Merge branch 'master' of github.com:joshrabinowitz/git-secret

This commit is contained in:
Josh Rabinowitz 2020-01-04 11:59:58 -05:00
commit bf905106dc
41 changed files with 394 additions and 153 deletions

View File

@ -1,9 +1,9 @@
FROM alpine:latest
# don't install coreutils on Alpine, so we get busybox versions of ps, stat, and ls. See #475
RUN apk add --no-cache --update \
bash \
build-base \
coreutils \
curl \
findutils \
gcc \

4
.github/FUNDING.yml vendored Normal file
View File

@ -0,0 +1,4 @@
# These are supported funding model platforms
patreon: sobolevn
open_collective: git-secret

View File

@ -9,7 +9,7 @@ matrix:
# language: sh
- os: osx
name: osx-with-debug-output
env: GITSECRET_DIST="brew" SECRETS_TEST_VERBOSE=1
env: GITSECRET_DIST="brew"; SECRETS_TEST_VERBOSE=1
sudo: required
language: shell
#language: ruby
@ -21,7 +21,7 @@ matrix:
#language: ruby
#rvm: 2.6
- os: linux
env: KITCHEN_REGEXP="gnupg1-alpine-latest"
env: KITCHEN_REGEXP="gnupg1-alpine-latest"; SECRETS_TEST_VERBOSE=1
services: docker
sudo: required
language: ruby

View File

@ -1,25 +1,51 @@
# Changelog
## {{Next Version}}
## Version 0.3.2
### Bugfixes
- Fix mention of version in git-secret add man page (#544)
### Misc
- Update developer docs, especially regarding mac, docker, and test-kitchen (#195)
- Update man pages to mention version documented (#420)
## Version 0.3.1
### Misc
- Update man pages
## Version 0.3.0
### Features
- Support SECRETS_PINENTRY env var for gnupg --pinentry-mode parameter (#221)
- Show output from gnupg if 'hide' fails (#516)
- Add support for Busybox (#478)
### Bugfixes
- Use OSX's mktemp on OSX, even if there's another version in PATH. (#485)
- Make rsync a build requirement on debian (#500)
- When tests specify gnupg1, use gnupg1, not gnupg2 (#241)
- Ignore revoked gnupg keys (#508)
- Use gnupg1, not gnupg2, when tests specify gnupg1 (#241)
- Note dependencies gawk, bash, and coreutils in linux packages (#493)
- Handle case of key having no email and a comment (#527)
- Avoid blank lines from output of 'clean -v'
## Misc
### Misc
- Improve messaging and logic around deleting tmp files.
- Add note about secrets and old keys (#499)
- Transition build process from python 2 to python 3 (#487)
- Upgrade build process from ansible 2.5 to ansible 2.8
- Fix in build process when installing gnupg2 source deps on Ubuntu
- Fix build process when installing gnupg2 source deps on Ubuntu
- Close file descriptor 3 when running gnupg subprocesses (#521)
- Small optimization in 'hide'
- Improve code comments
- Update docs to note that git-secret repos modified by git-secret 0.2.3 and
later are not backward compatible with pre-0.2.3 versions of git-secret. (#536)
## Version 0.2.6
@ -57,7 +83,7 @@
- Respect DESTDIR when installing as per GNU/debian/etc recommendations (#424)
- Use git check-ignore to test for files ignored by git
## Misc
### Misc
- Improve docs about hide -m option (#467)
- Document SECRETS_VERBOSE and improve env var docs (#396)
@ -97,7 +123,7 @@
- Require keys to be specified by email, as documented (#267)
- Disallow 'git secret tell' or 'killperson' with emails that are not in keychain (also #267)
## Misc
### Misc
- Added notes about packages and for package maintainers (#281)
- Improve documentation regarding operation with different versions of GPG (#274, #182)
@ -126,7 +152,9 @@
### Features
- Added `-m` option to `hide` command, files will only be hidden when modifications are detected (#92)
- Changed how path mappings file works: colon delimited FSDB (#92)
- Changed how path mappings file works: colon delimited FSDB in `.gitsecret/paths/mapping.cfg', so git-secret
can store checksums of hidden files. Note this means git-secret repos modified by git-secret 0.2.3
or later are not backward compatible with pre-0.2.3 versions of git-secret. (#92)
- `git secret init` now adds `random_seed` to `.gitignore` (#93)
### Bugfixes

View File

@ -17,41 +17,58 @@ For development with `git-secret` you should have these tools:
- sha256sum (on freebsd and MacOS `shasum` is used instead)
- [shellcheck](https://github.com/koalaman/shellcheck)
To test `git-secret` using test-kitchen, you will also need:
To test `git-secret` using [test-kitchen](https://kitchen.ci/), which is optional and uses docker to test on multiple distributions,
you will also need:
- docker
- test-kitchen
- aspell, to check your changes for spelling errors
- [docker](https://www.docker.com/)
- [test-kitchen](https://kitchen.ci/)
These are only required if dealing with manuals, `gh-pages` or releases:
The below only required if dealing with manuals, `gh-pages` or releases:
- ruby, ruby-dev
- [aspell](http://aspell.net/), to check your changes for spelling errors
### Environment MacOS
- install Homebrew
- install [Homebrew](https://brew.sh/)
- install gnupg2 with `brew install gnupg2`
#### For docker/test-kitchen
#### For docker/test-kitchen (optional, for testing multiple distros locally using docker)
- install Docker for Mac
- install Chef Developer Kit (?)
- install ruby2.4 and kitchen dependencies with
- install ruby2.6 and kitchen dependencies with
brew install rbenv ruby-build rbenv-vars;
rbenv install 2.4.4; rbenv rehash; rbenv global 2.4.4;
gem install bundler kitchen-ansible serverspec kitchen-docker kitchen-verifier-serverspec;
rbenv install 2.6.3; rbenv rehash; rbenv global 2.6.3;
(You can also use `rvm` instead of `rbenv`, but brew packages `rbenv` for you.)
then use
gem install bundler kitchen-ansible serverspec kitchen-docker kitchen-verifier-serverspec
If you have trouble getting test-kitchen and docker working on your mac to test git-secret with, see #534
or let us know by filing an issue.
### Getting started
1. Create your own or pick an opened issue from the [tracker][tracker]. Take a look at the [`help-wanted` tag][help-wanted]
2. Fork and clone your repository: `git clone https://github.com/${YOUR_NAME}/git-secret.git`
2. Fork the git-secret repo and then clone the repository using a command like `git clone https://github.com/${YOUR_NAME}/git-secret.git`
3. Make sure that everything works on the current platform by running `make test`.
You can also try the experimental `SECRETS_TEST_VERBOSE=1 make test`.
