elasticdog / transcrypt

transparently encrypt files within a git repository
MIT License
1.44k stars 102 forks

Suggestion: provide a mechanism for users to specify the openssl path #108

Closed jwatt closed 3 years ago

jwatt commented 3 years ago

On macOS it would be useful to be able to tell transcrypt to use the Homebrew installed openssl, but I don't want to add /usr/local/opt/openssl/bin to PATH due to the potential for side effects. More specifically I'm hoping that yadm could pass any value set for yadm.openssl-program in its configuration file along to transcrypt in order to avoid the "deprecated key derivation used" warnings.

jmurty commented 3 years ago

Hi @jwatt, this is something we have discussed before in and around this comment: https://github.com/elasticdog/transcrypt/issues/55#issuecomment-637094456. So far we have decided against making the OpenSSL binary path configurable, though like you I would enjoy being able to customise the OpenSSL version used on MacOS.

I'm not familiar with yadm (Yet Another Dotfiles Manager). This seems to be the relevant section on using yadm with transcrypt though the only mention of the yadm.openssl-program option I found is here.

Can you talk more about how yadm could, or should, relay settings like yadm.openssl-program through to programs it invokes? If it does something relatively simple, we might be able to work from that to come up with a clean way to set a custom OpenSSL path both with and without using yadm.

jwatt commented 3 years ago

Hi @jmurty. Thanks for the reply and link to the previous discussion.

Note that I'm just a casual user of yadm. That said, it seems like yadm is essentially a git wrapper that at its core invokes git --git-dir=~/.local/share/yadm/repo.git --work-tree=~ <other args passed to yadm> (plus other niceties).

yadm, like transcrypt, is just a single file shell script. I had expected that yadm invokes transcrypt frequently, passing command line arguments, and therefore the obvious mechanism for yadm to communicate the openssl path with transcrypt would be for it to pass the openssl path using a new transcrypt command line argument. It looks like I was mistaken in my assumptions about how things work though, and actually once transcrypt is set up yadm plays no direct part in the encryption/decryption or invoking transcrypt code.

Besides that, on reflection it probably wouldn't make sense to tell yadm about the openssl path if it's just passing on the args to transcrypt.

Ignoring yadm for the moment, presumably if transcrypt were to add support for specifying an openssl path it would store it in a [transcrypt] section of the user's $XDG_CONFIG_HOME/git/config / ~/.gitconfig. (Or else in a new ~/.config/transcrypt/config -- yadm stores the path in ~/.config/yadm/config, but it's more a git wrapper than a git integration.) So maybe it would make sense to add a transcrypt config command to allow users to specify an openssl path globally for their user for transcrypt. In that case there would be no need for yadm to coordinate with transcrypt on the openssl path at all.

jwatt commented 3 years ago

As you pointed out in https://github.com/elasticdog/transcrypt/issues/55#issuecomment-774470172, storing the path in the user's $XDG_CONFIG_HOME/git/config or ~/.gitconfig doesn't seem like a good idea. Many people synchronize their ~/.gitconfig and other dotfiles across multiple machines, and the openssl path will likely vary from machine to machine.

Perhaps storing the path in the per-repo .git/config, or else allowing it to be communicated via an environment variable (.bashrcs etc. can have per-machine conditional if-else blocks), would be better.

jmurty commented 3 years ago

Hi @jwatt, in #111 I have taken a first pass at implementing an --openssl-path argument option to set the OpenSSL binary version transcrypt will use. This setting is stored in the local Git config transcrypt.openssl-path and defaults to 'openssl' (i.e. by default it will use the first openssl binary found on the user's $PATH).

You can use the --upgrade operation to update the path in a pre-configured repo, like so:

./transcrypt --upgrade --yes --openssl-path=/usr/local/opt/openssl@1.1/bin/openssl

Can you try this and see if it works for you? Be warned that I have only done initial testing.

jmurty commented 3 years ago

Hi @jwatt, I think the recently-merged --set-openssl-path feature in dce1ad0dc41d3fb5eb754e5e135761910f275968 should let users set a custom path to OpenSSL.

For macOS users with newer, better versions of OpenSSL installed with Homebrew a command like the following will tell transcrypt to use that version instead of the one included with macOS: transcrypt --openssl-path=/usr/local/opt/openssl@1.1/bin/openssl

This implementation saves a transcrypt.openssl-path config setting in the local repository, which means it must be re-run for every repo, but because it relies on a standard Git setting you could work around this by setting git config --global transcrypt.openssl-path manually if/when you know it's safe to do this for your particular setup.

Can you confirm this works for you with the latest code from master and re-open this issue if you find problems?
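As an added example (not transcrypt's own code), the following shell functions resolve the OpenSSL binary the way this thread describes: from the transcrypt.openssl-path Git setting (a per-repo value overriding a --global one), falling back to the first openssl on $PATH, and refusing to proceed unless the resolved binary actually exists and is executable. The --show flag and the default-name argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not transcrypt's own code. Resolves which OpenSSL binary to
# run from the transcrypt.openssl-path setting discussed in the thread, and
# checks the result is a real executable before anything is encrypted with it.

# resolve_openssl_path VALUE [DEFAULT]
#   VALUE   - the configured setting (empty when unset)
#   DEFAULT - command name to fall back to (assumed default: "openssl")
# Prints the resolved path on stdout; returns 1 if nothing usable is found.
resolve_openssl_path() {
    value=$1
    default=${2:-openssl}
    [ -n "$value" ] || value=$default

    case $value in
        */*)
            # A path (absolute or relative): must point at an executable file.
            if [ -f "$value" ] && [ -x "$value" ]; then
                printf '%s\n' "$value"
                return 0
            fi
            printf 'transcrypt.openssl-path %s is not an executable file\n' "$value" >&2
            return 1
            ;;
        *)
            # A bare command name: look it up on $PATH, like the 'openssl' default.
            resolved=$(command -v "$value" 2>/dev/null) || {
                printf 'no %s found on PATH\n' "$value" >&2
                return 1
            }
            printf '%s\n' "$resolved"
            ;;
    esac
}

# configured_openssl_path: read the setting from Git config and resolve it.
# `git config --get` reads local repo config after global config, so a
# per-repo value set via --set-openssl-path overrides a --global one.
configured_openssl_path() {
    resolve_openssl_path "$(git config --get transcrypt.openssl-path 2>/dev/null)"
}

# Constructed usage: `./check-openssl.sh --show` prints the version of the
# OpenSSL binary transcrypt would end up calling in this repository.
if [ "${1:-}" = "--show" ]; then
    bin=$(configured_openssl_path) || exit 1
    "$bin" version
fi
```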