dotgpg 0.5.1 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 48a037835fdef38056c761c71cdfc41e2d89ebeb
-  data.tar.gz: 919fda0ab9bf3fcbb599b4a746f83b19e52e3ab0
+  metadata.gz: 9809f26fb51e8fce8cce8bcbfb6656b1de07208f
+  data.tar.gz: 98e7d6a9928c1a64de793e7e57729756949cdbf1
 SHA512:
-  metadata.gz: f4343d6eafe255048b2375caf4e84d4dee83485e876accf414e831d7a384be819c7ea405078c8b1f74228bc054a57e6294a9ac09fe0bb9bc7c28005d4cb648b5
-  data.tar.gz: 737f43db0c26b457b5c6ea37a45e4d7bde855adbed68185ec2c02941a7a0db5d7aab1cc7412030c43b4d85ffd0fe64a5ee2156508f2c5ea4b01a0fe6f8b4bcbc
+  metadata.gz: 2133b5d5e87cc941c0aebed9e2e12680d56abaf62fa42fca66cd1822d828e0eca3478c7c81e5cb3069bec3c0057be59de42c7ee72be4894f638410d875f23cbe
+  data.tar.gz: b8030f114a7fb96bdd9100f216529b566077a015f000f6d458f2b741d785d48b20e87cfcae7b22e55e04f8dcc1af1aba44eb2a63012a9bea7829423db0dd76fb

data/README.md

@@ -80,6 +80,10 @@ leJCaaNJQBbIOj4QOjFWiZ8ATqLH9nkgawSwOV3xp0MWayCJ3MVnibt4CaI=
 -----END PGP PUBLIC KEY BLOCK-----
 ```
 
+#### dotgpg merge
+
+See the 'Integration With Git' section below.
+
 ## Why
 
 Production secrets are the keys that your app needs to run. For example the session cookie encryption key, or the database password. These are critical to the running of your app, so it's essential to have a backup that is version controlled. Then if anything goes wrong, you can find the previous values and go back to running happily.
@@ -165,3 +169,25 @@ Occasionally people leave, or stop needing access to dotgpg. To remove them use
 dotgpg rm conrad.irwin@gmail.com
 ```
 
+### Integration with git
+
+Encrypted files don't work well with many git workflows because they are (basically) binary files that appear to be text files. Because of this diff and merge may appear to work from git's point of view but will actually generate garbage according to GPG. It's possible to work around this:
+
+Add the following lines to your [git config](http://git-scm.com/docs/git-config):
+```
+[diff "gpg"]
+  textconv = gpg -d -q --batch --no-tty 2>/dev/null
+[merge "gpg"]
+  name = dotgpg merge driver
+  driver = "dotgpg merge %O %A %B"
+```
+(you may need to use `bundle exec dotgpg merge %O %A %B` depending on how you've installed dotgpg and ruby)
+
+Add the following lines to your [git attributes](http://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes)
+```
+*.gpg diff=gpg merge=gpg
+```
+
+Now `git diff` will show you the diff of the decrypted content. `git merge` will decrypted your files, try to merge the decrypted text, and then encrypt the subsequent output. If there's a conflict the file will be marked as such but will still be a valid GPG file - the decrypted file will contain the text with the merge conflict markers in it.
+
+It's probably possible to adapt this to other VCS's.

data/dotgpg.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |gem|
   gem.name = 'dotgpg'
-  gem.version = '0.5.1'
+  gem.version = '0.6.0'
 
   gem.summary = 'gpg-encrypted backup for your dotenv files'
   gem.description = "Easy management of gpg-encrypted backup files"

data/lib/dotgpg/cli.rb

@@ -23,7 +23,7 @@ class Dotgpg
       info "  #{directory}/.gpg/#{key.email}"
 
       FileUtils.mkdir_p(dir.dotgpg)
-      unless File.exist? 'README.md'      
+      unless File.exist? 'README.md'
         FileUtils.cp Pathname.new(__FILE__).dirname.join("template/README.md"), dir.path.join("README.md")
       dir.add_key(key)
       end
@@ -100,6 +100,14 @@ class Dotgpg
       fail e.message
     end
 
+    desc "unsafe_cat FILES...", "unsafely decrypt and print files"
+    def unsafe_cat(*files)
+      return if helped?
+      files.each do |f|
+        $stdout.puts Dotgpg.decrypt_without_validating_signatures File.open f
+      end
+    end
+
     desc "edit FILES...", "edit and re-encrypt files"
     def edit(*files)
       return if helped?
@@ -122,6 +130,100 @@ class Dotgpg
       fail e.message
     end
 
