git-cipher 1.0 → 1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 4c0501f05ef3eb618fc318e776e838a0919727fb
-  data.tar.gz: 2af67cbad13cae60e002fb333c8e9e863cdcf7b1
+SHA256:
+  metadata.gz: 7d5b65afd443605f7782cec24d66093e353ac155e6b4a1e90aac40da2b8cbfbd
+  data.tar.gz: ab7448447f5ccd3b6467190315e9597e082ae01880ffcdb4cd0e3542b37b0b3e
 SHA512:
-  metadata.gz: 05b0f6b6fcb1fabac7fb6250d84a90ee06a7382bf9f03830d9a769666075819d291b0bd0deb3706f71a3481797002e7f163f343111caa103a003516f7f05e98c
-  data.tar.gz: 1be1b9e1ae34640beab077d9f1a12fc7ed14a6c391ee94683ccf166f53fc02c3e8720c8f7a52a0b6096792e670a79f1b4419d5b97789ea4a6336aa2f9cf67e01
+  metadata.gz: 2dce18072bcee778726a04b35d2103552ba51c860b669428a7ce4c5f9c9c65e49866b6092f1d416b9b88b417a5d1c696be78d8f880b07e87ba71f2d75f0c6e8b
+  data.tar.gz: 91c20158875f8f66ebeb81924a8518f1df9265a1324dd8e9f8bf45ecb6d1787320194229c6e839525cbfc40b4fe622bc46a4e54403cbbb20d5264a8e2fb284fc

data/bin/git-cipher

@@ -8,11 +8,12 @@ require 'tempfile'
 
 class Cipher
   EXTENSION = 'encrypted'
-  DEFAULT_GPG_USER  = 'greg@hurrell.net'
+  DEFAULT_GPG_USERS  = 'greg@hurrell.net,wincent@github.com'
   EXECUTABLE_EXTENSIONS = %w[.js .sh]
   STATUS = {
-    'MISSING' => 0b01,
-    'MODIFIED' => 0b10,
+    'MISSING' => 0b001,
+    'MODIFIED' => 0b010,
+    'STALE' => 0b100,
   }
   VALID_OPTIONS = %w[force help]
   VALID_SUBCOMMANDS = %w[decrypt encrypt help log ls status]
@@ -38,8 +39,7 @@ private
   end
 
   def check_ignored(path)
-    `#{escape command_path('git')} check-ignore -q #{escape path}`
-    puts "[warning: #{path} is not ignored]" unless $?.exitstatus.zero?
+    puts "[warning: #{path} is not ignored]" unless is_ignored?(path)
   end
 
   def colorize(string, color)
@@ -59,7 +59,7 @@ private
   end
 
   def command_path(command)
-    path = `command -v #{escape command}`.chomp
+    path = `sh -c command\\ -v\\ #{escape command}`.chomp
     die "required dependency #{command} not found" if path.empty?
     path
   end
@@ -152,17 +152,21 @@ private
     if FileUtils.uptodate?(outfile, [file]) && !@force
       puts blue('[up to date]')
     else
+      recipients = gpg_users.
+        split(/\s*,\s*/).
+        map { |u| "--recipient #{escape u}"}.
+        join(' ')
       print green('[encrypting ...')
       execute(%{
         #{escape command_path('gpg')}
-          -a
-          -q
+          --armor
+          --quiet
           --batch
           --no-tty
           --yes
-          -r #{escape gpg_user}
-          -o #{escape outfile}
-          -e #{escape file}
+          #{recipients}
+          --output #{escape outfile}
+          --encrypt #{escape file}
       })
       if $?.success?
         puts green(' done]')
@@ -191,16 +195,6 @@ private
     value
   end
 
-  def get_passphrase
-    stty = escape(command_path('stty'))
-    print 'Passphrase [will not be echoed]: '
-    `#{stty} -echo` # quick hack, cheaper than depending on highline gem
-    STDIN.gets.chomp
-  ensure
-    `#{stty} echo`
-    puts
-  end
-
   def gpg_decrypt(file, outfile)
     execute(%{
       #{escape command_path('gpg')}
@@ -214,14 +208,19 @@ private
     })
   end
 
