1inguini/pijul-encrypt - Change N52ZICTOT7TZ2TMETMBDELF777QNZHKFD6YWU7DRSOPOFSSW7IYQC

例を追加

Created by 1inguini on March 12, 2025

N52ZICTOT7TZ2TMETMBDELF777QNZHKFD6YWU7DRSOPOFSSW7IYQC

Dependencies

In channels

main

Change contents

File deletion: hello
BF:BFD[4.1] → [5.0:16]
BF:BFD[5.16] → [5.17:17]
File deletion: secret
BF:BFD[5.17] → [5.19:36]
BF:BFD[5.36] → [5.37:37]
File deletion: world
BF:BFD[5.37] → [5.39:55]
BF:BFD[5.55] → [5.56:56]

File deletion: README.md

BF:BFD[4.1] → [6.0:33]

BF:BFD[6.33] → [6.34:34]

B:BD[6.34] → [6.35:52]

B:BD[6.52] → [3.0:872]

# pijul-encrypt
Pijul hook to encrypt files using GnuPG in Pijul repositry before recording.
Add globs matching paths you want to encrypt to `.encrypt`.
Register your and collaborators GnuPG public key using `.pijul/encrypt/add-recipients.sh`.
Files will be encrypted both asymmetricaly and symmetricaly.
Symmetric key can be retrieved by decrypting `.encrypt.d/master_key.gpg`.
GnuPGでrecord前にファイルを暗号化するPijulフック。
`.encrypt`に記入したグロブパターンにマッチするファイルを暗号化します。
`.pijul/encrypt/add-recipients.sh`で自分や共同編集者のGnuPG公開鍵を登録できます。
ファイルは公開鍵暗号と共通鍵暗号の両方で暗号化されます。
共通鍵は `.encrypt.d/master_key.gpg`を復号することで確認できます。
``` toml
[hooks]
record = [".pijul/encrypt/hook-record.sh"]
```

File deletion: .pijul
BF:BFD[4.1] → [5.923:940]
BF:BFD[5.940] → [5.941:941]
File deletion: encrypt
BF:BFD[5.941] → [5.943:961]
BF:BFD[5.961] → [5.962:962]

File deletion: add-recipients.sh

BF:BFD[5.962] → [5.4094:4135]

BF:BFD[5.4135] → [5.4136:4136]

B:BD[5.4136] → [5.4137:4863]

#!/bin/sh
[ -d .pijul ] || {
  echo 'this directory does not seem to be Pijul repositry.' >&2
  false
}
. .pijul/encrypt/scripts.sh
[ "$*" ] || {
  echo 'Please supply the recipients fingerprints as arguments.' >&2
  false
}
mkdir -p .encrypt.d/recipient/
for recipient in "$@"; do
  gpg --armor --export "$recipient" >".encrypt.d/recipient/$recipient.asc"
done
if [ -f .encrypt.d/master_key.gpg ]; then
  echo 're-encrypting master key...'
  $gpg --decrypt .encrypt.d/master_key.gpg |
    $gpg --batch --sign --encrypt \
      $(printf -- "--recipient-file$IFS%s$IFS" .encrypt.d/recipient/*.asc) \
      --output .encrypt.d/master_key.gpg.tmp
  mv .encrypt.d/master_key.gpg.tmp .encrypt.d/master_key.gpg
  echo 'done'
fi

File deletion: hook-record.sh

BF:BFD[5.962] → [5.1987:2025]

BF:BFD[5.2025] → [5.2026:2026]

B:BD[5.2026] → [5.2027:4093]

#!/bin/sh
. .pijul/encrypt/scripts.sh
if ! sha256sum=$(command -v sha256sum) >/dev/null; then
  echo "$0 requires sha256sum" >&2
  false
fi
if [ ! -f .encrypt.d/master_key.gpg ]; then
  echo "No master key in repositry. Repositry not initialized for pijul-encrypt" >&2
  false
fi
encrypt() {
  path=$1
  $gpg --decrypt .encrypt.d/master_key.gpg |
    $gpg --batch --passphrase-fd 0 \
      --sign --encrypt --symmetric \
      $(printf -- "--recipient-file$IFS%s$IFS" .encrypt.d/recipient/*.asc) "$path"
}
decrypt() {
  path=$1
  $gpg --decrypt .encrypt.d/master_key.gpg |
    $gpg --batch --output - --passphrase-fd 0 \
      --decrypt "$path"
}
# globを展開、マッチするディレクトリの中身も全部マッチしたいのでfindを噛ませる
# shellcheck disable=SC2046
worktree_glob=$(find $(cat .encrypt) -type f -not -name '*.gpg')
: "↓debug worktree_glob↓
$worktree_glob"
# pijulが記録しているパスのうち`.encrypt`にマッチするもの
# shellcheck disable=SC2086
# shellcheck disable=SC2046
tracked_glob=$(printf '%s\n' $worktree_glob $(pijul list) | sort | uniq -d)
: "↓debug tracked_glob↓
$tracked_glob"
# shellcheck disable=SC2086
pijul remove $tracked_glob # 秘密のファイルはさっさと記録から除外
# pijulが記録しているパスのうち`*.gpg`にマッチするもの (pijul listが変わってるのでtracked_globとは重複しない)
gpg_tracked=$(pijul list | grep '\.gpg$' | sed 's/\.gpg$//')
: "↓debug gpg_tracked↓
$gpg_tracked"
# 秘密にしなければいけないファイルたち
will_be_encrypted="$tracked_glob
$gpg_tracked"
# 秘密のファイルに変更があれば暗号化し直す
for path in $will_be_encrypted; do
  if [ ! -f "$path" ]; then
    [ "$path" = ".encrypt.d/master_key" ] || pijul remove "$path.gpg"
  else
    if [ -f "$path.gpg" ] &&
      [ "$($sha256sum <"$path")" != "$(decrypt "$path.gpg" | $sha256sum)" ]; then
      rm "$path.gpg"
    fi
    if [ ! -e "$path.gpg" ]; then
      encrypt "$path"
    fi
    pijul add "$path.gpg"
  fi
done

