mirror of https://github.com/sobolevn/git-secret
Fixes docs generation and improves docs
parent
a342993dd6
commit
e52038b786
@ -1,15 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -e
|
||||
|
||||
if [[ "$GITSECRET_DIST" == "rpm" ]]; then
|
||||
# To deploy `rpm`-packages this utility is needed:
|
||||
sudo apt-get install -y rpm;
|
||||
fi
|
||||
|
||||
# if not null GITSECRET_DIST
|
||||
if [[ -n "$GITSECRET_DIST" ]]; then
|
||||
# When making a non-container build, this step will generate
|
||||
# proper manifest files:
|
||||
make "deploy-$GITSECRET_DIST";
|
||||
fi
|
@ -1,21 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -e
|
||||
|
||||
|
||||
# Mac:
|
||||
if [[ "$GITSECRET_DIST" == "brew" ]]; then
|
||||
brew update
|
||||
|
||||
gnupg_installed="$(brew list | grep -c "gnupg")"
|
||||
[[ "$gnupg_installed" -ge 1 ]] || brew install gnupg
|
||||
if [[ -f "/usr/local/bin/gpg1" ]]; then
|
||||
ln -s /usr/local/bin/gpg1 /usr/local/bin/gpg
|
||||
fi
|
||||
brew install gawk shellcheck
|
||||
fi
|
||||
|
||||
# Windows
|
||||
if [[ "$GITSECRET_DIST" == "windows" ]]; then
|
||||
choco install make shellcheck -y
|
||||
fi
|
@ -1,4 +0,0 @@
|
||||
all: build
|
||||
|
||||
build:
|
||||
@/usr/bin/env bash ./create_posts.sh
|
@ -1,62 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -e
|
||||
|
||||
MAN_LOCATION="man/man1"
|
||||
MAN7_LOCATION="man/man7"
|
||||
POSTS_LOCATION="_posts"
|
||||
|
||||
|
||||
function checkout_manuals {
|
||||
git checkout master "$MAN_LOCATION"
|
||||
git checkout master "$MAN7_LOCATION"
|
||||
|
||||
# rm -f $MAN_LOCATION/*.1
|
||||
}
|
||||
|
||||
|
||||
function copy_to_posts {
|
||||
# Cleaning old files:
|
||||
rm -f "$POSTS_LOCATION/*.md"
|
||||
rm -rf "$POSTS_LOCATION"
|
||||
mkdir -p "$POSTS_LOCATION"
|
||||
|
||||
# Moving new command files:
|
||||
local timestamp
|
||||
local current_date
|
||||
|
||||
timestamp=$(date "+%Y-%m-%d %H:%M:%S %z")
|
||||
current_date=$(date "+%Y-%m-%d")
|
||||
|
||||
# Creating command refernce:
|
||||
for com in $MAN_LOCATION/git-secret-*.1.ronn; do
|
||||
local short_name
|
||||
short_name=$(echo "$com" | sed -n "s|$MAN_LOCATION/\(.*\)\.1\.ronn|\1|p")
|
||||
local command_header="---
|
||||
layout: post
|
||||
title: '${short_name}'
|
||||
date: ${timestamp}
|
||||
permalink: ${short_name}
|
||||
categories: command
|
||||
---"
|
||||
|
||||
local post_filename="$POSTS_LOCATION/${current_date}-${short_name}.md"
|
||||
echo "$command_header" > "$post_filename"
|
||||
cat "$com" >> "$post_filename"
|
||||
done
|
||||
|
||||
# Creating main usage file:
|
||||
local usage_header="---
|
||||
layout: post
|
||||
title: 'git-secret'
|
||||
date: ${timestamp}
|
||||
permalink: git-secret
|
||||
categories: usage
|
||||
---"
|
||||
local usage_filename="$POSTS_LOCATION/${current_date}-git-secret.md"
|
||||
echo "$usage_header" > "$usage_filename"
|
||||
cat "$MAN7_LOCATION/git-secret.7.ronn" >> "$usage_filename"
|
||||
}
|
||||
|
||||
checkout_manuals
|
||||
copy_to_posts
|
@ -1,45 +0,0 @@
|
||||
.\" generated with Ronn/v0.7.3
|
||||
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
||||
.
|
||||
.TH "GIT\-SECRET\-ADD" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
|
||||
.
|
||||
.SH "NAME"
|
||||
\fBgit\-secret\-add\fR \- starts to track added files\.
|
||||
.
|
||||
.SH "SYNOPSIS"
|
||||
.
|
||||
.nf
|
||||
|
||||
git secret add [\-i] <pathspec>\.\.\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "DESCRIPTION"
|
||||
\fBgit\-secret\-add\fR adds a filepath(s) into \fB\.gitsecret/paths/mapping\.cfg\fR and ensures the filepath is mentioned \.gitignore\.
|
||||
.
|
||||
.P
|
||||
When adding files to encrypt, \fBgit\-secret\-add\fR (as of 0\.2\.6) will ensure that they are ignored by \fBgit\fR by mentioning them in \.gitignore, since they must be secure and not be committed into the remote repository unencrypted\.
|
||||
.
|
||||
.P
|
||||
If there\'s no users in the \fBgit\-secret\fR\'s keyring, when adding a file, an exception will be raised\.
|
||||
.
|
||||
.P
|
||||
Use the \fBgit secret add\fR command to add filenames to this file\. It is not recommended to add filenames directly into \fB\.gitsecret/paths/mapping\.cfg\fR\.
|
||||
.
|
||||
.P
|
||||
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
.
|
||||
.nf
|
||||
|
||||
\-i \- does nothing, adding paths to \.gitignore is now the default behavior\.
|
||||
\-h \- shows this help\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "MANUAL"
|
||||
Run \fBman git\-secret\-add\fR to see this note\.
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR
|
@ -1,38 +0,0 @@
|
||||
git-secret-add - starts to track added files.
|
||||
=============================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret add [-i] <pathspec>...
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-add` adds a filepath(s) into `.gitsecret/paths/mapping.cfg`
|
||||
and ensures the filepath is mentioned .gitignore.
|
||||
|
||||
When adding files to encrypt, `git-secret-add` (as of 0.2.6) will ensure that they are ignored by `git` by mentioning
|
||||
them in .gitignore, since they must be secure and not be committed into the remote repository unencrypted.
|
||||
|
||||
If there's no users in the `git-secret`'s keyring, when adding a file, an exception will be raised.
|
||||
|
||||
Use the `git secret add` command to add filenames to this file.
|
||||
It is not recommended to add filenames directly into `.gitsecret/paths/mapping.cfg`.
|
||||
|
||||
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
|
||||
folder using the SECRETS_DIR environment variable.
