Archives
/
git-secret
mirror of https://github.com/sobolevn/git-secret
2
1
Fork 0
Code Issues Projects Releases Wiki Activity

Fixes docs generation and improves docs

Browse Source
pull/662/head
sobolevn 3 years ago committed by Nikita Sobolev
parent a342993dd6
commit e52038b786
35 changed files with 80 additions and 1594 deletions
Show Stats Download Patch File Download Diff File

15
.ci/before_deploy.sh
Unescape Escape View File

@ -1,15 +0,0 @@
#!/usr/bin/env bash
set -e
if [[ "$GITSECRET_DIST" == "rpm" ]]; then
# To deploy `rpm`-packages this utility is needed:
sudo apt-get install -y rpm;
fi
# if not null GITSECRET_DIST
if [[ -n "$GITSECRET_DIST" ]]; then
# When making a non-container build, this step will generate
# proper manifest files:
make "deploy-$GITSECRET_DIST";
fi

21
.ci/before_script.sh
Unescape Escape View File

@ -1,21 +0,0 @@
#!/usr/bin/env bash
set -e
# Mac:
if [[ "$GITSECRET_DIST" == "brew" ]]; then
brew update
gnupg_installed="$(brew list | grep -c "gnupg")"
[[ "$gnupg_installed" -ge 1 ]] || brew install gnupg
if [[ -f "/usr/local/bin/gpg1" ]]; then
ln -s /usr/local/bin/gpg1 /usr/local/bin/gpg
fi
brew install gawk shellcheck
fi
# Windows
if [[ "$GITSECRET_DIST" == "windows" ]]; then
choco install make shellcheck -y
fi

8
.github/workflows/github-pages.yml vendored
Unescape Escape View File

@ -11,9 +11,11 @@ jobs:
steps:
- uses: actions/checkout@v2
with:
submodules: recursive
persist-credentials: false
- name: Build manuals
run: |
make build-man
cp -r man/ docs/man
- name: Deploy to Pages
uses: JamesIves/github-pages-deploy-action@4.1.1

3
.gitignore vendored
Unescape Escape View File

@ -133,6 +133,9 @@ build/
*.deb
*.fpm
# Docs:
docs/man
# Kitchen files
Gemfile.lock
.kitchen/

207
CONTRIBUTING.md
Unescape Escape View File

@ -2,11 +2,28 @@
Your contributions are always welcome!
## Getting started
1. Create your own or pick an opened issue from the [tracker](https://github.com/sobolevn/git-secret/issues). Take a look at the [`help-wanted` tag](https://github.com/sobolevn/git-secret/labels/help%20wanted)
2. Fork the git-secret repo and then clone the repository using a command like `git clone https://github.com/${YOUR_NAME}/git-secret.git`
3. Make sure that everything works on the current platform by running `make test`.
You can also try the experimental `SECRETS_TEST_VERBOSE=1 make test`, which will
show you a lot of debug output while the tests are running.
Note that 'experimental' features may change or be removed in a future version of `git-secret`.
4. If you want to test on multiple operating systems just push your PR, GitHub Actions will cover everything else
Basically, our `make` file is the only thing you will need to work with this repo.
## Process
### Environment
For development with `git-secret` you should have these tools:
For development of `git-secret` you should have these tools locally:
- git
- bash
@ -14,75 +31,27 @@ For development with `git-secret` you should have these tools:
- gawk
- gnupg (or gnupg2), see below if not packaged by your distribution/OS (i.e. MacOS)
- ruby
- sha256sum (on freebsd and MacOS `shasum` is used instead)
- sha256sum (on freebsd and MacOS `shasum` is used instead)
- make
- [shellcheck](https://github.com/koalaman/shellcheck)
To test `git-secret` using [test-kitchen](https://kitchen.ci/), which is optional and uses docker to test on multiple distributions,
you will also need:
To test `git-secret` you will need:
- [docker](https://www.docker.com/)
- [test-kitchen](https://kitchen.ci/)
The below only required if dealing with manuals, `gh-pages` or releases:
- ruby, ruby-dev
- [aspell](http://aspell.net/), to check your changes for spelling errors
### Environment MacOS
- install [Homebrew](https://brew.sh/)
- install gnupg2 with `brew install gnupg2`
#### For docker/test-kitchen (optional, for testing multiple distros locally using docker)
- install Docker for Mac
- install ruby2.6 and kitchen dependencies with
brew install rbenv ruby-build rbenv-vars;
rbenv install 2.6.3; rbenv rehash; rbenv global 2.6.3;
(You can also use `rvm` instead of `rbenv`, but brew packages `rbenv` for you.)
then use
gem install bundler kitchen-ansible serverspec kitchen-docker kitchen-verifier-serverspec
If you have trouble getting test-kitchen and docker working on your mac to test git-secret with, see #534
or let us know by filing an issue.
### Getting started
1. Create your own or pick an opened issue from the [tracker][tracker]. Take a look at the [`help-wanted` tag][help-wanted]
2. Fork the git-secret repo and then clone the repository using a command like `git clone https://github.com/${YOUR_NAME}/git-secret.git`
3. Make sure that everything works on the current platform by running `make test`.
You can also try the experimental `SECRETS_TEST_VERBOSE=1 make test`, which will
show you a lot of debug output while the tests are running.
Note that 'experimental' features may change or be removed in a future version of `git-secret`.
4. If you want to test on multiple operating systems, [Run local CI tests](#running-local-ci-tests) (optional; this will
automatically happen on [Travis-CI](https://travis-ci.org/sobolevn/git-secret) when you submit a PR).
Running the CI tests locally is optional. The tests will happen automatically on Travis-CI
when you create a PR for `git-secret`, and again when any PR is merged.
To verify functionality on supported platforms use `bundle exec kitchen verify --test-base-path="$PWD/.ci/integration"`.
See `[test-kitchen](https://kitchen.ci/) and `kitchen help verify` for more info about using `kitchen verify`.
### Code style
New features and changes should aim to be as clear, concise, simple, and consistent
1. clear: make it as obvious as possible what the code is doing
2. concise: your PR should be as few characters (not just lines) of changes as _reasonable_.
However, generally choose clarity over being concise.
2. concise: your PR should be as few characters (not just lines) of changes as _reasonable_.
However, generally choose clarity over being concise.
Clarity and conciseness can be in conflict with each other. But
it's more important for the code to be understandable than for it to be small.
Therefore favor writing clear code over making shorter diffs in your PRs.
3. simple: this dovetails with the previous two items.
3. simple: this dovetails with the previous two items.
git-secret is a security product, so it's best to have the code be easy to understand.
This also aids future development and helps minimize bugs.
@ -90,24 +59,24 @@ New features and changes should aim to be as clear, concise, simple, and consist
Every code base has its own conventions and style that develop and accrete over time.
Consistency also means that the inputs and outputs of git-secret should be as consistent as reasonable
with related Unix and git tools, and follow the 'rule of least surprise',
with related Unix and git tools, and follow the 'rule of least surprise',
also known as the 'principle of least astonishment': <https://en.wikipedia.org/wiki/Principle_of_least_astonishment>
We wrote this to clarify our thinking about how git-secret should be written. Of course, these are philosophical goals,
We wrote this to clarify our thinking about how git-secret should be written. Of course, these are philosophical goals,
not necessities for releasing code, so balancing these four ideals _perfectly_ is both unwarranted and impossible.
### Writing PRs
If you're planning a large change to `git-secret` (for example, a lot of lines/characters of diffs, affecting multiple commands,
changing/adding a lot of behavior, or adding multiple command-line options), it's best to discuss the changes in an Issue first.
Also it's often best to implement larger or complex changes as a series of planned-out, smaller PRs,
If you're planning a large change to `git-secret` (for example, a lot of lines/characters of diffs, affecting multiple commands,
changing/adding a lot of behavior, or adding multiple command-line options), it's best to discuss the changes in an Issue first.
Also it's often best to implement larger or complex changes as a series of planned-out, smaller PRs,
each making a small set of specific changes. This facilitates discussions of implementation, which often come to light
only after seeing the actual code used to perform a task.
As mentioned above, we seek to be consistent with surrounding git and Unix tools, so when writing changes to git-secret,
think about the input, output, and command-line options that similar Unix commands use.
Our favor toward traditional Unix and git command-style inputs and outputs can also mean it's appropriate to
Our favor toward traditional Unix and git command-style inputs and outputs can also mean it's appropriate to
lean heavily on git and widely-used Unix command features instead of re-implementing them in code.
