Merge branch 'main' into multiple-passphrases-in-one-repo

# By James Murty (18) and others # Via GitHub (1) and James Murty (1) * main: (26 commits) Centralise load and save of password into functions #141 Fix date of 2.2.0 release Ensure tests use "main" as default branch name #143 Use OpenSSL for B64 encoding not `base64` which differs between Linux and Mac #140 Use core attributesFile from worktree (#137) Document `xxd` requirement, and make optional with OpenSSL < 3 (#138) Prepare for 2.2.0 release Fix when using OpenSSL 3 which no longer embeds salt in output (#135) Consolidate all git operation scripts into a single transcrypt script Fix handling of small files and files with null in first 8 bytes (#116) Improve command hint to fix secret files not encrypted in index (#120) (#130) Remove Ubuntu 16.04 LTS from test matrix (#123) Configure default Git branch name for macOS tests in GitHub Handle rename of primary branch from "master" to "main" Ensure Git index is up-to-date before dirty repo check #37 (#109) Fix incorrect salt when partially staged files are commited (#119) Use shorthand for grep options for broader compatibility (#121) Let user set a custom path to openssl #108 Install entire transcrypt script into repository Change version to indicate development "pre-release" status ... # Conflicts: # README.md # tests/_test_helper.bash # tests/test_cleanup.bats # tests/test_crypt.bats # tests/test_init.bats # tests/test_not_inited.bats # transcrypt
elasticdog · Oct 15, 2022 · 30a8faf · 30a8faf
2 parents eaf594c + 93f9d4c
commit 30a8faf
Show file tree

Hide file tree

Showing 19 changed files with 955 additions and 704 deletions.
diff --git a/.github/workflows/run-bats-core-tests.yml b/.github/workflows/run-bats-core-tests.yml
@@ -1,12 +1,12 @@
 name: Tests
 
 on:
-  # Only run tests on push to master branch
+  # Only run tests on push to main branch
   push:
-    branches: [master]
-  # Run tests for all pull request changes targeting master
+    branches: [main]
+  # Run tests for all pull request changes targeting main
   pull_request:
-    branches: [master]
+    branches: [main]
 
 jobs:
 
@@ -28,15 +28,25 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ubuntu-16.04, ubuntu-18.04, ubuntu-20.04, macos-latest]
+        os: [ubuntu-18.04, ubuntu-20.04, ubuntu-22.04, macos-latest]
 
     steps:
     # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
     - uses: actions/checkout@v2
 
+    - name: Print bash version
+      run: bash --version
+
     - name: Print OpenSSL version
       run: openssl version
 
+    - name: Print Git version
+      run: git version
+
+    # Configure default Git branch name to suppress hint warnings
+    - name: Configure default Git branch to "main"
+      run: git config --global init.defaultBranch main
+
     - name: Install and set up bats-core
       run: |
         git clone https://github.com/bats-core/bats-core.git /tmp/bats-core-repo

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,7 +8,36 @@ The format is based on [Keep a Changelog][1], and this project adheres to
 [1]: https://keepachangelog.com/en/1.0.0/
 [2]: https://semver.org/spec/v2.0.0.html
 
-## [Unreleased]
+## [2.2.0] - 2022-07-09
+
+### Added
+
+- Add `--set-openssl-path` option to configure transcrypt to use a specific
+  openssl version instead of the default version found in `$PATH`. This will be
+  most useful to macOS users who might want to use a newer version of OpenSSL.
+  This option can be used on init, on upgrade, or by itself.
+- Add support for an optional `transcrypt.crypt-dir` setting for advanced users
+  to override the path of the _.git/crypt/_ directory to permit things like
+  installing transcrypt in a repository on a device without execute
+  permissions (#104)
+
+### Changed
+
+- No longer need stand-alone scripts for git operations `clean`, `smudge`,
+  `textconv`, and `merge` in the repository's _crypt/_ directory; the single
+  consolidated `transcrypt` script is stored there instead.
+
+### Fixed
+
+- Remain compatible with OpenSSL versions 3 and above which changes the way
+  explicit salt values are expressed in ciphertext, requires `xxd` command (#133)
+- Ensure Git index is up-to-date before checking for dirty repo, to avoid
+  failures seen in CI systems where the repo seems dirty when it isn't. (#37)
+- Respect Git `core.hooksPath` setting when installing the pre-commit hook. (#104)
+- Zsh completion. (#107)
+- Fix salt generation for partial (patch) commits (#118)
+- Improve command hint to fix secret files not encrypted in index (#120)
+- Fix handling of files with null in first 8 bytes (#116)
 