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-i - does nothing, adding paths to .gitignore is now the default behavior.
|
||||
-h - shows this help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-add` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell),
|
||||
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal)
|
@ -1,37 +0,0 @@
|
||||
.\" generated with Ronn/v0.7.3
|
||||
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
||||
.
|
||||
.TH "GIT\-SECRET\-CAT" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
|
||||
.
|
||||
.SH "NAME"
|
||||
\fBgit\-secret\-cat\fR \- decrypts files passed on command line to stdout
|
||||
.
|
||||
.SH "SYNOPSIS"
|
||||
.
|
||||
.nf
|
||||
|
||||
git secret cat [\-d dir] [\-p password] filename [filenames]
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "DESCRIPTION"
|
||||
\fBgit\-secret\-cat\fR \- Outputs to stdout the contents of the files named on the command line\. As with \fBgit\-secret\-reveal\fR, you\'ll need to have a public/private keypair that is allowed to decrypt this repo\.
|
||||
.
|
||||
.P
|
||||
Note also that this command can be affected by the \fBSECRETS_PINENTRY\fR environment variable\. See (See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information using \fBSECRETS_PINENTRY\fR\.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
.
|
||||
.nf
|
||||
|
||||
\-d \- specifies `\-\-homedir` option for the `gpg`, basically use this option if you store your keys in a custom location\.
|
||||
\-p \- specifies password for noinput mode, adds `\-\-passphrase` option for `gpg`\.
|
||||
\-h \- shows help\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "MANUAL"
|
||||
Run \fBman git\-secret\-cat\fR to see this note\.
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR
|
@ -1,32 +0,0 @@
|
||||
git-secret-cat - decrypts files passed on command line to stdout
|
||||
=============================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret cat [-d dir] [-p password] filename [filenames]
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-cat` - Outputs to stdout the contents of the files named on the command line.
|
||||
As with `git-secret-reveal`, you'll need to have a public/private keypair that is allowed to
|
||||
decrypt this repo.
|
||||
|
||||
Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See
|
||||
(See [git-secret(7)](http://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-d - specifies `--homedir` option for the `gpg`, basically use this option if you store your keys in a custom location.
|
||||
-p - specifies password for noinput mode, adds `--passphrase` option for `gpg`.
|
||||
-h - shows help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-cat` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-cat)
|
@ -1,37 +0,0 @@
|
||||
.\" generated with Ronn/v0.7.3
|
||||
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
||||
.
|
||||
.TH "GIT\-SECRET\-CHANGES" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
|
||||
.
|
||||
.SH "NAME"
|
||||
\fBgit\-secret\-changes\fR \- view diff of the hidden files\.
|
||||
.
|
||||
.SH "SYNOPSIS"
|
||||
.
|
||||
.nf
|
||||
|
||||
git secret changes [\-h] [\-d dir] [\-p password] [pathspec]\.\.\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "DESCRIPTION"
|
||||
\fBgit\-secret\-changes\fR \- shows changes between the current version of hidden files and the ones already committed\. You can provide any number of hidden files to this command as arguments, and it will show changes for these files only\. Note that files must be specified by their encrypted names, typically \fBfilename\.yml\.secret\fR\. If no arguments are provided, information about all hidden files will be shown\.
|
||||
.
|
||||
.P
|
||||
Note also that this command can be affected by the \fBSECRETS_PINENTRY\fR environment variable\. See (See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information using \fBSECRETS_PINENTRY\fR\.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
.
|
||||
.nf
|
||||
|
||||
\-d \- specifies `\-\-homedir` option for the `gpg`\. Use this option if your store your keys in a custom location\.
|
||||
\-p \- specifies password for noinput mode, adds `\-\-passphrase` option for `gpg`\.
|
||||
\-h \- shows help\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "MANUAL"
|
||||
Run \fBman git\-secret\-changes\fR to see this note\.
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR
|
@ -1,35 +0,0 @@
|
||||
git-secret-changes - view diff of the hidden files.
|
||||
===================================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret changes [-h] [-d dir] [-p password] [pathspec]...
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-changes` - shows changes between the current version of hidden files and the ones already committed.
|
||||
You can provide any number of hidden files to this command as arguments, and it will show changes for these files only.
|
||||
Note that files must be specified by their encrypted names, typically `filename.yml.secret`.
|
||||
If no arguments are provided, information about all hidden files will be shown.
|
||||
|
||||
Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See
|
||||
(See [git-secret(7)](http://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-d - specifies `--homedir` option for the `gpg`. Use this option if your store your keys in a custom location.
|
||||
-p - specifies password for noinput mode, adds `--passphrase` option for `gpg`.
|
||||
-h - shows help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-changes` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-tell(1)](http://git-secret.io/git-secret-tell),
|
||||
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
|
||||
[git-secret-cat(1)](http://git-secret.io/git-secret-cat)
|
@ -1,36 +0,0 @@
|
||||
.\" generated with Ronn/v0.7.3
|
||||
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
||||
.
|
||||
.TH "GIT\-SECRET\-CLEAN" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
|
||||
.
|
||||
.SH "NAME"
|
||||
\fBgit\-secret\-clean\fR \- removes all the hidden files\.
|
||||
.
|
||||
.SH "SYNOPSIS"
|
||||
.
|
||||
.nf
|
||||
|
||||
git secret clean [\-v]
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "DESCRIPTION"
|
||||
\fBgit\-secret\-clean\fR deletes all the encrypted files\. Verbose output is enabled with the \-v option, in which case the program prints which files are deleted\.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
.
|
||||
.nf
|
||||
|
||||
\-v \- verbose mode, shows which files are deleted\.
|
||||
\-h \- shows this help\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.P
|
||||
You can also enable verbosity using the SECRETS_VERBOSE environment variable, as documented at git\-secret(7) \fIhttp://git\-secret\.io/\fR
|
||||
.
|
||||
.SH "MANUAL"
|
||||
Run \fBman git\-secret\-clean\fR to see this note\.
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
git\-secret\-whoknows(1) \fIhttp://git\-secret\.io/git\-secret\-whoknows\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-remove(1) \fIhttp://git\-secret\.io/git\-secret\-remove\fR, git\-secret\-killperson(1) \fIhttp://git\-secret\.io/git\-secret\-killperson\fR
|
@ -1,30 +0,0 @@
|
||||
git-secret-clean - removes all the hidden files.
|
||||
================================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret clean [-v]
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-clean` deletes all the encrypted files.
|
||||
Verbose output is enabled with the -v option, in which case the program prints which files are deleted.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-v - verbose mode, shows which files are deleted.
|
||||
-h - shows this help.
|
||||
|
||||
You can also enable verbosity using the SECRETS_VERBOSE environment variable,
|
||||
as documented at [git-secret(7)](http://git-secret.io/)
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-clean` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-whoknows(1)](http://git-secret.io/git-secret-whoknows), [git-secret-add(1)](http://git-secret.io/git-secret-add),
|
||||
[git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)
|
@ -1,62 +0,0 @@
|
||||
.\" generated with Ronn/v0.7.3
|
||||
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
||||
.
|
||||
.TH "GIT\-SECRET\-HIDE" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
|
||||
.
|
||||
.SH "NAME"
|
||||
\fBgit\-secret\-hide\fR \- encrypts all added files with the inner keyring\.
|
||||
.
|
||||
.SH "SYNOPSIS"
|
||||
.
|
||||
.nf
|
||||
|
||||
git secret hide [\-c] [\-F] [\-P] [\-v] [\-d] [\-m]
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "DESCRIPTION"
|
||||
\fBgit\-secret\-hide\fR creates an encrypted version (typically called \fBfilename\.txt\.secret\fR) of each file added by \fBgit\-secret\-add\fR command\. Now anyone enabled via \'git secret tell\' can can decrypt these files\. Under the hood, \fBgit\-secret\fR uses the keyring in \fB\.gitsecret/keys\fR and user\'s secret keys to decrypt the files\.
|
||||
.
|
||||
.P
|
||||
It is recommended to encrypt (or re\-encrypt) all the files in a git\-secret repo each time \fBgit secret hide\fR is run\.
|
||||
.
|
||||
.P
|
||||
Otherwise the keychain (the one stored in \fB\.gitsecret/keys/*\.gpg\fR), may have changed since the last time the files were encrypted, and it\'s possible to create a state where the users in the output of \fBgit secret whoknows\fR may not be able to decrypt the some files in the repo, or may be able decrypt files they\'re not supposed to be able to\.
|
||||
.
|
||||
.P
|
||||
In other words, unless you re\-encrypt all the files in a repo each time you \'hide\' any, it\'s possible to make it so some files can no longer be decrypted by users who should be (and would appear) able to decrypt them, and vice\-versa\.
|
||||
.
|
||||
.P
|
||||
If you know what you are doing and wish to encrypt or re\-encrypt only a subset of the files even after reading the above paragraphs, you can use the \-F or \-m option to only encrypted a subset of files\. The \-F option forces \fBgit secret hide\fR to skip any hidden files where the unencrypted versions aren\'t present\. The \-m option skips any hidden files that have not be modified since the last time they were encrypted\.
|
||||
.
|
||||
.P
|
||||
Also, it is possible to modify the names of the encrypted files by setting \fBSECRETS_EXTENSION\fR variable\.
|
||||
.
|
||||
.P
|
||||
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\.
|
||||
.
|
||||
.P
|
||||
You can also enable verbosity using the SECRETS_VERBOSE environment variable, as documented at git\-secret(7) \fIhttp://git\-secret\.io/\fR
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
.
|
||||
.nf
|
||||
|
||||
\-v \- verbose, shows extra information\.
|
||||
\-c \- deletes encrypted files before creating new ones\.
|
||||
\-F \- forces hide to continue if a file to encrypt is missing\.
|
||||
\-P \- preserve permissions of unencrypted file in encrypted file\.
|
||||
\-d \- deletes unencrypted files after encryption\.
|
||||
\-m \- encrypt files only when modified\.
|
||||
\-h \- shows help\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "MANUAL"
|
||||
Run \fBman git\-secret\-hide\fR to see this note\.
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR,
|
||||
.
|
||||
.br
|
||||
git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR
|
@ -1,62 +0,0 @@
|
||||
git-secret-hide - encrypts all added files with the inner keyring.
|
||||
==================================================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret hide [-c] [-F] [-P] [-v] [-d] [-m]
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-hide` creates an encrypted version (typically called `filename.txt.secret`)
|
||||
of each file added by `git-secret-add` command.
|
||||
Now anyone enabled via 'git secret tell' can can decrypt these files. Under the hood,
|
||||
`git-secret` uses the keyring in `.gitsecret/keys` and user's secret keys to decrypt the files.
|
||||
|
||||
It is recommended to encrypt (or re-encrypt) all the files in a git-secret repo each
|
||||
time `git secret hide` is run.
|
||||
|
||||
Otherwise the keychain (the one stored in `.gitsecret/keys/*.gpg`),
|
||||
may have changed since the last time the files were encrypted, and it's possible
|
||||
to create a state where the users in the output of `git secret whoknows`
|
||||
may not be able to decrypt the some files in the repo, or may be able decrypt files
|
||||
they're not supposed to be able to.
|
||||
|
||||
In other words, unless you re-encrypt all the files in a repo each time you 'hide' any,
|
||||
it's possible to make it so some files can no longer be decrypted by users who should be
|
||||
(and would appear) able to decrypt them, and vice-versa.
|
||||
|
||||
If you know what you are doing and wish to encrypt or re-encrypt only a subset of the files
|
||||
even after reading the above paragraphs, you can use the -F or -m option to only encrypted
|
||||
a subset of files. The -F option forces `git secret hide` to skip any hidden files
|
||||
where the unencrypted versions aren't present. The -m option skips any hidden files that have
|
||||
not be modified since the last time they were encrypted.
|
||||
|
||||
Also, it is possible to modify the names of the encrypted files by setting `SECRETS_EXTENSION` variable.
|
||||
|
||||
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
|
||||
folder using the SECRETS_DIR environment variable.
|
||||
|
||||
You can also enable verbosity using the SECRETS_VERBOSE environment variable,
|
||||
as documented at [git-secret(7)](http://git-secret.io/)
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-v - verbose, shows extra information.
|
||||
-c - deletes encrypted files before creating new ones.
|
||||
-F - forces hide to continue if a file to encrypt is missing.
|
||||
-P - preserve permissions of unencrypted file in encrypted file.
|
||||
-d - deletes unencrypted files after encryption.
|
||||
-m - encrypt files only when modified.
|
||||
-h - shows help.
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-hide` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell),
|
||||
[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
|
||||
[git-secret-cat(1)](http://git-secret.io/git-secret-cat)
|
@ -1,38 +0,0 @@
|
||||
.\" generated with Ronn/v0.7.3
|
||||
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
||||
.
|
||||
.TH "GIT\-SECRET\-INIT" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
|
||||
.
|
||||
.SH "NAME"
|
||||
\fBgit\-secret\-init\fR \- initializes git\-secret repository\.
|
||||
.
|
||||
.SH "SYNOPSIS"
|
||||
.
|
||||
.nf
|
||||
|
||||
git secret init
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "DESCRIPTION"
|
||||
\fBgit\-secret\-init\fR should be run inside a \fBgit\fR repo to set up the \.gitsecret directory and initialize the repo for git\-secret\. Until repository is initialized with \fBgit secret init\fR, all other \fBgit\-secret\fR commands are unavailable\.
|
||||
.
|
||||
.P
|
||||
If a \.gitsecret directory already exists, \fBgit\-secret\-init\fR exits without making any changes\. Otherwise, a \.gitsecret directory is created with appropriate sub\-directories, and patterns to ignore git\-secret\'s \fBrandom_seed_file\fR and not ignore \fB\.secret\fR files are added to \fB\.gitignore\fR\.
|
||||
.
|
||||
.P
|
||||
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder with the SECRETS_DIR environment variable, and changing the extension git\-secret uses for secret files with the SECRETS_EXTENSION environment variable\.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
.
|
||||
.nf
|
||||
|
||||
\-h \- shows this help\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "MANUAL"
|
||||
Run \fBman git\-secret\-init\fR to see this note\.
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
git\-secret\-usage(1) \fIhttp://git\-secret\.io/git\-secret\-usage\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR
|
@ -1,35 +0,0 @@
|
||||
git-secret-init - initializes git-secret repository.
|
||||
====================================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret init
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-init` should be run inside a `git` repo to set up the .gitsecret directory and initialize the repo for git-secret.
|
||||
Until repository is initialized with `git secret init`, all other `git-secret` commands are unavailable.
|
||||
|
||||
If a .gitsecret directory already exists, `git-secret-init` exits without making any changes.
|
||||
Otherwise, a .gitsecret directory is created with appropriate sub-directories,
|
||||
and patterns to ignore git-secret's `random_seed_file`
|
||||
and not ignore `.secret` files are added to `.gitignore`.
|
||||
|
||||
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
|
||||
folder with the SECRETS_DIR environment variable, and changing the extension git-secret uses for secret files
|
||||
with the SECRETS_EXTENSION environment variable.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-h - shows this help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-init` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-usage(1)](http://git-secret.io/git-secret-usage), [git-secret-tell(1)](http://git-secret.io/git-secret-tell)
|
@ -1,32 +0,0 @@
|
||||
.\" generated with Ronn/v0.7.3
|
||||
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
||||
.
|
||||
.TH "GIT\-SECRET\-KILLPERSON" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
|
||||
.
|
||||
.SH "NAME"
|
||||
\fBgit\-secret\-killperson\fR \- deletes key identified by an email from the inner keyring\.
|
||||
.
|
||||
.SH "SYNOPSIS"
|
||||
.
|
||||
.nf
|
||||
|
||||
git secret killperson <emails>\.\.\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "DESCRIPTION"
|
||||
This command removes the keys associated with the selected email addresses from the keyring\. If you remove a keypair\'s access with \fBgit\-secret\-killperson\fR, and run \fBgit\-secret\-reveal\fR and \fBgit\-secret\-hide \-r\fR, it will be impossible for given users to decrypt the hidden files\.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
.
|
||||
.nf
|
||||
|
||||
\-h \- shows this help\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "MANUAL"
|
||||
Run \fBman git\-secret\-killperson\fR to see this note\.
