git-cipher 0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: f65b15e499a669209962429243007bbdbbdaaeaa
+  data.tar.gz: 21f8abf07fbcb9ef6c7c55c75f78530b965c8815
+SHA512:
+  metadata.gz: 614dfcf2bb60ce0f183d20d3c23aa032f58b9b8e5b69bf6fa679c6bd3fd5a94625790099d327526fd7fe353f063fb95646bac1b71cae7ff9bc276005b49f244b
+  data.tar.gz: dc7c936e44505b66408eb91c9c19fa736cee2805c5a44e131547ba93382b6ffce0aaf11abe451e983d18b2642f1ce9ae502e9ba148b719627aa37c75d943417d

data/bin/git-cipher

@@ -0,0 +1,380 @@
+#!/usr/bin/env ruby
+# git-cipher -- encrypt/decrypt files
+
+require 'fileutils'
+require 'pathname'
+require 'shellwords'
+
+class Cipher
+  EXTENSION = 'encrypted'
+  DEFAULT_GPG_USER  = 'greg@hurrell.net'
+  DEFAULT_GPG_PRESET_COMMAND = '/usr/local/opt/gpg-agent/libexec/gpg-preset-passphrase'
+  VALID_OPTIONS = %w[force help]
+  VALID_SUBCOMMANDS = %w[decrypt encrypt help preset forget]
+
+  def run
+    send @subcommand
+  end
+
+private
+
+  def initialize
+    @subcommand, @options, @files = process_args
+
+    if @options.include?('help') || @subcommand == 'help'
+      usage(@subcommand)
+    end
+
+    @force = @options.include?('force')
+  end
+
+  def blue(string)
+    colorize(string, 34)
+  end
+
+  def check_ignored(path)
+    `#{escape command_path('git')} check-ignore -q #{escape path}`
+    puts "[warning: #{path} is not ignored]" unless $?.exitstatus.zero?
+  end
+
+  def colorize(string, color)
+    "\e[#{color}m#{string}\e[0m"
+  end
+
+  def command_name
+    @command_name ||= begin
+      if `ps -p #{Process.ppid.to_i}` =~ /\bgit cipher\b/
+        'git cipher'
+      else
+        File.basename(__FILE__)
+      end
+    rescue
+      File.basename(__FILE__)
+    end
+  end
+
+  def command_path(command)
+    path = `command -v #{escape command}`.chomp
+    die "required dependency #{command} not found" if path.empty?
+    path
+  end
+
+  def decrypt
+    if @files.empty?
+      puts 'No explicit paths supplied: decrypting all matching files'
+      Dir["**/.*.#{EXTENSION}"].each { |file| decrypt!(file) }
+    else
+      @files.each { |file| decrypt!(file) }
+    end
+  end
+
+  def decrypt!(file)
+    unless ENV['GPG_AGENT_INFO']
+      die <<-MSG
+        GPG_AGENT_INFO not present in the environment.
+        Try running:
+          eval $(gpg-agent --daemon)
+          #{command_name} preset
+      MSG
+    end
+
+    pathname = Pathname.new(file)
+    basename = pathname.basename.to_s
+    unless basename.start_with?('.')
+      die "#{file} does not begin with a period"
+    end
+
+    unless basename.end_with?(".#{EXTENSION}")
+      die "#{file} does not have an .#{EXTENSION} extension"
+    end
+
+    unless pathname.exist?
+      die "#{file} does not exist"
+    end
+
+    outfile = pathname.dirname + basename.gsub(
+      /\A\.|\.#{EXTENSION}\z/, ''
+    )
+
+    print "#{file} -> #{outfile} "
+
+    if FileUtils.uptodate?(outfile, [file]) && !@force
+      # decrypted is newer than encrypted; it might have local changes which we
+      # could blow away, so warn
+      puts red('[warning: plain-text newer than ciphertext; skipping]')
+    else
+      print green('[decrypting ...')
+      execute(%{
+        #{escape command_path('gpg')}
+          -q
+          --yes
+          --batch
+          --no-tty
+          --use-agent
+          -o #{escape outfile}
+          -d #{escape file}
+      })
+      if $?.success?
