Open andreineculau opened 3 months ago
Transcrypt isn't built to check for a correct password. To do so, it would need to track extra metadata information to detect successful or failed decryption based on the decrypted file containing or matching that metadata.
The easiest way I can think of to check for a correct password without looking at the resultant workspace files is to create a file with consistent name and known content in your repo(s), run just the smudge command directly with Transcrypt, and confirm the known content is present in the result from the smudge command.
You would need to set the minimum required Transcrypt Git config options for this to work, but you could do it like this (using this repo's sensitive_file as an example):

```bash
# Set Git config options required by transcrypt
git config transcrypt.password 'correct horse battery staple'
git config transcrypt.cipher aes-256-cbc
git config transcrypt.openssl-path openssl

# Run 'smudge' command directly. You must provide:
# - the encrypted file's contents via stdin
# - the context name (default) and the encrypted file's name via command arguments
cat sensitive_file | ./transcrypt smudge context=default sensitive_file

# Check for known content in the decrypted file
cat sensitive_file | ./transcrypt smudge context=default sensitive_file | grep -q '^I just wanna'
# $? == 0  (known content found: password/cipher are correct)

git config transcrypt.password 'wrong password'
cat sensitive_file | ./transcrypt smudge context=default sensitive_file | grep -q '^I just wanna'
# $? == 1  (known content absent: wrong password/cipher)
```
When using the wrong password, you end up with dirty secret files. Beyond checking for dirty secret files after "smudging", how would you check if the password/cipher is correct without touching the workspace?
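The sentinel-file check described in the reply above, packaged as a script that never reads or writes the working tree. This is an added example, not transcrypt's own code; it assumes a transcrypt script at TRANSCRYPT, a committed sentinel file SENTINEL with known plaintext, and a grep pattern KNOWN for that plaintext (all hypothetical names). It takes the ciphertext from the committed blob with `git cat-file blob`, which applies neither the smudge filter nor textconv, and restores the previous `transcrypt.password` afterwards so a failed probe does not leave a wrong password in `.git/config`.

```bash
#!/usr/bin/env bash
# Added example, not transcrypt's own code. Assumptions (hypothetical names):
#   TRANSCRYPT - path to the transcrypt script
#   SENTINEL   - a transcrypt-managed file committed to HEAD whose plaintext
#                is known (here: this repo's sensitive_file)
#   KNOWN      - a grep pattern that the decrypted sentinel must match
set -u
TRANSCRYPT="${TRANSCRYPT:-./transcrypt}"
SENTINEL="${SENTINEL:-sensitive_file}"
KNOWN="${KNOWN:-^I just wanna}"

# Return 0 if CANDIDATE decrypts the sentinel to the known content, 1 otherwise.
# The ciphertext is read from the committed blob (git cat-file applies neither
# the smudge filter nor textconv), so the working tree is never touched.
# transcrypt.password is set only for the duration of the check, then restored.
transcrypt_password_ok() {
  local candidate="$1" previous='' had_previous=0 out status=0
  if previous="$(git config --get transcrypt.password)"; then had_previous=1; fi
  git config transcrypt.password "$candidate"

  # Exit status of the pipeline is transcrypt's; openssl noise is silenced.
  out="$(git cat-file blob "HEAD:$SENTINEL" \
         | "$TRANSCRYPT" smudge context=default "$SENTINEL" 2>/dev/null)" || status=$?

  if [ "$had_previous" -eq 1 ]; then
    git config transcrypt.password "$previous"
  else
    git config --unset transcrypt.password || true
  fi

  # Do not trust the exit status alone: with a wrong key, CBC decryption can
  # occasionally yield output that passes the padding check. Demand the known
  # plaintext as well.
  [ "$status" -eq 0 ] && printf '%s\n' "$out" | grep -q -e "$KNOWN"
}

# Usage: ./check-transcrypt-password.sh 'candidate password'
if [ -n "${1-}" ]; then
  if transcrypt_password_ok "$1"; then
    echo "password/cipher OK"
  else
    echo "password/cipher WRONG (config restored, working tree untouched)" >&2
    exit 1
  fi
fi
```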