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-remove(1) \fIhttp://git\-secret\.io/git\-secret\-remove\fR, git\-secret\-clean(1) \fIhttp://git\-secret\.io/git\-secret\-clean\fR
|
@ -1,32 +0,0 @@
|
||||
git-secret-killperson - deletes key identified by an email from the inner keyring.
|
||||
==================================================================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret killperson <emails>...
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
This command removes the keys associated with the selected email addresses from the keyring.
|
||||
If you remove a keypair's access with `git-secret-killperson`, and run `git-secret-reveal` and `git-secret-hide -r`,
|
||||
it will be impossible for given users to decrypt the hidden files.
|
||||
|
||||
Using git-secret-killperson and re-encrypting the secrets does not prevent a user from extracting secrets that they have previously had access to.
|
||||
The old keyrings and the secrets encrypted with them will still be readable by the user in the git history.
|
||||
This means that any secrets that the user has had access to at any time must be changed and re-encrypted after their key has been removed from the keyring.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-h - shows this help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-killperson` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-remove(1)](http://git-secret.io/git-secret-remove),
|
||||
[git-secret-clean(1)](http://git-secret.io/git-secret-clean)
|
@ -1,35 +0,0 @@
|
||||
.\" generated with Ronn/v0.7.3
|
||||
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
||||
.
|
||||
.TH "GIT\-SECRET\-LIST" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
|
||||
.
|
||||
.SH "NAME"
|
||||
\fBgit\-secret\-list\fR \- prints all the added files\.
|
||||
.
|
||||
.SH "SYNOPSIS"
|
||||
.
|
||||
.nf
|
||||
|
||||
git secret list
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "DESCRIPTION"
|
||||
\fBgit\-secret\-list\fR prints all the currently added tracked files from the \fB\.gitsecret/paths/mapping\.cfg\fR\.
|
||||
.
|
||||
.P
|
||||
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
.
|
||||
.nf
|
||||
|
||||
\-h \- shows this help\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "MANUAL"
|
||||
Run \fBman git\-secret\-list\fR to see this note\.
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
git\-secret\-whoknows(1) \fIhttp://git\-secret\.io/git\-secret\-whoknows\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-remove(1) \fIhttp://git\-secret\.io/git\-secret\-remove\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR
|
@ -1,30 +0,0 @@
|
||||
git-secret-list - prints all the added files.
|
||||
=============================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret list
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-list` prints all the currently added tracked files from the `.gitsecret/paths/mapping.cfg`.
|
||||
|
||||
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
|
||||
folder using the SECRETS_DIR environment variable.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-h - shows this help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-list` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-whoknows(1)](http://git-secret.io/git-secret-whoknows), [git-secret-add(1)](http://git-secret.io/git-secret-add),
|
||||
[git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-hide(1)](http://git-secret.io/git-secret-hide),
|
||||
[git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), [git-secret-cat(1)](http://git-secret.io/git-secret-cat)
|
@ -1,36 +0,0 @@
|
||||
.\" generated with Ronn/v0.7.3
|
||||
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
||||
.
|
||||
.TH "GIT\-SECRET\-REMOVE" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
|
||||
.
|
||||
.SH "NAME"
|
||||
\fBgit\-secret\-remove\fR \- removes files from index\.
|
||||
.
|
||||
.SH "SYNOPSIS"
|
||||
.
|
||||
.nf
|
||||
|
||||
git secret remove [\-c] <pathspec>\.\.\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "DESCRIPTION"
|
||||
\fBgit\-secret\-remove\fR deletes files from \fB\.gitsecret/paths/mapping\.cfg\fR, so they won\'t be encrypted or decrypted in the future\. There\'s also a \-c option to delete existing encrypted versions of the files provided\.
|
||||
.
|
||||
.P
|
||||
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
.
|
||||
.nf
|
||||
|
||||
\-c \- deletes existing real encrypted files\.
|
||||
\-h \- shows help\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "MANUAL"
|
||||
Run \fBman git\-secret\-remove\fR to see this note\.
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-clean(1) \fIhttp://git\-secret\.io/git\-secret\-clean\fR, git\-secret\-killperson(1) \fIhttp://git\-secret\.io/git\-secret\-killperson\fR
|
@ -1,32 +0,0 @@
|
||||
git-secret-remove - removes files from index.
|
||||
=============================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret remove [-c] <pathspec>...
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-remove` deletes files from `.gitsecret/paths/mapping.cfg`,
|
||||
so they won't be encrypted or decrypted in the future.
|
||||
There's also a -c option to delete existing encrypted versions of the files provided.
|
||||
|
||||
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
|
||||
folder using the SECRETS_DIR environment variable.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-c - deletes existing real encrypted files.
|
||||
-h - shows help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-remove` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-clean(1)](http://git-secret.io/git-secret-clean),
|
||||
[git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)
|
@ -1,41 +0,0 @@
|
||||
.\" generated with Ronn/v0.7.3
|
||||
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
||||
.
|
||||
.TH "GIT\-SECRET\-REVEAL" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
|
||||
.
|
||||
.SH "NAME"
|
||||
\fBgit\-secret\-reveal\fR \- decrypts all added files\.
|
||||
.
|
||||
.SH "SYNOPSIS"
|
||||
.
|
||||
.nf
|
||||
|
||||
git secret reveal [\-f] [\-F] [\-P] [\-v] [\-d dir] [\-p password] [pathspec]\.\.\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "DESCRIPTION"
|
||||
\fBgit\-secret\-reveal\fR \- decrypts all the files in \fB\.gitsecret/paths/mapping\.cfg\fR, or the passed \fBpathspec\fRs\. You will need to have imported the paired secret\-key with one of the public\-keys which were used in the encryption\. Under the hood, this uses the \fBgpg \-\-decrypt\fR command\.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
.
|
||||
.nf
|
||||
|
||||
\-f \- forces gpg to overwrite existing files without prompt\.
|
||||
\-F \- forces reveal to continue even if a file fails to decrypt\.
|
||||
\-d \- specifies `\-\-homedir` option for the `gpg`, basically use this option if you store your keys in a custom location\.
|
||||
\-v \- verbose, shows extra information\.
|
||||
\-p \- specifies password for noinput mode, adds `\-\-passphrase` option for `gpg`\.
|
||||
\-P \- preserve permissions of encrypted file in unencrypted file\.
|
||||
\-h \- shows help\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.P
|
||||
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\.
|
||||
.
|
||||
.SH "MANUAL"
|
||||
Run \fBman git\-secret\-reveal\fR to see this note\.
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR
|
@ -1,40 +0,0 @@
|
||||
git-secret-reveal - decrypts all added files.
|
||||
=============================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret reveal [-f] [-F] [-P] [-v] [-d dir] [-p password] [pathspec]...
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-reveal` - decrypts all the files in `.gitsecret/paths/mapping.cfg`,
|
||||
or the passed `pathspec`s.
|
||||
You will need to have imported the paired secret-key with one of the
|
||||
public-keys which were used in the encryption.
|
||||
Under the hood, this uses the `gpg --decrypt` command.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-f - forces gpg to overwrite existing files without prompt.
|
||||
-F - forces reveal to continue even if a file fails to decrypt.
|
||||
-d - specifies `--homedir` option for the `gpg`, basically use this option if you store your keys in a custom location.
|
||||
-v - verbose, shows extra information.
|
||||
-p - specifies password for noinput mode, adds `--passphrase` option for `gpg`.
|
||||
-P - preserve permissions of encrypted file in unencrypted file.
|
||||
-h - shows help.
|
||||
|
||||
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
|
||||
folder using the SECRETS_DIR environment variable.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-reveal` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-cat(1)](http://git-secret.io/git-secret-cat),
|
||||
[git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-add(1)](http://git-secret.io/git-secret-add),
|
||||
[git-secret-hide(1)](http://git-secret.io/git-secret-hide)
|
@ -1,40 +0,0 @@
|
||||
.\" generated with Ronn/v0.7.3
|
||||
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
||||
.
|
||||
.TH "GIT\-SECRET\-TELL" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
|
||||
.
|
||||
.SH "NAME"
|
||||
\fBgit\-secret\-tell\fR \- adds a person, who can access private data\.
|
||||
.
|
||||
.SH "SYNOPSIS"
|
||||
.
|
||||
.nf
|
||||
|
||||
git secret tell [\-m] [\-d dir] [emails]\.\.\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "DESCRIPTION"
|
||||
\fBgit\-secret\-tell\fR receives one or more email addresses as an input, searches for the \fBgpg\fR\-key in the \fBgpg\fR \fBhomedir\fR by these emails, then imports the corresponding public key into \fBgit\-secret\fR\'s inner keychain\. From this moment this person can encrypt new files with the keyring which contains their key, but they cannot decrypt the old files, which were already encrypted without their key\. The files should be re\-encrypted with the new keyring by someone who has the unencrypted files\.
|
||||
.
|
||||
.P
|
||||
Versions of \fBgit\-secret tell\fR after 0\.3\.2 will warn about keys that are expired, revoked, or otherwise invalid, and also if multiple keys are found for a single email address\.
|
||||
.
|
||||
.P
|
||||
\fBDo not manually import secret keys into \fBgit\-secret\fR\fR\. It won\'t work with imported secret keys anyway\.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
.
|
||||
.nf
|
||||
|
||||
\-m \- takes your current `git config user\.email` as an identifier for the key\.
|
||||
\-d \- specifies `\-\-homedir` option for the `gpg`, basically use this option if your store your keys in a custom location\.
|
||||
\-h \- shows help\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "MANUAL"
|
||||
Run \fBman git\-secret\-tell\fR to see this note\.
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR, git\-secret\-killperson(1) \fIhttp://git\-secret\.io/git\-secret\-killperson\fR
|
@ -1,37 +0,0 @@
|
||||
git-secret-tell - adds a person, who can access private data.
|
||||
===============================================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret tell [-m] [-d dir] [emails]...
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-tell` receives one or more email addresses as an input, searches for the `gpg`-key in the `gpg`
|
||||
`homedir` by these emails, then imports the corresponding public key into `git-secret`'s inner keychain.
|
||||
From this moment this person can encrypt new files with the keyring which contains their key,
|
||||
but they cannot decrypt the old files, which were already encrypted without their key.
|
||||
The files should be re-encrypted with the new keyring by someone who has the unencrypted files.
|
||||
|
||||
Versions of `git-secret tell` after 0.3.2 will warn about keys that are expired, revoked, or otherwise invalid,
|
||||
and also if multiple keys are found for a single email address.
|
||||
|
||||
**Do not manually import secret keys into `git-secret`**. It won't work with imported secret keys anyway.
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-m - takes your current `git config user.email` as an identifier for the key.
|
||||
-d - specifies `--homedir` option for the `gpg`, basically use this option if your store your keys in a custom location.
|
||||
-h - shows help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-tell` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-add(1)](http://git-secret.io/git-secret-add),
|
||||
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
|
||||
[git-secret-cat(1)](http://git-secret.io/git-secret-cat), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)
|
@ -1,32 +0,0 @@
|
||||
.\" generated with Ronn/v0.7.3
|
||||
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
||||
.
|
||||
.TH "GIT\-SECRET\-USAGE" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
|
||||
.
|
||||
.SH "NAME"
|
||||
\fBgit\-secret\-usage\fR \- prints all the available commands\.
|
||||
.
|
||||
.SH "SYNOPSIS"
|
||||
.
|
||||
.nf
|
||||
|
||||
git secret usage
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "DESCRIPTION"
|
||||
\fBgit\-secret\-usage\fR is used to print all the available commands\.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
.
|
||||
.nf
|
||||
|
||||
\-h \- shows this help\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "MANUAL"
|
||||
Run \fBman git\-secret\-usage\fR to see this note\.
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR
|
@ -1,27 +0,0 @@
|
||||
git-secret-usage - prints all the available commands.
|
||||
=====================================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret usage
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-usage` is used to print all the available commands.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-h - shows this help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-usage` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-add(1)](http://git-secret.io/git-secret-add),
|
||||
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
|
||||
[git-secret-cat(1)](http://git-secret.io/git-secret-cat)
|
@ -1,33 +0,0 @@
|
||||
.\" generated with Ronn/v0.7.3
|
||||
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
||||
.
|
||||
.TH "GIT\-SECRET\-WHOKNOWS" "1" "March 2020" "sobolevn" "git-secret 0.3.2"
|
||||
.
|
||||
.SH "NAME"
|
||||
\fBgit\-secret\-whoknows\fR \- prints email\-labels for each key in the keyring\.
|
||||
.
|
||||
.SH "SYNOPSIS"
|
||||
.
|
||||
.nf
|
||||
|
||||
git secret whoknows
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "DESCRIPTION"
|
||||
\fBgit\-secret\-whoknows\fR prints list of email addresses whose keys are allowed to access the secrets in this repo\.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
.
|
||||
.nf
|
||||
|
||||
\-l \- \'long\' output, shows key expiration dates\.
|
||||
\-h \- shows this help\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.SH "MANUAL"
|
||||
Run \fBman git\-secret\-whoknows\fR to see this note\.