You can also try the experimental `SECRETS_TEST_VERBOSE=1 make test`, which will
show you a lot of debug output while the tests are running.
Note that 'experimental' features may change or be removed in a future version of `git-secret`.
4. [Run local CI tests](#running-local-ci-tests) to verify functionality on supported platforms `bundle exec kitchen verify --test-base-path="$PWD/.ci/integration"`.
4. If you want to test on multiple operating systems, [Run local CI tests](#running-local-ci-tests) (optional; this will
automatically happen on [Travis-CI](https://travis-ci.org/sobolevn/git-secret) when you submit a PR).
Running the CI tests locally is optional. The tests will happen automatically on Travis-CI
when you create a PR for `git-secret`, and again when any PR is merged.
To verify functionality on supported platforms use `bundle exec kitchen verify --test-base-path="$PWD/.ci/integration"`.
See `[test-kitchen](https://kitchen.ci/) and `kitchen help verify` for more info about using `kitchen verify`.
### Code style
@ -73,7 +90,7 @@ New features and changes should aim to be as clear, concise, simple, and consist
Every code base has its own conventions and style that develop and accrete over time.
Consistency also means that the inputs and outputs of git-secret should be as consistent as reasonable
with related unix and git tools, and follow the 'rule of least surprise',
with related Unix and git tools, and follow the 'rule of least surprise',
also known as the 'principle of least astonishment': <https://en.wikipedia.org/wiki/Principle_of_least_astonishment>
We wrote this to clarify our thinking about how git-secret should be written. Of course, these are philosophical goals,
@ -87,16 +104,16 @@ Also it's often best to implement larger or complex changes as a series of plann
each making a small set of specific changes. This facilitates discussions of implementation, which often come to light
only after seeing the actual code used to perform a task.
As mentioned above, we seek to be consistent with surrounding git and unix tools, so when writing changes to git-secret,
think about the input, output, and command-line options that similar unix commands use.
As mentioned above, we seek to be consistent with surrounding git and Unix tools, so when writing changes to git-secret,
think about the input, output, and command-line options that similar Unix commands use.
Our favor toward traditional unix and git command-style inputs and outputs can also mean it's appropriate to
lean heavily on git and widely-used unix command features instead of re-implementing them in code.
Our favor toward traditional Unix and git command-style inputs and outputs can also mean it's appropriate to
lean heavily on git and widely-used Unix command features instead of re-implementing them in code.
### Development Process
1. Firstly, you should need to setup development git hooks with `make install-hooks`
This will copy the git-secret development hooks from utils/hooks into .git/hooks/pre-commit and .git/hooks/post-commit
1. Firstly, you should setup git-secret's development git hooks with `make install-hooks`
This will copy the hooks from utils/hooks into .git/hooks/pre-commit and .git/hooks/post-commit
2. Make changes to the git secret files that need to be changed
@ -114,9 +131,10 @@ This will copy the git-secret development hooks from utils/hooks into .git/hooks
8. When running `git commit` the tests will run automatically, your commit will be canceled if they fail.
You can run the tests manually with `make clean build test`.
If you want to make a commit and not run the pre- and post-commit hooks, use 'git commit -n'
9. Push to your repository, and make a pull-request against `master` branch. It's ideal to have one commit per pull-request;
otherwise PRs will probably be `squashed` into one commit when merged.
9. Push to your repository, and make a pull-request against `master` branch. It's ideal to have one commit per pull-request,
but don't worry, it's easy to `squash` PRs into a small number of commits when they're merged.
### Branches
@ -128,20 +146,26 @@ Development looks like this:
- `master` branch is protected, so only fully tested code goes there. It is also used to create a new `git` tag and a `github` release
By convention, you can name your branches like `issue-###-short-description`, but that's not required.
The `gh-pages` branch is used for the pages at `git-secret.io`. See 'Release Process' below.
### Continuous integration
Local CI is done with the help [`test-kitchen`](http://kitchen.ci/). `test-kitchen` handles multiple test-suites on various platforms.
`bundle exec kitchen list` will output the list of test suites to be run against supported platforms.
You can run our CI tests locally, but it is not strictly required in order to do development or testing of git-secret. When you have
`test-kitchen` installed, `bundle exec kitchen list` will output the list of test suites to be run against supported platforms.
Cloud CI is done with the help of `travis`. `travis` handles multiple environments:
Cloud CI is done with the help of [Travis-CI](https://travis-ci.org/sobolevn/git-secret), which handles testing on multiple environments using
- `Docker`-based jobs or so-called 'integration tests', these tests create a local release, install it with the package manager and then run unit-tests and system checks
- `Docker`-based jobs or so-called 'integration tests', which create a local release, install it with the package manager and then run unit-tests and system checks
- `OSX` jobs, which handle basic unit-tests on `MacOS` (Travis still calls MacOS 'OSX')
- Native `travis` jobs, which handle basic unit-tests and style checks
### Running local ci-tests
### Running local ci-tests with test-kitchen
Ci-tests are only necessary if you want to test git-secret on multiple OS'es using docker and test-kitchen,
like we do on travis-ci.
1. Install required gems with `bundle install`.
2. Run ci-tests with `bundle exec kitchen verify --test-base-path="$PWD/.ci/integration"`
@ -159,13 +183,16 @@ output from commands.
The release process is defined in the `git`-hooks and `.travis.yml`.
When creating a commit inside the `master` branch (it is usually a documentation and changelog update with the version bump inside `src/version.sh`) the hooks will trigger three events.
When creating a commit inside the `master` branch (it is usually a documentation and changelog update with the version bump inside `src/version.sh`) the
pre-commit and post-commit hooks will trigger three events.
- the test suite will be run locally
- `pre-commit`: run the test suite will be locally
- new manuals will be created and added to the current commit with `make build-man` on `pre-commit` hook.
- `pre-commit`: generate and update the manuals and add them to the current commit with `make build-man`
- after the commit is successfully created it will also trigger `make build-gh-pages` target on `post-commit` hook, which will push new manuals to the [git-secret site][git-secret-site]. And the new `git` tag will be automatically created if the version is changed:
- `post-commit`: trigger `make build-gh-pages`, which will update and push manuals to the [git-secret site][git-secret-site].
