At some point between Git 1.7.1 and Git 1.8.1.3, both 'git reset' and
'git status' stopped noticing that files were modified after their
smudge filter changed. Consequentially, 'git reset --hard HEAD' would
not decrypt existing encrypted files in the repo.
This commit changes 'git-crypt init' to use 'git checkout -f HEAD
/top/of/repo' instead, which does the job.
Although glibc's implementation of mkstemp creates temporary files with
a safe (i.e. 0600) mode, POSIX does not mandate any particular mode. So
to ensure maximum cross-platform safety, we must set a umask of 0077
before calling mkstemp.