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
git\-secret\-list(1) \fIhttp://git\-secret\.io/git\-secret\-list\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-hide(1) \fIhttp://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR
|
@ -1,28 +0,0 @@
|
||||
git-secret-whoknows - prints email-labels for each key in the keyring.
|
||||
======================================================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret whoknows
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-whoknows` prints list of email addresses whose keys are allowed to access the secrets in this repo.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-l - 'long' output, shows key expiration dates.
|
||||
-h - shows this help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-whoknows` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-list(1)](http://git-secret.io/git-secret-list), [git-secret-tell(1)](http://git-secret.io/git-secret-tell),
|
||||
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
|
||||
[git-secret-cat(1)](http://git-secret.io/git-secret-cat)
|
@ -1,219 +0,0 @@
|
||||
.\" generated with Ronn/v0.7.3
|
||||
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
||||
.
|
||||
.TH "GIT\-SECRET" "7" "March 2020" "sobolevn" "git-secret 0.3.2"
|
||||
.
|
||||
.SH "NAME"
|
||||
\fBgit\-secret\fR \- bash tool to store private data inside a git repo\.
|
||||
.
|
||||
.SH "Usage: Setting up git\-secret in a repository"
|
||||
These steps cover the basic process of using \fBgit\-secret\fR:
|
||||
.
|
||||
.IP "1." 4
|
||||
Before starting, \fImake sure you have created \fBgpg\fR RSA key\-pair\fR: public and secret key identified by your email address\.
|
||||
.
|
||||
.IP "2." 4
|
||||
Begin with an existing or new git repository\. You\'ll use the \'git secret\' commands to add the keyrings and information to make the git\-secret hide and reveal files in this repository\.
|
||||
.
|
||||
.IP "3." 4
|
||||
Initialize the \fBgit\-secret\fR repository by running \fBgit secret init\fR command\. the \fB\.gitsecret/\fR folder will be created, \fBNote\fR all the contents of the \fB\.gitsecret/\fR folder should be checked in, /except/ the \fBrandom_seed\fR file\. In other words, of the files in \.gitsecret, only the random_seed file should be mentioned in your \.gitignore file\.
|
||||
.
|
||||
.IP "4." 4
|
||||
Add the first user to the git\-secret repo keyring by running \fBgit secret tell your@gpg\.email\fR\.
|
||||
.
|
||||
.IP "5." 4
|
||||
Now it\'s time to add files you wish to encrypt inside the \fBgit\-secret\fR repository\. It can be done by running \fBgit secret add <filenames\.\.\.>\fR command\. Make sure these files are ignored by mentions in \.gitignore, otherwise \fBgit\-secret\fR won\'t allow you to add them, as these files could be stored unencrypted\.
|
||||
.
|
||||
.IP "6." 4
|
||||
When done, run \fBgit secret hide\fR to encrypt all files which you have added by the \fBgit secret add\fR command\. The data will be encrypted with the public\-keys described by the \fBgit secret tell\fR command\. After using \fBgit secret hide\fR to encrypt your data, it is safe to commit your changes\. \fBNOTE:\fR\. It\'s recommended to add \fBgit secret hide\fR command to your \fBpre\-commit\fR hook, so you won\'t miss any changes\.
|
||||
.
|
||||
.IP "7." 4
|
||||
Later you can decrypt files with the \fBgit secret reveal\fR command, or just show their contents to stdout with the \fBgit secret cat\fR command\. If you used a password on your GPG key (always recommended), it will ask you for your password\. And you\'re done!
|
||||
.
|
||||
.IP "" 0
|
||||
.
|
||||
.SS "Usage: Adding someone to a repository using git\-secret"
|
||||
.
|
||||
.IP "1." 4
|
||||
\fIGet their \fBgpg\fR public\-key\fR\. \fBYou won\'t need their secret key\.\fR
|
||||
.
|
||||
.IP "2." 4
|
||||
Import this key into your \fBgpg\fR setup (in ~/\.gnupg or similar) by running \fBgpg \-\-import KEY_NAME\.txt\fR
|
||||
.
|
||||
.IP "3." 4
|
||||
Now add this person to your secrets repo by running \fBgit secret tell persons@email\.id\fR (this will be the email address associated with the public key)
|
||||
.
|
||||
.IP "4." 4
|
||||
The newly added user cannot yet read the encrypted files\. Now, re\-encrypt the files using \fBgit secret reveal; git secret hide \-d\fR, and then commit and push the newly encrypted files\. (The \-d options deletes the unencrypted file after re\-encrypting it)\. Now the newly added user be able to decrypt the files in the repo using \fBgit\-secret\fR\.
|
||||
.
|
||||
.IP "" 0
|
||||
.
|
||||
.P
|
||||
Note that it is possible to add yourself to the git\-secret repo without decrypting existing files\. It will be possible to decrypt them after re\-encrypting them with the new keyring\. So, if you don\'t want unexpected keys added, you can configure some server\-side security policy with the \fBpre\-receive\fR hook\.
|
||||
.
|
||||
.SS "Using gpg"
|
||||
You can follow a quick gpg tutorial at https://www\.devdungeon\.com/content/gpg\-tutorial\. Here are the most useful commands to get started:
|
||||
.
|
||||
.P
|
||||
To generate a RSA key\-pair, run:
|
||||
.
|
||||
.IP "" 4
|
||||
.
|
||||
.nf
|
||||
|
||||
gpg \-\-gen\-key
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.IP "" 0
|
||||
.
|
||||
.P
|
||||
To export your public key, run:
|
||||
.
|
||||
.IP "" 4
|
||||
.
|
||||
.nf
|
||||
|
||||
gpg \-\-export your\.email@address\.com \-\-armor > public\-key\.gpg
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.IP "" 0
|
||||
.
|
||||
.P
|
||||
To import the public key of someone else (to share the secret with them for instance), run:
|
||||
.
|
||||
.IP "" 4
|
||||
.
|
||||
.nf
|
||||
|
||||
gpg \-\-import public\-key\.gpg
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.IP "" 0
|
||||
.
|
||||
.P
|
||||
Be sure to use a secure channel to share your public key!
|
||||
.
|
||||
.SS "Using git\-secret for Continuous Integration / Continuous Deployment (CI/CD)"
|
||||
When using git\-secret for CI/CD, you get the benefit that any deployment is necessarily done with the correct configuration, since it is collocated with the changes in your code\.
|
||||
.
|
||||
.P
|
||||
One way of doing it is the following:
|
||||
.
|
||||
.IP "1." 4
|
||||
\fIcreate a gpg key\fR for your CI/CD environment\. You can chose any name and email address you want: for instance \fBMyApp CodeShip <myapp@codeship\.com>\fR if your app is called MyApp and your CI/CD provider is CodeShip\. It is easier not to define a password for that key\.
|
||||
.
|
||||
.IP "2." 4
|
||||
run \fBgpg \-\-export\-secret\-key myapp@codeship\.com \-\-armor\fR to get your private key value
|
||||
.
|
||||
.IP "3." 4
|
||||
Create an env var on your CI/CD server \fBGPG_PRIVATE_KEY\fR and assign it the private key value\.
|
||||
.
|
||||
.IP "4." 4
|
||||
Then write your Continuous Deployment build script\. For instance:
|
||||
.
|
||||
.IP "" 0
|
||||
.
|
||||
.IP "" 4
|
||||
.
|
||||
.nf
|
||||
|
||||
# Install git\-secret (https://git\-secret\.io/installation), for instance, for debian:
|
||||
echo "deb https://dl\.bintray\.com/sobolevn/deb git\-secret main" | sudo tee \-a /etc/apt/sources\.list
|
||||
wget \-qO \- https://api\.bintray\.com/users/sobolevn/keys/gpg/public\.key | sudo apt\-key add \-
|
||||
sudo apt\-get update && sudo apt\-get install git\-secret
|
||||
# Create private key file
|
||||
echo $GPG_PRIVATE_KEY > \./private_key\.gpg
|
||||
# Import private key
|
||||
gpg \-\-import \./private_key\.gpg
|
||||
# Reveal secrets
|
||||
git secret reveal
|
||||
# carry on with your build script, secret files are available \.\.\.
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.IP "" 0
|
||||
.
|
||||
.P
|
||||
Note: your CI/CD might not allow you to create a multiline value\. In that case, you can export it on one line with
|
||||
.
|
||||
.IP "" 4
|
||||
.
|
||||
.nf
|
||||
|
||||
gpg \-\-export\-secret\-key myapp@codeship\.com \-\-armor | tr \'\en\' \',\'
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.IP "" 0
|
||||
.
|
||||
.P
|
||||
You can then create your private key file with:
|
||||
.
|
||||
.IP "" 4
|
||||
.
|
||||
.nf
|
||||
|
||||
echo $GPG_PRIVATE_KEY | tr \',\' \'\en\' > \./private_key\.gpg
|
||||
.
|
||||
.fi
|
||||
.
|
||||
.IP "" 0
|
||||
.
|
||||
.SH "Environment Variables and Configuration"
|
||||
You can configure the version of gpg used, or the extension your encrypted files use, to suit your workflow better\. To do so, just set the required variable to the value you need\. This can be done in your shell environment file or with each \fBgit\-secret\fR command\.
|
||||
.
|
||||
.P
|
||||
The settings available to be changed are:
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB$SECRETS_VERBOSE\fR \- sets the verbose flag to on for all \fBgit\-secret\fR commands; is identical to using \fB\-v\fR on each command that supports it\.
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB$SECRETS_GPG_COMMAND\fR \- sets the \fBgpg\fR alternatives, defaults to \fBgpg\fR\. It can be changed to \fBgpg\fR, \fBgpg2\fR, \fBpgp\fR, \fB/usr/local/gpg\fR or any other value\. After doing so rerun the tests to be sure that it won\'t break anything\. Tested to be working with: \fBgpg\fR, \fBgpg2\fR\.
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB$SECRETS_EXTENSION\fR \- sets the secret files extension, defaults to \fB\.secret\fR\. It can be changed to any valid file extension\.
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB$SECRETS_DIR\fR \- sets the directory where git\-secret stores its files, defaults to \.gitsecret\. It can be changed to any valid directory name\.
|
||||
.
|
||||
.IP "\(bu" 4
|
||||
\fB$SECRETS_PINENTRY\fR \- allows user to specify a setting for \fBgpg\fR\'s \-\-pinentry option\. See \fBgpg\fR docs for details about gpg\'s \-\-pinentry option\.
|
||||
.
|
||||
.IP "" 0
|
||||
.
|
||||
.SH "The <code>\.gitsecret</code> folder (can be overridden with SECRETS_DIR)"
|
||||
This folder contains information about the files encrypted by git\-secret, and about which public/private key sets can access the encrypted data\.
|
||||
.
|
||||
.P
|
||||
You can change the name of this directory using the SECRETS_DIR environment variable\.
|
||||
.
|
||||
.P
|
||||
Use the various \'git secret\' commands to manipulate the files in \fB\.gitsecret\fR, you should not change the data in these files directly\.
|
||||
.
|
||||
.P
|
||||
Exactly which files exist in the \fB\.gitsecret\fR folder and what their contents are vary slightly across different versions of gpg\. Thus it is best to use git\-secret with the same version of gpg being used by all users\. This can be forced using SECRETS_GPG_COMMAND environment variable\.
|
||||
.
|
||||
.P
|
||||
Specifically, there is an issue between gpg version 2\.1\.20 and later versions which can cause problems reading and writing keyring files between systems (this shows up in errors like \'gpg: skipped packet of type 12 in keybox\')\.
|
||||
.
|
||||
.P
|
||||
The git\-secret internal data is separated into two directories:
|
||||
.
|
||||
.SS "<code>\.gitsecret/paths</code>"
|
||||
This directory currently contains only the file \fBmapping\.cfg\fR, which lists all the files your storing encrypted\. In other words, the path mappings: what files are tracked to be hidden and revealed\.
|
||||
.
|
||||
.P
|
||||
All the other internal data is stored in the directory:
|
||||
.
|
||||
.SS "<code>\.gitsecret/keys</code>"
|
||||
This directory contains data used by git\-secret and PGP to allow and maintain the correct encryption and access rights for the permitted parties\.
|
||||
.
|
||||
.P
|
||||
Generally speaking, all the files in this directory \fIexcept\fR \fBrandom_seed\fR should be checked into your repo\. By default, \fBgit secret init\fR will add the file \fB\.gitsecret/keys/random_seed\fR to your \.gitignore file\.
|
||||
.
|
||||
.P
|
||||
Again, you can change the name of this directory using the SECRETS_DIR environment variable\.
|
@ -1,173 +0,0 @@
|
||||
git-secret - bash tool to store private data inside a git repo.
|
||||
=============================================
|
||||
|
||||
## Usage: Setting up git-secret in a repository
|
||||
|
||||
These steps cover the basic process of using `git-secret`:
|
||||
|
||||
0. Before starting, [make sure you have created a `gpg` RSA key-pair](#using-gpg): a public and a secret key identified by your email address.
|
||||
|
||||
1. Begin with an existing or new git repository. You'll use the 'git secret' commands to add the keyrings and information
|
||||
to make `git-secret` hide and reveal files in this repository.
|
||||
|
||||
2. Initialize the `git-secret` repository by running `git secret init` command. The `.gitsecret/` folder will be created.
|
||||
**Note** all the contents of the `.gitsecret/` folder should be checked in, **/except/** the `random_seed` file.
|
||||
In other words, of all the files in `.gitsecret/`, only the `random_seed` file should be mentioned in your `.gitignore` file.
|
||||
By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your `.gitignore` file.
|
||||
|
||||
3. Add the first user to the `git-secret` repo keyring by running `git secret tell your@gpg.email`.
|
||||
|
||||
4. Now it's time to add files you wish to encrypt inside the `git-secret` repository.
|
||||
This can be done by running `git secret add <filenames...>` command. Make sure these files are ignored by mentions in
|
||||
`.gitignore`, otherwise `git-secret` won't allow you to add them, as these files could be stored unencrypted. In the default configuration, `git-secret add` will automatically add the unencrypted versions of the files to `.gitignore` for you.
|
||||
|
||||
5. When done, run `git secret hide` to encrypt all files which you have added by the `git secret add` command.
|
||||
The data will be encrypted with the public-keys described by the `git secret tell` command.
|
||||
After using `git secret hide` to encrypt your data, it is safe to commit your changes.
|
||||
**NOTE:** It's recommended to add the `git secret hide` command to your `pre-commit` hook, so you won't miss any changes.
|
||||
|
||||
6. Later you can decrypt files with the `git secret reveal` command, or just print their contents to stdout with the
|
||||
`git secret cat` command. If you used a password on your GPG key (always recommended), it will ask you for your password.
|
||||
And you're done!
