Document how to verify something is encrypted
The readme should encourage you to double check if something is encrypted after writing the .gitattributes file.
You can verify the filter is matching by doing:
git check-attr -a -- <path>
An easier method (assuming you don't have other gitattributes!) I have found is to make sure the hash of the plain file DOES NOT match the hash of the object in the tree:
# Make sure these hashes DO NOT MATCH
$ git hash-object secretfile
eedff305e146f749da4253aafc7340845a72cec7
$ cat secretfile | git hash-object --stdin
eedff305e146f749da4253aafc7340845a72cec7 ### YOUR GIT ATTRIBUTE DID NOT WORK, your file is not encrypted
If you encrypt the file successfully the hashes will not match:
$ git hash-object secretfile
1ced004ffd1578dd783ada1e6ffc8b7c41717800
$ cat secretfile | git hash-object --stdin
eedff305e146f749da4253aafc7340845a72cec7
Yes, please!
This is too transparent as is; I had no idea how to verify success without cloning the repository after push (of fake secrets at first).
I just discovered the git crypt status command!
That is super useful and deserves a mention in the readme as well. I am sure some users are going to want to manually verify files are encrypted, but git crypt status probably meets most needs.
Another helpful tidbit. I needed a scriptable method for determining whether a repository is currently locked or not.
I added a file called .is-encrypted to the .gitattributes file.
.is-encrypted just contains:
no
You can then easily script the encryption state:
When repo is unencrypted...
grep -vq 'no' .is-encrypted
echo $?
1
When repo is encrypted...
grep -vq 'no' .is-encrypted
echo $?
0
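Added here as a worked example, not code from the git-crypt project or from anyone in this thread: a POSIX shell script that turns the two manual checks discussed above into functions, the hash comparison from the first comment and the locked/unlocked probe from the last one. It assumes git is on PATH and relies on git-crypt ciphertext blobs starting with the 10-byte header `\0GITCRYPT\0` (the same marker `git crypt status` looks for). The file name `verify_gitcrypt.sh` and all function names are my own choices.

```shell
#!/bin/sh
# Added example for this issue thread; not git-crypt project code.
# It scripts two checks: (1) the clean filter from .gitattributes really changes
# the bytes git stores, and (2) the repo's current locked/unlocked state.
# Assumptions: git is on PATH, and a git-crypt ciphertext blob begins with the
# 10-byte header "\0GITCRYPT\0" (git-crypt status recognises files the same way).

# Hex form of the header \0GITCRYPT\0, as printed by `od -tx1`.
GITCRYPT_MAGIC_HEX='00474954435259505400'

# is_gitcrypt_stream: read stdin; succeed iff it starts with the git-crypt header.
# Useful on blobs pulled from the object store, e.g.
#   git cat-file blob HEAD:secretfile | is_gitcrypt_stream
is_gitcrypt_stream() {
    [ "$(head -c 10 | od -An -tx1 | tr -d ' \n')" = "$GITCRYPT_MAGIC_HEX" ]
}

# is_gitcrypt_file FILE: the same check on a file in the working tree.
# Returns 2 if FILE cannot be read.
is_gitcrypt_file() {
    [ -r "$1" ] || return 2
    is_gitcrypt_stream < "$1"
}

# filter_changes_content PATH: the check from the first comment, made scriptable.
# `git hash-object PATH` runs the clean filter chosen by .gitattributes, while
# --no-filters hashes the raw bytes. Equal hashes mean no filter (or a no-op one)
# applied, i.e. the file would be committed in plaintext. Returns 2 on git errors
# (for example when the repo is locked and the clean filter cannot run).
filter_changes_content() {
    filtered=$(git hash-object -- "$1") || return 2
    raw=$(git hash-object --no-filters -- "$1") || return 2
    [ "$filtered" != "$raw" ]
}

# committed_blob_encrypted PATH [REV]: is the blob actually stored for PATH at
# REV (default HEAD) git-crypt ciphertext? This reads the object store, so it
# gives the same answer whether or not the working tree is currently unlocked.
committed_blob_encrypted() {
    git cat-file blob "${2:-HEAD}:$1" 2>/dev/null | is_gitcrypt_stream
}

# repo_is_locked [SENTINEL]: the lock-state probe from the last comment, keyed on
# the header instead of on the absence of the word "no". SENTINEL defaults to the
# .is-encrypted file that comment describes.
repo_is_locked() {
    is_gitcrypt_file "${1:-.is-encrypted}"
}

# Stand-alone usage: sh verify_gitcrypt.sh PATH...  (reports on each path).
# With no arguments nothing runs, so the file can also be sourced for its functions.
for p in "$@"; do
    filter_changes_content "$p"
    case $? in
        0) echo "$p: clean filter changes the stored bytes" ;;
        1) echo "$p: WARNING: filter did not change the bytes; would be committed in plaintext" ;;
        *) echo "$p: git hash-object failed (locked repo, or not a path in this repo?)" ;;
    esac
    if committed_blob_encrypted "$p"; then
        echo "$p: committed blob at HEAD carries the git-crypt header"
    else
        echo "$p: committed blob at HEAD is not git-crypt ciphertext (or not committed yet)"
    fi
done
```

Checking the committed blob with `git cat-file` rather than the working-tree file is what makes this usable without cloning after a push: the object store holds exactly what will be pushed, and the header check does not depend on whether the working tree is unlocked at the time.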