diff --git a/.github/workflows/github-pages.yml b/.github/workflows/github-pages.yml new file mode 100644 index 00000000..7c221d74 --- /dev/null +++ b/.github/workflows/github-pages.yml @@ -0,0 +1,24 @@ +name: Deploy Documentation to Github Pages + +on: + push: + branches: + - master + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + with: + submodules: recursive + persist-credentials: false + + - name: Deploy to Pages + uses: JamesIves/github-pages-deploy-action@3.6.1 + with: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + BRANCH: gh-pages # The branch the action should deploy to. + FOLDER: docs # The folder the action should deploy. + CLEAN: true # Automatically remove deleted files from the deploy branch diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 2d01f351..e8bfa339 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -139,6 +139,7 @@ but don't worry, it's easy to `squash` PRs into a small number of commits when t ### Branches We have two long-live branches: `master` for the git-secret code and man pages, and `gh-pages` for the static web site. +The `gh-pages` branch tracks the `master` branch's `docs` folder, and is kept up-to-date using a GitHub Action. Development looks like this: @@ -196,7 +197,7 @@ pre-commit and post-commit hooks will trigger three events. - `pre-commit`: generate and update the manuals and add them to the current commit with `make build-man` -- `post-commit`: trigger `make build-gh-pages`, which will update and push manuals to the [git-secret site][git-secret-site]. +- `post-commit`: a GitHub Action will update the `gh-pages` branch to match the `docs` folder in the `master` branch, which will push updated manuals to the [git-secret site][git-secret-site]. - `post-commit`: new `git` tag (such as v0.3.1) will be automatically created if the version is changed, using something like diff --git a/Makefile b/Makefile index a68b6bc8..b681f045 100644 --- a/Makefile +++ b/Makefile @@ -61,11 +61,6 @@ build-man: install-ronn clean-man git-secret touch man/*/*.ronn export GITSECRET_VERSION=`./git-secret --version` && ronn --roff --organization="sobolevn" --manual="git-secret $${GITSECRET_VERSION}" man/*/*.ronn -.PHONY: build-gh-pages -build-gh-pages: - chmod +x "./utils/gh-branch.sh"; sync; \ - "./utils/gh-branch.sh" - # # Development: # diff --git a/docs/CNAME b/docs/CNAME new file mode 100644 index 00000000..6fdbf051 --- /dev/null +++ b/docs/CNAME @@ -0,0 +1 @@ +git-secret.io \ No newline at end of file diff --git a/docs/Makefile b/docs/Makefile new file mode 100644 index 00000000..be3e3d79 --- /dev/null +++ b/docs/Makefile @@ -0,0 +1,4 @@ +all: build + +build: + @/usr/bin/env bash ./create_posts.sh diff --git a/docs/_config.yml b/docs/_config.yml new file mode 100644 index 00000000..ad1c222a --- /dev/null +++ b/docs/_config.yml @@ -0,0 +1,27 @@ +# Welcome to Jekyll! +# +# This config file is meant for settings that affect your whole blog, values +# which you are expected to set up once and rarely need to edit after that. +# For technical reasons, this file is *NOT* reloaded automatically when you use +# 'jekyll serve'. If you change this file, please restart the server process. + +# Site settings +title: git-secret +email: mail@sobolevn.me +description: > # this means to ignore newlines until "baseurl:" + A bash-tool to store your private data inside a git repository. +baseurl: "" # the subpath of your site, e.g. /blog +url: "http://sobolevn.github.io" # the base hostname & protocol for your site + +# Github links: +github_username: sobolevn +github_changelog: "https://github.com/sobolevn/git-secret/blob/master/CHANGELOG.md" +github_plugins: "https://github.com/sobolevn/git-secret/wiki/Third-party-plugins" +github_using: "https://github.com/sobolevn/git-secret/wiki/Who-uses" + +# Seo settings: +gems: + - jekyll-seo-tag + +# Build settings +markdown: kramdown diff --git a/docs/_includes/favicons.html b/docs/_includes/favicons.html new file mode 100644 index 00000000..9d8db32d --- /dev/null +++ b/docs/_includes/favicons.html @@ -0,0 +1,33 @@ + + + + + + + + + + + + + + + + + + + diff --git a/docs/_includes/footer.html b/docs/_includes/footer.html new file mode 100644 index 00000000..2b651f71 --- /dev/null +++ b/docs/_includes/footer.html @@ -0,0 +1,38 @@ + diff --git a/docs/_includes/head.html b/docs/_includes/head.html new file mode 100644 index 00000000..0e13a06e --- /dev/null +++ b/docs/_includes/head.html @@ -0,0 +1,18 @@ + + + + + + {% if page.title %}{{ page.title }}{% else %}{{ site.title }}{% endif %} + + + + + + + {% include favicons.html %} + + {% seo %} + diff --git a/docs/_includes/header.html b/docs/_includes/header.html new file mode 100644 index 00000000..378740a5 --- /dev/null +++ b/docs/_includes/header.html @@ -0,0 +1,35 @@ +
+ +
+ + {{ site.title }} + +
+ + + + + + + + +
+ + + Download + +
+
+ +
+ + + +
diff --git a/docs/_includes/icon-github.html b/docs/_includes/icon-github.html new file mode 100644 index 00000000..bd2d099d --- /dev/null +++ b/docs/_includes/icon-github.html @@ -0,0 +1,4 @@ + + {% include icon-github.svg %} + {{ include.username }} + diff --git a/docs/_includes/icon-github.svg b/docs/_includes/icon-github.svg new file mode 100644 index 00000000..4422c4f5 --- /dev/null +++ b/docs/_includes/icon-github.svg @@ -0,0 +1 @@ + diff --git a/docs/_includes/icon-twitter.html b/docs/_includes/icon-twitter.html new file mode 100644 index 00000000..5fcd13aa --- /dev/null +++ b/docs/_includes/icon-twitter.html @@ -0,0 +1,4 @@ + + {% include icon-twitter.svg %} + {{ include.username }} + diff --git a/docs/_includes/icon-twitter.svg b/docs/_includes/icon-twitter.svg new file mode 100644 index 00000000..dcf660e7 --- /dev/null +++ b/docs/_includes/icon-twitter.svg @@ -0,0 +1 @@ + diff --git a/docs/_includes/why.md b/docs/_includes/why.md new file mode 100644 index 00000000..c70e4813 --- /dev/null +++ b/docs/_includes/why.md @@ -0,0 +1,16 @@ + +## Intro + +There's a known problem in server configuration and deploying, when you have to store your private data such as: database passwords, application secret-keys, OAuth secret keys and so on, outside of the git repository. Even if this repository is private, it is a security risk to just publish them into the world wide web. What are the drawbacks of storing them separately? + +1. These files are not version controlled. Filenames change, locations change, passwords change from time to time, some new information appears, other is removed. And you can not tell for sure which version of the configuration file was used with each commit. +2. When building the automated deployment system there will be one extra step: download and place these secret-configuration files where they need to be. So you have to maintain an extra secure server, where everything is stored. + +### How does `git-secret` solve these problems? + +1. `git-secret` encrypts files and stores them inside the `git` repository, so you will have all the changes for every commit. +2. `git-secret` doesn't require any other deploy operations rather than `git secret reveal`, so it will automatically decrypt all the required files. + +### What is `git-secret`? + +`git-secret` is a bash tool to store your private data inside a `git` repo. How's that? Basically, it just encrypts, using `gpg`, the tracked files with the public keys of all the users that you trust. So everyone of them can decrypt these files using only their personal secret key. Why deal with all this private-public keys stuff? Well, to make it easier for everyone to manage access rights. There are no passwords that change. When someone is out - just delete their public key, reencrypt the files, and they won't be able to decrypt secrets anymore. diff --git a/docs/_layouts/default.html b/docs/_layouts/default.html new file mode 100644 index 00000000..2cf9ed6a --- /dev/null +++ b/docs/_layouts/default.html @@ -0,0 +1,22 @@ + + + + {% include head.html %} + + + + {% include header.html %} + +
+
+ {{ content }} +
+
+ + {% include footer.html %} + + + + + + diff --git a/docs/_layouts/page.html b/docs/_layouts/page.html new file mode 100644 index 00000000..ce233ad7 --- /dev/null +++ b/docs/_layouts/page.html @@ -0,0 +1,14 @@ +--- +layout: default +--- +
+ +
+

{{ page.title }}

+
+ +
+ {{ content }} +
+ +
diff --git a/docs/_layouts/post.html b/docs/_layouts/post.html new file mode 100644 index 00000000..51ac5106 --- /dev/null +++ b/docs/_layouts/post.html @@ -0,0 +1,30 @@ +--- +layout: default +--- +
+ +
+

+ {{ page.title }} +

+ +

+ + + {% if page.author %} + • + {% endif %} +

+
+ +
+ {{ content }} +
+ +
diff --git a/docs/_posts/2020-09-20-git-secret-add.md b/docs/_posts/2020-09-20-git-secret-add.md new file mode 100644 index 00000000..2481005b --- /dev/null +++ b/docs/_posts/2020-09-20-git-secret-add.md @@ -0,0 +1,45 @@ +--- +layout: post +title: 'git-secret-add' +date: 2020-09-20 15:12:56 -0400 +permalink: git-secret-add +categories: command +--- +git-secret-add - starts to track added files. +============================================= + +## SYNOPSIS + + git secret add [-i] ... + + +## DESCRIPTION +`git-secret-add` adds a filepath(s) into `.gitsecret/paths/mapping.cfg` +and ensures the filepath is mentioned .gitignore. + +When adding files to encrypt, `git-secret-add` (as of 0.2.6) will ensure that they are ignored by `git` by mentioning +them in .gitignore, since they must be secure and not be committed into the remote repository unencrypted. + +If there's no users in the `git-secret`'s keyring, when adding a file, an exception will be raised. + +Use the `git secret add` command to add filenames to this file. +It is not recommended to add filenames directly into `.gitsecret/paths/mapping.cfg`. + +(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret +folder using the SECRETS_DIR environment variable. + +## OPTIONS + + -i - does nothing, adding paths to .gitignore is now the default behavior. + -h - shows this help. + + +## MANUAL + +Run `man git-secret-add` to see this note. + + +## SEE ALSO + +[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), +[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal) diff --git a/docs/_posts/2020-09-20-git-secret-cat.md b/docs/_posts/2020-09-20-git-secret-cat.md new file mode 100644 index 00000000..cb27e43e --- /dev/null +++ b/docs/_posts/2020-09-20-git-secret-cat.md @@ -0,0 +1,39 @@ +--- +layout: post +title: 'git-secret-cat' +date: 2020-09-20 15:12:56 -0400 +permalink: git-secret-cat +categories: command +--- +git-secret-cat - decrypts files passed on command line to stdout +============================================= + +## SYNOPSIS + + git secret cat [-d dir] [-p password] filename [filenames] + + +## DESCRIPTION +`git-secret-cat` - Outputs to stdout the contents of the files named on the command line. +As with `git-secret-reveal`, you'll need to have a public/private keypair that is allowed to +decrypt this repo. + +Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See +(See [git-secret(7)](http://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`. + + +## OPTIONS + + -d - specifies `--homedir` option for the `gpg`, basically use this option if you store your keys in a custom location. + -p - specifies password for noinput mode, adds `--passphrase` option for `gpg`. + -h - shows help. + + +## MANUAL + +Run `man git-secret-cat` to see this note. + + +## SEE ALSO + +[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-cat) diff --git a/docs/_posts/2020-09-20-git-secret-changes.md b/docs/_posts/2020-09-20-git-secret-changes.md new file mode 100644 index 00000000..b9a9d3fe --- /dev/null +++ b/docs/_posts/2020-09-20-git-secret-changes.md @@ -0,0 +1,42 @@ +--- +layout: post +title: 'git-secret-changes' +date: 2020-09-20 15:12:56 -0400 +permalink: git-secret-changes +categories: command +--- +git-secret-changes - view diff of the hidden files. +=================================================== + +## SYNOPSIS + + git secret changes [-h] [-d dir] [-p password] [pathspec]... + + +## DESCRIPTION +`git-secret-changes` - shows changes between the current version of hidden files and the ones already committed. +You can provide any number of hidden files to this command as arguments, and it will show changes for these files only. +Note that files must be specified by their encrypted names, typically `filename.yml.secret`. +If no arguments are provided, information about all hidden files will be shown. + +Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See +(See [git-secret(7)](http://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`. + + +## OPTIONS + + -d - specifies `--homedir` option for the `gpg`. Use this option if your store your keys in a custom location. + -p - specifies password for noinput mode, adds `--passphrase` option for `gpg`. + -h - shows help. + + +## MANUAL + +Run `man git-secret-changes` to see this note. + + +## SEE ALSO + +[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), +[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), +[git-secret-cat(1)](http://git-secret.io/git-secret-cat) diff --git a/docs/_posts/2020-09-20-git-secret-clean.md b/docs/_posts/2020-09-20-git-secret-clean.md new file mode 100644 index 00000000..773b6ca6 --- /dev/null +++ b/docs/_posts/2020-09-20-git-secret-clean.md @@ -0,0 +1,37 @@ +--- +layout: post +title: 'git-secret-clean' +date: 2020-09-20 15:12:56 -0400 +permalink: git-secret-clean +categories: command +--- +git-secret-clean - removes all the hidden files. +================================================ + +## SYNOPSIS + + git secret clean [-v] + + +## DESCRIPTION +`git-secret-clean` deletes all the encrypted files. +Verbose output is enabled with the -v option, in which case the program prints which files are deleted. + + +## OPTIONS + + -v - verbose mode, shows which files are deleted. + -h - shows this help. + +You can also enable verbosity using the SECRETS_VERBOSE environment variable, +as documented at [git-secret(7)](http://git-secret.io/) + +## MANUAL + +Run `man git-secret-clean` to see this note. + + +## SEE ALSO + +[git-secret-whoknows(1)](http://git-secret.io/git-secret-whoknows), [git-secret-add(1)](http://git-secret.io/git-secret-add), +[git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson) diff --git a/docs/_posts/2020-09-20-git-secret-hide.md b/docs/_posts/2020-09-20-git-secret-hide.md new file mode 100644 index 00000000..65213ce6 --- /dev/null +++ b/docs/_posts/2020-09-20-git-secret-hide.md @@ -0,0 +1,69 @@ +--- +layout: post +title: 'git-secret-hide' +date: 2020-09-20 15:12:56 -0400 +permalink: git-secret-hide +categories: command +--- +git-secret-hide - encrypts all added files with the inner keyring. +================================================================== + +## SYNOPSIS + + git secret hide [-c] [-F] [-P] [-v] [-d] [-m] + + +## DESCRIPTION +`git-secret-hide` creates an encrypted version (typically called `filename.txt.secret`) +of each file added by `git-secret-add` command. +Now anyone enabled via 'git secret tell' can can decrypt these files. Under the hood, +`git-secret` uses the keyring in `.gitsecret/keys` and user's secret keys to decrypt the files. + +It is recommended to encrypt (or re-encrypt) all the files in a git-secret repo each +time `git secret hide` is run. + +Otherwise the keychain (the one stored in `.gitsecret/keys/*.gpg`), +may have changed since the last time the files were encrypted, and it's possible +to create a state where the users in the output of `git secret whoknows` +may not be able to decrypt the some files in the repo, or may be able decrypt files +they're not supposed to be able to. + +In other words, unless you re-encrypt all the files in a repo each time you 'hide' any, +it's possible to make it so some files can no longer be decrypted by users who should be +(and would appear) able to decrypt them, and vice-versa. + +If you know what you are doing and wish to encrypt or re-encrypt only a subset of the files +even after reading the above paragraphs, you can use the -F or -m option to only encrypted +a subset of files. The -F option forces `git secret hide` to skip any hidden files +where the unencrypted versions aren't present. The -m option skips any hidden files that have +not be modified since the last time they were encrypted. + +Also, it is possible to modify the names of the encrypted files by setting `SECRETS_EXTENSION` variable. + +(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret +folder using the SECRETS_DIR environment variable. + +You can also enable verbosity using the SECRETS_VERBOSE environment variable, +as documented at [git-secret(7)](http://git-secret.io/) + + +## OPTIONS + + -v - verbose, shows extra information. + -c - deletes encrypted files before creating new ones. + -F - forces hide to continue if a file to encrypt is missing. + -P - preserve permissions of unencrypted file in encrypted file. + -d - deletes unencrypted files after encryption. + -m - encrypt files only when modified. + -h - shows help. + +## MANUAL + +Run `man git-secret-hide` to see this note. + + +## SEE ALSO + +[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), +[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), +[git-secret-cat(1)](http://git-secret.io/git-secret-cat) diff --git a/docs/_posts/2020-09-20-git-secret-init.md b/docs/_posts/2020-09-20-git-secret-init.md new file mode 100644 index 00000000..242e8555 --- /dev/null +++ b/docs/_posts/2020-09-20-git-secret-init.md @@ -0,0 +1,42 @@ +--- +layout: post +title: 'git-secret-init' +date: 2020-09-20 15:12:56 -0400 +permalink: git-secret-init +categories: command +--- +git-secret-init - initializes git-secret repository. +==================================================== + +## SYNOPSIS + + git secret init + + +## DESCRIPTION +`git-secret-init` should be run inside a `git` repo to set up the .gitsecret directory and initialize the repo for git-secret. +Until repository is initialized with `git secret init`, all other `git-secret` commands are unavailable. + +If a .gitsecret directory already exists, `git-secret-init` exits without making any changes. +Otherwise, a .gitsecret directory is created with appropriate sub-directories, +and patterns to ignore git-secret's `random_seed_file` +and not ignore `.secret` files are added to `.gitignore`. + +(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret +folder with the SECRETS_DIR environment variable, and changing the extension git-secret uses for secret files +with the SECRETS_EXTENSION environment variable. + + +## OPTIONS + + -h - shows this help. + + +## MANUAL + +Run `man git-secret-init` to see this note. + + +## SEE ALSO + +[git-secret-usage(1)](http://git-secret.io/git-secret-usage), [git-secret-tell(1)](http://git-secret.io/git-secret-tell) diff --git a/docs/_posts/2020-09-20-git-secret-killperson.md b/docs/_posts/2020-09-20-git-secret-killperson.md new file mode 100644 index 00000000..635a4355 --- /dev/null +++ b/docs/_posts/2020-09-20-git-secret-killperson.md @@ -0,0 +1,35 @@ +--- +layout: post +title: 'git-secret-killperson' +date: 2020-09-20 15:12:56 -0400 +permalink: git-secret-killperson +categories: command +--- +git-secret-killperson - deletes key identified by an email from the inner keyring. +================================================================================== + +## SYNOPSIS + + git secret killperson ... + + +## DESCRIPTION +This command removes the keys associated with the selected email addresses from the keyring. +If you remove a keypair's access with `git-secret-killperson`, and run `git-secret-reveal` and `git-secret-hide -r`, +it will be impossible for given users to decrypt the hidden files. + + +## OPTIONS + + -h - shows this help. + + +## MANUAL + +Run `man git-secret-killperson` to see this note. + + +## SEE ALSO + +[git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-remove(1)](http://git-secret.io/git-secret-remove), +[git-secret-clean(1)](http://git-secret.io/git-secret-clean) diff --git a/docs/_posts/2020-09-20-git-secret-list.md b/docs/_posts/2020-09-20-git-secret-list.md new file mode 100644 index 00000000..f08efe26 --- /dev/null +++ b/docs/_posts/2020-09-20-git-secret-list.md @@ -0,0 +1,37 @@ +--- +layout: post +title: 'git-secret-list' +date: 2020-09-20 15:12:56 -0400 +permalink: git-secret-list +categories: command +--- +git-secret-list - prints all the added files. +============================================= + +## SYNOPSIS + + git secret list + + +## DESCRIPTION +`git-secret-list` prints all the currently added tracked files from the `.gitsecret/paths/mapping.cfg`. + +(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret +folder using the SECRETS_DIR environment variable. + + +## OPTIONS + + -h - shows this help. + + +## MANUAL + +Run `man git-secret-list` to see this note. + + +## SEE ALSO + +[git-secret-whoknows(1)](http://git-secret.io/git-secret-whoknows), [git-secret-add(1)](http://git-secret.io/git-secret-add), +[git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-hide(1)](http://git-secret.io/git-secret-hide), +[git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), [git-secret-cat(1)](http://git-secret.io/git-secret-cat) diff --git a/docs/_posts/2020-09-20-git-secret-remove.md b/docs/_posts/2020-09-20-git-secret-remove.md new file mode 100644 index 00000000..3a49fb36 --- /dev/null +++ b/docs/_posts/2020-09-20-git-secret-remove.md @@ -0,0 +1,39 @@ +--- +layout: post +title: 'git-secret-remove' +date: 2020-09-20 15:12:56 -0400 +permalink: git-secret-remove +categories: command +--- +git-secret-remove - removes files from index. +============================================= + +## SYNOPSIS + + git secret remove [-c] ... + + +## DESCRIPTION +`git-secret-remove` deletes files from `.gitsecret/paths/mapping.cfg`, +so they won't be encrypted or decrypted in the future. +There's also a -c option to delete existing encrypted versions of the files provided. + +(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret +folder using the SECRETS_DIR environment variable. + + +## OPTIONS + + -c - deletes existing real encrypted files. + -h - shows help. + + +## MANUAL + +Run `man git-secret-remove` to see this note. + + +## SEE ALSO + +[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-clean(1)](http://git-secret.io/git-secret-clean), +[git-secret-killperson(1)](http://git-secret.io/git-secret-killperson) diff --git a/docs/_posts/2020-09-20-git-secret-reveal.md b/docs/_posts/2020-09-20-git-secret-reveal.md new file mode 100644 index 00000000..7fed39f7 --- /dev/null +++ b/docs/_posts/2020-09-20-git-secret-reveal.md @@ -0,0 +1,47 @@ +--- +layout: post +title: 'git-secret-reveal' +date: 2020-09-20 15:12:56 -0400 +permalink: git-secret-reveal +categories: command +--- +git-secret-reveal - decrypts all added files. +============================================= + +## SYNOPSIS + + git secret reveal [-f] [-F] [-P] [-v] [-d dir] [-p password] [pathspec]... + + +## DESCRIPTION +`git-secret-reveal` - decrypts all the files in `.gitsecret/paths/mapping.cfg`, +or the passed `pathspec`s. +You will need to have imported the paired secret-key with one of the +public-keys which were used in the encryption. +Under the hood, this uses the `gpg --decrypt` command. + + +## OPTIONS + + -f - forces gpg to overwrite existing files without prompt. + -F - forces reveal to continue even if a file fails to decrypt. + -d - specifies `--homedir` option for the `gpg`, basically use this option if you store your keys in a custom location. + -v - verbose, shows extra information. + -p - specifies password for noinput mode, adds `--passphrase` option for `gpg`. + -P - preserve permissions of encrypted file in unencrypted file. + -h - shows help. + +(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret +folder using the SECRETS_DIR environment variable. + + +## MANUAL + +Run `man git-secret-reveal` to see this note. + + +## SEE ALSO + +[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-cat(1)](http://git-secret.io/git-secret-cat), +[git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-add(1)](http://git-secret.io/git-secret-add), +[git-secret-hide(1)](http://git-secret.io/git-secret-hide) diff --git a/docs/_posts/2020-09-20-git-secret-tell.md b/docs/_posts/2020-09-20-git-secret-tell.md new file mode 100644 index 00000000..e2c6eefe --- /dev/null +++ b/docs/_posts/2020-09-20-git-secret-tell.md @@ -0,0 +1,44 @@ +--- +layout: post +title: 'git-secret-tell' +date: 2020-09-20 15:12:56 -0400 +permalink: git-secret-tell +categories: command +--- +git-secret-tell - adds a person, who can access private data. +=============================================================== + +## SYNOPSIS + + git secret tell [-m] [-d dir] [emails]... + + +## DESCRIPTION +`git-secret-tell` receives one or more email addresses as an input, searches for the `gpg`-key in the `gpg` +`homedir` by these emails, then imports the corresponding public key into `git-secret`'s inner keychain. +From this moment this person can encrypt new files with the keyring which contains their key, +but they cannot decrypt the old files, which were already encrypted without their key. +The files should be re-encrypted with the new keyring by someone who has the unencrypted files. + +Versions of `git-secret tell` after 0.3.2 will warn about keys that are expired, revoked, or otherwise invalid, +and also if multiple keys are found for a single email address. + +**Do not manually import secret keys into `git-secret`**. It won't work with imported secret keys anyway. + +## OPTIONS + + -m - takes your current `git config user.email` as an identifier for the key. + -d - specifies `--homedir` option for the `gpg`, basically use this option if your store your keys in a custom location. + -h - shows help. + + +## MANUAL + +Run `man git-secret-tell` to see this note. + + +## SEE ALSO + +[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-add(1)](http://git-secret.io/git-secret-add), +[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), +[git-secret-cat(1)](http://git-secret.io/git-secret-cat), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson) diff --git a/docs/_posts/2020-09-20-git-secret-usage.md b/docs/_posts/2020-09-20-git-secret-usage.md new file mode 100644 index 00000000..fd29c398 --- /dev/null +++ b/docs/_posts/2020-09-20-git-secret-usage.md @@ -0,0 +1,34 @@ +--- +layout: post +title: 'git-secret-usage' +date: 2020-09-20 15:12:56 -0400 +permalink: git-secret-usage +categories: command +--- +git-secret-usage - prints all the available commands. +===================================================== + +## SYNOPSIS + + git secret usage + + +## DESCRIPTION +`git-secret-usage` is used to print all the available commands. + + +## OPTIONS + + -h - shows this help. + + +## MANUAL + +Run `man git-secret-usage` to see this note. + + +## SEE ALSO + +[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-add(1)](http://git-secret.io/git-secret-add), +[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), +[git-secret-cat(1)](http://git-secret.io/git-secret-cat) diff --git a/docs/_posts/2020-09-20-git-secret-whoknows.md b/docs/_posts/2020-09-20-git-secret-whoknows.md new file mode 100644 index 00000000..bbee51aa --- /dev/null +++ b/docs/_posts/2020-09-20-git-secret-whoknows.md @@ -0,0 +1,35 @@ +--- +layout: post +title: 'git-secret-whoknows' +date: 2020-09-20 15:12:56 -0400 +permalink: git-secret-whoknows +categories: command +--- +git-secret-whoknows - prints email-labels for each key in the keyring. +====================================================================== + +## SYNOPSIS + + git secret whoknows + + +## DESCRIPTION +`git-secret-whoknows` prints list of email addresses whose keys are allowed to access the secrets in this repo. + + +## OPTIONS + + -l - 'long' output, shows key expiration dates. + -h - shows this help. + + +## MANUAL + +Run `man git-secret-whoknows` to see this note. + + +## SEE ALSO + +[git-secret-list(1)](http://git-secret.io/git-secret-list), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), +[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), +[git-secret-cat(1)](http://git-secret.io/git-secret-cat) diff --git a/docs/_posts/2020-09-20-git-secret.md b/docs/_posts/2020-09-20-git-secret.md new file mode 100644 index 00000000..896dc359 --- /dev/null +++ b/docs/_posts/2020-09-20-git-secret.md @@ -0,0 +1,180 @@ +--- +layout: post +title: 'git-secret' +date: 2020-09-20 15:12:56 -0400 +permalink: git-secret +categories: usage +--- +git-secret - bash tool to store private data inside a git repo. +============================================= + +## Usage: Setting up git-secret in a repository + +These steps cover the basic process of using `git-secret`: + +0. Before starting, [make sure you have created a `gpg` RSA key-pair](#using-gpg): a public and a secret key identified by your email address. + +1. Begin with an existing or new git repository. You'll use the 'git secret' commands to add the keyrings and information +to make `git-secret` hide and reveal files in this repository. + +2. Initialize the `git-secret` repository by running `git secret init` command. The `.gitsecret/` folder will be created. +**Note** all the contents of the `.gitsecret/` folder should be checked in, **/except/** the `random_seed` file. +In other words, of all the files in `.gitsecret/`, only the `random_seed` file should be mentioned in your `.gitignore` file. +By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your `.gitignore` file. + +3. Add the first user to the `git-secret` repo keyring by running `git secret tell your@gpg.email`. + +4. Now it's time to add files you wish to encrypt inside the `git-secret` repository. +This can be done by running `git secret add ` command. Make sure these files are ignored by mentions in +`.gitignore`, otherwise `git-secret` won't allow you to add them, as these files could be stored unencrypted. In the default configuration, `git-secret add` will automatically add the unencrypted versions of the files to `.gitignore` for you. + +5. When done, run `git secret hide` to encrypt all files which you have added by the `git secret add` command. +The data will be encrypted with the public-keys described by the `git secret tell` command. +After using `git secret hide` to encrypt your data, it is safe to commit your changes. +**NOTE:** It's recommended to add the `git secret hide` command to your `pre-commit` hook, so you won't miss any changes. + +6. Later you can decrypt files with the `git secret reveal` command, or just print their contents to stdout with the +`git secret cat` command. If you used a password on your GPG key (always recommended), it will ask you for your password. +And you're done! + +### Usage: Adding someone to a repository using git-secret + +1. [Get their `gpg` public-key](#using-gpg). **You won't need their secret key.