And, make sure that your settings are committed first. I think your 
.gitattributes file should be committed first, so that the git add of the 
secrets is actioned.

On Friday, June 9, 2023 at 9:52:44 PM UTC+1 Philip Oakley wrote:

> Not sure if I understood what you are saying. My impression is that you 
> have an existing repo, cloned from a server (with clone on a server;-), and 
> you now want to have the in-repository file blobs be stored in an encrypted 
> manner. 
> It sounds as if you have two problems.
> 1. Your starting point is with the coin upside down. You want your 
> existing repos (local and server) to actually contain encrypted data, and 
> then on checkout they will be filtered to be un-encrypted (plain text). - 
> this would explain the sudden appearance of the diff at the point where you 
> start storing encrypted blobs.
> 2. The smudge/clean filters, at least to me, are described in the manuals 
> in the opposite manner than expected. You may have the same problem, and it 
> may be the cause of the 'wrong way around' perceived diffs (assuming 1. 
> wasn't the problem).
>
> I didn't have time to actually check stuff, but those are the issues I 
> would consider clarifying.
> --
> Philip 
>
> On Friday, June 9, 2023 at 3:49:18 PM UTC+1 mag...@therning.org wrote:
>
>> I'm trying out age[1] as a filter for encrypting files in a git 
>> repo but I must be missing something because every new clone 
>> thinks the encrypted file has changed, and if I commit that change 
>> then every other clone sees a diff after pulling in the change. 
>>
>> The main reason I want to try out age is that it can make use of 
>> SSH keys for encryption, which makes it a bit nicer than something 
>> like git-crypt. 
>>
>> I'm setting it up like this: 
>>
>> --------------------------------------------- 
>> ❯ cat .gitattributes 
>> *.secret filter=age 
>>
>> ❯ git config -l --local|grep filter.age 
>> filter.age.smudge=age --decrypt -i ~/.ssh/id_ed25519 - 
>> filter.age.clean=age --encrypt -R ~/.ssh/id_ed25519.pub - 
>> --------------------------------------------- 
>>
>> Here's a sequence setting up a first repo: 
>>
>> --------------------------------------------- 
>> ❯ git init 
>> Initialized empty Git repository in /home/user/tmp/age-0/.git/ 
>>
>> ❯ echo '*.secret filter=age' > .gitattributes 
>>
>> ❯ git config --local --add filter.age.smudge "age --decrypt -i ~/.ssh/id_ed25519 -" 
>>
>> ❯ git config --local --add filter.age.clean "age --encrypt -R ~/.ssh/id_ed25519.pub -" 
>>
>> ❯ echo "a secret" > foo.secret 
>>
>> ❯ echo "not a secret" > bar.txt 
>>
>> ❯ git add .gitattributes bar.txt foo.secret 
>>
>> ❯ git commit -m 'The first commit' 
>> [main (root-commit) ae75577] The first commit 
>> 3 files changed, 2 insertions(+) 
>> create mode 100644 .gitattributes 
>> create mode 100644 bar.txt 
>> create mode 100644 foo.secret 
>> --------------------------------------------- 
>>
>> Now I can make a clone: 
>>
>> --------------------------------------------- 
>> ❯ cd .. 
>>
>> ❯ git clone age-0 age-1 
>> Cloning into 'age-1'... 
>> done. 
>>
>> ❯ cd age-1 
>>
>> ❯ git ls-files 
>> .gitattributes 
>> bar.txt 
>> foo.secret 
>>
>> ❯ cat foo.secret 
>> age-encryption.org/v1 
>> -> ssh-ed25519 ozAWLA ReSnu8CTgPgnuKUMvG8PWTcc7Lr5IHkKaWc6k4Hfsms 
>> dHsdERPHdsdOQluzyeeRamfjIrmsc2pQ+lhwLlt/0no 
>> --- aHijNp3L2/0MeE/EXWwVhVwyv1uBYW1Ake055jico5M 
>> WF}`YqBO7Ԏwߨ% 
>> --------------------------------------------- 
>>
>> So far so good. The file is encrypted. Now I configure the filter 
>> the same way and make sure the file is decrypted: 
>>
>> --------------------------------------------- 
>> ❯ git config --local --add filter.age.smudge "age --decrypt -i ~/.ssh/id_ed25519 -" 
>>
>> age-1 on  main 
>> ❯ git config --local --add filter.age.clean "age --encrypt -R ~/.ssh/id_ed25519.pub -" 
>>
>> ❯ rm foo.secret 
>>
>> ❯ git reset --hard HEAD 
>> HEAD is now at ae75577 The first commit 
>>
>> ❯ cat foo.secret 
>> a secret 
>> --------------------------------------------- 
>>
>> Now comes the problem, git thinks the file with secrets has been 
>> changed when it really hasn't: 
>>
>> --------------------------------------------- 
>> ❯ git status 
>> On branch main 
>> Your branch is up to date with 'origin/main'. 
>>
>> Changes not staged for commit: 
>> (use "git add <file>..." to update what will be committed) 
>> (use "git restore <file>..." to discard changes in working directory) 
>> modified: foo.secret 
>>
>> no changes added to commit (use "git add" and/or "git commit -a") 
>>
>> ❯ git diff 
>> diff --git a/foo.secret b/foo.secret 
>> index 2de33ca..18e4331 100644 
>> Binary files a/foo.secret and b/foo.secret differ 
>>
>> ❯ md5sum foo.secret ../age-0/foo.secret 
>> 6046316bf834dbdf83a5be74be6fd2ac foo.secret 
>> 6046316bf834dbdf83a5be74be6fd2ac ../age-0/foo.secret 
>> --------------------------------------------- 
>>
>> This isn't what I expected. What's wrong with my setup, what am I 
>> missing? 
>>
>> /M 
>>
>> [1]: https://github.com/FiloSottile/age 
>>
>> -- 
>> Magnus Therning OpenPGP: 0x927912051716CE39 
>> email: mag...@therning.org 
>> @mag...@mastodon.technology http://magnus.therning.org/ 
>>
>> "He dropped his voice still lower. In the stillness, a fly would not 
>> have dared clear its throat." 
>>
>
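
An added example, not part of either message above: age produces different ciphertext each time it encrypts the same input, and git decides whether a filtered file is modified by comparing blob ids of the clean filter's output. The sketch below models that comparison with a constructed stand-in cipher (not age); `KEY`, `SECRET` and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os


def git_blob_id(data: bytes) -> str:
    """Object id git assigns to a blob: SHA-1 over 'blob <size>\\0' + content."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Constructed stand-in cipher (SHA-256 in counter mode); NOT age, not for real use.
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)


def clean_randomized(key: bytes, plaintext: bytes) -> bytes:
    """Clean filter that draws a fresh random nonce on every run."""
    nonce = os.urandom(16)
    return nonce + _keystream_xor(key, nonce, plaintext)


def clean_deterministic(key: bytes, plaintext: bytes) -> bytes:
    """Clean filter whose nonce is a keyed hash of the plaintext: same input, same output."""
    nonce = hmac.new(key, plaintext, hashlib.sha256).digest()[:16]
    return nonce + _keystream_xor(key, nonce, plaintext)


def smudge(key: bytes, stored: bytes) -> bytes:
    """Inverse of both clean filters: split off the nonce and decrypt."""
    return _keystream_xor(key, stored[:16], stored[16:])


def status_is_modified(clean, key: bytes, worktree: bytes) -> bool:
    """Blob id recorded at 'git add' vs. the clean filter re-run on the same file."""
    staged_id = git_blob_id(clean(key, worktree))     # what the index records
    rechecked_id = git_blob_id(clean(key, worktree))  # what a later status/diff computes
    return staged_id != rechecked_id


KEY = b"constructed-demo-key"  # constructed sample value
SECRET = b"a secret\n"         # same plaintext as foo.secret in the thread

if __name__ == "__main__":
    print("randomized clean    -> modified:", status_is_modified(clean_randomized, KEY, SECRET))
    print("deterministic clean -> modified:", status_is_modified(clean_deterministic, KEY, SECRET))
```

With the randomized filter the plaintext is byte-identical on both sides, as the matching `md5sum` output in the thread shows, yet the two blob ids differ, which is the `index 2de33ca..18e4331` symptom.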
