Prepare 0.8.0 release

Closes: #313

.github/workflows/release-linux.yml

@@ -0,0 +1,46 @@
+on:
+  release:
+    types: [published]
+name: Build Release Binary (Linux)
+jobs:
+  build:
+    name: Build Release Binary
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Install dependencies
+        run: sudo apt install libssl-dev
+      - name: Build binary
+        run: make
+      - name: Upload release artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: git-crypt-artifacts
+          path: git-crypt
+  upload:
+    name: Upload Release Binary
+    runs-on: ubuntu-latest
+    needs: build
+    permissions:
+      contents: write
+    steps:
+      - name: Download release artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: git-crypt-artifacts
+      - name: Upload release asset
+        uses: actions/github-script@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const fs = require("fs").promises;
+            const { repo: { owner, repo }, sha } = context;
+            await github.repos.uploadReleaseAsset({
+              owner, repo,
+              release_id: ${{ github.event.release.id }},
+              name: 'git-crypt-${{ github.event.release.name }}-linux-x86_64',
+              data: await fs.readFile('git-crypt'),
+            });

.github/workflows/release-windows.yml

@@ -0,0 +1,56 @@
+on:
+  release:
+    types: [published]
+name: Build Release Binary (Windows)
+jobs:
+  build:
+    name: Build Release Binary
+    runs-on: windows-2022
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Setup msys2
+        uses: msys2/setup-msys2@v2
+        with:
+          msystem: MINGW64
+          update: true
+          install: >-
+            base-devel
+            msys2-devel
+            mingw-w64-x86_64-toolchain
+            mingw-w64-x86_64-openssl
+            openssl-devel
+      - name: Build binary
+        shell: msys2 {0}
+        run: make LDFLAGS="-static-libstdc++ -static -lcrypto -lws2_32"
+      - name: Upload release artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: git-crypt-artifacts
+          path: git-crypt.exe
+  upload:
+    name: Upload Release Binary
+    runs-on: ubuntu-latest
+    needs: build
+    permissions:
+      contents: write
+    steps:
+      - name: Download release artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: git-crypt-artifacts
+      - name: Upload release asset
+        uses: actions/github-script@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const fs = require("fs").promises;
+            const { repo: { owner, repo }, sha } = context;
+            await github.repos.uploadReleaseAsset({
+              owner, repo,
+              release_id: ${{ github.event.release.id }},
+              name: 'git-crypt-${{ github.event.release.name }}-x86_64.exe',
+              data: await fs.readFile('git-crypt.exe'),
+            });

CONTRIBUTING.md

@@ -4,8 +4,7 @@ documentation, bug reports, or anything else that improves git-crypt.
 
 When contributing code, please consider the following guidelines:
 
- * You are encouraged to open an issue on GitHub or send mail to
+ * You are encouraged to open an issue on GitHub to discuss any non-trivial
-   git-crypt-discuss@lists.cloudmutt.com to discuss any non-trivial
    changes before you start coding.
 
  * Please mimic the existing code style as much as possible.  In
@@ -15,8 +14,7 @@ When contributing code, please consider the following guidelines:
  * To minimize merge commits, please rebase your changes before opening
    a pull request.
 
- * To submit your patch, open a pull request on GitHub or send a
+ * To submit your patch, open a pull request on GitHub.
-   properly-formatted patch to git-crypt-discuss@lists.cloudmutt.com.
 
 Finally, be aware that since git-crypt is security-sensitive software,
 the bar for contributions is higher than average.  Please don't be

INSTALL

@@ -1,25 +1,48 @@
 DEPENDENCIES
 
+To build git-crypt, you need:
+
+                                    Debian/Ubuntu package   RHEL/CentOS package
+  -----------------------------------------------------------------------------
+  Make                              make                    make
+  A C++11 compiler (e.g. gcc 4.9+)  g++                     gcc-c++
+  OpenSSL development files         libssl-dev              openssl-devel
+
+
 To use git-crypt, you need:
 
-	* Git 1.6.0 or newer
+                                    Debian/Ubuntu package   RHEL/CentOS package
-	* OpenSSL
+  -----------------------------------------------------------------------------
-	* For decrypted git diff output, Git 1.6.1 or newer
+  Git 1.7.2 or newer                git                     git
-	* For decrypted git blame output, Git 1.7.2 or newer
+  OpenSSL                           openssl                 openssl
 
-To build git-crypt, you need a C++ compiler and OpenSSL development
+Note: Git 1.8.5 or newer is recommended for best performance.
-headers.
 