** + +2. Import this key into your `gpg` keyring (in `~/.gnupg` or similar) by running `gpg --import KEY_NAME.txt` + +3. Now add this person to your secrets repo by running `git secret tell persons@email.id` +(this will be the email address associated with the public key) + +4. The newly added user cannot yet read the encrypted files. Now, re-encrypt the files using +`git secret reveal; git secret hide -d`, and then commit and push the newly encrypted files. +(The -d options deletes the unencrypted file after re-encrypting it). +Now the newly added user will be able to decrypt the files in the repo using `git-secret reveal`. + +Note that it is possible to add yourself to the git-secret repo without decrypting existing files. +It will be possible to decrypt them after re-encrypting them with the new keyring. So, if you don't +want unexpected keys added, you can configure some server-side security policy with the `pre-receive` hook. + +### Using gpg + +You can follow a quick `gpg` tutorial at [devdungeon](https://www.devdungeon.com/content/gpg-tutorial). Here are the most useful commands to get started: + +To generate a RSA key-pair, run: + +```shell +gpg --gen-key +``` + +To export your public key, run: + +```shell +gpg --export your.email@address.com --armor > public-key.gpg +``` + +To import the public key of someone else (to share the secret with them for instance), run: + +```shell +gpg --import public-key.gpg +``` + +To make sure you get the original public keys of the indicated persons, be sure to use a secure channel to transfer it, or use a service you trust, preferably one that uses encryption such as Keybase, to retrieve their public key. Otherwise you could grant the wrong person access to your secrets by mistake! + +### Using git-secret for Continuous Integration / Continuous Deployment (CI/CD) + +When using `git-secret` for CI/CD, you get the benefit that any deployment is necessarily done with the correct configuration, since it is collocated +with the changes in your code. + +One way of doing it is the following: + +1. [create a gpg key](#using-gpg) for your CI/CD environment. You can chose any name and email address you want: for instance `MyApp CodeShip ` +if your app is called MyApp and your CI/CD provider is CodeShip. It is easier not to define a password for that key. +2. run `gpg --export-secret-key myapp@codeship.com --armor` to get your private key value +3. Create an env var on your CI/CD server `GPG_PRIVATE_KEY` and assign it the private key value. +4. Then write your Continuous Deployment build script. For instance: + +```shell +# Install git-secret (https://git-secret.io/installation), for instance, for debian: +echo "deb https://dl.bintray.com/sobolevn/deb git-secret main" | sudo tee -a /etc/apt/sources.list +wget -qO - https://api.bintray.com/users/sobolevn/keys/gpg/public.key | sudo apt-key add - +sudo apt-get update && sudo apt-get install git-secret +# Create private key file +echo $GPG_PRIVATE_KEY > ./private_key.gpg +# Import private key +gpg --import ./private_key.gpg +# Reveal secrets +git secret reveal +# carry on with your build script, secret files are available ... +``` + +Note: your CI/CD might not allow you to create a multiline value. In that case, you can export it on one line with + +```shell +gpg --export-secret-key myapp@codeship.com --armor | tr '\n' ',' +``` + +You can then create your private key file with: + +```shell +echo $GPG_PRIVATE_KEY | tr ',' '\n' > ./private_key.gpg +``` + +## Environment Variables and Configuration + +You can configure the version of `gpg` used, or the extension your encrypted files use, to suit your workflow better. +To do so, just set the required variable to the value you need. +This can be done in your shell environment file or with each `git-secret` command. +See below, or the man page of `git-secret` for an explanation of the environment variables `git-secret` uses. + +The settings available to be changed are: + +* `$SECRETS_VERBOSE` - sets the verbose flag to on for all `git-secret` commands; is identical +to using `-v` on each command that supports it. + +* `$SECRETS_GPG_COMMAND` - sets the `gpg` alternatives, defaults to `gpg`. +It can be changed to `gpg`, `gpg2`, `pgp`, `/usr/local/gpg` or any other value. +After doing so rerun the tests to be sure that it won't break anything. Tested to be working with: `gpg`, `gpg2`. + +* `$SECRETS_EXTENSION` - sets the secret files extension, defaults to `.secret`. It can be changed to any valid file extension. + +* `$SECRETS_DIR` - sets the directory where git-secret stores its files, defaults to .gitsecret. +It can be changed to any valid directory name. + +* `$SECRETS_PINENTRY` - allows user to specify a setting for `gpg`'s --pinentry option. +See `gpg` docs for details about gpg's --pinentry option. + +## The `.gitsecret` folder (can be overridden with SECRETS_DIR) + +This folder contains information about the files encrypted by git-secret, +and about which public/private key sets can access the encrypted data. + +You can change the name of this directory using the SECRETS_DIR environment variable. + +Use the various 'git secret' commands to manipulate the files in `.gitsecret`, +you should not change the data in these files directly. + +Exactly which files exist in the `.gitsecret` folder and what their contents are +vary slightly across different versions of gpg. Thus it is best to use +git-secret with the same version of gpg being used by all users. +This can be forced using SECRETS_GPG_COMMAND environment variable. + +Specifically, there is an issue between gpg version 2.1.20 and later versions +which can cause problems reading and writing keyring files between systems +(this shows up in errors like 'gpg: skipped packet of type 12 in keybox'). + +The git-secret internal data is separated into two directories: + +### `.gitsecret/paths` + +This directory currently contains only the file `mapping.cfg`, which lists all the files your storing encrypted. +In other words, the path mappings: what files are tracked to be hidden and revealed. + +All the other internal data is stored in the directory: + +### `.gitsecret/keys` + +This directory contains data used by git-secret and PGP to allow and maintain the correct encryption and access rights for the permitted parties. + +Generally speaking, all the files in this directory *except* `random_seed` should be checked into your repo. +By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your `.gitignore` file. + +Again, you can change the name of this directory using the SECRETS_DIR environment variable. diff --git a/docs/_sass/_base.scss b/docs/_sass/_base.scss new file mode 100644 index 00000000..e883b6fc --- /dev/null +++ b/docs/_sass/_base.scss @@ -0,0 +1,206 @@ +/** + * Reset some basic elements + */ +body, h1, h2, h3, h4, h5, h6, +p, blockquote, pre, hr, +dl, dd, ol, ul, figure { + margin: 0; + padding: 0; +} + + + +/** + * Basic styling + */ +body { + font: $base-font-weight #{$base-font-size}/#{$base-line-height} $base-font-family; + color: $text-color; + background-color: $background-color; + -webkit-text-size-adjust: 100%; + -webkit-font-feature-settings: "kern" 1; + -moz-font-feature-settings: "kern" 1; + -o-font-feature-settings: "kern" 1; + font-feature-settings: "kern" 1; + font-kerning: normal; +} + + + +/** + * Set `margin-bottom` to maintain vertical rhythm + */ +h1, h2, h3, h4, h5, h6, +p, blockquote, pre, +ul, ol, dl, figure, +%vertical-rhythm { + margin-bottom: $spacing-unit / 2; +} + + + +/** + * Images + */ +img { + max-width: 100%; + vertical-align: middle; +} + + + +/** + * Figures + */ +figure > img { + display: block; +} + +figcaption { + font-size: $small-font-size; +} + + + +/** + * Lists + */ +ul, ol { + margin-left: $spacing-unit; +} + +li { + > ul, + > ol { + margin-bottom: 0; + } +} + + + +/** + * Headings + */ +h1, h2, h3, h4, h5, h6 { + font-weight: $base-font-weight; +} + + + +/** + * Links + */ +a { + color: $brand-color; + text-decoration: none; + + &:visited { + color: darken($brand-color, 15%); + } + + &:hover { + color: $text-color; + text-decoration: underline; + } +} + + + +/** + * Blockquotes + */ +blockquote { + color: $purple-color; + border-left: 4px solid $purple-color-light; + padding-left: $spacing-unit / 2; + font-size: 18px; + letter-spacing: -1px; + font-style: italic; + + > :last-child { + margin-bottom: 0; + } +} + + + +/** + * Code formatting + */ +pre, +code { + font-size: 15px; + border: 1px solid $purple-color-light; + border-radius: 3px; + background-color: #eef; +} + +code { + padding: 1px 5px; +} + +pre { + padding: 8px 12px; + overflow-x: auto; + + > code { + border: 0; + padding-right: 0; + padding-left: 0; + } +} + + + +/** + * Wrapper + */ +.wrapper { + max-width: -webkit-calc(#{$content-width} - (#{$spacing-unit} * 2)); + max-width: calc(#{$content-width} - (#{$spacing-unit} * 2)); + margin-right: auto; + margin-left: auto; + padding-right: $spacing-unit; + padding-left: $spacing-unit; + @extend %clearfix; + + @include media-query($on-laptop) { + max-width: -webkit-calc(#{$content-width} - (#{$spacing-unit})); + max-width: calc(#{$content-width} - (#{$spacing-unit})); + padding-right: $spacing-unit / 2; + padding-left: $spacing-unit / 2; + } +} + + + +/** + * Clearfix + */ +%clearfix { + + &:after { + content: ""; + display: table; + clear: both; + } +} + + + +/** + * Icons + */ +.icon { + + > svg { + display: inline-block; + width: 16px; + height: 16px; + vertical-align: middle; + + path { + fill: $purple-color; + } + } +} diff --git a/docs/_sass/_layout.scss b/docs/_sass/_layout.scss new file mode 100644 index 00000000..d7683be0 --- /dev/null +++ b/docs/_sass/_layout.scss @@ -0,0 +1,276 @@ +/** + * Site header + */ +.site-header { + border-top: 5px solid $purple-color-dark; + border-bottom: 1px solid $purple-color-light; + min-height: 56px; + + // Positioning context for the mobile navigation icon + position: relative; +} + +.site-title { + font-size: 26px; + font-weight: 300; + line-height: 56px; + letter-spacing: -1px; + margin-bottom: 0; + float: left; + + &, + &:visited { + color: $purple-color-dark; + } +} + +.site-nav { + @extend %clearfix; + float: right; + line-height: 56px; + + .menu-icon { + display: none; + } + + .page-link { + color: $text-color; + line-height: $base-line-height; + + // Gaps between nav items, but not on the last one + &:not(:last-child) { + margin-right: 20px; + } + } + + @include media-query($on-palm) { + position: absolute; + top: 9px; + right: $spacing-unit / 2; + background-color: $background-color; + border: 1px solid $purple-color-light; + border-radius: 5px; + text-align: right; + + .menu-icon { + display: block; + float: right; + width: 36px; + height: 26px; + line-height: 0; + padding-top: 10px; + text-align: center; + + > svg { + width: 18px; + height: 15px; + + path { + fill: $purple-color-dark; + } + } + } + + .trigger { + clear: both; + display: none; + } + + &:hover .trigger, &:active .trigger { + display: block; + padding-bottom: 5px; + } + + .page-link { + display: block; + padding: 5px 10px; + + &:not(:last-child) { + margin-right: 0; + } + margin-left: 20px; + } + } + + .trigger { + padding-top: 13px; + } +} + + + +/** + * Site footer + */ +.site-footer { + border-top: 1px solid $purple-color-light; + padding: $spacing-unit 0; +} + +.footer-heading { + font-size: 18px; + margin-bottom: $spacing-unit / 2; +} + +.contact-list, +.social-media-list { + list-style: none; + margin-left: 0; +} + +.footer-col-wrapper { + font-size: 15px; + color: $grey-color; + margin-left: -$spacing-unit / 2; + @extend %clearfix; +} + +.footer-col { + float: left; + margin-bottom: $spacing-unit / 2; + padding-left: $spacing-unit / 2; +} + +.footer-col-1 { + width: -webkit-calc(35% - (#{$spacing-unit} / 2)); + width: calc(35% - (#{$spacing-unit} / 2)); +} + +.footer-col-2 { + width: -webkit-calc(20% - (#{$spacing-unit} / 2)); + width: calc(20% - (#{$spacing-unit} / 2)); +} + +.footer-col-3 { + width: -webkit-calc(45% - (#{$spacing-unit} / 2)); + width: calc(45% - (#{$spacing-unit} / 2)); +} + +@include media-query($on-laptop) { + .footer-col-1, + .footer-col-2 { + width: -webkit-calc(50% - (#{$spacing-unit} / 2)); + width: calc(50% - (#{$spacing-unit} / 2)); + } + + .footer-col-3 { + width: -webkit-calc(100% - (#{$spacing-unit} / 2)); + width: calc(100% - (#{$spacing-unit} / 2)); + } +} + +@include media-query($on-palm) { + .footer-col { + float: none; + width: -webkit-calc(100% - (#{$spacing-unit} / 2)); + width: calc(100% - (#{$spacing-unit} / 2)); + } +} + + + +/** + * Page content + */ +.page-content { + padding: $spacing-unit 0; +} + +.page-heading { + font-size: 20px; +} + +.post-list { + li { + margin-bottom: 10px; + } +} + +.post-meta { + font-size: $small-font-size; + color: $grey-color; +} + +.post-link { + display: block; + font-size: 24px; +} + + + +/** + * Posts + */ +.post-header { + margin-bottom: $spacing-unit; +} + +.post-title { + font-size: 42px; + letter-spacing: -1px; + line-height: 1; + + @include media-query($on-laptop) { + font-size: 36px; + } +} + +.post-content { + margin-bottom: $spacing-unit; + + h2 { + font-size: 32px; + + @include media-query($on-laptop) { + font-size: 28px; + } + } + + h3 { + font-size: 26px; + + @include media-query($on-laptop) { + font-size: 22px; + } + } + + h4 { + font-size: 20px; + + @include media-query($on-laptop) { + font-size: 18px; + } + } +} + + +/** + * Navigation + */ +.site-navigation { + @extend .wrapper; + + display: flex; + justify-content: space-between; + flex-wrap: wrap; + + a { + color: $purple-color-dark; + + @include media-query($on-laptop) { + flex-basis: 100%; + text-align: center; + } + } +} + + +/** + * Homepage + */ + .home { + .home-logo-image { + margin-top: 50px; + margin-bottom: 70px; + } + } diff --git a/docs/_sass/_syntax-highlighting.scss b/docs/_sass/_syntax-highlighting.scss new file mode 100644 index 00000000..8fac5977 --- /dev/null +++ b/docs/_sass/_syntax-highlighting.scss @@ -0,0 +1,71 @@ +/** + * Syntax highlighting styles + */ +.highlight { + background: #fff; + @extend %vertical-rhythm; + + .highlighter-rouge & { + background: #eef; + } + + .c { color: #998; font-style: italic } // Comment + .err { color: #a61717; background-color: #e3d2d2 } // Error + .k { font-weight: bold } // Keyword + .o { font-weight: bold } // Operator + .cm { color: #998; font-style: italic } // Comment.Multiline + .cp { color: #999; font-weight: bold } // Comment.Preproc + .c1 { color: #998; font-style: italic } // Comment.Single + .cs { color: #999; font-weight: bold; font-style: italic } // Comment.Special + .gd { color: #000; background-color: #fdd } // Generic.Deleted + .gd .x { color: #000; background-color: #faa } // Generic.Deleted.Specific + .ge { font-style: italic } // Generic.Emph + .gr { color: #a00 } // Generic.Error + .gh { color: #999 } // Generic.Heading + .gi { color: #000; background-color: #dfd } // Generic.Inserted + .gi .x { color: #000; background-color: #afa } // Generic.Inserted.Specific + .go { color: #888 } // Generic.Output + .gp { color: #555 } // Generic.Prompt + .gs { font-weight: bold } // Generic.Strong + .gu { color: #aaa } // Generic.Subheading + .gt { color: #a00 } // Generic.Traceback + .kc { font-weight: bold } // Keyword.Constant + .kd { font-weight: bold } // Keyword.Declaration + .kp { font-weight: bold } // Keyword.Pseudo + .kr { font-weight: bold } // Keyword.Reserved + .kt { color: #458; font-weight: bold } // Keyword.Type + .m { color: #099 } // Literal.Number + .s { color: #d14 } // Literal.String + .na { color: #008080 } // Name.Attribute + .nb { color: #0086B3 } // Name.Builtin + .nc { color: #458; font-weight: bold } // Name.Class + .no { color: #008080 } // Name.Constant + .ni { color: #800080 } // Name.Entity + .ne { color: #900; font-weight: bold } // Name.Exception + .nf { color: #900; font-weight: bold } // Name.Function + .nn { color: #555 } // Name.Namespace + .nt { color: #000080 } // Name.Tag + .nv { color: #008080 } // Name.Variable + .ow { font-weight: bold } // Operator.Word + .w { color: #bbb } // Text.Whitespace + .mf { color: #099 } // Literal.Number.Float + .mh { color: #099 } // Literal.Number.Hex + .mi { color: #099 } // Literal.Number.Integer + .mo { color: #099 } // Literal.Number.Oct + .sb { color: #d14 } // Literal.String.Backtick + .sc { color: #d14 } // Literal.String.Char + .sd { color: #d14 } // Literal.String.Doc + .s2 { color: #d14 } // Literal.String.Double + .se { color: #d14 } // Literal.String.Escape + .sh { color: #d14 } // Literal.String.Heredoc + .si { color: #d14 } // Literal.String.Interpol + .sx { color: #d14 } // Literal.String.Other + .sr { color: #009926 } // Literal.String.Regex + .s1 { color: #d14 } // Literal.String.Single + .ss { color: #990073 } // Literal.String.Symbol + .bp { color: #999 } // Name.Builtin.Pseudo + .vc { color: #008080 } // Name.Variable.Class + .vg { color: #008080 } // Name.Variable.Global + .vi { color: #008080 } // Name.Variable.Instance + .il { color: #099 } // Literal.Number.Integer.Long +} diff --git a/docs/create_posts.sh b/docs/create_posts.sh new file mode 100755 index 00000000..482e5cc3 --- /dev/null +++ b/docs/create_posts.sh @@ -0,0 +1,62 @@ +#!/usr/bin/env bash + +set -e + +MAN_LOCATION="man/man1" +MAN7_LOCATION="man/man7" +POSTS_LOCATION="_posts" + + +function checkout_manuals { + git checkout master "$MAN_LOCATION" + git checkout master "$MAN7_LOCATION" + + # rm -f $MAN_LOCATION/*.1 +} + + +function copy_to_posts { + # Cleaning old files: + rm -f "$POSTS_LOCATION/*.md" + rm -rf "$POSTS_LOCATION" + mkdir -p "$POSTS_LOCATION" + + # Moving new command files: + local timestamp + local current_date + + timestamp=$(date "+%Y-%m-%d %H:%M:%S %z") + current_date=$(date "+%Y-%m-%d") + + # Creating command refernce: + for com in $MAN_LOCATION/git-secret-*.1.ronn; do + local short_name + short_name=$(echo "$com" | sed -n "s|$MAN_LOCATION/\(.*\)\.1\.ronn|\1|p") + local command_header="--- +layout: post +title: '${short_name}' +date: ${timestamp} +permalink: ${short_name} +categories: command +---" + + local post_filename="$POSTS_LOCATION/${current_date}-${short_name}.md" + echo "$command_header" > "$post_filename" + cat "$com" >> "$post_filename" + done + + # Creating main usage file: + local usage_header="--- +layout: post +title: 'git-secret' +date: ${timestamp} +permalink: git-secret +categories: usage +---" + local usage_filename="$POSTS_LOCATION/${current_date}-git-secret.md" + echo "$usage_header" > "$usage_filename" + cat "$MAN7_LOCATION/git-secret.7.ronn" >> "$usage_filename" +} + +checkout_manuals +copy_to_posts diff --git a/docs/css/main.scss b/docs/css/main.scss new file mode 100644 index 00000000..fdc3a393 --- /dev/null +++ b/docs/css/main.scss @@ -0,0 +1,58 @@ +--- +# Only the main Sass file needs front matter (the dashes are enough) +--- +@charset "utf-8"; + + + +// Our variables +$base-font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; +$base-font-size: 16px; +$base-font-weight: 400; +$small-font-size: $base-font-size * 0.875; +$base-line-height: 1.5; + +$spacing-unit: 30px; + +$text-color: #111; +$background-color: #fdfdfd; + +$grey-color: #828282; +$grey-color-light: lighten($grey-color, 40%); +$grey-color-dark: darken($grey-color, 25%); + +$purple-color: rgb(238, 81, 59); +$purple-color-light: lighten($purple-color, 40%); +$purple-color-dark: darken($purple-color, 25%); + +$brand-color: $purple-color; + +// Width of the content area +$content-width: 800px; + +$on-palm: 600px; +$on-laptop: 800px; + + + +// Use media queries like this: +// @include media-query($on-palm) { +// .wrapper { +// padding-right: $spacing-unit / 2; +// padding-left: $spacing-unit / 2; +// } +// } +@mixin media-query($device) { + @media screen and (max-width: $device) { + @content; + } +} + + + +// Import partials from `sass_dir` (defaults to `_sass`) +@import + "base", + "layout", + "syntax-highlighting" +; diff --git a/docs/feed.xml b/docs/feed.xml new file mode 100644 index 00000000..a6628bd8 --- /dev/null +++ b/docs/feed.xml @@ -0,0 +1,30 @@ +--- +layout: null +--- + + + + {{ site.title | xml_escape }} + {{ site.description | xml_escape }} + {{ site.url }}{{ site.baseurl }}/ + + {{ site.time | date_to_rfc822 }} + {{ site.time | date_to_rfc822 }} + Jekyll v{{ jekyll.version }} + {% for post in site.posts limit:10 %} + + {{ post.title | xml_escape }} + {{ post.content | xml_escape }} + {{ post.date | date_to_rfc822 }} + {{ post.url | prepend: site.baseurl | prepend: site.url }} + {{ post.url | prepend: site.baseurl | prepend: site.url }} + {% for tag in post.tags %} + {{ tag | xml_escape }} + {% endfor %} + {% for cat in post.categories %} + {{ cat | xml_escape }} + {% endfor %} + + {% endfor %} + + diff --git a/docs/images/favicons/android-icon-144x144.png b/docs/images/favicons/android-icon-144x144.png new file mode 100644 index 00000000..f461fe23 Binary files /dev/null and b/docs/images/favicons/android-icon-144x144.png differ diff --git a/docs/images/favicons/android-icon-192x192.png b/docs/images/favicons/android-icon-192x192.png new file mode 100644 index 00000000..b58f8dce Binary files /dev/null and b/docs/images/favicons/android-icon-192x192.png differ diff --git a/docs/images/favicons/android-icon-36x36.png b/docs/images/favicons/android-icon-36x36.png new file mode 100644 index 00000000..8e9b705a Binary files /dev/null and b/docs/images/favicons/android-icon-36x36.png differ diff --git a/docs/images/favicons/android-icon-48x48.png b/docs/images/favicons/android-icon-48x48.png new file mode 100644 index 00000000..3a72d5eb Binary files /dev/null and b/docs/images/favicons/android-icon-48x48.png differ diff --git a/docs/images/favicons/android-icon-72x72.png b/docs/images/favicons/android-icon-72x72.png new file mode 100644 index 00000000..13d3fc05 Binary files /dev/null and b/docs/images/favicons/android-icon-72x72.png differ diff --git a/docs/images/favicons/android-icon-96x96.png b/docs/images/favicons/android-icon-96x96.png new file mode 100644 index 00000000..f1bea38e Binary files /dev/null and b/docs/images/favicons/android-icon-96x96.png differ diff --git a/docs/images/favicons/apple-icon-114x114.png b/docs/images/favicons/apple-icon-114x114.png new file mode 100644 index 00000000..c4f32cc6 Binary files /dev/null and b/docs/images/favicons/apple-icon-114x114.png differ diff --git a/docs/images/favicons/apple-icon-120x120.png b/docs/images/favicons/apple-icon-120x120.png new file mode 100644 index 00000000..29170ea6 Binary files /dev/null and b/docs/images/favicons/apple-icon-120x120.png differ diff --git a/docs/images/favicons/apple-icon-144x144.png b/docs/images/favicons/apple-icon-144x144.png new file mode 100644 index 00000000..f461fe23 Binary files /dev/null and b/docs/images/favicons/apple-icon-144x144.png differ diff --git a/docs/images/favicons/apple-icon-152x152.png b/docs/images/favicons/apple-icon-152x152.png new file mode 100644 index 00000000..ff3eb18b Binary files /dev/null and b/docs/images/favicons/apple-icon-152x152.png differ diff --git a/docs/images/favicons/apple-icon-180x180.png b/docs/images/favicons/apple-icon-180x180.png new file mode 100644 index 00000000..94c7c070 Binary files /dev/null and b/docs/images/favicons/apple-icon-180x180.png differ diff --git a/docs/images/favicons/apple-icon-57x57.png b/docs/images/favicons/apple-icon-57x57.png new file mode 100644 index 00000000..4a577d70 Binary files /dev/null and b/docs/images/favicons/apple-icon-57x57.png differ diff --git a/docs/images/favicons/apple-icon-60x60.png b/docs/images/favicons/apple-icon-60x60.png new file mode 100644 index 00000000..5a1d7f20 Binary files /dev/null and b/docs/images/favicons/apple-icon-60x60.png differ diff --git a/docs/images/favicons/apple-icon-72x72.png b/docs/images/favicons/apple-icon-72x72.png new file mode 100644 index 00000000..13d3fc05 Binary files /dev/null and b/docs/images/favicons/apple-icon-72x72.png differ diff --git a/docs/images/favicons/apple-icon-76x76.png b/docs/images/favicons/apple-icon-76x76.png new file mode 100644 index 00000000..be49274b Binary files /dev/null and b/docs/images/favicons/apple-icon-76x76.png differ diff --git a/docs/images/favicons/apple-icon-precomposed.png b/docs/images/favicons/apple-icon-precomposed.png new file mode 100644 index 00000000..5f7d5bae Binary files /dev/null and b/docs/images/favicons/apple-icon-precomposed.png differ diff --git a/docs/images/favicons/apple-icon.png b/docs/images/favicons/apple-icon.png new file mode 100644 index 00000000..5f7d5bae Binary files /dev/null and b/docs/images/favicons/apple-icon.png differ diff --git a/docs/images/favicons/browserconfig.xml b/docs/images/favicons/browserconfig.xml new file mode 100644 index 00000000..c5541482 --- /dev/null +++ b/docs/images/favicons/browserconfig.xml @@ -0,0 +1,2 @@ + +#ffffff \ No newline at end of file diff --git a/docs/images/favicons/favicon-16x16.png b/docs/images/favicons/favicon-16x16.png new file mode 100644 index 00000000..ea132c51 Binary files /dev/null and b/docs/images/favicons/favicon-16x16.png differ diff --git a/docs/images/favicons/favicon-32x32.png b/docs/images/favicons/favicon-32x32.png new file mode 100644 index 00000000..7b5d6833 Binary files /dev/null and b/docs/images/favicons/favicon-32x32.png differ diff --git a/docs/images/favicons/favicon-96x96.png b/docs/images/favicons/favicon-96x96.png new file mode 100644 index 00000000..f1bea38e Binary files /dev/null and b/docs/images/favicons/favicon-96x96.png differ diff --git a/docs/images/favicons/favicon.ico b/docs/images/favicons/favicon.ico new file mode 100644 index 00000000..c24207a9 Binary files /dev/null and b/docs/images/favicons/favicon.ico differ diff --git a/docs/images/favicons/manifest.json b/docs/images/favicons/manifest.json new file mode 100644 index 00000000..013d4a6a --- /dev/null +++ b/docs/images/favicons/manifest.json @@ -0,0 +1,41 @@ +{ + "name": "App", + "icons": [ + { + "src": "\/android-icon-36x36.png", + "sizes": "36x36", + "type": "image\/png", + "density": "0.75" + }, + { + "src": "\/android-icon-48x48.png", + "sizes": "48x48", + "type": "image\/png", + "density": "1.0" + }, + { + "src": "\/android-icon-72x72.png", + "sizes": "72x72", + "type": "image\/png", + "density": "1.5" + }, + { + "src": "\/android-icon-96x96.png", + "sizes": "96x96", + "type": "image\/png", + "density": "2.0" + }, + { + "src": "\/android-icon-144x144.png", + "sizes": "144x144", + "type": "image\/png", + "density": "3.0" + }, + { + "src": "\/android-icon-192x192.png", + "sizes": "192x192", + "type": "image\/png", + "density": "4.0" + } + ] +} \ No newline at end of file diff --git a/docs/images/favicons/ms-icon-144x144.png b/docs/images/favicons/ms-icon-144x144.png new file mode 100644 index 00000000..f461fe23 Binary files /dev/null and b/docs/images/favicons/ms-icon-144x144.png differ diff --git a/docs/images/favicons/ms-icon-150x150.png b/docs/images/favicons/ms-icon-150x150.png new file mode 100644 index 00000000..27430f12 Binary files /dev/null and b/docs/images/favicons/ms-icon-150x150.png differ diff --git a/docs/images/favicons/ms-icon-310x310.png b/docs/images/favicons/ms-icon-310x310.png new file mode 100644 index 00000000..a87eb2e0 Binary files /dev/null and b/docs/images/favicons/ms-icon-310x310.png differ diff --git a/docs/images/favicons/ms-icon-70x70.png b/docs/images/favicons/ms-icon-70x70.png new file mode 100644 index 00000000..29dd1819 Binary files /dev/null and b/docs/images/favicons/ms-icon-70x70.png differ diff --git a/docs/images/git-secret-big.png b/docs/images/git-secret-big.png new file mode 100644 index 00000000..6ee3b4e7 Binary files /dev/null and b/docs/images/git-secret-big.png differ diff --git a/docs/images/git-secret-sm.png b/docs/images/git-secret-sm.png new file mode 100644 index 00000000..ea89405b Binary files /dev/null and b/docs/images/git-secret-sm.png differ diff --git a/docs/index.html b/docs/index.html new file mode 100644 index 00000000..7b4326b1 --- /dev/null +++ b/docs/index.html @@ -0,0 +1,43 @@ +--- +layout: default +--- + +
+ + git-secret + +

Synopsis

+ + {% capture markdown_file %} + {% include why.md %} + {% endcapture %} + + {{ markdown_file | markdownify }} + + {% for post in site.categories.usage %} + {{ post.content }} + {% endfor %} + +

