Merge branch 'master' of github.com:joshrabinowitz/git-secret
This commit is contained in:
commit
bf905106dc
@ -1,9 +1,9 @@
|
||||
FROM alpine:latest
|
||||
|
||||
# don't install coreutils on Alpine, so we get busybox versions of ps, stat, and ls. See #475
|
||||
RUN apk add --no-cache --update \
|
||||
bash \
|
||||
build-base \
|
||||
coreutils \
|
||||
curl \
|
||||
findutils \
|
||||
gcc \
|
||||
|
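--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,4 @@
+# These are supported funding model platforms
+
+patreon: sobolevn
+open_collective: git-secret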
@ -9,7 +9,7 @@ matrix:
|
||||
# language: sh
|
||||
- os: osx
|
||||
name: osx-with-debug-output
|
||||
env: GITSECRET_DIST="brew" SECRETS_TEST_VERBOSE=1
|
||||
env: GITSECRET_DIST="brew"; SECRETS_TEST_VERBOSE=1
|
||||
sudo: required
|
||||
language: shell
|
||||
#language: ruby
|
||||
@ -21,7 +21,7 @@ matrix:
|
||||
#language: ruby
|
||||
#rvm: 2.6
|
||||
- os: linux
|
||||
env: KITCHEN_REGEXP="gnupg1-alpine-latest"
|
||||
env: KITCHEN_REGEXP="gnupg1-alpine-latest"; SECRETS_TEST_VERBOSE=1
|
||||
services: docker
|
||||
sudo: required
|
||||
language: ruby
|
||||
|
44
CHANGELOG.md
44
CHANGELOG.md
@ -1,25 +1,51 @@
|
||||
# Changelog
|
||||
|
||||
## {{Next Version}}
|
||||
## Version 0.3.2
|
||||
|
||||
### Bugfixes
|
||||
|
||||
- Fix mention of version in git-secret add man page (#544)
|
||||
|
||||
### Misc
|
||||
|
||||
- Update developer docs, especially regarding mac, docker, and test-kitchen (#195)
|
||||
- Update man pages to mention version documented (#420)
|
||||
|
||||
## Version 0.3.1
|
||||
|
||||
### Misc
|
||||
|
||||
- Update man pages
|
||||
|
||||
## Version 0.3.0
|
||||
|
||||
### Features
|
||||
|
||||
- Support SECRETS_PINENTRY env var for gnupg --pinentry-mode parameter (#221)
|
||||
- Show output from gnupg if 'hide' fails (#516)
|
||||
- Add support for Busybox (#478)
|
||||
|
||||
### Bugfixes
|
||||
|
||||
- Use OSX's mktemp on OSX, even if there's another version in PATH. (#485)
|
||||
- Make rsync a build requirement on debian (#500)
|
||||
- When tests specify gnupg1, use gnupg1, not gnupg2 (#241)
|
||||
- Ignore revoked gnupg keys (#508)
|
||||
- Use gnupg1, not gnupg2, when tests specify gnupg1 (#241)
|
||||
- Note dependencies gawk, bash, and coreutils in linux packages (#493)
|
||||
- Handle case of key having no email and a comment (#527)
|
||||
- Avoid blank lines from output of 'clean -v'
|
||||
|
||||
## Misc
|
||||
### Misc
|
||||
|
||||
- Improve messaging and logic around deleting tmp files.
|
||||
- Add note about secrets and old keys (#499)
|
||||
- Transition build process from python 2 to python 3 (#487)
|
||||
- Upgrade build process from ansible 2.5 to ansible 2.8
|
||||
- Fix in build process when installing gnupg2 source deps on Ubuntu
|
||||
- Fix build process when installing gnupg2 source deps on Ubuntu
|
||||
- Close file descriptor 3 when running gnupg subprocesses (#521)
|
||||
- Small optimization in 'hide'
|
||||
- Improve code comments
|
||||
- Update docs to note that git-secret repos modified by git-secret 0.2.3 and
|
||||
later are not backward compatible with pre-0.2.3 versions of git-secret. (#536)
|
||||
|
||||
## Version 0.2.6
|
||||
|
||||
@ -57,7 +83,7 @@
|
||||
- Respect DESTDIR when installing as per GNU/debian/etc recommendations (#424)
|
||||
- Use git check-ignore to test for files ignored by git
|
||||
|
||||
## Misc
|
||||
### Misc
|
||||
|
||||
- Improve docs about hide -m option (#467)
|
||||
- Document SECRETS_VERBOSE and improve env var docs (#396)
|
||||
@ -97,7 +123,7 @@
|
||||
- Require keys to be specified by email, as documented (#267)
|
||||
- Disallow 'git secret tell' or 'killperson' with emails that are not in keychain (also #267)
|
||||
|
||||
## Misc
|
||||
### Misc
|
||||
|
||||
- Added notes about packages and for package maintainers (#281)
|
||||
- Improve documentation regarding operation with different versions of GPG (#274, #182)
|
||||
@ -126,7 +152,9 @@
|
||||
### Features
|
||||
|
||||
- Added `-m` option to `hide` command, files will only be hidden when modifications are detected (#92)
|
||||
- Changed how path mappings file works: colon delimited FSDB (#92)
|
||||
- Changed how path mappings file works: colon delimited FSDB in `.gitsecret/paths/mapping.cfg', so git-secret
|
||||
can store checksums of hidden files. Note this means git-secret repos modified by git-secret 0.2.3
|
||||
or later are not backward compatible with pre-0.2.3 versions of git-secret. (#92)
|
||||
- `git secret init` now adds `random_seed` to `.gitignore` (#93)
|
||||
|
||||
### Bugfixes
|
||||
|
104
CONTRIBUTING.md
104
CONTRIBUTING.md
@ -17,41 +17,58 @@ For development with `git-secret` you should have these tools:
|
||||
- sha256sum (on freebsd and MacOS `shasum` is used instead)
|
||||
- [shellcheck](https://github.com/koalaman/shellcheck)
|
||||
|
||||
To test `git-secret` using test-kitchen, you will also need:
|
||||
To test `git-secret` using [test-kitchen](https://kitchen.ci/), which is optional and uses docker to test on multiple distributions,
|
||||
you will also need:
|
||||
|
||||
- docker
|
||||
- test-kitchen
|
||||
- aspell, to check your changes for spelling errors
|
||||
- [docker](https://www.docker.com/)
|
||||
- [test-kitchen](https://kitchen.ci/)
|
||||
|
||||
These are only required if dealing with manuals, `gh-pages` or releases:
|
||||
The below only required if dealing with manuals, `gh-pages` or releases:
|
||||
|
||||
- ruby, ruby-dev
|
||||
- [aspell](http://aspell.net/), to check your changes for spelling errors
|
||||
|
||||
### Environment MacOS
|
||||
|
||||
- install Homebrew
|
||||
- install [Homebrew](https://brew.sh/)
|
||||
- install gnupg2 with `brew install gnupg2`
|
||||
|
||||
#### For docker/test-kitchen
|
||||
#### For docker/test-kitchen (optional, for testing multiple distros locally using docker)
|
||||
|
||||
- install Docker for Mac
|
||||
- install Chef Developer Kit (?)
|
||||
- install ruby2.4 and kitchen dependencies with
|
||||
- install ruby2.6 and kitchen dependencies with
|
||||
|
||||
brew install rbenv ruby-build rbenv-vars;
|
||||
rbenv install 2.4.4; rbenv rehash; rbenv global 2.4.4;
|
||||
gem install bundler kitchen-ansible serverspec kitchen-docker kitchen-verifier-serverspec;
|
||||
rbenv install 2.6.3; rbenv rehash; rbenv global 2.6.3;
|
||||
|
||||
(You can also use `rvm` instead of `rbenv`, but brew packages `rbenv` for you.)
|
||||
|
||||
then use
|
||||
|
||||
gem install bundler kitchen-ansible serverspec kitchen-docker kitchen-verifier-serverspec
|
||||
|
||||
If you have trouble getting test-kitchen and docker working on your mac to test git-secret with, see #534
|
||||
or let us know by filing an issue.
|
||||
|
||||
### Getting started
|
||||
|
||||
1. Create your own or pick an opened issue from the [tracker][tracker]. Take a look at the [`help-wanted` tag][help-wanted]
|
||||
|
||||
2. Fork and clone your repository: `git clone https://github.com/${YOUR_NAME}/git-secret.git`
|
||||
2. Fork the git-secret repo and then clone the repository using a command like `git clone https://github.com/${YOUR_NAME}/git-secret.git`
|
||||
|
||||
3. Make sure that everything works on the current platform by running `make test`.
|
||||
You can also try the experimental `SECRETS_TEST_VERBOSE=1 make test`.
|
||||
You can also try the experimental `SECRETS_TEST_VERBOSE=1 make test`, which will
|
||||
show you a lot of debug output while the tests are running.
|
||||
Note that 'experimental' features may change or be removed in a future version of `git-secret`.
|
||||
|
||||
4. [Run local CI tests](#running-local-ci-tests) to verify functionality on supported platforms `bundle exec kitchen verify --test-base-path="$PWD/.ci/integration"`.
|
||||
4. If you want to test on multiple operating systems, [Run local CI tests](#running-local-ci-tests) (optional; this will
|
||||
automatically happen on [Travis-CI](https://travis-ci.org/sobolevn/git-secret) when you submit a PR).
|
||||
|
||||
Running the CI tests locally is optional. The tests will happen automatically on Travis-CI
|
||||
when you create a PR for `git-secret`, and again when any PR is merged.
|
||||
|
||||
To verify functionality on supported platforms use `bundle exec kitchen verify --test-base-path="$PWD/.ci/integration"`.
|
||||
See `[test-kitchen](https://kitchen.ci/) and `kitchen help verify` for more info about using `kitchen verify`.
|
||||
|
||||
### Code style
|
||||
|
||||
@ -73,7 +90,7 @@ New features and changes should aim to be as clear, concise, simple, and consist
|
||||
Every code base has its own conventions and style that develop and accrete over time.
|
||||
|
||||
Consistency also means that the inputs and outputs of git-secret should be as consistent as reasonable
|
||||
with related unix and git tools, and follow the 'rule of least surprise',
|
||||
with related Unix and git tools, and follow the 'rule of least surprise',
|
||||
also known as the 'principle of least astonishment': <https://en.wikipedia.org/wiki/Principle_of_least_astonishment>
|
||||
|
||||
We wrote this to clarify our thinking about how git-secret should be written. Of course, these are philosophical goals,
|
||||
@ -87,16 +104,16 @@ Also it's often best to implement larger or complex changes as a series of plann
|
||||
each making a small set of specific changes. This facilitates discussions of implementation, which often come to light
|
||||
only after seeing the actual code used to perform a task.
|
||||
|
||||
As mentioned above, we seek to be consistent with surrounding git and unix tools, so when writing changes to git-secret,
|
||||
think about the input, output, and command-line options that similar unix commands use.
|
||||
As mentioned above, we seek to be consistent with surrounding git and Unix tools, so when writing changes to git-secret,
|
||||
think about the input, output, and command-line options that similar Unix commands use.
|
||||
|
||||
Our favor toward traditional unix and git command-style inputs and outputs can also mean it's appropriate to
|
||||
lean heavily on git and widely-used unix command features instead of re-implementing them in code.
|
||||
Our favor toward traditional Unix and git command-style inputs and outputs can also mean it's appropriate to
|
||||
lean heavily on git and widely-used Unix command features instead of re-implementing them in code.
|
||||
|
||||
### Development Process
|
||||
|
||||
1. Firstly, you should need to setup development git hooks with `make install-hooks`
|
||||
This will copy the git-secret development hooks from utils/hooks into .git/hooks/pre-commit and .git/hooks/post-commit
|
||||
1. Firstly, you should setup git-secret's development git hooks with `make install-hooks`
|
||||
This will copy the hooks from utils/hooks into .git/hooks/pre-commit and .git/hooks/post-commit
|
||||
|
||||
2. Make changes to the git secret files that need to be changed
|
||||
|
||||
@ -114,9 +131,10 @@ This will copy the git-secret development hooks from utils/hooks into .git/hooks
|
||||
|
||||
8. When running `git commit` the tests will run automatically, your commit will be canceled if they fail.
|
||||
You can run the tests manually with `make clean build test`.
|
||||
If you want to make a commit and not run the pre- and post-commit hooks, use 'git commit -n'
|
||||
|
||||
9. Push to your repository, and make a pull-request against `master` branch. It's ideal to have one commit per pull-request;
|
||||
otherwise PRs will probably be `squashed` into one commit when merged.
|
||||
9. Push to your repository, and make a pull-request against `master` branch. It's ideal to have one commit per pull-request,
|
||||
but don't worry, it's easy to `squash` PRs into a small number of commits when they're merged.
|
||||
|
||||
### Branches
|
||||
|
||||
@ -128,20 +146,26 @@ Development looks like this:
|
||||
|
||||
- `master` branch is protected, so only fully tested code goes there. It is also used to create a new `git` tag and a `github` release
|
||||
|
||||
By convention, you can name your branches like `issue-###-short-description`, but that's not required.
|
||||
The `gh-pages` branch is used for the pages at `git-secret.io`. See 'Release Process' below.
|
||||
|
||||
|
||||
### Continuous integration
|
||||
|
||||
Local CI is done with the help [`test-kitchen`](http://kitchen.ci/). `test-kitchen` handles multiple test-suites on various platforms.
|
||||
`bundle exec kitchen list` will output the list of test suites to be run against supported platforms.
|
||||
You can run our CI tests locally, but it is not strictly required in order to do development or testing of git-secret. When you have
|
||||
`test-kitchen` installed, `bundle exec kitchen list` will output the list of test suites to be run against supported platforms.
|
||||
|
||||
Cloud CI is done with the help of `travis`. `travis` handles multiple environments:
|
||||
Cloud CI is done with the help of [Travis-CI](https://travis-ci.org/sobolevn/git-secret), which handles testing on multiple environments using
|
||||
|
||||
- `Docker`-based jobs or so-called 'integration tests', these tests create a local release, install it with the package manager and then run unit-tests and system checks
|
||||
- `Docker`-based jobs or so-called 'integration tests', which create a local release, install it with the package manager and then run unit-tests and system checks
|
||||
- `OSX` jobs, which handle basic unit-tests on `MacOS` (Travis still calls MacOS 'OSX')
|
||||
- Native `travis` jobs, which handle basic unit-tests and style checks
|
||||
|
||||
### Running local ci-tests
|
||||
### Running local ci-tests with test-kitchen
|
||||
|
||||
Ci-tests are only necessary if you want to test git-secret on multiple OS'es using docker and test-kitchen,
|
||||
like we do on travis-ci.
|
||||
|
||||
1. Install required gems with `bundle install`.
|
||||
2. Run ci-tests with `bundle exec kitchen verify --test-base-path="$PWD/.ci/integration"`
|
||||
@ -159,13 +183,16 @@ output from commands.
|
||||
|
||||
The release process is defined in the `git`-hooks and `.travis.yml`.
|
||||
|
||||
When creating a commit inside the `master` branch (it is usually a documentation and changelog update with the version bump inside `src/version.sh`) the hooks will trigger three events.
|
||||
When creating a commit inside the `master` branch (it is usually a documentation and changelog update with the version bump inside `src/version.sh`) the
|
||||
pre-commit and post-commit hooks will trigger three events.
|
||||
|
||||
- the test suite will be run locally
|
||||
- `pre-commit`: run the test suite will be locally
|
||||
|
||||
- new manuals will be created and added to the current commit with `make build-man` on `pre-commit` hook.
|
||||
- `pre-commit`: generate and update the manuals and add them to the current commit with `make build-man`
|
||||
|
||||
- after the commit is successfully created it will also trigger `make build-gh-pages` target on `post-commit` hook, which will push new manuals to the [git-secret site][git-secret-site]. And the new `git` tag will be automatically created if the version is changed:
|
||||
- `post-commit`: trigger `make build-gh-pages`, which will update and push manuals to the [git-secret site][git-secret-site].
|
||||
|
||||
- `post-commit`: new `git` tag (such as v0.3.1) will be automatically created if the version is changed, using something like
|
||||
|
||||
```bash
|
||||
if [[ "$NEWEST_TAG" != "v${SCRIPT_VERSION}" ]]; then
|
||||
@ -182,13 +209,17 @@ Here are some links to gnupg documentation that might be useful for those workin
|
||||
|
||||
#### Travis releases
|
||||
|
||||
After you commit a tag that matches the pattern '^v.*$' and the tests succeed, Travis will publish new `deb` and `rpm` packages to [`bintray`][bintray].
|
||||
After you commit a tag that matches the pattern '^v' and the tests succeed, scripts run on [Travis-CI](https://travis-ci.org/sobolevn/git-secret)
|
||||
will publish new `deb` and `rpm` packages to [`bintray`][bintray].
|
||||
|
||||
If you wish to override a previous release (*be careful*) you will need to add `"override": 1` into `matrixParams`, see `deb-deploy.sh` and `rpm-deploy.sh`
|
||||
(If you wish to override a previous release (*be careful, this is discouraged*) you will need to add `"override": 1` into `matrixParams`, see `deb-deploy.sh` and `rpm-deploy.sh`)
|
||||
|
||||
#### Manual releases
|
||||
|
||||
Releases to `brew` are made manually.
|
||||
Releases to `brew` are made manually, and involve opening a PR on the [Homebrew Core](https://github.com/Homebrew/homebrew-core) repo .
|
||||
To get started, see the
|
||||
[Homebrew docs about Formulae-related PRs](https://docs.brew.sh/How-To-Open-a-Homebrew-Pull-Request#formulae-related-pull-request)
|
||||
and `brew bump-formula-pr --help`
|
||||
|
||||
#### Dockerhub releases
|
||||
|
||||
@ -210,7 +241,10 @@ There are several distributions and packaging systems that may already have git-
|
||||
First of all, thank you for packaging git-secret for your platform! We appreciate it.
|
||||
|
||||
We also would like to welcome you to collaborate or discuss any issues, ideas or thoughts you have about
|
||||
git-secret by submitting issue report (which can also be feature requests) or pull requests via the git repo at
|
||||
git-secret by submitting [issue report](https://github.com/sobolevn/git-secret/issues)
|
||||
(which can also be feature requests) or
|
||||
[pull requests](https://help.github.com/en/articles/creating-a-pull-request)
|
||||
via the git repo at
|
||||
[git-secret on github](https://github.com/sobolevn/git-secret)
|
||||
|
||||
Please let us know if there are any changes you'd like to see to the source,
|
||||
|
5
Makefile
5
Makefile
@ -57,8 +57,9 @@ clean-man:
|
||||
find "man/" -type f ! -name "*.ronn" -delete
|
||||
|
||||
.PHONY: build-man
|
||||
build-man: install-ronn clean-man
|
||||
ronn --roff --organization="sobolevn" --manual="git-secret" man/*/*.ronn
|
||||
build-man: install-ronn clean-man git-secret
|
||||
touch man/*/*.ronn
|
||||
export GITSECRET_VERSION=`./git-secret --version` && ronn --roff --organization="sobolevn" --manual="git-secret $${GITSECRET_VERSION}" man/*/*.ronn
|
||||
|
||||
.PHONY: build-gh-pages
|
||||
build-gh-pages:
|
||||
|
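Review bot: The `export GITSECRET_VERSION=...` recipe line in `build-man` masks a failure of `./git-secret --version`: `export` returns 0 whatever the backtick substitution's status was, so a broken or unbuilt `git-secret` yields an empty version and `ronn` still runs with `--manual="git-secret "`. Assigning first and chaining on the assignment's status propagates the error, and the `export` is unnecessary because the variable is only read on the same recipe line: `GITSECRET_VERSION=$$(./git-secret --version) && ronn --roff --organization="sobolevn" --manual="git-secret $${GITSECRET_VERSION}" man/*/*.ronn`. The new `git-secret` prerequisite presumably builds that binary first; the target itself is outside this hunk, so worth confirming it exists.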
49
README.md
49
README.md
@ -22,7 +22,7 @@ you should also change the secrets.
|
||||
|
||||
## Preview
|
||||
|
||||
[![git-secret terminal preview](https://asciinema.org/a/41811.png)](https://asciinema.org/a/41811?autoplay=1)
|
||||
[![git-secret terminal preview](git-secret.gif)](https://asciinema.org/a/41811?autoplay=1)
|
||||
|
||||
|
||||
## Installation
|
||||
@ -64,13 +64,7 @@ If you found any security related issues, please do not disclose it in public. S
|
||||
|
||||
## Changelog
|
||||
|
||||
`git-secret` uses semver. See [CHANGELOG.md](CHANGELOG.md).
|
||||
|
||||
|
||||
## Contributors
|
||||
|
||||
This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)].
|
||||
<a href="https://github.com/sobolevn/git-secret/graphs/contributors"><img src="https://opencollective.com/git-secret/contributors.svg?width=890" /></a>
|
||||
`git-secret` uses [semver](https://semver.org/). See [CHANGELOG.md](CHANGELOG.md).
|
||||
|
||||
|
||||
## Packagers
|
||||
@ -79,11 +73,13 @@ Thanks also to all the people and groups who package git-secret to be easier to
|
||||
|
||||
Here are some packagings of git-secret that we're aware of:
|
||||
|
||||
- https://pkgs.alpinelinux.org/package/edge/testing/x86/git-secret
|
||||
- https://aur.archlinux.org/packages/git-secret/
|
||||
- https://formulae.brew.sh/formula/git-secret
|
||||
- https://packages.ubuntu.com/bionic/git-secret
|
||||
- https://packages.debian.org/sid/git-secret
|
||||
- https://apps.fedoraproject.org/packages/git-secret
|
||||
- https://aur.archlinux.org/packages/git-secret/
|
||||
- https://pkgs.alpinelinux.org/package/edge/testing/x86/git-secret
|
||||
- https://packages.debian.org/sid/git-secret
|
||||
- https://github.com/void-linux/void-packages/blob/master/srcpkgs/git-secret/template
|
||||
|
||||
Such packages are considered 'downstream' because the git-secret code 'flows' from the git-secret repository
|
||||
to the various rpm/deb/dpkg/etc packages that are created for specific OSes and distributions.
|
||||
@ -91,27 +87,24 @@ to the various rpm/deb/dpkg/etc packages that are created for specific OSes and
|
||||
We have also added notes specifically for packagers in [CONTRIBUTING.md](CONTRIBUTING.md).
|
||||
|
||||
|
||||
## Backers
|
||||
|
||||
Thank you to all our backers! 🙏 [[Become a backer](https://opencollective.com/git-secret#backer)]
|
||||
|
||||
<a href="https://opencollective.com/git-secret#backers" target="_blank"><img src="https://opencollective.com/git-secret/backers.svg?width=890"></a>
|
||||
|
||||
|
||||
## Sponsors
|
||||
|
||||
Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [[Become a sponsor](https://opencollective.com/git-secret#sponsor)]
|
||||
|
||||
<a href="https://opencollective.com/git-secret/sponsor/0/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/0/avatar.svg"></a>
|
||||
<a href="https://opencollective.com/git-secret/sponsor/1/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/1/avatar.svg"></a>
|
||||
<a href="https://opencollective.com/git-secret/sponsor/2/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/2/avatar.svg"></a>
|
||||
<a href="https://opencollective.com/git-secret/sponsor/3/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/3/avatar.svg"></a>
|
||||
<a href="https://opencollective.com/git-secret/sponsor/4/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/4/avatar.svg"></a>
|
||||
<a href="https://opencollective.com/git-secret/sponsor/5/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/5/avatar.svg"></a>
|
||||
<a href="https://opencollective.com/git-secret/sponsor/6/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/6/avatar.svg"></a>
|
||||
<a href="https://opencollective.com/git-secret/sponsor/7/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/7/avatar.svg"></a>
|
||||
<a href="https://opencollective.com/git-secret/sponsor/8/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/8/avatar.svg"></a>
|
||||
<a href="https://opencollective.com/git-secret/sponsor/9/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/9/avatar.svg"></a>
|
||||
[![Sponsors](https://opencollective.com/git-secret/tiers/sponsor.svg?width=890)](https://opencollective.com/git-secret)
|
||||
|
||||
|
||||
## Backers
|
||||
|
||||
Thanks to all our backers!
|
||||
|
||||
[![Backers](https://opencollective.com/git-secret/tiers/backer.svg?width=890&avatarHeight=36)](https://opencollective.com/git-secret)
|
||||
|
||||
|
||||
## Contributors
|
||||
|
||||
This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)].
|
||||
<a href="https://github.com/sobolevn/git-secret/graphs/contributors"><img src="https://opencollective.com/git-secret/contributors.svg?width=890" /></a>
|
||||
|
||||
|
||||
## License
|
||||
|
BIN
git-secret.gif
Normal file
BIN
git-secret.gif
Normal file
Binary file not shown.
After Width: | Height: | Size: 555 KiB |
Binary file not shown.
@ -10,7 +10,7 @@ git-secret-add - starts to track added files.
|
||||
`git-secret-add` adds a filepath(s) into `.gitsecret/paths/mapping.cfg`
|
||||
and ensures the filepath is mentioned .gitignore.
|
||||
|
||||
When adding files to encrypt, `git-secret-add` (as of 0.3.0) will ensure that they are ignored by `git` by mentioning
|
||||
When adding files to encrypt, `git-secret-add` (as of 0.2.6) will ensure that they are ignored by `git` by mentioning
|
||||
them in .gitignore, since they must be secure and not be committed into the remote repository unencrypted.
|
||||
|
||||
If there's no users in the `git-secret`'s keyring, when adding a file, an exception will be raised.
|
||||
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -28,6 +28,8 @@ fi
|
||||
: "${SECRETS_OCTAL_PERMS_COMMAND:="_os_based __get_octal_perms"}"
|
||||
: "${SECRETS_EPOCH_TO_DATE:="_os_based __epoch_to_date"}"
|
||||
|
||||
# Temp Dir
|
||||
: "${TMPDIR:=/tmp}"
|
||||
|
||||
# AWK scripts:
|
||||
# shellcheck disable=2016
|
||||
@ -195,7 +197,7 @@ function _temporary_file {
|
||||
# which will be removed on system exit.
|
||||
temporary_filename=$(_os_based __temp_file) # is not `local` on purpose.
|
||||
|
||||
trap 'if [[ -n "$_SECRETS_VERBOSE" ]] || [[ -n "$SECRETS_TEST_VERBOSE" ]]; then echo "git-secret: cleaning up: $temporary_filename"; fi; rm -f "$temporary_filename";' EXIT
|
||||
trap 'if [[ -f "$temporary_filename" ]]; then if [[ -n "$_SECRETS_VERBOSE" ]] || [[ -n "$SECRETS_TEST_VERBOSE" ]]; then echo "git-secret: cleaning up: $temporary_filename"; fi; rm -f "$temporary_filename"; fi;' EXIT
|
||||
}
|
||||
|
||||
|
||||
@ -464,14 +466,12 @@ function _find_and_clean_formatted {
|
||||
# required:
|
||||
local pattern="$1" # can be any string pattern
|
||||
|
||||
if [[ -n "$_SECRETS_VERBOSE" ]]; then
|
||||
echo && _message "cleaning:"
|
||||
fi
|
||||
local outputs
|
||||
outputs=$(_find_and_clean "$pattern" 2>&1)
|
||||
|
||||
_find_and_clean "$pattern"
|
||||
|
||||
if [[ -n "$_SECRETS_VERBOSE" ]]; then
|
||||
echo
|
||||
if [[ -n "$_SECRETS_VERBOSE" ]] && [[ -n "$outputs" ]]; then
|
||||
# shellcheck disable=SC2001
|
||||
echo "$outputs" | sed "s/^/git-secret: cleaning: /"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -525,6 +525,21 @@ function _secrets_dir_is_not_ignored {
|
||||
}
|
||||
|
||||
|
||||
function _exe_is_busybox {
|
||||
local exe
|
||||
exe=$1
|
||||
|
||||
# we assume stat is from busybox if it's a symlink
|
||||
local is_busybox=0
|
||||
local stat_path
|
||||
stat_path=$(command -v "$exe")
|
||||
if [ -L "$stat_path" ]; then
|
||||
is_busybox=1
|
||||
fi
|
||||
echo "$is_busybox"
|
||||
}
|
||||
|
||||
|
||||
function _user_required {
|
||||
# This function does a bunch of validations:
|
||||
# 1. It calls `_secrets_dir_exists` to verify that "$_SECRETS_DIR" exists.
|
||||
@ -544,18 +559,20 @@ function _user_required {
|
||||
local secrets_dir_keys
|
||||
secrets_dir_keys=$(_get_secrets_dir_keys)
|
||||
|
||||
# see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs for info about 3>&-
|
||||
local keys_exist
|
||||
keys_exist=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning -n --list-keys)
|
||||
keys_exist=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning -n --list-keys 3>&-)
|
||||
local exit_code=$?
|
||||
if [[ -z "$keys_exist" ]]; then
|
||||
_abort "$error_message"
|
||||
fi
|
||||
if [[ "$exit_code" -ne 0 ]]; then
|
||||
# this might catch corner case where gpg --list-keys shows
|
||||
# 'gpg: skipped packet of type 12 in keybox' warnings but succeeds?
|
||||
# See #136
|
||||
echo "$keys_exist" # show whatever _did_ come out of gpg
|
||||
_abort "problem listing public keys with gpg: exit code $exit_code"
|
||||
fi
|
||||
if [[ -z "$keys_exist" ]]; then
|
||||
_abort "$error_message"
|
||||
fi
|
||||
}
|
||||
|
||||
# note: this has the same 'username matching' issue described in
|
||||
@ -571,7 +588,8 @@ function _get_user_key_expiry {
|
||||
local secrets_dir_keys
|
||||
secrets_dir_keys=$(_get_secrets_dir_keys)
|
||||
|
||||
line=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode "$username" | grep ^pub:)
|
||||
# 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs
|
||||
line=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode "$username" | grep ^pub: 3>&-)
|
||||
|
||||
local expiry_epoch
|
||||
expiry_epoch=$(echo "$line" | cut -d: -f7)
|
||||
@ -587,6 +605,9 @@ function _assert_keychain_contains_emails {
|
||||
local gpg_uids
|
||||
gpg_uids=$(_get_users_in_gpg_keyring "$homedir")
|
||||
for email in "${emails[@]}"; do
|
||||
if [[ $email != *"@"* ]]; then
|
||||
_abort "does not appear to be an email: $email"
|
||||
fi
|
||||
local email_ok=0
|
||||
for uid in $gpg_uids; do
|
||||
if [[ "$uid" == "$email" ]]; then
|
||||
@ -622,9 +643,14 @@ function _get_users_in_gpg_keyring {
|
||||
fi
|
||||
|
||||
# we use --fixed-list-mode so older versions of gpg emit 'uid:' lines.
|
||||
# here gawk splits on colon as --with-colon, exact matches field 1 as 'uid' that is not revoked (field 2 set to 'r') and selects field 10 "User-ID"
|
||||
# the gensub regex extracts email from <> within field 10. (If there's no <>, then field is just an email address anyway and the regex just passes it through.)
|
||||
result=$($SECRETS_GPG_COMMAND "${args[@]}" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode | gawk -F: '$1~/uid/&&$2!="r"{print gensub(/.*<(.*)>.*/, "\\1", "g", $10); }')
|
||||
# here gawk splits on colon as --with-colon, exact matches field 1 as 'uid', and selects field 10 "User-ID"
|
||||
# the gensub regex extracts email from <> within field 10. (If there's no <>, then field is just an email address
|
||||
# (and maybe a comment) and the regex just passes it through.)
|
||||
# sed at the end removes any 'comment' that appears in parentheses, for #530
|
||||
# 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs
|
||||
result=$($SECRETS_GPG_COMMAND "${args[@]}" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode | \
|
||||
gawk -F: '$1~/uid/{print gensub(/.*<(.*)>.*/, "\\1", "g", $10); }' | \
|
||||
sed 's/([^)]*)//g' 3>&-)
|
||||
|
||||
echo "$result"
|
||||
}
|
||||
|
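Review bot: The new gawk program in `_get_users_in_gpg_keyring` drops the `$2!="r"` test the old line carried, so uids whose validity field is `r` (revoked) are listed as recipients again, which contradicts the "Ignore revoked gnupg keys (#508)" entry in this commit's own CHANGELOG; unless that filtering moved elsewhere, `hide` would encrypt secrets to keys with revoked uids. Restore it in the awk line: `gawk -F: '$1~/uid/&&$2!="r"{print gensub(/.*<(.*)>.*/, "\\1", "g", $10); }' | \`. The `3>&-` at the end of that pipeline only closes fd 3 for `sed` (and, in `_get_user_key_expiry`, only for `grep`), not for the gpg process the comment says it is for; a redirection after the last pipeline stage applies to that stage alone, so put it on the gpg invocation, e.g. `result=$($SECRETS_GPG_COMMAND "${args[@]}" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode 3>&- | \`. Both functions begin before their hunks.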
@ -10,7 +10,6 @@ function __replace_in_file_freebsd {
|
||||
|
||||
|
||||
function __temp_file_freebsd {
|
||||
: "${TMPDIR:=/tmp}"
|
||||
local filename
|
||||
# man mktemp on FreeBSD:
|
||||
# ...
|
||||
|
@ -8,7 +8,6 @@ function __replace_in_file_linux {
|
||||
|
||||
|
||||
function __temp_file_linux {
|
||||
: "${TMPDIR:=/tmp}"
|
||||
local filename
|
||||
# man mktemp on CentOS 7:
|
||||
# mktemp [OPTION]... [TEMPLATE]
|
||||
@ -35,9 +34,16 @@ function __sha256_linux {
|
||||
function __get_octal_perms_linux {
|
||||
local filename
|
||||
filename=$1
|
||||
local perms
|
||||
|
||||
local stat_is_busybox
|
||||
stat_is_busybox=_exe_is_busybox "stat"
|
||||
local perms # a string like '644'
|
||||
if [ "$stat_is_busybox" -eq 1 ]; then
|
||||
# special case for busybox, which doesn't understand --format
|
||||
perms=$(stat -c '%a' "$filename")
|
||||
else
|
||||
perms=$(stat --format '%a' "$filename")
|
||||
# a string like '0644'
|
||||
fi
|
||||
echo "$perms"
|
||||
}
|
||||
|
||||
|
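Review bot: `stat_is_busybox=_exe_is_busybox "stat"` in `__get_octal_perms_linux` is not a command substitution: the shell parses it as running `stat` with no arguments, with `stat_is_busybox=_exe_is_busybox` as a temporary environment variable for that one command, so `_exe_is_busybox` is never called, `stat_is_busybox` stays unset, the `[ "$stat_is_busybox" -eq 1 ]` test errors and always takes the `--format` branch, and the bare `stat` exits non-zero, which aborts the script wherever `set -e` is in effect (the `set +e` comment in `hide` suggests it is). The intended line is `stat_is_busybox=$(_exe_is_busybox "stat")`. Simpler still, GNU stat accepts `-c` as the short form of `--format`, so `perms=$(stat -c '%a' "$filename")` works for both GNU and busybox and the whole branch can go. Either way the trailing comment should say `'644'`, since `%a` prints no leading zero.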
@ -8,7 +8,6 @@ function __replace_in_file_osx {
|
||||
|
||||
|
||||
function __temp_file_osx {
|
||||
: "${TMPDIR:=/tmp}"
|
||||
local filename
|
||||
# man mktemp on OSX:
|
||||
# ...
|
||||
|
@ -109,7 +109,7 @@ function hide {
|
||||
[ "$1" = '--' ] && shift
|
||||
|
||||
if [ $# -ne 0 ]; then
|
||||
_abort "clean does not understand params: $*"
|
||||
_abort "hide does not understand params: $*"
|
||||
fi
|
||||
|
||||
# We need user to continue:
|
||||
@ -132,6 +132,12 @@ function hide {
|
||||
to_hide+=("$record") # add record to array
|
||||
done < "$path_mappings"
|
||||
|
||||
local recipients
|
||||
recipients=$(_get_recipients)
|
||||
|
||||
local secrets_dir_keys
|
||||
secrets_dir_keys=$(_get_secrets_dir_keys)
|
||||
|
||||
local counter=0
|
||||
for record in "${to_hide[@]}"; do
|
||||
local filename
|
||||
@ -141,12 +147,6 @@ function hide {
|
||||
fsdb_file_hash=$(_get_record_hash "$record")
|
||||
encrypted_filename=$(_get_encrypted_filename "$filename")
|
||||
|
||||
local recipients
|
||||
recipients=$(_get_recipients)
|
||||
|
||||
local secrets_dir_keys
|
||||
secrets_dir_keys=$(_get_secrets_dir_keys)
|
||||
|
||||
local input_path
|
||||
local output_path
|
||||
input_path=$(_append_root_path "$filename")
|
||||
@ -170,21 +170,28 @@ function hide {
|
||||
|
||||
set +e # disable 'set -e' so we can capture exit_code
|
||||
|
||||
if [[ -n "$_SECRETS_VERBOSE" ]]; then
|
||||
# on at least some platforms, this doesn't output anything unless there's a warning or error
|
||||
$SECRETS_GPG_COMMAND "${args[@]}"
|
||||
else
|
||||
$SECRETS_GPG_COMMAND "${args[@]}" > /dev/null 2>&1
|
||||
fi
|
||||
# see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs for info about 3>&-
|
||||
local gpg_output
|
||||
gpg_output=$($SECRETS_GPG_COMMAND "${args[@]}" 3>&-) # we leave stderr alone
|
||||
local exit_code=$?
|
||||
|
||||
set -e # re-enable set -e
|
||||
|
||||
local error=0
|
||||
if [[ "$exit_code" -ne 0 ]] || [[ ! -f "$output_path" ]]; then
|
||||
error=1
|
||||
fi
|
||||
|
||||
if [[ "$error" -ne 0 ]] || [[ -n "$_SECRETS_VERBOSE" ]]; then
|
||||
if [[ -n "$gpg_output" ]]; then
|
||||
echo "$gpg_output"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ ! -f "$output_path" ]]; then
|
||||
# if gpg can't encrypt a file we asked it to, that's an error unless in force_continue mode.
|
||||
_warn_or_abort "problem encrypting file with gpg: exit code $exit_code: $filename" "$exit_code" "$force_continue"
|
||||
fi
|
||||
if [[ -f "$output_path" ]]; then
|
||||
else
|
||||
counter=$((counter+1))
|
||||
if [[ "$preserve" == 1 ]]; then
|
||||
local perms
|
||||
|
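Review bot: The failure path after the gpg call decides on `[[ ! -f "$output_path" ]]` alone, so a non-zero `exit_code` with an output file still present (for instance one left from an earlier hide, if gpg is allowed to overwrite) is only echoed and execution then appears to proceed to `counter=$((counter+1))` as a success; the `error` flag already combines both conditions and should drive the abort, e.g. `if [[ "$error" -ne 0 ]]; then`. Separately, `gpg_output=$(... 3>&-)` captures stdout only, and gpg reports its diagnostics on stderr, so on failure `$gpg_output` is usually empty while the stderr text has already been printed unconditionally, which is exactly what the old `> /dev/null 2>&1` branch used to suppress. If the intent is to show gpg's messages only on error or in verbose mode, capture with `2>&1` and print the captured text to stderr (`echo "$gpg_output" >&2`). hide's body continues outside the hunk, including the `preserve` handling.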
@ -31,7 +31,8 @@ function killperson {
|
||||
_assert_keychain_contains_emails "$secrets_dir_keys" "${emails[@]}"
|
||||
|
||||
for email in "${emails[@]}"; do
|
||||
$SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --batch --yes --delete-key "$email"
|
||||
# see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs for info about 3>&-
|
||||
$SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --batch --yes --delete-key "$email" 3>&-
|
||||
local exit_code=$?
|
||||
if [[ "$exit_code" -ne 0 ]]; then
|
||||
_abort "problem deleting key for '$email' with gpg: exit code $exit_code"
|
||||
|
@ -75,5 +75,5 @@ function reveal {
|
||||
|
||||
done
|
||||
|
||||
echo "git-secret: done. $counter of ${#to_show[@]} files are revealed."
|
||||
_message "done. $counter of ${#to_show[@]} files are revealed."
|
||||
}
|
||||
|
@ -10,7 +10,8 @@ END { print cnt }
|
||||
function get_gpg_key_count {
|
||||
local secrets_dir_keys
|
||||
secrets_dir_keys=$(_get_secrets_dir_keys)
|
||||
$SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon | gawk "$AWK_GPG_KEY_CNT"
|
||||
# 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs
|
||||
$SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon | gawk "$AWK_GPG_KEY_CNT" 3>&-
|
||||
local exit_code=$?
|
||||
if [[ "$exit_code" -ne 0 ]]; then
|
||||
_abort "problem counting keys with gpg: exit code $exit_code"
|
||||
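Review bot: In the rewritten pipeline the `3>&-` applies only to the `gawk` stage, so gpg itself still inherits fd 3; if the point of closing it is to keep gpg (and anything it may spawn) from holding the bats descriptor open, the redirection belongs on the gpg stage: `$SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon 3>&- | gawk "$AWK_GPG_KEY_CNT"`. The same placement question applies to the `sed 's/([^)]*)//g' 3>&-` at the end of the uid-listing pipeline earlier in this diff. Also, `local exit_code=$?` after a pipeline reports gawk's status rather than gpg's, so a failing gpg is not noticed unless `pipefail` is set; `"${PIPESTATUS[0]}"` would capture gpg's status. The enclosing function continues outside the hunk.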
@ -75,14 +76,15 @@ function tell {
|
||||
# shellcheck disable=2154
|
||||
local keyfile="$temporary_filename"
|
||||
|
||||
# 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs
|
||||
local exit_code
|
||||
if [[ -z "$homedir" ]]; then
|
||||
$SECRETS_GPG_COMMAND --export -a "$email" > "$keyfile"
|
||||
$SECRETS_GPG_COMMAND --export -a "$email" > "$keyfile" 3>&-
|
||||
exit_code=$?
|
||||
else
|
||||
# It means that homedir is set as an extra argument via `-d`:
|
||||
$SECRETS_GPG_COMMAND --no-permission-warning --homedir="$homedir" \
|
||||
--export -a "$email" > "$keyfile"
|
||||
--export -a "$email" > "$keyfile" 3>&-
|
||||
exit_code=$?
|
||||
fi
|
||||
if [[ "$exit_code" -ne 0 ]]; then
|
||||
@ -99,9 +101,9 @@ function tell {
|
||||
|
||||
local args=( --homedir "$secrets_dir_keys" --no-permission-warning --import "$keyfile" )
|
||||
if [[ -z "$_SECRETS_VERBOSE" ]]; then
|
||||
$SECRETS_GPG_COMMAND "${args[@]}" > /dev/null 2>&1
|
||||
$SECRETS_GPG_COMMAND "${args[@]}" > /dev/null 2>&1 3>&-
|
||||
else
|
||||
$SECRETS_GPG_COMMAND "${args[@]}"
|
||||
$SECRETS_GPG_COMMAND "${args[@]}" 3>&-
|
||||
fi
|
||||
exit_code=$?
|
||||
|
||||
@ -112,7 +114,7 @@ function tell {
|
||||
fi
|
||||
done
|
||||
|
||||
echo "done. ${emails[*]} added as someone who know(s) the secret."
|
||||
_message "done. ${emails[*]} added as user(s) who know the secret."
|
||||
|
||||
# force re-encrypting of files if required
|
||||
local fsdb
|
||||
|
@ -1,4 +1,4 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# shellcheck disable=2034
|
||||
GITSECRET_VERSION='0.2.6'
|
||||
GITSECRET_VERSION='0.3.2'
|
||||
|
@ -7,6 +7,9 @@
|
||||
source "$SECRET_PROJECT_ROOT/src/version.sh"
|
||||
# shellcheck disable=SC1090
|
||||
source "$SECRET_PROJECT_ROOT/src/_utils/_git_secret_tools.sh"
|
||||
source "$SECRET_PROJECT_ROOT/src/_utils/_git_secret_tools_freebsd.sh"
|
||||
source "$SECRET_PROJECT_ROOT/src/_utils/_git_secret_tools_linux.sh"
|
||||
source "$SECRET_PROJECT_ROOT/src/_utils/_git_secret_tools_osx.sh"
|
||||
|
||||
# Constants:
|
||||
FIXTURES_DIR="$BATS_TEST_DIRNAME/fixtures"
|
||||
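Review bot: The `# shellcheck disable=SC1090` directive covers only the `source` line that follows it, so the three added `source "$SECRET_PROJECT_ROOT/src/_utils/_git_secret_tools_*.sh"` lines will trigger SC1090 on their own unless the project's ShellCheck configuration already excludes it; repeat the directive before each, or use one file-level directive near the shebang. A short comment on why the per-platform tool files are now sourced in the test base (presumably so tests can call platform helpers such as `$SECRETS_OCTAL_PERMS_COMMAND`) would help the next reader.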
@ -36,9 +39,10 @@ BEGIN { OFS=":"; FS=":"; }
|
||||
# This command is used with absolute homedir set and disabled warnings:
|
||||
GPGTEST="$SECRETS_GPG_COMMAND --homedir=$TEST_GPG_HOMEDIR --no-permission-warning --batch"
|
||||
|
||||
# Personal data:
|
||||
# Test key fixture data. Fixtures are at tests/fixtures/gpg/$email
|
||||
|
||||
# these two are 'normal' keys
|
||||
# See tests/fixtures/gpg/README.md for more on key fixtures 'user[1-5]@gitsecret.io'
|
||||
# these two are 'normal' keys.
|
||||
export TEST_DEFAULT_USER="user1@gitsecret.io"
|
||||
export TEST_SECOND_USER="user2@gitsecret.io"
|
||||
|
||||
@ -48,6 +52,8 @@ export TEST_NONAME_USER="user3@gitsecret.io"
|
||||
# TEST_EXPIRED_USER (user4) has expired
|
||||
export TEST_EXPIRED_USER="user4@gitsecret.io" # this key expires 2018-09-24
|
||||
|
||||
export TEST_NOEMAIL_COMMENT_USER="user5@gitsecret.io" # fixture filename is named this, but key has no email and a comment, as per #527
|
||||
|
||||
export TEST_ATTACKER_USER="attacker1@gitsecret.io"
|
||||
|
||||
|
||||
@ -73,10 +79,16 @@ function stop_gpg_agent {
|
||||
if [[ "$GITSECRET_DIST" == "windows" ]]; then
|
||||
ps -l -u "$username" | gawk \
|
||||
'/gpg-agent/ { if ( $0 !~ "awk" ) { system("kill "$1) } }' >> "$TEST_GPG_OUTPUT_FILE" 2>&1
|
||||
else
|
||||
local ps_is_busybox
|
||||
ps_is_busybox=_exe_is_busybox "ps"
|
||||
if [[ $ps_is_busybox -eq "1" ]]; then
|
||||
echo "# git-secret: tests: not stopping gpg-agent on busybox" >&3
|
||||
else
|
||||
ps -wx -U "$username" | gawk \
|
||||
'/gpg-agent --homedir/ { if ( $0 !~ "awk" ) { system("kill "$1) } }' >> "$TEST_GPG_OUTPUT_FILE" 2>&1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
|
5
tests/fixtures/gpg/README.md
vendored
5
tests/fixtures/gpg/README.md
vendored
@ -22,3 +22,8 @@
|
||||
`gpg --export --armor user4 > tests/fixtures/gpg/user4/public.key`
|
||||
and
|
||||
`gpg --export-secret-keys --armor user4 > tests/fixtures/gpg/user4/private.key`
|
||||
|
||||
* user5 was created for issue #527 using `gpg --full-generate-key`.
|
||||
with name 'user5', no email address, the comment 'comment comment', and
|
||||
the passphrase 'user5pass'. Keys were exported as above.
|
||||
|
||||
|
59
tests/fixtures/gpg/user5@gitsecret.io/private.key
vendored
Normal file
59
tests/fixtures/gpg/user5@gitsecret.io/private.key
vendored
Normal file
@ -0,0 +1,59 @@
|
||||
-----BEGIN PGP PRIVATE KEY BLOCK-----
|
||||
|
||||
lQPGBF1yX48BCAC7TVKvW81RjJKcGI21cI1iUEPkpWCqXwUjt9UsJ8g+2BW45gmX
|
||||
9tLKPp5ax6hJoLQpcSkOsKcNdigSwHeB+TjIgGshAQOgOXLgnU6oETkobxrv3TcQ
|
||||
L0gF09jgnUvdzaCSgqtLndgejG1g5SsYIzzHYSTAj/7t5WY2AQKVsiE9pELxUqLB
|
||||
QQQ97YHklp26sNXT9FYBNZvLN661PvTB2fgMxMrLkE0i8brAC51zyp0/PCy7huDz
|
||||
9zjryMCReKkwfVIpevBJspHx1P2HLNe+b+O28C4U0r8CuWSk116itbfKGCtWL8LL
|
||||
khMUBD4j+6zO1E33HVeRR6hypU8ZhbDIX9BzABEBAAH+BwMCrMDlojZX/jjr0l3U
|
||||
8acJEKVGWAq8dxt+UKNm5PSNZksQdcsz4E1JL/4JitfRhvrH24OGJnGrmMYeQJjH
|
||||
Dw+dHUf8UDD8KpRigihCug44VM36ZtiCxfQ8+x01DQ8G6dntZmphg6B0dJbvhUJa
|
||||
YEuRk1n5rVH1lMEitq3ZcnvnU4hJxWfKdo8qI+MReaiVtODk42y0kA6/7y+w+a1j
|
||||
7wWtVsdHvvC5f698Z0FKzSGxHWGgE2bFWaRxhuX0WIBMgDsr2H+jcvb51c3SIWkd
|
||||
eCTupBomcv99FYcBUHf4VnjJGgBn4ibU49BZtMbmTHeB4bNb/hTCwhWuW50mr2yt
|
||||
GZ/Ued2y6khcaDXlsQGdqUn7/4KEe3vpwVU6RzKrxBMhaY2zZdwVEAb9c/2szSt6
|
||||
+YOhopOmH23lWF5iu2pdRcU9pJtj614tpIGOLC4H8e+im+buy+jOIvj6eECH50zK
|
||||
zHchOvrCWAG4qcVTSAv2J2Ywa1wzKxUfoPbpCZJ7pJvt2pjxa2Mh1vjlydle4/Tq
|
||||
6qcu4OONdJPiDu2n0DvThfZXxWPqYrQKNPok/uIuOyux3U3JKgBdCKW9wj6wXvik
|
||||
TakIRvsPjMsTkyP5J7GoFokw/7tTd8fww6+HK7o171+bT1/oEmp+ulE/U5mcaVTw
|
||||
uabWtLt9gignidle6R4GlVI/xo/J/szcQyiv9/MA1z0tC5FIM2HYF4ADg2de8MbE
|
||||
dQKyNZxkAoFtofE8WDsMVf/C2BzTpLp9yqTGhZptCWlkU+OpBxLaVIa1tlw0mbt0
|
||||
PWujKEatkdFOHhuutjLCWGiB84FKkPPti0YkfJxPxbXDMa2p7KvCSSrrkZM2mKBq
|
||||
13hcLm4ANUWQCFJHpCriMg79xLSL6zEL4Lt6V+Soi1dDtH5jwox+SsC273BZXyq8
|
||||
rjOisteYwarjtBd1c2VyNSAoY29tbWVudCBjb21tZW50KYkBTgQTAQgAOBYhBPbR
|
||||
jRmpf0xIpd59km5RnYONIUgfBQJdcl+PAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B
|
||||
AheAAAoJEG5RnYONIUgfhQQH/38uO9hvFdc72UnYjCADZXvdSa1T+vSKJfF9Sa+D
|
||||
Se2F3JlwYPvpDnEovMmi7RuUJ1n7mGzTFJ6HLHs4Z26P6VtmC2e3ue2/OltK24zd
|
||||
zeH80WfGmFfJ1cFShO5mGEk+ga3HhhCHPE9zkEM+HO+Dn+IDBuJL4PAvu6c6buVo
|
||||
K9GDbo7tkCFB1+vw39CmEmnPuIoGygliJxKqiqHsS/Jn4KkNyecT8z5xaA41lGdA
|
||||
Zbda6og4u0vsj7Uctder22tdVKDWg1Jwr23ORBYCD2ssQKUq31G/kvQeZxCTdZD8
|
||||
t/V3pQz0uru/c/NvVLX1eZDXwM+viR/Ck5oyTETkHF9LZNedA8YEXXJfjwEIAMxn
|
||||
JVMiOyZfPclOt1oQv51vrmbWyiKHSNn9OwtW2HQIWXT5cpA76ojceLxF2Gz3Lr8k
|
||||
5ZqJQZb2jTB/HGDeJMVOQobsfJLD2llM99PFFdE/lAlu+/jQp90hu/gLo9egu+aI
|
||||
ZP6YRmvJMLseB8t22dWGb8OpnZgTzAL9uk8vhYzMLGCiOezC0pzxKCDsIfBtpHDy
|
||||
b9Z06cD4hywvtaRCJOXanUhv2rbPEcNRoYqY3kFlaV37NxMRyCplODq6HmrsxsUp
|
||||
hJmHA227HtBHJzJtRcewyOcvHE3TovynDPDNtk+KtvZfiqvvKDwEXjrygYiB/xZP
|
||||
iFvT5f4xB6hicJq8+78AEQEAAf4HAwJRNs0fBsU0LOueT8yhsPFyxg+XYBeAR5Hx
|
||||
NyCFrIXaDSTY+TrTpbY0o2wrBgZtI+YAuVCgqkmQDzp8Dhb21Dcx2Zg4xJ92KHcE
|
||||
dwq/VMz9l5l6JgfEg7Dt8XUCeetYKEkX/li9Q9urwBpZ3oPIjjhZoK74zfGA0Qtk
|
||||
qRYCXHhBVme7pxAfirmX0jiLbDv5nV+fzJXqTzY/Zsaodw0w9CiuzZ5ftM7kk7QH
|
||||
TGEeGB0yaEgm7LPupGxfkHnY7IU7f1g4e7QhQcFSHady2HrtEVYFgsdlxxCxSFzK
|
||||
G3zctVTTTQKb67zVNKtblizSHRq21gx/uutReh+RZUhTJewfpOpup7e9oNDxpkSW
|
||||
nkiHU91vNaOfdfuID7V6eIYKM3yCvrc5z9NKBYklGX2wYm9qEObBF1LrQD2c/M/+
|
||||
Rn6gnJLdUo0Q95URwngCrchz1i7MVWje3VfsuiHRsB62NFLOGeDqkdoJ7PPCRHeS
|
||||
WXaZUK7/a7B6wZuf4fafEVWSpgonWvL3bxCLlPau5zYvo40WLzFtIVT6gBCR/TBY
|
||||
AhUVrrvn1Ssqrz1RRD7ebbFR59yDsEyJaL4cdJzVidB4+tp9XAJ0yjiGJyCJW5NR
|
||||
eW0dR1jHDacBPMnxgqKtXpn7d0PMx0oghD0wFiQsGqi6aWJs8+qGWugCoHZUiJB2
|
||||
R/N0MO7l4CuJYECSIiVqgu08h7ZQ3CgROGEFVYaBmkX50DFwLe9FkurOE83jNiJE
|
||||
d7QKhc2IE6RQ0j9bS7GcBkNjED7jUCryLbwI8ITekHnSt0BiFnVb9rZ3cMYNArcS
|
||||
5rDZ4JQYsqGiGb03VZqW9VXD/40tTtkLU5EaN9tgroQiHovCfLiug4WbRYz26wZF
|
||||
cnMHaQCPHYAKme72bAypjzooN4KT5KE8uyNQo3/1eEwd2AKRFEl4f2uBTNqJATYE
|
||||
GAEIACAWIQT20Y0ZqX9MSKXefZJuUZ2DjSFIHwUCXXJfjwIbDAAKCRBuUZ2DjSFI
|
||||
H+agCACVQyt3pbCPgJ8CXXhMaaH0Y16DJDxy/AXzQL7hxHzgqIrHuOygADCXvMcH
|
||||
pb6kznMG4pVfeNZtm+FDoQ7rDPcY9T9eSQD6Fw2hzemysdWAoD9ZUNwynw125Og7
|
||||
nmOmXIJLQ58J0bDVfb34zwYfdE45LTaQXO2ODx4foMpzCv86XUE4GboQSnUrU1VN
|
||||
afrbVTSZ7Zna6yNzgtCVomSjxDhCZ+nnYQsTwXqERqby8v2KpgWM3yVV84q2ED2N
|
||||
51JUIdXFjejFyHWjDHYfYPo4s/I75gYKsTCFo9lGqkcVKX13HMCI7J4KGrmxLVJq
|
||||
swK2XO60K8/knDo78U2RvVf+Goat
|
||||
=9tu1
|
||||
-----END PGP PRIVATE KEY BLOCK-----
|
30
tests/fixtures/gpg/user5@gitsecret.io/public.key
vendored
Normal file
30
tests/fixtures/gpg/user5@gitsecret.io/public.key
vendored
Normal file
@ -0,0 +1,30 @@
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQENBF1yX48BCAC7TVKvW81RjJKcGI21cI1iUEPkpWCqXwUjt9UsJ8g+2BW45gmX
|
||||
9tLKPp5ax6hJoLQpcSkOsKcNdigSwHeB+TjIgGshAQOgOXLgnU6oETkobxrv3TcQ
|
||||
L0gF09jgnUvdzaCSgqtLndgejG1g5SsYIzzHYSTAj/7t5WY2AQKVsiE9pELxUqLB
|
||||
QQQ97YHklp26sNXT9FYBNZvLN661PvTB2fgMxMrLkE0i8brAC51zyp0/PCy7huDz
|
||||
9zjryMCReKkwfVIpevBJspHx1P2HLNe+b+O28C4U0r8CuWSk116itbfKGCtWL8LL
|
||||
khMUBD4j+6zO1E33HVeRR6hypU8ZhbDIX9BzABEBAAG0F3VzZXI1IChjb21tZW50
|
||||
IGNvbW1lbnQpiQFOBBMBCAA4FiEE9tGNGal/TEil3n2SblGdg40hSB8FAl1yX48C
|
||||
GwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQblGdg40hSB+FBAf/fy472G8V
|
||||
1zvZSdiMIANle91JrVP69Iol8X1Jr4NJ7YXcmXBg++kOcSi8yaLtG5QnWfuYbNMU
|
||||
nocsezhnbo/pW2YLZ7e57b86W0rbjN3N4fzRZ8aYV8nVwVKE7mYYST6BrceGEIc8
|
||||
T3OQQz4c74Of4gMG4kvg8C+7pzpu5Wgr0YNuju2QIUHX6/Df0KYSac+4igbKCWIn
|
||||
EqqKoexL8mfgqQ3J5xPzPnFoDjWUZ0Blt1rqiDi7S+yPtRy116vba11UoNaDUnCv
|
||||
bc5EFgIPayxApSrfUb+S9B5nEJN1kPy39XelDPS6u79z829UtfV5kNfAz6+JH8KT
|
||||
mjJMROQcX0tk17kBDQRdcl+PAQgAzGclUyI7Jl89yU63WhC/nW+uZtbKIodI2f07
|
||||
C1bYdAhZdPlykDvqiNx4vEXYbPcuvyTlmolBlvaNMH8cYN4kxU5Chux8ksPaWUz3
|
||||
08UV0T+UCW77+NCn3SG7+Auj16C75ohk/phGa8kwux4Hy3bZ1YZvw6mdmBPMAv26
|
||||
Ty+FjMwsYKI57MLSnPEoIOwh8G2kcPJv1nTpwPiHLC+1pEIk5dqdSG/ats8Rw1Gh
|
||||
ipjeQWVpXfs3ExHIKmU4OroeauzGxSmEmYcDbbse0EcnMm1Fx7DI5y8cTdOi/KcM
|
||||
8M22T4q29l+Kq+8oPAReOvKBiIH/Fk+IW9Pl/jEHqGJwmrz7vwARAQABiQE2BBgB
|
||||
CAAgFiEE9tGNGal/TEil3n2SblGdg40hSB8FAl1yX48CGwwACgkQblGdg40hSB/m
|
||||
oAgAlUMrd6Wwj4CfAl14TGmh9GNegyQ8cvwF80C+4cR84KiKx7jsoAAwl7zHB6W+
|
||||
pM5zBuKVX3jWbZvhQ6EO6wz3GPU/XkkA+hcNoc3psrHVgKA/WVDcMp8NduToO55j
|
||||
plyCS0OfCdGw1X29+M8GH3ROOS02kFztjg8eH6DKcwr/Ol1BOBm6EEp1K1NVTWn6
|
||||
21U0me2Z2usjc4LQlaJko8Q4Qmfp52ELE8F6hEam8vL9iqYFjN8lVfOKthA9jedS
|
||||
VCHVxY3oxch1owx2H2D6OLPyO+YGCrEwhaPZRqpHFSl9dxzAiOyeChq5sS1SarMC
|
||||
tlzutCvP5Jw6O/FNkb1X/hqGrQ==
|
||||
=ghZU
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
@ -5,9 +5,6 @@ load _test_base
|
||||
FIRST_FILE="$TEST_DEFAULT_FILENAME"
|
||||
SECOND_FILE="$TEST_SECOND_FILENAME"
|
||||
|
||||
FOLDER="somedir"
|
||||
FILE_IN_FOLDER="${FOLDER}/file_to_hide3"
|
||||
|
||||
|
||||
function setup {
|
||||
install_fixture_key "$TEST_DEFAULT_USER"
|
||||
@ -25,7 +22,6 @@ function setup {
|
||||
function teardown {
|
||||
# This also needs to be cleaned:
|
||||
rm "$FIRST_FILE" "$SECOND_FILE"
|
||||
rm -r "$FOLDER"
|
||||
|
||||
uninstall_fixture_key "$TEST_DEFAULT_USER"
|
||||
unset_current_state
|
||||
|
@ -58,7 +58,6 @@ function teardown {
|
||||
}
|
||||
|
||||
@test "run 'hide' with '-P'" {
|
||||
|
||||
# attempt to alter permissions on input file
|
||||
chmod o-rwx "$FILE_TO_HIDE"
|
||||
|
||||
@ -74,17 +73,13 @@ function teardown {
|
||||
local encrypted_file=$(_get_encrypted_filename "$FILE_TO_HIDE")
|
||||
[ -f "$encrypted_file" ]
|
||||
|
||||
# permissions should match. We don't have access to SECRETS_OCTAL_PERMS_COMMAND here
|
||||
## permissions should match.
|
||||
local secret_perm
|
||||
local file_perm
|
||||
secret_perm=$(ls -l "$encrypted_file" | cut -d' ' -f1)
|
||||
file_perm=$(ls -l "$FILE_TO_HIDE" | cut -d' ' -f1)
|
||||
|
||||
# text prefixed with '# ' and sent to file descriptor 3 is 'diagnostic' (debug) output for devs
|
||||
file_perm=$($SECRETS_OCTAL_PERMS_COMMAND "$FILE_TO_HIDE")
|
||||
secret_perm=$($SECRETS_OCTAL_PERMS_COMMAND "$encrypted_file")
|
||||
#echo "# '$BATS_TEST_DESCRIPTION': $secret_perm, file_perm: $file_perm" >&3
|
||||
|
||||
[ "$secret_perm" = "$file_perm" ]
|
||||
|
||||
}
|
||||
|
||||
@test "run 'hide' from inside subdirectory" {
|
||||
|
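Review bot: Both sides of the permission check now come from `$SECRETS_OCTAL_PERMS_COMMAND`, which appears to be the same helper `hide -P` relies on, so a wrong answer from that helper affects both values equally and the assertion still passes. Since the test already alters the input mode with `chmod o-rwx "$FILE_TO_HIDE"` earlier in the same test, keeping the previous `ls -l ... | cut -d' ' -f1` comparison as a second, helper-independent check would make the test meaningful on a platform where the helper misbehaves. The comment `# text prefixed with '# ' and sent to file descriptor 3 ...` now describes an `echo` that is commented out; drop one or the other. The `@test` header is outside the hunk.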
@ -85,14 +85,12 @@ function teardown {
|
||||
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
## permissions should match.
|
||||
local secret_perm
|
||||
local file_perm
|
||||
secret_perm=$(ls -l "$FILE_TO_HIDE$SECRETS_EXTENSION" | cut -d' ' -f1)
|
||||
file_perm=$(ls -l "$FILE_TO_HIDE" | cut -d' ' -f1)
|
||||
|
||||
# text prefixed with '# ' and sent to file descriptor 3 is 'diagnostic' (debug) output for devs
|
||||
file_perm=$($SECRETS_OCTAL_PERMS_COMMAND "$FILE_TO_HIDE")
|
||||
secret_perm=$($SECRETS_OCTAL_PERMS_COMMAND "$FILE_TO_HIDE$SECRETS_EXTENSION")
|
||||
#echo "# secret_perm: $secret_perm, file_perm: $file_perm" >&3
|
||||
|
||||
[ "$secret_perm" = "$file_perm" ]
|
||||
|
||||
[ -f "$FILE_TO_HIDE" ]
|
||||
|
@ -159,6 +159,48 @@ function teardown {
|
||||
}
|
||||
|
||||
|
||||
@test "run 'tell' with key without email and with comment" {
|
||||
# install works because it works on filename, not contents of keychain
|
||||
install_fixture_key "$TEST_NOEMAIL_COMMENT_USER"
|
||||
|
||||
# Testing the command itself fails because you have to use an email address
|
||||
run git secret tell -d "$TEST_GPG_HOMEDIR" "$TEST_NOEMAIL_COMMENT_USER"
|
||||
|
||||
# this should not succeed because we only support addressing users by email
|
||||
[ "$status" -ne 0 ]
|
||||
|
||||
# Testing that these users are presented in the
|
||||
# list of people who knows secret:
|
||||
run git secret whoknows
|
||||
|
||||
[[ "$output" != *"$TEST_NOEMAIL_COMMENT_USER"* ]]
|
||||
|
||||
# Cleaning up: can't clean up by email
|
||||
#uninstall_fixture_key "$TEST_NOEMAIL_COMMENT_USER"
|
||||
}
|
||||
|
||||
@test "run 'tell' on non-email" {
|
||||
install_fixture_key "$TEST_NOEMAIL_COMMENT_USER"
|
||||
|
||||
local name=$(echo "$TEST_NOEMAIL_COMMENT_USER" | sed -e 's/@.*//')
|
||||
#echo "$name" | sed "s/^/# '$BATS_TEST_DESCRIPTION' name is: /" >&3
|
||||
|
||||
# Testing the command itself, should fail because you must use email
|
||||
run git secret tell -d "$TEST_GPG_HOMEDIR" "$name"
|
||||
|
||||
# this should not succeed because we only support addressing users by email
|
||||
[ "$status" -ne 0 ]
|
||||
|
||||
# Testing that these users are presented in the
|
||||
# list of people who knows secret:
|
||||
run git secret whoknows
|
||||
|
||||
[[ "$output" != *"$name"* ]]
|
||||
|
||||
# Cleaning up: can't clean up by email because key doesn't hold it
|
||||
#uninstall_fixture_key "$TEST_NOEMAIL_COMMENT_USER"
|
||||
}
|
||||
|
||||
@test "run 'tell' in subfolder" {
|
||||
if [[ "$BATS_RUNNING_FROM_GIT" -eq 1 ]]; then
|
||||
skip "this test is skipped while 'git commit'. See #334"
|
||||
|
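Review bot: Both new tests install the user5 fixture key and leave the cleanup commented out (`#uninstall_fixture_key "$TEST_NOEMAIL_COMMENT_USER"`), so the key stays in the test GPG homedir for whatever runs after them; the first test's own comment says installation works on the fixture filename rather than the key contents, so if `uninstall_fixture_key` is filename-based in the same way it should be usable here, and if it is not, the teardown (outside the hunk) needs to remove the key another way. The comment `# Testing that these users are presented in the` / `# list of people who knows secret:` contradicts the `!=` assertions below it; say `are not listed`. Also `local name=$(echo "$TEST_NOEMAIL_COMMENT_USER" | sed -e 's/@.*//')` can be `local name=${TEST_NOEMAIL_COMMENT_USER%%@*}`, which avoids the pipeline and the `local`-masked exit status.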
@ -64,6 +64,7 @@ function build_package {
|
||||
# Only requires `rpm`, `apk` or `deb` as first argument:
|
||||
local build_type="$1"
|
||||
|
||||
# coreutils is for sha256sum
|
||||
# See https://github.com/jordansissel/fpm for docs:
|
||||
fpm \
|
||||
-s dir \
|
||||
@ -76,6 +77,9 @@ function build_package {
|
||||
--maintainer "Nikita Sobolev (mail@sobolevn.me)" \
|
||||
--license "MIT" \
|
||||
-C "$SCRIPT_DEST_DIR" \
|
||||
-d "bash" \
|
||||
-d "coreutils" \
|
||||
-d "gawk" \
|
||||
-d "git" \
|
||||
-d "gnupg" \
|
||||
--deb-no-default-config-files \
|
||||
|