### Development Process
@ -119,20 +88,20 @@ This will copy the hooks from utils/hooks into .git/hooks/pre-commit and .git/ho
3. When making changes to any files inside `src/`, for changes to take effect you will need to rebuild the `git-secret` script with `make clean && make build`
4. Run [`shellcheck`][shellcheck] against all your changes with `make lint`.
4. Run `shellcheck` against all your changes with `make lint`.
You should also check your changes for spelling errors using 'aspell -c filename'.
5. Add an entry to CHANGELOG.md, referring to the related issue # if appropriate
6. Change the .ronn file(s) in man/man1 and man/man7 to document your changes if appropriate
7. Now, add all your files to the commit with `git add --all` and commit changes with `git commit`.
7. Now, add all your files to the commit with `git add --all` and commit changes with `git commit`.
Write a good commit message which explains your work
8. When running `git commit` the tests will run automatically, your commit will be canceled if they fail.
You can run the tests manually with `make clean build test`.
If you want to make a commit and not run the pre- and post-commit hooks, use 'git commit -n'
9. Push to your repository, and make a pull-request against `master` branch. It's ideal to have one commit per pull-request,
but don't worry, it's easy to `squash` PRs into a small number of commits when they're merged.
@ -148,25 +117,12 @@ Development looks like this:
- `master` branch is protected, so only fully tested code goes there. It is also used to create a new `git` tag and a `github` release
By convention, you can name your branches like `issue-###-short-description`, but that's not required.
The `gh-pages` branch is used for the pages at `git-secret.io`. See 'Release Process' below.
### Continuous integration
Local CI is done with the help [`test-kitchen`](http://kitchen.ci/). `test-kitchen` handles multiple test-suites on various platforms.
You can run our CI tests locally, but it is not strictly required in order to do development or testing of git-secret. When you have
`test-kitchen` installed, `bundle exec kitchen list` will output the list of test suites to be run against supported platforms.
Cloud CI is done with the help of [Travis-CI](https://travis-ci.org/sobolevn/git-secret), which handles testing on multiple environments using
- `Docker`-based jobs or so-called 'integration tests', which create a local release, install it with the package manager and then run unit-tests and system checks
- `OSX` jobs, which handle basic unit-tests on `MacOS` (Travis still calls MacOS 'OSX')
- Native `travis` jobs, which handle basic unit-tests and style checks
The `gh-pages` branch is used for the pages at `git-secret.io`. See 'Release Process' below.
### Running local ci-tests with test-kitchen
Ci-tests are only necessary if you want to test git-secret on multiple OS'es using docker and test-kitchen,
like we do on travis-ci.
like we do on travis-ci.
1. Install required gems with `bundle install`.
2. Run ci-tests with `bundle exec kitchen verify --test-base-path="$PWD/.ci/integration"`
@ -177,7 +133,7 @@ like we do on travis-ci.
See the files in tests/ and the `bats-core` documentation for details.
Because the output of many commands can be affected by the SECRETS_VERBOSE environment
variable (which enables verbosity), it's best not to expect a particular number of lines of
variable (which enables verbosity), it's best not to expect a particular number of lines of
output from commands.
### Release process
@ -185,12 +141,12 @@ output from commands.
To create a new release, (you'll first need permission to commit to the repo, of course):
Update the content of `CHANGELOG.md` for the release (this should be a matter of changing headers),
and update the version string in `src/version.sh`. Then, when you `commit` these changes,
and update the version string in `src/version.sh`. Then, when you `commit` these changes,
the git-hooks described below will perform most of the steps needed for the github release.
So a lot of the release process is defined in the `git`-hooks and `.travis.yml`.
When creating a commit inside the `master` branch (it is usually a documentation and changelog update with the version bump inside `src/version.sh`) the
When creating a commit inside the `master` branch (it is usually a documentation and changelog update with the version bump inside `src/version.sh`) the
pre-commit and post-commit hooks will trigger three events.
- `pre-commit`: run the test suite will be locally
@ -207,29 +163,21 @@ if [[ "$NEWEST_TAG" != "v${SCRIPT_VERSION}" ]]; then
fi
```
After all the above hooks have executed, travis-ci will test and build releases for specific platforms
After all the above hooks have executed, travis-ci will test and build releases for specific platforms
(see https://bintray.com/sobolevn/deb/git-secret, https://bintray.com/sobolevn/rpm/git-secret, etc).
While travis is doing it's building and testing, finish the release on github by pushing the new tag with
While travis is doing it's building and testing, finish the release on github by pushing the new tag with:
git push --tags
```bash
git push --tags
```
and then go to https://github.com/sobolevn/git-secret/releases and 'draft a new release',
setting up a production release like the previous ones.
#### About GnuPG
#### GitHub automated releases
Here are some links to gnupg documentation that might be useful for those working with git-secret:
- [GnuPG PDF Documentation](https://www.gnupg.org/documentation/manuals/gnupg.pdf)
- [GnuPG doc/DETAILS File](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS)
#### Travis releases
After you commit a tag that matches the pattern '^v' and the tests succeed, scripts run on [Travis-CI](https://travis-ci.org/sobolevn/git-secret)
will publish new `deb` and `rpm` packages to [`bintray`][bintray].
(If you need to override a previous release (*this is highly discouraged*) you will need to add `"override": 1` into `matrixParams`, see `deb-deploy.sh` and `rpm-deploy.sh`)
TODO
#### Manual releases
@ -238,36 +186,34 @@ To get started, see the
[Homebrew docs about Formulae-related PRs](https://docs.brew.sh/How-To-Open-a-Homebrew-Pull-Request#formulae-related-pull-request)
and `brew bump-formula-pr --help`
#### Dockerhub releases
[`Dockerhub`][Dockerhub] contains `Docker` images with different OSes used for testing. It is updated via a `github` webhook on commit into `master`.
[tracker]: https://github.com/sobolevn/git-secret/issues
[help-wanted]: https://github.com/sobolevn/git-secret/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22
[shellcheck]: https://github.com/koalaman/shellcheck
[git-secret-site]: http://git-secret.io
[bintray]: https://bintray.com/sobolevn
[Dockerhub]: https://hub.docker.com/r/sobolevn/git-secret/
### Downstream Packages
There are several distributions and packaging systems that may already have git-secret packaged for your distribution (although sometimes their versions are not the most current, and we recommend all users upgrade to 0.2.5 or above).
There are several distributions and packaging systems that may already have git-secret packaged for your distribution (although sometimes their versions are not the most current, and we recommend all users upgrade to 0.2.5 or above).
### Notes to Downstream Packagers (Those who make packages for specific OSes/distributions)
First of all, thank you for packaging git-secret for your platform! We appreciate it.
We also would like to welcome you to collaborate or discuss any issues, ideas or thoughts you have about
git-secret by submitting [issue report](https://github.com/sobolevn/git-secret/issues)
(which can also be feature requests) or
[pull requests](https://help.github.com/en/articles/creating-a-pull-request)
via the git repo at
[git-secret on github](https://github.com/sobolevn/git-secret)
We also would like to welcome you to collaborate or discuss any issues, ideas or thoughts you have about
git-secret by submitting [issue report](https://github.com/sobolevn/git-secret/issues)
(which can also be feature requests) or
[pull requests](https://help.github.com/en/articles/creating-a-pull-request)
via the git repo at
[git-secret on github](https://github.com/sobolevn/git-secret)
Please let us know if there are any changes you'd like to see to the source,
packaging, testing, documentation, or other aspect of git-secret.
Please let us know if there are any changes you'd like to see to the source,
packaging, testing, documentation, or other aspect of git-secret.
We look forward to hearing from you.
## About GnuPG
Here are some links to gnupg documentation that might be useful for those working with git-secret:
- [GnuPG PDF Documentation](https://www.gnupg.org/documentation/manuals/gnupg.pdf)
- [GnuPG doc/DETAILS File](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS)
## Financial contributions
We also welcome financial contributions in full transparency on our [open collective](https://opencollective.com/git-secret).
@ -276,32 +222,23 @@ Anyone can file an expense. If the expense makes sense for the development of th
## Credits
### Contributors
Thank you to all the people who have already contributed
to git-secret via commits to our git repository!
<a href="http://github.com/sobolevn/git-secret/graphs/contributors"><img src="https://opencollective.com/git-secret/contributors.svg?width=890" /></a>
Thank you to all the people who have already contributed
to `git-secret` via commits to our git repository!
