Add SECRETS_PINENTRY env var and docs (#490)

* Add SECRETS_PINENTRY env var * add docs and tests for SECRETS_PINENTRY * improve diagnostic output * fix regex example for bats-core diagnostics
5 years ago · baf6c4113b
parent bb4b61c2c4
commit baf6c4113b
9 changed files with 50 additions and 11 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,11 @@
 # Changelog

+## {{Next Version}}
+
+### Bugfixes
+
+- Support SECRETS_PINENTRY env var for gnupg --pinentry-mode parameter (#221)
+
 ## Version 0.2.6

 ### Features
--- a/man/man1/git-secret-cat.1.ronn
+++ b/man/man1/git-secret-cat.1.ronn
@ -11,6 +11,9 @@ git-secret-cat - decrypts files passed on command line to stdout
 As with `git-secret-reveal`, you'll need to have a public/private keypair that is allowed to 
 decrypt this repo.

+Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See
+(See [git-secret(7)](http://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`.
+

 ## OPTIONS

--- a/man/man1/git-secret-changes.1.ronn
+++ b/man/man1/git-secret-changes.1.ronn
@ -12,6 +12,9 @@ You can provide any number of hidden files to this command as arguments, and it
 Note that files must be specified by their encrypted names, typically `filename.yml.secret`.
 If no arguments are provided, information about all hidden files will be shown.

+Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See
+(See [git-secret(7)](http://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`.
+

 ## OPTIONS

--- a/man/man1/git-secret-hide.1.ronn
+++ b/man/man1/git-secret-hide.1.ronn
@ -36,6 +36,9 @@ Also, it is possible to modify the names of the encrypted files by setting `SECR
 (See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
 folder using the SECRETS_DIR environment variable.

+You can also enable verbosity using the SECRETS_VERBOSE environment variable,
+as documented at [git-secret(7)](http://git-secret.io/)
+

 ## OPTIONS

@ -47,9 +50,6 @@ folder using the SECRETS_DIR environment variable.
    -m  - encrypt files only when modified.
    -h  - shows help.

-You can also enable verbosity using the SECRETS_VERBOSE environment variable,
-as documented at [git-secret(7)](http://git-secret.io/)
-
 ## MANUAL

 Run `man git-secret-hide` to see this note.
--- a/man/man1/git-secret-reveal.1.ronn
+++ b/man/man1/git-secret-reveal.1.ronn
@ -13,9 +13,6 @@ You will need to have imported the paired secret-key with one of the
 public-keys which were used in the encryption.
 Under the hood, this uses the `gpg --decrypt` command. 

-(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
-folder using the SECRETS_DIR environment variable.
-

 ## OPTIONS

@ -27,6 +24,9 @@ folder using the SECRETS_DIR environment variable.
    -P  - preserve permissions of encrypted file in unencrypted file.
    -h  - shows help.

+(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
+folder using the SECRETS_DIR environment variable.
+

 ## MANUAL

--- a/man/man7/git-secret.7.ronn
+++ b/man/man7/git-secret.7.ronn
@ -67,6 +67,9 @@ After doing so rerun the tests to be sure that it won't break anything. Tested t
 * `$SECRETS_DIR` - sets the directory where git-secret stores its files, defaults to .gitsecret. 
 It can be changed to any valid directory name.

+* `$SECRETS_PINENTRY` - allows user to specify a setting for `gpg`'s --pinentry option. 
+See `gpg` docs for details about gpg's --pinentry option.
+
 ## The `.gitsecret` folder (can be overridden with SECRETS_DIR)

 This folder contains information about the files encrypted by git-secret, 
--- a/src/_utils/_git_secret_tools.sh
+++ b/src/_utils/_git_secret_tools.sh
@ -95,7 +95,7 @@ AWK_GPG_VER_CHECK='
 '

 # This is 1 for gpg version 2.1 or greater, otherwise 0
-GPG_VER_21="$($SECRETS_GPG_COMMAND --version | gawk "$AWK_GPG_VER_CHECK")"
+GPG_VER_MIN_21="$($SECRETS_GPG_COMMAND --version | gawk "$AWK_GPG_VER_CHECK")"


 # Bash:
@ -681,8 +681,12 @@ function _decrypt {
    args+=( "--homedir" "$homedir" )
  fi

-  if [[ "$GPG_VER_21" -eq 1 ]]; then
-    args+=( "--pinentry-mode" "loopback" )
+  if [[ "$GPG_VER_MIN_21" -eq 1 ]]; then
+    if [[ -n "$SECRETS_PINENTRY" ]]; then
+      args+=( "--pinentry-mode" "$SECRETS_PINENTRY" )
+    else
+      args+=( "--pinentry-mode" "loopback" )
+    fi
  fi

  if [[ -z "$_SECRETS_VERBOSE" ]]; then
--- a/tests/test_reveal.bats
+++ b/tests/test_reveal.bats
@ -186,3 +186,23 @@ function teardown {
  # Cleaning up:
  uninstall_fixture_full_key "$TEST_SECOND_USER" "$second_fingerprint"
 }
+
+@test "run 'reveal' with SECRETS_PINENTRY=loopback" {
+  rm -f "$FILE_TO_HIDE"
+
+  local password=$(test_user_password "$TEST_DEFAULT_USER")
+  SECRETS_PINENTRY=loopback run git secret reveal -d "$TEST_GPG_HOMEDIR" -p "$password"
+  [ "$status" -eq 0 ]
+}
+
+@test "run 'reveal' with SECRETS_PINENTRY=error" {
+  if [[ "$GPG_VER_MIN_21" -ne 1 ]]; then
+    skip "this test is skipped on gpg before version 2.1"
+  fi
+
+  rm -f "$FILE_TO_HIDE"
+
+  local password=$(test_user_password "$TEST_DEFAULT_USER")
+  SECRETS_PINENTRY=error run git secret reveal -d "$TEST_GPG_HOMEDIR" -p "$password"
+  [ "$status" -ne 0 ]
+}
--- a/utils/tests.sh
+++ b/utils/tests.sh
@ -8,7 +8,7 @@ TEST_DIR=/tmp/git-secret-test

 rm -rf "${TEST_DIR}" 
 mkdir "${TEST_DIR}"
-echo "Created dir: ${TEST_DIR}"
+echo "# created dir: ${TEST_DIR}"

 chmod 0700 "${TEST_DIR}"
 (
@ -21,7 +21,7 @@ chmod 0700 "${TEST_DIR}"
    export TMPDIR="${TEST_DIR}"
    echo "# TMPDIR is $TMPDIR" 

-    # bats expects diagnostic lines to be sent to fd 3, matching regex '^ #' 
+    # bats expects diagnostic lines to be sent to fd 3, matching regex '^# ' 
    #  (IE, like: `echo '# message here' >&3`).
    # bats ... 3>&1 shows diagnostic output
    bats "${SECRET_PROJECT_ROOT}/tests/" 3>&1