- `post-commit`: new `git` tag (such as v0.3.1) will be automatically created if the version is changed, using something like
```bash
if [[ "$NEWEST_TAG" != "v${SCRIPT_VERSION}" ]]; then
@ -182,13 +209,17 @@ Here are some links to gnupg documentation that might be useful for those workin
#### Travis releases
After you commit a tag that matches the pattern '^v.*$' and the tests succeed, Travis will publish new `deb` and `rpm` packages to [`bintray`][bintray].
After you commit a tag that matches the pattern '^v' and the tests succeed, scripts run on [Travis-CI](https://travis-ci.org/sobolevn/git-secret)
will publish new `deb` and `rpm` packages to [`bintray`][bintray].
If you wish to override a previous release (*be careful*) you will need to add `"override": 1` into `matrixParams`, see `deb-deploy.sh` and `rpm-deploy.sh`
(If you wish to override a previous release (*be careful, this is discouraged*) you will need to add `"override": 1` into `matrixParams`, see `deb-deploy.sh` and `rpm-deploy.sh`)
#### Manual releases
Releases to `brew` are made manually.
Releases to `brew` are made manually, and involve opening a PR on the [Homebrew Core](https://github.com/Homebrew/homebrew-core) repo .
To get started, see the
[Homebrew docs about Formulae-related PRs](https://docs.brew.sh/How-To-Open-a-Homebrew-Pull-Request#formulae-related-pull-request)
and `brew bump-formula-pr --help`
#### Dockerhub releases
@ -210,7 +241,10 @@ There are several distributions and packaging systems that may already have git-
First of all, thank you for packaging git-secret for your platform! We appreciate it.
We also would like to welcome you to collaborate or discuss any issues, ideas or thoughts you have about
git-secret by submitting issue report (which can also be feature requests) or pull requests via the git repo at
git-secret by submitting [issue report](https://github.com/sobolevn/git-secret/issues)
(which can also be feature requests) or
[pull requests](https://help.github.com/en/articles/creating-a-pull-request)
via the git repo at
[git-secret on github](https://github.com/sobolevn/git-secret)
Please let us know if there are any changes you'd like to see to the source,

View File

@ -57,8 +57,9 @@ clean-man:
find "man/" -type f ! -name "*.ronn" -delete
.PHONY: build-man
build-man: install-ronn clean-man
ronn --roff --organization="sobolevn" --manual="git-secret" man/*/*.ronn
build-man: install-ronn clean-man git-secret
touch man/*/*.ronn
export GITSECRET_VERSION=`./git-secret --version` && ronn --roff --organization="sobolevn" --manual="git-secret $${GITSECRET_VERSION}" man/*/*.ronn
.PHONY: build-gh-pages
build-gh-pages:

View File

@ -22,7 +22,7 @@ you should also change the secrets.
## Preview
[![git-secret terminal preview](https://asciinema.org/a/41811.png)](https://asciinema.org/a/41811?autoplay=1)
[![git-secret terminal preview](git-secret.gif)](https://asciinema.org/a/41811?autoplay=1)
## Installation
@ -64,13 +64,7 @@ If you found any security related issues, please do not disclose it in public. S
## Changelog
`git-secret` uses semver. See [CHANGELOG.md](CHANGELOG.md).
## Contributors
This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)].
<a href="https://github.com/sobolevn/git-secret/graphs/contributors"><img src="https://opencollective.com/git-secret/contributors.svg?width=890" /></a>
`git-secret` uses [semver](https://semver.org/). See [CHANGELOG.md](CHANGELOG.md).
## Packagers
@ -79,11 +73,13 @@ Thanks also to all the people and groups who package git-secret to be easier to
Here are some packagings of git-secret that we're aware of:
- https://pkgs.alpinelinux.org/package/edge/testing/x86/git-secret
- https://aur.archlinux.org/packages/git-secret/
- https://formulae.brew.sh/formula/git-secret
- https://packages.ubuntu.com/bionic/git-secret
- https://packages.debian.org/sid/git-secret
- https://apps.fedoraproject.org/packages/git-secret
- https://aur.archlinux.org/packages/git-secret/
- https://pkgs.alpinelinux.org/package/edge/testing/x86/git-secret
- https://packages.debian.org/sid/git-secret
- https://github.com/void-linux/void-packages/blob/master/srcpkgs/git-secret/template
Such packages are considered 'downstream' because the git-secret code 'flows' from the git-secret repository
to the various rpm/deb/dpkg/etc packages that are created for specific OSes and distributions.
@ -91,27 +87,24 @@ to the various rpm/deb/dpkg/etc packages that are created for specific OSes and
We have also added notes specifically for packagers in [CONTRIBUTING.md](CONTRIBUTING.md).
## Backers
Thank you to all our backers! 🙏 [[Become a backer](https://opencollective.com/git-secret#backer)]
<a href="https://opencollective.com/git-secret#backers" target="_blank"><img src="https://opencollective.com/git-secret/backers.svg?width=890"></a>
## Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [[Become a sponsor](https://opencollective.com/git-secret#sponsor)]
<a href="https://opencollective.com/git-secret/sponsor/0/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/0/avatar.svg"></a>
<a href="https://opencollective.com/git-secret/sponsor/1/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/1/avatar.svg"></a>
<a href="https://opencollective.com/git-secret/sponsor/2/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/2/avatar.svg"></a>
<a href="https://opencollective.com/git-secret/sponsor/3/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/3/avatar.svg"></a>
<a href="https://opencollective.com/git-secret/sponsor/4/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/4/avatar.svg"></a>
<a href="https://opencollective.com/git-secret/sponsor/5/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/5/avatar.svg"></a>
<a href="https://opencollective.com/git-secret/sponsor/6/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/6/avatar.svg"></a>
<a href="https://opencollective.com/git-secret/sponsor/7/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/7/avatar.svg"></a>
<a href="https://opencollective.com/git-secret/sponsor/8/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/8/avatar.svg"></a>
<a href="https://opencollective.com/git-secret/sponsor/9/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/9/avatar.svg"></a>
[![Sponsors](https://opencollective.com/git-secret/tiers/sponsor.svg?width=890)](https://opencollective.com/git-secret)
## Backers
Thanks to all our backers!
[![Backers](https://opencollective.com/git-secret/tiers/backer.svg?width=890&avatarHeight=36)](https://opencollective.com/git-secret)
## Contributors
This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)].
<a href="https://github.com/sobolevn/git-secret/graphs/contributors"><img src="https://opencollective.com/git-secret/contributors.svg?width=890" /></a>
## License

BIN
git-secret.gif Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 555 KiB

Binary file not shown.

View File

@ -10,7 +10,7 @@ git-secret-add - starts to track added files.