[![List of contributors](https://opencollective.com/git-secret/contributors.svg?width=890&button=0)](https://github.com/sobolevn/git-secret/contributors)
### Backers
Thank you to all our backers! [[Become a backer](https://opencollective.com/git-secret#backer)]
<a href="https://opencollective.com/git-secret#backers" target="_blank"><img src="https://opencollective.com/git-secret/backers.svg?width=890"></a>
<object type="image/svg+xml" data="https://opencollective.com/git-secret/tiers/backer.svg?avatarHeight=36&width=600" style="max-width: 100%;"></object>
### Sponsors
Thank you to all our sponsors! (please ask your company to also support this open source project by [becoming a sponsor](https://opencollective.com/git-secret#sponsor))
<a href="https://opencollective.com/git-secret/sponsor/0/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/0/avatar.svg"></a>
<a href="https://opencollective.com/git-secret/sponsor/1/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/1/avatar.svg"></a>
<a href="https://opencollective.com/git-secret/sponsor/2/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/2/avatar.svg"></a>
<a href="https://opencollective.com/git-secret/sponsor/3/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/3/avatar.svg"></a>
<a href="https://opencollective.com/git-secret/sponsor/4/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/4/avatar.svg"></a>
<a href="https://opencollective.com/git-secret/sponsor/5/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/5/avatar.svg"></a>
<a href="https://opencollective.com/git-secret/sponsor/6/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/6/avatar.svg"></a>
<a href="https://opencollective.com/git-secret/sponsor/7/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/7/avatar.svg"></a>
<a href="https://opencollective.com/git-secret/sponsor/8/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/8/avatar.svg"></a>
<a href="https://opencollective.com/git-secret/sponsor/9/website" target="_blank"><img src="https://opencollective.com/git-secret/sponsor/9/avatar.svg"></a>
<object type="image/svg+xml" data="https://opencollective.com/git-secret/tiers/sponsor.svg?avatarHeight=36&width=600" style="max-width: 100%;"></object>

4
docs/Makefile
Unescape Escape View File

@ -1,4 +0,0 @@
all: build
build:
@/usr/bin/env bash ./create_posts.sh

62
docs/create_posts.sh
Unescape Escape View File

@ -1,62 +0,0 @@
#!/usr/bin/env bash
set -e
MAN_LOCATION="man/man1"
MAN7_LOCATION="man/man7"
POSTS_LOCATION="_posts"
function checkout_manuals {
git checkout master "$MAN_LOCATION"
git checkout master "$MAN7_LOCATION"
# rm -f $MAN_LOCATION/*.1
}
function copy_to_posts {
# Cleaning old files:
rm -f "$POSTS_LOCATION/*.md"
rm -rf "$POSTS_LOCATION"
mkdir -p "$POSTS_LOCATION"
# Moving new command files:
local timestamp
local current_date
timestamp=$(date "+%Y-%m-%d %H:%M:%S %z")
current_date=$(date "+%Y-%m-%d")
# Creating command refernce:
for com in $MAN_LOCATION/git-secret-*.1.ronn; do
local short_name
short_name=$(echo "$com" | sed -n "s|$MAN_LOCATION/\(.*\)\.1\.ronn|\1|p")
local command_header="---
layout: post
title: '${short_name}'
date: ${timestamp}
permalink: ${short_name}
categories: command
---"
local post_filename="$POSTS_LOCATION/${current_date}-${short_name}.md"
echo "$command_header" > "$post_filename"
cat "$com" >> "$post_filename"
done
# Creating main usage file:
local usage_header="---
layout: post
title: 'git-secret'
date: ${timestamp}
permalink: git-secret
categories: usage
---"
local usage_filename="$POSTS_LOCATION/${current_date}-git-secret.md"
echo "$usage_header" > "$usage_filename"
cat "$MAN7_LOCATION/git-secret.7.ronn" >> "$usage_filename"
}
checkout_manuals
copy_to_posts

45
docs/man/man1/git-secret-add.1
Unescape Escape View File

@ -1,45 +0,0 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-ADD" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
.
.SH "NAME"
\fBgit\-secret\-add\fR \- starts to track added files\.
.
.SH "SYNOPSIS"
.
.nf
git secret add [\-i] <pathspec>\.\.\.
.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-add\fR adds a filepath(s) into \fB\.gitsecret/paths/mapping\.cfg\fR and ensures the filepath is mentioned \.gitignore\.
.
.P
When adding files to encrypt, \fBgit\-secret\-add\fR (as of 0\.2\.6) will ensure that they are ignored by \fBgit\fR by mentioning them in \.gitignore, since they must be secure and not be committed into the remote repository unencrypted\.
.
.P
If there\'s no users in the \fBgit\-secret\fR\'s keyring, when adding a file, an exception will be raised\.
.
.P
Use the \fBgit secret add\fR command to add filenames to this file\. It is not recommended to add filenames directly into \fB\.gitsecret/paths/mapping\.cfg\fR\.
.
.P
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\.
.
.SH "OPTIONS"
.
.nf
\-i \- does nothing, adding paths to \.gitignore is now the default behavior\.
\-h \- shows this help\.
.
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-add\fR to see this note\.
.
.SH "SEE ALSO"
git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR

38
docs/man/man1/git-secret-add.1.ronn
Unescape Escape View File

@ -1,38 +0,0 @@
git-secret-add - starts to track added files.
=============================================
## SYNOPSIS
git secret add [-i] <pathspec>...
## DESCRIPTION
`git-secret-add` adds a filepath(s) into `.gitsecret/paths/mapping.cfg`
and ensures the filepath is mentioned .gitignore.
When adding files to encrypt, `git-secret-add` (as of 0.2.6) will ensure that they are ignored by `git` by mentioning
them in .gitignore, since they must be secure and not be committed into the remote repository unencrypted.
If there's no users in the `git-secret`'s keyring, when adding a file, an exception will be raised.
Use the `git secret add` command to add filenames to this file.
It is not recommended to add filenames directly into `.gitsecret/paths/mapping.cfg`.
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
folder using the SECRETS_DIR environment variable.
## OPTIONS
-i - does nothing, adding paths to .gitignore is now the default behavior.
-h - shows this help.
## MANUAL
Run `man git-secret-add` to see this note.
## SEE ALSO
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell),
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal)

37
docs/man/man1/git-secret-cat.1
Unescape Escape View File

@ -1,37 +0,0 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-CAT" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
.
.SH "NAME"
\fBgit\-secret\-cat\fR \- decrypts files passed on command line to stdout
.
.SH "SYNOPSIS"
.
.nf
git secret cat [\-d dir] [\-p password] filename [filenames]
.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-cat\fR \- Outputs to stdout the contents of the files named on the command line\. As with \fBgit\-secret\-reveal\fR, you\'ll need to have a public/private keypair that is allowed to decrypt this repo\.
.
.P
Note also that this command can be affected by the \fBSECRETS_PINENTRY\fR environment variable\. See (See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information using \fBSECRETS_PINENTRY\fR\.
.
.SH "OPTIONS"
.
.nf
\-d \- specifies `\-\-homedir` option for the `gpg`, basically use this option if you store your keys in a custom location\.
\-p \- specifies password for noinput mode, adds `\-\-passphrase` option for `gpg`\.
\-h \- shows help\.
.
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-cat\fR to see this note\.
.
.SH "SEE ALSO"
git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR

32
docs/man/man1/git-secret-cat.1.ronn
Unescape Escape View File

@ -1,32 +0,0 @@
git-secret-cat - decrypts files passed on command line to stdout
=============================================
## SYNOPSIS
git secret cat [-d dir] [-p password] filename [filenames]
## DESCRIPTION
`git-secret-cat` - Outputs to stdout the contents of the files named on the command line.
As with `git-secret-reveal`, you'll need to have a public/private keypair that is allowed to
decrypt this repo.
Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See
(See [git-secret(7)](http://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`.
## OPTIONS
-d - specifies `--homedir` option for the `gpg`, basically use this option if you store your keys in a custom location.
-p - specifies password for noinput mode, adds `--passphrase` option for `gpg`.
-h - shows help.
## MANUAL
Run `man git-secret-cat` to see this note.
## SEE ALSO
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-cat)

37
docs/man/man1/git-secret-changes.1
Unescape Escape View File

@ -1,37 +0,0 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-CHANGES" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
.
.SH "NAME"
\fBgit\-secret\-changes\fR \- view diff of the hidden files\.
.
.SH "SYNOPSIS"
.
.nf
git secret changes [\-h] [\-d dir] [\-p password] [pathspec]\.\.\.
