Philip Oakley <philipoakley@iee.email> writes:
Not sure if I understood what you are saying. My impression is
that you have an existing repo, cloned from a server (with clone
on a server;-), and you now want to have the in-repository file
blobs be stored in an encrypted manner.
It sounds as if you have two problems.
1. Your starting point is with the coin upside down. You want
your existing repos (local and server) to actually contain
encrypted data, and then on checkout they will be filtered to be
un-encrypted (plain text). This would explain the sudden
appearance of the diff at the point where you start storing
encrypted blobs.
2. The smudge/clean filters, at least to me, are described in
the manuals in the opposite manner than expected. You may have
the same problem, and it may be the cause of the 'wrong way
around' perceived diffs (assuming 1. wasn't the problem).
I didn't have time to actually check stuff, but those are the
issues I would consider clarifying.
As the shell sessions show, I have, at the start, a folder
`age-0` containing two files:
1. `foo.secret` with sensitive data, and
2. `bar.txt` with non-sensitive data.
Both are in clear-text at this point.
I then turn the folder into a git workspace using `git init` and
configure a clean/smudge filter called "age", and tell git to use
the filter on files matching `*.secret`:
---------------------------------------------
❯ cat .gitattributes
*.secret filter=age
❯ git config -l --local|grep filter.age
filter.age.smudge=age --decrypt -i ~/.ssh/id_ed25519 -
filter.age.clean=age --encrypt -R ~/.ssh/id_ed25519.pub -
---------------------------------------------
I add the three files, `.gitattributes`, `foo.secret`, and
`bar.txt`, and then commit them. At this point I can see that the
filter has worked as intended in the repo itself. I can also
verify that the local file `foo.secret` still is in clear-text.
I then create a clone of the repo, named `age-1`, still local, and
as I haven't had a chance to configure the filter I can again
verify that the file with sensitive data, `foo.secret` is indeed
encrypted. Then I configure the filter also in this workspace, and
to get a clear-text version of `foo.secret` I remove it using
`rm foo.secret` and then recreate it using `git reset --hard HEAD`.
At this point `foo.secret` is in clear-text, just as I want.
I haven't made any changes to the files in `age-1` compared to
`age-0`; in particular the contents of `foo.secret` are identical,
as my run of `md5sum` shows:
---------------------------------------------
❯ md5sum foo.secret ../age-0/foo.secret
6046316bf834dbdf83a5be74be6fd2ac foo.secret
6046316bf834dbdf83a5be74be6fd2ac ../age-0/foo.secret
---------------------------------------------
Despite this git claims, very surprisingly, that `foo.secret` has
been changed in `age-1`!
---------------------------------------------
❯ git diff
diff --git a/foo.secret b/foo.secret
index 2de33ca..18e4331 100644
Binary files a/foo.secret and b/foo.secret differ
---------------------------------------------
That is, AFAICS, the filter works exactly as I want: the file
`foo.secret` is encrypted in the repo and in clear-text in the
workspaces. But git claims that the file is changed despite it
containing the exact same (clear-text) data. Why is that, and how
do I get git to realise that the contents are the same?
/M
--
Philip
On Friday, June 9, 2023 at 3:49:18 PM UTC+1 mag...@therning.org wrote:
I'm trying out age[1] as a filter for encrypting files in a git
repo but I must be missing something because every new clone
thinks the encrypted file has changed, and if I commit that change
then every other clone sees a diff after pulling in the change.
The main reason I want to try out age is that it can make use of
SSH keys for encryption, which makes it a bit nicer than something
like git-crypt.
I'm setting it up like this:
---------------------------------------------
❯ cat .gitattributes
*.secret filter=age
❯ git config -l --local|grep filter.age
filter.age.smudge=age --decrypt -i ~/.ssh/id_ed25519 -
filter.age.clean=age --encrypt -R ~/.ssh/id_ed25519.pub -
---------------------------------------------
Here's a sequence setting up a first repo:
---------------------------------------------
❯ git init
Initialized empty Git repository in /home/user/tmp/age-0/.git/
❯ echo '*.secret filter=age' > .gitattributes
❯ git config --local --add filter.age.smudge "age --decrypt -i ~/.ssh/id_ed25519 -"
❯ git config --local --add filter.age.clean "age --encrypt -R ~/.ssh/id_ed25519.pub -"
❯ echo "a secret" > foo.secret
❯ echo "not a secret" > bar.txt
❯ git add .gitattributes bar.txt foo.secret
❯ git commit -m 'The first commit'
[main (root-commit) ae75577] The first commit
3 files changed, 2 insertions(+)
create mode 100644 .gitattributes
create mode 100644 bar.txt
create mode 100644 foo.secret
---------------------------------------------
Now I can make a clone:
---------------------------------------------
❯ cd ..
❯ git clone age-0 age-1
Cloning into 'age-1'...
done.
❯ cd age-1
❯ git ls-files
.gitattributes
bar.txt
foo.secret
❯ cat foo.secret
age-encryption.org/v1
-> ssh-ed25519 ozAWLA
ReSnu8CTgPgnuKUMvG8PWTcc7Lr5IHkKaWc6k4Hfsms
dHsdERPHdsdOQluzyeeRamfjIrmsc2pQ+lhwLlt/0no
--- aHijNp3L2/0MeE/EXWwVhVwyv1uBYW1Ake055jico5M
WF}`YqBO7Ԏwߨ%
---------------------------------------------
So far so good. The file is encrypted. Now I configure the filter
the same way and make sure the file is decrypted:
---------------------------------------------
❯ git config --local --add filter.age.smudge "age --decrypt -i ~/.ssh/id_ed25519 -"
❯ git config --local --add filter.age.clean "age --encrypt -R ~/.ssh/id_ed25519.pub -"
❯ rm foo.secret
❯ git reset --hard HEAD
HEAD is now at ae75577 The first commit
❯ cat foo.secret
a secret
---------------------------------------------
Now comes the problem, git thinks the file with secrets has been
changed when it really hasn't:
---------------------------------------------
❯ git status
On branch main
Your branch is up to date with 'origin/main'.
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: foo.secret
no changes added to commit (use "git add" and/or "git commit -a")
❯ git diff
diff --git a/foo.secret b/foo.secret
index 2de33ca..18e4331 100644
Binary files a/foo.secret and b/foo.secret differ
❯ md5sum foo.secret ../age-0/foo.secret
6046316bf834dbdf83a5be74be6fd2ac foo.secret
6046316bf834dbdf83a5be74be6fd2ac ../age-0/foo.secret
---------------------------------------------
This isn't what I expected. What's wrong with my setup, what am I
missing?
/M
[1]: https://github.com/FiloSottile/age
--
Magnus Therning OpenPGP: 0x927912051716CE39
email: mag...@therning.org
@mag...@mastodon.technology http://magnus.therning.org/
"He dropped his voice still lower. In the stillness, a fly would
not have dared clear its throat."
--
Magnus Therning OpenPGP: 0x927912051716CE39
email: mag...@therning.org
@magthe@mastodon.technology http://magnus.therning.org/
`If there's anything more important than my ego around, I want it
caught and shot now.'
— Zaphod.
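The `git diff` in the thread prints `index 2de33ca..18e4331`, two different blob ids for the same clear-text, because git decides whether a filtered file changed by running the clean filter on the working-tree content again and hashing the result, and age draws a fresh random file key on every encryption run. The following is an added example (constructed here, not code from the thread, from age or from git) that models that comparison with toy stand-in filters: a randomised clean filter reproduces the spurious `modified: foo.secret`, a deterministic one does not. The HMAC-based keystream, the key and the nonce layout are illustrative assumptions, not age's format.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16  # constructed toy filters below; this is neither age nor git's code

def git_blob_id(content: bytes) -> str:
    """Object id git assigns to a blob: SHA-1 over 'blob <len>\\0<content>'."""
    return hashlib.sha1(b"blob %d\0" % len(content) + content).hexdigest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream (illustrative only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def clean_randomized(plaintext: bytes, key: bytes, nonce: bytes = b"") -> bytes:
    """Clean filter drawing a fresh random nonce per run, as age draws a fresh
    file key: the same plaintext cleans to different bytes every time."""
    nonce = nonce or os.urandom(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body

def clean_deterministic(plaintext: bytes, key: bytes) -> bytes:
    """Clean filter whose nonce is derived from the plaintext (git-crypt's
    'synthetic IV' idea), so equal plaintext always cleans to the same bytes."""
    nonce = hmac.new(key, plaintext, hashlib.sha256).digest()[:NONCE_LEN]
    return clean_randomized(plaintext, key, nonce)

def smudge(ciphertext: bytes, key: bytes) -> bytes:
    """Inverse of both clean filters above."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def status_after_clone(plaintext: bytes, key: bytes, clean):
    """Model the thread: commit in age-0 (index holds clean(plaintext)), check out
    in age-1 through smudge, then git re-cleans the worktree file and compares
    blob ids.  Returns (index_id, recomputed_id, reported_modified)."""
    committed = clean(plaintext, key)
    index_id = git_blob_id(committed)
    worktree = smudge(committed, key)   # what `git reset --hard HEAD` writes
    assert worktree == plaintext        # the md5sum comparison in the thread
    recomputed_id = git_blob_id(clean(worktree, key))
    return index_id, recomputed_id, index_id != recomputed_id
```

A deterministic clean filter is what lets git's content comparison work, at the price that equal plaintexts produce equal ciphertexts, so the repository reveals when two files or two revisions carry the same secret.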
--
You received this message because you are subscribed to the Google Groups "Git for human beings" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/git-users/87bkhml215.fsf%40therning.org.