`git-secret-add` adds a filepath(s) into `.gitsecret/paths/mapping.cfg`
and ensures the filepath is mentioned .gitignore.
When adding files to encrypt, `git-secret-add` (as of 0.3.0) will ensure that they are ignored by `git` by mentioning
When adding files to encrypt, `git-secret-add` (as of 0.2.6) will ensure that they are ignored by `git` by mentioning
them in .gitignore, since they must be secure and not be committed into the remote repository unencrypted.
If there's no users in the `git-secret`'s keyring, when adding a file, an exception will be raised.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -28,6 +28,8 @@ fi
: "${SECRETS_OCTAL_PERMS_COMMAND:="_os_based __get_octal_perms"}"
: "${SECRETS_EPOCH_TO_DATE:="_os_based __epoch_to_date"}"
# Temp Dir
: "${TMPDIR:=/tmp}"
# AWK scripts:
# shellcheck disable=2016
@ -195,7 +197,7 @@ function _temporary_file {
# which will be removed on system exit.
temporary_filename=$(_os_based __temp_file) # is not `local` on purpose.
trap 'if [[ -n "$_SECRETS_VERBOSE" ]] || [[ -n "$SECRETS_TEST_VERBOSE" ]]; then echo "git-secret: cleaning up: $temporary_filename"; fi; rm -f "$temporary_filename";' EXIT
trap 'if [[ -f "$temporary_filename" ]]; then if [[ -n "$_SECRETS_VERBOSE" ]] || [[ -n "$SECRETS_TEST_VERBOSE" ]]; then echo "git-secret: cleaning up: $temporary_filename"; fi; rm -f "$temporary_filename"; fi;' EXIT
}
@ -464,14 +466,12 @@ function _find_and_clean_formatted {
# required:
local pattern="$1" # can be any string pattern
if [[ -n "$_SECRETS_VERBOSE" ]]; then
echo && _message "cleaning:"
fi
local outputs
outputs=$(_find_and_clean "$pattern" 2>&1)
_find_and_clean "$pattern"
if [[ -n "$_SECRETS_VERBOSE" ]]; then
echo
if [[ -n "$_SECRETS_VERBOSE" ]] && [[ -n "$outputs" ]]; then
# shellcheck disable=SC2001
echo "$outputs" | sed "s/^/git-secret: cleaning: /"
fi
}
@ -525,6 +525,21 @@ function _secrets_dir_is_not_ignored {
}
function _exe_is_busybox {
local exe
exe=$1
# we assume stat is from busybox if it's a symlink
local is_busybox=0
local stat_path
stat_path=$(command -v "$exe")
if [ -L "$stat_path" ]; then
is_busybox=1
fi
echo "$is_busybox"
}
function _user_required {
# This function does a bunch of validations:
# 1. It calls `_secrets_dir_exists` to verify that "$_SECRETS_DIR" exists.
@ -544,18 +559,20 @@ function _user_required {
local secrets_dir_keys
secrets_dir_keys=$(_get_secrets_dir_keys)
# see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs for info about 3>&-
local keys_exist
keys_exist=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning -n --list-keys)
keys_exist=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning -n --list-keys 3>&-)
local exit_code=$?
if [[ -z "$keys_exist" ]]; then
_abort "$error_message"
fi
if [[ "$exit_code" -ne 0 ]]; then
# this might catch corner case where gpg --list-keys shows
# 'gpg: skipped packet of type 12 in keybox' warnings but succeeds?
# See #136
echo "$keys_exist" # show whatever _did_ come out of gpg
_abort "problem listing public keys with gpg: exit code $exit_code"
fi
if [[ -z "$keys_exist" ]]; then
_abort "$error_message"
fi
}
# note: this has the same 'username matching' issue described in
@ -571,7 +588,8 @@ function _get_user_key_expiry {
local secrets_dir_keys
secrets_dir_keys=$(_get_secrets_dir_keys)
line=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode "$username" | grep ^pub:)
# 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs
line=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode "$username" | grep ^pub: 3>&-)
local expiry_epoch
expiry_epoch=$(echo "$line" | cut -d: -f7)
@ -587,6 +605,9 @@ function _assert_keychain_contains_emails {
local gpg_uids
gpg_uids=$(_get_users_in_gpg_keyring "$homedir")
for email in "${emails[@]}"; do
if [[ $email != *"@"* ]]; then
_abort "does not appear to be an email: $email"
fi
local email_ok=0
for uid in $gpg_uids; do
if [[ "$uid" == "$email" ]]; then
@ -622,9 +643,14 @@ function _get_users_in_gpg_keyring {
fi
# we use --fixed-list-mode so older versions of gpg emit 'uid:' lines.
# here gawk splits on colon as --with-colon, exact matches field 1 as 'uid' that is not revoked (field 2 set to 'r') and selects field 10 "User-ID"
# the gensub regex extracts email from <> within field 10. (If there's no <>, then field is just an email address anyway and the regex just passes it through.)
result=$($SECRETS_GPG_COMMAND "${args[@]}" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode | gawk -F: '$1~/uid/&&$2!="r"{print gensub(/.*<(.*)>.*/, "\\1", "g", $10); }')
# here gawk splits on colon as --with-colon, exact matches field 1 as 'uid', and selects field 10 "User-ID"
# the gensub regex extracts email from <> within field 10. (If there's no <>, then field is just an email address
# (and maybe a comment) and the regex just passes it through.)
# sed at the end removes any 'comment' that appears in parentheses, for #530
# 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs
result=$($SECRETS_GPG_COMMAND "${args[@]}" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode | \
gawk -F: '$1~/uid/{print gensub(/.*<(.*)>.*/, "\\1", "g", $10); }' | \
sed 's/([^)]*)//g' 3>&-)
echo "$result"
}

View File

@ -10,7 +10,6 @@ function __replace_in_file_freebsd {
function __temp_file_freebsd {
: "${TMPDIR:=/tmp}"
local filename
# man mktemp on FreeBSD:
# ...

View File

@ -8,7 +8,6 @@ function __replace_in_file_linux {
function __temp_file_linux {
: "${TMPDIR:=/tmp}"
local filename
# man mktemp on CentOS 7:
# mktemp [OPTION]... [TEMPLATE]
@ -35,9 +34,16 @@ function __sha256_linux {
function __get_octal_perms_linux {
local filename
filename=$1
local perms
local stat_is_busybox
stat_is_busybox=_exe_is_busybox "stat"
local perms # a string like '644'
if [ "$stat_is_busybox" -eq 1 ]; then
# special case for busybox, which doesn't understand --format
perms=$(stat -c '%a' "$filename")
else
perms=$(stat --format '%a' "$filename")
# a string like '0644'
fi
echo "$perms"
}

View File

@ -8,7 +8,6 @@ function __replace_in_file_osx {
function __temp_file_osx {
: "${TMPDIR:=/tmp}"
