Is there a way to check if a GPG file is encrypted in a git hook?

I have a git repository that tracks a couple of configuration files. One of the configuration files is plain text, and the other is encrypted gpg. They are called such.

  • myconfig.yaml
  • myconfig.yaml.gpg

I would like to create a server-side hook in git to ensure that no version of any file ending with .gpg will be transferred as plaintext.

I think it would be nice to have a hook on the client side and a hook on the server side so that the developer cannot make a bunch of changes, and then get stuck trying to push them, because the history of the gpg file contains unencrypted data.

I cannot simply encrypt / decrypt gpg files during commit / clone, because some people do not need to have access to decrypt the file.

I am not sure how to complete the task of ensuring that only encrypted data is included in all versions of .gpg files. Any ideas?

1 answer

You can use the file command to check the file and automatically determine what type it is. For instance:

    $ file foo.gpg
    foo.gpg: GPG encrypted data
    $ file foo
    foo: ASCII text

You can match this with a hook. Sort of:

    case "$filename" in
        *.gpg)
            if [ "$(file -b "$filename")" != "GPG encrypted data" ]; then
                echo "Error: $filename should be encrypted but isn't" >&2
                exit 1
            fi
            ;;
    esac

For a client-side hook, you can use the pre-commit hook with git diff --cached --name-only to get a list of names to check.

Server-side is more complicated. I think you can hook into pre-receive, check out the proposed refs to a temporary location, check them (perhaps using git diff --name-only HEAD^ to get the list of files changed), and then reject the update from there if it violates your requirements.

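As an added example (not code from the answer above or from git itself), here is the sketch fleshed out into one script that works as both the client-side pre-commit hook and the server-side pre-receive hook, selecting its mode from its own file name. It assumes the question's layout (files whose names end in .gpg must always hold encrypted data). Rather than comparing the exact string that `file -b` prints, which differs between `file` versions ("GPG encrypted data", "PGP message", ...), it checks the OpenPGP framing itself: ASCII armor starts with "-----BEGIN PGP MESSAGE-----", and a binary message starts with a public-key or symmetric-key encrypted session key packet (RFC 4880 tags 1 and 3). Function names and the error wording are my own.

```shell
#!/bin/sh
# Added example: install as .git/hooks/pre-commit (client) or as
# hooks/pre-receive in the bare server repository. Every *.gpg blob that is
# about to enter history must carry OpenPGP encrypted-message framing.

# looks_encrypted FILE: exit 0 if FILE starts like an OpenPGP encrypted message.
# Accepts ASCII armor or a binary message whose first packet is a public-key
# (tag 1) or symmetric-key (tag 3) encrypted session key: old-format tag bytes
# 0x84-0x87 / 0x8c-0x8f, new-format 0xc1 / 0xc3. Clearsigned text is rejected.
looks_encrypted() {
    f=$1
    [ -s "$f" ] || return 1                          # missing or empty: reject
    case "$(head -c 27 "$f" | tr -d '\000')" in
        '-----BEGIN PGP MESSAGE-----') return 0 ;;   # armored (gpg --armor)
    esac
    byte=$(od -An -tx1 -N1 "$f" | tr -d ' \n' | tr 'A-F' 'a-f')
    case $byte in
        84|85|86|87|c1|8c|8d|8e|8f|c3) return 0 ;;
    esac
    return 1
}

# check_gpg_files PATH...: report every *.gpg argument that fails
# looks_encrypted; exit 1 if any did, 0 otherwise. Other paths are ignored.
check_gpg_files() {
    rc=0
    for p in "$@"; do
        case $p in
            *.gpg)
                if ! looks_encrypted "$p"; then
                    echo "Error: $p should be encrypted but isn't" >&2
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# check_blob_as NAME: write a blob from stdin under NAME in a temp tree and
# check it there, so the error message shows the repository path.
check_blob_as() {
    p=$1
    mkdir -p "$tmp/$(dirname "$p")" &&
    cat > "$tmp/$p" &&
    (cd "$tmp" && check_gpg_files "$p")
}

hook=$(basename "$0")
if [ "$hook" = pre-commit ] || [ "$hook" = pre-receive ]; then
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
fi

if [ "$hook" = pre-commit ]; then
    # Client side: check the staged blob from the index (git show :path), not
    # the working tree, so a plaintext blob staged next to an encrypted file on
    # disk is still caught. ACMR also covers renamed and copied files.
    git diff --cached --name-only --diff-filter=ACMR |
    while IFS= read -r p; do
        case $p in *.gpg) ;; *) continue ;; esac
        git show ":$p" | check_blob_as "$p" || exit 1
    done || exit 1
elif [ "$hook" = pre-receive ]; then
    # Server side: for each pushed ref, inspect every commit not yet reachable
    # from an existing ref, so plaintext in an intermediate commit of the
    # pushed history is rejected too, not only the tip.
    zero=0000000000000000000000000000000000000000
    while read -r old new ref; do
        [ "$new" = "$zero" ] && continue              # ref deletion
        git rev-list "$new" --not --all |
        while read -r commit; do
            git diff-tree -m -r --no-commit-id --name-only --diff-filter=ACMR "$commit" |
            while IFS= read -r p; do
                case $p in *.gpg) ;; *) continue ;; esac
                git cat-file blob "$commit:$p" | check_blob_as "$p" ||
                    { echo "rejected: $ref at commit $commit" >&2; exit 1; }
            done || exit 1
        done || exit 1
    done
fi
```

The framing check is a cheap sanity check, not proof of encryption: a plaintext file that happens to begin with a byte such as 0xc3 (the first byte of many UTF-8 characters) would slip through, and nothing here verifies that the message was encrypted to the intended keys. Where gpg is available on the server, piping the blob through `gpg --list-packets` and requiring an encrypted session key packet is a stricter alternative; combining that with the `file` check from the answer is reasonable too. Each `|| exit 1` matters because every `while` fed by a pipe runs in a subshell, so a failure inside the loop has to be propagated out explicitly.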