5

Loving git. Loving git-crypt.

Once upon a time, there was a repo protected with git-crypt and a group of coders working on said repo. Somehow, let's blame aliens, a file was committed in un-encrypted form.

The error was caught early and no harm was done, but this leads me to my question:

In a semi-centralized setup (gitlab, one trusted repo...) where you control the server (thus excluding github), what protections do you use if any to make sure that a secrets file does not get committed in unencrypted form?

Jeff Welling
  • 1,625
  • 2
  • 13
  • 17

1 Answers1

3

As you can see in git-crypt issue 104, there is a warning when attempt to decrypt a file which was actually not encrypted:

git-crypt: Warning: file not encrypted

That comes from the smudge() function which reads the first characters of a file:

// Read the header to get the nonce and make sure it's actually encrypted
unsigned char       header[10 + Aes_ctr_decryptor::NONCE_LEN];
std::cin.read(reinterpret_cast<char*>(header), sizeof(header));
if (std::cin.gcount() != sizeof(header) || std::memcmp(header, "\0GITCRYPT\0", 10) != 0) {

That means you can write a pre-receive hook which will unpack the pushed files and read the first NONCE (12) characters to check if the file starts with "\0GITCRYPT\0".

If one of those pushed files does not (and is one of the files referenced by the .gitattributes file), then return 1: the push will be rejected.

The point is: a server-side hook (since you control the server side) is the surest way to enforce a policy (like, here, encrypted files only)

VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250