 ## [2.1.0] - 2020-09-07
 
@@ -208,7 +237,8 @@ Since the v0.9.7 release, these are the notable improvements made to transcrypt:
 
 ## [0.9.4] - 2014-03-03
 
-[unreleased]: https://github.com/elasticdog/transcrypt/compare/v2.1.0...HEAD
+[unreleased]: https://github.com/elasticdog/transcrypt/compare/v2.2.0...HEAD
+[2.2.0]: https://github.com/elasticdog/transcrypt/compare/v2.1.0...v2.2.0
 [2.1.0]: https://github.com/elasticdog/transcrypt/compare/v2.0.0...v2.1.0
 [2.0.0]: https://github.com/elasticdog/transcrypt/compare/v1.1.0...v2.0.0
 [1.1.0]: https://github.com/elasticdog/transcrypt/compare/v1.0.3...v1.1.0

diff --git a/INSTALL.md b/INSTALL.md
@@ -1,16 +1,21 @@
-Install transcrypt
-==================
+# Install transcrypt
 
 The requirements to run transcrypt are minimal:
 
-* Bash
-* Git
-* OpenSSL
+- Bash
+- Git
+- OpenSSL
+- `column` command (on Ubuntu/Debian install `bsdmainutils`)
+- `xxd` command if using OpenSSL version 3
+  (on Ubuntu/Debian is included with `vim`)
+
+...and optionally:
+
+- GnuPG - for secure configuration import/export
 
 You also need access to the _transcrypt_ script itself...
 
-Manual Installation
--------------------
+## Manual Installation
 
 You can add transcrypt directly to your repository, or just put it somewhere in
 your $PATH:
@@ -19,8 +24,7 @@ your $PATH:
     $ cd transcrypt/
     $ sudo ln -s ${PWD}/transcrypt /usr/local/bin/transcrypt
 
-Installation via Packages
--------------------------
+## Installation via Packages
 
 A number of packages are available for installing transcrypt directly on your
 system via its native package manager. Some of these packages also include man
@@ -29,7 +33,7 @@ page documentation as well as shell auto-completion scripts.
 ### Arch Linux
 
 If you're on Arch Linux, you can build/install transcrypt using the
-[provided PKGBUILD](https://github.com/elasticdog/transcrypt/blob/master/contrib/packaging/pacman/PKGBUILD):
+[provided PKGBUILD](https://github.com/elasticdog/transcrypt/blob/main/contrib/packaging/pacman/PKGBUILD):
 
     $ git clone https://github.com/elasticdog/transcrypt.git
     $ cd transcrypt/contrib/packaging/pacman/
@@ -50,7 +54,7 @@ If you're on NixOS, you can install transcrypt directly via
     $ nix-env -iA nixos.gitAndTools.transcrypt
 
 > _**Note:**
-> The [transcrypt derivation](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/version-management/git-and-tools/transcrypt/default.nix)
+> The [transcrypt derivation](https://github.com/NixOS/nixpkgs/blob/main/pkgs/applications/version-management/git-and-tools/transcrypt/default.nix)
 > was added in Oct 2015, so it is not available on the 15.09 channel._
 
 ### OS X

diff --git a/README.md b/README.md
@@ -56,6 +56,8 @@ The requirements to run transcrypt are minimal:
 - Git
 - OpenSSL
 - `column` command (on Ubuntu/Debian install `bsdmainutils`)
+- `xxd` command if using OpenSSL version 3
+  (on Ubuntu/Debian is included with `vim`)
 
 ...and optionally:
 
@@ -184,7 +186,7 @@ re-configure transcrypt with the new credentials.
 
