Created
March 2, 2017 10:20
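#!/usr/bin/env bash
#
# Script to remove GPG key from git-crypt
#
# It will re-initialize git-crypt for the repository and re-add all keys except
# the one requested for removal.
#
# Note: You still need to change all your secrets to fully protect yourself.
# Removing a user will prevent them from reading future changes but they will
# still have a copy of the data up to the point of their removal.
#
# Use:
#  ./remove-gpg-user.sh [FULL_GPG_FINGERPRINT [FULL_GPG_FINGERPRINT]]
#
# E.g.:
#  ./remove-gpg-user.sh 3BC18383F838C0B815B961480F8CAF5467D ABCD8383F838C0B815B961480F8CAF5467D
#
# The script will create multiple commits to your repo. Feel free to squash them
# all down to one.
#
# Exit status: non-zero when no fingerprint is given or when any step fails.
#
# Based on https://github.com/AGWA/git-crypt/issues/47#issuecomment-212734882
#
#
# -e: abort on the first failing command, so a half-finished key rotation is
#     never pulled back into the repository.
# -x: trace every command to stderr.
set -ex

# Without a fingerprint there is nothing to remove. Print the usage text on
# stderr and exit non-zero so a wrapper or CI job cannot mistake the no-op for
# a completed removal.
if [ -z "$1" ]
then
  {
    echo " Use:"
    echo " ./remove-gpg-user.sh [FULL_GPG_FINGERPRINT]"
    echo ""
    echo " E.g.:"
    echo " ./remove-gpg-user.sh 3BC18383F838C0B815B961480F8CAF5467D"
  } >&2
  exit 1
fi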
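# Scratch directory for the working copy. It will hold an *unlocked* copy of
# the repository (plaintext secrets), so it is created with mktemp -d
# (unpredictable name, accessible only to the current user).
# NOTE: TMPDIR is also the conventional environment variable for temp-file
# locations; if it is already exported, child processes started below will see
# this new value. The name is kept because the rest of the script uses it.
TMPDIR=$(mktemp -d)

# Remove the plaintext copy on every exit path. Under `set -e` any failing
# step aborts the script, and without this trap the decrypted files would be
# left behind in the temp location. The trade-off is that the partially
# rebuilt copy is not kept for inspection after a failure.
trap 'rm -rf -- "${TMPDIR:?}"' EXIT

# Root of the repository being re-keyed.
CURRENT_DIR=$(git rev-parse --show-toplevel)

# The steps below copy `pwd`, enter $TMPDIR/$BASENAME and return with popd,
# so they only work when the current directory is the repository root.
# Move there explicitly instead of relying on the caller.
cd "$CURRENT_DIR"
BASENAME=$(basename "$CURRENT_DIR")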
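# Unlock the repository so the protected files are available to be copied
# back in and re-encrypted once git-crypt has been re-initialized.
git-crypt unlock

# Work on a copy. From here on the temp directory contains the unlocked
# working tree, i.e. plaintext secrets.
cp -rp -- "$(pwd)" "$TMPDIR"
pushd "$TMPDIR/$BASENAME"

# Remove encrypted files and git-crypt.
# encrypted-files keeps every `git-crypt status` line that is not reported as
# "not encrypted"; the path is taken from the second whitespace-separated
# field of each line.
# NOTE(review): paths containing whitespace are truncated by `awk '{print $2}'`
# and would not be handled correctly - confirm the repository has none.
git-crypt status | grep -v "not encrypted" > encrypted-files
awk '{print $2}' encrypted-files | xargs rm --
git commit -a -m "Remove encrypted files"

# Drop the old key material: the per-user encrypted keys tracked in
# .git-crypt and the local key state under .git/git-crypt.
git rm -rf .git-crypt
rm -rf .git/git-crypt

# Remove the pre-commit hook in the working copy before committing here.
rm -f .git/hooks/pre-commit
git status -v
git commit -m "Remove git-crypt"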
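# Re-initialize git-crypt in the working copy.
git-crypt init

# Re-add every existing GPG user except the ones requested for removal.
# Each key file in the original repository is named <fingerprint>.gpg; a user
# is skipped when one of the script arguments contains that fingerprint.
requested=("$@")
matched=()
for keyfilename in "$CURRENT_DIR"/.git-crypt/keys/default/0/*gpg; do
  # An unmatched glob stays literal; skip it instead of passing it on.
  [ -e "$keyfilename" ] || continue

  key_file=$(basename "$keyfilename")
  key=${key_file%.*}

  skip=0
  for idx in "${!requested[@]}"; do
    if [[ ${requested[$idx]} == *"$key"* ]]; then
      matched[$idx]=1
      skip=1
    fi
  done
  if [ "$skip" -eq 1 ]; then
    continue
  fi

  git-crypt add-gpg-user "$key"
done

# Fail closed: an argument that matched no key file (short key ID, typo,
# different letter case) means that user was re-added above and would keep
# access. Abort here, before anything is pulled into the original repository.
for idx in "${!requested[@]}"; do
  if [ -z "${matched[$idx]:-}" ]; then
    echo "error: no git-crypt key matches '${requested[$idx]}'; nothing was removed for it" >&2
    exit 1
  fi
done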
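# Copy the unlocked (plaintext) versions of the previously encrypted files
# from the original repository into the re-initialized working copy, keeping
# their relative paths (--parents).
cd "$CURRENT_DIR"
while IFS= read -r enc_path; do
  [ -n "$enc_path" ] || continue
  cp -rp --parents -- "$enc_path" "$TMPDIR/$BASENAME"
done < <(awk '{print $2}' "${TMPDIR}/${BASENAME}/encrypted-files")

# Stage them in the working copy and commit.
cd "$TMPDIR/$BASENAME"
while IFS= read -r enc_path; do
  [ -n "$enc_path" ] || continue
  git add -- "$enc_path"
done < <(awk '{print $2}' encrypted-files)
git commit -a -m "New encrypted files"
popd

# Back in the original repository: lock it, then bring in the commits made in
# the working copy.
git-crypt lock
git pull "$TMPDIR/$BASENAME"

# Delete the plaintext working copy as soon as it is no longer needed, before
# the hook copy below, so a missing pre-commit file cannot abort the script
# (set -e) with decrypted secrets still on disk. ${TMPDIR:?} refuses to run
# rm -rf on an empty path.
rm -rf -- "${TMPDIR:?}"

# Install the repository's pre-commit file as the local hook.
cp pre-commit .git/hooks/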