . +.P +You can also enable verbosity using the SECRETS_VERBOSE environment variable, as documented at git\-secret(7) \fIhttp://git\-secret\.io/\fR +. .SH "OPTIONS" . .nf 
@@ -49,9 +52,6 @@ Also, it is possible to modify the names of the encrypted files by setting \fBSE . .fi . -.P -You can also enable verbosity using the SECRETS_VERBOSE environment variable, as documented at git\-secret(7) \fIhttp://git\-secret\.io/\fR -. .SH "MANUAL" Run \fBman git\-secret\-hide\fR to see this note\. . diff --git a/man/man1/git-secret-init.1 b/man/man1/git-secret-init.1 index d440c86e..01ce59e7 100644 --- a/man/man1/git-secret-init.1 +++ b/man/man1/git-secret-init.1 @@ -1,7 +1,7 @@ .\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . -.TH "GIT\-SECRET\-INIT" "1" "March 2019" "sobolevn" "git-secret" +.TH "GIT\-SECRET\-INIT" "1" "September 2019" "sobolevn" "git-secret 0.3.2" . .SH "NAME" \fBgit\-secret\-init\fR \- initializes git\-secret repository\. diff --git a/man/man1/git-secret-killperson.1 b/man/man1/git-secret-killperson.1 index 82cffd9a..6eace080 100644 --- a/man/man1/git-secret-killperson.1 +++ b/man/man1/git-secret-killperson.1 @@ -1,7 +1,7 @@ .\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . -.TH "GIT\-SECRET\-KILLPERSON" "1" "February 2019" "sobolevn" "git-secret" +.TH "GIT\-SECRET\-KILLPERSON" "1" "September 2019" "sobolevn" "git-secret 0.3.2" . .SH "NAME" \fBgit\-secret\-killperson\fR \- deletes key identified by an email from the inner keyring\. diff --git a/man/man1/git-secret-list.1 b/man/man1/git-secret-list.1 index a83122b4..9f0fc2f7 100644 --- a/man/man1/git-secret-list.1 +++ b/man/man1/git-secret-list.1 @@ -1,7 +1,7 @@ .\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . -.TH "GIT\-SECRET\-LIST" "1" "February 2019" "sobolevn" "git-secret" +.TH "GIT\-SECRET\-LIST" "1" "September 2019" "sobolevn" "git-secret 0.3.2" . .SH "NAME" \fBgit\-secret\-list\fR \- prints all the added files\. diff --git a/man/man1/git-secret-remove.1 b/man/man1/git-secret-remove.1 index 548b8f8d..f3eeee7f 100644 --- a/man/man1/git-secret-remove.1 
+++ b/man/man1/git-secret-remove.1 @@ -1,7 +1,7 @@ .\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . -.TH "GIT\-SECRET\-REMOVE" "1" "February 2019" "sobolevn" "git-secret" +.TH "GIT\-SECRET\-REMOVE" "1" "September 2019" "sobolevn" "git-secret 0.3.2" . .SH "NAME" \fBgit\-secret\-remove\fR \- removes files from index\. diff --git a/man/man1/git-secret-reveal.1 b/man/man1/git-secret-reveal.1 index d77df4d4..56dd2ac6 100644 --- a/man/man1/git-secret-reveal.1 +++ b/man/man1/git-secret-reveal.1 @@ -1,7 +1,7 @@ .\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . -.TH "GIT\-SECRET\-REVEAL" "1" "March 2019" "sobolevn" "git-secret" +.TH "GIT\-SECRET\-REVEAL" "1" "September 2019" "sobolevn" "git-secret 0.3.2" . .SH "NAME" \fBgit\-secret\-reveal\fR \- decrypts all added files\. @@ -17,9 +17,6 @@ git secret reveal [\-f] [\-F] [\-P] [\-v] [\-d dir] [\-p password] [pathspec]\.\ .SH "DESCRIPTION" \fBgit\-secret\-reveal\fR \- decrypts all the files in \fB\.gitsecret/paths/mapping\.cfg\fR, or the passed \fBpathspec\fRs\. You will need to have imported the paired secret\-key with one of the public\-keys which were used in the encryption\. Under the hood, this uses the \fBgpg \-\-decrypt\fR command\. . -.P -(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\. -. .SH "OPTIONS" . .nf @@ -34,6 +31,9 @@ git secret reveal [\-f] [\-F] [\-P] [\-v] [\-d dir] [\-p password] [pathspec]\.\ . .fi . +.P +(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\. +. .SH "MANUAL" Run \fBman git\-secret\-reveal\fR to see this note\. . diff --git a/man/man1/git-secret-tell.1 b/man/man1/git-secret-tell.1 index 496beb4a..4779cb1d 100644 --- a/man/man1/git-secret-tell.1 +++ b/man/man1/git-secret-tell.1 
@@ -1,7 +1,7 @@ .\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . -.TH "GIT\-SECRET\-TELL" "1" "February 2019" "sobolevn" "git-secret" +.TH "GIT\-SECRET\-TELL" "1" "September 2019" "sobolevn" "git-secret 0.3.2" . .SH "NAME" \fBgit\-secret\-tell\fR \- adds a person, who can access private data\. diff --git a/man/man1/git-secret-usage.1 b/man/man1/git-secret-usage.1 index d68bfc40..d82ba7be 100644 --- a/man/man1/git-secret-usage.1 +++ b/man/man1/git-secret-usage.1 @@ -1,7 +1,7 @@ .\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . -.TH "GIT\-SECRET\-USAGE" "1" "February 2019" "sobolevn" "git-secret" +.TH "GIT\-SECRET\-USAGE" "1" "September 2019" "sobolevn" "git-secret 0.3.2" . .SH "NAME" \fBgit\-secret\-usage\fR \- prints all the available commands\. diff --git a/man/man1/git-secret-whoknows.1 b/man/man1/git-secret-whoknows.1 index e4382fa3..dd009cc0 100644 --- a/man/man1/git-secret-whoknows.1 +++ b/man/man1/git-secret-whoknows.1 @@ -1,7 +1,7 @@ .\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . -.TH "GIT\-SECRET\-WHOKNOWS" "1" "February 2019" "sobolevn" "git-secret" +.TH "GIT\-SECRET\-WHOKNOWS" "1" "September 2019" "sobolevn" "git-secret 0.3.2" . .SH "NAME" \fBgit\-secret\-whoknows\fR \- prints email\-labels for each key in the keyring\. diff --git a/man/man7/git-secret.7 b/man/man7/git-secret.7 index 02ce68ce..37ff9c9b 100644 --- a/man/man7/git-secret.7 +++ b/man/man7/git-secret.7 @@ -1,7 +1,7 @@ .\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . -.TH "GIT\-SECRET" "7" "March 2019" "sobolevn" "git-secret" +.TH "GIT\-SECRET" "7" "September 2019" "sobolevn" "git-secret 0.3.2" . .SH "NAME" \fBgit\-secret\fR \- bash tool to store private data inside a git repo\. 
@@ -72,6 +72,9 @@ The settings available to be changed are: .IP "\(bu" 4 \fB$SECRETS_DIR\fR \- sets the directory where git\-secret stores its files, defaults to \.gitsecret\. It can be changed to any valid directory name\. . +.IP "\(bu" 4 +\fB$SECRETS_PINENTRY\fR \- allows user to specify a setting for \fBgpg\fR\'s \-\-pinentry option\. See \fBgpg\fR docs for details about gpg\'s \-\-pinentry option\. +. .IP "" 0 . .SH "The \.gitsecret folder (can be overridden with SECRETS_DIR)" diff --git a/src/_utils/_git_secret_tools.sh b/src/_utils/_git_secret_tools.sh index 82595fb8..5c72c625 100644 --- a/src/_utils/_git_secret_tools.sh +++ b/src/_utils/_git_secret_tools.sh @@ -28,6 +28,8 @@ fi : "${SECRETS_OCTAL_PERMS_COMMAND:="_os_based __get_octal_perms"}" : "${SECRETS_EPOCH_TO_DATE:="_os_based __epoch_to_date"}" +# Temp Dir +: "${TMPDIR:=/tmp}" # AWK scripts: # shellcheck disable=2016 @@ -195,7 +197,7 @@ function _temporary_file { # which will be removed on system exit. temporary_filename=$(_os_based __temp_file) # is not `local` on purpose. - trap 'if [[ -n "$_SECRETS_VERBOSE" ]] || [[ -n "$SECRETS_TEST_VERBOSE" ]]; then echo "git-secret: cleaning up: $temporary_filename"; fi; rm -f "$temporary_filename";' EXIT + trap 'if [[ -f "$temporary_filename" ]]; then if [[ -n "$_SECRETS_VERBOSE" ]] || [[ -n "$SECRETS_TEST_VERBOSE" ]]; then echo "git-secret: cleaning up: $temporary_filename"; fi; rm -f "$temporary_filename"; fi;' EXIT } @@ -464,14 +466,12 @@ function _find_and_clean_formatted { # required: local pattern="$1" # can be any string pattern - if [[ -n "$_SECRETS_VERBOSE" ]]; then - echo && _message "cleaning:" - fi + local outputs + outputs=$(_find_and_clean "$pattern" 2>&1) - _find_and_clean "$pattern" - - if [[ -n "$_SECRETS_VERBOSE" ]]; then - echo + if [[ -n "$_SECRETS_VERBOSE" ]] && [[ -n "$outputs" ]]; then + # shellcheck disable=SC2001 + echo "$outputs" | sed "s/^/git-secret: cleaning: /" fi } 
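Review bot: In `outputs=$(_find_and_clean "$pattern" 2>&1)` the helper's stderr is captured together with its stdout and then printed only when `_SECRETS_VERBOSE` is set, so in the default mode an error reported by the underlying find/rm is silently dropped where before it reached the terminal. If the goal is only to prefix the file listing, capture stdout alone and leave stderr attached: `outputs=$(_find_and_clean "$pattern")`. Whether a failing helper still aborts the command depends on `set -e` being active in this file, which the hunk does not show.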
@@ -525,6 +525,21 @@ function _secrets_dir_is_not_ignored { } +function _exe_is_busybox { + local exe + exe=$1 + + # we assume stat is from busybox if it's a symlink + local is_busybox=0 + local stat_path + stat_path=$(command -v "$exe") + if [ -L "$stat_path" ]; then + is_busybox=1 + fi + echo "$is_busybox" +} + + function _user_required { # This function does a bunch of validations: # 1. It calls `_secrets_dir_exists` to verify that "$_SECRETS_DIR" exists. @@ -544,18 +559,20 @@ function _user_required { local secrets_dir_keys secrets_dir_keys=$(_get_secrets_dir_keys) + # see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs for info about 3>&- local keys_exist - keys_exist=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning -n --list-keys) + keys_exist=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning -n --list-keys 3>&-) local exit_code=$? + if [[ -z "$keys_exist" ]]; then + _abort "$error_message" + fi if [[ "$exit_code" -ne 0 ]]; then # this might catch corner case where gpg --list-keys shows # 'gpg: skipped packet of type 12 in keybox' warnings but succeeds? # See #136 + echo "$keys_exist" # show whatever _did_ come out of gpg _abort "problem listing public keys with gpg: exit code $exit_code" fi - if [[ -z "$keys_exist" ]]; then - _abort "$error_message" - fi } # note: this has the same 'username matching' issue described in 
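Review bot: `_exe_is_busybox` treats any symlinked executable as busybox, but a symlink is not specific to busybox: Debian alternatives, Nix and Homebrew all install `stat`/`ps` as symlinks, and `command -v` may return a function or alias name for which `-L` is simply false. Checking the link target is more specific: `local target; target=$(readlink "$stat_path" 2>/dev/null)` followed by `[[ "${target##*/}" == busybox ]] && is_busybox=1` (plain `readlink` exists on GNU, BSD and busybox). The comment `# we assume stat is from busybox if it's a symlink` is also stale since the function takes an arbitrary `$exe`; renaming the local to `exe_path` would make that clear.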
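Review bot: The reordered checks in `_user_required` now test `-z "$keys_exist"` before `exit_code`, so when gpg fails and prints nothing to stdout (its diagnostics go to stderr) the user gets the generic `$error_message` instead of `problem listing public keys with gpg: exit code N`, which hides the real failure. Keep the exit-code branch first and only fall through to the empty-output check when gpg succeeded, i.e. swap the two `if` blocks back. Separately, if this file runs under `set -e` (not visible in the hunk) the assignment `keys_exist=$(...)` aborts before `exit_code` is ever read; that predates this change but deserves a comment or a `set +e`/`set -e` pair like the one `hide` uses.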
@@ -571,7 +588,8 @@ function _get_user_key_expiry { local secrets_dir_keys secrets_dir_keys=$(_get_secrets_dir_keys) - line=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode "$username" | grep ^pub:) + # 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs + line=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode "$username" | grep ^pub: 3>&-) local expiry_epoch expiry_epoch=$(echo "$line" | cut -d: -f7) @@ -587,6 +605,9 @@ function _assert_keychain_contains_emails { local gpg_uids gpg_uids=$(_get_users_in_gpg_keyring "$homedir") for email in "${emails[@]}"; do + if [[ $email != *"@"* ]]; then + _abort "does not appear to be an email: $email" + fi local email_ok=0 for uid in $gpg_uids; do if [[ "$uid" == "$email" ]]; then 
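Review bot: The `3>&-` at the end of `... | grep ^pub: 3>&-` closes fd 3 for `grep` only; a trailing redirection in a pipeline binds to the last command, so gpg still inherits bats' fd 3 and the new comment above the line does not describe what the code does. Move the redirection onto the gpg invocation: `line=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode "$username" 3>&- | grep ^pub:)`. The body of `_get_user_key_expiry` continues past the end of the hunk.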
@@ -622,9 +643,14 @@ function _get_users_in_gpg_keyring { fi # we use --fixed-list-mode so older versions of gpg emit 'uid:' lines. - # here gawk splits on colon as --with-colon, exact matches field 1 as 'uid' that is not revoked (field 2 set to 'r') and selects field 10 "User-ID" - # the gensub regex extracts email from <> within field 10. (If there's no <>, then field is just an email address anyway and the regex just passes it through.) - result=$($SECRETS_GPG_COMMAND "${args[@]}" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode | gawk -F: '$1~/uid/&&$2!="r"{print gensub(/.*<(.*)>.*/, "\\1", "g", $10); }') + # here gawk splits on colon as --with-colon, exact matches field 1 as 'uid', and selects field 10 "User-ID" + # the gensub regex extracts email from <> within field 10. (If there's no <>, then field is just an email address + # (and maybe a comment) and the regex just passes it through.) + # sed at the end removes any 'comment' that appears in parentheses, for #530 + # 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs + result=$($SECRETS_GPG_COMMAND "${args[@]}" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode | \ + gawk -F: '$1~/uid/{print gensub(/.*<(.*)>.*/, "\\1", "g", $10); }' | \ + sed 's/([^)]*)//g' 3>&-) echo "$result" } diff --git a/src/_utils/_git_secret_tools_freebsd.sh b/src/_utils/_git_secret_tools_freebsd.sh index eb81c36d..13f81dde 100644 --- a/src/_utils/_git_secret_tools_freebsd.sh +++ b/src/_utils/_git_secret_tools_freebsd.sh @@ -10,7 +10,6 @@ function __replace_in_file_freebsd { function __temp_file_freebsd { - : "${TMPDIR:=/tmp}" local filename # man mktemp on FreeBSD: # ... diff --git a/src/_utils/_git_secret_tools_linux.sh b/src/_utils/_git_secret_tools_linux.sh index b69c8016..4ca580f1 100644 --- a/src/_utils/_git_secret_tools_linux.sh +++ b/src/_utils/_git_secret_tools_linux.sh 
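Review bot: The gawk pattern dropped the `$2!="r"` test and the comment no longer mentions revocation, so uids whose validity field is `r` are again emitted by `_get_users_in_gpg_keyring`; if that list is what `hide` encrypts to (its callers are not visible here), a revoked identity would be treated as a live recipient. If the removal is deliberate it needs a comment such as `# note: revoked uids are NOT filtered out here (see #508)`; otherwise restore the filter, `gawk -F: '$1~/uid/&&$2!="r"{print gensub(/.*<(.*)>.*/, "\\1", "g", $10); }'`. The trailing `3>&-` also binds to `sed` rather than to gpg, so fd 3 is still inherited by the gpg process; it belongs after the gpg arguments, before the first `|`.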
@@ -8,7 +8,6 @@ function __replace_in_file_linux { function __temp_file_linux { - : "${TMPDIR:=/tmp}" local filename # man mktemp on CentOS 7: # mktemp [OPTION]... [TEMPLATE] @@ -35,9 +34,16 @@ function __sha256_linux { function __get_octal_perms_linux { local filename filename=$1 - local perms - perms=$(stat --format '%a' "$filename") - # a string like '0644' + + local stat_is_busybox + stat_is_busybox=_exe_is_busybox "stat" + local perms # a string like '644' + if [ "$stat_is_busybox" -eq 1 ]; then + # special case for busybox, which doesn't understand --format + perms=$(stat -c '%a' "$filename") + else + perms=$(stat --format '%a' "$filename") + fi echo "$perms" } diff --git a/src/_utils/_git_secret_tools_osx.sh b/src/_utils/_git_secret_tools_osx.sh index 1e660000..bfb52a9b 100644 --- a/src/_utils/_git_secret_tools_osx.sh +++ b/src/_utils/_git_secret_tools_osx.sh @@ -8,7 +8,6 @@ function __replace_in_file_osx { function __temp_file_osx { - : "${TMPDIR:=/tmp}" local filename # man mktemp on OSX: # ... diff --git a/src/commands/git_secret_hide.sh b/src/commands/git_secret_hide.sh index 2989a2ae..8769570c 100644 --- a/src/commands/git_secret_hide.sh +++ b/src/commands/git_secret_hide.sh @@ -109,7 +109,7 @@ function hide { [ "$1" = '--' ] && shift if [ $# -ne 0 ]; then - _abort "clean does not understand params: $*" + _abort "hide does not understand params: $*" fi # We need user to continue: @@ -132,6 +132,12 @@ function hide { to_hide+=("$record") # add record to array done < "$path_mappings" + local recipients + recipients=$(_get_recipients) + + local secrets_dir_keys + secrets_dir_keys=$(_get_secrets_dir_keys) + local counter=0 for record in "${to_hide[@]}"; do local filename 
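Review bot: `stat_is_busybox=_exe_is_busybox "stat"` is missing the command substitution: as written it runs `stat` with no arguments and `stat_is_busybox=_exe_is_busybox` in its environment, leaves the local empty, and `[ "" -eq 1 ]` then errors into the `else` branch, so the busybox path is never taken (and the call may abort outright under `set -e`). It should read `stat_is_busybox=$(_exe_is_busybox "stat")`. Since GNU coreutils `stat` accepts `-c` as a synonym for `--format`, the whole branch could instead be collapsed to `perms=$(stat -c '%a' "$filename")`, which works on both implementations without any detection.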
@@ -141,12 +147,6 @@ function hide { fsdb_file_hash=$(_get_record_hash "$record") encrypted_filename=$(_get_encrypted_filename "$filename") - local recipients - recipients=$(_get_recipients) - - local secrets_dir_keys - secrets_dir_keys=$(_get_secrets_dir_keys) - local input_path local output_path input_path=$(_append_root_path "$filename") @@ -170,21 +170,28 @@ function hide { set +e # disable 'set -e' so we can capture exit_code - if [[ -n "$_SECRETS_VERBOSE" ]]; then - # on at least some platforms, this doesn't output anything unless there's a warning or error - $SECRETS_GPG_COMMAND "${args[@]}" - else - $SECRETS_GPG_COMMAND "${args[@]}" > /dev/null 2>&1 - fi + # see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs for info about 3>&- + local gpg_output + gpg_output=$($SECRETS_GPG_COMMAND "${args[@]}" 3>&-) # we leave stderr alone local exit_code=$? set -e # re-enable set -e + local error=0 if [[ "$exit_code" -ne 0 ]] || [[ ! -f "$output_path" ]]; then + error=1 + fi + + if [[ "$error" -ne 0 ]] || [[ -n "$_SECRETS_VERBOSE" ]]; then + if [[ -n "$gpg_output" ]]; then + echo "$gpg_output" + fi + fi + + if [[ ! -f "$output_path" ]]; then # if gpg can't encrypt a file we asked it to, that's an error unless in force_continue mode. _warn_or_abort "problem encrypting file with gpg: exit code $exit_code: $filename" "$exit_code" "$force_continue" - fi - if [[ -f "$output_path" ]]; then + else counter=$((counter+1)) if [[ "$preserve" == 1 ]]; then local perms diff --git a/src/commands/git_secret_killperson.sh b/src/commands/git_secret_killperson.sh index 43ad9dbb..5133df74 100644 --- a/src/commands/git_secret_killperson.sh +++ b/src/commands/git_secret_killperson.sh 
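Review bot: The `_warn_or_abort` condition lost its `exit_code -ne 0` half: `error` is computed from both, but the abort now fires only when `$output_path` is missing, so a non-zero gpg exit with an output file present — e.g. a `.secret` left over from an earlier hide, if gpg is invoked with an overwrite flag (its argument list is not visible here) — is counted in `counter` as hidden and, without `-v`, only gpg's own stderr hints at the failure. Use the flag already computed: `if [[ "$error" -ne 0 ]]; then _warn_or_abort "problem encrypting file with gpg: exit code $exit_code: $filename" "$exit_code" "$force_continue"; else counter=$((counter+1))`. Note also that `gpg_output=$($SECRETS_GPG_COMMAND "${args[@]}" 3>&-)` captures stdout only while gpg writes its diagnostics to stderr, so `$gpg_output` will usually be empty when echoed on failure and stderr is now shown unconditionally even in non-verbose mode; add `2>&1` to the capture if the intent was to route gpg's messages through the error/verbose logic.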
@@ -31,7 +31,8 @@ function killperson { _assert_keychain_contains_emails "$secrets_dir_keys" "${emails[@]}" for email in "${emails[@]}"; do - $SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --batch --yes --delete-key "$email" + # see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs for info about 3>&- + $SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --batch --yes --delete-key "$email" 3>&- local exit_code=$? if [[ "$exit_code" -ne 0 ]]; then _abort "problem deleting key for '$email' with gpg: exit code $exit_code" diff --git a/src/commands/git_secret_reveal.sh b/src/commands/git_secret_reveal.sh index cd4b9dfd..572f64e9 100644 --- a/src/commands/git_secret_reveal.sh +++ b/src/commands/git_secret_reveal.sh @@ -75,5 +75,5 @@ function reveal { done - echo "git-secret: done. $counter of ${#to_show[@]} files are revealed." + _message "done. $counter of ${#to_show[@]} files are revealed." } diff --git a/src/commands/git_secret_tell.sh b/src/commands/git_secret_tell.sh index 4180b774..af22db24 100644 --- a/src/commands/git_secret_tell.sh +++ b/src/commands/git_secret_tell.sh @@ -10,7 +10,8 @@ END { print cnt } function get_gpg_key_count { local secrets_dir_keys secrets_dir_keys=$(_get_secrets_dir_keys) - $SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon | gawk "$AWK_GPG_KEY_CNT" + # 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs + $SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon | gawk "$AWK_GPG_KEY_CNT" 3>&- local exit_code=$? if [[ "$exit_code" -ne 0 ]]; then _abort "problem counting keys with gpg: exit code $exit_code" 
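Review bot: In `get_gpg_key_count`, `... | gawk "$AWK_GPG_KEY_CNT" 3>&-` closes fd 3 for gawk only, not for gpg, so the comment above it is inaccurate; the redirection belongs on the gpg command: `$SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon 3>&- | gawk "$AWK_GPG_KEY_CNT"`. The following `local exit_code=$?` is gawk's status rather than gpg's unless `pipefail` is set (not visible here), so the `problem counting keys with gpg` abort cannot trigger on a gpg failure; that predates this commit but is worth fixing in the same line, e.g. by checking `${PIPESTATUS[0]}`.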
@@ -75,14 +76,15 @@ function tell { # shellcheck disable=2154 local keyfile="$temporary_filename" + # 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs local exit_code if [[ -z "$homedir" ]]; then - $SECRETS_GPG_COMMAND --export -a "$email" > "$keyfile" + $SECRETS_GPG_COMMAND --export -a "$email" > "$keyfile" 3>&- exit_code=$? else # It means that homedir is set as an extra argument via `-d`: $SECRETS_GPG_COMMAND --no-permission-warning --homedir="$homedir" \ - --export -a "$email" > "$keyfile" + --export -a "$email" > "$keyfile" 3>&- exit_code=$? fi if [[ "$exit_code" -ne 0 ]]; then @@ -99,9 +101,9 @@ function tell { local args=( --homedir "$secrets_dir_keys" --no-permission-warning --import "$keyfile" ) if [[ -z "$_SECRETS_VERBOSE" ]]; then - $SECRETS_GPG_COMMAND "${args[@]}" > /dev/null 2>&1 + $SECRETS_GPG_COMMAND "${args[@]}" > /dev/null 2>&1 3>&- else - $SECRETS_GPG_COMMAND "${args[@]}" + $SECRETS_GPG_COMMAND "${args[@]}" 3>&- fi exit_code=$? @@ -112,7 +114,7 @@ function tell { fi done - echo "done. ${emails[*]} added as someone who know(s) the secret." + _message "done. ${emails[*]} added as user(s) who know the secret." # force re-encrypting of files if required local fsdb diff --git a/src/version.sh b/src/version.sh index 728adf5e..d6232d66 100644 --- a/src/version.sh +++ b/src/version.sh @@ -1,4 +1,4 @@ #!/usr/bin/env bash # shellcheck disable=2034 -GITSECRET_VERSION='0.2.6' +GITSECRET_VERSION='0.3.2' diff --git a/tests/_test_base.bash b/tests/_test_base.bash index d74a98aa..fb04cea3 100644 --- a/tests/_test_base.bash +++ b/tests/_test_base.bash 
@@ -7,6 +7,9 @@ source "$SECRET_PROJECT_ROOT/src/version.sh" # shellcheck disable=SC1090 source "$SECRET_PROJECT_ROOT/src/_utils/_git_secret_tools.sh" +source "$SECRET_PROJECT_ROOT/src/_utils/_git_secret_tools_freebsd.sh" +source "$SECRET_PROJECT_ROOT/src/_utils/_git_secret_tools_linux.sh" +source "$SECRET_PROJECT_ROOT/src/_utils/_git_secret_tools_osx.sh" # Constants: FIXTURES_DIR="$BATS_TEST_DIRNAME/fixtures" @@ -36,9 +39,10 @@ BEGIN { OFS=":"; FS=":"; } # This command is used with absolute homedir set and disabled warnings: GPGTEST="$SECRETS_GPG_COMMAND --homedir=$TEST_GPG_HOMEDIR --no-permission-warning --batch" -# Personal data: +# Test key fixture data. Fixtures are at tests/fixtures/gpg/$email -# these two are 'normal' keys +# See tests/fixtures/gpg/README.md for more on key fixtures 'user[1-5]@gitsecret.io' +# these two are 'normal' keys. export TEST_DEFAULT_USER="user1@gitsecret.io" export TEST_SECOND_USER="user2@gitsecret.io" @@ -48,6 +52,8 @@ export TEST_NONAME_USER="user3@gitsecret.io" # TEST_EXPIRED_USER (user4) has expired export TEST_EXPIRED_USER="user4@gitsecret.io" # this key expires 2018-09-24 +export TEST_NOEMAIL_COMMENT_USER="user5@gitsecret.io" # fixture filename is named this, but key has no email and a comment, as per #527 + export TEST_ATTACKER_USER="attacker1@gitsecret.io" @@ -74,8 +80,14 @@ function stop_gpg_agent { ps -l -u "$username" | gawk \ '/gpg-agent/ { if ( $0 !~ "awk" ) { system("kill "$1) } }' >> "$TEST_GPG_OUTPUT_FILE" 2>&1 else - ps -wx -U "$username" | gawk \ - '/gpg-agent --homedir/ { if ( $0 !~ "awk" ) { system("kill "$1) } }' >> "$TEST_GPG_OUTPUT_FILE" 2>&1 + local ps_is_busybox + ps_is_busybox=_exe_is_busybox "ps" + if [[ $ps_is_busybox -eq "1" ]]; then + echo "# git-secret: tests: not stopping gpg-agent on busybox" >&3 + else + ps -wx -U "$username" | gawk \ + '/gpg-agent --homedir/ { if ( $0 !~ "awk" ) { system("kill "$1) } }' >> "$TEST_GPG_OUTPUT_FILE" 2>&1 + fi fi } 
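Review bot: `ps_is_busybox=_exe_is_busybox "ps"` has the same missing `$(...)` as the stat helper: it runs a bare `ps` with an environment variable set and leaves `ps_is_busybox` empty, so `[[ $ps_is_busybox -eq "1" ]]` is always false and on a busybox system the `ps -wx -U` branch still runs. It should be `ps_is_busybox=$(_exe_is_busybox "ps")`. `_exe_is_busybox` lives in `_git_secret_tools.sh`, which this file already sources, so no further wiring is needed.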
diff --git a/tests/fixtures/gpg/README.md b/tests/fixtures/gpg/README.md index c4dd8ad2..9d0f48e5 100644 --- a/tests/fixtures/gpg/README.md +++ b/tests/fixtures/gpg/README.md @@ -22,3 +22,8 @@ `gpg --export --armor user4 > tests/fixtures/gpg/user4/public.key` and `gpg --export-secret-keys --armor user4 > tests/fixtures/gpg/user4/private.key` + +* user5 was created for issue #527 using `gpg --full-generate-key`. + with name 'user5', no email address, the comment 'comment comment', and + the passphrase 'user5pass'. Keys were exported as above. + diff --git a/tests/fixtures/gpg/user5@gitsecret.io/private.key b/tests/fixtures/gpg/user5@gitsecret.io/private.key new file mode 100644 index 00000000..54fc0f88 --- /dev/null +++ b/tests/fixtures/gpg/user5@gitsecret.io/private.key 
@@ -0,0 +1,59 @@ +-----BEGIN PGP PRIVATE KEY BLOCK----- + +lQPGBF1yX48BCAC7TVKvW81RjJKcGI21cI1iUEPkpWCqXwUjt9UsJ8g+2BW45gmX +9tLKPp5ax6hJoLQpcSkOsKcNdigSwHeB+TjIgGshAQOgOXLgnU6oETkobxrv3TcQ +L0gF09jgnUvdzaCSgqtLndgejG1g5SsYIzzHYSTAj/7t5WY2AQKVsiE9pELxUqLB +QQQ97YHklp26sNXT9FYBNZvLN661PvTB2fgMxMrLkE0i8brAC51zyp0/PCy7huDz +9zjryMCReKkwfVIpevBJspHx1P2HLNe+b+O28C4U0r8CuWSk116itbfKGCtWL8LL +khMUBD4j+6zO1E33HVeRR6hypU8ZhbDIX9BzABEBAAH+BwMCrMDlojZX/jjr0l3U +8acJEKVGWAq8dxt+UKNm5PSNZksQdcsz4E1JL/4JitfRhvrH24OGJnGrmMYeQJjH +Dw+dHUf8UDD8KpRigihCug44VM36ZtiCxfQ8+x01DQ8G6dntZmphg6B0dJbvhUJa +YEuRk1n5rVH1lMEitq3ZcnvnU4hJxWfKdo8qI+MReaiVtODk42y0kA6/7y+w+a1j +7wWtVsdHvvC5f698Z0FKzSGxHWGgE2bFWaRxhuX0WIBMgDsr2H+jcvb51c3SIWkd +eCTupBomcv99FYcBUHf4VnjJGgBn4ibU49BZtMbmTHeB4bNb/hTCwhWuW50mr2yt +GZ/Ued2y6khcaDXlsQGdqUn7/4KEe3vpwVU6RzKrxBMhaY2zZdwVEAb9c/2szSt6 ++YOhopOmH23lWF5iu2pdRcU9pJtj614tpIGOLC4H8e+im+buy+jOIvj6eECH50zK +zHchOvrCWAG4qcVTSAv2J2Ywa1wzKxUfoPbpCZJ7pJvt2pjxa2Mh1vjlydle4/Tq +6qcu4OONdJPiDu2n0DvThfZXxWPqYrQKNPok/uIuOyux3U3JKgBdCKW9wj6wXvik +TakIRvsPjMsTkyP5J7GoFokw/7tTd8fww6+HK7o171+bT1/oEmp+ulE/U5mcaVTw +uabWtLt9gignidle6R4GlVI/xo/J/szcQyiv9/MA1z0tC5FIM2HYF4ADg2de8MbE +dQKyNZxkAoFtofE8WDsMVf/C2BzTpLp9yqTGhZptCWlkU+OpBxLaVIa1tlw0mbt0 +PWujKEatkdFOHhuutjLCWGiB84FKkPPti0YkfJxPxbXDMa2p7KvCSSrrkZM2mKBq +13hcLm4ANUWQCFJHpCriMg79xLSL6zEL4Lt6V+Soi1dDtH5jwox+SsC273BZXyq8 +rjOisteYwarjtBd1c2VyNSAoY29tbWVudCBjb21tZW50KYkBTgQTAQgAOBYhBPbR +jRmpf0xIpd59km5RnYONIUgfBQJdcl+PAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B +AheAAAoJEG5RnYONIUgfhQQH/38uO9hvFdc72UnYjCADZXvdSa1T+vSKJfF9Sa+D +Se2F3JlwYPvpDnEovMmi7RuUJ1n7mGzTFJ6HLHs4Z26P6VtmC2e3ue2/OltK24zd +zeH80WfGmFfJ1cFShO5mGEk+ga3HhhCHPE9zkEM+HO+Dn+IDBuJL4PAvu6c6buVo +K9GDbo7tkCFB1+vw39CmEmnPuIoGygliJxKqiqHsS/Jn4KkNyecT8z5xaA41lGdA +Zbda6og4u0vsj7Uctder22tdVKDWg1Jwr23ORBYCD2ssQKUq31G/kvQeZxCTdZD8 +t/V3pQz0uru/c/NvVLX1eZDXwM+viR/Ck5oyTETkHF9LZNedA8YEXXJfjwEIAMxn +JVMiOyZfPclOt1oQv51vrmbWyiKHSNn9OwtW2HQIWXT5cpA76ojceLxF2Gz3Lr8k 
+5ZqJQZb2jTB/HGDeJMVOQobsfJLD2llM99PFFdE/lAlu+/jQp90hu/gLo9egu+aI +ZP6YRmvJMLseB8t22dWGb8OpnZgTzAL9uk8vhYzMLGCiOezC0pzxKCDsIfBtpHDy +b9Z06cD4hywvtaRCJOXanUhv2rbPEcNRoYqY3kFlaV37NxMRyCplODq6HmrsxsUp +hJmHA227HtBHJzJtRcewyOcvHE3TovynDPDNtk+KtvZfiqvvKDwEXjrygYiB/xZP +iFvT5f4xB6hicJq8+78AEQEAAf4HAwJRNs0fBsU0LOueT8yhsPFyxg+XYBeAR5Hx +NyCFrIXaDSTY+TrTpbY0o2wrBgZtI+YAuVCgqkmQDzp8Dhb21Dcx2Zg4xJ92KHcE +dwq/VMz9l5l6JgfEg7Dt8XUCeetYKEkX/li9Q9urwBpZ3oPIjjhZoK74zfGA0Qtk +qRYCXHhBVme7pxAfirmX0jiLbDv5nV+fzJXqTzY/Zsaodw0w9CiuzZ5ftM7kk7QH +TGEeGB0yaEgm7LPupGxfkHnY7IU7f1g4e7QhQcFSHady2HrtEVYFgsdlxxCxSFzK +G3zctVTTTQKb67zVNKtblizSHRq21gx/uutReh+RZUhTJewfpOpup7e9oNDxpkSW +nkiHU91vNaOfdfuID7V6eIYKM3yCvrc5z9NKBYklGX2wYm9qEObBF1LrQD2c/M/+ +Rn6gnJLdUo0Q95URwngCrchz1i7MVWje3VfsuiHRsB62NFLOGeDqkdoJ7PPCRHeS +WXaZUK7/a7B6wZuf4fafEVWSpgonWvL3bxCLlPau5zYvo40WLzFtIVT6gBCR/TBY +AhUVrrvn1Ssqrz1RRD7ebbFR59yDsEyJaL4cdJzVidB4+tp9XAJ0yjiGJyCJW5NR +eW0dR1jHDacBPMnxgqKtXpn7d0PMx0oghD0wFiQsGqi6aWJs8+qGWugCoHZUiJB2 +R/N0MO7l4CuJYECSIiVqgu08h7ZQ3CgROGEFVYaBmkX50DFwLe9FkurOE83jNiJE +d7QKhc2IE6RQ0j9bS7GcBkNjED7jUCryLbwI8ITekHnSt0BiFnVb9rZ3cMYNArcS +5rDZ4JQYsqGiGb03VZqW9VXD/40tTtkLU5EaN9tgroQiHovCfLiug4WbRYz26wZF +cnMHaQCPHYAKme72bAypjzooN4KT5KE8uyNQo3/1eEwd2AKRFEl4f2uBTNqJATYE +GAEIACAWIQT20Y0ZqX9MSKXefZJuUZ2DjSFIHwUCXXJfjwIbDAAKCRBuUZ2DjSFI +H+agCACVQyt3pbCPgJ8CXXhMaaH0Y16DJDxy/AXzQL7hxHzgqIrHuOygADCXvMcH +pb6kznMG4pVfeNZtm+FDoQ7rDPcY9T9eSQD6Fw2hzemysdWAoD9ZUNwynw125Og7 +nmOmXIJLQ58J0bDVfb34zwYfdE45LTaQXO2ODx4foMpzCv86XUE4GboQSnUrU1VN +afrbVTSZ7Zna6yNzgtCVomSjxDhCZ+nnYQsTwXqERqby8v2KpgWM3yVV84q2ED2N +51JUIdXFjejFyHWjDHYfYPo4s/I75gYKsTCFo9lGqkcVKX13HMCI7J4KGrmxLVJq +swK2XO60K8/knDo78U2RvVf+Goat +=9tu1 +-----END PGP PRIVATE KEY BLOCK----- diff --git a/tests/fixtures/gpg/user5@gitsecret.io/public.key b/tests/fixtures/gpg/user5@gitsecret.io/public.key new file mode 100644 index 00000000..b1d7792a --- /dev/null +++ b/tests/fixtures/gpg/user5@gitsecret.io/public.key 
@@ -0,0 +1,30 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBF1yX48BCAC7TVKvW81RjJKcGI21cI1iUEPkpWCqXwUjt9UsJ8g+2BW45gmX +9tLKPp5ax6hJoLQpcSkOsKcNdigSwHeB+TjIgGshAQOgOXLgnU6oETkobxrv3TcQ +L0gF09jgnUvdzaCSgqtLndgejG1g5SsYIzzHYSTAj/7t5WY2AQKVsiE9pELxUqLB +QQQ97YHklp26sNXT9FYBNZvLN661PvTB2fgMxMrLkE0i8brAC51zyp0/PCy7huDz +9zjryMCReKkwfVIpevBJspHx1P2HLNe+b+O28C4U0r8CuWSk116itbfKGCtWL8LL +khMUBD4j+6zO1E33HVeRR6hypU8ZhbDIX9BzABEBAAG0F3VzZXI1IChjb21tZW50 +IGNvbW1lbnQpiQFOBBMBCAA4FiEE9tGNGal/TEil3n2SblGdg40hSB8FAl1yX48C +GwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQblGdg40hSB+FBAf/fy472G8V +1zvZSdiMIANle91JrVP69Iol8X1Jr4NJ7YXcmXBg++kOcSi8yaLtG5QnWfuYbNMU +nocsezhnbo/pW2YLZ7e57b86W0rbjN3N4fzRZ8aYV8nVwVKE7mYYST6BrceGEIc8 +T3OQQz4c74Of4gMG4kvg8C+7pzpu5Wgr0YNuju2QIUHX6/Df0KYSac+4igbKCWIn +EqqKoexL8mfgqQ3J5xPzPnFoDjWUZ0Blt1rqiDi7S+yPtRy116vba11UoNaDUnCv +bc5EFgIPayxApSrfUb+S9B5nEJN1kPy39XelDPS6u79z829UtfV5kNfAz6+JH8KT +mjJMROQcX0tk17kBDQRdcl+PAQgAzGclUyI7Jl89yU63WhC/nW+uZtbKIodI2f07 +C1bYdAhZdPlykDvqiNx4vEXYbPcuvyTlmolBlvaNMH8cYN4kxU5Chux8ksPaWUz3 +08UV0T+UCW77+NCn3SG7+Auj16C75ohk/phGa8kwux4Hy3bZ1YZvw6mdmBPMAv26 +Ty+FjMwsYKI57MLSnPEoIOwh8G2kcPJv1nTpwPiHLC+1pEIk5dqdSG/ats8Rw1Gh +ipjeQWVpXfs3ExHIKmU4OroeauzGxSmEmYcDbbse0EcnMm1Fx7DI5y8cTdOi/KcM +8M22T4q29l+Kq+8oPAReOvKBiIH/Fk+IW9Pl/jEHqGJwmrz7vwARAQABiQE2BBgB +CAAgFiEE9tGNGal/TEil3n2SblGdg40hSB8FAl1yX48CGwwACgkQblGdg40hSB/m +oAgAlUMrd6Wwj4CfAl14TGmh9GNegyQ8cvwF80C+4cR84KiKx7jsoAAwl7zHB6W+ +pM5zBuKVX3jWbZvhQ6EO6wz3GPU/XkkA+hcNoc3psrHVgKA/WVDcMp8NduToO55j +plyCS0OfCdGw1X29+M8GH3ROOS02kFztjg8eH6DKcwr/Ol1BOBm6EEp1K1NVTWn6 +21U0me2Z2usjc4LQlaJko8Q4Qmfp52ELE8F6hEam8vL9iqYFjN8lVfOKthA9jedS +VCHVxY3oxch1owx2H2D6OLPyO+YGCrEwhaPZRqpHFSl9dxzAiOyeChq5sS1SarMC +tlzutCvP5Jw6O/FNkb1X/hqGrQ== +=ghZU +-----END PGP PUBLIC KEY BLOCK----- diff --git a/tests/test_clean.bats b/tests/test_clean.bats index db524fc7..60195553 100644 --- a/tests/test_clean.bats +++ b/tests/test_clean.bats 
@@ -5,9 +5,6 @@ load _test_base FIRST_FILE="$TEST_DEFAULT_FILENAME" SECOND_FILE="$TEST_SECOND_FILENAME" -FOLDER="somedir" -FILE_IN_FOLDER="${FOLDER}/file_to_hide3" - function setup { install_fixture_key "$TEST_DEFAULT_USER" @@ -25,7 +22,6 @@ function setup { function teardown { # This also needs to be cleaned: rm "$FIRST_FILE" "$SECOND_FILE" - rm -r "$FOLDER" uninstall_fixture_key "$TEST_DEFAULT_USER" unset_current_state diff --git a/tests/test_hide.bats b/tests/test_hide.bats index 93f4aaff..087aec3c 100644 --- a/tests/test_hide.bats +++ b/tests/test_hide.bats @@ -58,7 +58,6 @@ function teardown { } @test "run 'hide' with '-P'" { - # attempt to alter permissions on input file chmod o-rwx "$FILE_TO_HIDE" @@ -74,17 +73,13 @@ function teardown { local encrypted_file=$(_get_encrypted_filename "$FILE_TO_HIDE") [ -f "$encrypted_file" ] - # permissions should match. We don't have access to SECRETS_OCTAL_PERMS_COMMAND here + ## permissions should match. local secret_perm local file_perm - secret_perm=$(ls -l "$encrypted_file" | cut -d' ' -f1) - file_perm=$(ls -l "$FILE_TO_HIDE" | cut -d' ' -f1) - - # text prefixed with '# ' and sent to file descriptor 3 is 'diagnostic' (debug) output for devs + file_perm=$($SECRETS_OCTAL_PERMS_COMMAND "$FILE_TO_HIDE") + secret_perm=$($SECRETS_OCTAL_PERMS_COMMAND "$encrypted_file") #echo "# '$BATS_TEST_DESCRIPTION': $secret_perm, file_perm: $file_perm" >&3 - [ "$secret_perm" = "$file_perm" ] - } @test "run 'hide' from inside subdirectory" { diff --git a/tests/test_reveal.bats b/tests/test_reveal.bats index 4c7bc9cd..f8f8cb2f 100644 --- a/tests/test_reveal.bats +++ b/tests/test_reveal.bats 
@@ -85,14 +85,12 @@ function teardown { [ "$status" -eq 0 ] + ## permissions should match. local secret_perm local file_perm - secret_perm=$(ls -l "$FILE_TO_HIDE$SECRETS_EXTENSION" | cut -d' ' -f1) - file_perm=$(ls -l "$FILE_TO_HIDE" | cut -d' ' -f1) - - # text prefixed with '# ' and sent to file descriptor 3 is 'diagnostic' (debug) output for devs + file_perm=$($SECRETS_OCTAL_PERMS_COMMAND "$FILE_TO_HIDE") + secret_perm=$($SECRETS_OCTAL_PERMS_COMMAND "$FILE_TO_HIDE$SECRETS_EXTENSION") #echo "# secret_perm: $secret_perm, file_perm: $file_perm" >&3 - [ "$secret_perm" = "$file_perm" ] [ -f "$FILE_TO_HIDE" ] diff --git a/tests/test_tell.bats b/tests/test_tell.bats index 9e386c93..fcf52bed 100644 --- a/tests/test_tell.bats +++ b/tests/test_tell.bats 
@@ -159,6 +159,48 @@ function teardown { } +@test "run 'tell' with key without email and with comment" { + # install works because it works on filename, not contents of keychain + install_fixture_key "$TEST_NOEMAIL_COMMENT_USER" + + # Testing the command itself fails because you have to use an email address + run git secret tell -d "$TEST_GPG_HOMEDIR" "$TEST_NOEMAIL_COMMENT_USER" + + # this should not succeed because we only support addressing users by email + [ "$status" -ne 0 ] + + # Testing that these users are presented in the + # list of people who knows secret: + run git secret whoknows + + [[ "$output" != *"$TEST_NOEMAIL_COMMENT_USER"* ]] + + # Cleaning up: can't clean up by email + #uninstall_fixture_key "$TEST_NOEMAIL_COMMENT_USER" +} + +@test "run 'tell' on non-email" { + install_fixture_key "$TEST_NOEMAIL_COMMENT_USER" + + local name=$(echo "$TEST_NOEMAIL_COMMENT_USER" | sed -e 's/@.*//') + #echo "$name" | sed "s/^/# '$BATS_TEST_DESCRIPTION' name is: /" >&3 + + # Testing the command itself, should fail because you must use email + run git secret tell -d "$TEST_GPG_HOMEDIR" "$name" + + # this should not succeed because we only support addressing users by email + [ "$status" -ne 0 ] + + # Testing that these users are presented in the + # list of people who knows secret: + run git secret whoknows + + [[ "$output" != *"$name"* ]] + + # Cleaning up: can't clean up by email because key doesn't hold it + #uninstall_fixture_key "$TEST_NOEMAIL_COMMENT_USER" +} + @test "run 'tell' in subfolder" { if [[ "$BATS_RUNNING_FROM_GIT" -eq 1 ]]; then skip "this test is skipped while 'git commit'. See #334" diff --git a/utils/build-utils.sh b/utils/build-utils.sh index 2a4cc6e0..d60f4d91 100644 --- a/utils/build-utils.sh +++ b/utils/build-utils.sh @@ -64,6 +64,7 @@ function build_package { # Only requires `rpm`, `apk` or `deb` as first argument: local build_type="$1" + # coreutils is for sha256sum # See https://github.com/jordansissel/fpm for docs: fpm \ -s dir \ 
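Review bot: Both new tests install user5's key into `$TEST_GPG_HOMEDIR` and leave it there (the `uninstall_fixture_key` calls are commented out), so the key persists into later tests in this file unless teardown wipes the whole homedir, which is not visible here. Since the key carries no email, remove it by fingerprint instead: read it with `fpr=$($GPGTEST --with-colons --fingerprint user5 | gawk -F: '/^fpr/{print $10; exit}')` and delete with `$GPGTEST --yes --delete-secret-and-public-key "$fpr"`. Also `local name=$(echo "$TEST_NOEMAIL_COMMENT_USER" | sed -e 's/@.*//')` hides the pipeline's exit status (ShellCheck SC2155) and could simply be `local name="${TEST_NOEMAIL_COMMENT_USER%%@*}"`.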
@@ -76,6 +77,9 @@ function build_package { --maintainer "Nikita Sobolev (mail@sobolevn.me)" \ --license "MIT" \ -C "$SCRIPT_DEST_DIR" \ + -d "bash" \ + -d "coreutils" \ + -d "gawk" \ -d "git" \ -d "gnupg" \ --deb-no-default-config-files \