     $ transcrypt --flush-credentials
     $ git fetch origin
-    $ git merge origin/master
+    $ git merge origin/main
     $ transcrypt -c aes-256-cbc -p 'the-new-password'
 
 ### Command Line Options
@@ -202,6 +204,9 @@ directory.
              the password to derive the key from;
              defaults to 30 random base64 characters
 
+      --set-openssl-path=PATH_TO_OPENSSL
+             use OpenSSL at this path; defaults to 'openssl' in $PATH
+
       -y, --yes
              assume yes and accept defaults for non-specified options
 
@@ -322,21 +327,8 @@ Please use:
 Tests are written using [bats-core](https://github.com/bats-core/bats-core)
 version of "Bash Automated Testing System" and stored in the _tests/_ directory.
 
-To run the tests locally:
+To run the tests:
 
 - [install bats-core](https://github.com/bats-core/bats-core#installation)
 - run all tests with: `bats tests/`
-- run an individual test with e.g: `./tests/test_help.bats`
-
-To run the tests in Docker:
-
-- install Docker
-- `cd tests/`
-- check available test targets (Docker services): `docker-compose ps`
-- build images for all test targets: `docker-compose build`
-  - or for a specific test target: `docker-compose build ubuntu-20.04`
-- run tests on all targets (non-zero exit codes means fail): `docker-compose up`
-  - or run tests on a specific target: `docker-compose run --rm ubuntu-20.04`
-- to manually run and debug tests:
-  - run shell in a specfic target: `docker-compose run --rm ubuntu-20.04`
-  - run tests selectively with something like: `bats tests/test_init.bats -t`
+- run an individual test with e.g: `bats tests/test_crypt.bats`
diff --git a/contrib/bash/transcrypt b/contrib/bash/transcrypt
@@ -22,7 +22,7 @@ _transcrypt() {
 	cur="${COMP_WORDS[COMP_CWORD]}"
 	prev="${COMP_WORDS[COMP_CWORD-1]}"
 	opts="-c -p -y -d -r -f -F -u -l -s -e -i -v -h \
-	      --cipher --password --yes --display --rekey --flush-credentials --force --uninstall --upgrade --list --show-raw --export-gpg --import-gpg --version --help"
+	      --cipher --password --set-openssl-path --yes --display --rekey --flush-credentials --force --uninstall --upgrade --list --show-raw --export-gpg --import-gpg --version --help"
 
 	case "${prev}" in
 		-c | --cipher)

diff --git a/contrib/packaging/pacman/PKGBUILD b/contrib/packaging/pacman/PKGBUILD
@@ -1,6 +1,6 @@
 # Maintainer: Aaron Bull Schaefer <aaron@elasticdog.com>
 pkgname=transcrypt
-pkgver=2.1.0
+pkgver=2.2.0
 pkgrel=1
 pkgdesc='A script to configure transparent encryption of files within a Git repository'
 arch=('any')

diff --git a/contrib/zsh/_transcrypt b/contrib/zsh/_transcrypt
@@ -18,7 +18,8 @@ _transcrypt() {
 		'(-f --flush-credentials -c --cipher -p --password -r --rekey -u --uninstall)'{-f,--flush-credentials}'[flush cached credentials]' \
 		'(-F --force -d --display -u --uninstall)'{-F,--force}'[ignore repository clean state]' \
 		'(-u --uninstall -c --cipher -d --display -f --flush-credentials -p --password -r --rekey)'{-u,--uninstall}'[uninstall transcrypt]' \
-		'(--upgrade -c --cipher -d --display -f --flush-credentials -p --password -r --rekey)'{--upgrade}'[upgrade transcrypt]' \
+		'(--set-openssl-path -c --cipher -d --display -f --flush-credentials -p --password -r --rekey)'{--set-openssl-path}'[use OpenSSL at this path]' \
+		'(--upgrade -c --cipher -d --display -f --flush-credentials -p --password -r --rekey)--upgrade[upgrade transcrypt]' \
 		'(-i --import-gpg -c --cipher -p --password -d --display -f --flush-credentials -u --uninstall)'{-i,--import-gpg=}'[import config from gpg file]:file:->file' \
 		&& return 0
 

diff --git a/man/transcrypt.1.ronn b/man/transcrypt.1.ronn
@@ -25,6 +25,9 @@ The transcrypt source code and full documentation may be downloaded from
     the password to derive the key from;
     defaults to 30 random base64 characters
 