-  def gpg_user
-    ENV['GPG_USER'] || get_config('gpguser') || DEFAULT_GPG_USER
+  def gpg_users
+    ENV['GPG_USER'] || get_config('gpguser') || DEFAULT_GPG_USERS
   end
 
   def green(string)
     colorize(string, 32)
   end
 
+  def is_ignored?(path)
+    `#{escape command_path('git')} check-ignore -q #{escape path}`
+    return $?.exitstatus.zero?
+  end
+
   def kill_line
     # 2K deletes the line, 0G moves to column 0
     # see: http://en.wikipedia.org/wiki/ANSI_escape_code
@@ -230,37 +229,36 @@ private
 
   def log
     if @files.empty?
-      # TODO: would be nice to interleave these instead of doing them serially.
       puts 'No explicit paths supplied: logging all matching files'
-      matching.each { |file| log!(file) }
+      log!(nil)
     else
-      @files.each { |file| log!(file) }
+      log!(@files)
     end
   end
 
-  def log!(file)
-    commits = execute(%{
-      #{escape command_path('git')} log
-      --pretty=format:%H -- #{escape file}
-    }).split
-    suffix = "-#{File.basename(file)}"
+  def log!(files)
+    if files.nil?
+      commits = execute(%{
+        #{escape command_path('git')} log
+        --pretty=format:%H
+        --topo-order
+        -- **/.*.#{EXTENSION}
+      }).split
+    else
+      # Would use `--follow` here, but that only works with a single file and, more
+      # importantly, all encrypted files look like random noise, so `--follow`
+      # won't do anything useful; log will stop at first rename.
+      commits = execute(%{
+        #{escape command_path('git')} log
+        --pretty=format:%H
+        --topo-order
+        -- #{files.map { |f| escape(f) }.join(' ')}
+      }).split
+    end
 
     commits.each do |commit|
-      files = []
+      tempfiles = []
       begin
-        # Get plaintext "post" image.
-        files.push(post = temp_write(show(file, commit)))
-        files.push(
-          post_plaintext = temp_write(gpg_decrypt(post.path, '-'), suffix)
-        )
-
-        # Get plaintext "pre" image.
-        files.push(pre = temp_write(show(file, "#{commit}~")))
-        files.push(pre_plaintext = temp_write(
-          pre.size.zero? ? '' : gpg_decrypt(pre.path, '-'),
-          suffix
-        ))
-
         # Print commit message.
         puts execute(%{
           #{escape command_path('git')} --no-pager log
@@ -268,17 +266,37 @@ private
         })
         puts
 
-        # Print pre-to-post diff.
-        puts execute(%{
-          #{escape command_path('git')} --no-pager diff
-          --color=always
-          #{escape pre_plaintext.path}
-          #{escape post_plaintext.path}
-        })
+        # See which files changed in this commit.
+        changed = wc(commit, files).split("\0")
+
+        changed.each do |file|
+          suffix = "-#{File.basename(file)}"
+
+          # Get plaintext "post" image.
+          tempfiles.push(post = temp_write(show(file, commit)))
+          tempfiles.push(post_plaintext = temp_write(
+            post.size.zero? ? '' : gpg_decrypt(post.path, '-'),
+            suffix
+          ))
+
+          # Get plaintext "pre" image.
+          tempfiles.push(pre = temp_write(show(file, "#{commit}~")))
+          tempfiles.push(pre_plaintext = temp_write(
+            pre.size.zero? ? '' : gpg_decrypt(pre.path, '-'),
+            suffix
+          ))
+
+          # Print pre-to-post diff.
+          puts execute(%{
+            #{escape command_path('git')} --no-pager diff
+            --color=always
+            #{escape pre_plaintext.path}
+            #{escape post_plaintext.path}
+          })
+        end
         puts
-
       ensure
-        files.each do |tempfile|
+        tempfiles.each do |tempfile|
           tempfile.close
           tempfile.unlink
         end
@@ -304,7 +322,13 @@ private
           description = yellow('[MODIFIED]')
           exitstatus |= STATUS['MODIFIED']
         else
-          description = green('[OK]')
+          if (File.mtime(file) - File.mtime(outfile)) > 5
+            # Plain-text is signficantly older than ciphertext.
+            description = yellow('[STALE]')
+            exitstatus |= STATUS['STALE']
+          else
+            description = green('[OK]')
+          end
         end
       else
         description = red('[MISSING]')
@@ -316,7 +340,9 @@ private
   end
 
   def matching
-    Dir.glob("**/*.#{EXTENSION}", File::FNM_DOTMATCH)
+    Dir.glob("**/*.#{EXTENSION}", File::FNM_DOTMATCH).reject do |candidate|
+      is_ignored?(candidate)
+    end
   end
 
   # Determine the appropriate mode for the given decrypted plaintext
@@ -455,9 +481,10 @@ private
           Shows the status of encrypted files in the current directory and
           its subdirectories.
 