+    desc "merge MYFILE OLDFILE YOURFILE", "dotgpg-aware wrapper for merging via diff3(1)"
+    def merge(*files)
+      require 'find'
+      require 'digest'
+      require 'fileutils'
+
+      return if helped?
+      fail "usage: MYFILE OLDFILE YOURFILE" unless files.length == 3
+
+      # ok, we won't know which gpg directory was used for our files because
+      # the .merge_files are dumped in the root git dir. so we resort to ulginess
+      # - we hash OLDFILE, search for directories which contain a .gpg subdir
+      # and check the md5sums of all the files in said directory. if there's a
+      # match we have our dir
+      old_hash = Digest::SHA256.file(files[1]).hexdigest
+
+      # if file is nil DotGpg:Dir.closest throws an error. if it's just a blank
+      # string we get the "not in a dotgpg directory" message
+      file = ''
+
+      Find.find(::Dir.pwd) do |path|
+        if FileTest.directory?(path) && File.basename(path) == ".gpg"
+          # found a .gpg dir, check in the parent for our target file
+          dotgpg_dir = File.dirname path
+          gpg_files = ::Dir.glob(File.join dotgpg_dir, "*")
+
+          if matched = gpg_files.find { |f| File.file?(f) && old_hash == Digest::SHA256.file(f).hexdigest }
+            file = matched
+            break
+          end
+        end
+      end
+
+      dir = Dotgpg::Dir.closest(file)
+      fail "not in a dotgpg directory" unless dir
+
+      mine = Tempfile.open('mine')
+      old = Tempfile.open('old')
+      yours = Tempfile.open('yours')
+
+      begin
+        # decrypt all three of our files
+        dir.decrypt files[0], mine
+        dir.decrypt files[1], old
+        dir.decrypt files[2], yours
+
+        # flush our io
+        mine.flush
+        old.flush
+        yours.flush
+
+        # TODO - could also use diff3(1) here:
+        #
+        #   "diff3 -L mine -L old -L yours -m #{mine.path} #{old.path} #{yours.path}"
+        #
+        # but git merge-file's output is more diff3-ish than diff3's, weird.
+        cmd = "git merge-file -L mine -L old -L yours -p %s %s %s  2>/dev/null" %
+          [ Shellwords.escape(mine.path), Shellwords.escape(old.path),
+            Shellwords.escape(yours.path) ]
+
+        # run our merge
+        diff = `#{cmd}`
+        conflict = !$?.success?
+      ensure
+        # close and unlink our tempfiles
+        mine.close!
+        old.close!
+        yours.close!
+      end
+
+      # make a new stringio object out of our diff output
+      io = StringIO.new diff
+
+      #  create a new tempfile to write our merged file to
+      t = Tempfile.open('merged')
+      begin
+        # encrypt our diff3 output
+        dir.encrypt t, io
+        t.flush
+
+        # and copy that file back to OLDFILE (aka files[1]) since that's where
+        # git expects to find it
+        FileUtils.copy t.path, files[1]
+      ensure
+        t.close!
+      end
+
+      # this is important - this exit value is what git uses to decide if there
+      # is a conflict or not
+      exit (conflict ? 1 : 0)
+    rescue GPGME::Error::BadPassphrase => e
+      fail e.message
+    end
+
     private
 
     # If the global --help or -h flag is passed, show help.

data/lib/dotgpg.rb

@@ -94,4 +94,17 @@ class Dotgpg
     io.puts(@passphrase)
     io.flush
   end
+
+  # this is a quick workaroundfor situations where finding a dotgpg directory is
+  # difficult.
+  #
+  # THIS WILL NOT VERIFY THE INPUT WAS SIGNED
+  # THIS WILL NOT VERIFY THE INPUT SIGNATURE IS VALID
+  # THIS WILL NOT VERIFY THE INPUT SIGNATURE IS TRUSTED
+  #
+  # see Dir#decrypt for the right way to read files.
+
+  def self.decrypt_without_validating_signatures(data)
+    GPGME::Crypto.new.decrypt data, passphrase_callback: Dotgpg.method(:passfunc)
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dotgpg
 version: !ruby/object:Gem::Version
-  version: 0.5.1
+  version: 0.6.0
 platform: ruby
 authors:
 - Conrad Irwin
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - certs/gem-public_cert.pem
-date: 2014-12-12 00:00:00.000000000 Z
+date: 2015-04-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor