AGWA / git-crypt

Transparent file encryption in git
https://www.agwa.name/projects/git-crypt/
GNU General Public License v3.0

Git-crypt unlock fails when run on Jenkins box #159

Closed gilmoregrills closed 5 years ago

gilmoregrills commented 5 years ago

Hi there! I know there are several issues that involve these errors, but I've tried to use the advice listed in all of them and nothing works so far.

We have a repository with a directory named "test". Inside it there are five files encrypted with git-crypt. We're able to use git-crypt with them on our local machines, and our Jenkins server is able to run git-crypt unlock after it fetches the repo without any problems.

Now, I want to add a folder named "dev" with five new files that need encryption. These files all have the same names as the original five so the .gitattributes file shouldn't need updating. However, when I add these and commit them, trying to git clone and git-crypt unlock on the Jenkins box fails with the following error:

stderr: git-crypt: error: encrypted file has been tampered with!
error: external filter '"/usr/bin/git-crypt" smudge' failed 1
error: external filter '"/usr/bin/git-crypt" smudge' failed
fatal: dev/dev/id_rsa: smudge filter git-crypt failed

The steps I've used to add files to the repository from my local machine are as follows:

1. git clone <repo name>
2. Add the files either by copying the whole dev/ directory or creating/copying in the contents
3. git add -A
4. git-crypt status to check they're in the encrypted list
5. git commit -m "blah blah"
6. git push

I can then see the files are encrypted in Github, all looks fine.

Then all the Jenkins box tries to do is check out my branch with the new directory in, and try to run git-crypt unlock.

I've tried touching the files again and recommitting, deleting and re-cloning the repo to my local, using git-crypt status -f all over the place, and giving Jenkins a new gpg key to use. What could still be happening?

Love the tool! Just wondering what I'm doing wrong with it. Excuse the wall of text.

gilmoregrills commented 5 years ago

Quick update: git-crypt unlock is only failing on one build job, and that build job uses the exact same pipeline file as another build job - just with different environment variables o_O

gilmoregrills commented 5 years ago

Final update: It turned out the Jenkins box had some files hanging around in /var/jenkins_home/workspace/<folder>/<new dev folder>/<job> that got picked up by the filters git-crypt uses. So it was a false alarm all along!
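A workspace check that could run before git-crypt unlock to catch the kind of leftover files described in the final comment. This is an added example, not code from the issue thread or from the git-crypt project. The function names, the file names in demo() and the "old-job" directory are constructed for illustration; the 10-byte header is the marker git-crypt writes at the start of every encrypted file.

```python
import os
import subprocess
import tempfile

# Header git-crypt puts in front of the nonce and ciphertext of an encrypted file.
GITCRYPT_MAGIC = b"\x00GITCRYPT\x00"

def is_gitcrypt_blob(path):
    """True if the file on disk still starts with the git-crypt header."""
    with open(path, "rb") as fh:
        return fh.read(len(GITCRYPT_MAGIC)) == GITCRYPT_MAGIC

def tracked_files(root):
    """Tracked paths of a real checkout (needs git; not used by demo())."""
    out = subprocess.run(["git", "-C", root, "ls-files", "-z"],
                         check=True, capture_output=True).stdout
    return {p.decode() for p in out.split(b"\0") if p}

def audit_workspace(root, tracked):
    """Return (leftovers, state). leftovers: files on disk that git does not
    track. state: tracked path -> 'ciphertext', 'plaintext' or 'missing'."""
    leftovers, state = [], {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git metadata
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in tracked:
                state[rel] = "ciphertext" if is_gitcrypt_blob(full) else "plaintext"
            else:
                leftovers.append(rel)
    for rel in tracked - set(state):
        state[rel] = "missing"
    return sorted(leftovers), state

def demo():
    """Constructed workspace: two locked files, one README, one stale leftover."""
    files = {
        "test/id_rsa": GITCRYPT_MAGIC + b"\x11" * 12 + b"constructed-ciphertext",
        "dev/id_rsa": GITCRYPT_MAGIC + b"\x22" * 12 + b"constructed-ciphertext",
        "dev/old-job/id_rsa": b"left behind by an earlier build\n",  # hypothetical
        "README.md": b"# constructed example\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        tracked = {"test/id_rsa", "dev/id_rsa", "dev/known_hosts", "README.md"}
        return audit_workspace(root, tracked)
```

In a Jenkins job, pass tracked_files(workspace) as the second argument and fail the build, or wipe the workspace, when the leftovers list is not empty.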