動くはず
Created by 1inguini on March 12, 2025
JYXYLBSITEMW7762VFYXWSZVH2FKHBQC47VCJ6LJMCQG4QCZUEIAC Dependencies
In channels
main
Change contents
File addition: .pijul
[2.1]File addition: encrypt
[0.18]File addition: scripts.sh
[0.39]#!/bin/shset -eIFS=''if ! gpg=$(command -v gpg2) >/dev/null; thenecho "$0 requires gpg2" >&2falsefiFile addition: init.sh
[0.39]#!/bin/sh[ -d .pijul ] || {echo 'this directory does not seem to be Pijul repositry.' >&2false}. .pijul/encrypt/scripts.shif [ -f .encrypt.d/master_key.gpg ]; thenecho 'pijul-encrypt already configured!'falsefirecipients="$*"[ "$recipients" ] || {echo 'Specify recipients fingerprints.'read -r recipients}(IFS=' '.pijul/encrypt/add-recipients.sh $recipients)echo 'generating master key...'master_key=$($gpg --armor --gen-random 16 512)echo "master key generated: $master_key"printf %s "$master_key" | $gpg --batch --sign --encrypt \$(printf -- '--recipient-file\n%s\n' .encrypt.d/recipient/*.asc) \--output .encrypt.d/master_key.gpgecho "Now add .pijul/encrypt/hook-record.sh to record hook.edit .pijul/config as below:\`\`\`[hooks]record = ['.pijul/encrypt/hook-record.sh']\`\`\`"File addition: hook-record.sh
[0.39]#!/bin/sh. .pijul/encrypt/scripts.shif ! sha256sum=$(command -v sha256sum) >/dev/null; thenecho "$0 requires sha256sum" >&2falsefiif [ ! -f .encrypt.d/master_key.gpg ]; thenecho "No master key in repositry. Repositry not initialized for pijul-encrypt" >&2falsefiencrypt() {path=$1$gpg --decrypt .encrypt.d/master_key.gpg |$gpg --batch --passphrase-fd 0 \--sign --encrypt --symmetric \$(printf -- "--recipient-file$IFS%s$IFS" .encrypt.d/recipient/*.asc) "$path"}decrypt() {path=$1$gpg --decrypt .encrypt.d/master_key.gpg |$gpg --batch --output - --passphrase-fd 0 \--decrypt "$path"}# globを展開、マッチするディレクトリの中身も全部マッチしたいのでfindを噛ませる# shellcheck disable=SC2046worktree_glob=$(find $(cat .encrypt) -type f -not -name '*.gpg' || true): "↓debug worktree_glob↓$worktree_glob"# pijulが記録しているパスのうち`.encrypt`にマッチするもの# shellcheck disable=SC2086# shellcheck disable=SC2046tracked_glob=$(printf '%s\n' $worktree_glob $(pijul list) | sort | uniq -d): "↓debug tracked_glob↓$tracked_glob"# shellcheck disable=SC2086pijul remove $tracked_glob # 秘密のファイルはさっさと記録から除外# pijulが記録しているパスのうち`*.gpg`にマッチするもの (pijul listが変わってるのでtracked_globとは重複しない)gpg_tracked=$(pijul list | grep '\.gpg$' | sed 's/\.gpg$//'): "↓debug gpg_tracked↓$gpg_tracked"# 秘密にしなければいけないファイルたちwill_be_encrypted="$tracked_glob$gpg_tracked"# 秘密のファイルに変更があれば暗号化し直すfor path in $will_be_encrypted; doif [ ! -f "$path" ]; then[ "$path" = ".encrypt.d/master_key" ] || pijul remove "$path.gpg"elseif [ -f "$path.gpg" ] &&[ "$($sha256sum <"$path")" != "$(decrypt "$path.gpg" | $sha256sum)" ]; thenrm "$path.gpg"fiif [ ! -e "$path.gpg" ]; thenencrypt "$path"fipijul add "$path.gpg"fidoneFile addition: add-recipients.sh
[0.39]#!/bin/sh[ -d .pijul ] || {echo 'this directory does not seem to be Pijul repositry.' >&2false}. .pijul/encrypt/scripts.sh[ "$*" ] || {echo 'Please supply the recipients fingerprints as arguments.' >&2false}mkdir -p .encrypt.d/recipient/for recipient in "$@"; dogpg --armor --export "$recipient" >".encrypt.d/recipient/$recipient.asc"doneif [ -f .encrypt.d/master_key.gpg ]; thenecho 're-encrypting master key...'$gpg --decrypt .encrypt.d/master_key.gpg |$gpg --batch --sign --encrypt \$(printf -- "--recipient-file$IFS%s$IFS" .encrypt.d/recipient/*.asc) \--output .encrypt.d/master_key.gpg.tmpmv .encrypt.d/master_key.gpg.tmp .encrypt.d/master_key.gpgecho 'done'fi