.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-changes\fR \- shows changes between the current version of hidden files and the ones already committed\. You can provide any number of hidden files to this command as arguments, and it will show changes for these files only\. Note that files must be specified by their encrypted names, typically \fBfilename\.yml\.secret\fR\. If no arguments are provided, information about all hidden files will be shown\.
.
.P
Note also that this command can be affected by the \fBSECRETS_PINENTRY\fR environment variable\. See (See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information using \fBSECRETS_PINENTRY\fR\.
.
.SH "OPTIONS"
.
.nf
\-d \- specifies `\-\-homedir` option for the `gpg`\. Use this option if your store your keys in a custom location\.
\-p \- specifies password for noinput mode, adds `\-\-passphrase` option for `gpg`\.
\-h \- shows help\.
.
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-changes\fR to see this note\.
.
.SH "SEE ALSO"
git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR

35
docs/man/man1/git-secret-changes.1.ronn
Unescape Escape View File

@ -1,35 +0,0 @@
git-secret-changes - view diff of the hidden files.
===================================================
## SYNOPSIS
git secret changes [-h] [-d dir] [-p password] [pathspec]...
## DESCRIPTION
`git-secret-changes` - shows changes between the current version of hidden files and the ones already committed.
You can provide any number of hidden files to this command as arguments, and it will show changes for these files only.
Note that files must be specified by their encrypted names, typically `filename.yml.secret`.
If no arguments are provided, information about all hidden files will be shown.
Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See
(See [git-secret(7)](http://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`.
## OPTIONS
-d - specifies `--homedir` option for the `gpg`. Use this option if your store your keys in a custom location.
-p - specifies password for noinput mode, adds `--passphrase` option for `gpg`.
-h - shows help.
## MANUAL
Run `man git-secret-changes` to see this note.
## SEE ALSO
[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-tell(1)](http://git-secret.io/git-secret-tell),
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
[git-secret-cat(1)](http://git-secret.io/git-secret-cat)

36
docs/man/man1/git-secret-clean.1
Unescape Escape View File

@ -1,36 +0,0 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-CLEAN" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
.
.SH "NAME"
\fBgit\-secret\-clean\fR \- removes all the hidden files\.
.
.SH "SYNOPSIS"
.
.nf
git secret clean [\-v]
.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-clean\fR deletes all the encrypted files\. Verbose output is enabled with the \-v option, in which case the program prints which files are deleted\.
.
.SH "OPTIONS"
.
.nf
\-v \- verbose mode, shows which files are deleted\.
\-h \- shows this help\.
.
.fi
.
.P
You can also enable verbosity using the SECRETS_VERBOSE environment variable, as documented at git\-secret(7) \fIhttp://git\-secret\.io/\fR
.
.SH "MANUAL"
Run \fBman git\-secret\-clean\fR to see this note\.
.
.SH "SEE ALSO"
git\-secret\-whoknows(1) \fIhttp://git\-secret\.io/git\-secret\-whoknows\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-remove(1) \fIhttp://git\-secret\.io/git\-secret\-remove\fR, git\-secret\-killperson(1) \fIhttp://git\-secret\.io/git\-secret\-killperson\fR

30
docs/man/man1/git-secret-clean.1.ronn
Unescape Escape View File

@ -1,30 +0,0 @@
git-secret-clean - removes all the hidden files.
================================================
## SYNOPSIS
git secret clean [-v]
## DESCRIPTION
`git-secret-clean` deletes all the encrypted files.
Verbose output is enabled with the -v option, in which case the program prints which files are deleted.
## OPTIONS
-v - verbose mode, shows which files are deleted.
-h - shows this help.
You can also enable verbosity using the SECRETS_VERBOSE environment variable,
as documented at [git-secret(7)](http://git-secret.io/)
## MANUAL
Run `man git-secret-clean` to see this note.
## SEE ALSO
[git-secret-whoknows(1)](http://git-secret.io/git-secret-whoknows), [git-secret-add(1)](http://git-secret.io/git-secret-add),
[git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)

62
docs/man/man1/git-secret-hide.1
Unescape Escape View File

@ -1,62 +0,0 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-HIDE" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
.
.SH "NAME"
\fBgit\-secret\-hide\fR \- encrypts all added files with the inner keyring\.
.
.SH "SYNOPSIS"
.
.nf
git secret hide [\-c] [\-F] [\-P] [\-v] [\-d] [\-m]
.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-hide\fR creates an encrypted version (typically called \fBfilename\.txt\.secret\fR) of each file added by \fBgit\-secret\-add\fR command\. Now anyone enabled via \'git secret tell\' can can decrypt these files\. Under the hood, \fBgit\-secret\fR uses the keyring in \fB\.gitsecret/keys\fR and user\'s secret keys to decrypt the files\.
.
.P
It is recommended to encrypt (or re\-encrypt) all the files in a git\-secret repo each time \fBgit secret hide\fR is run\.
.
.P
Otherwise the keychain (the one stored in \fB\.gitsecret/keys/*\.gpg\fR), may have changed since the last time the files were encrypted, and it\'s possible to create a state where the users in the output of \fBgit secret whoknows\fR may not be able to decrypt the some files in the repo, or may be able decrypt files they\'re not supposed to be able to\.
.
.P
In other words, unless you re\-encrypt all the files in a repo each time you \'hide\' any, it\'s possible to make it so some files can no longer be decrypted by users who should be (and would appear) able to decrypt them, and vice\-versa\.
.
.P
If you know what you are doing and wish to encrypt or re\-encrypt only a subset of the files even after reading the above paragraphs, you can use the \-F or \-m option to only encrypted a subset of files\. The \-F option forces \fBgit secret hide\fR to skip any hidden files where the unencrypted versions aren\'t present\. The \-m option skips any hidden files that have not be modified since the last time they were encrypted\.
.
.P
Also, it is possible to modify the names of the encrypted files by setting \fBSECRETS_EXTENSION\fR variable\.
.
.P
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\.
.
.P
You can also enable verbosity using the SECRETS_VERBOSE environment variable, as documented at git\-secret(7) \fIhttp://git\-secret\.io/\fR
.
.SH "OPTIONS"
.
.nf
\-v \- verbose, shows extra information\.
\-c \- deletes encrypted files before creating new ones\.
\-F \- forces hide to continue if a file to encrypt is missing\.
\-P \- preserve permissions of unencrypted file in encrypted file\.
\-d \- deletes unencrypted files after encryption\.
\-m \- encrypt files only when modified\.
\-h \- shows help\.
.
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-hide\fR to see this note\.
.
.SH "SEE ALSO"
git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR,
.
.br
git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR

62
docs/man/man1/git-secret-hide.1.ronn
Unescape Escape View File

@ -1,62 +0,0 @@
git-secret-hide - encrypts all added files with the inner keyring.
==================================================================
## SYNOPSIS
git secret hide [-c] [-F] [-P] [-v] [-d] [-m]
## DESCRIPTION
`git-secret-hide` creates an encrypted version (typically called `filename.txt.secret`)
of each file added by `git-secret-add` command.
Now anyone enabled via 'git secret tell' can can decrypt these files. Under the hood,
`git-secret` uses the keyring in `.gitsecret/keys` and user's secret keys to decrypt the files.
It is recommended to encrypt (or re-encrypt) all the files in a git-secret repo each
time `git secret hide` is run.
Otherwise the keychain (the one stored in `.gitsecret/keys/*.gpg`),
may have changed since the last time the files were encrypted, and it's possible
to create a state where the users in the output of `git secret whoknows`
may not be able to decrypt the some files in the repo, or may be able decrypt files
they're not supposed to be able to.
In other words, unless you re-encrypt all the files in a repo each time you 'hide' any,
it's possible to make it so some files can no longer be decrypted by users who should be
(and would appear) able to decrypt them, and vice-versa.
If you know what you are doing and wish to encrypt or re-encrypt only a subset of the files
even after reading the above paragraphs, you can use the -F or -m option to only encrypted
a subset of files. The -F option forces `git secret hide` to skip any hidden files
where the unencrypted versions aren't present. The -m option skips any hidden files that have
not be modified since the last time they were encrypted.
Also, it is possible to modify the names of the encrypted files by setting `SECRETS_EXTENSION` variable.
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
folder using the SECRETS_DIR environment variable.
You can also enable verbosity using the SECRETS_VERBOSE environment variable,
as documented at [git-secret(7)](http://git-secret.io/)
## OPTIONS
-v - verbose, shows extra information.
-c - deletes encrypted files before creating new ones.
-F - forces hide to continue if a file to encrypt is missing.
-P - preserve permissions of unencrypted file in encrypted file.