local filename
# man mktemp on OSX:
# ...

View File

@ -109,7 +109,7 @@ function hide {
[ "$1" = '--' ] && shift
if [ $# -ne 0 ]; then
_abort "clean does not understand params: $*"
_abort "hide does not understand params: $*"
fi
# We need user to continue:
@ -132,6 +132,12 @@ function hide {
to_hide+=("$record") # add record to array
done < "$path_mappings"
local recipients
recipients=$(_get_recipients)
local secrets_dir_keys
secrets_dir_keys=$(_get_secrets_dir_keys)
local counter=0
for record in "${to_hide[@]}"; do
local filename
@ -141,12 +147,6 @@ function hide {
fsdb_file_hash=$(_get_record_hash "$record")
encrypted_filename=$(_get_encrypted_filename "$filename")
local recipients
recipients=$(_get_recipients)
local secrets_dir_keys
secrets_dir_keys=$(_get_secrets_dir_keys)
local input_path
local output_path
input_path=$(_append_root_path "$filename")
@ -170,21 +170,28 @@ function hide {
set +e # disable 'set -e' so we can capture exit_code
if [[ -n "$_SECRETS_VERBOSE" ]]; then
# on at least some platforms, this doesn't output anything unless there's a warning or error
$SECRETS_GPG_COMMAND "${args[@]}"
else
$SECRETS_GPG_COMMAND "${args[@]}" > /dev/null 2>&1
fi
# see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs for info about 3>&-
local gpg_output
gpg_output=$($SECRETS_GPG_COMMAND "${args[@]}" 3>&-) # we leave stderr alone
local exit_code=$?
set -e # re-enable set -e
local error=0
if [[ "$exit_code" -ne 0 ]] || [[ ! -f "$output_path" ]]; then
error=1
fi
if [[ "$error" -ne 0 ]] || [[ -n "$_SECRETS_VERBOSE" ]]; then
if [[ -n "$gpg_output" ]]; then
echo "$gpg_output"
fi
fi
if [[ ! -f "$output_path" ]]; then
# if gpg can't encrypt a file we asked it to, that's an error unless in force_continue mode.
_warn_or_abort "problem encrypting file with gpg: exit code $exit_code: $filename" "$exit_code" "$force_continue"
fi
if [[ -f "$output_path" ]]; then
else
counter=$((counter+1))
if [[ "$preserve" == 1 ]]; then
local perms

View File

@ -31,7 +31,8 @@ function killperson {
_assert_keychain_contains_emails "$secrets_dir_keys" "${emails[@]}"
for email in "${emails[@]}"; do
$SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --batch --yes --delete-key "$email"
# see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs for info about 3>&-
$SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --batch --yes --delete-key "$email" 3>&-
local exit_code=$?
if [[ "$exit_code" -ne 0 ]]; then
_abort "problem deleting key for '$email' with gpg: exit code $exit_code"

View File

@ -75,5 +75,5 @@ function reveal {
done
echo "git-secret: done. $counter of ${#to_show[@]} files are revealed."
_message "done. $counter of ${#to_show[@]} files are revealed."
}

View File

@ -10,7 +10,8 @@ END { print cnt }
function get_gpg_key_count {
local secrets_dir_keys
secrets_dir_keys=$(_get_secrets_dir_keys)
$SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon | gawk "$AWK_GPG_KEY_CNT"
# 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs
$SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon | gawk "$AWK_GPG_KEY_CNT" 3>&-
local exit_code=$?
if [[ "$exit_code" -ne 0 ]]; then
_abort "problem counting keys with gpg: exit code $exit_code"
@ -75,14 +76,15 @@ function tell {
# shellcheck disable=2154
local keyfile="$temporary_filename"
# 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs
local exit_code
if [[ -z "$homedir" ]]; then
$SECRETS_GPG_COMMAND --export -a "$email" > "$keyfile"
$SECRETS_GPG_COMMAND --export -a "$email" > "$keyfile" 3>&-
exit_code=$?
else
# It means that homedir is set as an extra argument via `-d`:
$SECRETS_GPG_COMMAND --no-permission-warning --homedir="$homedir" \
--export -a "$email" > "$keyfile"
--export -a "$email" > "$keyfile" 3>&-
exit_code=$?
fi
if [[ "$exit_code" -ne 0 ]]; then
@ -99,9 +101,9 @@ function tell {
local args=( --homedir "$secrets_dir_keys" --no-permission-warning --import "$keyfile" )
if [[ -z "$_SECRETS_VERBOSE" ]]; then
$SECRETS_GPG_COMMAND "${args[@]}" > /dev/null 2>&1
$SECRETS_GPG_COMMAND "${args[@]}" > /dev/null 2>&1 3>&-
else
$SECRETS_GPG_COMMAND "${args[@]}"
$SECRETS_GPG_COMMAND "${args[@]}" 3>&-
fi
exit_code=$?
@ -112,7 +114,7 @@ function tell {
fi
done
echo "done. ${emails[*]} added as someone who know(s) the secret."
_message "done. ${emails[*]} added as user(s) who know the secret."
# force re-encrypting of files if required
local fsdb

View File

@ -1,4 +1,4 @@
#!/usr/bin/env bash
# shellcheck disable=2034
GITSECRET_VERSION='0.2.6'
GITSECRET_VERSION='0.3.2'

View File

@ -7,6 +7,9 @@
source "$SECRET_PROJECT_ROOT/src/version.sh"
# shellcheck disable=SC1090
source "$SECRET_PROJECT_ROOT/src/_utils/_git_secret_tools.sh"
source "$SECRET_PROJECT_ROOT/src/_utils/_git_secret_tools_freebsd.sh"
source "$SECRET_PROJECT_ROOT/src/_utils/_git_secret_tools_linux.sh"
source "$SECRET_PROJECT_ROOT/src/_utils/_git_secret_tools_osx.sh"
# Constants:
FIXTURES_DIR="$BATS_TEST_DIRNAME/fixtures"
@ -36,9 +39,10 @@ BEGIN { OFS=":"; FS=":"; }
# This command is used with absolute homedir set and disabled warnings:
GPGTEST="$SECRETS_GPG_COMMAND --homedir=$TEST_GPG_HOMEDIR --no-permission-warning --batch"
