Bump JamesIves/github-pages-deploy-action from 4.6.4 to 4.6.8 (#1101)

Bumps [JamesIves/github-pages-deploy-action](https://github.com/jamesives/github-pages-deploy-action) from 4.6.4 to 4.6.8.
- [Release notes](https://github.com/jamesives/github-pages-deploy-action/releases)
- [Commits](https://github.com/jamesives/github-pages-deploy-action/compare/v4.6.4...v4.6.8)

---
updated-dependencies:
- dependency-name: JamesIves/github-pages-deploy-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.ci/docker-ci/alma/Dockerfile

@@ -1,4 +1,4 @@
-FROM centos:8
+FROM almalinux:8
 
 LABEL maintainer="mail@sobolevn.me"
 LABEL vendor="git-secret team"
@@ -12,6 +12,7 @@ RUN dnf -y update \
     gnupg \
     # Assumed to be present:
     diffutils \
+    file \
     findutils \
     procps \
     make \

.ci/docker-ci/alpine/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.20.3
 
 LABEL maintainer="mail@sobolevn.me"
 LABEL vendor="git-secret team"
@@ -12,5 +12,6 @@ RUN apk add --no-cache --update \
   git \
   gnupg \
   # Assumed to be present:
+  file \
   make \
   procps

.ci/docker-ci/arch/Dockerfile

@@ -0,0 +1,17 @@
+FROM archlinux:base-20220529.0.58327
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN pacman -Syu --needed --noconfirm \
+  # Direct dependencies:
+  bash \
+  gawk \
+  git \
+  gnupg \
+  # Assumed to be present:
+  diffutils \
+  file \
+  make \
+  procps
+

.ci/docker-ci/debian-gnupg1/Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:10.9-slim
+FROM debian:12.7-slim
 
 LABEL maintainer="mail@sobolevn.me"
 LABEL vendor="git-secret team"
@@ -13,6 +13,7 @@ RUN apt-get update \
     git \
     gnupg1 \
     # Assumed to be present:
+    file \
     procps \
     make \
   # Cleaning cache:

.ci/docker-ci/debian-gnupg2/Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:10.9-slim
+FROM debian:12.7-slim
 
 LABEL maintainer="mail@sobolevn.me"
 LABEL vendor="git-secret team"
@@ -12,6 +12,7 @@ RUN apt-get update \
     git \
     gnupg \
     # Assumed to be present:
+    file \
     procps \
     make \
   # Cleaning cache:

.ci/docker-ci/fedora/Dockerfile

@@ -1,4 +1,4 @@
-FROM fedora:34
+FROM fedora:40
 
 LABEL maintainer="mail@sobolevn.me"
 LABEL vendor="git-secret team"
@@ -12,6 +12,7 @@ RUN dnf -y update \
     gnupg \
     # Assumed to be present:
     diffutils \
+    file \
     findutils \
     procps \
     make \

.ci/docker-ci/rocky/Dockerfile

@@ -0,0 +1,20 @@
+FROM rockylinux:8
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN dnf -y update \
+  && dnf install -y \
+    # Direct dependencies:
+    bash \
+    gawk \
+    git \
+    gnupg \
+    # Assumed to be present:
+    diffutils \
+    file \
+    findutils \
+    procps \
+    make \
+  && dnf clean all \
+  && rm -rf /var/cache/yum

.ci/docker-ci/ubuntu/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:20.04
+FROM ubuntu:23.10
 
 LABEL maintainer="mail@sobolevn.me"
 LABEL vendor="git-secret team"
@@ -12,6 +12,7 @@ RUN apt-get update \
     git \
     gnupg \
     # Assumed to be present:
+    file \
     procps \
     make \
   # Cleaning cache:

.ci/github_release_script.sh

@@ -1,41 +1,39 @@
-#!/usr/bin/env bash
+#!/usr/bin/env sh
+
+set -e
+
+# Installing additional deps:
+apk add --no-cache curl jq
 
-# https://github.com/travis-ci/dpl/issues/155
 # https://gist.github.com/Jaskaranbir/d5b065173b3a6f164e47a542472168c1
+USER="$(echo "$GITHUB_REPOSITORY" | cut -d "/" -f1)"
+PROJECT="$(echo "$GITHUB_REPOSITORY" | cut -d "/" -f2)"
 
-LAST_RELEASE_TAG=$(curl "https://api.github.com/repos/${TRAVIS_REPO_SLUG}/releases/latest" 2>/dev/null | jq .name | sed 's/"//g')
-
+LAST_RELEASE_TAG=$(curl \
+    --header "authorization: Bearer $GITHUB_TOKEN" \
+    --url "https://api.github.com/repos/$GITHUB_REPOSITORY/releases/latest" \
+  | jq .tag_name | sed 's/"//g'
+)
 echo "LAST_RELEASE_TAG=$LAST_RELEASE_TAG"
+if [ "$LAST_RELEASE_TAG" = 'null' ]; then
+  # Most likely, we are facing rate-limiting problems,
+  # just try again later.
+  exit 1
+fi
 
-# An automatic changelog generator
-gem install github_changelog_generator
+NEW_CHANGELOG='CHANGELOG-RELEASE.md'
 
-# move the manual log out of the way else it will be used by the tool.
-rm CHANGELOG.md
-
-# Generate CHANGELOG.md
+# Generate new CHANGELOG.md with just the last changes
 github_changelog_generator \
-  -u "$(cut -d "/" -f1 <<< "$TRAVIS_REPO_SLUG")" \
-  -p "$(cut -d "/" -f2 <<< "$TRAVIS_REPO_SLUG")" \
+  --user "$USER" \
+  --project "$PROJECT" \
   --token "$GITHUB_OAUTH_TOKEN" \
-  --since-tag "$LAST_RELEASE_TAG"
+  --since-tag "$LAST_RELEASE_TAG" \
+  --max-issues 100 \
+  --no-issues \
+  --release-branch 'master' \
+  --token "$GITHUB_TOKEN" \
+  --output "$NEW_CHANGELOG"
 
-body="$(cat CHANGELOG.md)"
-
-# GitHub API needs json data. here we use the mighty jq from https://stedolan.github.io/jq/
-jq -n \
-  --arg body "$body" \
-  --arg name "$TRAVIS_TAG" \
-  --arg tag_name "$TRAVIS_TAG" \
-  --arg target_commitish "$GIT_BRANCH" \
-  '{
-    body: $body,
-    name: $name,
-    tag_name: $tag_name,
-    target_commitish: $target_commitish,
-    draft: true,
-    prerelease: false
-  }' > CHANGELOG.md
-
-echo "Create release $TRAVIS_TAG for repo: $TRAVIS_REPO_SLUG, branch: $GIT_BRANCH"
-curl -H "Authorization: token $GITHUB_OAUTH_TOKEN" --data @CHANGELOG.md "https://api.github.com/repos/$TRAVIS_REPO_SLUG/releases"
+echo 'Done! Changelog:'
+cat "$NEW_CHANGELOG"

.ci/release-ci/alma/Dockerfile

@@ -0,0 +1,12 @@
+FROM almalinux:8
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN dnf -y update \
+  && dnf install -y \
+    # Required for our install script:
+    wget \
+    sudo \
+  && dnf clean all \
+  && rm -rf /var/cache/yum

.ci/release-ci/alpine/Dockerfile

@@ -0,0 +1,9 @@
+FROM alpine:3.20.3
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN apk add --no-cache --update \
+  # Required for our install script:
+  bash \
+  wget

.ci/release-ci/debian/Dockerfile

@@ -0,0 +1,23 @@
+FROM debian:12.7-slim
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+ENV DEBIAN_FRONTEND='noninteractive'
+
+RUN apt-get update \
+  && apt-get install --no-install-recommends -y \
+    # Required to work with https-based repos and custom signed packages:
+    apt-transport-https \
+    ca-certificates \
+    # Required for our install script:
+    gnupg \
+    sudo \
+    wget \
+  # Cleaning cache:
+  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+  && apt-get clean -y && rm -rf /var/lib/apt/lists/* \
+  && adduser --disabled-password nonroot \
+  && adduser nonroot sudo \
+  && echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+USER nonroot

.ci/release-ci/fedora/Dockerfile

@@ -0,0 +1,16 @@
+FROM fedora:40
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN dnf -y update \
+  && dnf install -y \
+    # Required for our install script:
+    wget \
+    sudo \
+  && dnf clean all \
+  && rm -rf /var/cache/yum \
+  && adduser --password='' -m nonroot \
+  && echo 'nonroot ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+USER nonroot
+WORKDIR /home/nonroot

.ci/release-ci/rocky/Dockerfile

@@ -0,0 +1,12 @@
+FROM rockylinux:8
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN dnf -y update \
+  && dnf install -y \
+    # Required for our install script:
+    wget \
+    sudo \
+  && dnf clean all \
+  && rm -rf /var/cache/yum

.ci/release-ci/ubuntu/Dockerfile

@@ -0,0 +1,23 @@
+FROM ubuntu:23.10
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+ENV DEBIAN_FRONTEND='noninteractive'
+
+RUN apt-get update \
+  && apt-get install --no-install-recommends -y \
+    # Required to work with https-based repos and custom signed packages:
+    apt-transport-https \
+    ca-certificates \
+    # Required for our install script:
+    gnupg \
+    sudo \
+    wget \
+  # Cleaning cache:
+  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+  && apt-get clean -y && rm -rf /var/lib/apt/lists/* \
+  && adduser --disabled-password nonroot \
+  && adduser nonroot sudo \
+  && echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+USER nonroot

.ci/releaser/alpine/Dockerfile

@@ -0,0 +1,40 @@
+# Initially copied from
+# https://github.com/jordansissel/fpm/blob/master/Dockerfile
+FROM alpine:3.20.3
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+ENV CODE_DIR='/code'
+ENV SECRETS_PROJECT_ROOT="$CODE_DIR"
+ENV NFPM_VERSION='2.15.1'
+
+RUN apk add --no-cache --update \
+    # fpm deps:
+    ruby \
+    ruby-dev \
+    ruby-etc \
+    gcc \
+    libffi-dev \
+    make \
+    libc-dev \
+    rpm \
+    tar \
+    # Direct dependencies:
+    bash \
+    gawk \
+    git \
+    gnupg \
+    # Assumed to be present:
+    curl \
+    # envsubst for `nfpm`:
+    gettext \
+  # Installing `nfpm`, it builds alpine packages:
+  && curl -sfL "https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_Linux_x86_64.tar.gz" --output 'nfpm.tar.gz' \
+  && tar -xf 'nfpm.tar.gz' nfpm \
+  && mv nfpm '/usr/local/bin' \
+  && chmod 755 '/usr/local/bin/nfpm' \
+  && rm -rf 'nfpm.tar.gz' \
+  # Installing `fpm`, it builds all other packages:
+  && gem install --no-document fpm
+
+WORKDIR $CODE_DIR

.gitattributes

@@ -1 +1,10 @@
+# Excluding from GitHub languages:
 vendor/ linguist-vendored
+
+# Excluding from GitHub diff:
+*.1 linguist-generated
+*.7 linguist-generated
+
+# Excluding from `git diff`:
+*.1 -diff
+*.7 -diff

.github/FUNDING.yml

@@ -1,4 +1,5 @@
 # These are supported funding model platforms
 
-patreon: sobolevn
+github: wemake-services
 open_collective: git-secret
+custom: https://boosty.to/sobolevn

.github/dependabot.yml

@@ -0,0 +1,83 @@
+# GitHub-native dependabot setup, configuration:
+# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
+version: 2
+
+updates:
+
+# Docs and GitHub Actions:
+
+- package-ecosystem: bundler
+  directory: "/docs"
+  schedule:
+    interval: daily
+
+- package-ecosystem: github-actions
+  directory: "/"
+  schedule:
+    interval: daily
+
+# Our CI and release docker images:
+
+- package-ecosystem: docker
+  directory: ".ci/releaser/alpine"
+  schedule:
+    interval: weekly
+
+# Release CI:
+
+- package-ecosystem: docker
+  directory: ".ci/release-ci/alpine"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/release-ci/debian"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/release-ci/ubuntu"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/release-ci/centos"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/release-ci/fedora"
+  schedule:
+    interval: weekly
+
+# Docker CI:
+
+- package-ecosystem: docker
+  directory: ".ci/docker-ci/alpine"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/docker-ci/debian-gnupg1"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/docker-ci/debian-gnupg2"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/docker-ci/ubuntu"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/docker-ci/centos"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/docker-ci/fedora"
+  schedule:
+    interval: weekly

.github/workflows/build-man.yml

@@ -0,0 +1,25 @@
+
+name: build-man
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - 'docs/**/*'
+  pull_request:
+    paths:
+      - 'docs/**/*'
+  workflow_dispatch:
+
+concurrency: 
+  group: ${{ github.head_ref || github.run_id }}-build-man
+  cancel-in-progress: true
+
+jobs:
+  build-man:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Checks that manual generation works
+      run: make build-man

.github/workflows/github-pages.yml

@@ -1,22 +1,30 @@
-name: Deploy Documentation to Github Pages
+name: github-pages
 
 on:
   push:
     branches:
       - master
+    paths:
+      - 'man/**/*'
+      - 'docs/**/*'
+      - 'utils/*/install.sh'
+
+concurrency: 
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
 
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
 
     - name: Build docs
       run: make build-docs
 
     - name: Deploy to Pages
-      uses: JamesIves/github-pages-deploy-action@4.1.1
+      uses: JamesIves/github-pages-deploy-action@v4.6.8
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         branch: gh-pages # The branch the action should deploy to.

.github/workflows/misspell.yml

@@ -1,20 +0,0 @@
-name: misspell
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '0 0 * * *'
-
-jobs:
-  build:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/checkout@v2
-    - uses: sobolevn/misspell-fixer-action@0.1.0
-    - uses: peter-evans/create-pull-request@v3
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        commit-message: 'Fixes by misspell-fixer'
-        title: 'Typos fix by misspell-fixer'

.github/workflows/release-ci.yml

@@ -0,0 +1,91 @@
+name: release-ci
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * *'
+
+  # In case we change the some build scripts:
+  push:
+    branches:
+      - master
+    paths:
+      - 'utils/**'
+      - '.ci/release-ci/**'
+      - 'Makefile'
+      - '.github/workflows/release-ci.yml'
+  pull_request:
+    paths:
+      - 'utils/**'
+      - '.ci/release-ci/**'
+      - 'Makefile'
+      - '.github/workflows/release-ci.yml'
+
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  existing:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - release-type: deb
+            release-env: debian
+          - release-type: deb
+            release-env: ubuntu
+          - release-type: rpm
+            release-env: fedora
+          - release-type: rpm
+            release-env: rocky
+          - release-type: rpm
+            release-env: alma
+          #- release-type: apk      # temp removal of alpine releases for #881
+          #  release-env: alpine    # temp removal of alpine releases for #881
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run checks
+      run: |
+        SECRETS_RELEASE_ENV="${{ matrix.release-env }}" \
+        SECRETS_RELEASE_TYPE="${{ matrix.release-type }}" \
+        make release-ci
+
+  # Keep in sync with `release.yml`:
+  dryrun:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        release-type:
+          - apk
+          - deb
+          - rpm
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run dry run of the release process
+      run: |
+        SECRETS_RELEASE_TYPE="${{ matrix.release-type }}" \
+        SECRETS_DEPLOY_DRY_RUN=1 \
+        SECRETS_ARTIFACTORY_CREDENTIALS='fake' \
+          make release
+
+  # https://github.community/t/run-github-actions-job-only-if-previous-job-has-failed/174786/2
+  create-issue-on-failure:
+    name: Create an issue if release-ci cron failed
+    runs-on: ubuntu-latest
+    needs: [existing, dryrun]
+    if: ${{ github.event_name == 'schedule' && github.repository == 'sobolevn/git-secret' && always() && (needs.existing.result == 'failure' || needs.dryrun.result == 'failure') }}
+    permissions:
+      issues: write
+    steps:
+      - uses: actions/github-script@v6
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            await github.rest.issues.create({
+              owner: "sobolevn",
+              repo: "git-secret",
+              title: `release-ci failure on ${new Date().toDateString()}`,
+              body: "Details: https://github.com/sobolevn/git-secret/actions/workflows/release-ci.yml",
+            })

.github/workflows/release.yml

@@ -0,0 +1,45 @@
+name: release
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+
+jobs:
+  release-packages:
+    environment:
+      name: artifactory
+      url: https://gitsecret.jfrog.io/artifactory
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        release-type:
+          - apk
+          # - deb
+          # - rpm
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run checks
+      run: SECRETS_RELEASE_TYPE="${{ matrix.release-type }}" make release
+      env:
+        SECRETS_ARTIFACTORY_CREDENTIALS: ${{ secrets.SECRETS_ARTIFACTORY_CREDENTIALS }}
+
+  # github-release:
+  #   runs-on: ubuntu-latest
+  #   needs: ['release-packages']
+  #   steps:
+  #   - uses: actions/checkout@v4
+  #   - run: make changelog
+  #     env:
+  #       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  #   - uses: softprops/action-gh-release@v1
+  #     with:
+  #       # Generated above by `make changelog`:
+  #       body_path: CHANGELOG-RELEASE.md
+  #     env:
+  #       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -4,43 +4,86 @@ on:
   push:
     branches:
       - master
+    paths-ignore:
+      - 'docs/**'
   pull_request:
+    paths-ignore:
+      - 'docs/**'
   workflow_dispatch:
 
+concurrency: 
+  group: ${{ github.head_ref || github.run_id }}-test
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: Shellcheck and Hadolint
       run: make lint
 
   docker-ci:
     runs-on: ubuntu-latest
     strategy:
+      fail-fast: false
       matrix:
-        docker-based-test:
+        docker-env:
+          - alma
+          - alpine
+          #- arch           # disable arch testing for now, see #916
           - debian-gnupg1  # We need to test legacy version of gnupg
           - debian-gnupg2
-          - ubuntu
-          - alpine
           - fedora
-          - centos
+          - rocky
+          - ubuntu
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: Run checks
-      run: GITSECRET_DOCKER_ENV="${{ matrix.docker-based-test }}" make docker-ci
+      run: SECRETS_DOCKER_ENV="${{ matrix.docker-env }}" make docker-ci
 
   osx-ci:
     runs-on: macos-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        test-verbose: [0, 1]
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
+    - name: Install deps
+      run: brew install gawk gnupg
     - name: Run checks
-      run: brew install gawk gnupg && make test
+      run: SECRETS_TEST_VERBOSE=${{ matrix.test-verbose }} make test
 
-  build-man:
+  freebsd-ci:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - name: Checks that manual generation works
-      run: make build-man
+    - uses: actions/checkout@v4
+    - name: Run checks
+      id: test
+      uses: vmactions/freebsd-vm@v1
+      with:
+        usesh: true
+        prepare: pkg install -y gnupg bash gmake git gawk
+        run: |
+          which -a bash
+          which -a shell
+          whoami
+          env
+          freebsd-version
+          gmake test
+
+  windows-wsl-ci:
+    runs-on: windows-latest
+    steps:
+    - uses: Vampire/setup-wsl@v3
+      with: 
+        update: 'true'
+        additional-packages: gnupg make man git gawk file
+    - run: git config --global core.autocrlf input
+    - uses: actions/checkout@v4
+    - shell: wsl-bash {0}
+      run: make test

.gitignore

@@ -135,3 +135,7 @@ build/
 
 # Docs:
 docs/man
+docs/_posts
+docs/_includes/install-*.sh
+docs/_includes/version.txt
+CHANGELOG-RELEASE.md

CHANGELOG.md

@@ -2,22 +2,70 @@
 
 ## {{Next Version}}
 
+### Misc
+
+- NOTE: Arch instructions now say to install from source. Arch tests removed temporarily (#916)
+- NOTE: there is an issue when repo directory (or a parent dir) contains a space (#135)
+- Improve error messaging when we cannot find git repo (#874)
+- Temporarily disable apk builds on alpine (#881)
+- Have `hide -v` show output from gnupg
+- Documentation updates and fixes
+
+
+## 0.5.0
+
+### Features
+
+- Adds `SECRETS_GPG_ARMOR` env variable to use `gpg --armor`
+  when encrypting files, so secret files are stored
+  in text format rather than binary (#631)
+- Allow gnupg permission warnings in `tell`, `hide`, `reveal`, and `removeperson` (#811)
+- `git secret init` now sets `.gitsecret/keys` permission to 0700 (#811)
+- Improve verbose and non-verbose output
+
 ### Bugfixes
 
-- Escape filenames with special characters before adding to .gitignore
+- Fix adding newlines to `.gitignore` entries (#643)
+- Fix `cat` and `reveal` on named files while in repo subdir (#710)
+- Fix `clean`, `hide`, `reveal` so they only remove marked secret files (#833)
+- Fix for `removeperson` if same email is present multiple times (#638)
+- Correct error message about files missing from .gitignore
+
+### Misc
+
+- Rename `killperson` command to `removeperson` (#684)
+- Improve error messaging decrypting nonexistent files (#706)
+- Improve, expand, correct, and update docs (#699)
+- Update docs for use with CI/CD server (#675)
+- Upgrade bats-core to v1.6.0 (#755)
+- Test, and build RPMS, with Rocky and Alma Linux instead of CentOS (#765)
+- Automate testing code on windows using WSL (#846)
+- Automate testing code on FreeBSD (#455)
+- Improve testing of .gitignore contents (#792)
+- Automate running verbose tests with SECRETS_TEST_VERBOSE=1 (#794)
+- Improve documentation about installing on Windows (#843)
+
+
+## 0.4.0
+
+### Bugfixes
+
+- Escape filenames with special characters before adding to `.gitignore`
 - Better error handling around telling an email twice (#634)
+- Fix for `-P` (#647)
 
 ### Misc
 
 - Removed `test-kitchen`
 - Moved from `travis` to GitHub Actions
 - Changed almost all infrastructure code
-- Moved away from Bintray
+- Moved away from Bintray to Artifactory
 - Changes how GitHub Pages work
 - Add security disclaimer for git-secret-killperson
 - Improve documentation about releases
 - Man page improvements
 
+
 ## Version 0.3.3
 
 ### Bugfixes
@@ -34,7 +82,7 @@
 - Reflect changes in ruby bundler during build process
 - Upgrade build process to ansible 2.9
 - Use shellcheck 0.7.1 with CI, not 'latest' (#609)
-- Improve output of git-secret add
+- Improve output of `git-secret add`
 
 ## Version 0.3.2
 
@@ -134,7 +182,7 @@
 - Show commands run by Makefile as per debian upstream recommendations (#386)
 - Upgrade bats-core to v1.1.0, import bats-core into vendor/bats-core (#377)
 - Use gawk to parse emails from gpg output
-- Optimize code that parses keychains
+- Optimize code that parses keyrings
 - Remove unused code
 
 ## Version 0.2.5
@@ -157,7 +205,7 @@
 - Issue error message when unable to hide a secret (#202, #238)
 - Accept gpg key with no name, only an email (#227)
 - Require keys to be specified by email, as documented (#267)
-- Disallow 'git secret tell' or 'killperson' with emails that are not in keychain (also #267)
+- Disallow 'git secret tell' or 'killperson' with emails that are not in keyring (also #267)
 
 ### Misc
 

CONTRIBUTING.md

@@ -78,28 +78,24 @@ lean heavily on git and widely-used Unix command features instead of re-implemen
 
 ### Development Process
 
-1. Firstly, you should setup git-secret's development git hooks with `make install-hooks`
-This will copy the hooks from utils/hooks into .git/hooks/pre-commit and .git/hooks/post-commit
+1. Make changes to the git secret files that need to be changed
 
-2. Make changes to the git secret files that need to be changed
+2. When making changes to any files inside `src/`, for changes to take effect you will need to rebuild the `git-secret` script with `make clean && make build`
 
-3. When making changes to any files inside `src/`, for changes to take effect you will need to rebuild the `git-secret` script with `make clean && make build`
-
-4. Run `shellcheck` against all your changes with `make lint`.
+3. Run `shellcheck` against all your changes with `make lint`.
    You should also check your changes for spelling errors using 'aspell -c filename'.
 