File deletion: init.sh

BF:BFD[5.962] → [5.1113:1144]

BF:BFD[5.1144] → [5.1145:1145]

B:BD[5.1145] → [5.1146:1986]

#!/bin/sh
[ -d .pijul ] || {
  echo 'this directory does not seem to be Pijul repositry.' >&2
  false
}
. .pijul/encrypt/scripts.sh
if [ -f .encrypt.d/master_key.gpg ]; then
  echo 'pijul-encrypt already configured!'
  false
fi
recipients="$*"
[ "$recipients" ] || {
  echo 'Specify recipients fingerprints.'
  read -r recipients
}
(
  IFS=' '
  .pijul/encrypt/add-recipients.sh $recipients
)
echo 'generating master key...'
master_key=$($gpg --armor --gen-random 16 512)
echo "master key generated: $master_key"
printf %s "$master_key" | $gpg --batch --sign --encrypt \
  $(printf -- '--recipient-file\n%s\n' .encrypt.d/recipient/*.asc) \
  --output .encrypt.d/master_key.gpg
echo "Now add .pijul/encrypt/hook-record.sh to record hook.
edit .pijul/config as below:
\`\`\`
[hooks]
record = ['.pijul/encrypt/hook-record.sh']
\`\`\`
"

File deletion: scripts.sh
BF:BFD[5.962] → [5.964:998]
BF:BFD[5.998] → [5.999:999]
B:BD[5.999] → [5.1000:1112]
```
#!/bin/sh
set -e
IFS='
'
if ! gpg=$(command -v gpg2) >/dev/null; then
  echo "$0 requires gpg2" >&2
  false
fi
```
File deletion: .ignore
BF:BFD[4.1] → [5.4864:4895]
BF:BFD[5.4895] → [5.4896:4896]
B:BD[5.4896] → [5.4897:4911]
```
.git
.DS_Store
```
File deletion: .encrypt.d
BF:BFD[4.1] → [5.4912:4933]
BF:BFD[5.4933] → [5.4934:4934]
File deletion: master_key.gpg
BF:BFD[5.4934] → [5.6336:6381]
BF:BFD[5.6381] → [5.6382:6382]
B:BD[5.6382] → [5.6383:7330]
File deletion: recipient
BF:BFD[5.4934] → [5.4936:4956]
BF:BFD[5.4956] → [5.4957:4957]

File deletion: 709D50D8B911D7803BBEB84B49333C087767B9C1.asc

BF:BFD[5.4957] → [5.4959:5027]

BF:BFD[5.5027] → [5.5028:5028]

B:BD[5.5028] → [5.5029:6335]

File deletion: .encrypt
BF:BFD[4.1] → [5.7331:7363]
BF:BFD[5.7363] → [5.7364:7364]
B:BD[5.7364] → [6.122:133]
```
**/secret/*
```
File addition: secret (d--x------)
[2.1]

File addition: Lorem ipsum.txt (----------)

[0.18]

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

File addition: Hello World.txt (----------)
[0.18]
```
Hello World!
```
File addition: .encrypt.d (d--x------)
[2.1]
File addition: recipient (d--x------)
[0.585]

File addition: 709D50D8B911D7803BBEB84B49333C087767B9C1.asc (----------)

[0.608]

File addition: master_key.gpg (----------)
[0.585]
File addition: .encrypt (----------)
[2.1]
```
**/secret/*
```

File addition: Lorem ipsum.txt (----------)

[0.18]

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

File addition: Hello World.txt (----------)
[0.18]
```
Hello World!
```

File addition: 709D50D8B911D7803BBEB84B49333C087767B9C1.asc (----------)

[0.608]

File addition: master_key.gpg (----------)
[0.585]
File addition: .encrypt (----------)
[4.1]
```
**/secret/*
```

例を追加

Dependencies

In channels

Change contents

File deletion: hello

File deletion: secret

File deletion: world

File deletion: README.md

File deletion: .pijul

File deletion: encrypt

File deletion: add-recipients.sh

File deletion: hook-record.sh

File deletion: init.sh

File deletion: scripts.sh

File deletion: .ignore

File deletion: .encrypt.d

File deletion: master_key.gpg

File deletion: recipient

File deletion: 709D50D8B911D7803BBEB84B49333C087767B9C1.asc

File deletion: .encrypt

File addition: secret (d--x------)

File addition: Lorem ipsum.txt (----------)

File addition: Hello World.txt (----------)

File addition: .encrypt.d (d--x------)

File addition: recipient (d--x------)

File addition: 709D50D8B911D7803BBEB84B49333C087767B9C1.asc (----------)

File addition: master_key.gpg (----------)

File addition: .encrypt (----------)

File addition: Lorem ipsum.txt (----------)

File addition: Hello World.txt (----------)

File addition: 709D50D8B911D7803BBEB84B49333C087767B9C1.asc (----------)

File addition: master_key.gpg (----------)

File addition: .encrypt (----------)