Loving git. Loving git-crypt.
Once upon a time, there was a repo protected with git-crypt and a group of coders working on said repo. Somehow, let's blame aliens, a file was committed in un-encrypted form.
The error was caught early and no harm was done, but this leads me to my question:
In a semi-centralized setup (gitlab, one trusted repo...) where you control the server (thus excluding github), what protections do you use if any to make sure that a secrets file does not get committed in unencrypted form?
As you can see in git-crypt issue 104, there is a warning when attempting to decrypt a file which was actually not encrypted:

```
git-crypt: Warning: file not encrypted
```
That comes from the smudge() function which reads the first characters of a file:

```cpp
// Read the header to get the nonce and make sure it's actually encrypted
unsigned char header[10 + Aes_ctr_decryptor::NONCE_LEN];
std::cin.read(reinterpret_cast<char*>(header), sizeof(header));
if (std::cin.gcount() != sizeof(header) || std::memcmp(header, "\0GITCRYPT\0", 10) != 0) {
```
That means you can write a pre-receive hook which will unpack the pushed files and read the first NONCE (12) characters to check if the file starts with "\0GITCRYPT\0".
If one of those pushed files does not (and is one of the files referenced by the .gitattributes file), then return 1: the push will be rejected.
The point is: a server-side hook (since you control the server side) is the surest way to enforce a policy (like, here, encrypted files only).
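The hook the answer describes, written out as an added example (this is not git-crypt's own code and not the answerer's): a `pre-receive` script in Python that walks every commit a push would make reachable, reads that commit's `.gitattributes`, and rejects the push if any added or modified file marked `filter=git-crypt` does not begin with the same 22-byte header that smudge() checks (the magic `\0GITCRYPT\0` followed by a 12-byte nonce). Assumptions: Python 3 and git are on the server, the hook is installed as `hooks/pre-receive` in the bare repo, and `.gitattributes` matching is simplified to fnmatch on the path and its basename rather than full gitattributes semantics.

```python
#!/usr/bin/env python3
# pre-receive hook (example, not git-crypt's own code): refuse pushes that
# introduce a git-crypt-managed file whose blob lacks the git-crypt header.
import fnmatch
import subprocess
import sys

GITCRYPT_MAGIC = b"\0GITCRYPT\0"   # the 10-byte magic that smudge() compares against
NONCE_LEN = 12                      # Aes_ctr_decryptor::NONCE_LEN
HEADER_LEN = len(GITCRYPT_MAGIC) + NONCE_LEN   # 22 bytes, as read by smudge()


def is_gitcrypt_encrypted(blob):
    """Same test as smudge(): a complete header that starts with the magic."""
    return len(blob) >= HEADER_LEN and blob[:len(GITCRYPT_MAGIC)] == GITCRYPT_MAGIC


def gitcrypt_patterns(gitattributes_text):
    """Path patterns whose .gitattributes line carries filter=git-crypt."""
    patterns = []
    for line in gitattributes_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        if "filter=git-crypt" in fields[1:]:
            patterns.append(fields[0])
    return patterns


def is_managed(path, patterns):
    """Simplified gitattributes matching: fnmatch on the full path or its basename."""
    name = path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(path, p) or fnmatch.fnmatch(name, p) for p in patterns)


def run_git(*args):
    return subprocess.run(["git", *args], check=True, capture_output=True).stdout


def plaintext_managed_files(commit, git=run_git):
    """Paths added or modified in `commit` that are marked for git-crypt but not encrypted."""
    try:
        attrs = git("cat-file", "blob", commit + ":.gitattributes").decode()
    except subprocess.CalledProcessError:
        return []                      # no .gitattributes in this tree: nothing is managed
    patterns = gitcrypt_patterns(attrs)
    if not patterns:
        return []
    changed = git("diff-tree", "--root", "-r", "--no-commit-id",
                  "--name-only", "--diff-filter=AM", "-z", commit)
    bad = []
    for path in filter(None, changed.decode().split("\0")):
        if is_managed(path, patterns):
            blob = git("cat-file", "blob", commit + ":" + path)
            if not is_gitcrypt_encrypted(blob):
                bad.append(path)
    return bad


def main():
    # pre-receive reads "<old> <new> <ref>" lines on stdin. Every commit reachable from
    # a pushed tip but from no existing ref is new to the repo and must be checked,
    # otherwise a plaintext secret in an intermediate commit would still enter history.
    new_tips = [line.split()[1] for line in sys.stdin if line.strip()]
    new_tips = [t for t in new_tips if set(t) != {"0"}]   # all-zero new sha = ref deletion
    if not new_tips:
        return 0
    commits = run_git("rev-list", *new_tips, "--not", "--all").decode().split()
    failed = False
    for commit in commits:
        for path in plaintext_managed_files(commit):
            print(f"rejected: {path} in {commit[:12]} is marked filter=git-crypt "
                  "but is not encrypted", file=sys.stderr)
            failed = True
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main())
```

The `git` argument on `plaintext_managed_files` exists so the logic can be exercised against a fake command runner without a repository; in production the default `run_git` is used. A non-zero exit from `pre-receive` makes the server reject the whole push, which is what turns this from a warning into the policy the answer is after.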