1inguini/pijul-encrypt - Change 7F6YCRNZUJFE5JFIAERIXDPT4E3DNO6ATEAZ5ZYJDVJIWZ2PVH2AC

うおーーー

Created by 1inguini on March 12, 2025

7F6YCRNZUJFE5JFIAERIXDPT4E3DNO6ATEAZ5ZYJDVJIWZ2PVH2AC

Dependencies

In channels

main

Change contents

File deletion: README.md

BF:BFD[3.1] → [2.10919:10952]

BF:BFD[2.10952] → [2.10953:10953]

B:BD[2.10953] → [2.10954:12978]

# pijul-encrypt
Pijul hook to encrypt files using GnuPG in Pijul repositry before recording.
Add globs matching paths you want to encrypt to `.encrypt`.
Register your and collaborators GnuPG public key using `.pijul/encrypt/add-recipients.sh`.
Files will be encrypted both asymmetricaly and symmetricaly.
Symmetric key can be retrieved by decrypting `.encrypt.d/master_key.gpg`.
GnuPGでrecord前にファイルを暗号化するPijulフック。
`.encrypt`に記入したグロブパターンにマッチするファイルを暗号化します。
`.pijul/encrypt/add-recipients.sh`で自分や共同編集者のGnuPG公開鍵を登録できます。
ファイルは公開鍵暗号と共通鍵暗号の両方で暗号化されます。
共通鍵は `.encrypt.d/master_key.gpg`を復号することで確認できます。
``` toml
[hooks]
record = [".pijul/encrypt/hook-record.sh"]
```
Master key for this example repositry.
例示のためのこのレポジトリのマスターキー
```
eb40d77797be122260be7b0be5c78f664235b973093c5f9baa3c1461d5ce370dfb02ec3ee30c80cdd37b1984fc5881a4baef71258a58b915c1c4bb326a498065cc03de58b798867f0e08dbb62b76d4ab270c936c19baf07498f0b5da53a42671796d65644de1c74f1ce8b8415865cf52ec78c8d2482018b641c5343c4aee6c1b88bc6b6ed5cf2d2df5a74631d311f37b2990a17988e4dd4d3ca1de4e8ca600c2b1cd9f9763e3bdd5b63d69eefa33158a6d457a75b206b30520dfc24e201e3f62161d50458a16139db1fcde54b38f3c7d66954d6a39bd604b112097739964a3d5c817fcaefc3f987003da3521759f703b71766d214c1bd3067baebb9bfbbb42bdd0af269a280ece5860905d0b691cde59b4ad00551abc1b48d82e40b74efcf2c9ae81dd8141a1f702c15c85c9accafcf1fe10b662b405aae3cf7c4aee999005a587d3199309a220fb83b6d56869b04521d056a9f616c19bd435df3243e0e6c33973e602e050c774de38f6b04c088181aefa8782f5f7dcf9e45f4cb3b42503c8e5130ac301a6cfad376529fce930ea331f8801cd3136e42d4818d2544cae239e81c5c695dde98b92a63881972b37704e7449639d68533a3c5ec0e2831755ea28c58ec8ddef051c3eec4dd35d7bd536f90c34879dcff9370a9a5fd6644199181d2fc451dec2971647faa241fc419d1c2ca44f6f40de90fbc1e088bce54d23799e3a
```

File deletion: .ignore
BF:BFD[3.1] → [2.16887:16918]
BF:BFD[2.16918] → [2.16919:16919]
B:BD[2.16919] → [2.16920:16934]
```
.git
.DS_Store
```
File deletion: .encrypt
BF:BFD[3.1] → [2.19307:19339]
BF:BFD[2.19339] → [2.19340:19340]
B:BD[2.19340] → [2.19341:19349]
```
secret/*
```
File deletion: scripts.sh
BF:BFD[2.3309] → [2.3311:3345]
BF:BFD[2.3345] → [2.3346:3346]
B:BD[2.3346] → [2.3347:3459]
```
#!/bin/sh
set -e
IFS='
'
if ! gpg=$(command -v gpg2) >/dev/null; then
  echo "$0 requires gpg2" >&2
  false
fi
```

File deletion: init.sh

BF:BFD[2.3309] → [2.3460:3491]

BF:BFD[2.3491] → [2.3492:3492]

B:BD[2.3492] → [2.3493:4333]

#!/bin/sh
[ -d .pijul ] || {
  echo 'this directory does not seem to be Pijul repositry.' >&2
  false
}
. .pijul/encrypt/scripts.sh
if [ -f .encrypt.d/master_key.gpg ]; then
  echo 'pijul-encrypt already configured!'
  false
fi
recipients="$*"
[ "$recipients" ] || {
  echo 'Specify recipients fingerprints.'
  read -r recipients
}
(
  IFS=' '
  .pijul/encrypt/add-recipients.sh $recipients
)
echo 'generating master key...'
master_key=$($gpg --armor --gen-random 16 512)
echo "master key generated: $master_key"
printf %s "$master_key" | $gpg --batch --sign --encrypt \
  $(printf -- '--recipient-file\n%s\n' .encrypt.d/recipient/*.asc) \
  --output .encrypt.d/master_key.gpg
echo "Now add .pijul/encrypt/hook-record.sh to record hook.
edit .pijul/config as below:
\`\`\`
[hooks]
record = ['.pijul/encrypt/hook-record.sh']
\`\`\`
"