-          Exits with status #{STATUS['MISSING']} if any decrypted file is missing.
-          Exits with status #{STATUS['MODIFIED']} if any decrypted file is modified.
-          Exits with status #{STATUS['MISSING'] | STATUS['MODIFIED']} if both of the above apply.
+          Exits with status #{STATUS['MISSING']} if any decrypted file is missing (eg. "MISSING").
+          Exits with status #{STATUS['MODIFIED']} if any decrypted file has modifications (eg. "MODIFIED").
+          Exits with status #{STATUS['STALE']} if any encrypted file has modifications (eg. "STALE").
+          When multiple conditions apply, they are OR-ed together to produce a status code.
       USAGE
     else
       puts strip_heredoc(<<-USAGE)
@@ -474,6 +501,21 @@ private
     exit
   end
 
+  # Show which files (out of `files`) changed in `commit`.
+  def wc(commit, files)
+    if files.nil?
+      execute(%{
+        #{escape command_path('git')} show --name-only --pretty=format: -z #{commit} --
+        **/.*.#{EXTENSION}
+      })
+    else
+      execute(%{
+        #{escape command_path('git')} show --name-only --pretty=format: -z #{commit} --
+        #{files.map { |f| escape(f) }.join(' ')}
+      })
+    end
+  end
+
   def yellow(string)
     colorize(string, 33)
   end