# Personal data:
# Test key fixture data. Fixtures are at tests/fixtures/gpg/$email
# these two are 'normal' keys
# See tests/fixtures/gpg/README.md for more on key fixtures 'user[1-5]@gitsecret.io'
# these two are 'normal' keys.
export TEST_DEFAULT_USER="user1@gitsecret.io"
export TEST_SECOND_USER="user2@gitsecret.io"
@ -48,6 +52,8 @@ export TEST_NONAME_USER="user3@gitsecret.io"
# TEST_EXPIRED_USER (user4) has expired
export TEST_EXPIRED_USER="user4@gitsecret.io" # this key expires 2018-09-24
export TEST_NOEMAIL_COMMENT_USER="user5@gitsecret.io" # fixture filename is named this, but key has no email and a comment, as per #527
export TEST_ATTACKER_USER="attacker1@gitsecret.io"
@ -73,10 +79,16 @@ function stop_gpg_agent {
if [[ "$GITSECRET_DIST" == "windows" ]]; then
ps -l -u "$username" | gawk \
'/gpg-agent/ { if ( $0 !~ "awk" ) { system("kill "$1) } }' >> "$TEST_GPG_OUTPUT_FILE" 2>&1
else
local ps_is_busybox
ps_is_busybox=_exe_is_busybox "ps"
if [[ $ps_is_busybox -eq "1" ]]; then
echo "# git-secret: tests: not stopping gpg-agent on busybox" >&3
else
ps -wx -U "$username" | gawk \
'/gpg-agent --homedir/ { if ( $0 !~ "awk" ) { system("kill "$1) } }' >> "$TEST_GPG_OUTPUT_FILE" 2>&1
fi
fi
}

View File

@ -22,3 +22,8 @@
`gpg --export --armor user4 > tests/fixtures/gpg/user4/public.key`
and
`gpg --export-secret-keys --armor user4 > tests/fixtures/gpg/user4/private.key`
* user5 was created for issue #527 using `gpg --full-generate-key`.
with name 'user5', no email address, the comment 'comment comment', and
the passphrase 'user5pass'. Keys were exported as above.

View File

@ -0,0 +1,59 @@
-----BEGIN PGP PRIVATE KEY BLOCK-----
lQPGBF1yX48BCAC7TVKvW81RjJKcGI21cI1iUEPkpWCqXwUjt9UsJ8g+2BW45gmX
9tLKPp5ax6hJoLQpcSkOsKcNdigSwHeB+TjIgGshAQOgOXLgnU6oETkobxrv3TcQ
L0gF09jgnUvdzaCSgqtLndgejG1g5SsYIzzHYSTAj/7t5WY2AQKVsiE9pELxUqLB
QQQ97YHklp26sNXT9FYBNZvLN661PvTB2fgMxMrLkE0i8brAC51zyp0/PCy7huDz
9zjryMCReKkwfVIpevBJspHx1P2HLNe+b+O28C4U0r8CuWSk116itbfKGCtWL8LL
khMUBD4j+6zO1E33HVeRR6hypU8ZhbDIX9BzABEBAAH+BwMCrMDlojZX/jjr0l3U
8acJEKVGWAq8dxt+UKNm5PSNZksQdcsz4E1JL/4JitfRhvrH24OGJnGrmMYeQJjH
Dw+dHUf8UDD8KpRigihCug44VM36ZtiCxfQ8+x01DQ8G6dntZmphg6B0dJbvhUJa
YEuRk1n5rVH1lMEitq3ZcnvnU4hJxWfKdo8qI+MReaiVtODk42y0kA6/7y+w+a1j
7wWtVsdHvvC5f698Z0FKzSGxHWGgE2bFWaRxhuX0WIBMgDsr2H+jcvb51c3SIWkd
eCTupBomcv99FYcBUHf4VnjJGgBn4ibU49BZtMbmTHeB4bNb/hTCwhWuW50mr2yt
GZ/Ued2y6khcaDXlsQGdqUn7/4KEe3vpwVU6RzKrxBMhaY2zZdwVEAb9c/2szSt6
+YOhopOmH23lWF5iu2pdRcU9pJtj614tpIGOLC4H8e+im+buy+jOIvj6eECH50zK
zHchOvrCWAG4qcVTSAv2J2Ywa1wzKxUfoPbpCZJ7pJvt2pjxa2Mh1vjlydle4/Tq
6qcu4OONdJPiDu2n0DvThfZXxWPqYrQKNPok/uIuOyux3U3JKgBdCKW9wj6wXvik
TakIRvsPjMsTkyP5J7GoFokw/7tTd8fww6+HK7o171+bT1/oEmp+ulE/U5mcaVTw
uabWtLt9gignidle6R4GlVI/xo/J/szcQyiv9/MA1z0tC5FIM2HYF4ADg2de8MbE
dQKyNZxkAoFtofE8WDsMVf/C2BzTpLp9yqTGhZptCWlkU+OpBxLaVIa1tlw0mbt0
PWujKEatkdFOHhuutjLCWGiB84FKkPPti0YkfJxPxbXDMa2p7KvCSSrrkZM2mKBq
13hcLm4ANUWQCFJHpCriMg79xLSL6zEL4Lt6V+Soi1dDtH5jwox+SsC273BZXyq8
rjOisteYwarjtBd1c2VyNSAoY29tbWVudCBjb21tZW50KYkBTgQTAQgAOBYhBPbR
jRmpf0xIpd59km5RnYONIUgfBQJdcl+PAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B
AheAAAoJEG5RnYONIUgfhQQH/38uO9hvFdc72UnYjCADZXvdSa1T+vSKJfF9Sa+D
Se2F3JlwYPvpDnEovMmi7RuUJ1n7mGzTFJ6HLHs4Z26P6VtmC2e3ue2/OltK24zd
zeH80WfGmFfJ1cFShO5mGEk+ga3HhhCHPE9zkEM+HO+Dn+IDBuJL4PAvu6c6buVo
K9GDbo7tkCFB1+vw39CmEmnPuIoGygliJxKqiqHsS/Jn4KkNyecT8z5xaA41lGdA
Zbda6og4u0vsj7Uctder22tdVKDWg1Jwr23ORBYCD2ssQKUq31G/kvQeZxCTdZD8
t/V3pQz0uru/c/NvVLX1eZDXwM+viR/Ck5oyTETkHF9LZNedA8YEXXJfjwEIAMxn
JVMiOyZfPclOt1oQv51vrmbWyiKHSNn9OwtW2HQIWXT5cpA76ojceLxF2Gz3Lr8k
5ZqJQZb2jTB/HGDeJMVOQobsfJLD2llM99PFFdE/lAlu+/jQp90hu/gLo9egu+aI
ZP6YRmvJMLseB8t22dWGb8OpnZgTzAL9uk8vhYzMLGCiOezC0pzxKCDsIfBtpHDy