 
 BUILDING GIT-CRYPT
 
-The Makefile is tailored for g++, but should work with other compilers.
+Run:
 
 	$ make
-	$ cp git-crypt /usr/local/bin/
+	$ make install
 
-It doesn't matter where you install the git-crypt binary - choose wherever
+To install to a specific location:
-is most convenient for you.
+
+	$ make install PREFIX=/usr/local
+
+Or, just copy the git-crypt binary to wherever is most convenient for you.
+
+
+BUILDING THE MAN PAGE
+
+To build and install the git-crypt(1) man page, pass ENABLE_MAN=yes to make:
+
+	$ make ENABLE_MAN=yes
+	$ make ENABLE_MAN=yes install
+
+xsltproc is required to build the man page.  Note that xsltproc will access
+the Internet to retrieve its stylesheet unless the Docbook stylesheet is
+installed locally and registered in the system's XML catalog.
 
 
 BUILDING A DEBIAN PACKAGE

INSTALL.md

@@ -1,31 +1,51 @@
-Dependencies
+### Dependencies
-------------
+
+To build git-crypt, you need:
+
+| Software                        | Debian/Ubuntu package | RHEL/CentOS package|
+|---------------------------------|-----------------------|--------------------|
+|Make                             | make                  | make               |
+|A C++11 compiler (e.g. gcc 4.9+) | g++                   | gcc-c++            |
+|OpenSSL development files        | libssl-dev            | openssl-devel      |
+
 
 To use git-crypt, you need:
 
-*   Git 1.6.0 or newer
+| Software                        | Debian/Ubuntu package | RHEL/CentOS package|
-*   OpenSSL
+|---------------------------------|-----------------------|--------------------|
-*   For decrypted git diff output, Git 1.6.1 or newer
+|Git 1.7.2 or newer               | git                   | git                |
-*   For decrypted git blame output, Git 1.7.2 or newer
+|OpenSSL                          | openssl               | openssl            |
 
-To build git-crypt, you need a C++ compiler and OpenSSL development
+Note: Git 1.8.5 or newer is recommended for best performance.
-headers.
 
 
-Building git-crypt
+### Building git-crypt
-------------------
 
-The Makefile is tailored for g++, but should work with other compilers.
+Run:
 
     make
-    cp git-crypt /usr/local/bin/
+    make install
 
-It doesn't matter where you install the git-crypt binary - choose
+To install to a specific location:
-wherever is most convenient for you.
+
+    make install PREFIX=/usr/local
+
+Or, just copy the git-crypt binary to wherever is most convenient for you.
 
 
-Building A Debian Package
+### Building The Man Page
--------------------------
+
+To build and install the git-crypt(1) man page, pass `ENABLE_MAN=yes` to make:
+
+    make ENABLE_MAN=yes
+    make ENABLE_MAN=yes install
+
+xsltproc is required to build the man page.  Note that xsltproc will access
+the Internet to retrieve its stylesheet unless the Docbook stylesheet is
+installed locally and registered in the system's XML catalog.
+
+
+### Building A Debian Package
 
 Debian packaging can be found in the 'debian' branch of the project Git
 repository.  The package is built using git-buildpackage as follows:
@@ -34,15 +54,13 @@ repository.  The package is built using git-buildpackage as follows:
     git-buildpackage -uc -us
 
 
-Installing On Mac OS X
+### Installing On Mac OS X
-----------------------
 
 Using the brew package manager, simply run:
 
     brew install git-crypt
 
-Experimental Windows Support
+### Experimental Windows Support
-----------------------------
 
 git-crypt should build on Windows with MinGW, although the build system
 is not yet finalized so you will need to pass your own CXX, CXXFLAGS, and

Makefile

@@ -1,7 +1,17 @@
-CXX := c++
+#
-CXXFLAGS := -Wall -pedantic -Wno-long-long -O2
+# Copyright (c) 2015 Andrew Ayer
-LDFLAGS :=
+#
-PREFIX := /usr/local
+# See COPYING file for license information.
+#
+
+CXXFLAGS ?= -Wall -pedantic -Wno-long-long -O2
+CXXFLAGS += -std=c++11
+PREFIX ?= /usr/local
+BINDIR ?= $(PREFIX)/bin
+MANDIR ?= $(PREFIX)/share/man
+
+ENABLE_MAN ?= no
+DOCBOOK_XSL ?= http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl
 
 OBJFILES = \
     git-crypt.o \
@@ -10,22 +20,76 @@ OBJFILES = \
     gpg.o \
     key.o \
     util.o \
-    parse_options.o
+    parse_options.o \
+    coprocess.o \
+    fhstream.o
 
-OBJFILES += crypto-openssl.o
+OBJFILES += crypto-openssl-11.o
 LDFLAGS += -lcrypto
 
-all: git-crypt
+XSLTPROC ?= xsltproc
+DOCBOOK_FLAGS += --param man.output.in.separate.dir 1 \
+		 --stringparam man.output.base.dir man/ \
+		 --param man.output.subdirs.enabled 1 \
+		 --param man.authors.section.enabled 1
+
+all: build
+
+#
+# Build
+#
+BUILD_MAN_TARGETS-yes = build-man
+BUILD_MAN_TARGETS-no =
+BUILD_TARGETS := build-bin $(BUILD_MAN_TARGETS-$(ENABLE_MAN))
+
+build: $(BUILD_TARGETS)
+
+build-bin: git-crypt
 
 git-crypt: $(OBJFILES)
 	$(CXX) $(CXXFLAGS) -o $@ $(OBJFILES) $(LDFLAGS)
 
 util.o: util.cpp util-unix.cpp util-win32.cpp
+coprocess.o: coprocess.cpp coprocess-unix.cpp coprocess-win32.cpp
 
