Closed jwatt closed 3 years ago
Hi @jwatt this is something we have discussed before in and around this comment: https://github.com/elasticdog/transcrypt/issues/55#issuecomment-637094456. So far we have decided against making the OpenSSL binary path configurable, though like you I would enjoy being able to customise the OpenSSL version used on MacOS.

I'm not familiar with `yadm` (Yet Another Dotfiles Manager). This seems to be the relevant section on using `yadm` with transcrypt, though the only mention of the `yadm.openssl-program` option I found is here.

Can you talk more about how `yadm` could, or should, relay settings like `yadm.openssl-program` through to programs it invokes? If it does something relatively simple, we might be able to work from that to come up with a clean way to set a custom OpenSSL path both with and without using `yadm`.
Hi @jmurty. Thanks for the reply and link to the previous discussion.

Note that I'm just a casual user of yadm. That said, it seems like yadm is essentially a git wrapper that at its core invokes `git --git-dir=~/.local/share/yadm/repo.git --work-tree=~ <other args passed to yadm>` (plus other niceties).

yadm, like transcrypt, is just a single-file shell script. I had expected that `yadm` invokes `transcrypt` frequently, passing command line arguments, and therefore the obvious mechanism for yadm to communicate the openssl path with transcrypt would be for it to pass the openssl path using a new `transcrypt` command line argument. It looks like I was mistaken in my assumptions about how things work though, and actually once transcrypt is set up yadm plays no direct part in the encryption/decryption or invoking transcrypt code.

Besides that, on reflection it probably wouldn't make sense to tell yadm about the openssl path if it's just passing on the args to transcrypt.

Ignoring yadm for the moment, presumably if transcrypt were to add support for specifying an openssl path it would store it in a `[transcrypt]` section of the user's `$XDG_CONFIG_HOME/git/config` / `~/.gitconfig`. (Or else in a new `~/.config/transcrypt/config` -- yadm stores the path in `~/.config/yadm/config`, but it's more a git wrapper than a git integration.) So maybe it would make sense to add a `transcrypt config` command to allow users to specify an openssl path globally for their user for transcrypt. In that case there would be no need for yadm to coordinate with transcrypt on the openssl path at all.

As you pointed out in https://github.com/elasticdog/transcrypt/issues/55#issuecomment-774470172, storing the path in the user's `$XDG_CONFIG_HOME/git/config` or `~/.gitconfig` doesn't seem like a good idea. Many people synchronize their `~/.gitconfig` and other dotfiles across multiple machines, and the `openssl` path will likely vary from machine to machine.

Perhaps storing the path in the per-repo `.git/config`, or else allowing it to be communicated via an environment variable (`.bashrc`s etc. can have per-machine conditional `if-else` blocks), would be better.
Hi @jwatt in #111 I have taken a first pass at implementing an `--openssl-path` argument option to set the OpenSSL binary version transcrypt will use. This setting is stored in the local Git config `transcrypt.openssl-path` and defaults to `'openssl'` (i.e. by default it will use the first `openssl` binary found on the user's `$PATH`).

You can use the `--upgrade` operation to update the path in a pre-configured repo, like so:

```sh
./transcrypt --upgrade --yes --openssl-path=/usr/local/opt/openssl@1.1/bin/openssl
```

Can you try this and see if it works for you? Be warned that I have only done initial testing.
Hi @jwatt I think the recently-merged `--set-openssl-path` feature in dce1ad0dc41d3fb5eb754e5e135761910f275968 should let users set a custom path to OpenSSL.

For macOS users with newer, better versions of OpenSSL installed with Homebrew, a command like the following will tell transcrypt to use that version instead of the one included with macOS:

```sh
transcrypt --openssl-path=/usr/local/opt/openssl@1.1/bin/openssl
```

This implementation saves a `transcrypt.openssl-path` config setting in the local repository, which means it must be re-run for every repo, but because it relies on a standard Git setting you could work around this by setting `git config --global transcrypt.openssl-path` manually if/when you know it's safe to do this for your particular setup.

Can you confirm this works for you with the latest code from `master` and re-open this issue if you find problems?
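As an added illustration (not transcrypt's own code), here is a POSIX sh sketch of the resolution logic the two comments above describe: a configured `transcrypt.openssl-path` value wins, a bare name falls back to `$PATH` lookup (the `'openssl'` default), and an explicit path is verified on the current machine, which is the check that matters once a global `~/.gitconfig` is synced between hosts with different OpenSSL locations. The function names `resolve_openssl_bin` and `openssl_bin_for_repo` are assumptions for this example.

```shell
#!/bin/sh
# Resolve the OpenSSL binary transcrypt-style: an explicit configured value
# (e.g. the repo-local transcrypt.openssl-path setting) wins, otherwise fall
# back to the bare name "openssl" looked up on $PATH.
#   $1: configured value (may be empty)   $2: fallback name (default: openssl)
# Prints the resolved path; returns 1 if nothing usable exists on this machine.
resolve_openssl_bin() {
  configured=$1
  fallback=${2:-openssl}
  candidate=${configured:-$fallback}
  case $candidate in
    */*)
      # An explicit path must be a regular, executable file *here*: a value
      # copied in from another machine's synced config should fail loudly
      # rather than silently leave the repo unable to encrypt or decrypt.
      if [ -f "$candidate" ] && [ -x "$candidate" ]; then
        printf '%s\n' "$candidate"
        return 0
      fi
      echo "configured OpenSSL path is not executable: $candidate" >&2
      return 1
      ;;
    *)
      # A bare name is searched on $PATH, matching the 'openssl' default.
      if resolved=$(command -v "$candidate" 2>/dev/null) && [ -n "$resolved" ]; then
        printf '%s\n' "$resolved"
        return 0
      fi
      echo "no '$candidate' binary found on PATH" >&2
      return 1
      ;;
  esac
}

# Read the setting the way the merged feature stores it (local Git config,
# with --global as the opt-in workaround) and resolve it. Assumes the current
# directory is inside a Git work tree; `git config --get` prefers local over
# global values, so a per-repo setting overrides a synced global one.
openssl_bin_for_repo() {
  cfg=$(git config --get transcrypt.openssl-path 2>/dev/null || true)
  resolve_openssl_bin "$cfg"
}
```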
On macOS it would be useful to be able to tell `transcrypt` to use the Homebrew-installed `openssl`, but I don't want to add `/usr/local/opt/openssl/bin` to `PATH` due to the potential for side effects. More specifically I'm hoping that `yadm` could pass any value set for `yadm.openssl-program` in its configuration file along to `transcrypt` in order to avoid the "deprecated key derivation used" warnings.