data/bin/git-cipher1

@@ -0,0 +1,524 @@
+#!/usr/bin/env ruby
+# git-cipher -- encrypt/decrypt files
+
+require 'fileutils'
+require 'pathname'
+require 'shellwords'
+require 'tempfile'
+
+class Cipher
+  EXTENSION = 'encrypted'
+  DEFAULT_GPG_USERS  = 'greg@hurrell.net,wincent@github.com'
+  EXECUTABLE_EXTENSIONS = %w[.js .sh]
+  STATUS = {
+    'MISSING' => 0b001,
+    'MODIFIED' => 0b010,
+    'STALE' => 0b100,
+  }
+  VALID_OPTIONS = %w[force help]
+  VALID_SUBCOMMANDS = %w[decrypt encrypt help log ls status]
+
+  def run
+    send @subcommand
+  end
+
+private
+
+  def initialize
+    @subcommand, @options, @files = process_args
+
+    if @options.include?('help') || @subcommand == 'help'
+      usage(@subcommand)
+    end
+
+    @force = @options.include?('force')
+  end
+
+  def blue(string)
+    colorize(string, 34)
+  end
+
+  def check_ignored(path)
+    puts "[warning: #{path} is not ignored]" unless is_ignored?(path)
+  end
+
+  def colorize(string, color)
+    "\e[#{color}m#{string}\e[0m"
+  end
+
+  def command_name
+    @command_name ||= begin
+      if `ps -p #{Process.ppid.to_i}` =~ /\bgit cipher\b/
+        'git cipher'
+      else
+        File.basename(__FILE__)
+      end
+    rescue
+      File.basename(__FILE__)
+    end
+  end
+
+  def command_path(command)
+    path = `sh -c command\\ -v\\ #{escape command}`.chomp
+    die "required dependency #{command} not found" if path.empty?
+    path
+  end
+
+  def decrypt
+    if @files.empty?
+      puts 'No explicit paths supplied: decrypting all matching files'
+      matching.each { |file| decrypt!(file) }
+    else
+      @files.each { |file| decrypt!(file) }
+    end
+  end
+
+  def decrypt!(file)
+    pathname = Pathname.new(file)
+    basename = pathname.basename.to_s
+    unless basename.start_with?('.')
+      die "#{file} does not begin with a period"
+    end
+
+    unless basename.end_with?(".#{EXTENSION}")
+      die "#{file} does not have an .#{EXTENSION} extension"
+    end
+
+    unless pathname.exist?
+      die "#{file} does not exist"
+    end
+
+    outfile = pathname.dirname + basename.gsub(
+      /\A\.|\.#{EXTENSION}\z/, ''
+    )
+
+    print "#{file} -> #{outfile} "
+
+    if FileUtils.uptodate?(outfile, [file]) && !@force
+      # decrypted is newer than encrypted; it might have local changes which we
+      # could blow away, so warn
+      puts red('[warning: plain-text newer than ciphertext; skipping]')
+    else
+      print green('[decrypting ...')
+      gpg_decrypt(file, outfile)
+      if $?.success?
+        puts green(' done]')
+
+        File.chmod(mode(outfile), outfile)
+
+        # Mark plain-text as older than ciphertext, this will prevent a
+        # bin/encrypt run from needlessly changing the contents of the ciphertext
+        # (as the encryption is non-deterministic).
+        time = File.mtime(file) - 1
+        File.utime(time, time, outfile)
+      else
+        print kill_line
+        puts red('[decrypting ... failed; bailing]')
+        exit $?.exitstatus
+      end
+
+      check_ignored(outfile)
+    end
+  end
+
+  def die(msg)
+    STDERR.puts red('error:'), strip_heredoc(msg)
+    exit 1
+  end
+
+  def encrypt
+    if @files.empty?
+      puts 'No explicit paths supplied: encrypting all matching files'
+      matching.each do |file|
+        file = Pathname.new(file)
+        encrypt!(
+          file.dirname +
+          file.basename.to_s.gsub(/\A\.|\.#{EXTENSION}\z/, '')
+        )
+      end
+    else
+      @files.each { |file| encrypt!(Pathname.new(file)) }
+    end
+  end
+
+  def encrypt!(file)
+    unless file.exist?
+      die "#{file} does not exist"
+    end
+
+    outfile = file.dirname + ".#{file.basename}.#{EXTENSION}"
+
+    print "#{file} -> #{outfile} "
+    if FileUtils.uptodate?(outfile, [file]) && !@force
+      puts blue('[up to date]')
+    else
+      recipients = gpg_users.
+        split(/\s*,\s*/).
+        map { |u| "--recipient #{escape u}"}.
+        join(' ')
+      print green('[encrypting ...')
+      execute(%{
+        #{escape command_path('gpg')}
+          --armor
+          --quiet
+          --batch
+          --no-tty
+          --yes
+          #{recipients}
+          --output #{escape outfile}
+          --encrypt #{escape file}
+      })
+      if $?.success?
+        puts green(' done]')
+      else
+        print kill_line
+        puts red('[encrypting ... failed; bailing]')
+        exit $?.exitstatus
+      end
+    end
+
+    File.chmod(mode(file), file)
+    check_ignored(file)
+  end
+
+  def escape(string)
+    Shellwords.escape(string)
+  end
+
+  def execute(string)
+    %x{#{string.gsub("\n", ' ')}}
