ohbin 0.2.0

@prostomarkeloff prostomarkeloff released this 03 Jun 12:06
· 10 commits to main since this release
e2e9ab2

Encrypted private binaries via secret gists

Distribute locally-built private binaries through secret (link-gated) GitHub gists, encrypted — no public release, no committing the binary to a repo. A leaked gist link is useless without the password.

New commands

  • ohbin publish-gist <bin> --password PW [--platform KEY] [--gist ID] — encrypt a binary for one platform and upload it to a secret gist; --gist appends more platforms to the same gist.
  • ohbin add-gist <url|id> [--password PW] — resolve a published gist into pyproject.toml (pins the immutable raw URL + checksums).
  • run / which gain --password; --pyproject-file is now a global flag on every subcommand.

How it works

Each platform's binary is gzip → AES-256-CBC (openssl, -pbkdf2) → base64 so it survives a text-only gist; ohbin decrypts on first run and caches the result. The ciphertext is checksum-verified on download and the decrypted binary afterwards (which also catches a wrong password). Crypto shells out to the system openssl — no new Python dependency.
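The pipeline and both checksum checks described above, as an added example (not ohbin's own code). The function names, the exact `openssl enc` flags beyond `-aes-256-cbc` and `-pbkdf2`, and passing the password over a file descriptor are assumptions made for illustration.

```python
import gzip, hashlib, os, subprocess, zlib

# Constructed sample standing in for a locally built binary.
SAMPLE = b"\x7fELF" + bytes(range(256)) * 64

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def _openssl_enc(extra, data, password):
    """Run `openssl enc`; the password travels on a pipe, not in argv."""
    r, w = os.pipe()
    os.write(w, password.encode() + b"\n")
    os.close(w)
    try:
        proc = subprocess.run(
            ["openssl", "enc", "-aes-256-cbc", "-pbkdf2", "-a",
             "-pass", f"fd:{r}", *extra],
            input=data, capture_output=True, pass_fds=(r,))
    finally:
        os.close(r)
    if proc.returncode != 0:
        raise ValueError("openssl failed: wrong password or corrupt input")
    return proc.stdout

def pack(binary, password):
    """gzip -> AES-256-CBC -> base64; returns (text blob, blob sha, binary sha)."""
    blob = _openssl_enc(["-salt"], gzip.compress(binary), password)
    return blob, sha256(blob), sha256(binary)

def unpack(blob, password, blob_sha, bin_sha):
    """Check the ciphertext, decrypt, then check the decrypted binary."""
    if sha256(blob) != blob_sha:
        raise ValueError("ciphertext checksum mismatch")
    gz = _openssl_enc(["-d"], blob, password)
    try:
        binary = gzip.decompress(gz)
    except (OSError, EOFError, zlib.error) as exc:
        raise ValueError("decrypted data is not valid gzip") from exc
    if sha256(binary) != bin_sha:
        raise ValueError("binary checksum mismatch")
    return binary

if __name__ == "__main__":
    blob, blob_sha, bin_sha = pack(SAMPLE, "correct horse")
    assert unpack(blob, "correct horse", blob_sha, bin_sha) == SAMPLE
    for pw, text in (("wrong", blob), ("correct horse", blob[:-5] + b"AAAA\n")):
        try:
            unpack(text, pw, blob_sha, bin_sha)
        except ValueError as err:
            print("rejected:", err)
```

AES-CBC carries no integrity tag of its own, so a wrong password is usually reported by openssl as a padding error and otherwise by the gzip or checksum step; the pinned checksums are what make both outcomes a hard failure.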

Notes

  • Password precedence: --password > manifest password field (no env var); reading it from the manifest warns unless password_committed_ok = true.
  • Mutating commands (add / add-gist) write only to ./pyproject.toml or --pyproject-file, never walking up the tree. Every manifest-touching command prints the resolved pyproject realpath.
  • Requires openssl on PATH on the consuming machine. POSIX-only at runtime.

Full diff: v0.1.1...v0.2.0