Merge branch 'main' into alternative-enhancement

# By Adrian Dimitrov (1) and James Murty (1) # Via GitHub * main: Use core attributesFile from worktree (elasticdog#137) Document `xxd` requirement, and make optional with OpenSSL < 3 (elasticdog#138) # Conflicts: # transcrypt
Erotemic · Jun 27, 2022 · c77f489 · c77f489
2 parents 28b7581 + 3041bc7
commit c77f489
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -41,7 +41,7 @@ The format is based on [Keep a Changelog][1], and this project adheres to
 ### Fixed
 
 - Remain compatible with OpenSSL versions 3 and above which changes the way
-  explicit salt values are expressed in ciphertext (#133)
+  explicit salt values are expressed in ciphertext, requires `xxd` command (#133)
 - Ensure Git index is up-to-date before checking for dirty repo, to avoid
   failures seen in CI systems where the repo seems dirty when it isn't. (#37)
 - Respect Git `core.hooksPath` setting when installing the pre-commit hook. (#104)

diff --git a/INSTALL.md b/INSTALL.md
@@ -5,6 +5,13 @@ The requirements to run transcrypt are minimal:
 - Bash
 - Git
 - OpenSSL
+- `column` command (on Ubuntu/Debian install `bsdmainutils`)
+- `xxd` command if using OpenSSL version 3
+  (on Ubuntu/Debian is included with `vim`)
+
+...and optionally:
+
+- GnuPG - for secure configuration import/export
 
 You also need access to the _transcrypt_ script itself...
 

diff --git a/README.md b/README.md
@@ -56,6 +56,8 @@ The requirements to run transcrypt are minimal:
 - Git
 - OpenSSL
 - `column` command (on Ubuntu/Debian install `bsdmainutils`)
+- `xxd` command if using OpenSSL version 3
+  (on Ubuntu/Debian is included with `vim`)
 
 ...and optionally:
 

diff --git a/transcrypt b/transcrypt
@@ -73,16 +73,21 @@ realpath() {
 
 _openssl_encrypt() {
 	# In 3.x openssl disabled output of the salt prefix, which we need for determinism.
-	# We take control over outputting the the prefix 'Salted__' with the salt
+	# For 3.x we take control over outputting the the prefix 'Salted__' with the salt
 	# to ensure it is always included regardless of the OpenSSL version. #133
-	(
-		# Always prepend encrypted ciphertext with "Salted__" prefix and binary salt value
-		printf "Salted__" && printf "%s" "$final_salt" | xxd -r -p &&
-			# Encrypt file to binary ciphertext
-			ENC_PASS=$password "$openssl_path" enc -e "-${cipher}" -md "${digest}" -pass env:ENC_PASS -S "$final_salt" "${pbkdf2_args[@]}" -in "$tempfile" |
-			# Strip "Salted__" prefix and salt value if also added by OpenSSL (version < 3)
-			LC_ALL=C sed -e "s/^\(Salted__.\{8\}\)\(.*\)/\2/"
-	) | base64
+	openssl_major_version=$($openssl_path version | cut -d' ' -f2 | cut -d'.' -f1)
+	if [ "$openssl_major_version" -ge "3" ]; then
+		# Encrypt the file to base64, ensuring it includes the prefix 'Salted__' with the salt. #133
+		(
+			printf "Salted__" && printf "%s" "$final_salt" | xxd -r -p &&
+				# Encrypt file to binary ciphertext
+				ENC_PASS=$password "$openssl_path" enc -e "-${cipher}" -md "${digest}" -pass env:ENC_PASS -S "$final_salt" "${pbkdf2_args[@]}" -in "$tempfile"
+		) |
+			base64
+	else
+		# Encrypt file to base64 ciphertext
+		ENC_PASS=$password "$openssl_path" enc -e -a "-${cipher}" -md "${digest}" -pass env:ENC_PASS -S "$final_salt" "${pbkdf2_args[@]}" -in "$tempfile"
+	fi
 }
 
 _openssl_decrypt() {
@@ -295,7 +300,7 @@ gather_repo_metadata() {
 
 	# the current git repository's gitattributes file
 	local CORE_ATTRIBUTES
-	CORE_ATTRIBUTES=$(git config --get --local --path core.attributesFile 2>/dev/null || printf '')
+	CORE_ATTRIBUTES=$(git config --get --local --path core.attributesFile 2>/dev/null || git config --get --path core.attributesFile 2>/dev/null || printf '')
 	if [[ $CORE_ATTRIBUTES ]]; then
 		readonly GIT_ATTRIBUTES=$CORE_ATTRIBUTES
 	elif [[ $IS_BARE == 'true' ]] || [[ $IS_VCSH == 'true' ]]; then
@@ -530,6 +535,12 @@ run_safety_checks() {
 	for cmd in {column,grep,mktemp,"${openssl_path}",sed,tee}; do
 		command -v "$cmd" >/dev/null || die 'required command "%s" was not found' "$cmd"
 	done
+	# check for extra `xxd` dependency when running against OpenSSL version 3+
+	openssl_major_version=$($openssl_path version | cut -d' ' -f2 | cut -d'.' -f1)
+	if [ "$openssl_major_version" -ge "3" ]; then
+		cmd="xxd"
+		command -v "$cmd" >/dev/null || die 'required command "%s" was not found' "$cmd"
+	fi
 
 	# ensure the repository is clean (if it has a HEAD revision) so we can force
 	# checkout files without the destruction of uncommitted changes