-d - deletes unencrypted files after encryption.
-m - encrypt files only when modified.
-h - shows help.
## MANUAL
Run `man git-secret-hide` to see this note.
## SEE ALSO
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell),
[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
[git-secret-cat(1)](http://git-secret.io/git-secret-cat)

38
docs/man/man1/git-secret-init.1
Unescape Escape View File

@ -1,38 +0,0 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-INIT" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
.
.SH "NAME"
\fBgit\-secret\-init\fR \- initializes git\-secret repository\.
.
.SH "SYNOPSIS"
.
.nf
git secret init
.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-init\fR should be run inside a \fBgit\fR repo to set up the \.gitsecret directory and initialize the repo for git\-secret\. Until repository is initialized with \fBgit secret init\fR, all other \fBgit\-secret\fR commands are unavailable\.
.
.P
If a \.gitsecret directory already exists, \fBgit\-secret\-init\fR exits without making any changes\. Otherwise, a \.gitsecret directory is created with appropriate sub\-directories, and patterns to ignore git\-secret\'s \fBrandom_seed_file\fR and not ignore \fB\.secret\fR files are added to \fB\.gitignore\fR\.
.
.P
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder with the SECRETS_DIR environment variable, and changing the extension git\-secret uses for secret files with the SECRETS_EXTENSION environment variable\.
.
.SH "OPTIONS"
.
.nf
\-h \- shows this help\.
.
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-init\fR to see this note\.
.
.SH "SEE ALSO"
git\-secret\-usage(1) \fIhttp://git\-secret\.io/git\-secret\-usage\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR

35
docs/man/man1/git-secret-init.1.ronn
Unescape Escape View File

@ -1,35 +0,0 @@
git-secret-init - initializes git-secret repository.
====================================================
## SYNOPSIS
git secret init
## DESCRIPTION
`git-secret-init` should be run inside a `git` repo to set up the .gitsecret directory and initialize the repo for git-secret.
Until repository is initialized with `git secret init`, all other `git-secret` commands are unavailable.
If a .gitsecret directory already exists, `git-secret-init` exits without making any changes.
Otherwise, a .gitsecret directory is created with appropriate sub-directories,
and patterns to ignore git-secret's `random_seed_file`
and not ignore `.secret` files are added to `.gitignore`.
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
folder with the SECRETS_DIR environment variable, and changing the extension git-secret uses for secret files
with the SECRETS_EXTENSION environment variable.
## OPTIONS
-h - shows this help.
## MANUAL
Run `man git-secret-init` to see this note.
## SEE ALSO
[git-secret-usage(1)](http://git-secret.io/git-secret-usage), [git-secret-tell(1)](http://git-secret.io/git-secret-tell)

32
docs/man/man1/git-secret-killperson.1
Unescape Escape View File

@ -1,32 +0,0 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-KILLPERSON" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
.
.SH "NAME"
\fBgit\-secret\-killperson\fR \- deletes key identified by an email from the inner keyring\.
.
.SH "SYNOPSIS"
.
.nf
git secret killperson <emails>\.\.\.
.
.fi
.
.SH "DESCRIPTION"
This command removes the keys associated with the selected email addresses from the keyring\. If you remove a keypair\'s access with \fBgit\-secret\-killperson\fR, and run \fBgit\-secret\-reveal\fR and \fBgit\-secret\-hide \-r\fR, it will be impossible for given users to decrypt the hidden files\.
.
.SH "OPTIONS"
.
.nf
\-h \- shows this help\.
.
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-killperson\fR to see this note\.
.
.SH "SEE ALSO"
git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-remove(1) \fIhttp://git\-secret\.io/git\-secret\-remove\fR, git\-secret\-clean(1) \fIhttp://git\-secret\.io/git\-secret\-clean\fR

32
docs/man/man1/git-secret-killperson.1.ronn
Unescape Escape View File

@ -1,32 +0,0 @@
git-secret-killperson - deletes key identified by an email from the inner keyring.
==================================================================================
## SYNOPSIS
git secret killperson <emails>...
## DESCRIPTION
This command removes the keys associated with the selected email addresses from the keyring.
If you remove a keypair's access with `git-secret-killperson`, and run `git-secret-reveal` and `git-secret-hide -r`,
it will be impossible for given users to decrypt the hidden files.
Using git-secret-killperson and re-encrypting the secrets does not prevent a user from extracting secrets that they have previously had access to.
The old keyrings and the secrets encrypted with them will still be readable by the user in the git history.
This means that any secrets that the user has had access to at any time must be changed and re-encrypted after their key has been removed from the keyring.
## OPTIONS
-h - shows this help.
## MANUAL
Run `man git-secret-killperson` to see this note.
## SEE ALSO
[git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-remove(1)](http://git-secret.io/git-secret-remove),
[git-secret-clean(1)](http://git-secret.io/git-secret-clean)

35
docs/man/man1/git-secret-list.1
Unescape Escape View File

@ -1,35 +0,0 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-LIST" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
.
.SH "NAME"
\fBgit\-secret\-list\fR \- prints all the added files\.
.
.SH "SYNOPSIS"
.
.nf
git secret list
.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-list\fR prints all the currently added tracked files from the \fB\.gitsecret/paths/mapping\.cfg\fR\.
.
.P
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\.
.
.SH "OPTIONS"
.
.nf
\-h \- shows this help\.
.
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-list\fR to see this note\.
.
.SH "SEE ALSO"
git\-secret\-whoknows(1) \fIhttp://git\-secret\.io/git\-secret\-whoknows\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-remove(1) \fIhttp://git\-secret\.io/git\-secret\-remove\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR

30
docs/man/man1/git-secret-list.1.ronn
Unescape Escape View File

@ -1,30 +0,0 @@
git-secret-list - prints all the added files.
=============================================
## SYNOPSIS
git secret list
## DESCRIPTION
`git-secret-list` prints all the currently added tracked files from the `.gitsecret/paths/mapping.cfg`.
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
folder using the SECRETS_DIR environment variable.
## OPTIONS
-h - shows this help.
## MANUAL
Run `man git-secret-list` to see this note.
## SEE ALSO
[git-secret-whoknows(1)](http://git-secret.io/git-secret-whoknows), [git-secret-add(1)](http://git-secret.io/git-secret-add),
[git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-hide(1)](http://git-secret.io/git-secret-hide),
[git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), [git-secret-cat(1)](http://git-secret.io/git-secret-cat)

36
docs/man/man1/git-secret-remove.1
Unescape Escape View File

@ -1,36 +0,0 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-REMOVE" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
.
.SH "NAME"
\fBgit\-secret\-remove\fR \- removes files from index\.
.
.SH "SYNOPSIS"
.
.nf
git secret remove [\-c] <pathspec>\.\.\.
.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-remove\fR deletes files from \fB\.gitsecret/paths/mapping\.cfg\fR, so they won\'t be encrypted or decrypted in the future\. There\'s also a \-c option to delete existing encrypted versions of the files provided\.
.
.P
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\.
.
.SH "OPTIONS"
.
.nf
\-c \- deletes existing real encrypted files\.
\-h \- shows help\.
.
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-remove\fR to see this note\.
.
.SH "SEE ALSO"
git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-clean(1) \fIhttp://git\-secret\.io/git\-secret\-clean\fR, git\-secret\-killperson(1) \fIhttp://git\-secret\.io/git\-secret\-killperson\fR

32
docs/man/man1/git-secret-remove.1.ronn
Unescape Escape View File

@ -1,32 +0,0 @@
git-secret-remove - removes files from index.
=============================================
## SYNOPSIS
git secret remove [-c] <pathspec>...
## DESCRIPTION
`git-secret-remove` deletes files from `.gitsecret/paths/mapping.cfg`,
so they won't be encrypted or decrypted in the future.
There's also a -c option to delete existing encrypted versions of the files provided.
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
folder using the SECRETS_DIR environment variable.
## OPTIONS
-c - deletes existing real encrypted files.
-h - shows help.
## MANUAL
Run `man git-secret-remove` to see this note.
## SEE ALSO
[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-clean(1)](http://git-secret.io/git-secret-clean),
[git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)

41
docs/man/man1/git-secret-reveal.1
Unescape Escape View File

@ -1,41 +0,0 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-REVEAL" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
.
.SH "NAME"
\fBgit\-secret\-reveal\fR \- decrypts all added files\.
.
.SH "SYNOPSIS"
.
.nf
git secret reveal [\-f] [\-F] [\-P] [\-v] [\-d dir] [\-p password] [pathspec]\.\.\.
.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-reveal\fR \- decrypts all the files in \fB\.gitsecret/paths/mapping\.cfg\fR, or the passed \fBpathspec\fRs\. You will need to have imported the paired secret\-key with one of the public\-keys which were used in the encryption\. Under the hood, this uses the \fBgpg \-\-decrypt\fR command\.
.
.SH "OPTIONS"
.
.nf
\-f \- forces gpg to overwrite existing files without prompt\.
\-F \- forces reveal to continue even if a file fails to decrypt\.
\-d \- specifies `\-\-homedir` option for the `gpg`, basically use this option if you store your keys in a custom location\.
\-v \- verbose, shows extra information\.
\-p \- specifies password for noinput mode, adds `\-\-passphrase` option for `gpg`\.
\-P \- preserve permissions of encrypted file in unencrypted file\.
\-h \- shows help\.
.
.fi
.
.P
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\.
.
.SH "MANUAL"
Run \fBman git\-secret\-reveal\fR to see this note\.
.
.SH "SEE ALSO"
git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR

40
docs/man/man1/git-secret-reveal.1.ronn
Unescape Escape View File

@ -1,40 +0,0 @@
git-secret-reveal - decrypts all added files.
=============================================
## SYNOPSIS
git secret reveal [-f] [-F] [-P] [-v] [-d dir] [-p password] [pathspec]...
## DESCRIPTION
`git-secret-reveal` - decrypts all the files in `.gitsecret/paths/mapping.cfg`,
or the passed `pathspec`s.
You will need to have imported the paired secret-key with one of the
public-keys which were used in the encryption.
Under the hood, this uses the `gpg --decrypt` command.
## OPTIONS
-f - forces gpg to overwrite existing files without prompt.
-F - forces reveal to continue even if a file fails to decrypt.
-d - specifies `--homedir` option for the `gpg`, basically use this option if you store your keys in a custom location.
-v - verbose, shows extra information.
-p - specifies password for noinput mode, adds `--passphrase` option for `gpg`.
-P - preserve permissions of encrypted file in unencrypted file.
-h - shows help.
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
folder using the SECRETS_DIR environment variable.
## MANUAL
Run `man git-secret-reveal` to see this note.
## SEE ALSO
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-cat(1)](http://git-secret.io/git-secret-cat),
[git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-add(1)](http://git-secret.io/git-secret-add),
[git-secret-hide(1)](http://git-secret.io/git-secret-hide)

40
docs/man/man1/git-secret-tell.1
Unescape Escape View File

@ -1,40 +0,0 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-TELL" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
.
.SH "NAME"
\fBgit\-secret\-tell\fR \- adds a person, who can access private data\.
.
.SH "SYNOPSIS"
.
.nf
git secret tell [\-m] [\-d dir] [emails]\.\.\.
.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-tell\fR receives one or more email addresses as an input, searches for the \fBgpg\fR\-key in the \fBgpg\fR \fBhomedir\fR by these emails, then imports the corresponding public key into \fBgit\-secret\fR\'s inner keychain\. From this moment this person can encrypt new files with the keyring which contains their key, but they cannot decrypt the old files, which were already encrypted without their key\. The files should be re\-encrypted with the new keyring by someone who has the unencrypted files\.
.
.P
Versions of \fBgit\-secret tell\fR after 0\.3\.2 will warn about keys that are expired, revoked, or otherwise invalid, and also if multiple keys are found for a single email address\.
.
.P
\fBDo not manually import secret keys into \fBgit\-secret\fR\fR\. It won\'t work with imported secret keys anyway\.
.
.SH "OPTIONS"
.
.nf
\-m \- takes your current `git config user\.email` as an identifier for the key\.
\-d \- specifies `\-\-homedir` option for the `gpg`, basically use this option if your store your keys in a custom location\.
\-h \- shows help\.
.
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-tell\fR to see this note\.
.
.SH "SEE ALSO"
git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR, git\-secret\-killperson(1) \fIhttp://git\-secret\.io/git\-secret\-killperson\fR

37
docs/man/man1/git-secret-tell.1.ronn
Unescape Escape View File

@ -1,37 +0,0 @@
git-secret-tell - adds a person, who can access private data.
===============================================================
## SYNOPSIS
git secret tell [-m] [-d dir] [emails]...
## DESCRIPTION
`git-secret-tell` receives one or more email addresses as an input, searches for the `gpg`-key in the `gpg`
`homedir` by these emails, then imports the corresponding public key into `git-secret`'s inner keychain.
From this moment this person can encrypt new files with the keyring which contains their key,
but they cannot decrypt the old files, which were already encrypted without their key.
The files should be re-encrypted with the new keyring by someone who has the unencrypted files.
Versions of `git-secret tell` after 0.3.2 will warn about keys that are expired, revoked, or otherwise invalid,
and also if multiple keys are found for a single email address.
**Do not manually import secret keys into `git-secret`**. It won't work with imported secret keys anyway.
## OPTIONS
-m - takes your current `git config user.email` as an identifier for the key.
-d - specifies `--homedir` option for the `gpg`, basically use this option if your store your keys in a custom location.
-h - shows help.
## MANUAL
Run `man git-secret-tell` to see this note.
## SEE ALSO
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-add(1)](http://git-secret.io/git-secret-add),
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
[git-secret-cat(1)](http://git-secret.io/git-secret-cat), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)

32
docs/man/man1/git-secret-usage.1
Unescape Escape View File

@ -1,32 +0,0 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-USAGE" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
.
.SH "NAME"
\fBgit\-secret\-usage\fR \- prints all the available commands\.
.
.SH "SYNOPSIS"
.
.nf
git secret usage
.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-usage\fR is used to print all the available commands\.
.
.SH "OPTIONS"
.
.nf
\-h \- shows this help\.
.
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-usage\fR to see this note\.
.
.SH "SEE ALSO"
git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR

27
docs/man/man1/git-secret-usage.1.ronn
Unescape Escape View File

@ -1,27 +0,0 @@
git-secret-usage - prints all the available commands.
=====================================================
## SYNOPSIS
git secret usage
## DESCRIPTION
`git-secret-usage` is used to print all the available commands.
## OPTIONS
-h - shows this help.
## MANUAL
Run `man git-secret-usage` to see this note.
## SEE ALSO
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-add(1)](http://git-secret.io/git-secret-add),
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
[git-secret-cat(1)](http://git-secret.io/git-secret-cat)

33
docs/man/man1/git-secret-whoknows.1
Unescape Escape View File

@ -1,33 +0,0 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-WHOKNOWS" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
.
.SH "NAME"
\fBgit\-secret\-whoknows\fR \- prints email\-labels for each key in the keyring\.
.
.SH "SYNOPSIS"
.
.nf
git secret whoknows
.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-whoknows\fR prints list of email addresses whose keys are allowed to access the secrets in this repo\.
.
.SH "OPTIONS"
.
.nf
\-l \- \'long\' output, shows key expiration dates\.
\-h \- shows this help\.
.
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-whoknows\fR to see this note\.
.
.SH "SEE ALSO"
git\-secret\-list(1) \fIhttp://git\-secret\.io/git\-secret\-list\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR

28
docs/man/man1/git-secret-whoknows.1.ronn
Unescape Escape View File

@ -1,28 +0,0 @@
git-secret-whoknows - prints email-labels for each key in the keyring.
======================================================================
## SYNOPSIS
git secret whoknows
## DESCRIPTION
`git-secret-whoknows` prints list of email addresses whose keys are allowed to access the secrets in this repo.
## OPTIONS
-l - 'long' output, shows key expiration dates.
-h - shows this help.
## MANUAL
Run `man git-secret-whoknows` to see this note.
## SEE ALSO
[git-secret-list(1)](http://git-secret.io/git-secret-list), [git-secret-tell(1)](http://git-secret.io/git-secret-tell),
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
[git-secret-cat(1)](http://git-secret.io/git-secret-cat)

219
docs/man/man7/git-secret.7
Unescape Escape View File

@ -1,219 +0,0 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET" "7" "March 2020" "sobolevn" "git-secret 0.3.2"
.
.SH "NAME"
\fBgit\-secret\fR \- bash tool to store private data inside a git repo\.
.
.SH "Usage: Setting up git\-secret in a repository"
These steps cover the basic process of using \fBgit\-secret\fR:
.
.IP "1." 4
Before starting, \fImake sure you have created \fBgpg\fR RSA key\-pair\fR: public and secret key identified by your email address\.
.
