sobolevn / git-secret

:busts_in_silhouette: A bash-tool to store your private data inside a git repository.
https://sobolevn.me/git-secret/
MIT License

git secret + commit hook fails with git gui. Overrides pinentry #221

Open ieugen opened 6 years ago

ieugen commented 6 years ago

What are the steps to reproduce this issue?

  1. Add a pre commit hook as per documentation:

.git/hooks/pre-commit

    #!/bin/sh
    # Hide secrets only when `git secret changes` reports a modified file.
    if git secret changes | grep -q "+++"; then
        echo "Hiding git secrets."
        git secret hide
    else
        echo "No secrets to hide."
    fi

I'm hiding secrets only if there are changes.

  2. Open git gui and commit https://git-scm.com/docs/git-gui

What happens?

Git gui hangs - because the gpg pass phrase is presented on standard input and I can't access that.

I believe I've tracked the code to this part in /usr/bin/git-secret

if [[ "$GPG_VER_21" -eq 1 ]]; then
    base="$base --pinentry-mode loopback"
fi

What were you expecting to happen?

I should be presented with the GUI pinentry application that I have set up in my ~/.gnupg/gpg-agent.conf via pinentry-program /usr/bin/pinentry-gnome3.

Any other comments?

I think the Arch docs explain the gpg situation pretty well: https://wiki.archlinux.org/index.php/GnuPG#gpg-agent

What versions of software are you using?

Operating system: (uname -a) Linux default 4.16.0-2-amd64 #1 SMP Debian 4.16.12-1 (2018-05-27) x86_64 GNU/Linux

I'm using Debian testing (Buster).

git-secret path: (which git-secret) /usr/bin/git-secret
git-secret version: (git secret --version) 0.2.2
git version: (git --version) 2.18.0
Shell type and version: ($SHELL --version) zsh 5.5.1

gpg version: (gpg --version) gpg (GnuPG) 2.2.8 libgcrypt 1.8.3

joshrabinowitz commented 6 years ago

@ieugen thank you for this report.

Can you please try again with the most recent release of git-secret, 0.2.4?

Also, if you know what code change is required to fix this issue, please let us know or open a PR.

ieugen commented 6 years ago

Thanks. I will give it a try. Unfortunately I don't know the fix, but I will give it a try. Gpg is not the friendliest of software.

joshrabinowitz commented 6 years ago

Hello @ieugen, @simbo1905, @sobolevn:

What's the right way to handle this?

Should we be reading ~/.gpg/gpg-agent.conf to find the correct 'pinentry-program' value?

sobolevn commented 6 years ago

I guess we can just have a configuration option. Reading this file will be almost impossible to implement correctly including all location/format/permission/versions stuff.

joshrabinowitz commented 6 years ago

@sobolevn so are you envisioning a -nop option for git-secret reveal and hide to disable use of gpg's --pinentry loopback option? How would you see this looking in practice?

ieugen commented 6 years ago

@joshrabinowitz :+1:

Should we be reading ~/.gpg/gpg-agent.conf to find the correct 'pinentry-program' value?

Not sure if we need to read it. I believe it has a command that can give us the value.

I think gpgconf should be OK. However, on my system it shows the wrong version of pinentry, so I guess it does not read gpg-agent.conf, where I set pinentry-program /usr/bin/pinentry-gnome3. It is either a bug or I am doing something wrong.

gpgconf --list-components
gpg:OpenPGP:/usr/bin/gpg
gpg-agent:Private Keys:/usr/bin/gpg-agent
scdaemon:Smartcards:/usr/lib/gnupg/scdaemon
gpgsm:S/MIME:/usr/bin/gpgsm
dirmngr:Network:/usr/bin/dirmngr
pinentry:Passphrase Entry:/usr/bin/pinentry
---
gpgconf --list-dirs
sysconfdir:/etc/gnupg
bindir:/usr/bin
libexecdir:/usr/lib/gnupg
libdir:/usr/lib/x86_64-linux-gnu/gnupg
datadir:/usr/share/gnupg
localedir:/usr/share/locale
socketdir:/run/user/1000/gnupg
dirmngr-socket:/run/user/1000/gnupg/S.dirmngr
agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh
agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra
agent-browser-socket:/run/user/1000/gnupg/S.gpg-agent.browser
agent-socket:/run/user/1000/gnupg/S.gpg-agent
homedir:/home/ieugen/.gnupg

[1] https://www.gnupg.org/documentation/manuals/gnupg/gpgconf.html

doozMen commented 5 years ago

I cannot get it set up correctly. I use it in a Swift script and for now got it to work with the workaround of running git secret reveal before I run my script. I created an issue in my fork https://github.com/dooZdev/Highway/issues/36 Any tips :) Thanks!

simbo1905 commented 5 years ago

@doozMen are you using git-gui? I looked at your issue; it names a Secrets.swift that I cannot find after cloning your repo. I am not a Swift programmer, so if you can please provide the minimal steps to reproduce (such as a sample repo with Highway and a secret, if that is necessary, I am not sure) then we can take a look.

simbo1905 commented 5 years ago

@doozMen also, could you please post all the software versions (gpg, git-secret)?

joshrabinowitz commented 5 years ago

Following up on @sobolevn 's suggestion from Jul 14, 2018:

I propose that we support users who need to set --pinentry (which this seems to be an example of), by supporting a SECRETS_PINENTRY=/path/here env var and/or -e /path/here

(I'm open to other flags than -e but -p and -P are already used for other purposes in git-secret).

sobolevn commented 5 years ago

Let's have SECRETS_PINENTRY 👍

joshrabinowitz commented 5 years ago

SECRETS_PINENTRY=/path/here won't work as --pinentry only accepts 'default', 'ask', 'cancel', 'error' and 'loopback'.

gpgagent has a --pinentry-program setting, but we don't interact with gpgagent directly in git-secret.

I suspect the right solution for this issue is to provide some way for the user to have git-secret ~not pass --pinentry=localhost in the case where the user needs~ provide a way for the user to use a custom --pinentry setting. See #490
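The following is an added example, not code from git-secret or from anyone in this thread. It ties together the two technical points above: the pre-commit hook from the first comment, which hangs under git gui because the git-secret release in question always passes `--pinentry-mode loopback` on GnuPG 2.1+, and the last comment's proposal of a `SECRETS_PINENTRY` setting restricted to the values gpg actually accepts. The functions show how a wrapper (or a future git-secret) could choose the pinentry mode from that allowlist, gated on the same GnuPG 2.1 version check the first comment quotes, and the hook body fails fast with a clear message when stdin is not a terminal instead of blocking on a passphrase prompt nobody can see. Assumptions: `SECRETS_PINENTRY` carries a `--pinentry-mode` value (the thread never settled its meaning), the "no terminal on stdin" test is a heuristic for the git gui case, and none of the function names exist in git-secret.

```shell
#!/bin/sh
# Added example, not git-secret's own code (see lead-in for assumptions).
set -eu

# Values gpg accepts for --pinentry-mode, as listed in the thread.
VALID_PINENTRY_MODES="default ask cancel error loopback"

# validate_pinentry_mode MODE: print MODE if it is on the allowlist, else fail.
validate_pinentry_mode() {
  for _m in $VALID_PINENTRY_MODES; do
    if [ "$_m" = "$1" ]; then
      printf '%s\n' "$1"
      return 0
    fi
  done
  printf 'invalid pinentry mode "%s"; expected one of: %s\n' \
    "$1" "$VALID_PINENTRY_MODES" >&2
  return 1
}

# choose_pinentry_mode REQUESTED STDIN_IS_TTY(0|1): an explicit request
# (hypothetical SECRETS_PINENTRY) wins after validation; otherwise use
# loopback only when a terminal can supply the passphrase, and fall back to
# "default" so gpg-agent runs the pinentry-program from gpg-agent.conf.
choose_pinentry_mode() {
  if [ -n "$1" ]; then
    validate_pinentry_mode "$1"
  elif [ "$2" -eq 1 ]; then
    echo loopback
  else
    echo default
  fi
}

# gpg_supports_pinentry_mode VERSION_LINE: true for GnuPG >= 2.1, the same
# condition the quoted GPG_VER_21 check in git-secret stands for.
# VERSION_LINE is the first line of `gpg --version`, e.g. "gpg (GnuPG) 2.2.8".
gpg_supports_pinentry_mode() {
  _ver="${1##* }"          # last whitespace-separated field, e.g. 2.2.8
  _major="${_ver%%.*}"
  _rest="${_ver#*.}"
  _minor="${_rest%%.*}"
  [ "$_major" -gt 2 ] || { [ "$_major" -eq 2 ] && [ "$_minor" -ge 1 ]; }
}

# gpg_pinentry_args VERSION_LINE MODE: the extra gpg arguments to add,
# empty for GnuPG releases that do not know --pinentry-mode.
gpg_pinentry_args() {
  if gpg_supports_pinentry_mode "$1"; then
    printf '%s %s\n' '--pinentry-mode' "$2"
  else
    printf '\n'
  fi
}

# Hook body: with no terminal on stdin (heuristic for the git gui case) a
# forced loopback prompt can never be answered, so fail fast with guidance
# instead of hanging; otherwise hide only when there are changed secrets.
run_hook() {
  if [ ! -t 0 ]; then
    echo "pre-commit: gpg loopback pinentry needs a terminal on stdin;" >&2
    echo "            run 'git secret hide' from a shell, then commit again." >&2
    exit 1
  fi
  if git secret changes | grep -q '+++'; then
    echo "Hiding git secrets."
    git secret hide
  else
    echo "No secrets to hide."
  fi
}

# Only run the hook body when installed as .git/hooks/pre-commit, so the
# functions above can also be sourced and exercised on their own.
case "${0##*/}" in
  pre-commit) run_hook ;;
esac
```

Installed as `.git/hooks/pre-commit` this keeps the original hook's behaviour from a terminal, while a commit started from git gui gets an immediate error pointing at the manual `git secret hide` step rather than a frozen window. The mode-selection functions are the part a fix in git-secret itself would need: reject anything outside gpg's documented set, and add the flag only when the installed GnuPG understands it.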