+  * `--set-openssl-path`=<path_to_openssl>:
+    use OpenSSL at this path; defaults to 'openssl' in $PATH
+
   * `-y`, `--yes`:
     assume yes and accept defaults for non-specified options
 

diff --git a/tests/Dockerfile.ubuntu b/tests/Dockerfile.ubuntu
diff --git a/tests/_test_helper.bash b/tests/_test_helper.bash
@@ -1,43 +1,44 @@
 function init_git_repo {
   # Warn and do nothing if test dir envvar is unset
-  if [[ -z "$BATS_TMPDIR" ]]; then
-    echo "WARNING: Required envvar \$BATS_TMPDIR is unset"
+  if [[ -z "$BATS_TEST_DIRNAME" ]]; then
+    echo "WARNING: Required envvar \$BATS_TEST_DIRNAME is unset"
   # Warn and do nothing if test git repo path already exists
-  elif [[ -e "$BATS_TMPDIR/.git" ]]; then
-    echo "WARNING: Test repo already exists at $BATS_TMPDIR/.git"
+  elif [[ -e "$BATS_TEST_DIRNAME/.git" ]]; then
+    echo "WARNING: Test repo already exists at $BATS_TEST_DIRNAME/.git"
   else
     # Initialise test git repo at the same path as the test files
-    git init "$BATS_TMPDIR"
+    git init "$BATS_TEST_DIRNAME"
+    git checkout -b main
     # Tests will fail if name and email aren't set
     git config user.name "John Doe"
     git config user.email johndoe@example.com
     # Flag test git repo as 100% the test one, for safety before later removal
-    touch "$BATS_TMPDIR"/.git/repo-for-transcrypt-bats-tests
+    touch "$BATS_TEST_DIRNAME"/.git/repo-for-transcrypt-bats-tests
   fi
 }
 
 function nuke_git_repo {
   # Warn and do nothing if test dir envvar is unset
-  if [[ -z "$BATS_TMPDIR" ]]; then
-    echo "WARNING: Required envvar \$BATS_TMPDIR is unset"
+  if [[ -z "$BATS_TEST_DIRNAME" ]]; then
+    echo "WARNING: Required envvar \$BATS_TEST_DIRNAME is unset"
   # Warn and do nothing if the test git repo is missing the flag file that
   # ensures it *really* is the test one, as set by the 'init_git_repo' function
-  elif [[ ! -e "$BATS_TMPDIR/.git/repo-for-transcrypt-bats-tests" ]]; then
-    echo "WARNING: Aborting delete of non-test Git repo at $BATS_TMPDIR/.git"
+  elif [[ ! -e "$BATS_TEST_DIRNAME/.git/repo-for-transcrypt-bats-tests" ]]; then
+    echo "WARNING: Aborting delete of non-test Git repo at $BATS_TEST_DIRNAME/.git"
   else
     # Forcibly delete the test git repo
-    rm -fR "$BATS_TMPDIR"/.git
+    rm -fR "$BATS_TEST_DIRNAME"/.git
   fi
 }
 
 function cleanup_all {
   nuke_git_repo
-  rm -f "$BATS_TMPDIR"/.gitattributes
-  rm -f "$BATS_TMPDIR"/sensitive_file
+  rm -f "$BATS_TEST_DIRNAME"/.gitattributes
+  rm -f "$BATS_TEST_DIRNAME"/sensitive_file
 }
 
 function init_transcrypt {
-  "$BATS_TEST_DIRNAME"/../transcrypt --cipher=aes-256-cbc --password=abc123 --yes
+  "$BATS_TEST_DIRNAME"/../transcrypt --cipher=aes-256-cbc --password='abc 123' --yes
 }
 
 function encrypt_named_file {
@@ -57,7 +58,7 @@ function encrypt_named_file {
 }
 
 function setup {
-  pushd "$BATS_TMPDIR" || exit 1
+  pushd "$BATS_TEST_DIRNAME" || exit 1
   init_git_repo
   if [[ ! "$SETUP_SKIP_INIT_TRANSCRYPT" ]]; then
     init_transcrypt

diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml