From fc113586f12e2a19024c4d838df90bf3161028a7 Mon Sep 17 00:00:00 2001 From: Adrian Dimitrov Date: Mon, 26 Apr 2021 14:58:02 +0300 Subject: [PATCH 1/7] Use shorthand for grep options for broader compatibility (#121) In busybox there is no line-regexp for grep, using -x as it is used in busybox, macos and gnugrep. Adding also -F to force plain text and non pattern search. --- transcrypt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/transcrypt b/transcrypt index 2ccd088..7ea5f13 100755 --- a/transcrypt +++ b/transcrypt @@ -238,7 +238,7 @@ validate_cipher() { fi local supported - supported=$($list_cipher_commands | tr -s ' ' '\n' | grep --line-regexp "$cipher") || true + supported=$($list_cipher_commands | tr -s ' ' '\n' | grep -Fx "$cipher") || true if [[ ! $supported ]]; then if [[ $interactive ]]; then printf '"%s" is not a valid cipher; choose one of the following:\n\n' "$cipher" From 588f1bc4909273cde4ccf3eaf6a1fd94bc8fbe8a Mon Sep 17 00:00:00 2001 From: Aram Dulyan Date: Mon, 26 Apr 2021 22:13:20 +1000 Subject: [PATCH 2/7] Fix incorrect salt when partially staged files are commited (#119) * Fix incorrect salt when partially staged files are commited. Re #118 --- CHANGELOG.md | 1 + transcrypt | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b4d880..d793940 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ The format is based on [Keep a Changelog][1], and this project adheres to - Respect Git `core.hooksPath` setting when installing the pre-commit hook. (#104) - Zsh completion. (#107) +- Fix salt generation for partial (patch) commits (#118) ## [2.1.0] - 2020-09-07 diff --git a/transcrypt b/transcrypt index 7ea5f13..da6e481 100755 --- a/transcrypt +++ b/transcrypt 
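Review bot: In the validate_cipher hunk of patch 1, `grep -Fx "$cipher"` still passes the cipher name as grep's first non-option argument, so a value that begins with `-` is parsed as grep options rather than as the string to match. The cipher appears to come from user input, since the following lines print it back in the interactive "not a valid cipher" prompt. The switch to `-F` and `-x` makes the match literal and whole-line, which suits a validation step, but the pattern should also be marked explicitly: `supported=$($list_cipher_commands | tr -s ' ' '\n' | grep -Fx -e "$cipher") || true`. `-e` is specified by POSIX, so it should not reintroduce the portability problem this commit fixes, though that is worth confirming on busybox. The function body starts and ends outside the hunk.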
@@ -133,7 +133,7 @@ git_clean() { cipher=$(git config --get --local transcrypt.cipher) password=$(git config --get --local transcrypt.password) openssl_path=$(git config --get --local transcrypt.openssl-path) - salt=$("${openssl_path}" dgst -hmac "${filename}:${password}" -sha256 "$filename" | tr -d '\r\n' | tail -c16) + salt=$("${openssl_path}" dgst -hmac "${filename}:${password}" -sha256 "$tempfile" | tr -d '\r\n' | tail -c16) ENC_PASS=$password "$openssl_path" enc "-${cipher}" -md MD5 -pass env:ENC_PASS -e -a -S "$salt" -in "$tempfile" fi } From 79f24e0ab63f7d7824ada86c71deebf943310f46 Mon Sep 17 00:00:00 2001 From: James Murty Date: Tue, 27 Apr 2021 00:48:34 +1000 Subject: [PATCH 3/7] Ensure Git index is up-to-date before dirty repo check #37 (#109) Should fix/avoid failures seen in CI systems where the repo seems dirty when it really isn't. --- CHANGELOG.md | 2 ++ transcrypt | 2 ++ 2 files changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d793940..78d6edf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,8 @@ The format is based on [Keep a Changelog][1], and this project adheres to ### Fixed +- Ensure Git index is up-to-date before checking for dirty repo, to avoid + failures seen in CI systems where the repo seems dirty when it isn't. (#37) - Respect Git `core.hooksPath` setting when installing the pre-commit hook. (#104) - Zsh completion. (#107) - Fix salt generation for partial (patch) commits (#118) diff --git a/transcrypt b/transcrypt index da6e481..510157e 100755 --- a/transcrypt +++ b/transcrypt 
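Review bot: The corrected salt line in the git_clean hunk still hands the repository password to openssl on the command line: `-hmac "${filename}:${password}"` becomes part of the process arguments, which other local users can typically read from the process list while the clean filter runs. The `enc` call directly below avoids this by passing the secret through `ENC_PASS` and `-pass env:ENC_PASS`, so the two lines protect the same secret inconsistently. At minimum I would add a comment above the salt line, such as `# NOTE: -hmac places the password in openssl's argv (visible in the process list); enc below uses env:ENC_PASS to avoid that`, and track moving the HMAC key off the command line. git_clean starts above the hunk.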
@@ -219,6 +219,8 @@ run_safety_checks() { # ensure the repository is clean (if it has a HEAD revision) so we can force # checkout files without the destruction of uncommitted changes if [[ $requires_clean_repo ]] && [[ $HEAD_EXISTS ]] && [[ $IS_BARE == 'false' ]]; then + # ensure index is up-to-date before dirty check + git update-index -q --really-refresh # check if the repo is dirty if ! git diff-index --quiet HEAD --; then die 1 'the repo is dirty; commit or stash your changes before running transcrypt' From a64c88f7760b57e053d087a48489cb102b1edf17 Mon Sep 17 00:00:00 2001 From: James Murty Date: Thu, 29 Apr 2021 00:00:46 +1000 Subject: [PATCH 4/7] Handle rename of primary branch from "master" to "main" References on renaming primary branch in GitHub and Git: - https://github.com/github/renaming#rename-existing - https://docs.github.com/en/github/administering-a-repository/renaming-a-branch#updating-a-local-clone-after-a-branch-name-changes --- .github/workflows/run-bats-core-tests.yml | 8 ++++---- INSTALL.md | 19 ++++++++----------- README.md | 2 +- tests/test_merge.bats | 2 +- 4 files changed, 14 insertions(+), 17 deletions(-) diff --git a/.github/workflows/run-bats-core-tests.yml b/.github/workflows/run-bats-core-tests.yml index c0ae062..9670e37 100644 --- a/.github/workflows/run-bats-core-tests.yml +++ b/.github/workflows/run-bats-core-tests.yml @@ -1,12 +1,12 @@ name: Tests on: - # Only run tests on push to master branch + # Only run tests on push to main branch push: - branches: [master] - # Run tests for all pull request changes targeting master + branches: [main] + # Run tests for all pull request changes targeting main pull_request: - branches: [master] + branches: [main] jobs: diff --git a/INSTALL.md b/INSTALL.md index 2e7350b..cc2b067 100644 --- a/INSTALL.md +++ b/INSTALL.md 
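Review bot: The exit status of the added `git update-index -q --really-refresh` in the run_safety_checks hunk is not handled. `-q` only suppresses the failure for entries that need an update; as far as I know the command still exits non-zero when the index holds unmerged entries. If the script runs under `set -e` (not visible in this hunk), that would abort before the `die 1 'the repo is dirty; ...'` message is printed. Since `git diff-index --quiet HEAD --` on the following line is the actual check, the refresh can be made best-effort: `git update-index -q --really-refresh || true`. The enclosing function starts and ends outside the hunk.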
@@ -1,16 +1,14 @@ -Install transcrypt -================== +# Install transcrypt The requirements to run transcrypt are minimal: -* Bash -* Git -* OpenSSL +- Bash +- Git +- OpenSSL You also need access to the _transcrypt_ script itself... -Manual Installation -------------------- +## Manual Installation You can add transcrypt directly to your repository, or just put it somewhere in your $PATH: @@ -19,8 +17,7 @@ your $PATH: $ cd transcrypt/ $ sudo ln -s ${PWD}/transcrypt /usr/local/bin/transcrypt -Installation via Packages -------------------------- +## Installation via Packages A number of packages are available for installing transcrypt directly on your system via its native package manager. Some of these packages also include man @@ -29,7 +26,7 @@ page documentation as well as shell auto-completion scripts. ### Arch Linux If you're on Arch Linux, you can build/install transcrypt using the -[provided PKGBUILD](https://github.com/elasticdog/transcrypt/blob/master/contrib/packaging/pacman/PKGBUILD): +[provided PKGBUILD](https://github.com/elasticdog/transcrypt/blob/main/contrib/packaging/pacman/PKGBUILD): $ git clone https://github.com/elasticdog/transcrypt.git $ cd transcrypt/contrib/packaging/pacman/ @@ -50,7 +47,7 @@ If you're on NixOS, you can install transcrypt directly via $ nix-env -iA nixos.gitAndTools.transcrypt > _**Note:** -> The [transcrypt derivation](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/version-management/git-and-tools/transcrypt/default.nix) +> The [transcrypt derivation](https://github.com/NixOS/nixpkgs/blob/main/pkgs/applications/version-management/git-and-tools/transcrypt/default.nix) > was added in Oct 2015, so it is not available on the 15.09 channel._ ### OS X diff --git a/README.md b/README.md index 0983ae8..cc7263b 100644 --- a/README.md +++ b/README.md 
@@ -183,7 +183,7 @@ re-configure transcrypt with the new credentials. $ transcrypt --flush-credentials $ git fetch origin - $ git merge origin/master + $ git merge origin/main $ transcrypt -c aes-256-cbc -p 'the-new-password' ### Command Line Options diff --git a/tests/test_merge.bats b/tests/test_merge.bats index b293be6..3e5db52 100755 --- a/tests/test_merge.bats +++ b/tests/test_merge.bats @@ -90,7 +90,7 @@ load "$BATS_TEST_DIRNAME/_test_helper.bash" run cat sensitive_file [[ "$status" -eq 0 ]] - [[ "${lines[0]}" = "<<<<<<< master" ]] + [[ "${lines[0]}" = "<<<<<<< main" ]] [[ "${lines[1]}" = "a. First step" ]] [[ "${lines[2]}" = "=======" ]] [[ "${lines[3]}" = "1. Step the first" ]] From 588a8d07ddd1032ff70c190e28ae99fd52b4ba51 Mon Sep 17 00:00:00 2001 From: James Murty Date: Sun, 28 Feb 2021 00:09:27 +1100 Subject: [PATCH 5/7] Configure default Git branch name for macOS tests in GitHub --- .github/workflows/run-bats-core-tests.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/run-bats-core-tests.yml b/.github/workflows/run-bats-core-tests.yml index 9670e37..bc3c720 100644 --- a/.github/workflows/run-bats-core-tests.yml +++ b/.github/workflows/run-bats-core-tests.yml @@ -40,6 +40,13 @@ jobs: - name: Print OpenSSL version run: openssl version + - name: Print Git version + run: git version + + # Configure default Git branch name to suppress hint warnings + - name: Configure default Git branch to "main" + run: git config --global init.defaultBranch main + - name: Install and set up bats-core run: | git clone https://github.com/bats-core/bats-core.git /tmp/bats-core-repo From aea3ff83c7aea95b18e18839d5beb6da29b7548c Mon Sep 17 00:00:00 2001 
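Review bot: In the run-bats-core-tests.yml hunk of patch 5, the last context line, `git clone https://github.com/bats-core/bats-core.git /tmp/bats-core-repo`, fetches the test framework from its default branch at whatever commit is current. Unless a later line of that `run:` block (outside the hunk) checks out a fixed tag or commit, every CI run executes upstream code that nobody on this project reviewed, and test results are not reproducible. I would pin the clone, for example `git clone --depth 1 --branch <BATS_CORE_TAG> https://github.com/bats-core/bats-core.git /tmp/bats-core-repo`, where `<BATS_CORE_TAG>` is a placeholder for a release the maintainers have vetted. The step continues past the end of the hunk.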
From: Aaron Bull Schaefer Date: Thu, 29 Apr 2021 16:25:56 -0700 Subject: [PATCH 6/7] Remove Ubuntu 16.04 LTS from test matrix (#123) The "Xenial Xerus" version of Ubuntu is EOL (end-of-life) as of 2021-04-30. See: - https://help.ubuntu.com/community/EOL --- .github/workflows/run-bats-core-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run-bats-core-tests.yml b/.github/workflows/run-bats-core-tests.yml index bc3c720..4091123 100644 --- a/.github/workflows/run-bats-core-tests.yml +++ b/.github/workflows/run-bats-core-tests.yml @@ -28,7 +28,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - os: [ubuntu-16.04, ubuntu-18.04, ubuntu-20.04, macos-latest] + os: [ubuntu-18.04, ubuntu-20.04, macos-latest] steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it From 331b4afa859df38969aa0689a9a0001e2525f9e8 Mon Sep 17 00:00:00 2001 From: James Murty Date: Sun, 16 Jan 2022 00:07:01 +1100 Subject: [PATCH 7/7] Improve command hint to fix secret files not encrypted in index (#120) (#130) * Disable overly fussy shellcheck rule SC2155 for old code * Update expected test output to match changed command hint Code that's been unchanged for years is suddenly being flagged by rule SC2155; perhaps this rule is stricter in newer versions of `shellcheck` or action https://github.com/luizm/action-sh-checker ? Fixes linting failures due to: SC2155: Declare and assign separately to avoid masking return values. --- CHANGELOG.md | 1 + tests/test_pre_commit.bats | 2 +- transcrypt | 3 ++- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 78d6edf..79a9f48 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -24,6 +24,7 @@ The format is based on [Keep a Changelog][1], and this project adheres to - Respect Git `core.hooksPath` setting when installing the pre-commit hook. (#104) - Zsh completion. (#107) - Fix salt generation for partial (patch) commits (#118) +- Improve command hint to fix secret files not encrypted in index (#120) ## [2.1.0] - 2020-09-07 diff --git a/tests/test_pre_commit.bats b/tests/test_pre_commit.bats index 4b156fe..b88a250 100755 --- a/tests/test_pre_commit.bats +++ b/tests/test_pre_commit.bats @@ -47,7 +47,7 @@ load "$BATS_TEST_DIRNAME/_test_helper.bash" [[ "${output}" = *"Transcrypt managed file is not encrypted in the Git index: sensitive_file"* ]] [[ "${output}" = *"You probably staged this file using a tool that does not apply .gitattribute filters as required by Transcrypt."* ]] [[ "${output}" = *"Fix this by re-staging the file with a compatible tool or with Git on the command line:"* ]] - [[ "${output}" = *" git reset -- sensitive_file"* ]] + [[ "${output}" = *" git rm --cached -- sensitive_file"* ]] [[ "${output}" = *" git add sensitive_file"* ]] } diff --git a/transcrypt b/transcrypt index 510157e..4746286 100755 --- a/transcrypt +++ b/transcrypt @@ -52,6 +52,7 @@ realpath() { } # establish repository metadata and directory handling +# shellcheck disable=SC2155 gather_repo_metadata() { # whether or not transcrypt is already configured readonly CONFIGURED=$(git config --get --local transcrypt.version 2>/dev/null) @@ -429,7 +430,7 @@ save_helper_hooks() { printf 'Fix this by re-staging the file with a compatible tool or with' printf ' Git on the command line:\n' >&2 printf '\n' >&2 - printf ' git reset -- %s\n' "$secret_file" >&2 + printf ' git rm --cached -- %s\n' "$secret_file" >&2 printf ' git add %s\n' "$secret_file" >&2 printf '\n' >&2 exit 1
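Review bot: In the save_helper_hooks hunk the two suggested commands are now inconsistent: `git rm --cached -- %s` ends option parsing before the file name, but `git add %s` on the next line does not. A user who copies the hint for a file whose name starts with `-` would have that name parsed as an option. I would change the line to `printf ' git add -- %s\n' "$secret_file" >&2` (leading spaces as in the file) and update the matching expectation in tests/test_pre_commit.bats. Separately, the context line `printf 'Fix this by re-staging the file with a compatible tool or with'` has no `>&2`, so half of that sentence goes to stdout while the rest of the message goes to stderr. The function starts and ends outside the hunk.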