3

I've been trying really hard to remove a file with sensitive data from my git repository using this excellent page (among others): http://help.github.com/removing-sensitive-data/

The primary line being:

git filter-branch --index-filter 'git rm --cached \
    --ignore-unmatch FileWithSecrets.java' HEAD

However, even when I follow the instructions, including the pruning and garbage collection of objects, the fact that I've rewritten the history does not seem to remove the file completely.

The point being I can still find the file's contents using git grep: git grep $(git rev-list --all)

....and it still shows up.

Am I missing something obvious or non-obvious? Why can I still "git grep" the contents?

I do see that the file is no longer in the changeset when I do a "git show" of the commit where it got added. But even so I can still grep it - like it's been removed from the branch history but is still floating out there?

Git is fun, cool and amazing but really can shake one's self-confidence :)

thanks!! Brendan

miku
Brendan

1 Answer

4

I didn't try this, but since the last argument to git filter-branch is defined as [--] [<rev-list options>...] and you're getting the sensitive info from the revs in git rev-list --all, this should work:

git filter-branch --index-filter 'git rm --cached \
--ignore-unmatch FileWithSecrets.java' -- --all
                                       ^^^^^^^^
al.
  • Yup, providing HEAD as the argument as the OP did means that only HEAD is rewritten - not even the branch HEAD is pointing to! – Cascabel Aug 31 '10 at 12:59
  • Thanks so much for the answers - pointing out both the HEAD mistake and the --all argument. I did try the new command+cleanup and it still did not remove the file from "git grep" results. I'm wondering if the problem might have something to do with the fact that I have tagged several commits with "git tag" and those are being treated as separate branches. I tried checking each of these out individually and running the above filter-branch, but I can still grep the 'secret string'. I did try seeing if I could reproduce with a simple repo, but the commands work. – Brendan Sep 02 '10 at 15:25
  • @Brendan http://www.kernel.org/pub/software/scm/git/docs/git-filter-branch.html#_checklist_for_shrinking_a_repository implies that you should add `--tag-name-filter cat` to the filter-branch options. – Max Nanasy Jan 30 '13 at 22:41
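
A way to check the whole procedure discussed in this thread end to end, as an added example that is not part of the original posts: it builds a constructed throwaway repository (the branch names, tag and secret string are made up), applies the answer's `-- --all` rewrite together with the `--tag-name-filter cat` option from the last comment, runs the usual backup-ref, reflog and gc cleanup, and repeats the asker's `git grep` check at each stage.

```shell
#!/bin/sh
# Added example on a constructed throwaway repo; the secret string is made up.
export FILTER_BRANCH_SQUELCH_WARNING=1
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Secret lands in the first commit; a tag and a second branch also reach it.
make_repo() {
    cd "$(mktemp -d)" || return 1
    git init -q . && git symbolic-ref HEAD refs/heads/main
    echo 'String pw = "CONSTRUCTED-SECRET";' > FileWithSecrets.java
    echo 'class App {}' > App.java
    git add . && git commit -q -m 'add app and secret'
    git tag -a v1.0 -m 'release' && git branch feature
    echo '// more work' >> App.java && git commit -q -am 'more work'
    SECRET_BLOB=$(git rev-parse HEAD:FileWithSecrets.java)
}

# The asker's check: commits reachable from any ref whose tree matches.
count_hits() {
    git grep -l 'CONSTRUCTED-SECRET' $(git rev-list --all) | wc -l | tr -d ' '
}

# Rewrite every branch and tag, not only HEAD.
rewrite_all() {
    git filter-branch --index-filter \
        'git rm --cached --ignore-unmatch FileWithSecrets.java' \
        --tag-name-filter cat -- --all >/dev/null 2>&1
}

# Drop filter-branch's backup refs and reflogs, then prune unreachable objects.
cleanup() {
    git for-each-ref --format='%(refname)' refs/original |
        xargs -n 1 git update-ref -d
    git reflog expire --expire=now --all
    git gc -q --prune=now
}

# True while the secret's blob is still in the object store.
blob_present() { git cat-file -e "$SECRET_BLOB" 2>/dev/null; }

make_repo
echo "before rewrite:      $(count_hits) commits match"
rewrite_all
echo "after filter-branch: $(count_hits) commits match (via refs/original)"
cleanup
echo "after cleanup:       $(count_hits) commits match"
blob_present && echo "blob still stored" || echo "blob pruned"
```

`git rev-list --all` walks every ref under `refs/`, including the `refs/original/` backups that filter-branch writes, so `count_hits` keeps matching until `cleanup` has run. `blob_present` checks the object store directly rather than reachable history.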