+        puts green(' done]')
+
+        File.chmod(0600, outfile)
+
+        # mark plain-text as older than ciphertext, this will prevent a
+        # bin/encrypt run from needlessly changing the contents of the ciphertext
+        # (as the encryption is non-deterministic)
+        time = File.mtime(file) - 1
+        File.utime(time, time, outfile)
+      else
+        print kill_line
+        puts red('[decrypting ... failed; bailing]')
+        exit $?.exitstatus
+      end
+
+      check_ignored(outfile)
+    end
+  end
+
+  def die(msg)
+    STDERR.puts red('error:'), strip_heredoc(msg)
+    exit 1
+  end
+
+  def encrypt
+    if @files.empty?
+      puts 'No explicit paths supplied: encrypting all matching files'
+      Dir["**/.*.#{EXTENSION}"].each do |file|
+        file = Pathname.new(file)
+        encrypt!(
+          file.dirname +
+          file.basename.to_s.gsub(/\A\.|\.#{EXTENSION}\z/, '')
+        )
+      end
+    else
+      @files.each { |file| encrypt!(Pathname.new(file)) }
+    end
+  end
+
+  def encrypt!(file)
+    unless file.exist?
+      die "#{file} does not exist"
+    end
+
+    outfile = file.dirname + ".#{file.basename}.#{EXTENSION}"
+
+    print "#{file} -> #{outfile} "
+    if FileUtils.uptodate?(outfile, [file]) && !@force
+      puts blue('[up to date]')
+    else
+      print green('[encrypting ...')
+      execute(%{
+        #{escape command_path('gpg')}
+          -a
+          -q
+          --batch
+          --no-tty
+          --yes
+          -r #{escape gpg_user}
+          -o #{escape outfile}
+          -e #{escape file}
+      })
+      if $?.success?
+        puts green(' done]')
+      else
+        print kill_line
+        puts red('[encrypting ... failed; bailing]')
+        exit $?.exitstatus
+      end
+    end
+
+    File.chmod(0600, file)
+    check_ignored(file)
+  end
+
+  def escape(string)
+    Shellwords.escape(string)
+  end
+
+  def execute(string)
+    %x{#{string.gsub("\n", ' ')}}
+  end
+
+  def forget
+    `#{escape command_path(gpg_preset_command)} --forget #{keygrip}`
+    die 'gpg-preset-passphrase failed' unless $?.success?
+  end
+
+  def get_config(key)
+    value = `#{escape command_path('git')} config cipher.#{key}`.chomp
+    return if value.empty?
+    value
+  end
+
+  def get_passphrase
+    stty = escape(command_path('stty'))
+    print 'Passphrase [will not be echoed]: '
+    `#{stty} -echo` # quick hack, cheaper than depending on highline gem
+    STDIN.gets.chomp
+  ensure
+    `#{stty} echo`
+    puts
+  end
+
+  def gpg_preset_command
+    ENV['GPG_PRESET_COMMAND'] || get_config('presetcommand') || DEFAULT_GPG_PRESET_COMMAND
+  end
+
+  def gpg_user
+    ENV['GPG_USER'] || get_config('gpguser') || DEFAULT_GPG_USER
+  end
+
+  def green(string)
+    colorize(string, 32)
+  end
+
+  def keygrip
+    # get the subkey fingerprint and convert it into a 40-char hex code
+    @keygrip ||= execute(%{
+      #{escape command_path('gpg')} --fingerprint #{escape gpg_user} |
+      grep fingerprint |
+      tail -1 |
+      cut -d= -f2 |
+      sed -e 's/ //g'
+    })
+  end
+
+  def kill_line
+    # 2K deletes the line, 0G moves to column 0
+    # see: http://en.wikipedia.org/wiki/ANSI_escape_code
+    "\e[2K\e[0G"
+  end
+
+  def normalize_option(option)
+    normal = option.dup
+
+    if normal.sub!(/\A--/, '') # long option
+      found = VALID_OPTIONS.find { |o| o == normal }
+    elsif normal.sub!(/\A-/, '') # short option
+      found = VALID_OPTIONS.find { |o| o[0] == normal }
+    end
+
+    die "unrecognized option: #{option}" if found.nil?
+
+    found
+  end
+
+  def preset
+    passphrase = get_passphrase
+    command = "#{escape command_path(gpg_preset_command)} --preset #{keygrip}"
+    IO.popen(command, 'w+') do |io|
+      io.puts passphrase
+      io.close_write
+      puts io.read # usually silent
+    end
+    die 'gpg-preset-passphrase failed' unless $?.success?
+  end
+
+  def process_args
+    options, files = ARGV.partition { |arg| arg.start_with?('-') }
+    subcommand = files.shift
+
+    options.map! { |option| normalize_option(option) }
+
+    unless VALID_SUBCOMMANDS.include?(subcommand)
+      if subcommand.nil?
+        message = 'no subcommand'
+      else
+        message = 'unrecognized subcommand'
+      end
+      die [message, "expected one of #{VALID_SUBCOMMANDS.inspect}"].join(': ')
+    end
+
+    [subcommand, options, files]
+  end
+
+  def red(string)
+    colorize(string, 31)
+  end
+
+  def strip_heredoc(doc)
+    # based on method of same name from Rails
+    indent = doc.scan(/^[ \t]*(?=\S)/).map(&:size).min || 0
+    doc.gsub(/^[ \t]{#{indent}}/, '')
+  end
+
+  # Print usage information and exit.
+  def usage(subcommand)
+    case subcommand
+    when 'decrypt'
+      puts strip_heredoc(<<-USAGE)
+        #{command_name} decrypt [-f|--force] [FILES...]
+
+        Decrypts files that have been encrypted for storage in version control
+
+            Decrypt two files, but only if the corresponding plain-text files
+            are missing or older:
+
+                #{command_name} decrypt .foo.encrypted .bar.encrypted
+
+            Decrypt all decryptable files:
+
+                #{command_name} decrypt
+
+            (Re-)decrypt all decryptable files, even those whose corresponding
+            plain-text files are newer:
+
+                #{command_name} decrypt -f
+                #{command_name} decrypt --force # (alternative syntax)
+      USAGE
+    when 'encrypt'
+      puts strip_heredoc(<<-USAGE)
+        #{command_name} encrypt [-f|--force] [FILES...]
+
+        Encrypts files for storage in version control
+
+            Encrypt two files, but only if the corresponding ciphertext files
+            are missing or older:
+
+                #{command_name} encrypt foo bar
+
+            Encrypt all encryptable files:
+
+                #{command_name} encrypt
+
+            (Re-)encrypt all encryptable files, even those whose corresponding
+            ciphertext files are newer:
+
+                #{command_name} encrypt -f
+                #{command_name} encrypt --force # (alternative syntax)
+      USAGE
+    when 'forget'
+      puts strip_heredoc(<<-USAGE)
+        #{command_name} forget
+
+          Forget passphrase previously stored using `#{command_name} preset`:
+
+              #{command_name} forget
+      USAGE
+    when 'preset'
+      puts strip_heredoc(<<-USAGE)
+        #{command_name} preset
+
+          Store a passphrase in a running `gpg-agent` agent:
+
+              #{command_name} preset
+      USAGE
+    else
+      puts strip_heredoc(<<-USAGE)
+        Available commands (invoke any with -h or --help for more info):
+
+            #{command_name} decrypt
+            #{command_name} encrypt
+            #{command_name} forget
+            #{command_name} preset
+      USAGE
+    end
+
+    exit
+  end
+end
+
+Cipher.new.run

metadata

@@ -0,0 +1,50 @@
+--- !ruby/object:Gem::Specification
+name: git-cipher
+version: !ruby/object:Gem::Version
+  version: '0.1'
+platform: ruby
+authors:
+- Greg Hurrell
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-03-31 00:00:00.000000000 Z
+dependencies: []
+description: "\n    Provides a convenient workflow for working with encrypted files
+  in a public\n    Git repo. Delegates the underlying work of encryption/decryption
+  to GnuPG.\n  "
+email:
+- greg@hurrell.net
+executables:
+- git-cipher
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/git-cipher
+homepage: https://github.com/wincent/git-cipher
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements:
+- Git
+- GnuPG
+rubyforge_project: 
+rubygems_version: 2.0.14
+signing_key: 
+specification_version: 4
+summary: Manages encrypted content in a Git repo
+test_files: []