+  end
+
+  def get_config(key)
+    value = `#{escape command_path('git')} config cipher.#{key}`.chomp
+    return if value.empty?
+    value
+  end
+
+  def gpg_decrypt(file, outfile)
+    execute(%{
+      #{escape command_path('gpg')}
+        -q
+        --yes
+        --batch
+        --no-tty
+        --use-agent
+        -o #{escape outfile}
+        -d #{escape file}
+    })
+  end
+
+  def gpg_users
+    ENV['GPG_USER'] || get_config('gpguser') || DEFAULT_GPG_USERS
+  end
+
+  def green(string)
+    colorize(string, 32)
+  end
+
+  def is_ignored?(path)
+    `#{escape command_path('git')} check-ignore -q #{escape path}`
+    return $?.exitstatus.zero?
+  end
+
+  def kill_line
+    # 2K deletes the line, 0G moves to column 0
+    # see: http://en.wikipedia.org/wiki/ANSI_escape_code
+    "\e[2K\e[0G"
+  end
+
+  def log
+    if @files.empty?
+      puts 'No explicit paths supplied: logging all matching files'
+      log!(nil)
+    else
+      log!(@files)
+    end
+  end
+
+  def log!(files)
+    if files.nil?
+      commits = execute(%{
+        #{escape command_path('git')} log
+        --pretty=format:%H
+        --topo-order
+        -- **/.*.#{EXTENSION}
+      }).split
+    else
+      # Would use `--follow` here, but that only works with a single file and, more
+      # importantly, all encrypted files look like random noise, so `--follow`
+      # won't do anything useful; log will stop at first rename.
+      commits = execute(%{
+        #{escape command_path('git')} log
+        --pretty=format:%H
+        --topo-order
+        -- #{files.map { |f| escape(f) }.join(' ')}
+      }).split
+    end
+
+    commits.each do |commit|
+      tempfiles = []
+      begin
+        # Print commit message.
+        puts execute(%{
+          #{escape command_path('git')} --no-pager log
+          --color=always -1 #{commit}
+        })
+        puts
+
+        # See which files changed in this commit.
+        changed = wc(commit, files).split("\0")
+
+        changed.each do |file|
+          suffix = "-#{File.basename(file)}"
+
+          # Get plaintext "post" image.
+          tempfiles.push(post = temp_write(show(file, commit)))
+          tempfiles.push(post_plaintext = temp_write(
+            post.size.zero? ? '' : gpg_decrypt(post.path, '-'),
+            suffix
+          ))
+
+          # Get plaintext "pre" image.
+          tempfiles.push(pre = temp_write(show(file, "#{commit}~")))
+          tempfiles.push(pre_plaintext = temp_write(
+            pre.size.zero? ? '' : gpg_decrypt(pre.path, '-'),
+            suffix
+          ))
+
+          # Print pre-to-post diff.
+          puts execute(%{
+            #{escape command_path('git')} --no-pager diff
+            --color=always
+            #{escape pre_plaintext.path}
+            #{escape post_plaintext.path}
+          })
+        end
+        puts
+      ensure
+        tempfiles.each do |tempfile|
+          tempfile.close
+          tempfile.unlink
+        end
+      end
+    end
+  end
+
+  def ls
+    matching.each { |file| puts file }
+  end
+
+  def status
+    exitstatus = 0
+    matching.each do |file|
+      pathname = Pathname.new(file)
+      basename = pathname.basename.to_s
+      outfile = pathname.dirname + basename.gsub(
+        /\A\.|\.#{EXTENSION}\z/, ''
+      )
+      if outfile.exist?
+        if FileUtils.uptodate?(outfile, [file])
+          # Plain-text is newer than ciphertext.
+          description = yellow('[MODIFIED]')
+          exitstatus |= STATUS['MODIFIED']
+        else
+          if (File.mtime(file) - File.mtime(outfile)) > 5
+            # Plain-text is signficantly older than ciphertext.
+            description = yellow('[STALE]')
+            exitstatus |= STATUS['STALE']
+          else
+            description = green('[OK]')
+          end
+        end
+      else
+        description = red('[MISSING]')
+        exitstatus |= STATUS['MISSING']
+      end
+      puts "#{file}: #{description}"
+    end
+    exit exitstatus
+  end
+
+  def matching
+    Dir.glob("**/*.#{EXTENSION}", File::FNM_DOTMATCH).reject do |candidate|
+      is_ignored?(candidate)
+    end
+  end
+
+  # Determine the appropriate mode for the given decrypted plaintext
+  # `file` based on its file extension.
+  def mode(file)
+    if EXECUTABLE_EXTENSIONS.include?(Pathname.new(file).extname)
+      0700
+    else
+      0600
+    end
+  end
+
+  def normalize_option(option)
+    normal = option.dup
+
+    if normal.sub!(/\A--/, '') # long option
+      found = VALID_OPTIONS.find { |o| o == normal }
+    elsif normal.sub!(/\A-/, '') # short option
+      found = VALID_OPTIONS.find { |o| o[0] == normal }
+    end
+
+    die "unrecognized option: #{option}" if found.nil?
+
+    found
+  end
+
+  def process_args
+    options, files = ARGV.partition { |arg| arg.start_with?('-') }
+    subcommand = files.shift
+
+    options.map! { |option| normalize_option(option) }
+
+    unless VALID_SUBCOMMANDS.include?(subcommand)
+      if subcommand.nil?
+        message = 'no subcommand'
+      else
+        message = 'unrecognized subcommand'
+      end
+      die [message, "expected one of #{VALID_SUBCOMMANDS.inspect}"].join(': ')
+    end
+
+    [subcommand, options, files]
+  end
+
+  def red(string)
+    colorize(string, 31)
+  end
+
+  def show(file, commit)
+    # Redirect stderr to /dev/null because the file might not have existed prior
+    # to this commit.
+    execute(%{
+      #{escape command_path('git')} show
+      #{commit}:#{escape file} 2> /dev/null
+    })
+  end
+
+  def strip_heredoc(doc)
+    # based on method of same name from Rails
+    indent = doc.scan(/^[ \t]*(?=\S)/).map(&:size).min || 0
+    doc.gsub(/^[ \t]{#{indent}}/, '')
+  end
+
+  def temp_write(contents, suffix = '')
+    file = Tempfile.new(['git-cipher-', suffix])
+    file.write(contents)
+    file.flush
+    file
+  end
+
+  # Print usage information and exit.
+  def usage(subcommand)
+    case subcommand
+    when 'decrypt'
+      puts strip_heredoc(<<-USAGE)
+        #{command_name} decrypt [-f|--force] [FILES...]
+
+        Decrypts files that have been encrypted for storage in version control
+
+            Decrypt two files, but only if the corresponding plain-text files
+            are missing or older:
+
+                #{command_name} decrypt .foo.encrypted .bar.encrypted
+
+            Decrypt all decryptable files:
+
+                #{command_name} decrypt
+
+            (Re-)decrypt all decryptable files, even those whose corresponding
+            plain-text files are newer:
+
+                #{command_name} decrypt -f
+                #{command_name} decrypt --force # (alternative syntax)
+      USAGE
+    when 'encrypt'
+      puts strip_heredoc(<<-USAGE)
+        #{command_name} encrypt [-f|--force] [FILES...]
+
+        Encrypts files for storage in version control
+
+            Encrypt two files, but only if the corresponding ciphertext files
+            are missing or older:
+
+                #{command_name} encrypt foo bar
+
+            Encrypt all encryptable files:
+
+                #{command_name} encrypt
+
+            (Re-)encrypt all encryptable files, even those whose corresponding
+            ciphertext files are newer:
+
+                #{command_name} encrypt -f
+                #{command_name} encrypt --force # (alternative syntax)
+      USAGE
+    when 'log'
+      puts strip_heredoc(<<-USAGE)
+        #{command_name} log FILE
+
+          Shows the log message and decrypted diff for FILE
+          (analogous to `git log -p -- FILE`).
+
+              #{command_name} log foo
+      USAGE
+    when 'ls'
+      puts strip_heredoc(<<-USAGE)
+        #{command_name} ls
+
+          Lists the encrypted files in the current directory and
+          its subdirectories.
+      USAGE
+    when 'status'
+      puts strip_heredoc(<<-USAGE)
+        #{command_name} status
+
+          Shows the status of encrypted files in the current directory and
+          its subdirectories.
+
+          Exits with status #{STATUS['MISSING']} if any decrypted file is missing (eg. "MISSING").
+          Exits with status #{STATUS['MODIFIED']} if any decrypted file has modifications (eg. "MODIFIED").
+          Exits with status #{STATUS['STALE']} if any encrypted file has modifications (eg. "STALE").
+          When multiple conditions apply, they are OR-ed together to produce a status code.
+      USAGE
+    else
+      puts strip_heredoc(<<-USAGE)
+        Available commands (invoke any with -h or --help for more info):
+
+            #{command_name} decrypt
+            #{command_name} encrypt
+            #{command_name} log
+            #{command_name} ls
+            #{command_name} status
+      USAGE
+    end
+
+    exit
+  end
+
+  # Show which files (out of `files`) changed in `commit`.
+  def wc(commit, files)
+    if files.nil?
+      execute(%{
+        #{escape command_path('git')} show --name-only --pretty=format: -z #{commit} --
+        **/.*.#{EXTENSION}
+      })
+    else
+      execute(%{
+        #{escape command_path('git')} show --name-only --pretty=format: -z #{commit} --
+        #{files.map { |f| escape(f) }.join(' ')}
+      })
+    end
+  end
+
+  def yellow(string)
+    colorize(string, 33)
+  end
+end
+
+Cipher.new.run

data/bin/git-cipher2

@@ -0,0 +1,196 @@
+#!/usr/bin/env ruby
+
+# TODO: in readme, note threat model and how this is "rolling your own crypto"
+# even though you might not think that "using openssl" is "rolling your own
+# crypto"; therefore this is for protecting LOW VALUE secrets (eg. hostnames in
+# an ssh config file, not cryptocurrency secret keys)
+#
+# TODO: think about how dotfiles work. in absence of key, plaintext file is
+# absent, so we know not to install it... with clean/smudge filters, file is
+# always present, so we need another way of deciding whether or not to install
+# (may need a header line or stash the whole thing in JSON)
+# given that we're going to do encrypt-then-mac, maybe the trailer can be the
+# signal? ie. we'll have something like:
+#
+# U2FsdGVkX1/wDfrOAAAAAJyY66rhru4B0gIY0axns4oLgCEN2Og73UvGzFfCzs8a
+# H/NRK/4MhpbXNhvoVg/Is5UgrZqtMKs96UoAOtYtzTJweByMhFjaTpyK9Dtz7ctc
+# ...
+# UqEPjxtbf4LeUHofwbIXvVzMNqdWrjvpV1wUkaOcHdeDUwUMzcPmct7ZpjEPcSDW
+# nPfzqyYDoxyT9waSKbYlBQ==
+# HMAC-SHA256(/etc/passwd)= 0c967cc4b8b040dc7c4185f03247bfbeaa7403f626f8fd9c88cec0d3de86ce95
+#
+# TODO: links
+# https://stackoverflow.com/questions/16056135/how-to-use-openssl-to-encrypt-decrypt-files/31552829
+# https://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pbkdf2-sha256/3993
+# https://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html
+# > Encrypt-and-MAC: The ciphertext is generated by encrypting the plaintext and then appending a MAC of the plaintext. This is approximately how SSH works.
+# > MAC-then-encrypt: The ciphertext is generated by appending a MAC to the plaintext and then encrypting everything. This is approximately how SSL works.
+# > Encrypt-then-MAC: The ciphertext is generated by encrypting the plaintext and then appending a MAC of the encrypted plaintext. This is approximately how IPSEC works.
+# https://crypto.stackexchange.com/questions/202/should-we-mac-then-encrypt-or-encrypt-then-mac
+#
+# TODO: prior art
+# https://github.com/AGWA/git-crypt
+# https://github.com/StackExchange/blackbox#how-is-the-encryption-done
+# https://github.com/elasticdog/transcrypt
+# https://github.com/sobolevn/git-secret
+# (by no means an exhaustive list... there are so many of them...)
+class Cipher
+  VALID_SUBCOMMANDS = %w[
+    add
+    help
+    init
+    list
+    log
+    ls
+    register
+    remove
+    rm
+    status
+    unregister
+  ]
+
+  def run
+  end
+
+private
+
+  def initialize
+    @subcommand, @options, @files = process_args
+  end
+
+  def colorize(string, color)
+    "\e[#{color}m#{string}\e[0m"
+  end
+
+  def die(message)
+    STDERR.puts red('error:'), dedent(message)
+    exit 1
+  end
+
+  # TODO need to do encrypt-then-mac https://stackoverflow.com/a/22958889/2103996
+  def encrypt
+    ENV['ENC_PASS'] = 'encryption pass'
+    # note -S must be hex digits
+    # can do cipher instead of enc -e cipher
+    # eg. `openssl aes-256-cbc` instead of `openssl enc -e -aes-256-cbc`
+    # -pass stdin could also work
+    # openssl enc -e cipher -md sha1 -pass env:ENC_PASS -S $salt -in $infile | xxd -p
+    # openssl enc -e cipher -md sha1 -pass env:ENC_PASS -S $salt -in $infile | openssl base64
+    # openssl enc -e cipher -base64 -md sha1 -pass env:ENC_PASS -S $salt -in $infile
+    #
+    # only concern here is that iv won't be random as it comes from pass?
+    # -P will print out the deets here; this shows that when you call with same
+    # salt and pass, you get same key and same iv
+    # when you alter the pass, you get a different key and iv
+    # when you alter the salt, you get a different key and iv
+    #
+    # $ openssl enc -e -aes-256-cbc -base64 -md sha1 -pass pass:secret -S f00dface -in /etc/passwd -P
+    # salt=F00DFACE00000000
+    # key=2CB12DA63001EA3474724000D66FE00ACE073DE41364108ADFE84095280693B9
+    # iv =A18D6BA58FD1916C40E2AB674F575360
+    # $ openssl enc -e -aes-256-cbc -base64 -md sha1 -pass pass:secret -S f00dface -in /etc/passwd -P
+    # salt=F00DFACE00000000
+    # key=2CB12DA63001EA3474724000D66FE00ACE073DE41364108ADFE84095280693B9
+    # iv =A18D6BA58FD1916C40E2AB674F575360
+    # $ openssl enc -e -aes-256-cbc -base64 -md sha1 -pass pass:secret2 -S f00dface -in /etc/passwd -P
+    # salt=F00DFACE00000000
+    # key=AED814B111F3732FBEA095B1E66F2958D3D92E4C00A3ABBCB7FD260515C44E92
+    # iv =D9D9F867C730925ED0C8CA8252CAF5C2
+    # $ openssl enc -e -aes-256-cbc -base64 -md sha1 -pass pass:secret2 -S f00dfacef -in /etc/passwd -P
+    # salt=F00DFACEF0000000
+    # key=04227E47F87C2E8876714976EA5A69B58CB36CD5404D4F60271411EDD2BD076D
+    # iv =A7F83B902B5CA76A8B04AF5652C3B799
+    #
+    # using stronger (slower) key derivation with -pbkdf2 -iter 20000
+    # openssl enc -e -aes-256-cbc -base64 -pbkdf2 -iter 20000 -pass pass:secret -S f00dface -in /etc/passwd -P
+    # (doesn't work on macOS version of openssl; testing on linux two times in a row we get)