-clean:
+build-man: man/man1/git-crypt.1
-	rm -f *.o git-crypt
 
-install: git-crypt
+man/man1/git-crypt.1: man/git-crypt.xml
-	install -m 755 git-crypt $(DESTDIR)$(PREFIX)/bin/
+	$(XSLTPROC) $(DOCBOOK_FLAGS) $(DOCBOOK_XSL) man/git-crypt.xml
 
-.PHONY: all clean install
+#
+# Clean
+#
+CLEAN_MAN_TARGETS-yes = clean-man
+CLEAN_MAN_TARGETS-no =
+CLEAN_TARGETS := clean-bin $(CLEAN_MAN_TARGETS-$(ENABLE_MAN))
+
+clean: $(CLEAN_TARGETS)
+
+clean-bin:
+	rm -f $(OBJFILES) git-crypt
+
+clean-man:
+	rm -f man/man1/git-crypt.1
+
+#
+# Install
+#
+INSTALL_MAN_TARGETS-yes = install-man
+INSTALL_MAN_TARGETS-no =
+INSTALL_TARGETS := install-bin $(INSTALL_MAN_TARGETS-$(ENABLE_MAN))
+
+install: $(INSTALL_TARGETS)
+
+install-bin: build-bin
+	install -d $(DESTDIR)$(BINDIR)
+	install -m 755 git-crypt $(DESTDIR)$(BINDIR)/
+
+install-man: build-man
+	install -d $(DESTDIR)$(MANDIR)/man1
+	install -m 644 man/man1/git-crypt.1 $(DESTDIR)$(MANDIR)/man1/
+
+.PHONY: all \
+	build build-bin build-man \
+	clean clean-bin clean-man \
+	install install-bin install-man

NEWS

@@ -1,3 +1,41 @@
+v0.8.0 (2025-09-23)
+  * Remove OpenSSL 1.0 support, fix compilation with OpenSSL 3.
+  * Avoid use of problematic short GPG key IDs.
+
+v0.7.0 (2022-04-21)
+  * Avoid "argument list too long" errors on macOS.
+  * Fix handling of "-" arguments.
+  * Minor documentation improvements.
+
+v0.6.0 (2017-11-26)
+  * Add support for OpenSSL 1.1 (still works with OpenSSL 1.0).
+  * Switch to C++11 (gcc 4.9 or higher now required to build).
+  * Allow GPG to fail on some keys (makes unlock work better if there are
+    multiple keys that can unlock the repo but only some are available).
+  * Allow the repo state directory to be configured with the
+    git-crypt.repoStateDir git config option.
+  * Respect the gpg.program git config option.
+  * Don't hard code path to git-crypt in .git/config on Linux (ensures
+    repo continues to work if git-crypt is moved).
+  * Ensure git-crypt's gpg files won't be treated as text by Git.
+  * Minor improvements to build system, documentation.
+
+v0.5.0 (2015-05-30)
+  * Drastically speed up lock/unlock when used with Git 1.8.5 or newer.
+  * Add git-crypt(1) man page (pass ENABLE_MAN=yes to make to build).
+  * Add --trusted option to 'git-crypt gpg-add-user' to add user even if
+    GPG doesn't trust user's key.
+  * Improve 'git-crypt lock' usability, add --force option.
+  * Ignore symlinks and other non-files when running 'git-crypt status'.
+  * Fix compilation on old versions of Mac OS X.
+  * Fix GPG mode when with-fingerprint enabled in gpg.conf.
+  * Minor bug fixes and improvements to help/error messages.
+
+v0.4.2 (2015-01-31)
+  * Fix unlock and lock under Git 2.2.2 and higher.
+  * Drop support for versions of Git older than 1.7.2.
+  * Minor improvements to some help/error messages.
+
 v0.4.1 (2015-01-08)
   * Important usability fix to ensure that the .git-crypt directory
     can't be encrypted by accident (see RELEASE_NOTES-0.4.1.md for

NEWS.md

@@ -1,6 +1,44 @@
 News
 ====
 
+######v0.8.0 (2025-09-23)
+* Remove OpenSSL 1.0 support, fix compilation with OpenSSL 3.
+* Avoid use of problematic short GPG key IDs.
+
+######v0.7.0 (2022-04-21)
+* Avoid "argument list too long" errors on macOS.
+* Fix handling of "-" arguments.
+* Minor documentation improvements.
+
+######v0.6.0 (2017-11-26)
+* Add support for OpenSSL 1.1 (still works with OpenSSL 1.0).
+* Switch to C++11 (gcc 4.9 or higher now required to build).
+* Allow GPG to fail on some keys (makes unlock work better if there are
+  multiple keys that can unlock the repo but only some are available).
+* Allow the repo state directory to be configured with the
+  git-crypt.repoStateDir git config option.
+* Respect the gpg.program git config option.
+* Don't hard code path to git-crypt in .git/config on Linux (ensures
+  repo continues to work if git-crypt is moved).
+* Ensure git-crypt's gpg files won't be treated as text by Git.
+* Minor improvements to build system, documentation.
+
+######v0.5.0 (2015-05-30)
+* Drastically speed up lock/unlock when used with Git 1.8.5 or newer.
+* Add git-crypt(1) man page (pass `ENABLE_MAN=yes` to make to build).
+* Add --trusted option to `git-crypt gpg-add-user` to add user even if
+  GPG doesn't trust user's key.
+* Improve `git-crypt lock` usability, add --force option.
+* Ignore symlinks and other non-files when running `git-crypt status`.
+* Fix compilation on old versions of Mac OS X.
+* Fix GPG mode when with-fingerprint enabled in gpg.conf.
+* Minor bug fixes and improvements to help/error messages.
+
+######v0.4.2 (2015-01-31)
+* Fix unlock and lock under Git 2.2.2 and higher.
+* Drop support for versions of Git older than 1.7.2.
+* Minor improvements to some help/error messages.
+
 ######v0.4.1 (2015-01-08)
 * Important usability fix to ensure that the .git-crypt directory
   can't be encrypted by accident (see

README

@@ -30,10 +30,14 @@ Specify files to encrypt by creating a .gitattributes file:
 
 	secretfile filter=git-crypt diff=git-crypt
 	*.key filter=git-crypt diff=git-crypt
+	secretdir/** filter=git-crypt diff=git-crypt
 
 Like a .gitignore file, it can match wildcards and should be checked into
 the repository.  See below for more information about .gitattributes.
-Make sure you don't accidentally encrypt the .gitattributes file itself!
+Make sure you don't accidentally encrypt the .gitattributes file itself
+(or other git files like .gitignore or .gitmodules).  Make sure your
+.gitattributes rules are in place *before* you add sensitive files, or
+those files won't be encrypted!
 
 Share the repository with others (or with yourself) using GPG:
 
@@ -51,7 +55,7 @@ are added to your repository):
 
 	$ git-crypt export-key /path/to/key
 
-After cloning a repository with encrypted files, unlock with with GPG:
+After cloning a repository with encrypted files, unlock with GPG:
 
 	$ git-crypt unlock
 
@@ -66,7 +70,7 @@ encryption and decryption happen transparently.
 
 CURRENT STATUS
 
-The latest version of git-crypt is 0.4.1, released on 2015-01-08.
+The latest version of git-crypt is 0.8.0, released on 2025-09-23.
 git-crypt aims to be bug-free and reliable, meaning it shouldn't
 crash, malfunction, or expose your confidential data.  However,
 it has not yet reached maturity, meaning it is not as documented,
@@ -76,15 +80,15 @@ backwards-incompatible changes introduced before version 1.0.
 
 SECURITY
 
-git-crypt is more secure that other transparent git encryption systems.
+git-crypt is more secure than other transparent git encryption systems.
 git-crypt encrypts files using AES-256 in CTR mode with a synthetic IV
-derived from the SHA-1 HMAC of the file.  This is provably semantically
+derived from the SHA-1 HMAC of the file.  This mode of operation is
-secure under deterministic chosen-plaintext attack.  That means that
+provably semantically secure under deterministic chosen-plaintext attack.
-although the encryption is deterministic (which is required so git can
+That means that although the encryption is deterministic (which is
-distinguish when a file has and hasn't changed), it leaks no information
+required so git can distinguish when a file has and hasn't changed),
-beyond whether two files are identical or not.  Other proposals for
+it leaks no information beyond whether two files are identical or not.
-transparent git encryption use ECB or CBC with a fixed IV.  These systems
+Other proposals for transparent git encryption use ECB or CBC with a
-are not semantically secure and leak information.
+fixed IV.  These systems are not semantically secure and leak information.
 
 
 LIMITATIONS
@@ -95,10 +99,25 @@ all of the files in a repository. Where git-crypt really shines is where
 most of your repository is public, but you have a few files (perhaps
 private keys named *.key, or a file with API credentials) which you
 need to encrypt.  For encrypting an entire repository, consider using a
-system like git-remote-gcrypt <https://github.com/joeyh/git-remote-gcrypt>
+system like git-remote-gcrypt <https://spwhitton.name/tech/code/git-remote-gcrypt/>
 instead.  (Note: no endorsement is made of git-remote-gcrypt's security.)
 