-5. Add an entry to CHANGELOG.md, referring to the related issue # if appropriate
+4. Add an entry to CHANGELOG.md, referring to the related issue # if appropriate
 
-6. Change the `man` source file(s) (we write them in markdown) in `man/man1` and `man/man7` to document your changes if appropriate
+5. Change the `man` source file(s) (we write them in markdown) in `man/man1` and `man/man7` to document your changes if appropriate
 
-7. Now, add all your files to the commit with `git add --all` and commit changes with `git commit`.
+6. Now, add all your files to the commit with `git add --all` and commit changes with `git commit`.
    Write a good commit message which explains your work
 
-8. When running `git commit` the tests will run automatically, your commit will be canceled if they fail.
+7. When running `git commit` the tests will run automatically, your commit will be canceled if they fail.
    You can run the tests manually with `make clean build test`.
-   If you want to make a commit and not run the pre- and post-commit hooks, use 'git commit -n'
 
-9. Push to your repository, and make a pull-request against `master` branch. It's ideal to have one commit per pull-request,
+8. Push to your repository, and make a pull-request against `master` branch. It's ideal to have one commit per pull-request,
 but don't worry, it's easy to `squash` PRs into a small number of commits when they're merged.
 
 ### Branches
@@ -144,12 +140,17 @@ While CI is doing it's building and testing, finish the release on github by pus
 git push --tags
 ```
 
-and then go to https://github.com/sobolevn/git-secret/releases and 'draft a new release',
-setting up a production release like the previous ones.
+and then go to https://github.com/sobolevn/git-secret/releases to see that the new release is created. It might take some time.
 
 #### GitHub automated releases
 
-TODO
+We use GitHub actions to run the release process.
+We use `artifactory` as an environment for the release.
+You would need to get a review before release would be possible.
+
+It can be reproduced locally with `make release`, but you will need `SECRETS_ARTIFACTORY_CREDENTIALS`.
+
+After packages are released to https://gitsecret.jfrog.io we trigger `release-ci` workflow to test that installation works correctly.
 
 #### Manual releases
 

Makefile

@@ -1,4 +1,4 @@
-SHELL:=/usr/bin/env bash
+SHELL:=bash
 PREFIX?="/usr"
 DESTDIR?=
 
@@ -6,27 +6,27 @@ DESTDIR?=
 # Building:
 #
 
-git-secret: src/version.sh src/_utils/*.sh src/commands/*.sh src/main.sh
-	cat $^ > "$@"; \
-	chmod +x git-secret; sync
-
 .PHONY: all
 all: build
 
 .PHONY: clean
 clean:
-	rm -f git-secret
+	@rm -f git-secret
 
 .PHONY: build
-build: git-secret
+build:
+	@cat src/version.sh > git-secret
+	@cat src/_utils/*.sh src/commands/*.sh >> git-secret
+	@cat src/main.sh >> git-secret
+	@chmod +x git-secret; sync
 
 .PHONY: install
 install:
-	${SHELL} ./utils/install.sh "${DESTDIR}${PREFIX}"
+	"${SHELL}" ./utils/install.sh "${DESTDIR}${PREFIX}"
 
 .PHONY: uninstall
 uninstall:
-	${SHELL} ./utils/uninstall.sh "${DESTDIR}${PREFIX}"
+	"${SHELL}" ./utils/uninstall.sh "${DESTDIR}${PREFIX}"
 
 #
 # Testing and linting:
@@ -37,25 +37,26 @@ uninstall:
 # Using a sub-shell we get the raw *nix paths, e.g. /c/Something
 .PHONY: test
 test: clean build
-	export SECRET_PROJECT_ROOT="$(shell echo $${PWD})"; \
+	export SECRETS_PROJECT_ROOT="$(shell echo $${PWD})"; \
 	export PATH="$(shell echo $${PWD})/vendor/bats-core/bin:$(shell echo $${PWD}):$(shell echo $${PATH})"; \
-	${SHELL} ./utils/tests.sh
+	"${SHELL}" ./utils/tests.sh
 
 # We use this script in CI and you can do this too!
 # What happens here?
-# 1. We pass `GITSECRET_DOCKER_ENV` variable into this job
+# 1. We pass `SECRETS_DOCKER_ENV` variable into this job
 # 2. Based on it, we select a proper `docker` image to run test on
 # 3. We execute `make test` inside the `docker` container
 .PHONY: docker-ci
 docker-ci: clean
+	@[ -z "${SECRETS_DOCKER_ENV}" ] \
+		&& echo 'SECRETS_DOCKER_ENV is unset' && exit 1 || true
 	docker build \
-		-f ".ci/docker/$${GITSECRET_DOCKER_ENV}/Dockerfile" \
-		-t "gitsecret-$${GITSECRET_DOCKER_ENV}:latest" \
-		.
+		-f ".ci/docker-ci/$${SECRETS_DOCKER_ENV}/Dockerfile" \
+		-t "gitsecret-$${SECRETS_DOCKER_ENV}:latest" .
 	docker run --rm \
 		--volume="$${PWD}:/code" \
 		-w /code \
-		"gitsecret-$${GITSECRET_DOCKER_ENV}" \
+		"gitsecret-$${SECRETS_DOCKER_ENV}" \
 		make test
 
 .PHONY: lint-shell
@@ -64,7 +65,7 @@ lint-shell:
 	docker run \
 		--volume="$${PWD}:/code" \
 		-w /code \
-		-e SHELLCHECK_OPTS='-s bash -S warning -a' \
+		-e SHELLCHECK_OPTS='-s bash -S style -a' \
 		--rm koalaman/shellcheck \
 		$$(find src .ci utils tests docs -type f \
 			-name '*.sh' -o -name '*.bash' -o -name '*.bats')
@@ -77,8 +78,8 @@ lint-docker:
 		-w /code \
 		--rm hadolint/hadolint \
 		hadolint \
-			--ignore=DL3008 --ignore=DL3018 --ignore=DL3041 \
-			.ci/docker/*/Dockerfile
+			--ignore=DL3008 --ignore=DL3018 --ignore=DL3041 --ignore=DL3028 \
+			.ci/*/**/Dockerfile
 
 .PHONY: lint
 lint: lint-shell lint-docker
@@ -89,10 +90,10 @@ lint: lint-shell lint-docker
 
 .PHONY: clean-man
 clean-man:
-	find "man/" -type f ! -name "*.md" -delete
+	@find "man/" -type f ! -name "*.md" -delete
 
 .PHONY: build-man
-build-man: git-secret
+build-man: build
 	docker pull msoap/ruby-ronn
 	export GITSECRET_VERSION="$$(./git-secret --version)" && docker run \
 		--volume="$${PWD}:/code" \
@@ -105,7 +106,7 @@ build-man: git-secret
 
 .PHONY: build-docs
 build-docs: build-man
-	${SHELL} docs/create_posts.sh
+	 "${SHELL}" docs/build.sh
 
 .PHONY: docs
 docs: build-docs
@@ -117,76 +118,60 @@ docs: build-docs
 		--rm jekyll/jekyll \
 		jekyll serve --safe --strict_front_matter
 
+.PHONY: changelog
+changelog:
+	@[ -z "${GITHUB_REPOSITORY}" ] \
+		&& echo 'GITHUB_REPOSITORY is unset' && exit 1 || true
+	@[ -z "${GITHUB_TOKEN}" ] \
+		&& echo 'GITHUB_TOKEN is unset' && exit 1 || true
+	docker pull githubchangeloggenerator/github-changelog-generator
+	docker run \
+		--volume="$${PWD}:/code" \
+		-w /code \
+		--entrypoint='' \
+		-e GITHUB_REPOSITORY \
+		-e GITHUB_TOKEN \
+		--rm githubchangeloggenerator/github-changelog-generator \
+		sh ".ci/github_release_script.sh"
+
 #
 # Packaging:
 #
 
-.PHONY: install-fpm
-install-fpm:
-	if [ ! `gem list fpm -i` == "true" ]; then gem install fpm; fi
+.PHONY: build-release
+build-release: clean build-man
+	@[ -z "${SECRETS_RELEASE_TYPE}" ] \
+		&& echo 'SECRETS_RELEASE_TYPE is unset' && exit 1 || true
+	docker build \
+		-f ".ci/releaser/alpine/Dockerfile" \
+		-t "gitsecret-releaser:latest" .
+	docker run \
+		--volume="$${PWD}:/code" \
+		--rm gitsecret-releaser \
+		bash "./utils/$${SECRETS_RELEASE_TYPE}/build.sh"
 
-# .apk:
+.PHONY: release
+release: build-release
+	@[ -z "${SECRETS_ARTIFACTORY_CREDENTIALS}" ] \
+		&& echo 'SECRETS_ARTIFACTORY_CREDENTIALS is unset' && exit 1 || true
+	docker run \
+		--volume="$${PWD}:/code" \
+		-e SECRETS_ARTIFACTORY_CREDENTIALS \
+		-e SECRETS_DEPLOY_DRY_RUN \
+		--rm gitsecret-releaser \
+		bash "./utils/$${SECRETS_RELEASE_TYPE}/deploy.sh"
 
-.PHONY: build-apk
-build-apk: clean build install-fpm
-	chmod +x "./utils/build-utils.sh"; sync; \
-	chmod +x "./utils/apk/apk-build.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	"./utils/apk/apk-build.sh"
-
-.PHONY: test-apk-ci
-test-apk-ci: build-apk
-	chmod +x "./utils/apk/apk-ci.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	export PATH="${PWD}/vendor/bats-core/bin:${PATH}"; \
-	"./utils/apk/apk-ci.sh"
-
-.PHONY: deploy-apk
-deploy-apk: build-apk
-	chmod +x "./utils/apk/apk-deploy.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	"./utils/apk/apk-deploy.sh"
-
-# .deb:
-
-.PHONY: build-deb
-build-deb: clean build install-fpm
-	chmod +x "./utils/build-utils.sh"; sync; \
-	chmod +x "./utils/deb/deb-build.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	"./utils/deb/deb-build.sh"
-
-.PHONY: test-deb-ci
-test-deb-ci: build-deb
-	chmod +x "./utils/deb/deb-ci.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	export PATH="${PWD}/vendor/bats-core/bin:${PATH}"; \
-	"./utils/deb/deb-ci.sh"
-
-.PHONY: deploy-deb
-deploy-deb: build-deb
-	chmod +x "./utils/deb/deb-deploy.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	"./utils/deb/deb-deploy.sh"
-
-# .rpm:
-
-.PHONY: build-rpm
-build-rpm: clean build install-fpm
-	chmod +x "./utils/build-utils.sh"; sync; \
-	chmod +x "./utils/rpm/rpm-build.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	"./utils/rpm/rpm-build.sh"
-
-.PHONY: test-rpm-ci
-test-rpm-ci: build-rpm
-	chmod +x "./utils/rpm/rpm-ci.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	export PATH="${PWD}/vendor/bats-core/bin:${PATH}"; \
-	"./utils/rpm/rpm-ci.sh"
-
-.PHONY: deploy-rpm
-deploy-rpm: build-rpm
-	chmod +x "./utils/rpm/rpm-deploy.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	"./utils/rpm/rpm-deploy.sh"
+.PHONY: release-ci
+release-ci:
+	@[ -z "${SECRETS_RELEASE_ENV}" ] \
+		&& echo 'SECRETS_RELEASE_ENV is unset' && exit 1 || true
+	@[ -z "${SECRETS_RELEASE_TYPE}" ] \
+		&& echo 'SECRETS_RELEASE_TYPE is unset' && exit 1 || true
+	docker build \
+		-f ".ci/release-ci/$${SECRETS_RELEASE_ENV}/Dockerfile" \
+		-t "gitsecret-release-$${SECRETS_RELEASE_ENV}:latest" .
+	docker run --rm \
+		--volume="$${PWD}:/code" \
+		-w /code \
+		"gitsecret-release-$${SECRETS_RELEASE_ENV}" \
+		bash -c "set -e; bash "./utils/$${SECRETS_RELEASE_TYPE}/install.sh""

README.md

@@ -1,11 +1,12 @@
 # git-secret
 
-[![Backers on Open Collective](https://opencollective.com/git-secret/backers/badge.svg)](#backers)
-[![Sponsors on Open Collective](https://opencollective.com/git-secret/sponsors/badge.svg)](#sponsors)
-[![test](https://github.com/sobolevn/git-secret/actions/workflows/test.yml/badge.svg?branch=master&event=push)](https://github.com/sobolevn/git-secret/actions/workflows/test.yml)
-[![Homebrew](https://img.shields.io/homebrew/v/git-secret.svg)](https://formulae.brew.sh/formula/git-secret)
 
-[![git-secret](https://raw.githubusercontent.com/sobolevn/git-secret/gh-pages/images/git-secret-big.png)](http://git-secret.io/)
+[![test](https://github.com/sobolevn/git-secret/actions/workflows/test.yml/badge.svg?branch=master&event=push)](https://github.com/sobolevn/git-secret/actions/workflows/test.yml)
+[![release-ci](https://github.com/sobolevn/git-secret/actions/workflows/release-ci.yml/badge.svg)](https://github.com/sobolevn/git-secret/actions/workflows/release-ci.yml)
+[![Homebrew](https://img.shields.io/homebrew/v/git-secret.svg)](https://formulae.brew.sh/formula/git-secret)
+[![Supporters](https://img.shields.io/opencollective/all/git-secret.svg?color=gold&label=supporters)](https://opencollective.com/git-secret)
+
+[![git-secret](https://raw.githubusercontent.com/sobolevn/git-secret/gh-pages/images/git-secret-big.png)](https://git-secret.io/)
 
 
 ## What is `git-secret`?
@@ -17,7 +18,7 @@ allowing users you trust to access encrypted data using pgp and their secret key
 With `git-secret`, changes to access rights are simplified, and private-public key issues are handled for you.
 
 When someone's permission is revoked, secrets do not need to be changed with `git-secret` -
-just remove their key from the keychain using `git secret killperson their@email.com`,
+just remove their key from the repo's keyring using `git secret removeperson their@email.com`,
 re-encrypt the files, and they won't be able to decrypt secrets anymore.
 If you think the user might have copied the secrets or keys when they had access, then
 you should also change the secrets.
@@ -30,10 +31,10 @@ you should also change the secrets.
 
 ## Installation
 
-`git-secret` supports `brew`, just type: `brew install git-secret`
+`git-secret` [supports `brew`](https://formulae.brew.sh/formula/git-secret), just type: `brew install git-secret`
 
 It also supports `apt` and `yum`. You can also use `make` if you want to.
-See the [installation section](http://git-secret.io/installation) for the details.
+See the [installation section](https://sobolevn.me/git-secret/installation) for the details.
 
 ### Requirements
 
@@ -62,7 +63,7 @@ If your secret file holds more data than just a single password these
 precautions should not be necessary, but could be followed for greater
 security.
 
-If you found any security related issues, please do not disclose it in public. Send an email to `security@wemake.services`
+If you found any security related issues, please do not disclose it in public. Send an email to `mail@sobolevn.me`
 
 
 ## Changelog
@@ -72,9 +73,11 @@ If you found any security related issues, please do not disclose it in public. S
 
 ## Packagers
 
-Thanks also to all the people and groups who package git-secret to be easier to install on particular OSes or distributions!
+Thanks to all the people and groups who package `git-secret` for easier install on particular OSes and distributions!
 
-Here are some packagings of git-secret that we're aware of:
+[![Packaging status](https://repology.org/badge/vertical-allrepos/git-secret.svg)](https://repology.org/project/git-secret/versions)
+
+Here are some packagings of `git-secret` that we're aware of:
 
 - https://formulae.brew.sh/formula/git-secret
 - https://packages.ubuntu.com/bionic/git-secret
@@ -84,7 +87,7 @@ Here are some packagings of git-secret that we're aware of:
 - https://packages.debian.org/sid/git-secret
 - https://github.com/void-linux/void-packages/blob/master/srcpkgs/git-secret/template
 
-Such packages are considered 'downstream' because the git-secret code 'flows' from the git-secret repository
+Such packages are considered 'downstream' because the git-secret code 'flows' from the `git-secret` [repository](https://git-secret.io/installation)
 to the various rpm/deb/dpkg/etc packages that are created for specific OSes and distributions.
 
 We have also added notes specifically for packagers in [CONTRIBUTING.md](CONTRIBUTING.md).

docs/CNAME

@@ -1 +0,0 @@
-git-secret.io

docs/Gemfile

@@ -2,5 +2,5 @@ source "https://rubygems.org"
 
 group :jekyll_plugins do
   gem "jekyll", ">= 3.6.3"
-  gem "jekyll-seo-tag", "~> 2.7.1"
+  gem "jekyll-seo-tag", "~> 2.8.0"
 end

docs/Gemfile.lock

@@ -1,70 +1,81 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.7.0)
-      public_suffix (>= 2.0.2, < 5.0)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
+    bigdecimal (3.1.8)
     colorator (1.1.0)
-    concurrent-ruby (1.1.7)
-    em-websocket (0.5.2)
+    concurrent-ruby (1.3.4)
+    em-websocket (0.5.3)
       eventmachine (>= 0.12.9)
-      http_parser.rb (~> 0.6.0)
+      http_parser.rb (~> 0)
     eventmachine (1.2.7)
-    ffi (1.14.2)
+    ffi (1.17.0-x86_64-linux-gnu)
+    ffi (1.17.0-x86_64-linux-musl)
     forwardable-extended (2.6.0)
-    http_parser.rb (0.6.0)
-    i18n (1.8.5)
+    google-protobuf (4.28.1-x86_64-linux)
+      bigdecimal
+      rake (>= 13)
+    http_parser.rb (0.8.0)
+    i18n (1.14.6)
       concurrent-ruby (~> 1.0)
-    jekyll (4.2.0)
+    jekyll (4.3.4)
       addressable (~> 2.4)
       colorator (~> 1.0)
       em-websocket (~> 0.5)
       i18n (~> 1.0)
-      jekyll-sass-converter (~> 2.0)
+      jekyll-sass-converter (>= 2.0, < 4.0)
       jekyll-watch (~> 2.0)
-      kramdown (~> 2.3)
+      kramdown (~> 2.3, >= 2.3.1)
       kramdown-parser-gfm (~> 1.0)
       liquid (~> 4.0)
-      mercenary (~> 0.4.0)
+      mercenary (>= 0.3.6, < 0.5)
       pathutil (~> 0.9)
-      rouge (~> 3.0)
+      rouge (>= 3.0, < 5.0)
       safe_yaml (~> 1.0)
-      terminal-table (~> 2.0)
-    jekyll-sass-converter (2.1.0)
-      sassc (> 2.0.1, < 3.0)
-    jekyll-seo-tag (2.7.1)
+      terminal-table (>= 1.8, < 4.0)
+      webrick (~> 1.7)
+    jekyll-sass-converter (3.0.0)
+      sass-embedded (~> 1.54)
+    jekyll-seo-tag (2.8.0)
       jekyll (>= 3.8, < 5.0)
     jekyll-watch (2.2.1)
       listen (~> 3.0)
-    kramdown (2.3.0)
+    kramdown (2.4.0)
       rexml
     kramdown-parser-gfm (1.1.0)
       kramdown (~> 2.0)
-    liquid (4.0.3)
-    listen (3.3.3)
+    liquid (4.0.4)
+    listen (3.9.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
     mercenary (0.4.0)
     pathutil (0.16.2)
       forwardable-extended (~> 2.6)
-    public_suffix (4.0.6)
-    rb-fsevent (0.10.4)
-    rb-inotify (0.10.1)
+    public_suffix (6.0.1)
+    rake (13.2.1)
+    rb-fsevent (0.11.2)
+    rb-inotify (0.11.1)
       ffi (~> 1.0)
-    rexml (3.2.3)
-    rouge (3.26.0)
+    rexml (3.3.7)
+    rouge (4.4.0)
     safe_yaml (1.0.5)
-    sassc (2.4.0)
-      ffi (~> 1.9)
-    terminal-table (2.0.0)
-      unicode-display_width (~> 1.1, >= 1.1.1)
-    unicode-display_width (1.7.0)
+    sass-embedded (1.78.0-x86_64-linux-gnu)
+      google-protobuf (~> 4.27)
+    sass-embedded (1.78.0-x86_64-linux-musl)
+      google-protobuf (~> 4.27)
+    terminal-table (3.0.2)
+      unicode-display_width (>= 1.1.1, < 3)
+    unicode-display_width (2.6.0)
+    webrick (1.8.1)
 
 PLATFORMS
+  x86_64-linux
   x86_64-linux-musl
 
 DEPENDENCIES
   jekyll (>= 3.6.3)
-  jekyll-seo-tag (~> 2.7.1)
+  jekyll-seo-tag (~> 2.8.0)
 
 BUNDLED WITH
    2.2.2

docs/_config.yml

@@ -1,26 +1,16 @@
-# Welcome to Jekyll!
-#
-# This config file is meant for settings that affect your whole blog, values
-# which you are expected to set up once and rarely need to edit after that.
-# For technical reasons, this file is *NOT* reloaded automatically when you use
-# 'jekyll serve'. If you change this file, please restart the server process.
-
 # Site settings
 title: git-secret
 email: mail@sobolevn.me
-description: > # this means to ignore newlines until "baseurl:"
-  A bash-tool to store your private data inside a git repository.
-baseurl: "" # the subpath of your site, e.g. /blog
-url: "git-secret.io" # the base hostname & protocol for your site
+description: Shell scripts to encrypt your private data inside a git repository.
+baseurl: "/git-secret" # the subpath of your site, e.g. /blog
+url: "https://sobolevn.me" # the base hostname & protocol for your site
 
-# Github links:
+# GitHub links:
 github_username: sobolevn
 github_changelog: "https://github.com/sobolevn/git-secret/blob/master/CHANGELOG.md"
-github_plugins: "https://github.com/sobolevn/git-secret/wiki/Third-party-plugins"
-github_using: "https://github.com/sobolevn/git-secret/wiki/Who-uses"
 
 # Seo settings:
-gems:
+plugins:
   - jekyll-seo-tag
 
 # Build settings

docs/_includes/header.html

@@ -2,7 +2,9 @@
 
   <div class="wrapper">
 
-    <a class="site-title" href="{{ site.baseurl }}/">{{ site.title }}</a>
+    <a class="site-title" href="{{ site.baseurl }}/">
+      {{ site.title }} v{% include version.txt %}
+    </a>
 
     <div class="site-nav">
       <a href="#" class="menu-icon">
@@ -24,9 +26,9 @@
   </div>
 
   <nav class="site-navigation">
-    <a href="/installation">Installation</a>
-    <a href="{{ site.github_plugins }}">External plugins</a>
-    <a href="{{ site.github_using }}">Projects using it</a>
+    <a href="{{ "/installation" | prepend: site.baseurl }}">Installation</a>
+    <a href="{{ "/#commands" | prepend: site.baseurl }}">Commands</a>
+    <a href="{{ "/plugins" | prepend: site.baseurl }}">External plugins</a>
     <a href="{{ site.github_changelog }}">Changelog</a>
   </nav>
 

docs/_includes/why.md

@@ -1,16 +1,49 @@
 
 ## Intro
 
-There's a known problem in server configuration and deploying, when you have to store your private data such as: database passwords, application secret-keys, OAuth secret keys and so on, outside of the git repository. Even if this repository is private, it is a security risk to just publish them into the world wide web. What are the drawbacks of storing them separately?
+There's a well known issue with deploying and configuring software on servers: 
+generally you have to store your private data 
+(such as database passwords, application secret-keys, OAuth secret keys, etc) 
+outside of the git repository. 
+
+If you do choose to store these secrets unencrypted in your git repo, 
+even if the repository is private, it is a security risk to copy 
+the secrets everywhere you check out your repo.
+
+What are some drawbacks of storing secrets separately from your git repo?
+
+1. These files are not version controlled. 
+Filenames, locations, and passwords change from time to time,
+or new information appears, and other information is removed. 
+When secrets are stored separately from your repo,
+you can not tell for sure which version of the configuration file was used with each commit
+or deploy.
+
+2. When building the automated deployment system there will be one extra step: 
+download and place these secret-configuration files where they need to be. 
+This also means you have to maintain extra secure servers where all your secrets are stored.
 
-1. These files are not version controlled. Filenames change, locations change, passwords change from time to time, some new information appears, other is removed. And you can not tell for sure which version of the configuration file was used with each commit.
-2. When building the automated deployment system there will be one extra step: download and place these secret-configuration files where they need to be. So you have to maintain an extra secure server, where everything is stored.
 
 ### How does `git-secret` solve these problems?
 
-1. `git-secret` encrypts files and stores them inside the `git` repository, so you will have all the changes for every commit.
-2. `git-secret` doesn't require any other deploy operations rather than `git secret reveal`, so it will automatically decrypt all the required files.
+1. `git-secret` encrypts files and stores them inside your `git` repository, providing a history of changes for every commit.
+2. `git-secret` doesn't require any extra deploy operations other than providing the appropriate
+private key (to allow decryption), and using `git secret reveal`
+to decrypt all the secret files.
 
 ### What is `git-secret`?
 
-`git-secret` is a bash tool to store your private data inside a `git` repo. How's that? Basically, it just encrypts, using `gpg`, the tracked files with the public keys of all the users that you trust. So everyone of them can decrypt these files using only their personal secret key. Why deal with all this private-public keys stuff? Well, to make it easier for everyone to manage access rights. There are no passwords that change. When someone is out - just delete their public key, reencrypt the files, and they won't be able to decrypt secrets anymore.
+`git-secret` is a bash tool to store your private data inside a `git` repo. 
+
+How's that? Basically, it uses `gpg` to encrypt files with the 
+public keys of the users that you trust, and which you have specified with
+`git secret tell email@address.id`.
+Then these users can decrypt these files using their personal secret key. 
+
+Why deal with all this private/public key stuff? 
+To make it easier to manage access rights. 
+When you want to remove someone's access, use `git secret removeperson email@address.id`
+to delete their public key from your repo's git-secret keyring, and reencrypt the files. 
+Then they won't be able to decrypt secrets anymore.
+
+[![git-secret terminal preview](https://raw.githubusercontent.com/sobolevn/git-secret/master/git-secret.gif)](https://asciinema.org/a/41811?autoplay=1)

docs/_posts/2021-05-04-git-secret-add.md

@@ -1,46 +0,0 @@
----
-layout: post
-title:  'git-secret-add'
-date:   2021-05-04 12:15:29 +0300
-permalink: git-secret-add
-categories: command
----
-git-secret-add - starts to track added files.
-=============================================
-
-## SYNOPSIS
-
-    git secret add [-v] [-i] <pathspec>...
-
-
-## DESCRIPTION
-`git-secret-add` adds a filepath(s) into `.gitsecret/paths/mapping.cfg`
-and ensures the filepath is mentioned .gitignore.
-
-When adding files to encrypt, `git-secret-add` (as of 0.2.6) will ensure that they are ignored by `git` by mentioning
-them in .gitignore, since they must be secure and not be committed into the remote repository unencrypted.
-
-If there's no users in the `git-secret`'s keyring, when adding a file, an exception will be raised.
-
-Use the `git secret add` command to add filenames to this file.
-It is not recommended to add filenames directly into `.gitsecret/paths/mapping.cfg`.
-
-(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
-folder using the SECRETS_DIR environment variable.
-
-## OPTIONS
-
-    -v  - verbose, shows extra information.
-    -i  - does nothing, adding paths to .gitignore is now the default behavior.
-    -h  - shows this help.
-
-
-## MANUAL
-
-Run `man git-secret-add` to see this note.
-
-
-## SEE ALSO
-
-[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), 
-[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal)

docs/_posts/2021-05-04-git-secret-cat.md

@@ -1,39 +0,0 @@
----
-layout: post
-title:  'git-secret-cat'
-date:   2021-05-04 12:15:29 +0300
-permalink: git-secret-cat
-categories: command
----
-git-secret-cat - decrypts files passed on command line to stdout
-=============================================
-
-## SYNOPSIS
-
-    git secret cat [-d dir] [-p password] filename [filenames]
-
-
-## DESCRIPTION
-`git-secret-cat` - Outputs to stdout the contents of the files named on the command line.
-As with `git-secret-reveal`, you'll need to have a public/private keypair that is allowed to 
-decrypt this repo.
-
-Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See
-(See [git-secret(7)](http://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`.
-
-
-## OPTIONS
-
-    -d  - specifies `--homedir` option for the `gpg`, basically use this option if you store your keys in a custom location.
-    -p  - specifies password for noinput mode, adds `--passphrase` option for `gpg`.
-    -h  - shows help.
-
-
-## MANUAL
-
-Run `man git-secret-cat` to see this note.
-
-
-## SEE ALSO
-
-[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-cat)

docs/_posts/2021-05-04-git-secret-changes.md

@@ -1,42 +0,0 @@
----
-layout: post
-title:  'git-secret-changes'
-date:   2021-05-04 12:15:29 +0300
-permalink: git-secret-changes
-categories: command
----
-git-secret-changes - view diff of the hidden files.
-===================================================
-
-## SYNOPSIS
-
-    git secret changes [-h] [-d dir] [-p password] [pathspec]...
-
-
-## DESCRIPTION
-`git-secret-changes` - shows changes between the current version of hidden files and the ones already committed. 
-You can provide any number of hidden files to this command as arguments, and it will show changes for these files only. 
-Note that files must be specified by their encrypted names, typically `filename.yml.secret`.
-If no arguments are provided, information about all hidden files will be shown.
-
-Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See
-(See [git-secret(7)](http://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`.
-
-
-## OPTIONS
-
-    -d  - specifies `--homedir` option for the `gpg`. Use this option if your store your keys in a custom location.
-    -p  - specifies password for noinput mode, adds `--passphrase` option for `gpg`.