+    # `openssl version` on linux prints: OpenSSL 1.1.1q  5 Jul 2022
+    # `openssl version` on macOS prints: LibreSSL 2.8.3
+    # install openssl on macOS is probably not a good idea: https://stackoverflow.com/questions/22795471/utilizing-pbkdf2-with-openssl-library
+    #
+    # hex string is too short, padding with zero bytes to length
+    # salt=F00DFACE00000000
+    # key=D661D07A0672957F64646190C7BF8E6FAEA13C97830E7C036B6C978CD6C89FC7
+    # iv =82BD1988A8E0F4D3E48C40AB366D4174
+    #
+    # hex string is too short, padding with zero bytes to length
+    # salt=F00DFACE00000000
+    # key=D661D07A0672957F64646190C7BF8E6FAEA13C97830E7C036B6C978CD6C89FC7
+    # iv =82BD1988A8E0F4D3E48C40AB366D4174
+    #
+    # (ie. is consistent across runs at least)
+    #
+    # is using sha1 for key derivation a problem? https://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pbkdf2-sha256/3993
+    # probably not, because we're not using a user-supplied password; we're using an extremely high entropy long password
+    #
+    # $ openssl enc -e -aes-256-cbc -base64 -md sha1 -pass pass:extremely_long_secret_that_will_actually_be_total_gibberish_we_can_even_pipe_in_binary_crap_to_std_in -S f00dface -in /etc/passwd -P
+    # salt=F00DFACE00000000
+    # key=191531DB1684CFE9D15FBCC1F9D6E7A384E4EC08CDA22B596D6AF83F32113720
+    # iv =738D9C01A176CF97B90F48466188C5FA
+    #
+    # note we can use -md sha256 and that works on macOS and Linux
+    # cf node: https://stackoverflow.com/questions/12219499/whats-wrong-with-nodejs-crypto-decipher
+    # that says i can avoid the salt being prepended... interesting... -nosalt
+    # it is not documented in the linux openssl manpage (see `man enc` instead), but it works in both places and
+    # produces the same results, byte for byte
+    # macOS manpage says:
+    # > This option should never be used since it makes it possible to perform
+    # > efficient dictionary attacks on the password and to attack stream cipher
+    # > encrypted data.
+    # linux:
+    # > Don't use a salt in the key derivation routines. This option SHOULD NOT
+    # > be used except for test purposes or compatibility with ancient versions of
+    # > OpenSSL.
+
+
+
+  end
+
+  # need something random (salt) as input into cbc mode to make it secure
+  # we can't literally use something like this, because git-cipher **does not use passwords**
+  # we need to use GPG to read password, _then_ blah...
+  #
+  # note that salt string must be hex, 16 digits long (if shorter, it gets
+  # padded, if longer, we get an error); equivalent to 64 bits
+  #
+  # note that salt is derived from filename + password (from GPG) + file contents
+  # which means two files can have same contents and will get different salt
+  # and any time file changes, it gets a new salt
+  def salt
+    # $key = "$filename:$password"
+    # echo hello | openssl dgst -hmac $key -sha256
+    # prints: 8e384ff349a3d90f2c7837b0d76de8f81c6e85b390ed38905f521ae77cb9a29a
+    # or:          openssl dgst -hmac $key -sha256 $infile
+    # prints: HMAC-SHA256($infile)= 0c967cc4b8b040dc7c4185f03247bfbeaa7403f626f8fd9c88cec0d3de86ce95
+  end
+
+  def process_args
+    options, files = ARGV.partition { |arg| arg.start_with?('-') }
+    subcommand = files.shift
+
+    unless VALID_SUBCOMMANDS.include?(subcommand)
+      if subcommand.nil?
+        message = 'no subcommand'
+      else
+        message = "unrecognized subcommand #{subcommand.inspect}"
+      end
+      die [message, "expected one of #{VALID_SUBCOMMANDS.inspect}"].join(': ')
+    end
+
+    [subcommand, options, files]
+  end
+
+  def red(string)
+    colorize(string, 31)
+  end
+
+  # Based on the strip_heredoc method in Rails.
+  #
+  # See: https://apidock.com/rails/String/strip_heredoc
+  def dedent(doc)
+    indent = doc.scan(/^[ \t]*(?=\S)/).map(&:size).min || 0
+    doc.gsub(/^[ \t]{#{indent}}/, '')
+  end
+end
+
+Cipher.new.run

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: git-cipher
 version: !ruby/object:Gem::Version
-  version: '1.0'
+  version: '1.1'
 platform: ruby
 authors:
 - Greg Hurrell
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-01-16 00:00:00.000000000 Z
+date: 2022-08-02 00:00:00.000000000 Z
 dependencies: []
 description: "\n    Provides a convenient workflow for working with encrypted files
   in a public\n    Git repo. Delegates the underlying work of encryption/decryption
@@ -21,11 +21,13 @@ extensions: []
 extra_rdoc_files: []
 files:
 - bin/git-cipher
+- bin/git-cipher1
+- bin/git-cipher2
 homepage: https://github.com/wincent/git-cipher
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -42,9 +44,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
 - Git
 - GnuPG
-rubyforge_project: 
-rubygems_version: 2.5.2.3
-signing_key: 
+rubygems_version: 3.3.15
+signing_key:
 specification_version: 4
 summary: Manages encrypted content in a Git repo
 test_files: []