-git-crypt does not encrypt file names, commit messages, or other metadata.
+git-crypt does not encrypt file names, commit messages, symlink targets,
+gitlinks, or other metadata.
+
+git-crypt does not hide when a file does or doesn't change, the length
+of a file, or the fact that two files are identical (see "Security"
+section above).
+
+git-crypt does not support revoking access to an encrypted repository
+which was previously granted. This applies to both multi-user GPG
+mode (there's no del-gpg-user command to complement add-gpg-user)
+and also symmetric key mode (there's no support for rotating the key).
+This is because it is an inherently complex problem in the context
+of historical data. For example, even if a key was rotated at one
+point in history, a user having the previous key can still access
+previous repository history. This problem is discussed in more detail in
+<https://github.com/AGWA/git-crypt/issues/47>.
 
 Files encrypted with git-crypt are not compressible.  Even the smallest
 change to an encrypted file requires git to store the entire changed file,
@@ -116,9 +135,9 @@ the patch itself is encrypted.  To generate an encrypted patch, use `git
 diff --no-textconv --binary`.  Alternatively, you can apply a plaintext
 patch outside of git using the patch command.
 
-git-crypt does not work reliably with Atlassian SourceTree.
+git-crypt does not work reliably with some third-party git GUIs, such
-Files might be left in an unencrypted state.  See
+as Atlassian SourceTree <https://jira.atlassian.com/browse/SRCTREE-2511>
-<https://jira.atlassian.com/browse/SRCTREE-2511>.
+and GitHub for Mac.  Files might be left in an unencrypted state.
 
 
 GITATTRIBUTES FILE
@@ -130,20 +149,12 @@ specifying merely a directory (e.g. `/dir/`) is NOT sufficient to
 encrypt all files beneath it.
 
 Also note that the pattern `dir/*` does not match files under
-sub-directories of dir/.  To encrypt an entire sub-tree dir/, place the
+sub-directories of dir/.  To encrypt an entire sub-tree dir/, use `dir/**`:
-following in dir/.gitattributes:
+
+	dir/** filter=git-crypt diff=git-crypt
+
+The .gitattributes file must not be encrypted, so make sure wildcards don't
+match it accidentally.  If necessary, you can exclude .gitattributes from
+encryption like this:
 
-	* filter=git-crypt diff=git-crypt
 	.gitattributes !filter !diff
-
-The second pattern is essential for ensuring that .gitattributes itself
-is not encrypted.
-
-
-MAILING LISTS
-
-To stay abreast of, and provide input to, git-crypt development, consider
-subscribing to one or both of our mailing lists:
-
-Announcements: https://lists.cloudmutt.com/mailman/listinfo/git-crypt-announce
-Discussion:    https://lists.cloudmutt.com/mailman/listinfo/git-crypt-discuss

README.md

@@ -31,10 +31,14 @@ Specify files to encrypt by creating a .gitattributes file:
 
     secretfile filter=git-crypt diff=git-crypt
     *.key filter=git-crypt diff=git-crypt
+    secretdir/** filter=git-crypt diff=git-crypt
 
 Like a .gitignore file, it can match wildcards and should be checked into
 the repository.  See below for more information about .gitattributes.
-Make sure you don't accidentally encrypt the .gitattributes file itself!
+Make sure you don't accidentally encrypt the .gitattributes file itself
+(or other git files like .gitignore or .gitmodules).  Make sure your
+.gitattributes rules are in place *before* you add sensitive files, or
+those files won't be encrypted!
 
 Share the repository with others (or with yourself) using GPG:
 
@@ -52,7 +56,7 @@ are added to your repository):
 
     git-crypt export-key /path/to/key
 
-After cloning a repository with encrypted files, unlock with with GPG:
+After cloning a repository with encrypted files, unlock with GPG:
 
     git-crypt unlock
 
@@ -67,8 +71,8 @@ encryption and decryption happen transparently.
 Current Status
 --------------
 
-The latest version of git-crypt is [0.4.1](RELEASE_NOTES-0.4.1.md), released on
+The latest version of git-crypt is [0.8.0](NEWS.md), released on
-2015-01-08.  git-crypt aims to be bug-free and reliable, meaning it
+2025-09-23.  git-crypt aims to be bug-free and reliable, meaning it
 shouldn't crash, malfunction, or expose your confidential data.
 However, it has not yet reached maturity, meaning it is not as
 documented, featureful, or easy-to-use as it should be.  Additionally,
@@ -78,15 +82,15 @@ there may be backwards-incompatible changes introduced before version
 Security
 --------
 
-git-crypt is more secure that other transparent git encryption systems.
+git-crypt is more secure than other transparent git encryption systems.
 git-crypt encrypts files using AES-256 in CTR mode with a synthetic IV
-derived from the SHA-1 HMAC of the file.  This is provably semantically
+derived from the SHA-1 HMAC of the file.  This mode of operation is
-secure under deterministic chosen-plaintext attack.  That means that
+provably semantically secure under deterministic chosen-plaintext attack.
-although the encryption is deterministic (which is required so git can
+That means that although the encryption is deterministic (which is
-distinguish when a file has and hasn't changed), it leaks no information
+required so git can distinguish when a file has and hasn't changed),
-beyond whether two files are identical or not.  Other proposals for
+it leaks no information beyond whether two files are identical or not.
-transparent git encryption use ECB or CBC with a fixed IV.  These
+Other proposals for transparent git encryption use ECB or CBC with a
-systems are not semantically secure and leak information.
+fixed IV.  These systems are not semantically secure and leak information.
 
 Limitations
 -----------
@@ -97,10 +101,25 @@ all of the files in a repository. Where git-crypt really shines is where
 most of your repository is public, but you have a few files (perhaps
 private keys named *.key, or a file with API credentials) which you
 need to encrypt.  For encrypting an entire repository, consider using a
-system like [git-remote-gcrypt](https://github.com/joeyh/git-remote-gcrypt)
+system like [git-remote-gcrypt](https://spwhitton.name/tech/code/git-remote-gcrypt/)
 instead.  (Note: no endorsement is made of git-remote-gcrypt's security.)
 
-git-crypt does not encrypt file names, commit messages, or other metadata.
+git-crypt does not encrypt file names, commit messages, symlink targets,
+gitlinks, or other metadata.
+
+git-crypt does not hide when a file does or doesn't change, the length
+of a file, or the fact that two files are identical (see "Security"
+section above).
+
+git-crypt does not support revoking access to an encrypted repository
+which was previously granted. This applies to both multi-user GPG
+mode (there's no del-gpg-user command to complement add-gpg-user)
+and also symmetric key mode (there's no support for rotating the key).
+This is because it is an inherently complex problem in the context
+of historical data. For example, even if a key was rotated at one
+point in history, a user having the previous key can still access
+previous repository history. This problem is discussed in more detail in
+<https://github.com/AGWA/git-crypt/issues/47>.
 
 Files encrypted with git-crypt are not compressible.  Even the smallest
 change to an encrypted file requires git to store the entire changed file,
@@ -118,9 +137,9 @@ the patch itself is encrypted.  To generate an encrypted patch, use `git
 diff --no-textconv --binary`.  Alternatively, you can apply a plaintext
 patch outside of git using the patch command.
 
-git-crypt does [not work reliably with Atlassian
+git-crypt does not work reliably with some third-party git GUIs, such
-SourceTree](https://jira.atlassian.com/browse/SRCTREE-2511).  Files might
+as [Atlassian SourceTree](https://jira.atlassian.com/browse/SRCTREE-2511)
-be left in an unencrypted state.
+and GitHub for Mac.  Files might be left in an unencrypted state.
 
 Gitattributes File
 ------------------
@@ -132,20 +151,12 @@ specifying merely a directory (e.g. `/dir/`) is *not* sufficient to
 encrypt all files beneath it.
 
 Also note that the pattern `dir/*` does not match files under
-sub-directories of dir/.  To encrypt an entire sub-tree dir/, place the
+sub-directories of dir/.  To encrypt an entire sub-tree dir/, use `dir/**`:
-following in dir/.gitattributes:
+
+    dir/** filter=git-crypt diff=git-crypt
+
+The .gitattributes file must not be encrypted, so make sure wildcards don't
+match it accidentally.  If necessary, you can exclude .gitattributes from
+encryption like this:
 
-    * filter=git-crypt diff=git-crypt
     .gitattributes !filter !diff
-
-The second pattern is essential for ensuring that .gitattributes itself
-is not encrypted.
-
-Mailing Lists
--------------
-
-To stay abreast of, and provide input to, git-crypt development,
-consider subscribing to one or both of our mailing lists:
-
-* [Announcements](https://lists.cloudmutt.com/mailman/listinfo/git-crypt-announce)
-* [Discussion](https://lists.cloudmutt.com/mailman/listinfo/git-crypt-discuss)

THANKS.md

@@ -12,6 +12,10 @@ For their contributions to git-crypt, I thank:
    * Linus G Thiel
    * Michael Schout
    * Simon Kotlinski
+   * Kevin Menard
+   * Wael M. Nasreddine
+   * Kevin Borgolte
+   * Adrian Cohea
 
  * And everyone who has tested git-crypt, provided feedback, reported
    bugs, and participated in discussions about new features.

commands.cpp

@@ -34,6 +34,7 @@
 #include "key.hpp"
 #include "gpg.hpp"
 #include "parse_options.hpp"
+#include "coprocess.hpp"
 #include <unistd.h>
 #include <stdint.h>
 #include <algorithm>
@@ -47,8 +48,69 @@
 #include <stdio.h>
 #include <string.h>
 #include <errno.h>
+#include <exception>
 #include <vector>
 
+enum {
+	// # of arguments per git checkout call; must be large enough to be efficient but small
+	// enough to avoid operating system limits on argument length
+	GIT_CHECKOUT_BATCH_SIZE = 100
+};
+
+static std::string attribute_name (const char* key_name)
+{
+	if (key_name) {
+		// named key
+		return std::string("git-crypt-") + key_name;
+	} else {
+		// default key
+		return "git-crypt";
+	}
+}
+
+static std::string git_version_string ()
+{
+	std::vector<std::string>	command;
+	command.push_back("git");
+	command.push_back("version");
+
+	std::stringstream		output;
+	if (!successful_exit(exec_command(command, output))) {
+		throw Error("'git version' failed - is Git installed?");
+	}
+	std::string			word;
+	output >> word; // "git"
+	output >> word; // "version"
+	output >> word; // "1.7.10.4"
+	return word;
+}
+
+static std::vector<int> parse_version (const std::string& str)
+{
+	std::istringstream	in(str);
+	std::vector<int>	version;
+	std::string		component;
+	while (std::getline(in, component, '.')) {
+		version.push_back(std::atoi(component.c_str()));
+	}
+	return version;
+}
+
+static const std::vector<int>& git_version ()
+{
+	static const std::vector<int> version(parse_version(git_version_string()));
+	return version;
+}
+
+static std::vector<int> make_version (int a, int b, int c)
+{
+	std::vector<int>	version;
+	version.push_back(a);
+	version.push_back(b);
+	version.push_back(c);
+	return version;
+}
+
 static void git_config (const std::string& name, const std::string& value)
 {
 	std::vector<std::string>	command;
@@ -62,7 +124,23 @@ static void git_config (const std::string& name, const std::string& value)
 	}
 }
 
-static void git_unconfig (const std::string& name)
+static bool git_has_config (const std::string& name)
+{
+	std::vector<std::string>	command;
+	command.push_back("git");
+	command.push_back("config");
+	command.push_back("--get-all");
+	command.push_back(name);
+
+	std::stringstream		output;
+	switch (exit_status(exec_command(command, output))) {
+		case 0:  return true;
+		case 1:  return false;
+		default: throw Error("'git config' failed");
+	}
+}
+
+static void git_deconfig (const std::string& name)
 {
 	std::vector<std::string>	command;
 	command.push_back("git");
@@ -96,34 +174,35 @@ static void configure_git_filters (const char* key_name)
 	}
 }
 
-static void unconfigure_git_filters (const char* key_name)
+static void deconfigure_git_filters (const char* key_name)
 {
-	// unconfigure the git-crypt filters
+	// deconfigure the git-crypt filters
-	if (key_name) {
+	if (git_has_config("filter." + attribute_name(key_name) + ".smudge") ||
-		// named key
+			git_has_config("filter." + attribute_name(key_name) + ".clean") ||
-		git_unconfig(std::string("filter.git-crypt-") + key_name);
+			git_has_config("filter." + attribute_name(key_name) + ".required")) {
-		git_unconfig(std::string("diff.git-crypt-") + key_name);
+
-	} else {
+		git_deconfig("filter." + attribute_name(key_name));
-		// default key
+	}
-		git_unconfig("filter.git-crypt");
+
-		git_unconfig("diff.git-crypt");
+	if (git_has_config("diff." + attribute_name(key_name) + ".textconv")) {
+		git_deconfig("diff." + attribute_name(key_name));
 	}
 }
 
-static bool git_checkout_head (const std::string& top_dir)
+static bool git_checkout_batch (std::vector<std::string>::const_iterator paths_begin, std::vector<std::string>::const_iterator paths_end)
 {
+	if (paths_begin == paths_end) {
+		return true;
+	}
+
 	std::vector<std::string>	command;
 
 	command.push_back("git");
 	command.push_back("checkout");
-	command.push_back("-f");
-	command.push_back("HEAD");
 	command.push_back("--");
 
-	if (top_dir.empty()) {
+	for (auto path(paths_begin); path != paths_end; ++path) {
-		command.push_back(".");
+		command.push_back(*path);
-	} else {
-		command.push_back(top_dir);
 	}
 
 	if (!successful_exit(exec_command(command))) {
@@ -133,6 +212,18 @@ static bool git_checkout_head (const std::string& top_dir)
 	return true;
 }
 
+static bool git_checkout (const std::vector<std::string>& paths)
+{
+	auto paths_begin(paths.begin());
+	while (paths.end() - paths_begin >= GIT_CHECKOUT_BATCH_SIZE) {
+		if (!git_checkout_batch(paths_begin, paths_begin + GIT_CHECKOUT_BATCH_SIZE)) {
+			return false;
+		}
+		paths_begin += GIT_CHECKOUT_BATCH_SIZE;
+	}
+	return git_checkout_batch(paths_begin, paths.end());
+}
+
 static bool same_key_name (const char* a, const char* b)
 {
 	return (!a && !b) || (a && b && std::strcmp(a, b) == 0);
@@ -186,6 +277,27 @@ static std::string get_internal_key_path (const char* key_name)
 	return path;
 }
 