b9Z06cD4hywvtaRCJOXanUhv2rbPEcNRoYqY3kFlaV37NxMRyCplODq6HmrsxsUp
hJmHA227HtBHJzJtRcewyOcvHE3TovynDPDNtk+KtvZfiqvvKDwEXjrygYiB/xZP
iFvT5f4xB6hicJq8+78AEQEAAf4HAwJRNs0fBsU0LOueT8yhsPFyxg+XYBeAR5Hx
NyCFrIXaDSTY+TrTpbY0o2wrBgZtI+YAuVCgqkmQDzp8Dhb21Dcx2Zg4xJ92KHcE
dwq/VMz9l5l6JgfEg7Dt8XUCeetYKEkX/li9Q9urwBpZ3oPIjjhZoK74zfGA0Qtk
qRYCXHhBVme7pxAfirmX0jiLbDv5nV+fzJXqTzY/Zsaodw0w9CiuzZ5ftM7kk7QH
TGEeGB0yaEgm7LPupGxfkHnY7IU7f1g4e7QhQcFSHady2HrtEVYFgsdlxxCxSFzK
G3zctVTTTQKb67zVNKtblizSHRq21gx/uutReh+RZUhTJewfpOpup7e9oNDxpkSW
nkiHU91vNaOfdfuID7V6eIYKM3yCvrc5z9NKBYklGX2wYm9qEObBF1LrQD2c/M/+
Rn6gnJLdUo0Q95URwngCrchz1i7MVWje3VfsuiHRsB62NFLOGeDqkdoJ7PPCRHeS
WXaZUK7/a7B6wZuf4fafEVWSpgonWvL3bxCLlPau5zYvo40WLzFtIVT6gBCR/TBY
AhUVrrvn1Ssqrz1RRD7ebbFR59yDsEyJaL4cdJzVidB4+tp9XAJ0yjiGJyCJW5NR
eW0dR1jHDacBPMnxgqKtXpn7d0PMx0oghD0wFiQsGqi6aWJs8+qGWugCoHZUiJB2
R/N0MO7l4CuJYECSIiVqgu08h7ZQ3CgROGEFVYaBmkX50DFwLe9FkurOE83jNiJE
d7QKhc2IE6RQ0j9bS7GcBkNjED7jUCryLbwI8ITekHnSt0BiFnVb9rZ3cMYNArcS
5rDZ4JQYsqGiGb03VZqW9VXD/40tTtkLU5EaN9tgroQiHovCfLiug4WbRYz26wZF
cnMHaQCPHYAKme72bAypjzooN4KT5KE8uyNQo3/1eEwd2AKRFEl4f2uBTNqJATYE
GAEIACAWIQT20Y0ZqX9MSKXefZJuUZ2DjSFIHwUCXXJfjwIbDAAKCRBuUZ2DjSFI
H+agCACVQyt3pbCPgJ8CXXhMaaH0Y16DJDxy/AXzQL7hxHzgqIrHuOygADCXvMcH
pb6kznMG4pVfeNZtm+FDoQ7rDPcY9T9eSQD6Fw2hzemysdWAoD9ZUNwynw125Og7
nmOmXIJLQ58J0bDVfb34zwYfdE45LTaQXO2ODx4foMpzCv86XUE4GboQSnUrU1VN
afrbVTSZ7Zna6yNzgtCVomSjxDhCZ+nnYQsTwXqERqby8v2KpgWM3yVV84q2ED2N
51JUIdXFjejFyHWjDHYfYPo4s/I75gYKsTCFo9lGqkcVKX13HMCI7J4KGrmxLVJq
swK2XO60K8/knDo78U2RvVf+Goat
=9tu1
-----END PGP PRIVATE KEY BLOCK-----

View File

@ -0,0 +1,30 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBF1yX48BCAC7TVKvW81RjJKcGI21cI1iUEPkpWCqXwUjt9UsJ8g+2BW45gmX
9tLKPp5ax6hJoLQpcSkOsKcNdigSwHeB+TjIgGshAQOgOXLgnU6oETkobxrv3TcQ
L0gF09jgnUvdzaCSgqtLndgejG1g5SsYIzzHYSTAj/7t5WY2AQKVsiE9pELxUqLB
QQQ97YHklp26sNXT9FYBNZvLN661PvTB2fgMxMrLkE0i8brAC51zyp0/PCy7huDz
9zjryMCReKkwfVIpevBJspHx1P2HLNe+b+O28C4U0r8CuWSk116itbfKGCtWL8LL
khMUBD4j+6zO1E33HVeRR6hypU8ZhbDIX9BzABEBAAG0F3VzZXI1IChjb21tZW50
IGNvbW1lbnQpiQFOBBMBCAA4FiEE9tGNGal/TEil3n2SblGdg40hSB8FAl1yX48C
GwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQblGdg40hSB+FBAf/fy472G8V
1zvZSdiMIANle91JrVP69Iol8X1Jr4NJ7YXcmXBg++kOcSi8yaLtG5QnWfuYbNMU
nocsezhnbo/pW2YLZ7e57b86W0rbjN3N4fzRZ8aYV8nVwVKE7mYYST6BrceGEIc8
T3OQQz4c74Of4gMG4kvg8C+7pzpu5Wgr0YNuju2QIUHX6/Df0KYSac+4igbKCWIn
EqqKoexL8mfgqQ3J5xPzPnFoDjWUZ0Blt1rqiDi7S+yPtRy116vba11UoNaDUnCv
bc5EFgIPayxApSrfUb+S9B5nEJN1kPy39XelDPS6u79z829UtfV5kNfAz6+JH8KT
mjJMROQcX0tk17kBDQRdcl+PAQgAzGclUyI7Jl89yU63WhC/nW+uZtbKIodI2f07
C1bYdAhZdPlykDvqiNx4vEXYbPcuvyTlmolBlvaNMH8cYN4kxU5Chux8ksPaWUz3
08UV0T+UCW77+NCn3SG7+Auj16C75ohk/phGa8kwux4Hy3bZ1YZvw6mdmBPMAv26
Ty+FjMwsYKI57MLSnPEoIOwh8G2kcPJv1nTpwPiHLC+1pEIk5dqdSG/ats8Rw1Gh
ipjeQWVpXfs3ExHIKmU4OroeauzGxSmEmYcDbbse0EcnMm1Fx7DI5y8cTdOi/KcM
8M22T4q29l+Kq+8oPAReOvKBiIH/Fk+IW9Pl/jEHqGJwmrz7vwARAQABiQE2BBgB
CAAgFiEE9tGNGal/TEil3n2SblGdg40hSB8FAl1yX48CGwwACgkQblGdg40hSB/m
oAgAlUMrd6Wwj4CfAl14TGmh9GNegyQ8cvwF80C+4cR84KiKx7jsoAAwl7zHB6W+
pM5zBuKVX3jWbZvhQ6EO6wz3GPU/XkkA+hcNoc3psrHVgKA/WVDcMp8NduToO55j
plyCS0OfCdGw1X29+M8GH3ROOS02kFztjg8eH6DKcwr/Ol1BOBm6EEp1K1NVTWn6
21U0me2Z2usjc4LQlaJko8Q4Qmfp52ELE8F6hEam8vL9iqYFjN8lVfOKthA9jedS
VCHVxY3oxch1owx2H2D6OLPyO+YGCrEwhaPZRqpHFSl9dxzAiOyeChq5sS1SarMC
tlzutCvP5Jw6O/FNkb1X/hqGrQ==
=ghZU
-----END PGP PUBLIC KEY BLOCK-----

View File

@ -5,9 +5,6 @@ load _test_base
FIRST_FILE="$TEST_DEFAULT_FILENAME"
SECOND_FILE="$TEST_SECOND_FILENAME"
FOLDER="somedir"
FILE_IN_FOLDER="${FOLDER}/file_to_hide3"
function setup {
install_fixture_key "$TEST_DEFAULT_USER"
@ -25,7 +22,6 @@ function setup {
function teardown {
# This also needs to be cleaned:
rm "$FIRST_FILE" "$SECOND_FILE"
rm -r "$FOLDER"
uninstall_fixture_key "$TEST_DEFAULT_USER"
unset_current_state

View File

@ -58,7 +58,6 @@ function teardown {
}
@test "run 'hide' with '-P'" {
# attempt to alter permissions on input file
chmod o-rwx "$FILE_TO_HIDE"
@ -74,17 +73,13 @@ function teardown {
local encrypted_file=$(_get_encrypted_filename "$FILE_TO_HIDE")
[ -f "$encrypted_file" ]
# permissions should match. We don't have access to SECRETS_OCTAL_PERMS_COMMAND here
## permissions should match.
local secret_perm
local file_perm
secret_perm=$(ls -l "$encrypted_file" | cut -d' ' -f1)
file_perm=$(ls -l "$FILE_TO_HIDE" | cut -d' ' -f1)
# text prefixed with '# ' and sent to file descriptor 3 is 'diagnostic' (debug) output for devs
file_perm=$($SECRETS_OCTAL_PERMS_COMMAND "$FILE_TO_HIDE")
secret_perm=$($SECRETS_OCTAL_PERMS_COMMAND "$encrypted_file")
#echo "# '$BATS_TEST_DESCRIPTION': $secret_perm, file_perm: $file_perm" >&3
[ "$secret_perm" = "$file_perm" ]
}
@test "run 'hide' from inside subdirectory" {

View File

@ -85,14 +85,12 @@ function teardown {
[ "$status" -eq 0 ]
## permissions should match.
local secret_perm
local file_perm
secret_perm=$(ls -l "$FILE_TO_HIDE$SECRETS_EXTENSION" | cut -d' ' -f1)
file_perm=$(ls -l "$FILE_TO_HIDE" | cut -d' ' -f1)
# text prefixed with '# ' and sent to file descriptor 3 is 'diagnostic' (debug) output for devs
file_perm=$($SECRETS_OCTAL_PERMS_COMMAND "$FILE_TO_HIDE")
secret_perm=$($SECRETS_OCTAL_PERMS_COMMAND "$FILE_TO_HIDE$SECRETS_EXTENSION")
#echo "# secret_perm: $secret_perm, file_perm: $file_perm" >&3
[ "$secret_perm" = "$file_perm" ]
[ -f "$FILE_TO_HIDE" ]

View File

@ -159,6 +159,48 @@ function teardown {
}
@test "run 'tell' with key without email and with comment" {
# install works because it works on filename, not contents of keychain
install_fixture_key "$TEST_NOEMAIL_COMMENT_USER"
# Testing the command itself fails because you have to use an email address
run git secret tell -d "$TEST_GPG_HOMEDIR" "$TEST_NOEMAIL_COMMENT_USER"
# this should not succeed because we only support addressing users by email
[ "$status" -ne 0 ]
# Testing that these users are presented in the
# list of people who knows secret:
run git secret whoknows
[[ "$output" != *"$TEST_NOEMAIL_COMMENT_USER"* ]]
# Cleaning up: can't clean up by email
#uninstall_fixture_key "$TEST_NOEMAIL_COMMENT_USER"
}
@test "run 'tell' on non-email" {
install_fixture_key "$TEST_NOEMAIL_COMMENT_USER"
local name=$(echo "$TEST_NOEMAIL_COMMENT_USER" | sed -e 's/@.*//')
#echo "$name" | sed "s/^/# '$BATS_TEST_DESCRIPTION' name is: /" >&3
# Testing the command itself, should fail because you must use email
run git secret tell -d "$TEST_GPG_HOMEDIR" "$name"
# this should not succeed because we only support addressing users by email
[ "$status" -ne 0 ]
# Testing that these users are presented in the
# list of people who knows secret:
run git secret whoknows
[[ "$output" != *"$name"* ]]
# Cleaning up: can't clean up by email because key doesn't hold it
#uninstall_fixture_key "$TEST_NOEMAIL_COMMENT_USER"
}
@test "run 'tell' in subfolder" {
if [[ "$BATS_RUNNING_FROM_GIT" -eq 1 ]]; then
skip "this test is skipped while 'git commit'. See #334"

View File

@ -64,6 +64,7 @@ function build_package {
# Only requires `rpm`, `apk` or `deb` as first argument:
local build_type="$1"
# coreutils is for sha256sum
# See https://github.com/jordansissel/fpm for docs:
fpm \
-s dir \
@ -76,6 +77,9 @@ function build_package {
--maintainer "Nikita Sobolev (mail@sobolevn.me)" \
--license "MIT" \
-C "$SCRIPT_DEST_DIR" \
-d "bash" \
-d "coreutils" \
-d "gawk" \
-d "git" \
-d "gnupg" \
--deb-no-default-config-files \