-    -h  - shows help.
-
-
-## MANUAL
-
-Run `man git-secret-changes` to see this note.
-
-
-## SEE ALSO
-
-[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), 
-[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), 
-[git-secret-cat(1)](http://git-secret.io/git-secret-cat)

docs/_posts/2021-05-04-git-secret-clean.md

@@ -1,37 +0,0 @@
----
-layout: post
-title:  'git-secret-clean'
-date:   2021-05-04 12:15:29 +0300
-permalink: git-secret-clean
-categories: command
----
-git-secret-clean - removes all the hidden files.
-================================================
-
-## SYNOPSIS
-
-    git secret clean [-v]
-
-
-## DESCRIPTION
-`git-secret-clean` deletes all the encrypted files. 
-Verbose output is enabled with the -v option, in which case the program prints which files are deleted.
-
-
-## OPTIONS
-
-    -v  - verbose mode, shows which files are deleted. 
-    -h  - shows this help.
-
-You can also enable verbosity using the SECRETS_VERBOSE environment variable,
-as documented at [git-secret(7)](http://git-secret.io/)
-
-## MANUAL
-
-Run `man git-secret-clean` to see this note.
-
-
-## SEE ALSO
-
-[git-secret-whoknows(1)](http://git-secret.io/git-secret-whoknows), [git-secret-add(1)](http://git-secret.io/git-secret-add), 
-[git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)

docs/_posts/2021-05-04-git-secret-hide.md

@@ -1,69 +0,0 @@
----
-layout: post
-title:  'git-secret-hide'
-date:   2021-05-04 12:15:29 +0300
-permalink: git-secret-hide
-categories: command
----
-git-secret-hide - encrypts all added files with the inner keyring.
-==================================================================
-
-## SYNOPSIS
-
-    git secret hide [-c] [-F] [-P] [-v] [-d] [-m]
-
-
-## DESCRIPTION
-`git-secret-hide` creates an encrypted version (typically called `filename.txt.secret`) 
-of each file added by `git-secret-add` command. 
-Now anyone enabled via 'git secret tell' can can decrypt these files. Under the hood,
-`git-secret` uses the keyring in `.gitsecret/keys` and user's secret keys to decrypt the files.
-
-It is recommended to encrypt (or re-encrypt) all the files in a git-secret repo each 
-time `git secret hide` is run.
-
-Otherwise the keychain (the one stored in `.gitsecret/keys/*.gpg`),
-may have changed since the last time the files were encrypted, and it's possible 
-to create a state where the users in the output of `git secret whoknows` 
-may not be able to decrypt the some files in the repo, or may be able decrypt files 
-they're not supposed to be able to.
-
-In other words, unless you re-encrypt all the files in a repo each time you 'hide' any, 
-it's possible to make it so some files can no longer be decrypted by users who should be 
-(and would appear) able to decrypt them, and vice-versa.
-
-If you know what you are doing and wish to encrypt or re-encrypt only a subset of the files 
-even after reading the above paragraphs, you can use the -F or -m option to only encrypted 
-a subset of files. The -F option forces `git secret hide` to skip any hidden files 
-where the unencrypted versions aren't present. The -m option skips any hidden files that have 
-not be modified since the last time they were encrypted. 
-
-Also, it is possible to modify the names of the encrypted files by setting `SECRETS_EXTENSION` variable.
-
-(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
-folder using the SECRETS_DIR environment variable.
-
-You can also enable verbosity using the SECRETS_VERBOSE environment variable,
-as documented at [git-secret(7)](http://git-secret.io/)
-
-
-## OPTIONS
-
-    -v  - verbose, shows extra information.
-    -c  - deletes encrypted files before creating new ones.
-    -F  - forces hide to continue if a file to encrypt is missing.
-    -P  - preserve permissions of unencrypted file in encrypted file.
-    -d  - deletes unencrypted files after encryption.
-    -m  - encrypt files only when modified.
-    -h  - shows help.
-
-## MANUAL
-
-Run `man git-secret-hide` to see this note.
-
-
-## SEE ALSO
-
-[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), 
-[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),  
-[git-secret-cat(1)](http://git-secret.io/git-secret-cat)

docs/_posts/2021-05-04-git-secret-init.md

@@ -1,42 +0,0 @@
----
-layout: post
-title:  'git-secret-init'
-date:   2021-05-04 12:15:29 +0300
-permalink: git-secret-init
-categories: command
----
-git-secret-init - initializes git-secret repository.
-====================================================
-
-## SYNOPSIS
-
-    git secret init
-
-
-## DESCRIPTION
-`git-secret-init` should be run inside a `git` repo to set up the .gitsecret directory and initialize the repo for git-secret.
-Until repository is initialized with `git secret init`, all other `git-secret` commands are unavailable.
-
-If a .gitsecret directory already exists, `git-secret-init` exits without making any changes.
-Otherwise, a .gitsecret directory is created with appropriate sub-directories,
-and patterns to ignore git-secret's `random_seed_file`
-and not ignore `.secret` files are added to `.gitignore`.  
-
-(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
-folder with the SECRETS_DIR environment variable, and changing the extension git-secret uses for secret files
-with the SECRETS_EXTENSION environment variable.
-
-
-## OPTIONS
-
-    -h  - shows this help.
-
-
-## MANUAL
-
-Run `man git-secret-init` to see this note.
-
-
-## SEE ALSO
-
-[git-secret-usage(1)](http://git-secret.io/git-secret-usage), [git-secret-tell(1)](http://git-secret.io/git-secret-tell)

docs/_posts/2021-05-04-git-secret-killperson.md

@@ -1,35 +0,0 @@
----
-layout: post
-title:  'git-secret-killperson'
-date:   2021-05-04 12:15:29 +0300
-permalink: git-secret-killperson
-categories: command
----
-git-secret-killperson - deletes key identified by an email from the inner keyring.
-==================================================================================
-
-## SYNOPSIS
-
-    git secret killperson <emails>...
-
-
-## DESCRIPTION
-This command removes the keys associated with the selected email addresses from the keyring. 
-If you remove a keypair's access with `git-secret-killperson`, and run `git-secret-reveal` and `git-secret-hide -r`,
-it will be impossible for given users to decrypt the hidden files.
-
-
-## OPTIONS
-
-    -h  - shows this help.
-
-
-## MANUAL
-
-Run `man git-secret-killperson` to see this note.
-
-
-## SEE ALSO
-
-[git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-remove(1)](http://git-secret.io/git-secret-remove),
-[git-secret-clean(1)](http://git-secret.io/git-secret-clean)

docs/_posts/2021-05-04-git-secret-list.md

@@ -1,37 +0,0 @@
----
-layout: post
-title:  'git-secret-list'
-date:   2021-05-04 12:15:29 +0300
-permalink: git-secret-list
-categories: command
----
-git-secret-list - prints all the added files.
-=============================================
-
-## SYNOPSIS
-
-    git secret list
-
-
-## DESCRIPTION
-`git-secret-list` prints all the currently added tracked files from the `.gitsecret/paths/mapping.cfg`.
-
-(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
-folder using the SECRETS_DIR environment variable.
-
-
-## OPTIONS
-
-    -h  - shows this help.
-
-
-## MANUAL
-
-Run `man git-secret-list` to see this note.
-
-
-## SEE ALSO
-
-[git-secret-whoknows(1)](http://git-secret.io/git-secret-whoknows), [git-secret-add(1)](http://git-secret.io/git-secret-add), 
-[git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-hide(1)](http://git-secret.io/git-secret-hide), 
-[git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), [git-secret-cat(1)](http://git-secret.io/git-secret-cat)

docs/_posts/2021-05-04-git-secret-remove.md

@@ -1,39 +0,0 @@
----
-layout: post
-title:  'git-secret-remove'
-date:   2021-05-04 12:15:29 +0300
-permalink: git-secret-remove
-categories: command
----
-git-secret-remove - removes files from index.
-=============================================
-
-## SYNOPSIS
-
-    git secret remove [-c] <pathspec>...
-
-
-## DESCRIPTION
-`git-secret-remove` deletes files from `.gitsecret/paths/mapping.cfg`, 
-so they won't be encrypted or decrypted in the future. 
-There's also a -c option to delete existing encrypted versions of the files provided.
-
-(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
-folder using the SECRETS_DIR environment variable.
-
-
-## OPTIONS
-
-    -c  - deletes existing real encrypted files.
-    -h  - shows help.
-
-
-## MANUAL
-
-Run `man git-secret-remove` to see this note.
-
-
-## SEE ALSO
-
-[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-clean(1)](http://git-secret.io/git-secret-clean), 
-[git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)

docs/_posts/2021-05-04-git-secret-reveal.md

@@ -1,47 +0,0 @@
----
-layout: post
-title:  'git-secret-reveal'
-date:   2021-05-04 12:15:29 +0300
-permalink: git-secret-reveal
-categories: command
----
-git-secret-reveal - decrypts all added files.
-=============================================
-
-## SYNOPSIS
-
-    git secret reveal [-f] [-F] [-P] [-v] [-d dir] [-p password] [pathspec]...
-
-
-## DESCRIPTION
-`git-secret-reveal` - decrypts all the files in `.gitsecret/paths/mapping.cfg`,
-or the passed `pathspec`s.
-You will need to have imported the paired secret-key with one of the 
-public-keys which were used in the encryption.
-Under the hood, this uses the `gpg --decrypt` command. 
-
-
-## OPTIONS
-
-    -f  - forces gpg to overwrite existing files without prompt.
-    -F  - forces reveal to continue even if a file fails to decrypt.
-    -d  - specifies `--homedir` option for the `gpg`, basically use this option if you store your keys in a custom location.
-    -v  - verbose, shows extra information.
-    -p  - specifies password for noinput mode, adds `--passphrase` option for `gpg`.
-    -P  - preserve permissions of encrypted file in unencrypted file.
-    -h  - shows help.
-
-(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
-folder using the SECRETS_DIR environment variable.
-
-
-## MANUAL
-
-Run `man git-secret-reveal` to see this note.
-
-
-## SEE ALSO
-
-[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-cat(1)](http://git-secret.io/git-secret-cat), 
-[git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-add(1)](http://git-secret.io/git-secret-add), 
-[git-secret-hide(1)](http://git-secret.io/git-secret-hide)

docs/_posts/2021-05-04-git-secret-tell.md

@@ -1,48 +0,0 @@
----
-layout: post
-title:  'git-secret-tell'
-date:   2021-05-04 12:15:29 +0300
-permalink: git-secret-tell
-categories: command
----
-git-secret-tell - adds a person, who can access private data.
-===============================================================
-
-## SYNOPSIS
-
-    git secret tell [-m] [-d dir] [emails]...
-
-
-## DESCRIPTION
-`git-secret tell` receives one or more email addresses as an input, searches for the `gpg`-key in the `gpg`
-`homedir` by these emails, then imports the corresponding public key into `git-secret`'s inner keychain. 
-From this moment this person can encrypt new files with the keyring which contains their key,
-but they cannot decrypt the old files, which were already encrypted without their key. 
-The files should be re-encrypted with the new keyring by someone who has the unencrypted files.
-
-Because `git-secret tell` works with only email addresses, it will exit with an error if you have
-multiple keys in your keychain with specified email addresses, or if one of the specified emails 
-is already associated with a key in the git-secret keychain.
-
-Versions of `git-secret tell` after 0.3.2 will warn about keys that are expired, revoked, or otherwise invalid,
-and also if multiple keys are found for a single email address.
-
-**Do not manually import secret keys into `git-secret`**. It won't work with imported secret keys anyway.
-
-## OPTIONS
-
-    -m  - takes your current `git config user.email` as an identifier for the key.
-    -d  - specifies `--homedir` option for the `gpg`, basically use this option if your store your keys in a custom location.
-    -h  - shows help.
-
-
-## MANUAL
-
-Run `man git-secret-tell` to see this note.
-
-
-## SEE ALSO
-
-[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-add(1)](http://git-secret.io/git-secret-add), 
-[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), 
-[git-secret-cat(1)](http://git-secret.io/git-secret-cat), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)

docs/_posts/2021-05-04-git-secret-usage.md

@@ -1,34 +0,0 @@
----
-layout: post
-title:  'git-secret-usage'
-date:   2021-05-04 12:15:29 +0300
-permalink: git-secret-usage
-categories: command
----
-git-secret-usage - prints all the available commands.
-=====================================================
-
-## SYNOPSIS
-
-    git secret usage
-
-
-## DESCRIPTION
-`git-secret-usage` is used to print all the available commands.
-
-
-## OPTIONS
-
-    -h  - shows this help.
-
-
-## MANUAL
-
-Run `man git-secret-usage` to see this note.
-
-
-## SEE ALSO
-
-[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-add(1)](http://git-secret.io/git-secret-add), 
-[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), 
-[git-secret-cat(1)](http://git-secret.io/git-secret-cat)

docs/_posts/2021-05-04-git-secret-whoknows.md

@@ -1,35 +0,0 @@
----
-layout: post
-title:  'git-secret-whoknows'
-date:   2021-05-04 12:15:29 +0300
-permalink: git-secret-whoknows
-categories: command
----
-git-secret-whoknows - prints email-labels for each key in the keyring.
-======================================================================
-
-## SYNOPSIS
-
-    git secret whoknows
-
-
-## DESCRIPTION
-`git-secret-whoknows` prints list of email addresses whose keys are allowed to access the secrets in this repo.
-
-
-## OPTIONS
-
-    -l  - 'long' output, shows key expiration dates.
-    -h  - shows this help.
-
-
-## MANUAL
-
-Run `man git-secret-whoknows` to see this note.
-
-
-## SEE ALSO
-
-[git-secret-list(1)](http://git-secret.io/git-secret-list), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), 
-[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), 
-[git-secret-cat(1)](http://git-secret.io/git-secret-cat)

docs/_posts/2021-05-04-git-secret.md

@@ -1,180 +0,0 @@
----
-layout: post
-title:  'git-secret'
-date:   2021-05-04 12:15:29 +0300
-permalink: git-secret
-categories: usage
----
-git-secret - bash tool to store private data inside a git repo.
-=============================================
-
-## Usage: Setting up git-secret in a repository
-
-These steps cover the basic process of using `git-secret`:
-
-0. Before starting, [make sure you have created a `gpg` RSA key-pair](#using-gpg): a public and a secret key identified by your email address.
-
-1. Begin with an existing or new git repository. You'll use the 'git secret' commands to add the keyrings and information
-to make `git-secret` hide and reveal files in this repository.
-
-2. Initialize the `git-secret` repository by running `git secret init` command. The `.gitsecret/` folder will be created.
-**Note** all the contents of the `.gitsecret/` folder should be checked in, **/except/** the `random_seed` file.
-In other words, of all the files in `.gitsecret/`, only the `random_seed` file should be mentioned in your `.gitignore` file.
-By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your `.gitignore` file.
-
-3. Add the first user to the `git-secret` repo keyring by running `git secret tell your@gpg.email`.
-
-4. Now it's time to add files you wish to encrypt inside the `git-secret` repository.
-This can be done by running `git secret add <filenames...>` command. Make sure these files are ignored by mentions in
-`.gitignore`, otherwise `git-secret` won't allow you to add them, as these files could be stored unencrypted. In the default configuration, `git-secret add` will automatically add the unencrypted versions of the files to `.gitignore` for you.
-
-5. When done, run `git secret hide` to encrypt all files which you have added by the `git secret add` command.
-The data will be encrypted with the public-keys described by the `git secret tell` command.
-After using `git secret hide` to encrypt your data, it is safe to commit your changes.
-**NOTE:** It's recommended to add the `git secret hide` command to your `pre-commit` hook, so you won't miss any changes.
-
-6. Later you can decrypt files with the `git secret reveal` command, or just print their contents to stdout with the
-`git secret cat` command. If you used a password on your GPG key (always recommended), it will ask you for your password.
-And you're done!
-
-### Usage: Adding someone to a repository using git-secret
-
-1. [Get their `gpg` public-key](#using-gpg). **You won't need their secret key.**
-
-2. Import this key into your `gpg` keyring (in `~/.gnupg` or similar) by running `gpg --import KEY_NAME.txt`
-
-3. Now add this person to your secrets repo by running `git secret tell persons@email.id`
-(this will be the email address associated with the public key)
-
-4. The newly added user cannot yet read the encrypted files. Now, re-encrypt the files using
-`git secret reveal; git secret hide -d`, and then commit and push the newly encrypted files.
-(The -d options deletes the unencrypted file after re-encrypting it).
-Now the newly added user will be able to decrypt the files in the repo using `git-secret reveal`.
-
-Note that it is possible to add yourself to the git-secret repo without decrypting existing files.
-It will be possible to decrypt them after re-encrypting them with the new keyring. So, if you don't
-want unexpected keys added, you can configure some server-side security policy with the `pre-receive` hook.
-
-### Using gpg
-
-You can follow a quick `gpg` tutorial at [devdungeon](https://www.devdungeon.com/content/gpg-tutorial). Here are the most useful commands to get started:
-
-To generate a RSA key-pair, run:
-
-```shell
-gpg --gen-key
-```
-
-To export your public key, run:
-
-```shell
-gpg --export your.email@address.com --armor > public-key.gpg
-```
-
-To import the public key of someone else (to share the secret with them for instance), run:
-
-```shell
-gpg --import public-key.gpg
-```
-
-To make sure you get the original public keys of the indicated persons, be sure to use a secure channel to transfer it, or use a service you trust, preferably one that uses encryption such as Keybase, to retrieve their public key. Otherwise you could grant the wrong person access to your secrets by mistake!
-
-### Using git-secret for Continuous Integration / Continuous Deployment (CI/CD)
-
-When using `git-secret` for CI/CD, you get the benefit that any deployment is necessarily done with the correct configuration, since it is collocated
-with the changes in your code.
-
-One way of doing it is the following:
-
-1. [create a gpg key](#using-gpg) for your CI/CD environment. You can chose any name and email address you want: for instance `MyApp CodeShip <myapp@codeship.com>`
-if your app is called MyApp and your CI/CD provider is CodeShip. It is easier not to define a password for that key.
-2. run `gpg --export-secret-key myapp@codeship.com --armor` to get your private key value
-3. Create an env var on your CI/CD server `GPG_PRIVATE_KEY` and assign it the private key value.
-4. Then write your Continuous Deployment build script. For instance:
-
-```shell
-# Install git-secret (https://git-secret.io/installation), for instance, for debian:
-echo "deb https://dl.bintray.com/sobolevn/deb git-secret main" | sudo tee -a /etc/apt/sources.list
-wget -qO - https://api.bintray.com/users/sobolevn/keys/gpg/public.key | sudo apt-key add -
-sudo apt-get update && sudo apt-get install git-secret
-# Create private key file
-echo $GPG_PRIVATE_KEY > ./private_key.gpg
-# Import private key
-gpg --import ./private_key.gpg
-# Reveal secrets
-git secret reveal
-# carry on with your build script, secret files are available ...
-```
-
-Note: your CI/CD might not allow you to create a multiline value. In that case, you can export it on one line with
-
-```shell
-gpg --export-secret-key myapp@codeship.com --armor | tr '\n' ','
-```
-
-You can then create your private key file with:
-
-```shell
-echo $GPG_PRIVATE_KEY | tr ',' '\n' > ./private_key.gpg
-```
-
-## Environment Variables and Configuration
-
-You can configure the version of `gpg` used, or the extension your encrypted files use, to suit your workflow better.
-To do so, just set the required variable to the value you need.
-This can be done in your shell environment file or with each `git-secret` command.
-See below, or the man page of `git-secret` for an explanation of the environment variables `git-secret` uses.
-
-The settings available to be changed are:
-
-* `$SECRETS_VERBOSE` - sets the verbose flag to on for all `git-secret` commands; is identical
-to using `-v` on each command that supports it.
-
-* `$SECRETS_GPG_COMMAND` - sets the `gpg` alternatives, defaults to `gpg`.
-It can be changed to `gpg`, `gpg2`, `pgp`, `/usr/local/gpg` or any other value.
-After doing so rerun the tests to be sure that it won't break anything. Tested to be working with: `gpg`, `gpg2`.
-
-* `$SECRETS_EXTENSION` - sets the secret files extension, defaults to `.secret`. It can be changed to any valid file extension.
-
-* `$SECRETS_DIR` - sets the directory where git-secret stores its files, defaults to .gitsecret.
-It can be changed to any valid directory name.
-
-* `$SECRETS_PINENTRY` - allows user to specify a setting for `gpg`'s --pinentry option.
-See `gpg` docs for details about gpg's --pinentry option.
-
-## The `.gitsecret` folder (can be overridden with SECRETS_DIR)
-
-This folder contains information about the files encrypted by git-secret,
-and about which public/private key sets can access the encrypted data.
-
-You can change the name of this directory using the SECRETS_DIR environment variable.
-
-Use the various 'git secret' commands to manipulate the files in `.gitsecret`,
-you should not change the data in these files directly.
-
-Exactly which files exist in the `.gitsecret` folder and what their contents are
-vary slightly across different versions of gpg. Thus it is best to use
-git-secret with the same version of gpg being used by all users.
-This can be forced using SECRETS_GPG_COMMAND environment variable.
-
-Specifically, there is an issue between gpg version 2.1.20 and later versions
-which can cause problems reading and writing keyring files between systems
-(this shows up in errors like 'gpg: skipped packet of type 12 in keybox').
-
-The git-secret internal data is separated into two directories:
-
-### `.gitsecret/paths`
-
-This directory currently contains only the file `mapping.cfg`, which lists all the files your storing encrypted.
-In other words, the path mappings: what files are tracked to be hidden and revealed.
-
-All the other internal data is stored in the directory:
-
-### `.gitsecret/keys`
-
-This directory contains data used by git-secret and PGP to allow and maintain the correct encryption and access rights for the permitted parties.
-
-Generally speaking, all the files in this directory *except* `random_seed` should be checked into your repo.
-By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your `.gitignore` file.
-
-Again, you can change the name of this directory using the SECRETS_DIR environment variable.

docs/build.sh

@@ -28,14 +28,14 @@ function copy_to_posts {
   timestamp=$(date "+%Y-%m-%d %H:%M:%S %z")
   current_date=$(date "+%Y-%m-%d")
 
-  # Creating command refernce:
-  for com in $MAN_LOCATION/git-secret-*.1.md; do
+  # Creating command reference:
+  for com in "$MAN_LOCATION"/git-secret-*.1.md; do
     local short_name
     short_name=$(echo "$com" | sed -n "s|$MAN_LOCATION/\(.*\)\.1\.md|\1|p")
     local command_header="---
 layout: post
-title:  '${short_name}'
-date:   ${timestamp}
+title: '${short_name}'
+date: ${timestamp}
 permalink: ${short_name}
 categories: command
 ---"
@@ -48,8 +48,8 @@ categories: command
   # Creating main usage file:
   local usage_header="---
 layout: post
-title:  'git-secret'
-date:   ${timestamp}
+title: 'git-secret'
+date: ${timestamp}
 permalink: git-secret
 categories: usage
 ---"
@@ -58,5 +58,22 @@ categories: usage
   cat "$MAN7_LOCATION/git-secret.7.md" >> "$usage_filename"
 }
 
+
+function copy_install_scripts {
+  # We test these scripts using `release-ci`,
+  # so, installation instructions will always be up-to-date:
+  cp utils/deb/install.sh docs/_includes/install-deb.sh
+  cp utils/rpm/install.sh docs/_includes/install-rpm.sh
+  cp utils/apk/install.sh docs/_includes/install-apk.sh
+}
+
+
+function copy_version {
+   ./git-secret --version > docs/_includes/version.txt
+}
+
+
 checkout_manuals
 copy_to_posts
+copy_install_scripts
+copy_version

docs/index.html

@@ -21,7 +21,7 @@ layout: default
     {{ post.content }}
   {% endfor %}
 
-  <h2 class="page-heading">Command Reference</h2>
+  <h2 class="page-heading" id="commands">Command Reference</h2>
 
   <ul class="post-list">
     {% for post in site.categories.command %}

docs/installation.md

@@ -15,62 +15,134 @@ gpg (GnuPG) 1.4.20
 
 ## Supported platforms
 
-`git-secret` works with `Mac OS X` >= 10.9, `Ubuntu` >= 14.04, `Debian` >= 8.3, and `Fedora` / `CentOS`.
-You can check the full list [here](https://github.com/sobolevn/git-secret/blob/issue-657/.github/workflows/test.yml).
-You can add your platform to this list, if all the tests pass for you.
-`Cygwin` support [is planned](https://github.com/sobolevn/git-secret/issues/40).
+`git-secret` is tested with `Mac OS X` >= 10.9, `Ubuntu` >= 14.04, `Debian` >= 8.3, 
+`Fedora` / `Rocky Linux` / `AlmaLinux`, `FreeBSD`, and `Windows` >= 10 using `WSL`.
+You can check the full list of automated test platforms
+[here](https://github.com/sobolevn/git-secret/blob/master/.github/workflows/test.yml).
+
+We are always interested in getting `git-secret` working and tested on additional systems.
+If you get `git-secret` working on a new system and the tests pass for you, 
+you can add a GitHub Action to test your platform to that file. 
+Also we welcome improvements to tests or `git-secret` code for any platform.
 
 ## Installation process
 
-There are several ways to install `git-secret`:
+There are several ways to install `git-secret`, depending on your OS and distribution.
+They generally all have different installation processes, so we only go into 
+a short explanation of each. 
+(We welcome documentation improvements.)
 
 ---
 
-### Homebrew
+### Mac OS X / Homebrew
 
-`brew install git-secret`
+This is a packaging system for OSX. To install `git-secret` on OSX, you can install
+`homebrew` and then use:
+
+```bash
+brew install git-secret
+````
 
 ---
 
-### `deb` package
+### Debian-Type Systems / `deb` package
 
-You can find the `deb` repository [here](https://bintray.com/sobolevn/deb/git-secret).
+`deb` is a packaging system for [Debian](https://www.debian.org/) and related linux
+distributions.
+
+You can find the `deb` repository [here](https://gitsecret.jfrog.io/artifactory/git-secret-deb/).
 Pre-requirements: make sure you have installed `apt-transport-https` and `ca-certificates`
 
 ```bash
-echo "deb https://dl.bintray.com/sobolevn/deb git-secret main" | sudo tee -a /etc/apt/sources.list
-wget -qO - https://api.bintray.com/users/sobolevn/keys/gpg/public.key | sudo apt-key add -
-sudo apt-get update && sudo apt-get install git-secret
+{% include install-deb.sh %}
 ```
 
 ---
 
-### `rpm` package
+### Red Hat Systems / `rpm` package
 
-You can find the `rpm` repository [here](https://bintray.com/sobolevn/rpm/git-secret).
+`rpm` is a packaging system for Fedora, CentOS, and other Red Hat based linux distributions.
+You can find the `rpm` repository [here](https://gitsecret.jfrog.io/artifactory/git-secret-rpm/).
 
 ```bash
-wget https://bintray.com/sobolevn/rpm/rpm -O bintray-sobolevn-rpm.repo
-sudo mv bintray-sobolevn-rpm.repo /etc/yum.repos.d/
-sudo yum install git-secret
+{% include install-rpm.sh %}
 ```
 
+---
+
+### Alpine Systems / `apk` package
+
+`apk` is a packaging system for Alpine.
+You can find the `apk` `git-secret` packaging 
+[here](https://gitsecret.jfrog.io/artifactory/git-secret-apk/),
+and you can see a list of supported architectures 
+[here](https://github.com/sobolevn/git-secret/blob/master/utils/apk/meta.sh)
+
+```bash
+{% include install-apk.sh %}
+```
+
+---
+
 ### Arch Linux
 
-The _Arch_ way to install git-secret is to use the directions for
-"Installing Packages" at [Arch User Repository Documentation](https://wiki.archlinux.org/index.php/Arch_User_Repository#Installing_packages)
-along with the `PKGBUILD` file from the [git-secret Arch Linux Package](https://aur.archlinux.org/packages/git-secret/)
-
-You can also install from the [AUR](https://aur.archlinux.org/) using your helper of choice by
-installing the package `git-secret`, for example using [yay](https://github.com/Jguer/yay)
-
-```bash
-yay -S git-secret
-```
+Use `Manual Installation` method described below.
 
 ---
 
-### Manual
+### Windows / `WSL`, `Cygwin`, `MSYS`, or `Mingw-w64`
+
+`git-secret` depends on many unix tools and features that Windows systems do not usually
+include by default.  Therefore to get `git-secret` running on Windows you have to 
+install these tools, probably using one of the toolkits described below. 
+Each has a different install and setup process. There may also be other 
+ways to install the unix prerequisites on Windows.
+
+Once the prerequisite unix tools are installed,
+you can use the Manual Installation instructions below to 
+manually install `git-secret` (see below).  
+
+Some ways to install the required unix tools on windows include
+WSL, CYGWIN, MSYS, and Mingw-w64 
+(internally, these tools may share some components).
+
+Documenting how each is installed and used is beyond the scope of this document, 
+so we will cover the topic in broad strokes. Improvements to this documentation
+(or any other git-secret documentation) are welcome. 
+
+Again, after you install the unix tools needed, you can install 
+`git-secret` on windows using the `Manual Installation` steps below.
+
+#### WSL
+
+Perhaps the easiest way to get `git-secret` operating on windows is using `WSL`
+(if your system supports it). 
+Here are instructions to install [WSL](https://docs.microsoft.com/en-us/windows/wsl/install)
+You'll need to install these additional packages: `gnupg`, `make`, `man`, `git`, `gawk`, `file`.
+
+We have successfully set up automated testing of `git-secret` on `WSL`, 
+so we are confident this method works.
+
+#### Mingw-w64
+
+Another way to install the prerequisites for `git-secret` on Windows is to use 
+[Mingw-w64](https://www.mingw-w64.org/) and install the needed packages.
+By default, the `Mingw-w64` installation will be saved to `C:\msys64`. You'll need to 
+install `make` and probably other tools such as `gnupg`, `make`, `man`, `git`, and `gawk`. 
+(This list might not be complete). 
+
+#### MSYS and Cygwin
+
+`git-secret` also works with [MSYS](https://www.msys2.org/)
+and [Cygwin](https://www.cygwin.com/), and we have gotten _most_ of the way to getting
+`git-secret`'s self-tests running on these setups with Windows (see 
+[windows-related issues](https://github.com/sobolevn/git-secret/issues?q=is%3Aissue+is%3Aopen+windows)).
+
+We welcome contributions to `git-secret` and its documentation .
+
+---
+
+### Manual Installation
 
 ```bash
 git clone https://github.com/sobolevn/git-secret.git git-secret
@@ -78,4 +150,7 @@ cd git-secret && make build
 PREFIX="/usr/local" make install
 ```
 
-Note that you can install to any prefix in your `PATH`
+Note that you can change `PREFIX` to be any directory you subsequently include in in your `PATH`
+environment variable. We generally recommend you stick to the default 
+install locations for simplicity, but if you know what you're doing you are welcome to change it.
+

docs/plugins.md

@@ -0,0 +1,9 @@
+---
+layout: default
+---
+
+# External plugins
+
+Here's a list of external plugins for `git-secret` developed by other awesome developers:
+
+- [git-secret-diff](https://github.com/msilvestre/git-secret-diff) adds `git secret diff` command similar to `git diff` to see changes in your secrets in different commits

man/man1/git-secret-add.1.md

@@ -7,18 +7,18 @@ git-secret-add - starts to track added files.
 
 
 ## DESCRIPTION
-`git-secret-add` adds a filepath(s) into `.gitsecret/paths/mapping.cfg`
-and ensures the filepath is mentioned .gitignore.
+`git secret add` - tells `git secret` which files hold secrets.
 
-When adding files to encrypt, `git-secret-add` (as of 0.2.6) will ensure that they are ignored by `git` by mentioning
-them in .gitignore, since they must be secure and not be committed into the remote repository unencrypted.
+Adds filepath(s) into `.gitsecret/paths/mapping.cfg`.
+(It is not recommended to alter `.gitsecret/paths/mapping.cfg` manually.)
 
-If there's no users in the `git-secret`'s keyring, when adding a file, an exception will be raised.
+As of 0.2.6, this command also ensures the filepath is in `.gitignore`
+as the contents are now considered secret and should not be committed into the repository unencrypted.
 
-Use the `git secret add` command to add filenames to this file.
-It is not recommended to add filenames directly into `.gitsecret/paths/mapping.cfg`.
+The `add` action will fail unless there are already users in `git-secret`'s keyring.
 
-(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
+
+(See [git-secret(7)](https://git-secret.io/git-secret) for information about renaming the .gitsecret
 folder using the SECRETS_DIR environment variable.
 
 ## OPTIONS
@@ -30,10 +30,10 @@ folder using the SECRETS_DIR environment variable.
 
 ## MANUAL
 
-Run `man git-secret-add` to see this note.
+Run `man git-secret-add` to see this document.
 
 
 ## SEE ALSO
 
-[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), 
-[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal)
+[git-secret-init(1)](https://git-secret.io/git-secret-init), [git-secret-tell(1)](https://git-secret.io/git-secret-tell),
+[git-secret-hide(1)](https://git-secret.io/git-secret-hide), [git-secret-reveal(1)](https://git-secret.io/git-secret-reveal)

man/man1/git-secret-cat.1.md

@@ -1,4 +1,4 @@
-git-secret-cat - decrypts files passed on command line to stdout
+git-secret-cat - decrypts files passed on command line to stdout.
 =============================================
 
 ## SYNOPSIS
@@ -7,26 +7,27 @@ git-secret-cat - decrypts files passed on command line to stdout
 
 
 ## DESCRIPTION
-`git-secret-cat` - Outputs to stdout the contents of the files named on the command line.
-As with `git-secret-reveal`, you'll need to have a public/private keypair that is allowed to 
-decrypt this repo.
+`git-secret-cat` - prints the decrypted contents of the passed files.
 
-Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See
-(See [git-secret(7)](http://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`.
+As with `git-secret-reveal`, you'll need to have the private key for one of the emails allowed to
+decrypt this repo in your personal keyring.
+
+Note this command can be affected by the `SECRETS_PINENTRY` environment variable. See
+(See [git-secret(7)](https://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`.
 
 
 ## OPTIONS
 
-    -d  - specifies `--homedir` option for the `gpg`, basically use this option if you store your keys in a custom location.
+    -d  - specifies `--homedir` option for the `gpg`, use this option if you store your keys in a custom location.
     -p  - specifies password for noinput mode, adds `--passphrase` option for `gpg`.
     -h  - shows help.
 
 
 ## MANUAL
 
-Run `man git-secret-cat` to see this note.
+Run `man git-secret-cat` to see this document.
 
 
 ## SEE ALSO
 
-[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-cat)
+[git-secret-init(1)](https://git-secret.io/git-secret-init), [git-secret-tell(1)](https://git-secret.io/git-secret-tell), [git-secret-add(1)](https://git-secret.io/git-secret-add), [git-secret-hide(1)](https://git-secret.io/git-secret-hide), [git-secret-reveal(1)](https://git-secret.io/git-secret-cat)

man/man1/git-secret-changes.1.md

@@ -7,29 +7,32 @@ git-secret-changes - view diff of the hidden files.
 
 
 ## DESCRIPTION
-`git-secret-changes` - shows changes between the current version of hidden files and the ones already committed. 
-You can provide any number of hidden files to this command as arguments, and it will show changes for these files only. 
-Note that files must be specified by their encrypted names, typically `filename.yml.secret`.
-If no arguments are provided, information about all hidden files will be shown.
+`git-secret-changes` - shows changes between the current versions of secret files and encrypted versions.
 
-Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See
-(See [git-secret(7)](http://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`.
+If no filenames are provided, changes to all hidden files will be shown. Alternately,
+provide any number of hidden files to this command as arguments, and it will show changes for those files.
+
+Note files must be specified by their unencrypted names, without the `.secret` suffix,
+(or whatever is specified by the `SECRETS_EXTENSION` environment variable).
+
+Note also this command can be affected by the `SECRETS_PINENTRY` environment variable. See
+(See [git-secret(7)](https://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`.
 
 
 ## OPTIONS
 
-    -d  - specifies `--homedir` option for the `gpg`. Use this option if your store your keys in a custom location.
+    -d  - specifies `--homedir` option for the `gpg`. Use this option if you store your keys in a custom location.
     -p  - specifies password for noinput mode, adds `--passphrase` option for `gpg`.
     -h  - shows help.
 
 
 ## MANUAL
 
-Run `man git-secret-changes` to see this note.
+Run `man git-secret-changes` to see this document.
 
 
 ## SEE ALSO
 
-[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), 
-[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), 
-[git-secret-cat(1)](http://git-secret.io/git-secret-cat)
+[git-secret-add(1)](https://git-secret.io/git-secret-add), [git-secret-tell(1)](https://git-secret.io/git-secret-tell),
+[git-secret-hide(1)](https://git-secret.io/git-secret-hide), [git-secret-reveal(1)](https://git-secret.io/git-secret-reveal),
+[git-secret-cat(1)](https://git-secret.io/git-secret-cat)

man/man1/git-secret-clean.1.md

@@ -7,24 +7,32 @@ git-secret-clean - removes all the hidden files.
 
 
 ## DESCRIPTION
-`git-secret-clean` deletes all the encrypted files. 
-Verbose output is enabled with the -v option, in which case the program prints which files are deleted.
+`git-secret-clean` - deletes all files in the current `git-secret` repo that end with `.secret`.
+
+You can change the extension `git-secret` uses for encrypted files
+with the `SECRETS_EXTENSION` environment variable.
+
+Note that it will delete any files ending in `.secret`, even if they are not tracked by `git-secret`. 
+
+Also note that this command does not delete unencrypted versions of files.
+
+Verbose mode, enabled with the `-v` option, displays the filenames deleted.
 
 
 ## OPTIONS
 
-    -v  - verbose mode, shows which files are deleted. 
+    -v  - verbose mode, shows which files are deleted.
     -h  - shows this help.
 
 You can also enable verbosity using the SECRETS_VERBOSE environment variable,
-as documented at [git-secret(7)](http://git-secret.io/)
+as documented at [git-secret(7)](https://git-secret.io/)
 
 ## MANUAL
 
-Run `man git-secret-clean` to see this note.
+Run `man git-secret-clean` to see this document.
 
 
 ## SEE ALSO
 
-[git-secret-whoknows(1)](http://git-secret.io/git-secret-whoknows), [git-secret-add(1)](http://git-secret.io/git-secret-add), 
-[git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)
+[git-secret-whoknows(1)](https://git-secret.io/git-secret-whoknows), [git-secret-add(1)](https://git-secret.io/git-secret-add),
+[git-secret-remove(1)](https://git-secret.io/git-secret-remove), [git-secret-removeperson(1)](https://git-secret.io/git-secret-removeperson)

man/man1/git-secret-hide.1.md

@@ -1,4 +1,4 @@
-git-secret-hide - encrypts all added files with the inner keyring.
+git-secret-hide - encrypts all added files with repo keyring.
 ==================================================================
 
 ## SYNOPSIS
@@ -7,37 +7,34 @@ git-secret-hide - encrypts all added files with the inner keyring.
 
 
 ## DESCRIPTION
-`git-secret-hide` creates an encrypted version (typically called `filename.txt.secret`) 
-of each file added by `git-secret-add` command. 
-Now anyone enabled via 'git secret tell' can can decrypt these files. Under the hood,
-`git-secret` uses the keyring in `.gitsecret/keys` and user's secret keys to decrypt the files.
+`git-secret-hide`  - writes an encrypted version of each file added by `git-secret-add` command.
 
-It is recommended to encrypt (or re-encrypt) all the files in a git-secret repo each 
-time `git secret hide` is run.
+Then anyone enabled via `git secret tell` can decrypt these files. 
 
-Otherwise the keychain (the one stored in `.gitsecret/keys/*.gpg`),
-may have changed since the last time the files were encrypted, and it's possible 
-to create a state where the users in the output of `git secret whoknows` 
-may not be able to decrypt the some files in the repo, or may be able decrypt files 
+Under the hood, `git-secret` uses the keyring of public keys in `.gitsecret/keys` to _encrypt_ files,
+encrypted versions are typically called `filename.txt.secret`.
+
+Later permitted users can use their secret key (typically from their home directory) to _decrypt_ files.
+
+It is recommended to encrypt (or re-encrypt) all the files in a `git-secret` repo each
+time `git secret hide` is run.  
+Otherwise the keyring (the one stored in `.gitsecret/keys/*.gpg`),
+may have changed since the last time the files were encrypted, and it's possible
+to create a state where the users in the output of `git secret whoknows`
+may not be able to decrypt the some files in the repo, or may be able decrypt files
 they're not supposed to be able to.
 
-In other words, unless you re-encrypt all the files in a repo each time you 'hide' any, 
-it's possible to make it so some files can no longer be decrypted by users who should be 
+In other words, unless you re-encrypt all the files in a repo each time you `hide` any,
+it's possible to make it so some files can no longer be decrypted by users who should be
 (and would appear) able to decrypt them, and vice-versa.
 
-If you know what you are doing and wish to encrypt or re-encrypt only a subset of the files 
-even after reading the above paragraphs, you can use the -F or -m option to only encrypted 
-a subset of files. The -F option forces `git secret hide` to skip any hidden files 
-where the unencrypted versions aren't present. The -m option skips any hidden files that have 
-not be modified since the last time they were encrypted. 
-
-Also, it is possible to modify the names of the encrypted files by setting `SECRETS_EXTENSION` variable.
-
-(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
-folder using the SECRETS_DIR environment variable.
-
-You can also enable verbosity using the SECRETS_VERBOSE environment variable,
-as documented at [git-secret(7)](http://git-secret.io/)
+If you know what you are doing and wish
+to encrypt or re-encrypt only a subset of the files
+even after reading the above paragraphs, you can use the `-F` or `-m` options.
+The `-F` option forces `git secret hide` to skip any hidden files
+where the unencrypted versions aren't present.
+The `-m` option skips any hidden files that have
+not be been modified since the last time they were encrypted.
 
 
 ## OPTIONS
@@ -50,13 +47,24 @@ as documented at [git-secret(7)](http://git-secret.io/)
     -m  - encrypt files only when modified.
     -h  - shows help.
 
+
+## ENV VARIABLES
+
+- `SECRETS_GPG_COMMAND` changes the default `gpg` command to anything else
+- `SECRETS_GPG_ARMOR` is a boolean to enable [`--armor` mode](https://www.gnupg.org/gph/en/manual/r1290.html) to store secrets in text format over binary
+- `SECRETS_DIR` changes the default `.gitsecret/` folder to another name as documented at [git-secret(7)](https://git-secret.io/)
+- `SECRETS_EXTENSION` changes the default `.secret` file extension
+- `SECRETS_VERBOSE` changes the output verbosity as documented at [git-secret(7)](https://git-secret.io/)
+- `SECRETS_PINENTRY` changes the [`gpg --pinentry` mode](https://github.com/gpg/pinentry) as documented at [git-secret(7)](https://git-secret.io/)
+
+
 ## MANUAL
 
-Run `man git-secret-hide` to see this note.
+Run `man git-secret-hide` to see this document.
 
 
 ## SEE ALSO
 
-[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), 
-[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),  
-[git-secret-cat(1)](http://git-secret.io/git-secret-cat)
+[git-secret-init(1)](https://git-secret.io/git-secret-init), [git-secret-tell(1)](https://git-secret.io/git-secret-tell),
+[git-secret-add(1)](https://git-secret.io/git-secret-add), [git-secret-reveal(1)](https://git-secret.io/git-secret-reveal),
+[git-secret-cat(1)](https://git-secret.io/git-secret-cat)

man/man1/git-secret-init.1.md

@@ -7,17 +7,25 @@ git-secret-init - initializes git-secret repository.
 
 
 ## DESCRIPTION
-`git-secret-init` should be run inside a `git` repo to set up the .gitsecret directory and initialize the repo for git-secret.
-Until repository is initialized with `git secret init`, all other `git-secret` commands are unavailable.
+`git-secret-init` - initializes a `git-secret` repo by setting up a `.gitsecret` directory.
 
-If a .gitsecret directory already exists, `git-secret-init` exits without making any changes.
-Otherwise, a .gitsecret directory is created with appropriate sub-directories,
-and patterns to ignore git-secret's `random_seed_file`
-and not ignore `.secret` files are added to `.gitignore`.  
+`git-secret-init` should be run inside a `git` repo, to create the 
+`.gitsecret` directory and initialize the repo for git-secret.
+Until a repository is initialized with `git secret init`, all other `git-secret` commands are unavailable.
 
-(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
-folder with the SECRETS_DIR environment variable, and changing the extension git-secret uses for secret files
-with the SECRETS_EXTENSION environment variable.
+If a `.gitsecret` directory already exists, `git-secret-init` exits without making any changes.
+Otherwise, 
+
+* `.gitignore` is modified to ignore `git-secret`'s `random_seed_file`,
+and to not ignore `.secret` files,
+
+* a .gitsecret directory is created with the sub-directories /keys and /paths,
+
+* The `.gitsecret/keys` subdirectory permission is set to 700 to make gnupg happy.
+
+See [git-secret(7)](https://git-secret.io/git-secret) for information about renaming the .gitsecret
+folder with the `SECRETS_DIR` environment variable, and changing the extension `git-secret` uses for secret files
+with the `SECRETS_EXTENSION` environment variable.
 
 
 ## OPTIONS
@@ -27,9 +35,9 @@ with the SECRETS_EXTENSION environment variable.
 