|
||||
|
||||
### Usage: Adding someone to a repository using git-secret
|
||||
|
||||
1. [Get their `gpg` public-key](#using-gpg). **You won't need their secret key.**
|
||||
|
||||
2. Import this key into your `gpg` keyring (in `~/.gnupg` or similar) by running `gpg --import KEY_NAME.txt`
|
||||
|
||||
3. Now add this person to your secrets repo by running `git secret tell persons@email.id`
|
||||
(this will be the email address associated with the public key)
|
||||
|
||||
4. The newly added user cannot yet read the encrypted files. Now, re-encrypt the files using
|
||||
`git secret reveal; git secret hide -d`, and then commit and push the newly encrypted files.
|
||||
(The -d options deletes the unencrypted file after re-encrypting it).
|
||||
Now the newly added user will be able to decrypt the files in the repo using `git-secret reveal`.
|
||||
|
||||
Note that it is possible to add yourself to the git-secret repo without decrypting existing files.
|
||||
It will be possible to decrypt them after re-encrypting them with the new keyring. So, if you don't
|
||||
want unexpected keys added, you can configure some server-side security policy with the `pre-receive` hook.
|
||||
|
||||
### Using gpg
|
||||
|
||||
You can follow a quick `gpg` tutorial at [devdungeon](https://www.devdungeon.com/content/gpg-tutorial). Here are the most useful commands to get started:
|
||||
|
||||
To generate a RSA key-pair, run:
|
||||
|
||||
```shell
|
||||
gpg --gen-key
|
||||
```
|
||||
|
||||
To export your public key, run:
|
||||
|
||||
```shell
|
||||
gpg --export your.email@address.com --armor > public-key.gpg
|
||||
```
|
||||
|
||||
To import the public key of someone else (to share the secret with them for instance), run:
|
||||
|
||||
```shell
|
||||
gpg --import public-key.gpg
|
||||
```
|
||||
|
||||
To make sure you get the original public keys of the indicated persons, be sure to use a secure channel to transfer it, or use a service you trust, preferably one that uses encryption such as Keybase, to retrieve their public key. Otherwise you could grant the wrong person access to your secrets by mistake!
|
||||
|
||||
### Using git-secret for Continuous Integration / Continuous Deployment (CI/CD)
|
||||
|
||||
When using `git-secret` for CI/CD, you get the benefit that any deployment is necessarily done with the correct configuration, since it is collocated
|
||||
with the changes in your code.
|
||||
|
||||
One way of doing it is the following:
|
||||
|
||||
1. [create a gpg key](#using-gpg) for your CI/CD environment. You can chose any name and email address you want: for instance `MyApp CodeShip <myapp@codeship.com>`
|
||||
if your app is called MyApp and your CI/CD provider is CodeShip. It is easier not to define a password for that key.
|
||||
2. run `gpg --export-secret-key myapp@codeship.com --armor` to get your private key value
|
||||
3. Create an env var on your CI/CD server `GPG_PRIVATE_KEY` and assign it the private key value.
|
||||
4. Then write your Continuous Deployment build script. For instance:
|
||||
|
||||
```shell
|
||||
# Install git-secret (https://git-secret.io/installation), for instance, for debian:
|
||||
echo "deb https://dl.bintray.com/sobolevn/deb git-secret main" | sudo tee -a /etc/apt/sources.list
|
||||
wget -qO - https://api.bintray.com/users/sobolevn/keys/gpg/public.key | sudo apt-key add -
|
||||
sudo apt-get update && sudo apt-get install git-secret
|
||||
# Create private key file
|
||||
echo $GPG_PRIVATE_KEY > ./private_key.gpg
|
||||
# Import private key
|
||||
gpg --import ./private_key.gpg
|
||||
# Reveal secrets
|
||||
git secret reveal
|
||||
# carry on with your build script, secret files are available ...
|
||||
```
|
||||
|
||||
Note: your CI/CD might not allow you to create a multiline value. In that case, you can export it on one line with
|
||||
|
||||
```shell
|
||||
gpg --export-secret-key myapp@codeship.com --armor | tr '\n' ','
|
||||
```
|
||||
|
||||
You can then create your private key file with:
|
||||
|
||||
```shell
|
||||
echo $GPG_PRIVATE_KEY | tr ',' '\n' > ./private_key.gpg
|
||||
```
|
||||
|
||||
## Environment Variables and Configuration
|
||||
|
||||
You can configure the version of `gpg` used, or the extension your encrypted files use, to suit your workflow better.
|
||||
To do so, just set the required variable to the value you need.
|
||||
This can be done in your shell environment file or with each `git-secret` command.
|
||||
See below, or the man page of `git-secret` for an explanation of the environment variables `git-secret` uses.
|
||||
|
||||
The settings available to be changed are:
|
||||
|
||||
* `$SECRETS_VERBOSE` - sets the verbose flag to on for all `git-secret` commands; is identical
|
||||
to using `-v` on each command that supports it.
|
||||
|
||||
* `$SECRETS_GPG_COMMAND` - sets the `gpg` alternatives, defaults to `gpg`.
|
||||
It can be changed to `gpg`, `gpg2`, `pgp`, `/usr/local/gpg` or any other value.
|
||||
After doing so rerun the tests to be sure that it won't break anything. Tested to be working with: `gpg`, `gpg2`.
|
||||
|
||||
* `$SECRETS_EXTENSION` - sets the secret files extension, defaults to `.secret`. It can be changed to any valid file extension.
|
||||
|
||||
* `$SECRETS_DIR` - sets the directory where git-secret stores its files, defaults to .gitsecret.
|
||||
It can be changed to any valid directory name.
|
||||
|
||||
* `$SECRETS_PINENTRY` - allows user to specify a setting for `gpg`'s --pinentry option.
|
||||
See `gpg` docs for details about gpg's --pinentry option.
|
||||
|
||||
## The `.gitsecret` folder (can be overridden with SECRETS_DIR)
|
||||
|
||||
This folder contains information about the files encrypted by git-secret,
|
||||
and about which public/private key sets can access the encrypted data.
|
||||
|
||||
You can change the name of this directory using the SECRETS_DIR environment variable.
|
||||
|
||||
Use the various 'git secret' commands to manipulate the files in `.gitsecret`,
|
||||
you should not change the data in these files directly.
|
||||
|
||||
Exactly which files exist in the `.gitsecret` folder and what their contents are
|
||||
vary slightly across different versions of gpg. Thus it is best to use
|
||||
git-secret with the same version of gpg being used by all users.
|
||||
This can be forced using SECRETS_GPG_COMMAND environment variable.
|
||||
|
||||
Specifically, there is an issue between gpg version 2.1.20 and later versions
|
||||
which can cause problems reading and writing keyring files between systems
|
||||
(this shows up in errors like 'gpg: skipped packet of type 12 in keybox').
|
||||
|
||||
The git-secret internal data is separated into two directories:
|
||||
|
||||
### `.gitsecret/paths`
|
||||
|
||||
This directory currently contains only the file `mapping.cfg`, which lists all the files your storing encrypted.
|
||||
In other words, the path mappings: what files are tracked to be hidden and revealed.
|
||||
|
||||
All the other internal data is stored in the directory:
|
||||
|
||||
### `.gitsecret/keys`
|
||||
|
||||
This directory contains data used by git-secret and PGP to allow and maintain the correct encryption and access rights for the permitted parties.
|
||||
|
||||
Generally speaking, all the files in this directory *except* `random_seed` should be checked into your repo.
|
||||
By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your `.gitignore` file.
|
||||
|
||||
Again, you can change the name of this directory using the SECRETS_DIR environment variable.
|
Loading…
Reference in New Issue