.IP "2." 4
Begin with an existing or new git repository\. You\'ll use the \'git secret\' commands to add the keyrings and information to make the git\-secret hide and reveal files in this repository\.
.
.IP "3." 4
Initialize the \fBgit\-secret\fR repository by running \fBgit secret init\fR command\. the \fB\.gitsecret/\fR folder will be created, \fBNote\fR all the contents of the \fB\.gitsecret/\fR folder should be checked in, /except/ the \fBrandom_seed\fR file\. In other words, of the files in \.gitsecret, only the random_seed file should be mentioned in your \.gitignore file\.
.
.IP "4." 4
Add the first user to the git\-secret repo keyring by running \fBgit secret tell your@gpg\.email\fR\.
.
.IP "5." 4
Now it\'s time to add files you wish to encrypt inside the \fBgit\-secret\fR repository\. It can be done by running \fBgit secret add <filenames\.\.\.>\fR command\. Make sure these files are ignored by mentions in \.gitignore, otherwise \fBgit\-secret\fR won\'t allow you to add them, as these files could be stored unencrypted\.
.
.IP "6." 4
When done, run \fBgit secret hide\fR to encrypt all files which you have added by the \fBgit secret add\fR command\. The data will be encrypted with the public\-keys described by the \fBgit secret tell\fR command\. After using \fBgit secret hide\fR to encrypt your data, it is safe to commit your changes\. \fBNOTE:\fR\. It\'s recommended to add \fBgit secret hide\fR command to your \fBpre\-commit\fR hook, so you won\'t miss any changes\.
.
.IP "7." 4
Later you can decrypt files with the \fBgit secret reveal\fR command, or just show their contents to stdout with the \fBgit secret cat\fR command\. If you used a password on your GPG key (always recommended), it will ask you for your password\. And you\'re done!
.
.IP "" 0
.
.SS "Usage: Adding someone to a repository using git\-secret"
.
.IP "1." 4
\fIGet their \fBgpg\fR public\-key\fR\. \fBYou won\'t need their secret key\.\fR
.
.IP "2." 4
Import this key into your \fBgpg\fR setup (in ~/\.gnupg or similar) by running \fBgpg \-\-import KEY_NAME\.txt\fR
.
.IP "3." 4
Now add this person to your secrets repo by running \fBgit secret tell persons@email\.id\fR (this will be the email address associated with the public key)
.
.IP "4." 4
The newly added user cannot yet read the encrypted files\. Now, re\-encrypt the files using \fBgit secret reveal; git secret hide \-d\fR, and then commit and push the newly encrypted files\. (The \-d options deletes the unencrypted file after re\-encrypting it)\. Now the newly added user be able to decrypt the files in the repo using \fBgit\-secret\fR\.
.
.IP "" 0
.
.P
Note that it is possible to add yourself to the git\-secret repo without decrypting existing files\. It will be possible to decrypt them after re\-encrypting them with the new keyring\. So, if you don\'t want unexpected keys added, you can configure some server\-side security policy with the \fBpre\-receive\fR hook\.
.
.SS "Using gpg"
You can follow a quick gpg tutorial at https://www\.devdungeon\.com/content/gpg\-tutorial\. Here are the most useful commands to get started:
.
.P
To generate a RSA key\-pair, run:
.
.IP "" 4
.
.nf
gpg \-\-gen\-key
.
.fi
.
.IP "" 0
.
.P
To export your public key, run:
.
.IP "" 4
.
.nf
gpg \-\-export your\.email@address\.com \-\-armor > public\-key\.gpg
.
.fi
.
.IP "" 0
.
.P
To import the public key of someone else (to share the secret with them for instance), run:
.
.IP "" 4
.
.nf
gpg \-\-import public\-key\.gpg
.
.fi
.
.IP "" 0
.
.P
Be sure to use a secure channel to share your public key!
.
.SS "Using git\-secret for Continuous Integration / Continuous Deployment (CI/CD)"
When using git\-secret for CI/CD, you get the benefit that any deployment is necessarily done with the correct configuration, since it is collocated with the changes in your code\.
.
.P
One way of doing it is the following:
.
.IP "1." 4
\fIcreate a gpg key\fR for your CI/CD environment\. You can chose any name and email address you want: for instance \fBMyApp CodeShip <myapp@codeship\.com>\fR if your app is called MyApp and your CI/CD provider is CodeShip\. It is easier not to define a password for that key\.
.
.IP "2." 4
run \fBgpg \-\-export\-secret\-key myapp@codeship\.com \-\-armor\fR to get your private key value
.
.IP "3." 4
Create an env var on your CI/CD server \fBGPG_PRIVATE_KEY\fR and assign it the private key value\.
.
.IP "4." 4
Then write your Continuous Deployment build script\. For instance:
.
.IP "" 0
.
.IP "" 4
.
.nf
# Install git\-secret (https://git\-secret\.io/installation), for instance, for debian:
echo "deb https://dl\.bintray\.com/sobolevn/deb git\-secret main" | sudo tee \-a /etc/apt/sources\.list
wget \-qO \- https://api\.bintray\.com/users/sobolevn/keys/gpg/public\.key | sudo apt\-key add \-
sudo apt\-get update && sudo apt\-get install git\-secret
# Create private key file
echo $GPG_PRIVATE_KEY > \./private_key\.gpg
# Import private key
gpg \-\-import \./private_key\.gpg
# Reveal secrets
git secret reveal
# carry on with your build script, secret files are available \.\.\.
.
.fi
.
.IP "" 0
.
.P
Note: your CI/CD might not allow you to create a multiline value\. In that case, you can export it on one line with
.
.IP "" 4
.
.nf
gpg \-\-export\-secret\-key myapp@codeship\.com \-\-armor | tr \'\en\' \',\'
.
.fi
.
.IP "" 0
.
.P
You can then create your private key file with:
.
.IP "" 4
.
.nf
echo $GPG_PRIVATE_KEY | tr \',\' \'\en\' > \./private_key\.gpg
.
.fi
.
.IP "" 0
.
.SH "Environment Variables and Configuration"
You can configure the version of gpg used, or the extension your encrypted files use, to suit your workflow better\. To do so, just set the required variable to the value you need\. This can be done in your shell environment file or with each \fBgit\-secret\fR command\.
.
.P
The settings available to be changed are:
.
.IP "\(bu" 4
\fB$SECRETS_VERBOSE\fR \- sets the verbose flag to on for all \fBgit\-secret\fR commands; is identical to using \fB\-v\fR on each command that supports it\.
.
.IP "\(bu" 4
\fB$SECRETS_GPG_COMMAND\fR \- sets the \fBgpg\fR alternatives, defaults to \fBgpg\fR\. It can be changed to \fBgpg\fR, \fBgpg2\fR, \fBpgp\fR, \fB/usr/local/gpg\fR or any other value\. After doing so rerun the tests to be sure that it won\'t break anything\. Tested to be working with: \fBgpg\fR, \fBgpg2\fR\.
.
.IP "\(bu" 4
\fB$SECRETS_EXTENSION\fR \- sets the secret files extension, defaults to \fB\.secret\fR\. It can be changed to any valid file extension\.
.
.IP "\(bu" 4
\fB$SECRETS_DIR\fR \- sets the directory where git\-secret stores its files, defaults to \.gitsecret\. It can be changed to any valid directory name\.
.
.IP "\(bu" 4
\fB$SECRETS_PINENTRY\fR \- allows user to specify a setting for \fBgpg\fR\'s \-\-pinentry option\. See \fBgpg\fR docs for details about gpg\'s \-\-pinentry option\.
.
.IP "" 0
.
.SH "The <code>\.gitsecret</code> folder (can be overridden with SECRETS_DIR)"
This folder contains information about the files encrypted by git\-secret, and about which public/private key sets can access the encrypted data\.
.
.P
You can change the name of this directory using the SECRETS_DIR environment variable\.
.
.P
Use the various \'git secret\' commands to manipulate the files in \fB\.gitsecret\fR, you should not change the data in these files directly\.
.
.P
Exactly which files exist in the \fB\.gitsecret\fR folder and what their contents are vary slightly across different versions of gpg\. Thus it is best to use git\-secret with the same version of gpg being used by all users\. This can be forced using SECRETS_GPG_COMMAND environment variable\.
.
.P
Specifically, there is an issue between gpg version 2\.1\.20 and later versions which can cause problems reading and writing keyring files between systems (this shows up in errors like \'gpg: skipped packet of type 12 in keybox\')\.
.
.P
The git\-secret internal data is separated into two directories:
.