Command Reference

+ + + +

+ subscribe + via RSS +

+ +
diff --git a/docs/installation.md b/docs/installation.md new file mode 100644 index 00000000..d412c451 --- /dev/null +++ b/docs/installation.md @@ -0,0 +1,90 @@ +--- +layout: default +--- + +# Installation + +## Dependencies + +`git-secret` relies on two dependencies: `git` and `gpg`. Download and install them before using this project. `git-secret` is tested to work with: + + git version 2.7.0 + gpg (GnuPG) 1.4.20 + +## Supported platforms + +`git-secret` works with `Mac OS X` >= 10.9, `Ubuntu` >= 14.04, `Debian` >= 8.3, and `Fedora`. +You can check the full list [here](https://travis-ci.org/sobolevn/git-secret). +You can add your platform to this list, if all the tests pass for you. +`Cygwin` support [is planned](https://github.com/sobolevn/git-secret/issues/40). + +## Installation process + +There are several ways to install `git-secret`: + +--- + +### Homebrew + +`brew install git-secret` + +--- + +### `deb` package + +You can find the `deb` repository [here](https://bintray.com/sobolevn/deb/git-secret). +Pre-requirements: make sure you have installed `apt-transport-https` + +```bash +echo "deb https://dl.bintray.com/sobolevn/deb git-secret main" | sudo tee -a /etc/apt/sources.list +wget -qO - https://api.bintray.com/users/sobolevn/keys/gpg/public.key | sudo apt-key add - +sudo apt-get update && sudo apt-get install git-secret +``` + +--- + +### `rpm` package + +You can find the `rpm` repository [here](https://bintray.com/sobolevn/rpm/git-secret). + +```bash +wget https://bintray.com/sobolevn/rpm/rpm -O bintray-sobolevn-rpm.repo +sudo mv bintray-sobolevn-rpm.repo /etc/yum.repos.d/ +sudo yum install git-secret +``` + +### Arch Linux + +The _Arch_ way to install git-secret is to use the directions for +"Installing Packages" at [Arch User Repository Documentation](https://wiki.archlinux.org/index.php/Arch_User_Repository#Installing_packages) +along with the `PKGBUILD` file from the [git-secret Arch Linux Package](https://aur.archlinux.org/packages/git-secret/) + +You can also install from the [AUR](https://aur.archlinux.org/) using your helper of choice by +installing the package `git-secret`, for example using [yay](https://github.com/Jguer/yay) + +```bash +yay -S git-secret +``` + +--- + +### Manual + +```bash +git clone https://github.com/sobolevn/git-secret.git git-secret +cd git-secret && make build +PREFIX="/usr/local" make install +``` + +Note that you can install to any prefix in your `PATH` + +--- + +### `antigen` plugin + +*Deprecated* + +1. Add line `antigen bundle sobolevn/git-secret` to your `~/.zshrc` +2. Run `source ~/.zshrc` or reopen the terminal + +--- diff --git a/docs/man/man1/git-secret-add.1 b/docs/man/man1/git-secret-add.1 new file mode 100644 index 00000000..fe29932a --- /dev/null +++ b/docs/man/man1/git-secret-add.1 @@ -0,0 +1,45 @@ +.\" generated with Ronn/v0.7.3 +.\" http://github.com/rtomayko/ronn/tree/0.7.3 +. +.TH "GIT\-SECRET\-ADD" "1" "March 2020" "sobolevn" "git-secret 0.3.2" +. +.SH "NAME" +\fBgit\-secret\-add\fR \- starts to track added files\. +. +.SH "SYNOPSIS" +. +.nf + +git secret add [\-i] \.\.\. +. +.fi +. +.SH "DESCRIPTION" +\fBgit\-secret\-add\fR adds a filepath(s) into \fB\.gitsecret/paths/mapping\.cfg\fR and ensures the filepath is mentioned \.gitignore\. +. +.P +When adding files to encrypt, \fBgit\-secret\-add\fR (as of 0\.2\.6) will ensure that they are ignored by \fBgit\fR by mentioning them in \.gitignore, since they must be secure and not be committed into the remote repository unencrypted\. +. +.P +If there\'s no users in the \fBgit\-secret\fR\'s keyring, when adding a file, an exception will be raised\. +. +.P +Use the \fBgit secret add\fR command to add filenames to this file\. It is not recommended to add filenames directly into \fB\.gitsecret/paths/mapping\.cfg\fR\. +. +.P +(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\. +. +.SH "OPTIONS" +. +.nf + +\-i \- does nothing, adding paths to \.gitignore is now the default behavior\. +\-h \- shows this help\. +. +.fi +. +.SH "MANUAL" +Run \fBman git\-secret\-add\fR to see this note\. +. +.SH "SEE ALSO" +git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR diff --git a/docs/man/man1/git-secret-add.1.ronn b/docs/man/man1/git-secret-add.1.ronn new file mode 100644 index 00000000..b6744a8c --- /dev/null +++ b/docs/man/man1/git-secret-add.1.ronn @@ -0,0 +1,38 @@ +git-secret-add - starts to track added files. +============================================= + +## SYNOPSIS + + git secret add [-i] ... + + +## DESCRIPTION +`git-secret-add` adds a filepath(s) into `.gitsecret/paths/mapping.cfg` +and ensures the filepath is mentioned .gitignore. + +When adding files to encrypt, `git-secret-add` (as of 0.2.6) will ensure that they are ignored by `git` by mentioning +them in .gitignore, since they must be secure and not be committed into the remote repository unencrypted. + +If there's no users in the `git-secret`'s keyring, when adding a file, an exception will be raised. + +Use the `git secret add` command to add filenames to this file. +It is not recommended to add filenames directly into `.gitsecret/paths/mapping.cfg`. + +(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret +folder using the SECRETS_DIR environment variable. + +## OPTIONS + + -i - does nothing, adding paths to .gitignore is now the default behavior. + -h - shows this help. + + +## MANUAL + +Run `man git-secret-add` to see this note. + + +## SEE ALSO + +[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), +[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal) diff --git a/docs/man/man1/git-secret-cat.1 b/docs/man/man1/git-secret-cat.1 new file mode 100644 index 00000000..fcec3c13 --- /dev/null +++ b/docs/man/man1/git-secret-cat.1 @@ -0,0 +1,37 @@ +.\" generated with Ronn/v0.7.3 +.\" http://github.com/rtomayko/ronn/tree/0.7.3 +. +.TH "GIT\-SECRET\-CAT" "1" "March 2020" "sobolevn" "git-secret 0.3.2" +. +.SH "NAME" +\fBgit\-secret\-cat\fR \- decrypts files passed on command line to stdout +. +.SH "SYNOPSIS" +. +.nf + +git secret cat [\-d dir] [\-p password] filename [filenames] +. +.fi +. +.SH "DESCRIPTION" +\fBgit\-secret\-cat\fR \- Outputs to stdout the contents of the files named on the command line\. As with \fBgit\-secret\-reveal\fR, you\'ll need to have a public/private keypair that is allowed to decrypt this repo\. +. +.P +Note also that this command can be affected by the \fBSECRETS_PINENTRY\fR environment variable\. See (See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information using \fBSECRETS_PINENTRY\fR\. +. +.SH "OPTIONS" +. +.nf + +\-d \- specifies `\-\-homedir` option for the `gpg`, basically use this option if you store your keys in a custom location\. +\-p \- specifies password for noinput mode, adds `\-\-passphrase` option for `gpg`\. +\-h \- shows help\. +. +.fi +. +.SH "MANUAL" +Run \fBman git\-secret\-cat\fR to see this note\. +. +.SH "SEE ALSO" +git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR diff --git a/docs/man/man1/git-secret-cat.1.ronn b/docs/man/man1/git-secret-cat.1.ronn new file mode 100644 index 00000000..a5206548 --- /dev/null +++ b/docs/man/man1/git-secret-cat.1.ronn @@ -0,0 +1,32 @@ +git-secret-cat - decrypts files passed on command line to stdout +============================================= + +## SYNOPSIS + + git secret cat [-d dir] [-p password] filename [filenames] + + +## DESCRIPTION +`git-secret-cat` - Outputs to stdout the contents of the files named on the command line. +As with `git-secret-reveal`, you'll need to have a public/private keypair that is allowed to +decrypt this repo. + +Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See +(See [git-secret(7)](http://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`. + + +## OPTIONS + + -d - specifies `--homedir` option for the `gpg`, basically use this option if you store your keys in a custom location. + -p - specifies password for noinput mode, adds `--passphrase` option for `gpg`. + -h - shows help. + + +## MANUAL + +Run `man git-secret-cat` to see this note. + + +## SEE ALSO + +[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-cat) diff --git a/docs/man/man1/git-secret-changes.1 b/docs/man/man1/git-secret-changes.1 new file mode 100644 index 00000000..0bfa3a8e --- /dev/null +++ b/docs/man/man1/git-secret-changes.1 @@ -0,0 +1,37 @@ +.\" generated with Ronn/v0.7.3 +.\" http://github.com/rtomayko/ronn/tree/0.7.3 +. +.TH "GIT\-SECRET\-CHANGES" "1" "March 2020" "sobolevn" "git-secret 0.3.2" +. +.SH "NAME" +\fBgit\-secret\-changes\fR \- view diff of the hidden files\. +. +.SH "SYNOPSIS" +. +.nf + +git secret changes [\-h] [\-d dir] [\-p password] [pathspec]\.\.\. +. +.fi +. +.SH "DESCRIPTION" +\fBgit\-secret\-changes\fR \- shows changes between the current version of hidden files and the ones already committed\. You can provide any number of hidden files to this command as arguments, and it will show changes for these files only\. Note that files must be specified by their encrypted names, typically \fBfilename\.yml\.secret\fR\. If no arguments are provided, information about all hidden files will be shown\. +. +.P +Note also that this command can be affected by the \fBSECRETS_PINENTRY\fR environment variable\. See (See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information using \fBSECRETS_PINENTRY\fR\. +. +.SH "OPTIONS" +. +.nf + +\-d \- specifies `\-\-homedir` option for the `gpg`\. Use this option if your store your keys in a custom location\. +\-p \- specifies password for noinput mode, adds `\-\-passphrase` option for `gpg`\. +\-h \- shows help\. +. +.fi +. +.SH "MANUAL" +Run \fBman git\-secret\-changes\fR to see this note\. +. +.SH "SEE ALSO" +git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR diff --git a/docs/man/man1/git-secret-changes.1.ronn b/docs/man/man1/git-secret-changes.1.ronn new file mode 100644 index 00000000..b77b4375 --- /dev/null +++ b/docs/man/man1/git-secret-changes.1.ronn @@ -0,0 +1,35 @@ +git-secret-changes - view diff of the hidden files. +=================================================== + +## SYNOPSIS + + git secret changes [-h] [-d dir] [-p password] [pathspec]... + + +## DESCRIPTION +`git-secret-changes` - shows changes between the current version of hidden files and the ones already committed. +You can provide any number of hidden files to this command as arguments, and it will show changes for these files only. +Note that files must be specified by their encrypted names, typically `filename.yml.secret`. +If no arguments are provided, information about all hidden files will be shown. + +Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See +(See [git-secret(7)](http://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`. + + +## OPTIONS + + -d - specifies `--homedir` option for the `gpg`. Use this option if your store your keys in a custom location. + -p - specifies password for noinput mode, adds `--passphrase` option for `gpg`. + -h - shows help. + + +## MANUAL + +Run `man git-secret-changes` to see this note. + + +## SEE ALSO + +[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), +[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), +[git-secret-cat(1)](http://git-secret.io/git-secret-cat) diff --git a/docs/man/man1/git-secret-clean.1 b/docs/man/man1/git-secret-clean.1 new file mode 100644 index 00000000..51d43323 --- /dev/null +++ b/docs/man/man1/git-secret-clean.1 @@ -0,0 +1,36 @@ +.\" generated with Ronn/v0.7.3 +.\" http://github.com/rtomayko/ronn/tree/0.7.3 +. +.TH "GIT\-SECRET\-CLEAN" "1" "March 2020" "sobolevn" "git-secret 0.3.2" +. +.SH "NAME" +\fBgit\-secret\-clean\fR \- removes all the hidden files\. +. +.SH "SYNOPSIS" +. +.nf + +git secret clean [\-v] +. +.fi +. +.SH "DESCRIPTION" +\fBgit\-secret\-clean\fR deletes all the encrypted files\. Verbose output is enabled with the \-v option, in which case the program prints which files are deleted\. +. +.SH "OPTIONS" +. +.nf + +\-v \- verbose mode, shows which files are deleted\. +\-h \- shows this help\. +. +.fi +. +.P +You can also enable verbosity using the SECRETS_VERBOSE environment variable, as documented at git\-secret(7) \fIhttp://git\-secret\.io/\fR +. +.SH "MANUAL" +Run \fBman git\-secret\-clean\fR to see this note\. +. +.SH "SEE ALSO" +git\-secret\-whoknows(1) \fIhttp://git\-secret\.io/git\-secret\-whoknows\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-remove(1) \fIhttp://git\-secret\.io/git\-secret\-remove\fR, git\-secret\-killperson(1) \fIhttp://git\-secret\.io/git\-secret\-killperson\fR diff --git a/docs/man/man1/git-secret-clean.1.ronn b/docs/man/man1/git-secret-clean.1.ronn new file mode 100644 index 00000000..980d5100 --- /dev/null +++ b/docs/man/man1/git-secret-clean.1.ronn @@ -0,0 +1,30 @@ +git-secret-clean - removes all the hidden files. +================================================ + +## SYNOPSIS + + git secret clean [-v] + + +## DESCRIPTION +`git-secret-clean` deletes all the encrypted files. +Verbose output is enabled with the -v option, in which case the program prints which files are deleted. + + +## OPTIONS + + -v - verbose mode, shows which files are deleted. + -h - shows this help. + +You can also enable verbosity using the SECRETS_VERBOSE environment variable, +as documented at [git-secret(7)](http://git-secret.io/) + +## MANUAL + +Run `man git-secret-clean` to see this note. + + +## SEE ALSO + +[git-secret-whoknows(1)](http://git-secret.io/git-secret-whoknows), [git-secret-add(1)](http://git-secret.io/git-secret-add), +[git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson) diff --git a/docs/man/man1/git-secret-hide.1 b/docs/man/man1/git-secret-hide.1 new file mode 100644 index 00000000..c3bc7617 --- /dev/null +++ b/docs/man/man1/git-secret-hide.1 @@ -0,0 +1,62 @@ +.\" generated with Ronn/v0.7.3 +.\" http://github.com/rtomayko/ronn/tree/0.7.3 +. +.TH "GIT\-SECRET\-HIDE" "1" "March 2020" "sobolevn" "git-secret 0.3.2" +. +.SH "NAME" +\fBgit\-secret\-hide\fR \- encrypts all added files with the inner keyring\. +. +.SH "SYNOPSIS" +. +.nf + +git secret hide [\-c] [\-F] [\-P] [\-v] [\-d] [\-m] +. +.fi +. +.SH "DESCRIPTION" +\fBgit\-secret\-hide\fR creates an encrypted version (typically called \fBfilename\.txt\.secret\fR) of each file added by \fBgit\-secret\-add\fR command\. Now anyone enabled via \'git secret tell\' can can decrypt these files\. Under the hood, \fBgit\-secret\fR uses the keyring in \fB\.gitsecret/keys\fR and user\'s secret keys to decrypt the files\. +. +.P +It is recommended to encrypt (or re\-encrypt) all the files in a git\-secret repo each time \fBgit secret hide\fR is run\. +. +.P +Otherwise the keychain (the one stored in \fB\.gitsecret/keys/*\.gpg\fR), may have changed since the last time the files were encrypted, and it\'s possible to create a state where the users in the output of \fBgit secret whoknows\fR may not be able to decrypt the some files in the repo, or may be able decrypt files they\'re not supposed to be able to\. +. +.P +In other words, unless you re\-encrypt all the files in a repo each time you \'hide\' any, it\'s possible to make it so some files can no longer be decrypted by users who should be (and would appear) able to decrypt them, and vice\-versa\. +. +.P +If you know what you are doing and wish to encrypt or re\-encrypt only a subset of the files even after reading the above paragraphs, you can use the \-F or \-m option to only encrypted a subset of files\. The \-F option forces \fBgit secret hide\fR to skip any hidden files where the unencrypted versions aren\'t present\. The \-m option skips any hidden files that have not be modified since the last time they were encrypted\. +. +.P +Also, it is possible to modify the names of the encrypted files by setting \fBSECRETS_EXTENSION\fR variable\. +. +.P +(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\. +. +.P +You can also enable verbosity using the SECRETS_VERBOSE environment variable, as documented at git\-secret(7) \fIhttp://git\-secret\.io/\fR +. +.SH "OPTIONS" +. +.nf + +\-v \- verbose, shows extra information\. +\-c \- deletes encrypted files before creating new ones\. +\-F \- forces hide to continue if a file to encrypt is missing\. +\-P \- preserve permissions of unencrypted file in encrypted file\. +\-d \- deletes unencrypted files after encryption\. +\-m \- encrypt files only when modified\. +\-h \- shows help\. +. +.fi +. +.SH "MANUAL" +Run \fBman git\-secret\-hide\fR to see this note\. +. +.SH "SEE ALSO" +git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR, +. +.br +git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR diff --git a/docs/man/man1/git-secret-hide.1.ronn b/docs/man/man1/git-secret-hide.1.ronn new file mode 100644 index 00000000..eb5e319f --- /dev/null +++ b/docs/man/man1/git-secret-hide.1.ronn @@ -0,0 +1,62 @@ +git-secret-hide - encrypts all added files with the inner keyring. +================================================================== + +## SYNOPSIS + + git secret hide [-c] [-F] [-P] [-v] [-d] [-m] + + +## DESCRIPTION +`git-secret-hide` creates an encrypted version (typically called `filename.txt.secret`) +of each file added by `git-secret-add` command. +Now anyone enabled via 'git secret tell' can can decrypt these files. Under the hood, +`git-secret` uses the keyring in `.gitsecret/keys` and user's secret keys to decrypt the files. + +It is recommended to encrypt (or re-encrypt) all the files in a git-secret repo each +time `git secret hide` is run. + +Otherwise the keychain (the one stored in `.gitsecret/keys/*.gpg`), +may have changed since the last time the files were encrypted, and it's possible +to create a state where the users in the output of `git secret whoknows` +may not be able to decrypt the some files in the repo, or may be able decrypt files +they're not supposed to be able to. + +In other words, unless you re-encrypt all the files in a repo each time you 'hide' any, +it's possible to make it so some files can no longer be decrypted by users who should be +(and would appear) able to decrypt them, and vice-versa. + +If you know what you are doing and wish to encrypt or re-encrypt only a subset of the files +even after reading the above paragraphs, you can use the -F or -m option to only encrypted +a subset of files. The -F option forces `git secret hide` to skip any hidden files +where the unencrypted versions aren't present. The -m option skips any hidden files that have +not be modified since the last time they were encrypted. + +Also, it is possible to modify the names of the encrypted files by setting `SECRETS_EXTENSION` variable. + +(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret +folder using the SECRETS_DIR environment variable. + +You can also enable verbosity using the SECRETS_VERBOSE environment variable, +as documented at [git-secret(7)](http://git-secret.io/) + + +## OPTIONS + + -v - verbose, shows extra information. + -c - deletes encrypted files before creating new ones. + -F - forces hide to continue if a file to encrypt is missing. + -P - preserve permissions of unencrypted file in encrypted file. + -d - deletes unencrypted files after encryption. + -m - encrypt files only when modified. + -h - shows help. + +## MANUAL + +Run `man git-secret-hide` to see this note. + + +## SEE ALSO + +[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), +[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), +[git-secret-cat(1)](http://git-secret.io/git-secret-cat) diff --git a/docs/man/man1/git-secret-init.1 b/docs/man/man1/git-secret-init.1 new file mode 100644 index 00000000..75bc5643 --- /dev/null +++ b/docs/man/man1/git-secret-init.1 @@ -0,0 +1,38 @@ +.\" generated with Ronn/v0.7.3 +.\" http://github.com/rtomayko/ronn/tree/0.7.3 +. +.TH "GIT\-SECRET\-INIT" "1" "March 2020" "sobolevn" "git-secret 0.3.2" +. +.SH "NAME" +\fBgit\-secret\-init\fR \- initializes git\-secret repository\. +. +.SH "SYNOPSIS" +. +.nf + +git secret init +. +.fi +. +.SH "DESCRIPTION" +\fBgit\-secret\-init\fR should be run inside a \fBgit\fR repo to set up the \.gitsecret directory and initialize the repo for git\-secret\. Until repository is initialized with \fBgit secret init\fR, all other \fBgit\-secret\fR commands are unavailable\. +. +.P +If a \.gitsecret directory already exists, \fBgit\-secret\-init\fR exits without making any changes\. Otherwise, a \.gitsecret directory is created with appropriate sub\-directories, and patterns to ignore git\-secret\'s \fBrandom_seed_file\fR and not ignore \fB\.secret\fR files are added to \fB\.gitignore\fR\. +. +.P +(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder with the SECRETS_DIR environment variable, and changing the extension git\-secret uses for secret files with the SECRETS_EXTENSION environment variable\. +. +.SH "OPTIONS" +. +.nf + +\-h \- shows this help\. +. +.fi +. +.SH "MANUAL" +Run \fBman git\-secret\-init\fR to see this note\. +. +.SH "SEE ALSO" +git\-secret\-usage(1) \fIhttp://git\-secret\.io/git\-secret\-usage\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR diff --git a/docs/man/man1/git-secret-init.1.ronn b/docs/man/man1/git-secret-init.1.ronn new file mode 100644 index 00000000..bf672675 --- /dev/null +++ b/docs/man/man1/git-secret-init.1.ronn @@ -0,0 +1,35 @@ +git-secret-init - initializes git-secret repository. +==================================================== + +## SYNOPSIS + + git secret init + + +## DESCRIPTION +`git-secret-init` should be run inside a `git` repo to set up the .gitsecret directory and initialize the repo for git-secret. +Until repository is initialized with `git secret init`, all other `git-secret` commands are unavailable. + +If a .gitsecret directory already exists, `git-secret-init` exits without making any changes. +Otherwise, a .gitsecret directory is created with appropriate sub-directories, +and patterns to ignore git-secret's `random_seed_file` +and not ignore `.secret` files are added to `.gitignore`. + +(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret +folder with the SECRETS_DIR environment variable, and changing the extension git-secret uses for secret files +with the SECRETS_EXTENSION environment variable. + + +## OPTIONS + + -h - shows this help. + + +## MANUAL + +Run `man git-secret-init` to see this note. + + +## SEE ALSO + +[git-secret-usage(1)](http://git-secret.io/git-secret-usage), [git-secret-tell(1)](http://git-secret.io/git-secret-tell) diff --git a/docs/man/man1/git-secret-killperson.1 b/docs/man/man1/git-secret-killperson.1 new file mode 100644 index 00000000..0292f93a --- /dev/null +++ b/docs/man/man1/git-secret-killperson.1 @@ -0,0 +1,32 @@ +.\" generated with Ronn/v0.7.3 +.\" http://github.com/rtomayko/ronn/tree/0.7.3 +. +.TH "GIT\-SECRET\-KILLPERSON" "1" "March 2020" "sobolevn" "git-secret 0.3.2" +. +.SH "NAME" +\fBgit\-secret\-killperson\fR \- deletes key identified by an email from the inner keyring\. +. +.SH "SYNOPSIS" +. +.nf + +git secret killperson \.\.\. +. +.fi +. +.SH "DESCRIPTION" +This command removes the keys associated with the selected email addresses from the keyring\. If you remove a keypair\'s access with \fBgit\-secret\-killperson\fR, and run \fBgit\-secret\-reveal\fR and \fBgit\-secret\-hide \-r\fR, it will be impossible for given users to decrypt the hidden files\. +. +.SH "OPTIONS" +. +.nf + +\-h \- shows this help\. +. +.fi +. +.SH "MANUAL" +Run \fBman git\-secret\-killperson\fR to see this note\. +. +.SH "SEE ALSO" +git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-remove(1) \fIhttp://git\-secret\.io/git\-secret\-remove\fR, git\-secret\-clean(1) \fIhttp://git\-secret\.io/git\-secret\-clean\fR diff --git a/docs/man/man1/git-secret-killperson.1.ronn b/docs/man/man1/git-secret-killperson.1.ronn new file mode 100644 index 00000000..a602d2dc --- /dev/null +++ b/docs/man/man1/git-secret-killperson.1.ronn @@ -0,0 +1,28 @@ +git-secret-killperson - deletes key identified by an email from the inner keyring. +================================================================================== + +## SYNOPSIS + + git secret killperson ... + + +## DESCRIPTION +This command removes the keys associated with the selected email addresses from the keyring. +If you remove a keypair's access with `git-secret-killperson`, and run `git-secret-reveal` and `git-secret-hide -r`, +it will be impossible for given users to decrypt the hidden files. + + +## OPTIONS + + -h - shows this help. + + +## MANUAL + +Run `man git-secret-killperson` to see this note. + + +## SEE ALSO + +[git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-remove(1)](http://git-secret.io/git-secret-remove), +[git-secret-clean(1)](http://git-secret.io/git-secret-clean) diff --git a/docs/man/man1/git-secret-list.1 b/docs/man/man1/git-secret-list.1 new file mode 100644 index 00000000..7e9c5f5c --- /dev/null +++ b/docs/man/man1/git-secret-list.1 @@ -0,0 +1,35 @@ +.\" generated with Ronn/v0.7.3 +.\" http://github.com/rtomayko/ronn/tree/0.7.3 +. +.TH "GIT\-SECRET\-LIST" "1" "March 2020" "sobolevn" "git-secret 0.3.2" +. +.SH "NAME" +\fBgit\-secret\-list\fR \- prints all the added files\. +. +.SH "SYNOPSIS" +. +.nf + +git secret list +. +.fi +. +.SH "DESCRIPTION" +\fBgit\-secret\-list\fR prints all the currently added tracked files from the \fB\.gitsecret/paths/mapping\.cfg\fR\. +. +.P +(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\. +. +.SH "OPTIONS" +. +.nf + +\-h \- shows this help\. +. +.fi +. +.SH "MANUAL" +Run \fBman git\-secret\-list\fR to see this note\. +. +.SH "SEE ALSO" +git\-secret\-whoknows(1) \fIhttp://git\-secret\.io/git\-secret\-whoknows\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-remove(1) \fIhttp://git\-secret\.io/git\-secret\-remove\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR diff --git a/docs/man/man1/git-secret-list.1.ronn b/docs/man/man1/git-secret-list.1.ronn new file mode 100644 index 00000000..10750b63 --- /dev/null +++ b/docs/man/man1/git-secret-list.1.ronn @@ -0,0 +1,30 @@ +git-secret-list - prints all the added files. +============================================= + +## SYNOPSIS + + git secret list + + +## DESCRIPTION +`git-secret-list` prints all the currently added tracked files from the `.gitsecret/paths/mapping.cfg`. + +(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret +folder using the SECRETS_DIR environment variable. + + +## OPTIONS + + -h - shows this help. + + +## MANUAL + +Run `man git-secret-list` to see this note. + + +## SEE ALSO + +[git-secret-whoknows(1)](http://git-secret.io/git-secret-whoknows), [git-secret-add(1)](http://git-secret.io/git-secret-add), +[git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-hide(1)](http://git-secret.io/git-secret-hide), +[git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), [git-secret-cat(1)](http://git-secret.io/git-secret-cat) diff --git a/docs/man/man1/git-secret-remove.1 b/docs/man/man1/git-secret-remove.1 new file mode 100644 index 00000000..03b9458c --- /dev/null +++ b/docs/man/man1/git-secret-remove.1 @@ -0,0 +1,36 @@ +.\" generated with Ronn/v0.7.3 +.\" http://github.com/rtomayko/ronn/tree/0.7.3 +. +.TH "GIT\-SECRET\-REMOVE" "1" "March 2020" "sobolevn" "git-secret 0.3.2" +. +.SH "NAME" +\fBgit\-secret\-remove\fR \- removes files from index\. +. +.SH "SYNOPSIS" +. +.nf + +git secret remove [\-c] \.\.\. +. +.fi +. +.SH "DESCRIPTION" +\fBgit\-secret\-remove\fR deletes files from \fB\.gitsecret/paths/mapping\.cfg\fR, so they won\'t be encrypted or decrypted in the future\. There\'s also a \-c option to delete existing encrypted versions of the files provided\. +. +.P +(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\. +. +.SH "OPTIONS" +. +.nf + +\-c \- deletes existing real encrypted files\. +\-h \- shows help\. +. +.fi +. +.SH "MANUAL" +Run \fBman git\-secret\-remove\fR to see this note\. +. +.SH "SEE ALSO" +git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-clean(1) \fIhttp://git\-secret\.io/git\-secret\-clean\fR, git\-secret\-killperson(1) \fIhttp://git\-secret\.io/git\-secret\-killperson\fR diff --git a/docs/man/man1/git-secret-remove.1.ronn b/docs/man/man1/git-secret-remove.1.ronn new file mode 100644 index 00000000..6b28c7fb --- /dev/null +++ b/docs/man/man1/git-secret-remove.1.ronn @@ -0,0 +1,32 @@ +git-secret-remove - removes files from index. +============================================= + +## SYNOPSIS + + git secret remove [-c] ... + + +## DESCRIPTION +`git-secret-remove` deletes files from `.gitsecret/paths/mapping.cfg`, +so they won't be encrypted or decrypted in the future. +There's also a -c option to delete existing encrypted versions of the files provided. + +(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret +folder using the SECRETS_DIR environment variable. + + +## OPTIONS + + -c - deletes existing real encrypted files. + -h - shows help. + + +## MANUAL + +Run `man git-secret-remove` to see this note. + + +## SEE ALSO + +[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-clean(1)](http://git-secret.io/git-secret-clean), +[git-secret-killperson(1)](http://git-secret.io/git-secret-killperson) diff --git a/docs/man/man1/git-secret-reveal.1 b/docs/man/man1/git-secret-reveal.1 new file mode 100644 index 00000000..1e5948c5 --- /dev/null +++ b/docs/man/man1/git-secret-reveal.1 @@ -0,0 +1,41 @@ +.\" generated with Ronn/v0.7.3 +.\" http://github.com/rtomayko/ronn/tree/0.7.3 +. +.TH "GIT\-SECRET\-REVEAL" "1" "March 2020" "sobolevn" "git-secret 0.3.2" +. +.SH "NAME" +\fBgit\-secret\-reveal\fR \- decrypts all added files\. +. +.SH "SYNOPSIS" +. +.nf + +git secret reveal [\-f] [\-F] [\-P] [\-v] [\-d dir] [\-p password] [pathspec]\.\.\. +. +.fi +. +.SH "DESCRIPTION" +\fBgit\-secret\-reveal\fR \- decrypts all the files in \fB\.gitsecret/paths/mapping\.cfg\fR, or the passed \fBpathspec\fRs\. You will need to have imported the paired secret\-key with one of the public\-keys which were used in the encryption\. Under the hood, this uses the \fBgpg \-\-decrypt\fR command\. +. +.SH "OPTIONS" +. +.nf + +\-f \- forces gpg to overwrite existing files without prompt\. +\-F \- forces reveal to continue even if a file fails to decrypt\. +\-d \- specifies `\-\-homedir` option for the `gpg`, basically use this option if you store your keys in a custom location\. +\-v \- verbose, shows extra information\. +\-p \- specifies password for noinput mode, adds `\-\-passphrase` option for `gpg`\. +\-P \- preserve permissions of encrypted file in unencrypted file\. +\-h \- shows help\. +. +.fi +. +.P +(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\. +. +.SH "MANUAL" +Run \fBman git\-secret\-reveal\fR to see this note\. +. +.SH "SEE ALSO" +git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR diff --git a/docs/man/man1/git-secret-reveal.1.ronn b/docs/man/man1/git-secret-reveal.1.ronn new file mode 100644 index 00000000..71daceff --- /dev/null +++ b/docs/man/man1/git-secret-reveal.1.ronn @@ -0,0 +1,40 @@ +git-secret-reveal - decrypts all added files. +============================================= + +## SYNOPSIS + + git secret reveal [-f] [-F] [-P] [-v] [-d dir] [-p password] [pathspec]... + + +## DESCRIPTION +`git-secret-reveal` - decrypts all the files in `.gitsecret/paths/mapping.cfg`, +or the passed `pathspec`s. +You will need to have imported the paired secret-key with one of the +public-keys which were used in the encryption. +Under the hood, this uses the `gpg --decrypt` command. + + +## OPTIONS + + -f - forces gpg to overwrite existing files without prompt. + -F - forces reveal to continue even if a file fails to decrypt. + -d - specifies `--homedir` option for the `gpg`, basically use this option if you store your keys in a custom location. + -v - verbose, shows extra information. + -p - specifies password for noinput mode, adds `--passphrase` option for `gpg`. + -P - preserve permissions of encrypted file in unencrypted file. + -h - shows help. + +(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret +folder using the SECRETS_DIR environment variable. + + +## MANUAL + +Run `man git-secret-reveal` to see this note. + + +## SEE ALSO + +[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-cat(1)](http://git-secret.io/git-secret-cat), +[git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-add(1)](http://git-secret.io/git-secret-add), +[git-secret-hide(1)](http://git-secret.io/git-secret-hide) diff --git a/docs/man/man1/git-secret-tell.1 b/docs/man/man1/git-secret-tell.1 new file mode 100644 index 00000000..d18ce63b --- /dev/null +++ b/docs/man/man1/git-secret-tell.1 @@ -0,0 +1,40 @@ +.\" generated with Ronn/v0.7.3 +.\" http://github.com/rtomayko/ronn/tree/0.7.3 +. +.TH "GIT\-SECRET\-TELL" "1" "March 2020" "sobolevn" "git-secret 0.3.2" +. +.SH "NAME" +\fBgit\-secret\-tell\fR \- adds a person, who can access private data\. +. +.SH "SYNOPSIS" +. +.nf + +git secret tell [\-m] [\-d dir] [emails]\.\.\. +. +.fi +. +.SH "DESCRIPTION" +\fBgit\-secret\-tell\fR receives one or more email addresses as an input, searches for the \fBgpg\fR\-key in the \fBgpg\fR \fBhomedir\fR by these emails, then imports the corresponding public key into \fBgit\-secret\fR\'s inner keychain\. From this moment this person can encrypt new files with the keyring which contains their key, but they cannot decrypt the old files, which were already encrypted without their key\. The files should be re\-encrypted with the new keyring by someone who has the unencrypted files\. +. +.P +Versions of \fBgit\-secret tell\fR after 0\.3\.2 will warn about keys that are expired, revoked, or otherwise invalid, and also if multiple keys are found for a single email address\. +. +.P +\fBDo not manually import secret keys into \fBgit\-secret\fR\fR\. It won\'t work with imported secret keys anyway\. +. +.SH "OPTIONS" +. +.nf + +\-m \- takes your current `git config user\.email` as an identifier for the key\. +\-d \- specifies `\-\-homedir` option for the `gpg`, basically use this option if your store your keys in a custom location\. +\-h \- shows help\. +. +.fi +. +.SH "MANUAL" +Run \fBman git\-secret\-tell\fR to see this note\. +. +.SH "SEE ALSO" +git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR, git\-secret\-killperson(1) \fIhttp://git\-secret\.io/git\-secret\-killperson\fR diff --git a/docs/man/man1/git-secret-tell.1.ronn b/docs/man/man1/git-secret-tell.1.ronn new file mode 100644 index 00000000..a86134d3 --- /dev/null +++ b/docs/man/man1/git-secret-tell.1.ronn @@ -0,0 +1,37 @@ +git-secret-tell - adds a person, who can access private data. +=============================================================== + +## SYNOPSIS + + git secret tell [-m] [-d dir] [emails]... + + +## DESCRIPTION +`git-secret-tell` receives one or more email addresses as an input, searches for the `gpg`-key in the `gpg` +`homedir` by these emails, then imports the corresponding public key into `git-secret`'s inner keychain. +From this moment this person can encrypt new files with the keyring which contains their key, +but they cannot decrypt the old files, which were already encrypted without their key. +The files should be re-encrypted with the new keyring by someone who has the unencrypted files. + +Versions of `git-secret tell` after 0.3.2 will warn about keys that are expired, revoked, or otherwise invalid, +and also if multiple keys are found for a single email address. + +**Do not manually import secret keys into `git-secret`**. It won't work with imported secret keys anyway. + +## OPTIONS + + -m - takes your current `git config user.email` as an identifier for the key. + -d - specifies `--homedir` option for the `gpg`, basically use this option if your store your keys in a custom location. + -h - shows help. + + +## MANUAL + +Run `man git-secret-tell` to see this note. + + +## SEE ALSO + +[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-add(1)](http://git-secret.io/git-secret-add), +[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), +[git-secret-cat(1)](http://git-secret.io/git-secret-cat), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson) diff --git a/docs/man/man1/git-secret-usage.1 b/docs/man/man1/git-secret-usage.1 new file mode 100644 index 00000000..e7110a87 --- /dev/null +++ b/docs/man/man1/git-secret-usage.1 @@ -0,0 +1,32 @@ +.\" generated with Ronn/v0.7.3 +.\" http://github.com/rtomayko/ronn/tree/0.7.3 +. +.TH "GIT\-SECRET\-USAGE" "1" "March 2020" "sobolevn" "git-secret 0.3.2" +. +.SH "NAME" +\fBgit\-secret\-usage\fR \- prints all the available commands\. +. +.SH "SYNOPSIS" +. +.nf + +git secret usage +. +.fi +. +.SH "DESCRIPTION" +\fBgit\-secret\-usage\fR is used to print all the available commands\. +. +.SH "OPTIONS" +. +.nf + +\-h \- shows this help\. +. +.fi +. +.SH "MANUAL" +Run \fBman git\-secret\-usage\fR to see this note\. +. +.SH "SEE ALSO" +git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR diff --git a/docs/man/man1/git-secret-usage.1.ronn b/docs/man/man1/git-secret-usage.1.ronn new file mode 100644 index 00000000..06c2791a --- /dev/null +++ b/docs/man/man1/git-secret-usage.1.ronn @@ -0,0 +1,27 @@ +git-secret-usage - prints all the available commands. +===================================================== + +## SYNOPSIS + + git secret usage + + +## DESCRIPTION +`git-secret-usage` is used to print all the available commands. + + +## OPTIONS + + -h - shows this help. + + +## MANUAL + +Run `man git-secret-usage` to see this note. + + +## SEE ALSO + +[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-add(1)](http://git-secret.io/git-secret-add), +[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), +[git-secret-cat(1)](http://git-secret.io/git-secret-cat) diff --git a/docs/man/man1/git-secret-whoknows.1 b/docs/man/man1/git-secret-whoknows.1 new file mode 100644 index 00000000..28c890db --- /dev/null +++ b/docs/man/man1/git-secret-whoknows.1 @@ -0,0 +1,33 @@ +.\" generated with Ronn/v0.7.3 +.\" http://github.com/rtomayko/ronn/tree/0.7.3 +. +.TH "GIT\-SECRET\-WHOKNOWS" "1" "March 2020" "sobolevn" "git-secret 0.3.2" +. +.SH "NAME" +\fBgit\-secret\-whoknows\fR \- prints email\-labels for each key in the keyring\. +. +.SH "SYNOPSIS" +. +.nf + +git secret whoknows +. +.fi +. +.SH "DESCRIPTION" +\fBgit\-secret\-whoknows\fR prints list of email addresses whose keys are allowed to access the secrets in this repo\. +. +.SH "OPTIONS" +. +.nf + +\-l \- \'long\' output, shows key expiration dates\. +\-h \- shows this help\. +. +.fi +. +.SH "MANUAL" +Run \fBman git\-secret\-whoknows\fR to see this note\. +. +.SH "SEE ALSO" +git\-secret\-list(1) \fIhttp://git\-secret\.io/git\-secret\-list\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR diff --git a/docs/man/man1/git-secret-whoknows.1.ronn b/docs/man/man1/git-secret-whoknows.1.ronn new file mode 100644 index 00000000..3160ce33 --- /dev/null +++ b/docs/man/man1/git-secret-whoknows.1.ronn @@ -0,0 +1,28 @@ +git-secret-whoknows - prints email-labels for each key in the keyring. +====================================================================== + +## SYNOPSIS + + git secret whoknows + + +## DESCRIPTION +`git-secret-whoknows` prints list of email addresses whose keys are allowed to access the secrets in this repo. + + +## OPTIONS + + -l - 'long' output, shows key expiration dates. + -h - shows this help. + + +## MANUAL + +Run `man git-secret-whoknows` to see this note. + + +## SEE ALSO + +[git-secret-list(1)](http://git-secret.io/git-secret-list), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), +[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), +[git-secret-cat(1)](http://git-secret.io/git-secret-cat) diff --git a/docs/man/man7/git-secret.7 b/docs/man/man7/git-secret.7 new file mode 100644 index 00000000..34bd9694 --- /dev/null +++ b/docs/man/man7/git-secret.7 @@ -0,0 +1,219 @@ +.\" generated with Ronn/v0.7.3 +.\" http://github.com/rtomayko/ronn/tree/0.7.3 +. +.TH "GIT\-SECRET" "7" "March 2020" "sobolevn" "git-secret 0.3.2" +. +.SH "NAME" +\fBgit\-secret\fR \- bash tool to store private data inside a git repo\. +. +.SH "Usage: Setting up git\-secret in a repository" +These steps cover the basic process of using \fBgit\-secret\fR: +. +.IP "1." 4 +Before starting, \fImake sure you have created \fBgpg\fR RSA key\-pair\fR: public and secret key identified by your email address\. +. +.IP "2." 4 +Begin with an existing or new git repository\. You\'ll use the \'git secret\' commands to add the keyrings and information to make the git\-secret hide and reveal files in this repository\. +. +.IP "3." 4 +Initialize the \fBgit\-secret\fR repository by running \fBgit secret init\fR command\. the \fB\.gitsecret/\fR folder will be created, \fBNote\fR all the contents of the \fB\.gitsecret/\fR folder should be checked in, /except/ the \fBrandom_seed\fR file\. In other words, of the files in \.gitsecret, only the random_seed file should be mentioned in your \.gitignore file\. +. +.IP "4." 4 +Add the first user to the git\-secret repo keyring by running \fBgit secret tell your@gpg\.email\fR\. +. +.IP "5." 4 +Now it\'s time to add files you wish to encrypt inside the \fBgit\-secret\fR repository\. It can be done by running \fBgit secret add \fR command\. Make sure these files are ignored by mentions in \.gitignore, otherwise \fBgit\-secret\fR won\'t allow you to add them, as these files could be stored unencrypted\. +. +.IP "6." 4 +When done, run \fBgit secret hide\fR to encrypt all files which you have added by the \fBgit secret add\fR command\. The data will be encrypted with the public\-keys described by the \fBgit secret tell\fR command\. After using \fBgit secret hide\fR to encrypt your data, it is safe to commit your changes\. \fBNOTE:\fR\. It\'s recommended to add \fBgit secret hide\fR command to your \fBpre\-commit\fR hook, so you won\'t miss any changes\. +. +.IP "7." 4 +Later you can decrypt files with the \fBgit secret reveal\fR command, or just show their contents to stdout with the \fBgit secret cat\fR command\. If you used a password on your GPG key (always recommended), it will ask you for your password\. And you\'re done! +. +.IP "" 0 +. +.SS "Usage: Adding someone to a repository using git\-secret" +. +.IP "1." 4 +\fIGet their \fBgpg\fR public\-key\fR\. \fBYou won\'t need their secret key\.\fR +. +.IP "2." 4 +Import this key into your \fBgpg\fR setup (in ~/\.gnupg or similar) by running \fBgpg \-\-import KEY_NAME\.txt\fR +. +.IP "3." 4 +Now add this person to your secrets repo by running \fBgit secret tell persons@email\.id\fR (this will be the email address associated with the public key) +. +.IP "4." 4 +The newly added user cannot yet read the encrypted files\. Now, re\-encrypt the files using \fBgit secret reveal; git secret hide \-d\fR, and then commit and push the newly encrypted files\. (The \-d options deletes the unencrypted file after re\-encrypting it)\. Now the newly added user be able to decrypt the files in the repo using \fBgit\-secret\fR\. +. +.IP "" 0 +. +.P +Note that it is possible to add yourself to the git\-secret repo without decrypting existing files\. It will be possible to decrypt them after re\-encrypting them with the new keyring\. So, if you don\'t want unexpected keys added, you can configure some server\-side security policy with the \fBpre\-receive\fR hook\. +. +.SS "Using gpg" +You can follow a quick gpg tutorial at https://www\.devdungeon\.com/content/gpg\-tutorial\. Here are the most useful commands to get started: +. +.P +To generate a RSA key\-pair, run: +. +.IP "" 4 +. +.nf + +gpg \-\-gen\-key +. +.fi +. +.IP "" 0 +. +.P +To export your public key, run: +. +.IP "" 4 +. +.nf + +gpg \-\-export your\.email@address\.com \-\-armor > public\-key\.gpg +. +.fi +. +.IP "" 0 +. +.P +To import the public key of someone else (to share the secret with them for instance), run: +. +.IP "" 4 +. +.nf + +gpg \-\-import public\-key\.gpg +. +.fi +. +.IP "" 0 +. +.P +Be sure to use a secure channel to share your public key! +. +.SS "Using git\-secret for Continuous Integration / Continuous Deployment (CI/CD)" +When using git\-secret for CI/CD, you get the benefit that any deployment is necessarily done with the correct configuration, since it is collocated with the changes in your code\. +. +.P +One way of doing it is the following: +. +.IP "1." 4 +\fIcreate a gpg key\fR for your CI/CD environment\. You can chose any name and email address you want: for instance \fBMyApp CodeShip \fR if your app is called MyApp and your CI/CD provider is CodeShip\. It is easier not to define a password for that key\. +. +.IP "2." 4 +run \fBgpg \-\-export\-secret\-key myapp@codeship\.com \-\-armor\fR to get your private key value +. +.IP "3." 4 +Create an env var on your CI/CD server \fBGPG_PRIVATE_KEY\fR and assign it the private key value\. +. +.IP "4." 4 +Then write your Continuous Deployment build script\. For instance: +. +.IP "" 0 +. +.IP "" 4 +. +.nf + +# Install git\-secret (https://git\-secret\.io/installation), for instance, for debian: +echo "deb https://dl\.bintray\.com/sobolevn/deb git\-secret main" | sudo tee \-a /etc/apt/sources\.list +wget \-qO \- https://api\.bintray\.com/users/sobolevn/keys/gpg/public\.key | sudo apt\-key add \- +sudo apt\-get update && sudo apt\-get install git\-secret +# Create private key file +echo $GPG_PRIVATE_KEY > \./private_key\.gpg +# Import private key +gpg \-\-import \./private_key\.gpg +# Reveal secrets +git secret reveal +# carry on with your build script, secret files are available \.\.\. +. +.fi +. +.IP "" 0 +. +.P +Note: your CI/CD might not allow you to create a multiline value\. In that case, you can export it on one line with +. +.IP "" 4 +. +.nf + +gpg \-\-export\-secret\-key myapp@codeship\.com \-\-armor | tr \'\en\' \',\' +. +.fi +. +.IP "" 0 +. +.P +You can then create your private key file with: +. +.IP "" 4 +. +.nf + +echo $GPG_PRIVATE_KEY | tr \',\' \'\en\' > \./private_key\.gpg +. +.fi +. +.IP "" 0 +. +.SH "Environment Variables and Configuration" +You can configure the version of gpg used, or the extension your encrypted files use, to suit your workflow better\. To do so, just set the required variable to the value you need\. This can be done in your shell environment file or with each \fBgit\-secret\fR command\. +. +.P +The settings available to be changed are: +. +.IP "\(bu" 4 +\fB$SECRETS_VERBOSE\fR \- sets the verbose flag to on for all \fBgit\-secret\fR commands; is identical to using \fB\-v\fR on each command that supports it\. +. +.IP "\(bu" 4 +\fB$SECRETS_GPG_COMMAND\fR \- sets the \fBgpg\fR alternatives, defaults to \fBgpg\fR\. It can be changed to \fBgpg\fR, \fBgpg2\fR, \fBpgp\fR, \fB/usr/local/gpg\fR or any other value\. After doing so rerun the tests to be sure that it won\'t break anything\. Tested to be working with: \fBgpg\fR, \fBgpg2\fR\. +. +.IP "\(bu" 4 +\fB$SECRETS_EXTENSION\fR \- sets the secret files extension, defaults to \fB\.secret\fR\. It can be changed to any valid file extension\. +. +.IP "\(bu" 4 +\fB$SECRETS_DIR\fR \- sets the directory where git\-secret stores its files, defaults to \.gitsecret\. It can be changed to any valid directory name\. +. +.IP "\(bu" 4 +\fB$SECRETS_PINENTRY\fR \- allows user to specify a setting for \fBgpg\fR\'s \-\-pinentry option\. See \fBgpg\fR docs for details about gpg\'s \-\-pinentry option\. +. +.IP "" 0 +. +.SH "The \.gitsecret folder (can be overridden with SECRETS_DIR)" +This folder contains information about the files encrypted by git\-secret, and about which public/private key sets can access the encrypted data\. +. +.P +You can change the name of this directory using the SECRETS_DIR environment variable\. +. +.P +Use the various \'git secret\' commands to manipulate the files in \fB\.gitsecret\fR, you should not change the data in these files directly\. +. +.P +Exactly which files exist in the \fB\.gitsecret\fR folder and what their contents are vary slightly across different versions of gpg\. Thus it is best to use git\-secret with the same version of gpg being used by all users\. This can be forced using SECRETS_GPG_COMMAND environment variable\. +. +.P +Specifically, there is an issue between gpg version 2\.1\.20 and later versions which can cause problems reading and writing keyring files between systems (this shows up in errors like \'gpg: skipped packet of type 12 in keybox\')\. +. +.P +The git\-secret internal data is separated into two directories: +. +.SS "\.gitsecret/paths" +This directory currently contains only the file \fBmapping\.cfg\fR, which lists all the files your storing encrypted\. In other words, the path mappings: what files are tracked to be hidden and revealed\. +. +.P +All the other internal data is stored in the directory: +. +.SS "\.gitsecret/keys" +This directory contains data used by git\-secret and PGP to allow and maintain the correct encryption and access rights for the permitted parties\. +. +.P +Generally speaking, all the files in this directory \fIexcept\fR \fBrandom_seed\fR should be checked into your repo\. By default, \fBgit secret init\fR will add the file \fB\.gitsecret/keys/random_seed\fR to your \.gitignore file\. +. +.P +Again, you can change the name of this directory using the SECRETS_DIR environment variable\. diff --git a/docs/man/man7/git-secret.7.ronn b/docs/man/man7/git-secret.7.ronn new file mode 100644 index 00000000..1bbc925c --- /dev/null +++ b/docs/man/man7/git-secret.7.ronn @@ -0,0 +1,173 @@ +git-secret - bash tool to store private data inside a git repo. +============================================= + +## Usage: Setting up git-secret in a repository + +These steps cover the basic process of using `git-secret`: + +0. Before starting, [make sure you have created a `gpg` RSA key-pair](#using-gpg): a public and a secret key identified by your email address. + +1. Begin with an existing or new git repository. You'll use the 'git secret' commands to add the keyrings and information +to make `git-secret` hide and reveal files in this repository. + +2. Initialize the `git-secret` repository by running `git secret init` command. The `.gitsecret/` folder will be created. +**Note** all the contents of the `.gitsecret/` folder should be checked in, **/except/** the `random_seed` file. +In other words, of all the files in `.gitsecret/`, only the `random_seed` file should be mentioned in your `.gitignore` file. +By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your `.gitignore` file. + +3. Add the first user to the `git-secret` repo keyring by running `git secret tell your@gpg.email`. + +4. Now it's time to add files you wish to encrypt inside the `git-secret` repository. +This can be done by running `git secret add ` command. Make sure these files are ignored by mentions in +`.gitignore`, otherwise `git-secret` won't allow you to add them, as these files could be stored unencrypted. In the default configuration, `git-secret add` will automatically add the unencrypted versions of the files to `.gitignore` for you. + +5. When done, run `git secret hide` to encrypt all files which you have added by the `git secret add` command. +The data will be encrypted with the public-keys described by the `git secret tell` command. +After using `git secret hide` to encrypt your data, it is safe to commit your changes. +**NOTE:** It's recommended to add the `git secret hide` command to your `pre-commit` hook, so you won't miss any changes. + +6. Later you can decrypt files with the `git secret reveal` command, or just print their contents to stdout with the +`git secret cat` command. If you used a password on your GPG key (always recommended), it will ask you for your password. +And you're done! + +### Usage: Adding someone to a repository using git-secret + +1. [Get their `gpg` public-key](#using-gpg). **You won't need their secret key.** + +2. Import this key into your `gpg` keyring (in `~/.gnupg` or similar) by running `gpg --import KEY_NAME.txt` + +3. Now add this person to your secrets repo by running `git secret tell persons@email.id` +(this will be the email address associated with the public key) + +4. The newly added user cannot yet read the encrypted files. Now, re-encrypt the files using +`git secret reveal; git secret hide -d`, and then commit and push the newly encrypted files. +(The -d options deletes the unencrypted file after re-encrypting it). +Now the newly added user will be able to decrypt the files in the repo using `git-secret reveal`. + +Note that it is possible to add yourself to the git-secret repo without decrypting existing files. +It will be possible to decrypt them after re-encrypting them with the new keyring. So, if you don't +want unexpected keys added, you can configure some server-side security policy with the `pre-receive` hook. + +### Using gpg + +You can follow a quick `gpg` tutorial at [devdungeon](https://www.devdungeon.com/content/gpg-tutorial). Here are the most useful commands to get started: + +To generate a RSA key-pair, run: + +```shell +gpg --gen-key +``` + +To export your public key, run: + +```shell +gpg --export your.email@address.com --armor > public-key.gpg +``` + +To import the public key of someone else (to share the secret with them for instance), run: + +```shell +gpg --import public-key.gpg +``` + +To make sure you get the original public keys of the indicated persons, be sure to use a secure channel to transfer it, or use a service you trust, preferably one that uses encryption such as Keybase, to retrieve their public key. Otherwise you could grant the wrong person access to your secrets by mistake! + +### Using git-secret for Continuous Integration / Continuous Deployment (CI/CD) + +When using `git-secret` for CI/CD, you get the benefit that any deployment is necessarily done with the correct configuration, since it is collocated +with the changes in your code. + +One way of doing it is the following: + +1. [create a gpg key](#using-gpg) for your CI/CD environment. You can chose any name and email address you want: for instance `MyApp CodeShip ` +if your app is called MyApp and your CI/CD provider is CodeShip. It is easier not to define a password for that key. +2. run `gpg --export-secret-key myapp@codeship.com --armor` to get your private key value +3. Create an env var on your CI/CD server `GPG_PRIVATE_KEY` and assign it the private key value. +4. Then write your Continuous Deployment build script. For instance: + +```shell +# Install git-secret (https://git-secret.io/installation), for instance, for debian: +echo "deb https://dl.bintray.com/sobolevn/deb git-secret main" | sudo tee -a /etc/apt/sources.list +wget -qO - https://api.bintray.com/users/sobolevn/keys/gpg/public.key | sudo apt-key add - +sudo apt-get update && sudo apt-get install git-secret +# Create private key file +echo $GPG_PRIVATE_KEY > ./private_key.gpg +# Import private key +gpg --import ./private_key.gpg +# Reveal secrets +git secret reveal +# carry on with your build script, secret files are available ... +``` + +Note: your CI/CD might not allow you to create a multiline value. In that case, you can export it on one line with + +```shell +gpg --export-secret-key myapp@codeship.com --armor | tr '\n' ',' +``` + +You can then create your private key file with: + +```shell +echo $GPG_PRIVATE_KEY | tr ',' '\n' > ./private_key.gpg +``` + +## Environment Variables and Configuration + +You can configure the version of `gpg` used, or the extension your encrypted files use, to suit your workflow better. +To do so, just set the required variable to the value you need. +This can be done in your shell environment file or with each `git-secret` command. +See below, or the man page of `git-secret` for an explanation of the environment variables `git-secret` uses. + +The settings available to be changed are: + +* `$SECRETS_VERBOSE` - sets the verbose flag to on for all `git-secret` commands; is identical +to using `-v` on each command that supports it. + +* `$SECRETS_GPG_COMMAND` - sets the `gpg` alternatives, defaults to `gpg`. +It can be changed to `gpg`, `gpg2`, `pgp`, `/usr/local/gpg` or any other value. +After doing so rerun the tests to be sure that it won't break anything. Tested to be working with: `gpg`, `gpg2`. + +* `$SECRETS_EXTENSION` - sets the secret files extension, defaults to `.secret`. It can be changed to any valid file extension. + +* `$SECRETS_DIR` - sets the directory where git-secret stores its files, defaults to .gitsecret. +It can be changed to any valid directory name. + +* `$SECRETS_PINENTRY` - allows user to specify a setting for `gpg`'s --pinentry option. +See `gpg` docs for details about gpg's --pinentry option. + +## The `.gitsecret` folder (can be overridden with SECRETS_DIR) + +This folder contains information about the files encrypted by git-secret, +and about which public/private key sets can access the encrypted data. + +You can change the name of this directory using the SECRETS_DIR environment variable. + +Use the various 'git secret' commands to manipulate the files in `.gitsecret`, +you should not change the data in these files directly. + +Exactly which files exist in the `.gitsecret` folder and what their contents are +vary slightly across different versions of gpg. Thus it is best to use +git-secret with the same version of gpg being used by all users. +This can be forced using SECRETS_GPG_COMMAND environment variable. + +Specifically, there is an issue between gpg version 2.1.20 and later versions +which can cause problems reading and writing keyring files between systems +(this shows up in errors like 'gpg: skipped packet of type 12 in keybox'). + +The git-secret internal data is separated into two directories: + +### `.gitsecret/paths` + +This directory currently contains only the file `mapping.cfg`, which lists all the files your storing encrypted. +In other words, the path mappings: what files are tracked to be hidden and revealed. + +All the other internal data is stored in the directory: + +### `.gitsecret/keys` + +This directory contains data used by git-secret and PGP to allow and maintain the correct encryption and access rights for the permitted parties. + +Generally speaking, all the files in this directory *except* `random_seed` should be checked into your repo. +By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your `.gitignore` file. + +Again, you can change the name of this directory using the SECRETS_DIR environment variable. diff --git a/utils/gh-branch.sh b/utils/gh-branch.sh deleted file mode 100755 index e97f8bb6..00000000 --- a/utils/gh-branch.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bash - -set -e - - -function update_gh_branch { - local branch_name - - branch_name=$(git branch | grep '\*' | sed 's/* //') - - git checkout 'gh-pages' - make - - git add --all '_posts' - git commit -m 'documentation update' - git checkout "$branch_name" -} - -update_gh_branch diff --git a/utils/hooks/post-commit.sh b/utils/hooks/post-commit.sh index 9ba12623..ead77495 100755 --- a/utils/hooks/post-commit.sh +++ b/utils/hooks/post-commit.sh @@ -5,9 +5,6 @@ set -e BRANCH_NAME=$(git branch | grep '\*' | sed 's/* //') if [[ "$BRANCH_NAME" == 'master' ]]; then - # Build new web documentation: - make build-gh-pages - # Compare script version and the latest tag: NEWEST_TAG=$(git describe --abbrev=0 --tags) SCRIPT_VERSION=$(bash "${PWD}/git-secret" --version)