Changeset - 5c11eb05a67d
Branko Majic (branko) - 4 years ago 2020-06-29 04:17:35
branko@majic.rs
Added SHA-256 checksum sidecar files for decrypted content. They are used to detect whether a decrypted file has changed since it was last decrypted or encrypted, so unchanged files can be skipped on encrypt and locally modified files are not overwritten on decrypt.
1 file changed with 27 insertions and 6 deletions:
openpgp/gitprotect.sh
 
@@ -276,9 +276,20 @@ elif [[ $command = "encrypt" ]]; then
 
    # Encrypt every file from the decrypted sub-directory.
 
    while read filePath; do
 
        filename=$(basename "$filePath")
 
        cat "$filePath" | gpg2 --trust-model always --batch --homedir "$gnupgHome" \
 
            --armor "${recipients[@]}" --encrypt > "$(unknown).gpg"
 
    done < <(find "decrypted/" -maxdepth 1 -type f)
 
        checksumFile="decrypted/.$(unknown).sha256"
 

	
 
        # If the checksum file exists, then verify it. This way we detect if
 
        # decrypted file has been changed in any way since it has been
 
        # decrypted. We should skip unchanged files.
 
        if [[ -f $checksumFile ]] && sha256sum --quiet -c "$checksumFile" > /dev/null 2>&1; then
 
            echo "INFO: File decrypted/$filename doesn't seem to have been changed. Skipping."
 
        # The file was changed, so we need to encrypt new version of it.
 
        else
 
            cat "$filePath" | gpg2 --trust-model always --batch --homedir "$gnupgHome" \
 
                --armor "${recipients[@]}" --encrypt > "$(unknown).gpg"
 
            sha256sum "decrypted/$filename" > "decrypted/.$(unknown).sha256"
 
        fi
 
    done < <(find "decrypted/" -maxdepth 1 -type f ! -name '.*.sha256')
 
elif [[ $command = "decrypt" ]]; then
 
    gitprotectConfigured || exit "$ERR_NOCONFIG"
 

	
 
@@ -288,11 +299,21 @@ elif [[ $command = "decrypt" ]]; then
 
    # Process each GnuPG-encrypted file.
 
    while read filePath; do
 
        filename=$(basename "$filePath" ".gpg")
 

	
 
        # Remove the "decrypted" file if decryption had failed.
 
        if ! gpg2 --quiet --decrypt "$filePath" > "decrypted/$filename"; then
 
        checksumFile="decrypted/.$(unknown).sha256"
 

	
 
        # If the checksum file exists, and it does not match, the destination
 
        # file has been modified, so refuse to overwrite it.
 
        if [[ -f $checksumFile ]] && ! sha256sum --quiet -c "$checksumFile" > /dev/null 2>&1; then
 
            echo "ERROR: Current decrypted file 'decrypted/$filename' seems to have been modified since it was last decrypted."
 
        # Decrypt the file. If decryption has failed, we've ended-up with empty
 
        # file we need to remove.
 
        elif ! gpg2 --quiet --decrypt "$filePath" > "decrypted/$filename"; then
 
            echo "ERROR: Failed to decrypt file '$filePath'. No private key available." >&2
 
            rm "decrypted/$filename"
 
        # Create a new checksum file for checking if file had been changed by
 
        # user or not.
 
        else
 
            sha256sum "decrypted/$filename" > "decrypted/.$(unknown).sha256"
 
        fi
 
    done < <(find . -maxdepth 1 -name '*.gpg')
 
else
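Review bot: The skip decision in the encrypt hunk, `if [[ -f $checksumFile ]] && sha256sum --quiet -c "$checksumFile" > /dev/null 2>&1; then`, looks only at the plaintext's own checksum, so an unchanged decrypted file is never re-encrypted even when its encrypted output is missing or when the recipient set passed via `"${recipients[@]}"` has changed since the last run; a newly added (or removed) recipient would thus silently not be reflected in any file the user did not edit until the sidecar `.sha256` is deleted by hand. At minimum the condition should also require the ciphertext to exist, e.g. `if [[ -f $checksumFile && -f "${filename}.gpg" ]] && sha256sum --quiet -c "$checksumFile" > /dev/null 2>&1; then` (the output path is rendered here as `"$(unknown).gpg"`, presumably `"${filename}.gpg"` in the real source), and the `INFO:` skip message should state that the checksum sidecar is what suppressed re-encryption so users know how to force it. How `recipients` is populated is outside this hunk, so I cannot tell whether it can change between runs; if it can, folding the recipient list into the checksum file or adding a force option would close that gap. The `encrypt` branch of the `elif` chain begins before the first hunk, and the `decrypt` branch's surrounding code is likewise partly outside the second hunk.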