.SS "<code>\.gitsecret/paths</code>"
This directory currently contains only the file \fBmapping\.cfg\fR, which lists all the files your storing encrypted\. In other words, the path mappings: what files are tracked to be hidden and revealed\.
.
.P
All the other internal data is stored in the directory:
.
.SS "<code>\.gitsecret/keys</code>"
This directory contains data used by git\-secret and PGP to allow and maintain the correct encryption and access rights for the permitted parties\.
.
.P
Generally speaking, all the files in this directory \fIexcept\fR \fBrandom_seed\fR should be checked into your repo\. By default, \fBgit secret init\fR will add the file \fB\.gitsecret/keys/random_seed\fR to your \.gitignore file\.
.
.P
Again, you can change the name of this directory using the SECRETS_DIR environment variable\.

173
docs/man/man7/git-secret.7.ronn
Unescape Escape View File

@ -1,173 +0,0 @@
git-secret - bash tool to store private data inside a git repo.
=============================================
## Usage: Setting up git-secret in a repository
These steps cover the basic process of using `git-secret`:
0. Before starting, [make sure you have created a `gpg` RSA key-pair](#using-gpg): a public and a secret key identified by your email address.
1. Begin with an existing or new git repository. You'll use the 'git secret' commands to add the keyrings and information
to make `git-secret` hide and reveal files in this repository.
2. Initialize the `git-secret` repository by running `git secret init` command. The `.gitsecret/` folder will be created.
**Note** all the contents of the `.gitsecret/` folder should be checked in, **/except/** the `random_seed` file.
In other words, of all the files in `.gitsecret/`, only the `random_seed` file should be mentioned in your `.gitignore` file.
By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your `.gitignore` file.
3. Add the first user to the `git-secret` repo keyring by running `git secret tell your@gpg.email`.
4. Now it's time to add files you wish to encrypt inside the `git-secret` repository.
This can be done by running `git secret add <filenames...>` command. Make sure these files are ignored by mentions in
`.gitignore`, otherwise `git-secret` won't allow you to add them, as these files could be stored unencrypted. In the default configuration, `git-secret add` will automatically add the unencrypted versions of the files to `.gitignore` for you.
5. When done, run `git secret hide` to encrypt all files which you have added by the `git secret add` command.
The data will be encrypted with the public-keys described by the `git secret tell` command.
After using `git secret hide` to encrypt your data, it is safe to commit your changes.
**NOTE:** It's recommended to add the `git secret hide` command to your `pre-commit` hook, so you won't miss any changes.
6. Later you can decrypt files with the `git secret reveal` command, or just print their contents to stdout with the
`git secret cat` command. If you used a password on your GPG key (always recommended), it will ask you for your password.
And you're done!
### Usage: Adding someone to a repository using git-secret
1. [Get their `gpg` public-key](#using-gpg). **You won't need their secret key.**
2. Import this key into your `gpg` keyring (in `~/.gnupg` or similar) by running `gpg --import KEY_NAME.txt`
3. Now add this person to your secrets repo by running `git secret tell persons@email.id`
(this will be the email address associated with the public key)
4. The newly added user cannot yet read the encrypted files. Now, re-encrypt the files using
`git secret reveal; git secret hide -d`, and then commit and push the newly encrypted files.
(The -d options deletes the unencrypted file after re-encrypting it).
Now the newly added user will be able to decrypt the files in the repo using `git-secret reveal`.
Note that it is possible to add yourself to the git-secret repo without decrypting existing files.
It will be possible to decrypt them after re-encrypting them with the new keyring. So, if you don't
want unexpected keys added, you can configure some server-side security policy with the `pre-receive` hook.
### Using gpg
You can follow a quick `gpg` tutorial at [devdungeon](https://www.devdungeon.com/content/gpg-tutorial). Here are the most useful commands to get started:
To generate a RSA key-pair, run:
```shell
gpg --gen-key
```
To export your public key, run:
```shell
gpg --export your.email@address.com --armor > public-key.gpg
```
To import the public key of someone else (to share the secret with them for instance), run:
```shell
gpg --import public-key.gpg
```
To make sure you get the original public keys of the indicated persons, be sure to use a secure channel to transfer it, or use a service you trust, preferably one that uses encryption such as Keybase, to retrieve their public key. Otherwise you could grant the wrong person access to your secrets by mistake!
### Using git-secret for Continuous Integration / Continuous Deployment (CI/CD)
When using `git-secret` for CI/CD, you get the benefit that any deployment is necessarily done with the correct configuration, since it is collocated
with the changes in your code.
One way of doing it is the following:
1. [create a gpg key](#using-gpg) for your CI/CD environment. You can chose any name and email address you want: for instance `MyApp CodeShip <myapp@codeship.com>`
if your app is called MyApp and your CI/CD provider is CodeShip. It is easier not to define a password for that key.
2. run `gpg --export-secret-key myapp@codeship.com --armor` to get your private key value
3. Create an env var on your CI/CD server `GPG_PRIVATE_KEY` and assign it the private key value.
4. Then write your Continuous Deployment build script. For instance:
```shell
# Install git-secret (https://git-secret.io/installation), for instance, for debian:
echo "deb https://dl.bintray.com/sobolevn/deb git-secret main" | sudo tee -a /etc/apt/sources.list
wget -qO - https://api.bintray.com/users/sobolevn/keys/gpg/public.key | sudo apt-key add -
sudo apt-get update && sudo apt-get install git-secret
# Create private key file
echo $GPG_PRIVATE_KEY > ./private_key.gpg
# Import private key
gpg --import ./private_key.gpg
# Reveal secrets
git secret reveal
# carry on with your build script, secret files are available ...
```
Note: your CI/CD might not allow you to create a multiline value. In that case, you can export it on one line with
```shell
gpg --export-secret-key myapp@codeship.com --armor | tr '\n' ','
```
You can then create your private key file with:
```shell
echo $GPG_PRIVATE_KEY | tr ',' '\n' > ./private_key.gpg
```
## Environment Variables and Configuration
You can configure the version of `gpg` used, or the extension your encrypted files use, to suit your workflow better.
To do so, just set the required variable to the value you need.
This can be done in your shell environment file or with each `git-secret` command.
See below, or the man page of `git-secret` for an explanation of the environment variables `git-secret` uses.
The settings available to be changed are:
* `$SECRETS_VERBOSE` - sets the verbose flag to on for all `git-secret` commands; is identical
to using `-v` on each command that supports it.
* `$SECRETS_GPG_COMMAND` - sets the `gpg` alternatives, defaults to `gpg`.
It can be changed to `gpg`, `gpg2`, `pgp`, `/usr/local/gpg` or any other value.
After doing so rerun the tests to be sure that it won't break anything. Tested to be working with: `gpg`, `gpg2`.
* `$SECRETS_EXTENSION` - sets the secret files extension, defaults to `.secret`. It can be changed to any valid file extension.
* `$SECRETS_DIR` - sets the directory where git-secret stores its files, defaults to .gitsecret.
It can be changed to any valid directory name.
* `$SECRETS_PINENTRY` - allows user to specify a setting for `gpg`'s --pinentry option.
See `gpg` docs for details about gpg's --pinentry option.
## The `.gitsecret` folder (can be overridden with SECRETS_DIR)
This folder contains information about the files encrypted by git-secret,
and about which public/private key sets can access the encrypted data.
You can change the name of this directory using the SECRETS_DIR environment variable.
Use the various 'git secret' commands to manipulate the files in `.gitsecret`,
you should not change the data in these files directly.
Exactly which files exist in the `.gitsecret` folder and what their contents are
vary slightly across different versions of gpg. Thus it is best to use
git-secret with the same version of gpg being used by all users.
This can be forced using SECRETS_GPG_COMMAND environment variable.
Specifically, there is an issue between gpg version 2.1.20 and later versions
which can cause problems reading and writing keyring files between systems
(this shows up in errors like 'gpg: skipped packet of type 12 in keybox').
The git-secret internal data is separated into two directories:
### `.gitsecret/paths`
This directory currently contains only the file `mapping.cfg`, which lists all the files your storing encrypted.
In other words, the path mappings: what files are tracked to be hidden and revealed.
All the other internal data is stored in the directory:
### `.gitsecret/keys`
This directory contains data used by git-secret and PGP to allow and maintain the correct encryption and access rights for the permitted parties.
Generally speaking, all the files in this directory *except* `random_seed` should be checked into your repo.
By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your `.gitignore` file.
Again, you can change the name of this directory using the SECRETS_DIR environment variable.
Write Preview
Loading…
Cancel
Save