elasticdog / transcrypt

transparently encrypt files within a git repository
MIT License

Unable to encrypt .pem file? #131

Closed ddmee closed 2 years ago

ddmee commented 2 years ago

Hi, I've been trying to encrypt a certificate with transcrypt.

Let's say I have a certificate file in my git repo at `<repo>/cert.pem`:

    -----BEGIN PRIVATE KEY-----
    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBj08sp5++4anG
    cmQxJjAkBgNVBAoTHVByb2dyZXNzIFNvZnR3YXJlIENvcnBvcmF0aW9uMSAwHgYD
    VQQDDBcqLmF3cy10ZXN0LnByb2dyZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
    …
    bml6YXRpb252YWxzaGEyZzIuY3JsMIGgBggrBgEFBQcBAQSBkzCBkDBNBggrBgEF
    BQcwAoZBaHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvZ3Nvcmdh
    z3P668YfhUbKdRF6S42Cg6zn
    -----END PRIVATE KEY-----

If I add the file to transcrypt via `.gitattributes`, when I try to commit the file I get the warning:

Transcrypt managed file is not encrypted in the Git index: cert.pem

You probably staged this file using a tool that does not apply .gitattribute filters as required by Transcrypt.

Fix this by re-staging the file with a compatible tool or with Git on the command line:

    git reset -- cert.pem
    git add cert.pem

Using `git rm --cached cert.pem`, as suggested in https://github.com/elasticdog/transcrypt/issues/120, doesn't fix the problem.

I guess transcrypt must think that the certificate file is already encrypted, as it seems to be hitting these lines of code: https://github.com/elasticdog/transcrypt/blob/fdf81c53f0ad27651e03a67ea732b164d209e948/transcrypt#L224-L226

But the certificate file isn't encrypted. I'm wondering, can transcrypt encrypt certificate files?

Thanks

jmurty commented 2 years ago

Hi, the only way I have been able to reproduce this problem with a PEM file of my own is to make repository changes in a subtly wrong order: by staging the pem file first and only updating the `.gitattributes` file afterwards.

Could this be what is going wrong for you?

I have confirmed that if I change the `.gitattributes` file before `git add`-ing the pem file, I am able to transcrypt a pem file like any other. Can you test with a sequence like the following?

    # Copy a pem file into repo
    cp ~/.ssh/example.pem .

    # Configure transcrypt "crypt" attributes to encrypt pem files
    # This MUST be done before you stage the pem file
    echo '*.pem filter=crypt diff=crypt merge=crypt' >> .gitattributes

    # Stage pem file and config changes
    git add .gitattributes example.pem

    # Check raw contents of staged pem file, should start with "U2FsdGVk"
    git show :example.pem

    # Commit works as expected
    git commit -m "Add encrypted pem file"

ddmee commented 2 years ago

Hi jmurty. Thanks for trying to reproduce this. No, I had updated the `.gitattributes` before I staged the pem file.

I have tested the sequence as you described, and the pem file did encrypt correctly.

So at least that confirms that .pem files are encryptable by transcrypt.

I suppose the other thing to note is that the .pem files I was trying to encrypt are actually mounted onto the filesystem from a docker container. I hadn't had an issue encrypting other files that were inside a docker container, mounted on the host. So I didn't think this was an issue. But maybe something strange is happening that way.

Ernaldis commented 2 years ago

I am seeing the same issue on my system.

Environment info:

- OS: Pop!_OS 22.04 LTS
- transcrypt version: 2.1.0
- git version: 2.34.1

Steps to produce issue:

    mkdir test_transcrypt
    cd test_transcrypt
    git init
    echo "123" > secret.yaml
    transcrypt   # accepting defaults
    echo 'secret.yaml  filter=crypt diff=crypt merge=crypt' >> .gitattributes
    git add .
    git commit -m "test transcrypt"

The final command returns the following message:

Transcrypt managed file is not encrypted in the Git index: secret.yaml

You probably staged this file using a tool that does not apply .gitattribute filters as required by Transcrypt.

Fix this by re-staging the file with a compatible tool or with Git on the command line:

    git reset -- secret.yaml
    git add secret.yaml

Running the two suggested commands and attempting to commit again returned the same message.

Running `transcrypt -l` returns `secret.yaml`.

Running `git show :secret.yaml` returns `/1Vqnq87x17ayOQPmoBTLw==`.

This was also attempted with versions 2.2.0-pre and 2.0.0, which did not solve the problem. It was also attempted on a machine running macOS, which installed transcrypt version 2.1.0 through Homebrew. In this environment, everything worked as expected.

yambottle commented 2 years ago

Having the same issue with @Ernaldis !

jmurty commented 2 years ago

Hi @Ernaldis and @yambottle, can you check which version of OpenSSL you are using with `openssl version`?

I suspect the issue is due to an incompatible (with transcrypt) change in how the new OpenSSL version 3 encrypts files, as discussed in https://github.com/elasticdog/transcrypt/issues/133

If you are using OpenSSL 3+, can you try the `fix-for-openssl3` branch (PR #135) to see if that fixes the problem for you? We should probably get the OpenSSL 3+ fix out pretty soon, but I'd appreciate more feedback on whether or not it works for people.
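
The warning in this thread comes from transcrypt comparing what Git actually holds in the index against what OpenSSL `enc` produces: password-based `enc` output begins with the 8-byte magic `Salted__`, which is `U2FsdGVk` once base64-encoded, and the blob Ernaldis got from `git show :secret.yaml` (`/1Vqnq87x17ayOQPmoBTLw==`) is valid base64 that lacks that magic. The script below is an added illustration of that check, not code from the thread or from transcrypt itself: it decodes the index blob and classifies it as plaintext, OpenSSL "Salted__" output, or base64 without the header. The function names, the `HEALTHY_BLOB` sample (made-up salt and ciphertext bytes, only the layout is meaningful) and the `git show :<path>` wrapper are assumptions of this example.

```python
"""Inspect what Git holds in the index for a transcrypt-managed file.

Illustrative example added to this thread; not part of transcrypt.
"""
import base64
import binascii
import subprocess

SALTED_MAGIC = b"Salted__"      # header OpenSSL `enc` writes when it uses a salt
SALTED_MAGIC_B64 = "U2FsdGVk"   # base64 of the first six bytes, "Salted"

# Blob text Ernaldis reported from `git show :secret.yaml` (copied from the thread).
OBSERVED_BLOB = "/1Vqnq87x17ayOQPmoBTLw=="

# Constructed stand-in for a healthy transcrypt blob: magic + 8-byte salt + ciphertext.
# Salt and ciphertext bytes are made up; only the layout matters for the check.
HEALTHY_BLOB = base64.b64encode(SALTED_MAGIC + bytes(range(8)) + b"\x00" * 32).decode()


def decode_base64_blob(text):
    """Return the decoded bytes if `text` is a single base64 token, else None.

    Whitespace is stripped first because the filter output may be wrapped.
    Anything containing characters outside the base64 alphabet (a PEM header,
    YAML, a bare "123") is reported as None, i.e. not encrypted output at all.
    """
    compact = "".join(text.split())
    if not compact:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_staged_blob(text):
    """Classify the blob text that `git show :path` printed.

    Returns one of:
      "plaintext"                        - not base64; the clean filter never ran
      "openssl-salted"                   - what transcrypt expects in the index
      "ciphertext-without-salted-header" - base64 but no "Salted__" magic; this
                                           is what the thread observed with OpenSSL 3
    """
    raw = decode_base64_blob(text)
    if raw is None:
        return "plaintext"
    if raw.startswith(SALTED_MAGIC):
        return "openssl-salted"
    return "ciphertext-without-salted-header"


def passes_transcrypt_prefix_check(text):
    """The cheap textual form of the same test: does the blob start with U2FsdGVk?"""
    return text.lstrip().startswith(SALTED_MAGIC_B64)


def classify_index_entry(path, cwd="."):
    """Run `git show :<path>` inside a repository and classify the staged blob.

    Assumes `git` is on PATH and that `path` is present in the index.
    """
    result = subprocess.run(
        ["git", "show", f":{path}"],
        cwd=cwd, check=True, capture_output=True, text=True,
    )
    return classify_staged_blob(result.stdout)


if __name__ == "__main__":
    for label, blob in (("observed", OBSERVED_BLOB), ("healthy", HEALTHY_BLOB)):
        print(f"{label:9s} {classify_staged_blob(blob):35s} "
              f"prefix-check={passes_transcrypt_prefix_check(blob)}")
```

Run inside a repository as `classify_index_entry("secret.yaml")` to see which of the three states a staged file is in before committing. The base64 test is a heuristic: a short plaintext that happens to be valid base64 would also land in the "no header" bucket, so the decisive signal is the presence or absence of the `Salted__` magic, which is exactly the byte sequence the `git show` output in this thread is missing.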

Ernaldis commented 2 years ago

Hi @jmurty, thank you for getting back to us.

`openssl version` returns `OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)`.

After checking out the `fix-for-openssl3` branch, `transcrypt --version` returned `transcrypt 2.2.0-pre`.

Initially, the same error occurred, but removing transcrypt from the repo with `transcrypt -u` and setting it back up again fixed the issue. Everything appears to be in working order now.

jmurty commented 2 years ago

Thanks for confirming this fix; we'll include it along with a bunch of other improvements in the upcoming 2.2.0 release.