File deletion: hook-record.sh

BF:BFD[2.3309] → [2.4334:4372]

BF:BFD[2.4372] → [2.4373:4373]

B:BD[2.4373] → [2.4374:6448]

#!/bin/sh
. .pijul/encrypt/scripts.sh
if ! sha256sum=$(command -v sha256sum) >/dev/null; then
  echo "$0 requires sha256sum" >&2
  false
fi
if [ ! -f .encrypt.d/master_key.gpg ]; then
  echo "No master key in repositry. Repositry not initialized for pijul-encrypt" >&2
  false
fi
encrypt() {
  path=$1
  $gpg --decrypt .encrypt.d/master_key.gpg |
    $gpg --batch --passphrase-fd 0 \
      --sign --encrypt --symmetric \
      $(printf -- "--recipient-file$IFS%s$IFS" .encrypt.d/recipient/*.asc) "$path"
}
decrypt() {
  path=$1
  $gpg --decrypt .encrypt.d/master_key.gpg |
    $gpg --batch --output - --passphrase-fd 0 \
      --decrypt "$path"
}
# globを展開、マッチするディレクトリの中身も全部マッチしたいのでfindを噛ませる
# shellcheck disable=SC2046
worktree_glob=$(find $(cat .encrypt) -type f -not -name '*.gpg' || true)
: "↓debug worktree_glob↓
$worktree_glob"
# pijulが記録しているパスのうち`.encrypt`にマッチするもの
# shellcheck disable=SC2086
# shellcheck disable=SC2046
tracked_glob=$(printf '%s\n' $worktree_glob $(pijul list) | sort | uniq -d)
: "↓debug tracked_glob↓
$tracked_glob"
# shellcheck disable=SC2086
pijul remove $tracked_glob # 秘密のファイルはさっさと記録から除外
# pijulが記録しているパスのうち`*.gpg`にマッチするもの (pijul listが変わってるのでtracked_globとは重複しない)
gpg_tracked=$(pijul list | grep '\.gpg$' | sed 's/\.gpg$//')
: "↓debug gpg_tracked↓
$gpg_tracked"
# 秘密にしなければいけないファイルたち
will_be_encrypted="$tracked_glob
$gpg_tracked"
# 秘密のファイルに変更があれば暗号化し直す
for path in $will_be_encrypted; do
  if [ ! -f "$path" ]; then
    [ "$path" = ".encrypt.d/master_key" ] || pijul remove "$path.gpg"
  else
    if [ -f "$path.gpg" ] &&
      [ "$($sha256sum <"$path")" != "$(decrypt "$path.gpg" | $sha256sum)" ]; then
      rm "$path.gpg"
    fi
    if [ ! -e "$path.gpg" ]; then
      encrypt "$path"
    fi
    pijul add "$path.gpg"
  fi
done

File deletion: add-recipients.sh

BF:BFD[2.3309] → [2.6449:6490]

BF:BFD[2.6490] → [2.6491:6491]

B:BD[2.6491] → [2.6492:7218]

#!/bin/sh
[ -d .pijul ] || {
  echo 'this directory does not seem to be Pijul repositry.' >&2
  false
}
. .pijul/encrypt/scripts.sh
[ "$*" ] || {
  echo 'Please supply the recipients fingerprints as arguments.' >&2
  false
}
mkdir -p .encrypt.d/recipient/
for recipient in "$@"; do
  gpg --armor --export "$recipient" >".encrypt.d/recipient/$recipient.asc"
done
if [ -f .encrypt.d/master_key.gpg ]; then
  echo 're-encrypting master key...'
  $gpg --decrypt .encrypt.d/master_key.gpg |
    $gpg --batch --sign --encrypt \
      $(printf -- "--recipient-file$IFS%s$IFS" .encrypt.d/recipient/*.asc) \
      --output .encrypt.d/master_key.gpg.tmp
  mv .encrypt.d/master_key.gpg.tmp .encrypt.d/master_key.gpg
  echo 'done'
fi

File deletion: master_key.gpg
BF:BFD[2.7289] → [2.8691:8736]
BF:BFD[2.8736] → [2.8737:8737]
B:BD[2.8737] → [2.8738:9685]

File deletion: 709D50D8B911D7803BBEB84B49333C087767B9C1.asc

BF:BFD[2.7312] → [2.7314:7382]

BF:BFD[2.7382] → [2.7383:7383]

B:BD[2.7383] → [2.7384:8690]

うおーーー

Dependencies

In channels

Change contents

File deletion: README.md

File deletion: .ignore

File deletion: .encrypt

File deletion: scripts.sh

File deletion: init.sh

File deletion: hook-record.sh

File deletion: add-recipients.sh

File deletion: master_key.gpg

File deletion: 709D50D8B911D7803BBEB84B49333C087767B9C1.asc