From 29974b4fba683ee3a2f7643d34f1606a789afaf2 Mon Sep 17 00:00:00 2001 From: Yuvi Panda Date: Tue, 7 Aug 2018 17:57:19 -0700 Subject: [PATCH 01/23] Recommend using '**' to encrypt entire directories gitattributes now supports '**' to mean 'entire subtree'. Using '*' instead of '**' is an easy mistake to make with pretty bad consequences. Hopefully this added emphasis will make it less likely users make the mistake. --- README.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index d24517a..dd5730e 100644 --- a/README.md +++ b/README.md @@ -31,6 +31,7 @@ Specify files to encrypt by creating a .gitattributes file: secretfile filter=git-crypt diff=git-crypt *.key filter=git-crypt diff=git-crypt + secretdir/** filter=git-crypt diff=git-crypt Like a .gitignore file, it can match wildcards and should be checked into the repository. See below for more information about .gitattributes. @@ -150,14 +151,9 @@ specifying merely a directory (e.g. `/dir/`) is *not* sufficient to encrypt all files beneath it. Also note that the pattern `dir/*` does not match files under -sub-directories of dir/. To encrypt an entire sub-tree dir/, place the -following in dir/.gitattributes: +sub-directories of dir/. To encrypt an entire sub-tree dir/, use `dir/**`: - * filter=git-crypt diff=git-crypt - .gitattributes !filter !diff - -The second pattern is essential for ensuring that .gitattributes itself -is not encrypted. + /dir/** filter=git-crypt diff=git-crypt Mailing Lists ------------- From 8618098bcc9deaed8b498399c5777b46d66a86cb Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Thu, 2 May 2019 12:51:02 -0700 Subject: [PATCH 02/23] Update gitattributes docs --- README | 10 +++------- README.md | 2 +- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/README b/README index 232947f..f364b6c 100644 --- a/README +++ b/README 
@@ -30,6 +30,7 @@ Specify files to encrypt by creating a .gitattributes file: secretfile filter=git-crypt diff=git-crypt *.key filter=git-crypt diff=git-crypt + secretdir/** filter=git-crypt diff=git-crypt Like a .gitignore file, it can match wildcards and should be checked into the repository. See below for more information about .gitattributes. @@ -148,14 +149,9 @@ specifying merely a directory (e.g. `/dir/`) is NOT sufficient to encrypt all files beneath it. Also note that the pattern `dir/*` does not match files under -sub-directories of dir/. To encrypt an entire sub-tree dir/, place the -following in dir/.gitattributes: +sub-directories of dir/. To encrypt an entire sub-tree dir/, use `dir/**`: - * filter=git-crypt diff=git-crypt - .gitattributes !filter !diff - -The second pattern is essential for ensuring that .gitattributes itself -is not encrypted. + dir/** filter=git-crypt diff=git-crypt MAILING LISTS diff --git a/README.md b/README.md index dd5730e..c424b2e 100644 --- a/README.md +++ b/README.md @@ -153,7 +153,7 @@ encrypt all files beneath it. Also note that the pattern `dir/*` does not match files under sub-directories of dir/. To encrypt an entire sub-tree dir/, use `dir/**`: - /dir/** filter=git-crypt diff=git-crypt + dir/** filter=git-crypt diff=git-crypt Mailing Lists ------------- From ce716b130f3fdc2a558244ec7247cb153a78e0f7 Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Thu, 2 May 2019 12:52:54 -0700 Subject: [PATCH 03/23] Document how to exclude .gitattributes from encryption --- README | 6 ++++++ README.md | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/README b/README index f364b6c..4723f3b 100644 --- a/README +++ b/README 
@@ -153,6 +153,12 @@ sub-directories of dir/. To encrypt an entire sub-tree dir/, use `dir/**`: dir/** filter=git-crypt diff=git-crypt +The .gitattributes file cannot be encrypted, so make sure wildcards don't +match it accidentally. If necessary, you can exclude .gitattributes from +encryption like this: + + .gitattributes !filter !diff + MAILING LISTS diff --git a/README.md b/README.md index c424b2e..8d97a49 100644 --- a/README.md +++ b/README.md @@ -155,6 +155,12 @@ sub-directories of dir/. To encrypt an entire sub-tree dir/, use `dir/**`: dir/** filter=git-crypt diff=git-crypt +The .gitattributes file cannot be encrypted, so make sure wildcards don't +match it accidentally. If necessary, you can exclude .gitattributes from +encryption like this: + + .gitattributes !filter !diff + Mailing Lists ------------- From d1fd1353f85201f4bb5e9c387917ee203032a9d2 Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Sat, 25 Jan 2020 10:16:20 -0500 Subject: [PATCH 04/23] Execute git checkout in batches to avoid overlong argument lists Closes: #195 Closes: #194 Closes: #150 --- commands.cpp | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/commands.cpp b/commands.cpp index d25c4cc..9c19b3c 100644 --- a/commands.cpp +++ b/commands.cpp @@ -183,15 +183,19 @@ static void deconfigure_git_filters (const char* key_name) } } -static bool git_checkout (const std::vector& paths) +static bool git_checkout_batch (std::vector::const_iterator paths_begin, std::vector::const_iterator paths_end) { + if (paths_begin == paths_end) { + return true; + } + std::vector command; command.push_back("git"); command.push_back("checkout"); command.push_back("--"); - for (std::vector::const_iterator path(paths.begin()); path != paths.end(); ++path) { + for (auto path(paths_begin); path != paths_end; ++path) { command.push_back(*path); } 
@@ -202,6 +206,18 @@ static bool git_checkout (const std::vector& paths) return true; } +static bool git_checkout (const std::vector& paths) +{ + auto paths_begin(paths.begin()); + while (paths.end() - paths_begin >= 100) { + if (!git_checkout_batch(paths_begin, paths_begin + 100)) { + return false; + } + paths_begin += 100; + } + return git_checkout_batch(paths_begin, paths.end()); +} + static bool same_key_name (const char* a, const char* b) { return (!a && !b) || (a && b && std::strcmp(a, b) == 0); From 88705f996c251f67af28e4e498a06456d87d741b Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Sat, 25 Jan 2020 10:18:10 -0500 Subject: [PATCH 05/23] Improve clarity in README --- README | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README b/README index 4723f3b..ef5e118 100644 --- a/README +++ b/README @@ -153,7 +153,7 @@ sub-directories of dir/. To encrypt an entire sub-tree dir/, use `dir/**`: dir/** filter=git-crypt diff=git-crypt -The .gitattributes file cannot be encrypted, so make sure wildcards don't +The .gitattributes file must not be encrypted, so make sure wildcards don't match it accidentally. If necessary, you can exclude .gitattributes from encryption like this: diff --git a/README.md b/README.md index 8d97a49..2d4d47d 100644 --- a/README.md +++ b/README.md @@ -155,7 +155,7 @@ sub-directories of dir/. To encrypt an entire sub-tree dir/, use `dir/**`: dir/** filter=git-crypt diff=git-crypt -The .gitattributes file cannot be encrypted, so make sure wildcards don't +The .gitattributes file must not be encrypted, so make sure wildcards don't match it accidentally. If necessary, you can exclude .gitattributes from encryption like this: From 89bcafa1a6f2643492a2f6c60525fe1a3c0ecc85 Mon Sep 17 00:00:00 2001 
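Review bot: When a later batch fails, the new `git_checkout` returns false after the earlier batches have already run, so the working tree is left partially updated, and nothing in the function says so. The callers are not visible in this hunk, so whether they report or recover from that state cannot be confirmed here. A comment above the function would make the contract explicit, for example `// Runs git checkout in batches; returns false on the first failing batch, leaving earlier batches checked out.` The loop bounds themselves look correct, because an empty final range is absorbed by the early return in `git_checkout_batch`.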
From: Andrew Ayer Date: Sat, 25 Jan 2020 10:21:23 -0500 Subject: [PATCH 06/23] Use an enum for git checkout batch size instead of hard-coding constant --- commands.cpp | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/commands.cpp b/commands.cpp index 9c19b3c..81c401d 100644 --- a/commands.cpp +++ b/commands.cpp @@ -51,6 +51,12 @@ #include #include +enum { + // # of arguments per git checkout call; must be large enough to be efficient but small + // enough to avoid operating system limits on argument length + GIT_CHECKOUT_BATCH_SIZE = 100 +}; + static std::string attribute_name (const char* key_name) { if (key_name) { @@ -209,11 +215,11 @@ static bool git_checkout_batch (std::vector::const_iterator paths_b static bool git_checkout (const std::vector& paths) { auto paths_begin(paths.begin()); - while (paths.end() - paths_begin >= 100) { - if (!git_checkout_batch(paths_begin, paths_begin + 100)) { + while (paths.end() - paths_begin >= GIT_CHECKOUT_BATCH_SIZE) { + if (!git_checkout_batch(paths_begin, paths_begin + GIT_CHECKOUT_BATCH_SIZE)) { return false; } - paths_begin += 100; + paths_begin += GIT_CHECKOUT_BATCH_SIZE; } return git_checkout_batch(paths_begin, paths.end()); } From 7c129cdd3830a55a8611eecf82af08cd3301f7f2 Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Tue, 28 Apr 2020 09:14:29 -0400 Subject: [PATCH 07/23] Don't interpret a literal "-" as an option argument on command line This allows the following command to work properly: git-crypt export-key - Previously, you had to run this command, because - was being interpreted as an option argument: git-crypt export-key -- - --- parse_options.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/parse_options.cpp b/parse_options.cpp index 008e29d..5c80b07 100644 --- a/parse_options.cpp +++ b/parse_options.cpp 
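Review bot: `GIT_CHECKOUT_BATCH_SIZE` bounds the number of paths per call, while the limit its comment refers to is on total argument length, so 100 long paths are not guaranteed to fit on every platform. Whether that matters depends on how the child process is spawned, which is outside this hunk. I would at least state the assumption in the comment, e.g. `// assumes typical path lengths; the OS limit is on total bytes, not argument count`. A stricter option is to have the batching loop in `git_checkout` also stop at a byte budget.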
@@ -43,7 +43,7 @@ int parse_options (const Options_list& options, int argc, const char** argv) { int argi = 0; - while (argi < argc && argv[argi][0] == '-') { + while (argi < argc && argv[argi][0] == '-' && argv[argi][1] != '\0') { if (std::strcmp(argv[argi], "--") == 0) { ++argi; break; From 1c905faeb595f5a64d460c923ec3401cd37b5acc Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Thu, 18 Feb 2021 18:57:58 -0500 Subject: [PATCH 08/23] Remove references to the mailing lists Since the git-crypt mailing lists have barely been used, and mailing lists seem to be falling out of fashion for open source projects, I've decided to shut down the git-crypt mailing lists in favor of functionality provided by GitHub. For announcements of new releases, you can watch the git-crypt repository (https://github.com/AGWA/git-crypt) for new releases. For bug reports, you can file an issue: https://github.com/AGWA/git-crypt/issues For discussions, you can use GitHub's new discussions feature: https://github.com/AGWA/git-crypt/discussions --- CONTRIBUTING.md | 6 ++---- README | 9 --------- README.md | 9 --------- 3 files changed, 2 insertions(+), 22 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 8b4b482..e11b5ad 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -4,8 +4,7 @@ documentation, bug reports, or anything else that improves git-crypt. When contributing code, please consider the following guidelines: - * You are encouraged to open an issue on GitHub or send mail to - git-crypt-discuss@lists.cloudmutt.com to discuss any non-trivial + * You are encouraged to open an issue on GitHub to discuss any non-trivial changes before you start coding. * Please mimic the existing code style as much as possible. In 
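Review bot: The new loop condition is only safe because of operand order: `argv[argi][1]` is read after `argv[argi][0] == '-'` has shown the string is non-empty, and swapping the two tests would read past the terminator of an empty argument. That deserves a comment so a later tidy-up does not reorder it. I would add `// A lone "-" is a positional argument, not an option; [1] is read only once [0] is known to be '-'.` above the `while`. The body of `parse_options` continues outside the hunk.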
@@ -15,8 +14,7 @@ When contributing code, please consider the following guidelines: * To minimize merge commits, please rebase your changes before opening a pull request. - * To submit your patch, open a pull request on GitHub or send a - properly-formatted patch to git-crypt-discuss@lists.cloudmutt.com. + * To submit your patch, open a pull request on GitHub. Finally, be aware that since git-crypt is security-sensitive software, the bar for contributions is higher than average. Please don't be diff --git a/README b/README index ef5e118..2bd44dc 100644 --- a/README +++ b/README @@ -158,12 +158,3 @@ match it accidentally. If necessary, you can exclude .gitattributes from encryption like this: .gitattributes !filter !diff - - -MAILING LISTS - -To stay abreast of, and provide input to, git-crypt development, consider -subscribing to one or both of our mailing lists: - -Announcements: https://lists.cloudmutt.com/mailman/listinfo/git-crypt-announce -Discussion: https://lists.cloudmutt.com/mailman/listinfo/git-crypt-discuss diff --git a/README.md b/README.md index 2d4d47d..0e39926 100644 --- a/README.md +++ b/README.md @@ -160,12 +160,3 @@ match it accidentally. If necessary, you can exclude .gitattributes from encryption like this: .gitattributes !filter !diff - -Mailing Lists -------------- - -To stay abreast of, and provide input to, git-crypt development, -consider subscribing to one or both of our mailing lists: - -* [Announcements](https://lists.cloudmutt.com/mailman/listinfo/git-crypt-announce) -* [Discussion](https://lists.cloudmutt.com/mailman/listinfo/git-crypt-discuss) From 12c422228a71498281210b05786258eac83f265a Mon Sep 17 00:00:00 2001 
From: Andrew Ayer Date: Thu, 21 Apr 2022 13:01:40 -0400 Subject: [PATCH 09/23] Add GitHub Actions to build & upload release binaries Closes: #227 --- .github/workflows/release-linux.yml | 46 ++++++++++++++++++++++ .github/workflows/release-windows.yml | 56 +++++++++++++++++++++++++++ 2 files changed, 102 insertions(+) create mode 100644 .github/workflows/release-linux.yml create mode 100644 .github/workflows/release-windows.yml diff --git a/.github/workflows/release-linux.yml b/.github/workflows/release-linux.yml new file mode 100644 index 0000000..94a0898 --- /dev/null +++ b/.github/workflows/release-linux.yml @@ -0,0 +1,46 @@ +on: + release: + types: [published] +name: Build Release Binary (Linux) +jobs: + build: + name: Build Release Binary + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@v2 + - name: Install dependencies + run: sudo apt install libssl-dev + - name: Build binary + run: make + - name: Upload release artifact + uses: actions/upload-artifact@v3 + with: + name: git-crypt-artifacts + path: git-crypt + upload: + name: Upload Release Binary + runs-on: ubuntu-latest + needs: build + permissions: + contents: write + steps: + - name: Download release artifact + uses: actions/download-artifact@v3 + with: + name: git-crypt-artifacts + - name: Upload release asset + uses: actions/github-script@v3 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const fs = require("fs").promises; + const { repo: { owner, repo }, sha } = context; + await github.repos.uploadReleaseAsset({ + owner, repo, + release_id: ${{ github.event.release.id }}, + name: 'git-crypt-${{ github.event.release.name }}-linux-x86_64', + data: await fs.readFile('git-crypt'), + }); diff --git a/.github/workflows/release-windows.yml b/.github/workflows/release-windows.yml new file mode 100644 index 0000000..6794e4a --- /dev/null +++ b/.github/workflows/release-windows.yml 
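Review bot: In the "Upload release asset" step, `${{ github.event.release.name }}` is expanded into the `script:` text before the JavaScript is parsed, so the release title becomes part of the code that runs in the job holding `contents: write`. Pass it as data instead: set `env: RELEASE_NAME: ${{ github.event.release.name }}` on the step and build the asset name from `process.env.RELEASE_NAME`. Separately, `actions/checkout@v2`, `actions/upload-artifact@v3`, `actions/download-artifact@v3` and `actions/github-script@v3` are mutable tags; a workflow that publishes release binaries is better pinned to full commit SHAs. Both points apply equally to release-windows.yml in this commit and to release-linux-arm64.yml added later in the series. The split of `contents: read` for the build job and `contents: write` for the upload job is good and should be kept.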
@@ -0,0 +1,56 @@ +on: + release: + types: [published] +name: Build Release Binary (Windows) +jobs: + build: + name: Build Release Binary + runs-on: windows-2022 + permissions: + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@v2 + - name: Setup msys2 + uses: msys2/setup-msys2@v2 + with: + msystem: MINGW64 + update: true + install: >- + base-devel + msys2-devel + mingw-w64-x86_64-toolchain + mingw-w64-x86_64-openssl + openssl-devel + - name: Build binary + shell: msys2 {0} + run: make LDFLAGS="-static-libstdc++ -static -lcrypto -lws2_32" + - name: Upload release artifact + uses: actions/upload-artifact@v3 + with: + name: git-crypt-artifacts + path: git-crypt.exe + upload: + name: Upload Release Binary + runs-on: ubuntu-latest + needs: build + permissions: + contents: write + steps: + - name: Download release artifact + uses: actions/download-artifact@v3 + with: + name: git-crypt-artifacts + - name: Upload release asset + uses: actions/github-script@v3 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const fs = require("fs").promises; + const { repo: { owner, repo }, sha } = context; + await github.repos.uploadReleaseAsset({ + owner, repo, + release_id: ${{ github.event.release.id }}, + name: 'git-crypt-${{ github.event.release.name }}-x86_64.exe', + data: await fs.readFile('git-crypt.exe'), + }); From a1e6311f5622fb6b9027fc087d16062c7261280f Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Thu, 21 Apr 2022 13:07:59 -0400 Subject: [PATCH 10/23] Prepare 0.7.0 release --- NEWS | 5 +++++ NEWS.md | 5 +++++ README | 2 +- README.md | 4 ++-- git-crypt.hpp | 2 +- man/git-crypt.xml | 4 ++-- 6 files changed, 16 insertions(+), 6 deletions(-) diff --git a/NEWS b/NEWS index 41e2bd5..7fec0c1 100644 --- a/NEWS +++ b/NEWS 
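Review bot: The Windows binary is linked with `-static ... -lcrypto` against whatever OpenSSL the `msys2/setup-msys2@v2` step installs on the day of the build (`update: true`, no package versions pinned), and the workflow does not record which version that was. With static linking, an OpenSSL fix reaches users only through a new git-crypt release, so it should be possible to tell which OpenSSL a published binary contains. I would add a step after the build that logs the installed package versions, e.g. `run: pacman -Q mingw-w64-x86_64-openssl mingw-w64-x86_64-toolchain` under `shell: msys2 {0}`, or attach that output to the release.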
@@ -1,3 +1,8 @@ +v0.7.0 (2022-04-21) + * Avoid "argument list too long" errors on macOS. + * Fix handling of "-" arguments. + * Minor documentation improvements. + v0.6.0 (2017-11-26) * Add support for OpenSSL 1.1 (still works with OpenSSL 1.0). * Switch to C++11 (gcc 4.9 or higher now required to build). diff --git a/NEWS.md b/NEWS.md index 080035f..d62c124 100644 --- a/NEWS.md +++ b/NEWS.md @@ -1,6 +1,11 @@ News ==== +######v0.7.0 (2022-04-21) +* Avoid "argument list too long" errors on macOS. +* Fix handling of "-" arguments. +* Minor documentation improvements. + ######v0.6.0 (2017-11-26) * Add support for OpenSSL 1.1 (still works with OpenSSL 1.0). * Switch to C++11 (gcc 4.9 or higher now required to build). diff --git a/README b/README index 2bd44dc..f4c0ec3 100644 --- a/README +++ b/README @@ -70,7 +70,7 @@ encryption and decryption happen transparently. CURRENT STATUS -The latest version of git-crypt is 0.6.0, released on 2017-11-26. +The latest version of git-crypt is 0.7.0, released on 2022-04-21. git-crypt aims to be bug-free and reliable, meaning it shouldn't crash, malfunction, or expose your confidential data. However, it has not yet reached maturity, meaning it is not as documented, diff --git a/README.md b/README.md index 0e39926..945735c 100644 --- a/README.md +++ b/README.md @@ -71,8 +71,8 @@ encryption and decryption happen transparently. Current Status -------------- -The latest version of git-crypt is [0.6.0](NEWS.md), released on -2017-11-26. git-crypt aims to be bug-free and reliable, meaning it +The latest version of git-crypt is [0.7.0](NEWS.md), released on +2022-04-21. git-crypt aims to be bug-free and reliable, meaning it shouldn't crash, malfunction, or expose your confidential data. However, it has not yet reached maturity, meaning it is not as documented, featureful, or easy-to-use as it should be. Additionally, diff --git a/git-crypt.hpp b/git-crypt.hpp index ce41dfa..ce1b256 100644 --- a/git-crypt.hpp +++ b/git-crypt.hpp 
@@ -31,7 +31,7 @@ #ifndef GIT_CRYPT_GIT_CRYPT_HPP #define GIT_CRYPT_GIT_CRYPT_HPP -#define VERSION "0.6.0" +#define VERSION "0.7.0" extern const char* argv0; // initialized in main() to argv[0] diff --git a/man/git-crypt.xml b/man/git-crypt.xml index 96f53d7..f8ec765 100644 --- a/man/git-crypt.xml +++ b/man/git-crypt.xml @@ -7,8 +7,8 @@ --> git-crypt - 2017-11-26 - git-crypt 0.6.0 + 2022-04-21 + git-crypt 0.7.0 Andrew Ayer From 08dbdcfed4fb182c0efaacb32a6c46481ced095b Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Tue, 7 Jun 2022 12:34:04 -0400 Subject: [PATCH 11/23] When adding GPG collaborator, include full fingerprint in commit message Short key IDs are bad (https://evil32.com/) Closes: #253 --- commands.cpp | 3 ++- gpg.cpp | 6 ------ gpg.hpp | 1 - 3 files changed, 2 insertions(+), 8 deletions(-) diff --git a/commands.cpp b/commands.cpp index 81c401d..6b3c498 100644 --- a/commands.cpp +++ b/commands.cpp @@ -1297,7 +1297,8 @@ int add_gpg_user (int argc, const char** argv) std::ostringstream commit_message_builder; commit_message_builder << "Add " << collab_keys.size() << " git-crypt collaborator" << (collab_keys.size() != 1 ? "s" : "") << "\n\nNew collaborators:\n\n"; for (std::vector >::const_iterator collab(collab_keys.begin()); collab != collab_keys.end(); ++collab) { - commit_message_builder << '\t' << gpg_shorten_fingerprint(collab->first) << ' ' << gpg_get_uid(collab->first) << '\n'; + commit_message_builder << " " << collab->first << '\n'; + commit_message_builder << " " << gpg_get_uid(collab->first) << '\n'; } // git commit -m MESSAGE NEW_FILE ... diff --git a/gpg.cpp b/gpg.cpp index bec5892..901ffaf 100644 --- a/gpg.cpp +++ b/gpg.cpp 
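Review bot: The switch to writing `collab->first` in full is explained only in the commit message; nothing in `add_gpg_user` says why. Since the commit message is the audit record of who was granted access, a comment at the loop would stop a later cosmetic change from shortening it again: `// Record the full fingerprint: short key IDs can be collided (https://evil32.com/).` The UID on the following line is text chosen by the key owner, so the comment could also note that the fingerprint line, not the UID, is what identifies the key. The enclosing function starts and ends outside this hunk.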
@@ -61,12 +61,6 @@ static std::string gpg_nth_column (const std::string& line, unsigned int col) line.substr(pos); } -// given a key fingerprint, return the last 8 nibbles -std::string gpg_shorten_fingerprint (const std::string& fingerprint) -{ - return fingerprint.size() == 40 ? fingerprint.substr(32) : fingerprint; -} - // given a key fingerprint, return the key's UID (e.g. "John Smith ") std::string gpg_get_uid (const std::string& fingerprint) { diff --git a/gpg.hpp b/gpg.hpp index 77997b1..be98aed 100644 --- a/gpg.hpp +++ b/gpg.hpp @@ -41,7 +41,6 @@ struct Gpg_error { explicit Gpg_error (std::string m) : message(m) { } }; -std::string gpg_shorten_fingerprint (const std::string& fingerprint); std::string gpg_get_uid (const std::string& fingerprint); std::vector gpg_lookup_key (const std::string& query); std::vector gpg_list_secret_keys (); From 968c924798deb4295299897ff3a5fc5cfd31e716 Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Tue, 3 Sep 2024 19:30:58 -0400 Subject: [PATCH 12/23] GitHub actions: upgrade download/upload artifacts Closes: #313 --- .github/workflows/release-linux.yml | 4 ++-- .github/workflows/release-windows.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-linux.yml b/.github/workflows/release-linux.yml index 94a0898..ea98525 100644 --- a/.github/workflows/release-linux.yml +++ b/.github/workflows/release-linux.yml @@ -16,7 +16,7 @@ jobs: - name: Build binary run: make - name: Upload release artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: git-crypt-artifacts path: git-crypt @@ -28,7 +28,7 @@ jobs: contents: write steps: - name: Download release artifact - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: git-crypt-artifacts - name: Upload release asset diff --git a/.github/workflows/release-windows.yml b/.github/workflows/release-windows.yml index 6794e4a..e82e992 100644 --- a/.github/workflows/release-windows.yml 
+++ b/.github/workflows/release-windows.yml @@ -26,7 +26,7 @@ jobs: shell: msys2 {0} run: make LDFLAGS="-static-libstdc++ -static -lcrypto -lws2_32" - name: Upload release artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: git-crypt-artifacts path: git-crypt.exe @@ -38,7 +38,7 @@ jobs: contents: write steps: - name: Download release artifact - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: git-crypt-artifacts - name: Upload release asset From 4dd5c202434afac2525fb556179eac6d5c58bd9e Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Tue, 23 Sep 2025 20:37:48 -0400 Subject: [PATCH 13/23] Drop support for OpenSSL 1.0; fix compilation with OpenSSL 3 --- Makefile | 2 +- crypto-openssl-10.cpp | 120 ------------------------------------------ crypto-openssl-11.cpp | 4 -- 3 files changed, 1 insertion(+), 125 deletions(-) delete mode 100644 crypto-openssl-10.cpp diff --git a/Makefile b/Makefile index 68eb9db..8e4360d 100644 --- a/Makefile +++ b/Makefile @@ -24,7 +24,7 @@ OBJFILES = \ coprocess.o \ fhstream.o -OBJFILES += crypto-openssl-10.o crypto-openssl-11.o +OBJFILES += crypto-openssl-11.o LDFLAGS += -lcrypto XSLTPROC ?= xsltproc diff --git a/crypto-openssl-10.cpp b/crypto-openssl-10.cpp deleted file mode 100644 index f0f2c53..0000000 --- a/crypto-openssl-10.cpp +++ /dev/null 
@@ -1,120 +0,0 @@ -/* - * Copyright 2012, 2014 Andrew Ayer - * - * This file is part of git-crypt. - * - * git-crypt is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * git-crypt is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with git-crypt. If not, see . - * - * Additional permission under GNU GPL version 3 section 7: - * - * If you modify the Program, or any covered work, by linking or - * combining it with the OpenSSL project's OpenSSL library (or a - * modified version of that library), containing parts covered by the - * terms of the OpenSSL or SSLeay licenses, the licensors of the Program - * grant you additional permission to convey the resulting work. - * Corresponding Source for a non-source form of such a combination - * shall include the source code for the parts of OpenSSL used as well - * as that of the covered work. 
- */ - -#include - -#if !defined(OPENSSL_API_COMPAT) - -#include "crypto.hpp" -#include "key.hpp" -#include "util.hpp" -#include -#include -#include -#include -#include -#include -#include -#include - -void init_crypto () -{ - ERR_load_crypto_strings(); -} - -struct Aes_ecb_encryptor::Aes_impl { - AES_KEY key; -}; - -Aes_ecb_encryptor::Aes_ecb_encryptor (const unsigned char* raw_key) -: impl(new Aes_impl) -{ - if (AES_set_encrypt_key(raw_key, KEY_LEN * 8, &(impl->key)) != 0) { - throw Crypto_error("Aes_ctr_encryptor::Aes_ctr_encryptor", "AES_set_encrypt_key failed"); - } -} - -Aes_ecb_encryptor::~Aes_ecb_encryptor () -{ - // Note: Explicit destructor necessary because class contains an unique_ptr - // which contains an incomplete type when the unique_ptr is declared. - - explicit_memset(&impl->key, '\0', sizeof(impl->key)); -} - -void Aes_ecb_encryptor::encrypt(const unsigned char* plain, unsigned char* cipher) -{ - AES_encrypt(plain, cipher, &(impl->key)); -} - -struct Hmac_sha1_state::Hmac_impl { - HMAC_CTX ctx; -}; - -Hmac_sha1_state::Hmac_sha1_state (const unsigned char* key, size_t key_len) -: impl(new Hmac_impl) -{ - HMAC_Init(&(impl->ctx), key, key_len, EVP_sha1()); -} - -Hmac_sha1_state::~Hmac_sha1_state () -{ - // Note: Explicit destructor necessary because class contains an unique_ptr - // which contains an incomplete type when the unique_ptr is declared. 
- - HMAC_cleanup(&(impl->ctx)); -} - -void Hmac_sha1_state::add (const unsigned char* buffer, size_t buffer_len) -{ - HMAC_Update(&(impl->ctx), buffer, buffer_len); -} - -void Hmac_sha1_state::get (unsigned char* digest) -{ - unsigned int len; - HMAC_Final(&(impl->ctx), digest, &len); -} - - -void random_bytes (unsigned char* buffer, size_t len) -{ - if (RAND_bytes(buffer, len) != 1) { - std::ostringstream message; - while (unsigned long code = ERR_get_error()) { - char error_string[120]; - ERR_error_string_n(code, error_string, sizeof(error_string)); - message << "OpenSSL Error: " << error_string << "; "; - } - throw Crypto_error("random_bytes", message.str()); - } -} - -#endif diff --git a/crypto-openssl-11.cpp b/crypto-openssl-11.cpp index adf03bb..ad4b119 100644 --- a/crypto-openssl-11.cpp +++ b/crypto-openssl-11.cpp @@ -30,8 +30,6 @@ #include -#if defined(OPENSSL_API_COMPAT) - #include "crypto.hpp" #include "key.hpp" #include "util.hpp" @@ -115,5 +113,3 @@ void random_bytes (unsigned char* buffer, size_t len) throw Crypto_error("random_bytes", message.str()); } } - -#endif From 160cf642e1c0f83c1668ad0d59e879d97b97a95b Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Tue, 23 Sep 2025 20:41:07 -0400 Subject: [PATCH 14/23] Prepare 0.8.0 release --- NEWS | 4 ++++ NEWS.md | 4 ++++ README | 2 +- README.md | 4 ++-- git-crypt.hpp | 2 +- man/git-crypt.xml | 2 +- 6 files changed, 13 insertions(+), 5 deletions(-) diff --git a/NEWS b/NEWS index 7fec0c1..6167e03 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,7 @@ +v0.8.0 (2025-09-23) + * Remove OpenSSL 1.0 support, fix compilation with OpenSSL 3. + * Avoid use of problematic short GPG key IDs. + v0.7.0 (2022-04-21) * Avoid "argument list too long" errors on macOS. * Fix handling of "-" arguments. diff --git a/NEWS.md b/NEWS.md index d62c124..b85ea9b 100644 --- a/NEWS.md +++ b/NEWS.md 
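Review bot: With the `#if defined(OPENSSL_API_COMPAT)` guard removed from crypto-openssl-11.cpp, no explicit check remains that the headers are OpenSSL 1.1 or newer. A build against an older installation will presumably fail on missing API symbols rather than with a clear message. A version check after the OpenSSL includes would make the dropped support explicit: `#if OPENSSL_VERSION_NUMBER < 0x10100000L`, `#error "git-crypt requires OpenSSL 1.1 or later"`, `#endif`. The file name still says "11" although it now serves OpenSSL 3 as well; a one-line comment at the top saying so would help.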
@@ -1,6 +1,10 @@ News ==== +######v0.8.0 (2025-09-23) +* Remove OpenSSL 1.0 support, fix compilation with OpenSSL 3. +* Avoid use of problematic short GPG key IDs. + ######v0.7.0 (2022-04-21) * Avoid "argument list too long" errors on macOS. * Fix handling of "-" arguments. diff --git a/README b/README index f4c0ec3..bd68e79 100644 --- a/README +++ b/README @@ -70,7 +70,7 @@ encryption and decryption happen transparently. CURRENT STATUS -The latest version of git-crypt is 0.7.0, released on 2022-04-21. +The latest version of git-crypt is 0.8.0, released on 2025-09-23. git-crypt aims to be bug-free and reliable, meaning it shouldn't crash, malfunction, or expose your confidential data. However, it has not yet reached maturity, meaning it is not as documented, diff --git a/README.md b/README.md index 945735c..32c6863 100644 --- a/README.md +++ b/README.md @@ -71,8 +71,8 @@ encryption and decryption happen transparently. Current Status -------------- -The latest version of git-crypt is [0.7.0](NEWS.md), released on -2022-04-21. git-crypt aims to be bug-free and reliable, meaning it +The latest version of git-crypt is [0.8.0](NEWS.md), released on +2025-09-23. git-crypt aims to be bug-free and reliable, meaning it shouldn't crash, malfunction, or expose your confidential data. However, it has not yet reached maturity, meaning it is not as documented, featureful, or easy-to-use as it should be. Additionally, diff --git a/git-crypt.hpp b/git-crypt.hpp index ce1b256..e98752c 100644 --- a/git-crypt.hpp +++ b/git-crypt.hpp @@ -31,7 +31,7 @@ #ifndef GIT_CRYPT_GIT_CRYPT_HPP #define GIT_CRYPT_GIT_CRYPT_HPP -#define VERSION "0.7.0" +#define VERSION "0.8.0" extern const char* argv0; // initialized in main() to argv[0] diff --git a/man/git-crypt.xml b/man/git-crypt.xml index f8ec765..7d4f023 100644 --- a/man/git-crypt.xml +++ b/man/git-crypt.xml @@ -8,7 +8,7 @@ git-crypt 2022-04-21 - git-crypt 0.7.0 + git-crypt 0.8.0 Andrew Ayer 
From 1d3055d8c21eddaac6de3892300253513ae76f9c Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Wed, 24 Sep 2025 08:40:59 -0400 Subject: [PATCH 15/23] Remove unneeded include --- crypto-openssl-11.cpp | 2 -- 1 file changed, 2 deletions(-) diff --git a/crypto-openssl-11.cpp b/crypto-openssl-11.cpp index ad4b119..899498b 100644 --- a/crypto-openssl-11.cpp +++ b/crypto-openssl-11.cpp @@ -28,8 +28,6 @@ * as that of the covered work. */ -#include - #include "crypto.hpp" #include "key.hpp" #include "util.hpp" From 6ca139c36430090884cdbabad820b26699324c32 Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Wed, 24 Sep 2025 08:41:06 -0400 Subject: [PATCH 16/23] GitHub Actions: fix Windows build --- .github/workflows/release-windows.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-windows.yml b/.github/workflows/release-windows.yml index e82e992..6ba2be2 100644 --- a/.github/workflows/release-windows.yml +++ b/.github/workflows/release-windows.yml @@ -24,7 +24,7 @@ jobs: openssl-devel - name: Build binary shell: msys2 {0} - run: make LDFLAGS="-static-libstdc++ -static -lcrypto -lws2_32" + run: make LDFLAGS="-static-libstdc++ -static -lcrypto -lws2_32 -lcrypt32" - name: Upload release artifact uses: actions/upload-artifact@v4 with: From 247da931aa019ca2b117603c80959c92c2429c5b Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Wed, 24 Sep 2025 08:50:04 -0400 Subject: [PATCH 17/23] GitHub Actions: explicitly specify Ubuntu version --- .github/workflows/release-linux.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-linux.yml b/.github/workflows/release-linux.yml index ea98525..bb6b870 100644 --- a/.github/workflows/release-linux.yml +++ b/.github/workflows/release-linux.yml @@ -5,7 +5,7 @@ name: Build Release Binary (Linux) jobs: build: name: Build Release Binary - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: contents: read steps: 
From 669eae3c084656f8ec635da3c62ec96134969a43 Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Wed, 24 Sep 2025 08:53:04 -0400 Subject: [PATCH 18/23] Build linux-arm64 binaries I initially tried cross-compiling from the amd64 runner, but of course that's not as easy as it should be: https://discourse.ubuntu.com/t/failing-to-pull-arm64-apt-packages-in-ubuntu-docker-containers/59377 https://discourse.ubuntu.com/t/http-404-when-attempting-to-fetch-arm64-packages-on-24-04-1/53243 https://github.com/actions/runner-images/issues/12878 https://github.com/actions/runner-images/issues/10901 --- .github/workflows/release-linux-arm64.yml | 46 +++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 .github/workflows/release-linux-arm64.yml diff --git a/.github/workflows/release-linux-arm64.yml b/.github/workflows/release-linux-arm64.yml new file mode 100644 index 0000000..e868b26 --- /dev/null +++ b/.github/workflows/release-linux-arm64.yml 
@@ -0,0 +1,46 @@ +on: + release: + types: [published] +name: Build Release Binary (Linux ARM64) +jobs: + build: + name: Build Release Binary + runs-on: ubuntu-24.04-arm + permissions: + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@v2 + - name: Install dependencies + run: sudo apt install libssl-dev + - name: Build binary + run: make + - name: Upload release artifact + uses: actions/upload-artifact@v4 + with: + name: git-crypt-artifacts + path: git-crypt + upload: + name: Upload Release Binary + runs-on: ubuntu-latest + needs: build + permissions: + contents: write + steps: + - name: Download release artifact + uses: actions/download-artifact@v4 + with: + name: git-crypt-artifacts + - name: Upload release asset + uses: actions/github-script@v3 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const fs = require("fs").promises; + const { repo: { owner, repo }, sha } = context; + await github.repos.uploadReleaseAsset({ + owner, repo, + release_id: ${{ github.event.release.id }}, + name: 'git-crypt-${{ github.event.release.name }}-linux-aarch64', + data: await fs.readFile('git-crypt'), + }); From 2322f618e150fef590a92754543f4b980b72990b Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Wed, 24 Sep 2025 08:56:07 -0400 Subject: [PATCH 19/23] GitHub Actions: use older version of Ubuntu for better compatibility So compiled binaries will work on older Linux distros like Debian 12. --- .github/workflows/release-linux-arm64.yml | 2 +- .github/workflows/release-linux.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-linux-arm64.yml b/.github/workflows/release-linux-arm64.yml index e868b26..4633e99 100644 --- a/.github/workflows/release-linux-arm64.yml +++ b/.github/workflows/release-linux-arm64.yml 
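Review bot: The `script:` body of the "Upload release asset" step splices `${{ github.event.release.id }}` and `${{ github.event.release.name }}` into the JavaScript source before it runs, so a release name containing a quote or a newline changes the code executed by the job that holds `contents: write`. Reading both values from the event payload at run time keeps them as data: `release_id: context.payload.release.id,` and ``name: `git-crypt-${context.payload.release.name}-linux-aarch64`,``. The same expansion appears as unchanged context in the upload steps of release-linux.yml and release-windows.yml later in this series, so the fix would apply there too. Separately, `sha` is destructured from `context` but never used in the script.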
@@ -5,7 +5,7 @@ name: Build Release Binary (Linux ARM64) jobs: build: name: Build Release Binary - runs-on: ubuntu-24.04-arm + runs-on: ubuntu-22.04-arm permissions: contents: read steps: diff --git a/.github/workflows/release-linux.yml b/.github/workflows/release-linux.yml index bb6b870..fb747d6 100644 --- a/.github/workflows/release-linux.yml +++ b/.github/workflows/release-linux.yml @@ -5,7 +5,7 @@ name: Build Release Binary (Linux) jobs: build: name: Build Release Binary - runs-on: ubuntu-24.04 + runs-on: ubuntu-22.04 permissions: contents: read steps: From dd1b1f4e2af7b22dd260a83f1d2fb8cad9e15f49 Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Wed, 24 Sep 2025 09:05:56 -0400 Subject: [PATCH 20/23] Remove plaintext README and NEWS files It's easier to just have the markdown files. Fixes: #274 --- NEWS | 79 ---------------------------- README | 160 --------------------------------------------------------- 2 files changed, 239 deletions(-) delete mode 100644 NEWS delete mode 100644 README diff --git a/NEWS b/NEWS deleted file mode 100644 index 6167e03..0000000 --- a/NEWS +++ /dev/null 
@@ -1,79 +0,0 @@ -v0.8.0 (2025-09-23) - * Remove OpenSSL 1.0 support, fix compilation with OpenSSL 3. - * Avoid use of problematic short GPG key IDs. - -v0.7.0 (2022-04-21) - * Avoid "argument list too long" errors on macOS. - * Fix handling of "-" arguments. - * Minor documentation improvements. - -v0.6.0 (2017-11-26) - * Add support for OpenSSL 1.1 (still works with OpenSSL 1.0). - * Switch to C++11 (gcc 4.9 or higher now required to build). - * Allow GPG to fail on some keys (makes unlock work better if there are - multiple keys that can unlock the repo but only some are available). - * Allow the repo state directory to be configured with the - git-crypt.repoStateDir git config option. - * Respect the gpg.program git config option. - * Don't hard code path to git-crypt in .git/config on Linux (ensures - repo continues to work if git-crypt is moved). - * Ensure git-crypt's gpg files won't be treated as text by Git. - * Minor improvements to build system, documentation. - -v0.5.0 (2015-05-30) - * Drastically speed up lock/unlock when used with Git 1.8.5 or newer. - * Add git-crypt(1) man page (pass ENABLE_MAN=yes to make to build). - * Add --trusted option to 'git-crypt gpg-add-user' to add user even if - GPG doesn't trust user's key. - * Improve 'git-crypt lock' usability, add --force option. - * Ignore symlinks and other non-files when running 'git-crypt status'. - * Fix compilation on old versions of Mac OS X. - * Fix GPG mode when with-fingerprint enabled in gpg.conf. - * Minor bug fixes and improvements to help/error messages. - -v0.4.2 (2015-01-31) - * Fix unlock and lock under Git 2.2.2 and higher. - * Drop support for versions of Git older than 1.7.2. - * Minor improvements to some help/error messages. - -v0.4.1 (2015-01-08) - * Important usability fix to ensure that the .git-crypt directory - can't be encrypted by accident (see RELEASE_NOTES-0.4.1.md for - more information). - -v0.4 (2014-11-16) - (See RELEASE_NOTES-0.4.md for important details.) 
- * Add optional GPG support: GPG can be used to share the repository - between one or more users in lieu of sharing a secret key. - * New workflow: the symmetric key is now stored inside the .git - directory. Although backwards compatibility has been preserved - with repositories created by old versions of git-crypt, the - commands for setting up a repository have changed. See the - release notes file for details. - * Multiple key support: it's now possible to encrypt different parts - of a repository with different keys. - * Initial 'git-crypt status' command to report which files are - encrypted and to fix problems that are detected. - * Numerous usability, documentation, and error reporting improvements. - * Major internal code improvements that will make future development - easier. - * Initial experimental Windows support. - -v0.3 (2013-04-05) - * Fix 'git-crypt init' on newer versions of Git. Previously, - encrypted files were not being automatically decrypted after - running 'git-crypt init' with recent versions of Git. - * Allow 'git-crypt init' to be run even if the working tree contains - untracked files. - * 'git-crypt init' now properly escapes arguments to the filter - commands it configures, allowing both the path to git-crypt and the - path to the key file to contain arbitrary characters such as spaces. - -v0.2 (2013-01-25) - * Numerous improvements to 'git-crypt init' usability. - * Fix gitattributes example in README: the old example showed a colon - after the filename where there shouldn't be one. - * Various build fixes and improvements. - -v0.1 (2012-11-29) - * Initial release. diff --git a/README b/README deleted file mode 100644 index bd68e79..0000000 --- a/README +++ /dev/null 
@@ -1,160 +0,0 @@ -ABOUT GIT-CRYPT - -git-crypt enables transparent encryption and decryption of files in a -git repository. Files which you choose to protect are encrypted when -committed, and decrypted when checked out. git-crypt lets you freely -share a repository containing a mix of public and private content. -git-crypt gracefully degrades, so developers without the secret key can -still clone and commit to a repository with encrypted files. This lets -you store your secret material (such as keys or passwords) in the same -repository as your code, without requiring you to lock down your entire -repository. - -git-crypt was written by Andrew Ayer . For more -information, see . - - -BUILDING GIT-CRYPT - -See the INSTALL file. - - -USING GIT-CRYPT - -Configure a repository to use git-crypt: - - $ cd repo - $ git-crypt init - -Specify files to encrypt by creating a .gitattributes file: - - secretfile filter=git-crypt diff=git-crypt - *.key filter=git-crypt diff=git-crypt - secretdir/** filter=git-crypt diff=git-crypt - -Like a .gitignore file, it can match wildcards and should be checked into -the repository. See below for more information about .gitattributes. -Make sure you don't accidentally encrypt the .gitattributes file itself -(or other git files like .gitignore or .gitmodules). Make sure your -.gitattributes rules are in place *before* you add sensitive files, or -those files won't be encrypted! - -Share the repository with others (or with yourself) using GPG: - - $ git-crypt add-gpg-user USER_ID - -USER_ID can be a key ID, a full fingerprint, an email address, or anything -else that uniquely identifies a public key to GPG (see "HOW TO SPECIFY -A USER ID" in the gpg man page). Note: `git-crypt add-gpg-user` will -add and commit a GPG-encrypted key file in the .git-crypt directory of -the root of your repository. 
- -Alternatively, you can export a symmetric secret key, which you must -securely convey to collaborators (GPG is not required, and no files -are added to your repository): - - $ git-crypt export-key /path/to/key - -After cloning a repository with encrypted files, unlock with GPG: - - $ git-crypt unlock - -Or with a symmetric key: - - $ git-crypt unlock /path/to/key - -That's all you need to do - after git-crypt is set up (either with -`git-crypt init` or `git-crypt unlock`), you can use git normally - -encryption and decryption happen transparently. - - -CURRENT STATUS - -The latest version of git-crypt is 0.8.0, released on 2025-09-23. -git-crypt aims to be bug-free and reliable, meaning it shouldn't -crash, malfunction, or expose your confidential data. However, -it has not yet reached maturity, meaning it is not as documented, -featureful, or easy-to-use as it should be. Additionally, there may be -backwards-incompatible changes introduced before version 1.0. - - -SECURITY - -git-crypt is more secure than other transparent git encryption systems. -git-crypt encrypts files using AES-256 in CTR mode with a synthetic IV -derived from the SHA-1 HMAC of the file. This mode of operation is -provably semantically secure under deterministic chosen-plaintext attack. -That means that although the encryption is deterministic (which is -required so git can distinguish when a file has and hasn't changed), -it leaks no information beyond whether two files are identical or not. -Other proposals for transparent git encryption use ECB or CBC with a -fixed IV. These systems are not semantically secure and leak information. - - -LIMITATIONS - -git-crypt relies on git filters, which were not designed with encryption -in mind. As such, git-crypt is not the best tool for encrypting most or -all of the files in a repository. 
Where git-crypt really shines is where -most of your repository is public, but you have a few files (perhaps -private keys named *.key, or a file with API credentials) which you -need to encrypt. For encrypting an entire repository, consider using a -system like git-remote-gcrypt -instead. (Note: no endorsement is made of git-remote-gcrypt's security.) - -git-crypt does not encrypt file names, commit messages, symlink targets, -gitlinks, or other metadata. - -git-crypt does not hide when a file does or doesn't change, the length -of a file, or the fact that two files are identical (see "Security" -section above). - -git-crypt does not support revoking access to an encrypted repository -which was previously granted. This applies to both multi-user GPG -mode (there's no del-gpg-user command to complement add-gpg-user) -and also symmetric key mode (there's no support for rotating the key). -This is because it is an inherently complex problem in the context -of historical data. For example, even if a key was rotated at one -point in history, a user having the previous key can still access -previous repository history. This problem is discussed in more detail in -. - -Files encrypted with git-crypt are not compressible. Even the smallest -change to an encrypted file requires git to store the entire changed file, -instead of just a delta. - -Although git-crypt protects individual file contents with a SHA-1 -HMAC, git-crypt cannot be used securely unless the entire repository is -protected against tampering (an attacker who can mutate your repository -can alter your .gitattributes file to disable encryption). If necessary, -use git features such as signed tags instead of relying solely on -git-crypt for integrity. - -Files encrypted with git-crypt cannot be patched with git-apply, unless -the patch itself is encrypted. To generate an encrypted patch, use `git -diff --no-textconv --binary`. 
Alternatively, you can apply a plaintext -patch outside of git using the patch command. - -git-crypt does not work reliably with some third-party git GUIs, such -as Atlassian SourceTree -and GitHub for Mac. Files might be left in an unencrypted state. - - -GITATTRIBUTES FILE - -The .gitattributes file is documented in the gitattributes(5) man page. -The file pattern format is the same as the one used by .gitignore, -as documented in the gitignore(5) man page, with the exception that -specifying merely a directory (e.g. `/dir/`) is NOT sufficient to -encrypt all files beneath it. - -Also note that the pattern `dir/*` does not match files under -sub-directories of dir/. To encrypt an entire sub-tree dir/, use `dir/**`: - - dir/** filter=git-crypt diff=git-crypt - -The .gitattributes file must not be encrypted, so make sure wildcards don't -match it accidentally. If necessary, you can exclude .gitattributes from -encryption like this: - - .gitattributes !filter !diff From 567aec5222915baf73959bb05b6a2d814afb1498 Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Wed, 24 Sep 2025 09:07:58 -0400 Subject: [PATCH 21/23] Improve formatting of NEWS.md --- NEWS.md | 79 ++++++++++++++++++++++++++++----------------------------- 1 file changed, 39 insertions(+), 40 deletions(-) diff --git a/NEWS.md b/NEWS.md index b85ea9b..b702728 100644 --- a/NEWS.md +++ b/NEWS.md @@ -1,16 +1,15 @@ -News -==== +# Change Log -######v0.8.0 (2025-09-23) +## v0.8.0 (2025-09-23) * Remove OpenSSL 1.0 support, fix compilation with OpenSSL 3. * Avoid use of problematic short GPG key IDs. -######v0.7.0 (2022-04-21) +## v0.7.0 (2022-04-21) * Avoid "argument list too long" errors on macOS. * Fix handling of "-" arguments. * Minor documentation improvements. -######v0.6.0 (2017-11-26) +## v0.6.0 (2017-11-26) * Add support for OpenSSL 1.1 (still works with OpenSSL 1.0). * Switch to C++11 (gcc 4.9 or higher now required to build). * Allow GPG to fail on some keys (makes unlock work better if there are 
@@ -23,7 +22,7 @@ News * Ensure git-crypt's gpg files won't be treated as text by Git. * Minor improvements to build system, documentation. -######v0.5.0 (2015-05-30) +## v0.5.0 (2015-05-30) * Drastically speed up lock/unlock when used with Git 1.8.5 or newer. * Add git-crypt(1) man page (pass `ENABLE_MAN=yes` to make to build). * Add --trusted option to `git-crypt gpg-add-user` to add user even if 
@@ -34,49 +33,49 @@ News * Fix GPG mode when with-fingerprint enabled in gpg.conf. * Minor bug fixes and improvements to help/error messages. -######v0.4.2 (2015-01-31) +## v0.4.2 (2015-01-31) * Fix unlock and lock under Git 2.2.2 and higher. * Drop support for versions of Git older than 1.7.2. * Minor improvements to some help/error messages. -######v0.4.1 (2015-01-08) +## v0.4.1 (2015-01-08) * Important usability fix to ensure that the .git-crypt directory can't be encrypted by accident (see [the release notes](RELEASE_NOTES-0.4.1.md) for more information). -######v0.4 (2014-11-16) +## v0.4 (2014-11-16) (See [the release notes](RELEASE_NOTES-0.4.md) for important details.) -* Add optional GPG support: GPG can be used to share the repository - between one or more users in lieu of sharing a secret key. -* New workflow: the symmetric key is now stored inside the .git - directory. Although backwards compatibility has been preserved - with repositories created by old versions of git-crypt, the - commands for setting up a repository have changed. See the - release notes file for details. -* Multiple key support: it's now possible to encrypt different parts - of a repository with different keys. -* Initial `git-crypt status` command to report which files are - encrypted and to fix problems that are detected. -* Numerous usability, documentation, and error reporting improvements. -* Major internal code improvements that will make future development - easier. -* Initial experimental Windows support. +* Add optional GPG support: GPG can be used to share the repository + between one or more users in lieu of sharing a secret key. +* New workflow: the symmetric key is now stored inside the .git + directory. Although backwards compatibility has been preserved + with repositories created by old versions of git-crypt, the + commands for setting up a repository have changed. See the + release notes file for details. 
+* Multiple key support: it's now possible to encrypt different parts + of a repository with different keys. +* Initial `git-crypt status` command to report which files are + encrypted and to fix problems that are detected. +* Numerous usability, documentation, and error reporting improvements. +* Major internal code improvements that will make future development + easier. +* Initial experimental Windows support. -######v0.3 (2013-04-05) -* Fix `git-crypt init` on newer versions of Git. Previously, - encrypted files were not being automatically decrypted after running - `git-crypt init` with recent versions of Git. -* Allow `git-crypt init` to be run even if the working tree contains - untracked files. -* `git-crypt init` now properly escapes arguments to the filter - commands it configures, allowing both the path to git-crypt and the - path to the key file to contain arbitrary characters such as spaces. +## v0.3 (2013-04-05) +* Fix `git-crypt init` on newer versions of Git. Previously, + encrypted files were not being automatically decrypted after running + `git-crypt init` with recent versions of Git. +* Allow `git-crypt init` to be run even if the working tree contains + untracked files. +* `git-crypt init` now properly escapes arguments to the filter + commands it configures, allowing both the path to git-crypt and the + path to the key file to contain arbitrary characters such as spaces. -######v0.2 (2013-01-25) -* Numerous improvements to `git-crypt init` usability. -* Fix gitattributes example in [README](README.md): the old example - showed a colon after the filename where there shouldn't be one. -* Various build fixes and improvements. +## v0.2 (2013-01-25) +* Numerous improvements to `git-crypt init` usability. +* Fix gitattributes example in [README](README.md): the old example + showed a colon after the filename where there shouldn't be one. +* Various build fixes and improvements. -######v0.1 (2012-11-29) -* Initial release. 
+## v0.1 (2012-11-29) +* Initial release. From 1f1f5e41bd1a8de814d3e532be701621594d3468 Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Wed, 24 Sep 2025 10:03:32 -0400 Subject: [PATCH 22/23] Upgrade GitHub Actions Closes: #285 --- .github/workflows/release-linux-arm64.yml | 6 +++--- .github/workflows/release-linux.yml | 6 +++--- .github/workflows/release-windows.yml | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release-linux-arm64.yml b/.github/workflows/release-linux-arm64.yml index 4633e99..dc1bd9f 100644 --- a/.github/workflows/release-linux-arm64.yml +++ b/.github/workflows/release-linux-arm64.yml @@ -10,7 +10,7 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Install dependencies run: sudo apt install libssl-dev - name: Build binary @@ -32,13 +32,13 @@ jobs: with: name: git-crypt-artifacts - name: Upload release asset - uses: actions/github-script@v3 + uses: actions/github-script@v6 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | const fs = require("fs").promises; const { repo: { owner, repo }, sha } = context; - await github.repos.uploadReleaseAsset({ + await github.rest.repos.uploadReleaseAsset({ owner, repo, release_id: ${{ github.event.release.id }}, name: 'git-crypt-${{ github.event.release.name }}-linux-aarch64', diff --git a/.github/workflows/release-linux.yml b/.github/workflows/release-linux.yml index fb747d6..7f09f0f 100644 --- a/.github/workflows/release-linux.yml +++ b/.github/workflows/release-linux.yml @@ -10,7 +10,7 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Install dependencies run: sudo apt install libssl-dev - name: Build binary 
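Review bot: The bumped references `actions/checkout@v3` and `actions/github-script@v6` are still movable tags, and these workflows build and publish the release binaries, with the upload job granted `contents: write`. Pinning each action to a full commit SHA with the tag kept as a comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, fixes the code that runs in the release pipeline and makes it reviewable; the placeholder has to be replaced with a SHA the maintainers have verified. The same applies to the third-party `msys2/setup-msys2@v2` that appears as context in the release-windows.yml hunk, and to the `upload-artifact@v4` and `download-artifact@v4` steps of these workflows. The identical change is made in the release-linux.yml and release-windows.yml hunks that follow, so this note covers them as well.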
@@ -32,13 +32,13 @@ jobs: with: name: git-crypt-artifacts - name: Upload release asset - uses: actions/github-script@v3 + uses: actions/github-script@v6 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | const fs = require("fs").promises; const { repo: { owner, repo }, sha } = context; - await github.repos.uploadReleaseAsset({ + await github.rest.repos.uploadReleaseAsset({ owner, repo, release_id: ${{ github.event.release.id }}, name: 'git-crypt-${{ github.event.release.name }}-linux-x86_64', diff --git a/.github/workflows/release-windows.yml b/.github/workflows/release-windows.yml index 6ba2be2..158aa4f 100644 --- a/.github/workflows/release-windows.yml +++ b/.github/workflows/release-windows.yml @@ -10,7 +10,7 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Setup msys2 uses: msys2/setup-msys2@v2 with: @@ -42,13 +42,13 @@ jobs: with: name: git-crypt-artifacts - name: Upload release asset - uses: actions/github-script@v3 + uses: actions/github-script@v6 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | const fs = require("fs").promises; const { repo: { owner, repo }, sha } = context; - await github.repos.uploadReleaseAsset({ + await github.rest.repos.uploadReleaseAsset({ owner, repo, release_id: ${{ github.event.release.id }}, name: 'git-crypt-${{ github.event.release.name }}-x86_64.exe', From 8c7a90ff38fc9daf41e5f6ccb3f105ee82782231 Mon Sep 17 00:00:00 2001 From: rusty Date: Fri, 16 Feb 2018 16:28:03 +0000 Subject: [PATCH 23/23] Update URL for docbook.xsl Closes: #142 --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 8e4360d..1d2b1ef 100644 --- a/Makefile +++ b/Makefile 
@@ -11,7 +11,7 @@ BINDIR ?= $(PREFIX)/bin MANDIR ?= $(PREFIX)/share/man ENABLE_MAN ?= no -DOCBOOK_XSL ?= http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl +DOCBOOK_XSL ?= http://cdn.docbook.org/release/xsl-nons/current/manpages/docbook.xsl OBJFILES = \ git-crypt.o \
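Review bot: The replacement default for `DOCBOOK_XSL` is still a plain `http://` URL, so whenever the XSLT processor retrieves it over the network instead of resolving it to a locally installed copy, the stylesheet that generates the man page arrives unauthenticated. The rule that consumes the variable is outside this hunk, so how it is fetched cannot be confirmed from here. A comment above the assignment would tell packagers what to do, for example `# Set DOCBOOK_XSL to a local docbook.xsl path to build the man page without network access.` The variable is already assigned with `?=`, so that override needs no other change.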