 ## MANUAL
 
-Run `man git-secret-init` to see this note.
+Run `man git-secret-init` to see this document.
 
 
 ## SEE ALSO
 
-[git-secret-usage(1)](http://git-secret.io/git-secret-usage), [git-secret-tell(1)](http://git-secret.io/git-secret-tell)
+[git-secret-usage(1)](https://git-secret.io/git-secret-usage), [git-secret-tell(1)](https://git-secret.io/git-secret-tell)

man/man1/git-secret-killperson.1.md

@@ -1,28 +0,0 @@
-git-secret-killperson - deletes key identified by an email from the inner keyring.
-==================================================================================
-
-## SYNOPSIS
-
-    git secret killperson <emails>...
-
-
-## DESCRIPTION
-This command removes the keys associated with the selected email addresses from the keyring. 
-If you remove a keypair's access with `git-secret-killperson`, and run `git-secret-reveal` and `git-secret-hide -r`,
-it will be impossible for given users to decrypt the hidden files.
-
-
-## OPTIONS
-
-    -h  - shows this help.
-
-
-## MANUAL
-
-Run `man git-secret-killperson` to see this note.
-
-
-## SEE ALSO
-
-[git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-remove(1)](http://git-secret.io/git-secret-remove),
-[git-secret-clean(1)](http://git-secret.io/git-secret-clean)

man/man1/git-secret-list.1.md

@@ -7,10 +7,12 @@ git-secret-list - prints all the added files.
 
 
 ## DESCRIPTION
-`git-secret-list` prints all the currently added tracked files from the `.gitsecret/paths/mapping.cfg`.
+`git-secret-list` - print the files currently considered secret in this repo.
 
-(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
-folder using the SECRETS_DIR environment variable.
+Shows tracked files from `.gitsecret/paths/mapping.cfg`.
+
+(See [git-secret(7)](https://git-secret.io/git-secret) for information about renaming the .gitsecret
+folder using the `SECRETS_DIR` environment variable.
 
 
 ## OPTIONS
@@ -20,11 +22,11 @@ folder using the SECRETS_DIR environment variable.
 
 ## MANUAL
 
-Run `man git-secret-list` to see this note.
+Run `man git-secret-list` to see this document.
 
 
 ## SEE ALSO
 
-[git-secret-whoknows(1)](http://git-secret.io/git-secret-whoknows), [git-secret-add(1)](http://git-secret.io/git-secret-add), 
-[git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-hide(1)](http://git-secret.io/git-secret-hide), 
-[git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), [git-secret-cat(1)](http://git-secret.io/git-secret-cat)
+[git-secret-whoknows(1)](https://git-secret.io/git-secret-whoknows), [git-secret-add(1)](https://git-secret.io/git-secret-add),
+[git-secret-remove(1)](https://git-secret.io/git-secret-remove), [git-secret-hide(1)](https://git-secret.io/git-secret-hide),
+[git-secret-reveal(1)](https://git-secret.io/git-secret-reveal), [git-secret-cat(1)](https://git-secret.io/git-secret-cat)

man/man1/git-secret-remove.1.md

@@ -7,12 +7,19 @@ git-secret-remove - removes files from index.
 
 
 ## DESCRIPTION
-`git-secret-remove` deletes files from `.gitsecret/paths/mapping.cfg`, 
-so they won't be encrypted or decrypted in the future. 
+`git-secret-remove` - stops files from being tracked by `git-secret`.
+
+This deletes filenames from `.gitsecret/paths/mapping.cfg`, 
+which stops these files from being tracked by `git-secret`, and from
+being encrypted to, or decrypted from, `.secret` encrypted versions.
+
 There's also a -c option to delete existing encrypted versions of the files provided.
 
-(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
-folder using the SECRETS_DIR environment variable.
+Note unlike `add`, which automatically add pathnames to `.gitignore`, 
+`remove` does not delete pathnames from `.gitignore`.
+
+(See [git-secret(7)](https://git-secret.io/git-secret) for information about renaming the .gitsecret
+folder using the `SECRETS_DIR` environment variable.
 
 
 ## OPTIONS
@@ -23,10 +30,10 @@ folder using the SECRETS_DIR environment variable.
 
 ## MANUAL
 
-Run `man git-secret-remove` to see this note.
+Run `man git-secret-remove` to see this document.
 
 
 ## SEE ALSO
 
-[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-clean(1)](http://git-secret.io/git-secret-clean), 
-[git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)
+[git-secret-add(1)](https://git-secret.io/git-secret-add), [git-secret-clean(1)](https://git-secret.io/git-secret-clean),
+[git-secret-removeperson(1)](https://git-secret.io/git-secret-removeperson)

man/man1/git-secret-removeperson.1.md

@@ -0,0 +1,31 @@
+git-secret-removeperson - removes user's public key from repo keyring.
+==================================================================================
+
+## SYNOPSIS
+
+    git secret removeperson <emails>...
+
+
+## DESCRIPTION
+`git-secret-removeperson` - removes public keys for passed email addresses from repo's `git-secret` keyring.
+
+This command is used to begin the process of disallowing a user from encrypting and decrypting secrets with `git-secret`.
+
+If you remove a user's access with `git-secret-removeperson`, and then run `git-secret-reveal` and `git-secret-hide -r`,
+that user will no longer be able user to decrypt the hidden files.
+
+
+## OPTIONS
+
+    -h  - shows this help.
+
+
+## MANUAL
+
+Run `man git-secret-removeperson` to see this document.
+
+
+## SEE ALSO
+
+[git-secret-tell(1)](https://git-secret.io/git-secret-tell), [git-secret-remove(1)](https://git-secret.io/git-secret-remove),
+[git-secret-clean(1)](https://git-secret.io/git-secret-clean)

man/man1/git-secret-reveal.1.md

@@ -7,11 +7,16 @@ git-secret-reveal - decrypts all added files.
 
 
 ## DESCRIPTION
-`git-secret-reveal` - decrypts all the files in `.gitsecret/paths/mapping.cfg`,
-or the passed `pathspec`s.
-You will need to have imported the paired secret-key with one of the 
-public-keys which were used in the encryption.
-Under the hood, this uses the `gpg --decrypt` command. 
+`git-secret-reveal` - decrypts passed files, or all files considered secret by `git-secret`.
+
+Under the hood, `reveal` uses the `gpg --decrypt` command
+and your private key (typically from your personal keyring in your
+home directory) to _decrypt_ files.
+
+Therefore, for this operation to succeed, your personal keyring must contain a private key 
+matching one of the public keys which were used to encrypt the secrets --
+i.e., one of the public keys in your repo's `git-secret` keyring when the file was encrypted. 
+
 
 
 ## OPTIONS
@@ -24,17 +29,24 @@ Under the hood, this uses the `gpg --decrypt` command.
     -P  - preserve permissions of encrypted file in unencrypted file.
     -h  - shows help.
 
-(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
-folder using the SECRETS_DIR environment variable.
+
+## ENV VARIABLES
+
+- `SECRETS_GPG_COMMAND` changes the default `gpg` command to anything else
+- `SECRETS_GPG_ARMOR` is a boolean to enable [`--armor` mode](https://www.gnupg.org/gph/en/manual/r1290.html) to store secrets in text format over binary
+- `SECRETS_DIR` changes the default `.gitsecret/` folder to another name as documented at [git-secret(7)](https://git-secret.io/)
+- `SECRETS_EXTENSION` changes the default `.secret` file extension
+- `SECRETS_VERBOSE` changes the output verbosity as documented at [git-secret(7)](https://git-secret.io/)
+- `SECRETS_PINENTRY` changes the [`gpg --pinentry` mode](https://github.com/gpg/pinentry) as documented at [git-secret(7)](https://git-secret.io/)
 
 
 ## MANUAL
 
-Run `man git-secret-reveal` to see this note.
+Run `man git-secret-reveal` to see this document.
 
 
 ## SEE ALSO
 
-[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-cat(1)](http://git-secret.io/git-secret-cat), 
-[git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-add(1)](http://git-secret.io/git-secret-add), 
-[git-secret-hide(1)](http://git-secret.io/git-secret-hide)
+[git-secret-init(1)](https://git-secret.io/git-secret-init), [git-secret-cat(1)](https://git-secret.io/git-secret-cat),
+[git-secret-tell(1)](https://git-secret.io/git-secret-tell), [git-secret-add(1)](https://git-secret.io/git-secret-add),
+[git-secret-hide(1)](https://git-secret.io/git-secret-hide)

man/man1/git-secret-tell.1.md

@@ -1,4 +1,4 @@
-git-secret-tell - adds a person, who can access private data.
+git-secret-tell - adds person who can access private data.
 ===============================================================
 
 ## SYNOPSIS
@@ -7,35 +7,42 @@ git-secret-tell - adds a person, who can access private data.
 
 
 ## DESCRIPTION
-`git-secret tell` receives one or more email addresses as an input, searches for the `gpg`-key in the `gpg`
-`homedir` by these emails, then imports the corresponding public key into `git-secret`'s inner keychain. 
-From this moment this person can encrypt new files with the keyring which contains their key,
-but they cannot decrypt the old files, which were already encrypted without their key. 
-The files should be re-encrypted with the new keyring by someone who has the unencrypted files.
+`git-secret tell` - adds user(s) to the list of those able to encrypt/decrypt secrets.
 
-Because `git-secret tell` works with only email addresses, it will exit with an error if you have
-multiple keys in your keychain with specified email addresses, or if one of the specified emails 
-is already associated with a key in the git-secret keychain.
+This lets the specified user encrypt new files,
+but will not immediately be able to decrypt existing files, which were encrypted without their key.
+Files should be re-encrypted with the new keyring by someone who already has access
+in order for the new user to be able to decrypt the files.
 
-Versions of `git-secret tell` after 0.3.2 will warn about keys that are expired, revoked, or otherwise invalid,
-and also if multiple keys are found for a single email address.
+`git-secret tell` works only with email addresses, and will exit with an error if you have
+multiple keys in your keyring with specified email addresses, or if one of the specified emails
+is already associated with a key in the `git-secret` repo's keyring.
+
+Under the hood, `git-secret-tell` searches in the current user's `gnupg` keyring for public key(s) of passed
+email(s), then imports the corresponding public key(s) into your `git-secret` repo's keyring.
+
+Versions of `git-secret tell` after `0.3.2` will warn about keys that are expired, revoked, or otherwise invalid.
+It will also warn if multiple keys are found for a single email address.
 
 **Do not manually import secret keys into `git-secret`**. It won't work with imported secret keys anyway.
 
+For more details about how `git-secret` uses public and private keys,
+see the documentation for `git-secret-hide` and `git-secret-reveal`.
+
 ## OPTIONS
 
-    -m  - takes your current `git config user.email` as an identifier for the key.
-    -d  - specifies `--homedir` option for the `gpg`, basically use this option if your store your keys in a custom location.
+    -m  - uses your current `git config user.email` setting as an identifier for the key.
+    -d  - specifies `--homedir` option for `gpg`, basically use this option if your store your keys in a custom location.
     -h  - shows help.
 
 
 ## MANUAL
 
-Run `man git-secret-tell` to see this note.
+Run `man git-secret-tell` to see this document.
 
 
 ## SEE ALSO
 
-[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-add(1)](http://git-secret.io/git-secret-add), 
-[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), 
-[git-secret-cat(1)](http://git-secret.io/git-secret-cat), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)
+[git-secret-init(1)](https://git-secret.io/git-secret-init), [git-secret-add(1)](https://git-secret.io/git-secret-add),
+[git-secret-hide(1)](https://git-secret.io/git-secret-hide), [git-secret-reveal(1)](https://git-secret.io/git-secret-reveal),
+[git-secret-cat(1)](https://git-secret.io/git-secret-cat), [git-secret-removeperson(1)](https://git-secret.io/git-secret-removeperson)

man/man1/git-secret-usage.1.md

@@ -7,7 +7,7 @@ git-secret-usage - prints all the available commands.
 
 
 ## DESCRIPTION
-`git-secret-usage` is used to print all the available commands.
+`git-secret-usage` - prints all the available `git-secret` commands.
 
 
 ## OPTIONS
@@ -17,11 +17,11 @@ git-secret-usage - prints all the available commands.
 
 ## MANUAL
 
-Run `man git-secret-usage` to see this note.
+Run `man git-secret-usage` to see this document.
 
 
 ## SEE ALSO
 
-[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-add(1)](http://git-secret.io/git-secret-add), 
-[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), 
-[git-secret-cat(1)](http://git-secret.io/git-secret-cat)
+[git-secret-init(1)](https://git-secret.io/git-secret-init), [git-secret-add(1)](https://git-secret.io/git-secret-add),
+[git-secret-hide(1)](https://git-secret.io/git-secret-hide), [git-secret-reveal(1)](https://git-secret.io/git-secret-reveal),
+[git-secret-cat(1)](https://git-secret.io/git-secret-cat)

man/man1/git-secret-whoknows.1.md

@@ -1,4 +1,4 @@
-git-secret-whoknows - prints email-labels for each key in the keyring.
+git-secret-whoknows - print email for each key in the keyring.
 ======================================================================
 
 ## SYNOPSIS
@@ -7,7 +7,7 @@ git-secret-whoknows - prints email-labels for each key in the keyring.
 
 
 ## DESCRIPTION
-`git-secret-whoknows` prints list of email addresses whose keys are allowed to access the secrets in this repo.
+`git-secret-whoknows` - print email addresses allowed to access the secrets in this repo.
 
 
 ## OPTIONS
@@ -18,11 +18,11 @@ git-secret-whoknows - prints email-labels for each key in the keyring.
 
 ## MANUAL
 
-Run `man git-secret-whoknows` to see this note.
+Run `man git-secret-whoknows` to see this document.
 
 
 ## SEE ALSO
 
-[git-secret-list(1)](http://git-secret.io/git-secret-list), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), 
-[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), 
-[git-secret-cat(1)](http://git-secret.io/git-secret-cat)
+[git-secret-list(1)](https://git-secret.io/git-secret-list), [git-secret-tell(1)](https://git-secret.io/git-secret-tell),
+[git-secret-hide(1)](https://git-secret.io/git-secret-hide), [git-secret-reveal(1)](https://git-secret.io/git-secret-reveal),
+[git-secret-cat(1)](https://git-secret.io/git-secret-cat)

man/man7/git-secret.7.md

@@ -3,49 +3,64 @@ git-secret - bash tool to store private data inside a git repo.
 
 ## Usage: Setting up git-secret in a repository
 
-These steps cover the basic process of using `git-secret`:
+These steps cover the basic process of using `git-secret`
+to specify users and files that will interact with `git-secret`, 
+and to encrypt and decrypt secrets.
 
-0. Before starting, [make sure you have created a `gpg` RSA key-pair](#using-gpg): a public and a secret key identified by your email address.
+0. Before starting, [make sure you have created a `gpg` RSA key-pair](#using-gpg): 
+which are a public key and a secret key pair, identified by your email address and
+stored with your gpg configuration.
+Generally this gpg configuration and keys will be stored somewhere in your home directory.
 
-1. Begin with an existing or new git repository. You'll use the 'git secret' commands to add the keyrings and information
-to make `git-secret` hide and reveal files in this repository.
+1. Begin with an existing or new git repository. 
+
+2. Initialize the `git-secret` repository by running `git secret init`. The `.gitsecret/` folder will be created,
+with subdirectories `keys/` and `paths/`, 
+`.gitsecret/keys/random_seed` will be added to `.gitignore`,
+and `.gitignore` will be configured to _not_ ignore `.secret` files.
 
-2. Initialize the `git-secret` repository by running `git secret init` command. The `.gitsecret/` folder will be created.
 **Note** all the contents of the `.gitsecret/` folder should be checked in, **/except/** the `random_seed` file.
-In other words, of all the files in `.gitsecret/`, only the `random_seed` file should be mentioned in your `.gitignore` file.
-By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your `.gitignore` file.
+This also means that of all the files in `.gitsecret/`, only the `random_seed` file should be mentioned in your `.gitignore` file.
 
-3. Add the first user to the `git-secret` repo keyring by running `git secret tell your@gpg.email`.
+3. Add the first user to the `git-secret` repo keyring by running `git secret tell your@email.id`.
 
 4. Now it's time to add files you wish to encrypt inside the `git-secret` repository.
-This can be done by running `git secret add <filenames...>` command. Make sure these files are ignored by mentions in
-`.gitignore`, otherwise `git-secret` won't allow you to add them, as these files could be stored unencrypted. In the default configuration, `git-secret add` will automatically add the unencrypted versions of the files to `.gitignore` for you.
+This can be done by running `git secret add <filenames...>` command, which will also (as of 0.2.6) 
+add entries to `.gitignore`, stopping those files from being added or committed to the repo unencrypted. 
+
+5. Then run `git secret hide` to encrypt the files you added with `git secret add`.
+The files will be encrypted with the public keys in your git-secret repo's keyring,
+each corresponding to a user's email that you used with `tell`.
 
-5. When done, run `git secret hide` to encrypt all files which you have added by the `git secret add` command.
-The data will be encrypted with the public-keys described by the `git secret tell` command.
 After using `git secret hide` to encrypt your data, it is safe to commit your changes.
 **NOTE:** It's recommended to add the `git secret hide` command to your `pre-commit` hook, so you won't miss any changes.
 
-6. Later you can decrypt files with the `git secret reveal` command, or just print their contents to stdout with the
+6. Later you can decrypt files with the `git secret reveal` command, or print their contents to stdout with the
 `git secret cat` command. If you used a password on your GPG key (always recommended), it will ask you for your password.
 And you're done!
 
 ### Usage: Adding someone to a repository using git-secret
 
 1. [Get their `gpg` public-key](#using-gpg). **You won't need their secret key.**
+They can export their public key for you using a command like: 
+`gpg --armor --export their@email.id > public_key.txt # --armor here makes it ascii`
+ 
+2. Import this key into your `gpg` keyring (in `~/.gnupg` or similar) by running `gpg --import public_key.txt`
 
-2. Import this key into your `gpg` keyring (in `~/.gnupg` or similar) by running `gpg --import KEY_NAME.txt`
+3. Now add this person to your secrets repo by running `git secret tell their@email.id`
+(this will be the email address associated with their public key)
 
-3. Now add this person to your secrets repo by running `git secret tell persons@email.id`
-(this will be the email address associated with the public key)
+4. Now remove the other user's public key from your personal keyring with `gpg --delete-keys their@email.id`
 
-4. The newly added user cannot yet read the encrypted files. Now, re-encrypt the files using
+5. The newly added user cannot yet read the encrypted files. Now, re-encrypt the files using
 `git secret reveal; git secret hide -d`, and then commit and push the newly encrypted files.
 (The -d options deletes the unencrypted file after re-encrypting it).
 Now the newly added user will be able to decrypt the files in the repo using `git-secret reveal`.
 
-Note that it is possible to add yourself to the git-secret repo without decrypting existing files.
-It will be possible to decrypt them after re-encrypting them with the new keyring. So, if you don't
+Note that when you first add a user to a git-secret repo, they will not be able to decrypt existing files
+until another user re-encrypts the files with the new keyring.  
+
+If you do not
 want unexpected keys added, you can configure some server-side security policy with the `pre-receive` hook.
 
 ### Using gpg
@@ -61,7 +76,7 @@ gpg --gen-key
 To export your public key, run:
 
 ```shell
-gpg --export your.email@address.com --armor > public-key.gpg
+gpg --armor --export your.email@address.com > public-key.gpg
 ```
 
 To import the public key of someone else (to share the secret with them for instance), run:
@@ -79,38 +94,40 @@ with the changes in your code.
 
 One way of doing it is the following:
 
-1. [create a gpg key](#using-gpg) for your CI/CD environment. You can chose any name and email address you want: for instance `MyApp CodeShip <myapp@codeship.com>`
-if your app is called MyApp and your CI/CD provider is CodeShip. It is easier not to define a password for that key.
-2. run `gpg --export-secret-key myapp@codeship.com --armor` to get your private key value
-3. Create an env var on your CI/CD server `GPG_PRIVATE_KEY` and assign it the private key value.
+1. [create a gpg key](#using-gpg) for your CI/CD environment. You can chose any name and email address you want: for instance `MyApp Example <myapp@example.com>`
+if your app is called MyApp and your CI/CD provider is Example. It is easier not to define a passphrase for that key. However, if defining a passphrase is unavoidable, use a unique passphrase for the private key.
+2. run `gpg --armor --export-secret-key myapp@example.com` to get your private key value
+3. Create an env var on your CI/CD server `GPG_PRIVATE_KEY` and assign it the private key value. If a passphrase has been setup for the private key, create another env var on the CI/CD server `GPG_PASSPHRASE` and assign it the passphrase of the private key.
 4. Then write your Continuous Deployment build script. For instance:
 
 ```shell
-# Install git-secret (https://git-secret.io/installation), for instance, for debian:
-echo "deb https://dl.bintray.com/sobolevn/deb git-secret main" | sudo tee -a /etc/apt/sources.list
-wget -qO - https://api.bintray.com/users/sobolevn/keys/gpg/public.key | sudo apt-key add -
-sudo apt-get update && sudo apt-get install git-secret
+# As the first step: install git-secret,
+# see: https://git-secret.io/installation
+
 # Create private key file
-echo $GPG_PRIVATE_KEY > ./private_key.gpg
-# Import private key
-gpg --import ./private_key.gpg
-# Reveal secrets
-git secret reveal
+echo "$GPG_PRIVATE_KEY" > ./private_key.gpg
+# Import private key and avoid the "Inappropriate ioctl for device" error
+gpg --batch --yes --pinentry-mode loopback --import private_key.gpg
+# Reveal secrets without user interaction and with passphrase. If no passphrase
+# is created for the key, remove `-p $GPG_PASSPHRASE`
+git secret reveal -p "$GPG_PASSPHRASE"
 # carry on with your build script, secret files are available ...
 ```
 
 Note: your CI/CD might not allow you to create a multiline value. In that case, you can export it on one line with
 
 ```shell
-gpg --export-secret-key myapp@codeship.com --armor | tr '\n' ','
+gpg --armor --export-secret-key myapp@example.com | tr '\n' ','
 ```
 
 You can then create your private key file with:
 
 ```shell
-echo $GPG_PRIVATE_KEY | tr ',' '\n' > ./private_key.gpg
+echo "$GPG_PRIVATE_KEY" | tr ',' '\n' > ./private_key.gpg
 ```
 
+Also note: the `gpg` version on the CI/CD server **MUST INTEROPERATE** with the one used locally. Otherwise, `gpg` decryption can fail, which leads to `git secret reveal` reporting `cannot find decrypted version of file` error. The best way to ensure this is to use the same version of gnupg on different systems.
+
 ## Environment Variables and Configuration
 
 You can configure the version of `gpg` used, or the extension your encrypted files use, to suit your workflow better.
@@ -120,52 +137,69 @@ See below, or the man page of `git-secret` for an explanation of the environment
 
 The settings available to be changed are:
 
-* `$SECRETS_VERBOSE` - sets the verbose flag to on for all `git-secret` commands; is identical
-to using `-v` on each command that supports it.
+* `$SECRETS_VERBOSE` - sets the verbose flag to on for all `git-secret` commands; is identical to using `-v` on each command that supports it.
 
 * `$SECRETS_GPG_COMMAND` - sets the `gpg` alternatives, defaults to `gpg`.
 It can be changed to `gpg`, `gpg2`, `pgp`, `/usr/local/gpg` or any other value.
-After doing so rerun the tests to be sure that it won't break anything. Tested to be working with: `gpg`, `gpg2`.
+After doing so rerun the tests to be sure that it won't break anything. Tested with `gpg` and `gpg2`.
+
+* `$SECRETS_GPG_ARMOR` - sets the `gpg` [`--armor` mode](https://www.gnupg.org/gph/en/manual/r1290.html). Can be set to `1` to store secrets file as text. By default is `0` and store files as binaries.
 
 * `$SECRETS_EXTENSION` - sets the secret files extension, defaults to `.secret`. It can be changed to any valid file extension.
 
-* `$SECRETS_DIR` - sets the directory where git-secret stores its files, defaults to .gitsecret.
-It can be changed to any valid directory name.
+* `$SECRETS_DIR` - sets the directory where `git-secret` stores its files, defaults to `.gitsecret`. It can be changed to any valid directory name.
 
-* `$SECRETS_PINENTRY` - allows user to specify a setting for `gpg`'s --pinentry option.
-See `gpg` docs for details about gpg's --pinentry option.
+* `$SECRETS_PINENTRY` - allows user to specify a setting for `gpg`'s `--pinentry` option. See [`gpg` docs](https://github.com/gpg/pinentry) for details about gpg's `--pinentry` option.
 
-## The `.gitsecret` folder (can be overridden with SECRETS_DIR)
+## The `.gitsecret` folder (can be overridden with `SECRETS_DIR`)
 
 This folder contains information about the files encrypted by git-secret,
 and about which public/private key sets can access the encrypted data.
 
 You can change the name of this directory using the SECRETS_DIR environment variable.
 
-Use the various 'git secret' commands to manipulate the files in `.gitsecret`,
+Use the various `git-secret` commands to manipulate the files in `.gitsecret`,
 you should not change the data in these files directly.
 
 Exactly which files exist in the `.gitsecret` folder and what their contents are
-vary slightly across different versions of gpg. Thus it is best to use
-git-secret with the same version of gpg being used by all users.
-This can be forced using SECRETS_GPG_COMMAND environment variable.
+vary slightly across different versions of gpg. Also, some versions of gpg
+might not work well with keyrings created or modified with newer versions of gpg. 
+Thus it is best to use git-secret with the same version of gpg being used by all users.
+This can be forced by installing matching versions of gpg 
+and using `SECRETS_GPG_COMMAND` environment variable.
 
-Specifically, there is an issue between gpg version 2.1.20 and later versions
+For example, there is an issue between `gpg` version 2.1.20 and later versions
 which can cause problems reading and writing keyring files between systems
 (this shows up in errors like 'gpg: skipped packet of type 12 in keybox').
 
-The git-secret internal data is separated into two directories:
+This is not the only issue it is possible to encounter sharing files between different versions
+of `gpg`.
+Generally you are most likely to encounter issues between `gpg`
+versions if you use `git-secret tell` or `git-secret removeperson` to modify
+your repo's `git-secret` keyring using a newer version of `gpg`, and then try to operate
+on that keyring using an older version of `gpg`.
+
+The `git-secret` internal data is separated into two directories:
 
 ### `.gitsecret/paths`
 
-This directory currently contains only the file `mapping.cfg`, which lists all the files your storing encrypted.
+This directory currently contains only the file `mapping.cfg`, which lists all the files git-secret will consider secret.
 In other words, the path mappings: what files are tracked to be hidden and revealed.
 
-All the other internal data is stored in the directory:
+All other internal data used by git-secret is stored in the directory:
 
 ### `.gitsecret/keys`
 
-This directory contains data used by git-secret and PGP to allow and maintain the correct encryption and access rights for the permitted parties.
+This directory contains data used by `git-secret` and `gpg` to encrypt files to 
+be accessed by the permitted users.
+
+In particular, this directory contains a `gnupg keyring` with public keys for the emails used with `tell`.
+
+This is the keyring used to encrypt files with `git-secret-hide`. 
+
+`git-secret-reveal` and `git-secret-cat`, which decrypt secrets,
+instead use the user's _private keys_ (which probably reside somewhere like ~/.gnupg/).
+Note that user's private keys, needed for decryption, are _not_ in the `.gitsecret/keys` directory.
 
 Generally speaking, all the files in this directory *except* `random_seed` should be checked into your repo.
 By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your `.gitignore` file.

src/_utils/_git_secret_tools.sh

@@ -13,12 +13,13 @@ _SECRETS_DIR_KEYS_TRUSTDB="${_SECRETS_DIR_KEYS}/trustdb.gpg"
 
 _SECRETS_DIR_PATHS_MAPPING="${_SECRETS_DIR_PATHS}/mapping.cfg"
 
-# _SECRETS_VERBOSE is expected to be empty or '1'.
-# Empty means 'off', any other value means 'on'.
+
 # shellcheck disable=SC2153
 if [[ -n "$SECRETS_VERBOSE" ]] && [[ "$SECRETS_VERBOSE" -ne 0 ]]; then
-    # shellcheck disable=SC2034
-    _SECRETS_VERBOSE='1'
+  # shellcheck disable=SC2034
+  _SECRETS_VERBOSE='1'
+  # _SECRETS_VERBOSE is empty or '1'. 
+  # Empty means 'off', any other value means 'on'.
 fi
 
 : "${SECRETS_EXTENSION:=".secret"}"
@@ -29,11 +30,11 @@ fi
 : "${SECRETS_OCTAL_PERMS_COMMAND:="_os_based __get_octal_perms"}"
 : "${SECRETS_EPOCH_TO_DATE:="_os_based __epoch_to_date"}"
 
-# Temp Dir
+# Temp Dir:
 : "${TMPDIR:=/tmp}"
 
 # AWK scripts:
-# shellcheck disable=2016
+# shellcheck disable=SC2016
 AWK_FSDB_HAS_RECORD='
 BEGIN { FS=":"; OFS=":"; cnt=0; }
 {
@@ -45,7 +46,7 @@ BEGIN { FS=":"; OFS=":"; cnt=0; }
 END { if ( cnt > 0 ) print "0"; else print "1"; }
 '
 
-# shellcheck disable=2016
+# shellcheck disable=SC2016
 AWK_FSDB_RM_RECORD='
 BEGIN { FS=":"; OFS=":"; }
 {
@@ -56,7 +57,7 @@ BEGIN { FS=":"; OFS=":"; }
 }
 '
 
-# shellcheck disable=2016
+# shellcheck disable=SC2016
 AWK_FSDB_CLEAR_HASHES='
 BEGIN { FS=":"; OFS=":"; }
 {
@@ -64,7 +65,7 @@ BEGIN { FS=":"; OFS=":"; }
 }
 '
 
-# shellcheck disable=2016
+# shellcheck disable=SC2016
 AWK_GPG_VER_CHECK='
 /^gpg/{
   version=$3
@@ -103,6 +104,7 @@ GPG_VER_MIN_21="$($SECRETS_GPG_COMMAND --version | gawk "$AWK_GPG_VER_CHECK")"
 
 # Bash:
 
+# echos 0 if function exists, otherwise non-zero
 function _function_exists {
   local function_name="$1" # required
 
@@ -131,6 +133,10 @@ function _os_based {
       "$1_linux" "${@:2}"
     ;;
 
+    MSYS*)
+      "$1_linux" "${@:2}"
+    ;;
+
     CYGWIN*)
       "$1_linux" "${@:2}"
     ;;
@@ -181,20 +187,6 @@ function _set_config {
 }
 
 
-function _file_has_line {
-  # First parameter is the key, second is the filename.
-
-  local key="$1" # required
-  local filename="$2" # required
-
-  local contains
-  contains=$(grep -qw "$key" "$filename"; echo $?)
-
-  # 0 on contains, 1 for error.
-  echo "$contains"
-}
-
-
 # this sets the global variable 'temporary_filename'
 # currently this function is only used by 'hide'
 function _temporary_file {
@@ -202,7 +194,7 @@ function _temporary_file {
   # which will be removed on system exit.
   temporary_filename=$(_os_based __temp_file)  # is not `local` on purpose.
 
-  trap 'if [[ -f "$temporary_filename" ]]; then if [[ -n "$_SECRETS_VERBOSE" ]] || [[ -n "$SECRETS_TEST_VERBOSE" ]]; then echo "git-secret: cleaning up: $temporary_filename"; fi; rm -f "$temporary_filename"; fi;' EXIT
+  trap 'if [[ -f "$temporary_filename" ]]; then if [[ -n "$_SECRETS_VERBOSE" ]] || [[ "$SECRETS_TEST_VERBOSE" == 1 ]]; then echo "git-secret: cleaning up: $temporary_filename"; fi; rm -f "$temporary_filename"; fi;' EXIT
 }
 
 
@@ -320,7 +312,7 @@ function _maybe_create_gitignore {
   # This function creates '.gitignore' if it was missing.
 
   local full_path
-  full_path=$(_append_root_path '.gitignore')
+  full_path=$(_prepend_root_path '.gitignore')
 
   if [[ ! -f "$full_path" ]]; then
     touch "$full_path"
@@ -337,9 +329,9 @@ function _add_ignored_file {
   _maybe_create_gitignore
 
   local full_path
-  full_path=$(_append_root_path '.gitignore')
+  full_path=$(_prepend_root_path '.gitignore')
 
-  printf '%q' "$filename" >> "$full_path"
+  printf '%q\n' "$filename" >> "$full_path"
 }
 
 
@@ -380,7 +372,7 @@ function _get_git_root_path {
 
 # Relative paths:
 
-function _append_root_path {
+function _prepend_root_path {
   # This function adds root path to any other path.
 
   local path="$1" # required
@@ -392,28 +384,45 @@ function _append_root_path {
 }
 
 
+# if passed a name like 'filename.txt', returns a full path in the repo
+# For #710: if we are in a subdir, fixup the path with the subdir
+function _prepend_relative_root_path {
+  local path="$1" # required
+
+  local full_path
+  full_path=$(_prepend_root_path "$path")
+
+  local subdir
+  subdir=$(git rev-parse --show-prefix)   # get the subdir of repo, like "subdir/"
+  if [ -n "$subdir" ]; then
+    full_path="$(dirname "$full_path")/${subdir}/$(basename "$full_path")"
+  fi
+
+  echo "$full_path"
+}
+
 function _get_secrets_dir {
-  _append_root_path "${_SECRETS_DIR}"
+  _prepend_root_path "${_SECRETS_DIR}"
 }
 
 
 function _get_secrets_dir_keys {
-  _append_root_path "${_SECRETS_DIR_KEYS}"
+  _prepend_root_path "${_SECRETS_DIR_KEYS}"
 }
 
 
 function _get_secrets_dir_path {
-  _append_root_path "${_SECRETS_DIR_PATHS}"
+  _prepend_root_path "${_SECRETS_DIR_PATHS}"
 }
 
 
 function _get_secrets_dir_keys_trustdb {
-  _append_root_path "${_SECRETS_DIR_KEYS_TRUSTDB}"
+  _prepend_root_path "${_SECRETS_DIR_KEYS_TRUSTDB}"
 }
 
 
 function _get_secrets_dir_paths_mapping {
-  _append_root_path "${_SECRETS_DIR_PATHS_MAPPING}"
+  _prepend_root_path "${_SECRETS_DIR_PATHS_MAPPING}"
 }
 
 
@@ -460,36 +469,23 @@ function _warn_or_abort {
 }
 
 
-function _find_and_clean {
-  # required:
-  local pattern="$1" # can be any string pattern
+function _find_and_remove_secrets_formatted {
+  local filenames
+  _list_all_added_files # sets array variable 'filenames'
 
-  local verbose_opt=''
-  if [[ -n "$_SECRETS_VERBOSE" ]]; then
-    verbose_opt='v';
-  fi
-
-  local root
-  root=$(_get_git_root_path)
-
-  # shellcheck disable=2086
-  find "$root" -path "$pattern" -type f -print0 | xargs -0 rm -f$verbose_opt
+  for filename in "${filenames[@]}"; do
+    local path # absolute path
+    encrypted_filename=$(_get_encrypted_filename "$filename")
+    if [[ -f "$encrypted_filename" ]]; then
+      rm "$encrypted_filename"
+      if [[ -n "$_SECRETS_VERBOSE" ]]; then
+        echo "git-secret: deleted: $encrypted_filename"
+      fi
+    fi
+  done
 }
 
 
-function _find_and_clean_formatted {
-  # required:
-  local pattern="$1" # can be any string pattern
-
-  local outputs
-  outputs=$(_find_and_clean "$pattern")
-
-  if [[ -n "$_SECRETS_VERBOSE" ]] && [[ -n "$outputs" ]]; then
-    # shellcheck disable=SC2001
-    echo "$outputs" | sed "s/^/git-secret: cleaning: /"
-  fi
-}
-
 
 # this sets the global array variable 'filenames'
 function _list_all_added_files {
@@ -497,7 +493,7 @@ function _list_all_added_files {
   path_mappings=$(_get_secrets_dir_paths_mapping)
 
   if [[ ! -s "$path_mappings" ]]; then
-    _abort "$path_mappings is missing."
+    _abort "path_mappings file is missing or empty: $path_mappings"
   fi
 
   local filename
@@ -535,7 +531,7 @@ function _secrets_dir_is_not_ignored {
   ignores=$(_check_ignore "$git_secret_dir")
 
   if [[ ! $ignores -eq 1 ]]; then
-    _abort "'$git_secret_dir' is in .gitignore"
+    _abort "entry already in .gitignore: $git_secret_dir"
   fi
 }
 
@@ -575,7 +571,8 @@ function _user_required {
   local secrets_dir_keys
   secrets_dir_keys=$(_get_secrets_dir_keys)
 
-  # see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs for info about 3>&-
+  # for info about 3>&-
+  # see https://github.com/bats-core/bats-core/blob/master/docs/source/writing-tests.md#file-descriptor-3-read-this-if-bats-hangs 
   local keys_exist
   keys_exist=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning -n --list-keys 3>&-)
   local exit_code=$?
@@ -606,7 +603,7 @@ function _get_user_key_expiry {
   local secrets_dir_keys
   secrets_dir_keys=$(_get_secrets_dir_keys)
 
-  # 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs
+  # 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core/blob/master/docs/source/writing-tests.md#file-descriptor-3-read-this-if-bats-hangs
   line=$($SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode "$username" | grep ^pub: 3>&-)
 
   local expiry_epoch
@@ -634,6 +631,14 @@ function _assert_keyring_doesnt_contain_emails {
   _assert_keyring_emails "$homedir" "$keyring_name" "$emails" 0
 }
 
+function _assert_keyring_contains_emails_at_least_once {
+  local homedir=$1
+  local keyring_name=$2
+  local emails=$3
+  _assert_keyring_emails "$homedir" "$keyring_name" "$emails" 1 1 # expect the email at least once in the keyring
+}
+
+
 
 function _assert_keyring_emails {
   local homedir="$1"
@@ -643,6 +648,7 @@ function _assert_keyring_emails {
   # 0 to not expect the email in the keyring;
   # 1 to expect the email in the keyring
   local expected="$4"
+  local allow_duplicates=$5 # set this to 0 to not allow duplicate emails in the keyring when processing assertion (optional)
 
   local gpg_uids
   gpg_uids=$(_get_users_in_gpg_keyring "$homedir")
@@ -660,7 +666,9 @@ function _assert_keyring_emails {
         if [[ $emails_found -eq 0 ]]; then
           _abort "no key found in gpg $keyring_name for: $email"
         elif [[ $emails_found -gt 1 ]]; then
-          _abort "$emails_found keys found in gpg $keyring_name for: $email"
+          if [[ $allow_duplicates -ne 1 ]]; then
+            _abort "$emails_found keys found in gpg $keyring_name for: $email"
+          fi
         fi
     else
         if [[ $emails_found -gt 0 ]]; then
@@ -696,15 +704,15 @@ function _get_users_in_gpg_keyring {
   result=$($SECRETS_GPG_COMMAND "${args[@]}" --no-permission-warning --list-public-keys --with-colon --fixed-list-mode | \
       gawk -F: '$1=="uid"' )
 
+  local emails
+  emails=$(_extract_emails_from_gpg_output "$result")
+
   # For #508 / #552: warn user if gpg indicates keys are one of:
   # i=invalid, d=disabled, r=revoked, e=expired, n=not valid
   # See https://github.com/gpg/gnupg/blob/master/doc/DETAILS#field-2---validity # for more on gpg 'validity codes'.
   local invalid_lines
   invalid_lines=$(echo "$result" | gawk -F: '$2=="i" || $2=="d" || $2=="r" || $2=="e" || $2=="n"')
 
-  local emails
-  emails=$(_extract_emails_from_gpg_output "$result")
-
   local emails_with_invalid_keys
   emails_with_invalid_keys=$(_extract_emails_from_gpg_output "$invalid_lines")
 
@@ -722,7 +730,7 @@ function _extract_emails_from_gpg_output {
   # gensub() outputs email from <> within field 10, "User-ID".  If there's no <>, then field is just an email address
   #  (and maybe a comment) and we pass it through.
   # Sed at the end removes any 'comment' that appears in parentheses, for #530
-  # 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs
+  # 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core/blob/master/docs/source/writing-tests.md#file-descriptor-3-read-this-if-bats-hangs
   local emails
   emails=$(echo "$result" | gawk -F: '{print gensub(/.*<(.*)>.*/, "\\1", "g", $10); }' | sed 's/([^)]*)//g' 3>&-)
   echo "$emails"
@@ -767,53 +775,59 @@ function _decrypt {
   local encrypted_filename
   encrypted_filename=$(_get_encrypted_filename "$filename")
 
-  local args=( "--use-agent" "--decrypt" "--no-permission-warning" )
-
-  if [[ "$write_to_file" -eq 1 ]]; then
-    args+=( "-o" "$filename" )
-  fi
-
-  if [[ "$force" -eq 1 ]]; then
-    args+=( "--yes" )
-  fi
-
-  if [[ -n "$homedir" ]]; then
-    args+=( "--homedir" "$homedir" )
-  fi
-
-  if [[ "$GPG_VER_MIN_21" -eq 1 ]]; then
-    if [[ -n "$SECRETS_PINENTRY" ]]; then
-      args+=( "--pinentry-mode" "$SECRETS_PINENTRY" )
-    else
-      args+=( "--pinentry-mode" "loopback" )
-    fi
-  fi
-
-  if [[ -z "$_SECRETS_VERBOSE" ]]; then
-    args+=( "--quiet" )
-  fi
-
-  set +e   # disable 'set -e' so we can capture exit_code
-
-  #echo "# gpg passphrase: $passphrase" >&3
-  local exit_code
-  if [[ -n "$passphrase" ]]; then
-    echo "$passphrase" | $SECRETS_GPG_COMMAND "${args[@]}" --batch --yes --no-tty --passphrase-fd 0 \
-      "$encrypted_filename"
-    exit_code=$?
+  if [ ! -f "$encrypted_filename" ]; then
+    _warn_or_abort "cannot find file to decrypt: $encrypted_filename" "1" "$error_ok"
   else
-    $SECRETS_GPG_COMMAND "${args[@]}" "$encrypted_filename"
-    exit_code=$?
-  fi
+    # we no longer use --no-permission-warning on decryption, for #811 
+    local args=( "--use-agent" "--decrypt" )
+  
+    if [[ "$write_to_file" -eq 1 ]]; then
+      args+=( "-o" "$filename" )
+    fi
+  
+    if [[ "$force" -eq 1 ]]; then
+      args+=( "--yes" )
+    fi
+  
+    if [[ -n "$homedir" ]]; then
+      args+=( "--homedir" "$homedir" )
+    fi
+  
+    if [[ "$GPG_VER_MIN_21" -eq 1 ]]; then
+      if [[ -n "$SECRETS_PINENTRY" ]]; then
+        args+=( "--pinentry-mode" "$SECRETS_PINENTRY" )
+      else
+        args+=( "--pinentry-mode" "loopback" )
+      fi
+    fi
 
-  set -e  # re-enable set -e
+    if [[ -z "$_SECRETS_VERBOSE" ]]; then
+      args+=( "--quiet" )
+    fi
 
-  # note that according to https://github.com/sobolevn/git-secret/issues/238 ,
-  # it's possible for gpg to return a 0 exit code but not have decrypted the file
-  #echo "# gpg exit code: $exit_code, error_ok: $error_ok" >&3
-  if [[ "$exit_code" -ne "0" ]]; then
-    local msg="problem decrypting file with gpg: exit code $exit_code: $filename"
-    _warn_or_abort "$msg" "$exit_code" "$error_ok"
+    set +e   # disable 'set -e' so we can capture exit_code
+  
+    #echo "# gpg passphrase: $passphrase" >&3
+    local exit_code
+    if [[ -n "$passphrase" ]]; then
+      exec 5<<<"$passphrase"  # use 5, because descriptors 3 and 4 are used by bats
+      $SECRETS_GPG_COMMAND "${args[@]}" --batch --yes --no-tty --passphrase-fd 5 "$encrypted_filename"
+      exit_code=$?
+      exec 5>&-   # close file descriptor 5
+    else
+      $SECRETS_GPG_COMMAND "${args[@]}" "$encrypted_filename"
+      exit_code=$?
+    fi
+  
+    set -e  # re-enable set -e
+  
+    # note that according to https://github.com/sobolevn/git-secret/issues/238 ,
+    # it's possible for gpg to return a 0 exit code but not have decrypted the file
+    #echo "# gpg exit code: $exit_code, error_ok: $error_ok" >&3
+    if [[ "$exit_code" -ne "0" ]]; then
+      local msg="problem decrypting file with gpg: exit code $exit_code: $filename"
+      _warn_or_abort "$msg" "$exit_code" "$error_ok"
+    fi
   fi
 
   # at this point the file should be written to disk or output to stdout

src/_utils/_git_secret_tools_freebsd.sh

@@ -3,7 +3,7 @@
 # support for freebsd. Mostly the same as MacOS.
 
 
-# shellcheck disable=1117
+# shellcheck disable=SC1117
 function __replace_in_file_freebsd {
   sed -i.bak "s/^\($1[[:space:]]*=[[:space:]]*\).*\$/\1$2/" "$3"
 }
@@ -32,7 +32,7 @@ function __get_octal_perms_freebsd {
   filename=$1
   local perms
   perms=$(stat -f "%04OLp" "$filename")
-  # perms is a string like '0644'. 
+  # perms is a string like '0644'.
   # In the "%04OLp':
   #   the '04' means 4 digits, 0 padded.  So we get 0644, not 644.
   #   the 'O' means Octal.

src/_utils/_git_secret_tools_linux.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 
-# shellcheck disable=1117
+# shellcheck disable=SC1117
 function __replace_in_file_linux {
   sed -i.bak "s/^\($1\s*=\s*\).*\$/\1$2/" "$3"
 }
@@ -11,18 +11,18 @@ function __temp_file_linux {
   local filename
   # man mktemp on CentOS 7:
   # mktemp [OPTION]... [TEMPLATE]
-  # ... 
+  # ...
   #  -p DIR, --tmpdir[=DIR]
-  #        interpret TEMPLATE relative to DIR; if DIR is not specified, 
-  #        use $TMPDIR if set, else /tmp.  With this option, TEMPLATE 
-  #        must not be an absolute name; unlike  with -t, TEMPLATE may 
+  #        interpret TEMPLATE relative to DIR; if DIR is not specified,
+  #        use $TMPDIR if set, else /tmp.  With this option, TEMPLATE
+  #        must not be an absolute name; unlike  with -t, TEMPLATE may
   #        contain slashes, but mktemp creates only the final component
   # ...
-  #  -t     interpret TEMPLATE as a single file name component, 
-  #         relative to a directory: $TMPDIR, if set; else the directory 
+  #  -t     interpret TEMPLATE as a single file name component,
+  #         relative to a directory: $TMPDIR, if set; else the directory
   #         specified via -p; else /tmp [deprecated]
 
-  filename=$(mktemp -p "${TMPDIR}" _git_secret.XXXXXX ) 
+  filename=$(mktemp -p "${TMPDIR}" _git_secret.XXXXXX )
   # makes a filename like /$TMPDIR/_git_secret.ONIHo
   echo "$filename"
 }
@@ -36,7 +36,7 @@ function __get_octal_perms_linux {
   filename=$1
 
   local stat_is_busybox
-  stat_is_busybox=_exe_is_busybox "stat"
+  stat_is_busybox=$(_exe_is_busybox "stat")
   local perms   # a string like '644'
   if [ "$stat_is_busybox" -eq 1 ]; then
     # special case for busybox, which doesn't understand --format

src/_utils/_git_secret_tools_osx.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 
-# shellcheck disable=1117
+# shellcheck disable=SC1117
 function __replace_in_file_osx {
   sed -i.bak "s/^\($1[[:space:]]*=[[:space:]]*\).*\$/\1$2/" "$3"
 }
@@ -9,7 +9,7 @@ function __replace_in_file_osx {
 
 function __temp_file_osx {
   local filename
-  # man mktemp on OSX: 
+  # man mktemp on OSX:
   # ...
   # "If the -t prefix option is given, mktemp will generate a template string
   #   based on the prefix and the _CS_DARWIN_USER_TEMP_DIR configuration vari-
@@ -17,8 +17,8 @@ function __temp_file_osx {
   #   available are TMPDIR and /tmp."
 
   # we use /usr/bin/mktemp in case there's another mktemp available. See #485
-  filename=$(/usr/bin/mktemp -t _git_secret )    
-  # On OSX this can make a filename like 
+  filename=$(/usr/bin/mktemp -t _git_secret )
+  # On OSX this can make a filename like
   # '/var/folders/nz/vv4_91234569k3tkvyszvwg90009gn/T/_git_secret.HhvUPlUI'
   echo "$filename";
 }
@@ -32,7 +32,8 @@ function __get_octal_perms_osx {
   local filename
   filename=$1
   local perms
-  perms=$(stat -f "%04OLp" "$filename")
+  # we use /usr/bin/stat in case there's another stat available from brew. See #918
+  perms=$(/usr/bin/stat -f "%04OLp" "$filename")
   # see _git_secret_tools_freebsd.sh for more about stat's format string
   echo "$perms"
 }

src/commands/git_secret_add.sh

@@ -2,12 +2,11 @@
 
 
 function add {
-  local auto_ignore=1
   OPTIND=1
 
   while getopts "ihv" opt; do
     case "$opt" in
-      i) auto_ignore=1;;    # this doesn't change anything
+      i) ;;    # this doesn't change anything
 
       h) _show_manual_for "add";;
 
@@ -32,7 +31,7 @@ function add {
     local path # absolute path
     local normalized_path # relative to the .git dir
     normalized_path=$(_git_normalize_filename "$item")
-    path=$(_append_root_path "$normalized_path")
+    path=$(_prepend_root_path "$normalized_path")
 
     # check that the file is not tracked
     local in_git
@@ -59,25 +58,13 @@ function add {
   # Are there any unignored files?
 
   if [[ ! "${#not_ignored[@]}" -eq 0 ]]; then
-    # And show them all at once.
-    local message
-    message="these files are not in .gitignore: $*"
+    # Add these files to `.gitignore` automatically:
+    # see https://github.com/sobolevn/git-secret/issues/18 for more.
 
-    if [[ "$auto_ignore" -eq 0 ]]; then
-      # This file is not ignored. user don't want it to be added automatically.
-      # Raise the exception, since all files, which will be hidden, must be ignored.
-      # note that it is no longer possible to wind up in this code path as auto_ignore cannot be 0.
-      # code left here in case we want to restore/modify this path later
-      _abort "$message"
-    else
-      # In this case these files should be added to the `.gitignore` automatically:
-      # see https://github.com/sobolevn/git-secret/issues/18 for more.
-      _message "$message"
-      _message "auto adding them to .gitignore"
-      for item in "${not_ignored[@]}"; do
-        _add_ignored_file "$item"
-      done
-    fi
+    for item in "${not_ignored[@]}"; do
+      _message "file not in .gitignore, adding: $item"
+      _add_ignored_file "$item"
+    done
   fi
 
   # Adding files to path mappings:
@@ -101,7 +88,7 @@ function add {
        if [[ -n "$_SECRETS_VERBOSE" ]]; then
         _message "adding file: $key"
       fi
-      
+
       ((count=count+1))
     fi
   done

src/commands/git_secret_cat.sh

@@ -32,7 +32,7 @@ function cat {
     local path
 
     filename=$(_get_record_filename "$line")
-    path=$(_append_root_path "$filename")
+    path=$(_prepend_relative_root_path "$filename")  # this uses the _relative version because of #710
 
     # The parameters are: filename, write-to-file, force, homedir, passphrase
     _decrypt "$path" "0" "0" "$homedir" "$passphrase"

src/commands/git_secret_changes.sh

@@ -42,12 +42,12 @@ function changes {
         _abort "cannot find encrypted version of file: $filename"
     fi
     if [[ -n "$normalized_path" ]]; then
-      path=$(_append_root_path "$normalized_path")
+      path=$(_prepend_root_path "$normalized_path")
     else
       # Path was already normalized
-      path=$(_append_root_path "$filename")
+      path=$(_prepend_root_path "$filename")
     fi
-    
+
     if [[ ! -f "$path" ]]; then
         _abort "file not found. Consider using 'git secret reveal': $filename"
     fi
@@ -58,7 +58,7 @@ function changes {
     local decrypted
     decrypted_x=$(_decrypt "$path" "0" "0" "$homedir" "$passphrase"; echo x$?)
     decrypted="${decrypted_x%x*}"
-    # we ignore the exit code because _decrypt will _abort if appropriate.
+    # we ignore the exit code because _decrypt will abort_ if appropriate.
 
 
     _message "changes in ${path}:"

src/commands/git_secret_clean.sh

@@ -4,7 +4,7 @@
 function clean {
   OPTIND=1
 
-  # shellcheck disable=2034
+  # shellcheck disable=SC2034
   while getopts 'vh' opt; do
     case "$opt" in
       v) _SECRETS_VERBOSE=1;;
@@ -18,12 +18,11 @@ function clean {
   shift $((OPTIND-1))
   [ "$1" = '--' ] && shift
 
-  if [ $# -ne 0 ]; then 
+  if [ $# -ne 0 ]; then
     _abort "clean does not understand params: $*"
   fi
 
   _user_required
 
-  # User should see properly formatted output:
-  _find_and_clean_formatted "*$SECRETS_EXTENSION"
+  _find_and_remove_secrets_formatted
 }

src/commands/git_secret_hide.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# shellcheck disable=2016
+# shellcheck disable=SC2016
 AWK_FSDB_UPDATE_HASH='
 BEGIN { FS=":"; OFS=":"; }
 {
@@ -15,14 +15,6 @@ BEGIN { FS=":"; OFS=":"; }
 }
 '
 
-function _optional_clean {
-  local clean="$1"
-
-  if [[ $clean -eq 1 ]]; then
-    _find_and_clean_formatted "*$SECRETS_EXTENSION"
-  fi
-}
-
 
 function _optional_delete {
   local delete="$1"
@@ -33,19 +25,19 @@ function _optional_delete {
 
     # We use custom formatting here:
     if [[ -n "$_SECRETS_VERBOSE" ]]; then
-      echo && _message 'removing unencrypted files:'
+      _message 'removing unencrypted files'
     fi
 
-    while read -r line; do
-      # So the formatting would not be repeated several times here:
+    while read -r line; do  # each line is a record like: filename: or filename:hash
       local filename
       filename=$(_get_record_filename "$line")
-      _find_and_clean "*$filename"
+      if [[ -e "$filename" ]]; then 
+        rm "$filename"
+        if [[ -n "$_SECRETS_VERBOSE" ]]; then
+          _message "deleted: $filename"
+        fi
+      fi
     done < "$path_mappings"
-
-    if [[ -n "$_SECRETS_VERBOSE" ]]; then
-      echo
-    fi
   fi
 }
 
@@ -108,16 +100,19 @@ function hide {
   shift $((OPTIND-1))
   [ "$1" = '--' ] && shift
 
-  if [ $# -ne 0 ]; then 
+  if [ $# -ne 0 ]; then
     _abort "hide does not understand params: $*"
   fi
 
   # We need user to continue:
   _user_required
 
-  # If -c option was provided, it would clean the hidden files
+  # If -c option was provided, clean the hidden files
   # before creating new ones.
-  _optional_clean "$clean"
+  # BUG: if passed files, we should only delete them, but we always delete all secret files; see issue #834
+  if [[ $clean -eq 1 ]]; then
+    _find_and_remove_secrets_formatted
+  fi
 
   # Encrypting files:
 
@@ -149,8 +144,8 @@ function hide {
 
     local input_path
     local output_path
-    input_path=$(_append_root_path "$filename")
-    output_path=$(_append_root_path "$encrypted_filename")
+    input_path=$(_prepend_root_path "$filename")
+    output_path=$(_prepend_root_path "$encrypted_filename")
 
     # Checking that file is valid:
     if [[ ! -f "$input_path" ]]; then
@@ -158,19 +153,35 @@ function hide {
       _warn_or_abort "file not found: $input_path" "1" "$force_continue"
     else
       file_hash=$(_get_file_hash "$input_path")
-  
-      # encrypt file only if required
-      if [[ "$update_only_modified" -eq 0 ]] || [[ "$fsdb_file_hash" != "$file_hash" ]]; then
 
-        local args=( --homedir "$secrets_dir_keys" "--no-permission-warning" --use-agent --yes "--trust-model=always" --encrypt )
+      # encrypt file only if required
+      if [[ "$update_only_modified" -eq 0 ]] ||
+         [[ "$fsdb_file_hash" != "$file_hash" ]]; then
+
+        # we no longer use --no-permission-warning here, for #811
+        local args=( --homedir "$secrets_dir_keys" --use-agent --yes '--trust-model=always' --encrypt )
+
+        # SECRETS_GPG_ARMOR is expected to be empty or '1'.
+        # Empty means 'off', any other value means 'on'.
+        # See: https://github.com/sobolevn/git-secret/pull/661
+        # shellcheck disable=SC2153
+        if [[ -n "$SECRETS_GPG_ARMOR" ]] &&
+           [[ "$SECRETS_GPG_ARMOR" -ne 0 ]]; then
+          args+=( '--armor' )
+        fi
+
+        if [[ -n "$_SECRETS_VERBOSE" ]]; then
+          args+=( '--verbose' )
+        fi
 
         # we depend on $recipients being split on whitespace
         # shellcheck disable=SC2206
         args+=( $recipients -o "$output_path" "$input_path" )
 
-        set +e   # disable 'set -e' so we can capture exit_code
+        set +e  # disable 'set -e' so we can capture exit_code
 
-     	  # see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs for info about 3>&-
+     	  # For info about `3>&-` see:
+        # https://github.com/bats-core/bats-core/blob/master/docs/source/writing-tests.md#file-descriptor-3-read-this-if-bats-hangs
         local gpg_output
         gpg_output=$($SECRETS_GPG_COMMAND "${args[@]}" 3>&-)  # we leave stderr alone
         local exit_code=$?
@@ -179,13 +190,13 @@ function hide {
 
         local error=0
         if [[ "$exit_code" -ne 0 ]] || [[ ! -f "$output_path" ]]; then
-          error=1 
+          error=1
         fi
 
         if [[ "$error" -ne 0 ]] || [[ -n "$_SECRETS_VERBOSE" ]]; then
           if [[ -n "$gpg_output" ]]; then
             echo "$gpg_output"
-          fi  
+          fi
         fi
 
         if [[ ! -f "$output_path" ]]; then
@@ -199,7 +210,7 @@ function hide {
             chmod "$perms" "$output_path"
           fi
         fi
-  
+
         # Update file hash for future use of -m
         local key="$filename"
         local hash="$file_hash"

src/commands/git_secret_init.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# shellcheck disable=2016
+# shellcheck disable=SC2016
 AWK_ADD_TO_GITIGNORE='
 BEGIN {
   cnt=0
@@ -33,7 +33,7 @@ function gitignore_add_pattern {
   local gitignore_file_path
 
   pattern="$1"
-  gitignore_file_path=$(_append_root_path '.gitignore')
+  gitignore_file_path=$(_prepend_root_path '.gitignore')
 
   _maybe_create_gitignore
   _gawk_inplace -v pattern="$pattern" "'$AWK_ADD_TO_GITIGNORE'" "$gitignore_file_path"
@@ -53,7 +53,7 @@ function init {
   shift $((OPTIND-1))
   [ "$1" = '--' ] && shift
 
-  if [ $# -ne 0 ]; then 
+  if [ $# -ne 0 ]; then
     _abort "init does not understand params: $*"
   fi
 
@@ -71,6 +71,7 @@ function init {
   # Create internal files:
 
   mkdir "$git_secret_dir" "$(_get_secrets_dir_keys)" "$(_get_secrets_dir_path)"
+  chmod 700 "$(_get_secrets_dir_keys)"  # for #811, set to rwx------
   touch "$(_get_secrets_dir_paths_mapping)"
 
   _message "init created: '$git_secret_dir/'"

src/commands/git_secret_killperson.sh

@@ -1,45 +0,0 @@
-#!/usr/bin/env bash
-
-
-function killperson {
-  OPTIND=1
-
-  while getopts 'h' opt; do
-    case "$opt" in
-      h) _show_manual_for 'killperson';;
-
-      *) _invalid_option_for 'killperson';;
-    esac
-  done
-
-  shift $((OPTIND-1))
-  [ "$1" = "--" ] && shift
-
-  _user_required
-
-  # Command logic:
-
-  local emails=( "$@" )
-
-  if [[ ${#emails[@]} -eq 0 ]]; then
-    _abort "at least one email is required for killperson."
-  fi
-  # Getting the local git-secret `gpg` key directory:
-  local secrets_dir_keys
-  secrets_dir_keys=$(_get_secrets_dir_keys)
-
-  _assert_keyring_contains_emails "$secrets_dir_keys" "git-secret keyring" "${emails[@]}"
-
-  for email in "${emails[@]}"; do
-    # see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs for info about 3>&-
-    $SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --batch --yes --delete-key "$email" 3>&-
-    local exit_code=$?
-    if [[ "$exit_code" -ne 0 ]]; then
-      _abort "problem deleting key for '$email' with gpg: exit code $exit_code"
-    fi
-  done
-
-  _message 'removed keys.'
-  _message "now [$*] do not have an access to the repository."
-  _message 'make sure to hide the existing secrets again.'
-}

src/commands/git_secret_list.sh

@@ -15,7 +15,7 @@ function list {
   shift $((OPTIND-1))
   [ "$1" = '--' ] && shift
 
-  if [ $# -ne 0 ]; then 
+  if [ $# -ne 0 ]; then
     _abort "list does not understand params: $*"
   fi
 

src/commands/git_secret_remove.sh

@@ -31,7 +31,7 @@ function remove {
     local path # absolute path
     local normalized_path # relative to .git folder
     normalized_path=$(_git_normalize_filename "$item")
-    path=$(_append_root_path "$normalized_path")
+    path=$(_prepend_root_path "$normalized_path")
 
     # Checking if file exists:
     if [[ ! -f "$path" ]]; then
@@ -53,6 +53,9 @@ function remove {
       encrypted_filename=$(_get_encrypted_filename "$path")
 
       rm "$encrypted_filename" # fail on error
+      if [[ -n "$_SECRETS_VERBOSE" ]]; then
+          _message "deleted: $encrypted_filename"
+      fi
     fi
   done
 

src/commands/git_secret_removeperson.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+
+function removeperson {
+  OPTIND=1
+
+  while getopts 'h' opt; do
+    case "$opt" in
+      h) _show_manual_for 'removeperson';;
+
+      *) _invalid_option_for 'removeperson';;
+    esac
+  done
+
+  shift $((OPTIND-1))
+  [ "$1" = "--" ] && shift
+
+  _user_required
+
+  # Command logic:
+
+  local emails=( "$@" )
+
+  if [[ ${#emails[@]} -eq 0 ]]; then
+    _abort "at least one email is required for removeperson."
+  fi
+  # Getting the local git-secret `gpg` key directory:
+  local secrets_dir_keys
+  secrets_dir_keys=$(_get_secrets_dir_keys)
+
+  _assert_keyring_contains_emails_at_least_once "$secrets_dir_keys" "git-secret keyring" "${emails[@]}"
+
+  local args=( --homedir "$secrets_dir_keys" --batch --yes )
+  # we no longer use --no-permission-warning here in non-verbose mode, for #811
+
+  for email in "${emails[@]}"; do
+    # see https://github.com/bats-core/bats-core/blob/master/docs/source/writing-tests.md#file-descriptor-3-read-this-if-bats-hangs for info about 3>&-
+    $SECRETS_GPG_COMMAND "${args[@]}" --delete-key "$email" 3>&-
+    local exit_code=$?
+    if [[ "$exit_code" -ne 0 ]]; then
+      _abort "problem deleting key for '$email' with gpg: exit code $exit_code"
+    fi
+  done
+
+  _message 'removed keys.'
+  _message "now [$*] do not have an access to the repository."
+  _message 'make sure to hide the existing secrets again.'
+}
+
+function killperson {
+  echo "Warning: 'killperson' has been renamed to 'removeperson'. This alias will be removed in the future versions, please switch to call 'removeperson' going forward."
+
+  removeperson "$@"
+}

src/commands/git_secret_reveal.sh

@@ -44,8 +44,10 @@ function reveal {
 
   local counter=0
   local to_show=( "$@" )
+  local path_prepend_func='_prepend_relative_root_path'
 
   if [ ${#to_show[@]} -eq 0 ]; then
+    path_prepend_func='_prepend_root_path'
     while read -r record; do
       to_show+=("$record")  # add record to array
     done < "$path_mappings"
@@ -55,7 +57,7 @@ function reveal {
     local filename
     local path
     filename=$(_get_record_filename "$line")
-    path=$(_append_root_path "$filename")
+    path=$("$path_prepend_func" "$filename")
 
     if [[ "$filename" == *"$SECRETS_EXTENSION" ]]; then
       _abort "cannot decrypt to secret version of file: $filename"
@@ -76,7 +78,7 @@ function reveal {
         chmod "$perms" "$path"
       fi
     fi
-  
+
   done
 
   _message "done. $counter of ${#to_show[@]} files are revealed."

src/commands/git_secret_tell.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# shellcheck disable=2016
+# shellcheck disable=SC2016
 AWK_GPG_KEY_CNT='
 BEGIN { cnt=0; OFS=":"; FS=":"; }
 flag=0; $1 == "pub" { cnt++ }
@@ -10,7 +10,7 @@ END { print cnt }
 function get_gpg_key_count {
   local secrets_dir_keys
   secrets_dir_keys=$(_get_secrets_dir_keys)
-  # 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs
+  # 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core/blob/master/docs/source/writing-tests.md#file-descriptor-3-read-this-if-bats-hangs
   $SECRETS_GPG_COMMAND --homedir "$secrets_dir_keys" --no-permission-warning --list-public-keys --with-colon | gawk "$AWK_GPG_KEY_CNT" 3>&-
   local exit_code=$?
   if [[ "$exit_code" -ne 0 ]]; then
@@ -77,17 +77,18 @@ function tell {
   start_key_cnt=$(get_gpg_key_count)
   for email in "${emails[@]}"; do
     _temporary_file  # note that `_temporary_file` will export `temporary_filename` var.
-    # shellcheck disable=2154
+    # shellcheck disable=SC2154
     local keyfile="$temporary_filename"
 
-    # 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core#file-descriptor-3-read-this-if-bats-hangs
+    # 3>&- closes fd 3 for bats, see https://github.com/bats-core/bats-core/blob/master/docs/source/writing-tests.md#file-descriptor-3-read-this-if-bats-hangs
     local exit_code
     if [[ -z "$homedir" ]]; then
       $SECRETS_GPG_COMMAND --export -a "$email" > "$keyfile" 3>&-
       exit_code=$?
     else
-      # It means that homedir is set as an extra argument via `-d`:
-      $SECRETS_GPG_COMMAND --no-permission-warning --homedir="$homedir" \
+      # This means that homedir is set as an extra argument via `-d`:
+      # we no longer use --no-permission-warning here, for #811
+      $SECRETS_GPG_COMMAND --homedir="$homedir" \
         --export -a "$email" > "$keyfile" 3>&-
       exit_code=$?
     fi
@@ -100,7 +101,7 @@ function tell {
     fi
 
     # Importing public key to the local keyring:
-    local args=( --homedir "$secrets_dir_keys" --no-permission-warning --import "$keyfile" )
+    local args=( --homedir "$secrets_dir_keys" --import "$keyfile" )
     if [[ -z "$_SECRETS_VERBOSE" ]]; then
       $SECRETS_GPG_COMMAND "${args[@]}" > /dev/null 2>&1 3>&-
     else