+std::string get_git_config (const std::string& name)
+{
+	// git config --get
+	std::vector<std::string>	command;
+	command.push_back("git");
+	command.push_back("config");
+	command.push_back("--get");
+	command.push_back(name);
+
+	std::stringstream	output;
+
+	if (!successful_exit(exec_command(command, output))) {
+		throw Error("'git config' missing value for key '" + name +"'");
+	}
+
+	std::string		value;
+	std::getline(output, value);
+
+	return value;
+}
+
 static std::string get_repo_state_path ()
 {
 	// git rev-parse --show-toplevel
@@ -208,7 +320,18 @@ static std::string get_repo_state_path ()
 		throw Error("Could not determine Git working tree - is this a non-bare repo?");
 	}
 
-	path += "/.git-crypt";
+	// Check if the repo state dir has been explicitly configured. If so, use that in path construction.
+	if (git_has_config("git-crypt.repoStateDir")) {
+		std::string		repoStateDir = get_git_config("git-crypt.repoStateDir");
+
+		// The repoStateDir value must always be relative to git work tree to ensure the repoStateDir can be committed
+		// along with the remainder of the repository.
+		path += '/' + repoStateDir;
+	} else {
+		// There is no explicitly configured repo state dir configured, so use the default.
+		path += "/.git-crypt";
+	}
+
 	return path;
 }
 
@@ -256,23 +379,10 @@ static void get_git_status (std::ostream& output)
 	}
 }
 
-static bool check_if_head_exists ()
-{
-	// git rev-parse HEAD
-	std::vector<std::string>	command;
-	command.push_back("git");
-	command.push_back("rev-parse");
-	command.push_back("HEAD");
-
-	std::stringstream		output;
-	return successful_exit(exec_command(command, output));
-}
-
 // returns filter and diff attributes as a pair
 static std::pair<std::string, std::string> get_file_attributes (const std::string& filename)
 {
 	// git check-attr filter diff -- filename
-	// TODO: pass -z to get machine-parseable output (this requires Git 1.8.5 or higher, which was released on 27 Nov 2013)
 	std::vector<std::string>	command;
 	command.push_back("git");
 	command.push_back("check-attr");
@@ -321,6 +431,36 @@ static std::pair<std::string, std::string> get_file_attributes (const std::strin
 	return std::make_pair(filter_attr, diff_attr);
 }
 
+// returns filter and diff attributes as a pair
+static std::pair<std::string, std::string> get_file_attributes (const std::string& filename, std::ostream& check_attr_stdin, std::istream& check_attr_stdout)
+{
+	check_attr_stdin << filename << '\0' << std::flush;
+
+	std::string			filter_attr;
+	std::string			diff_attr;
+
+	// Example output:
+	// filename\0filter\0git-crypt\0filename\0diff\0git-crypt\0
+	for (int i = 0; i < 2; ++i) {
+		std::string		filename;
+		std::string		attr_name;
+		std::string		attr_value;
+		std::getline(check_attr_stdout, filename, '\0');
+		std::getline(check_attr_stdout, attr_name, '\0');
+		std::getline(check_attr_stdout, attr_value, '\0');
+
+		if (attr_value != "unspecified" && attr_value != "unset" && attr_value != "set") {
+			if (attr_name == "filter") {
+				filter_attr = attr_value;
+			} else if (attr_name == "diff") {
+				diff_attr = attr_value;
+			}
+		}
+	}
+
+	return std::make_pair(filter_attr, diff_attr);
+}
+
 static bool check_if_blob_is_encrypted (const std::string& object_id)
 {
 	// git cat-file blob object_id
@@ -368,6 +508,84 @@ static bool check_if_file_is_encrypted (const std::string& filename)
 	return check_if_blob_is_encrypted(object_id);
 }
 
+static bool is_git_file_mode (const std::string& mode)
+{
+	return (std::strtoul(mode.c_str(), nullptr, 8) & 0170000) == 0100000;
+}
+
+static void get_encrypted_files (std::vector<std::string>& files, const char* key_name)
+{
+	// git ls-files -cz -- path_to_top
+	std::vector<std::string>	ls_files_command;
+	ls_files_command.push_back("git");
+	ls_files_command.push_back("ls-files");
+	ls_files_command.push_back("-csz");
+	ls_files_command.push_back("--");
+	const std::string		path_to_top(get_path_to_top());
+	if (!path_to_top.empty()) {
+		ls_files_command.push_back(path_to_top);
+	}
+
+	Coprocess			ls_files;
+	std::istream*			ls_files_stdout = ls_files.stdout_pipe();
+	ls_files.spawn(ls_files_command);
+
+	Coprocess			check_attr;
+	std::ostream*			check_attr_stdin = nullptr;
+	std::istream*			check_attr_stdout = nullptr;
+	if (git_version() >= make_version(1, 8, 5)) {
+		// In Git 1.8.5 (released 27 Nov 2013) and higher, we use a single `git check-attr` process
+		// to get the attributes of all files at once.  In prior versions, we have to fork and exec
+		// a separate `git check-attr` process for each file, since -z and --stdin aren't supported.
+		// In a repository with thousands of files, this results in an almost 100x speedup.
+		std::vector<std::string>	check_attr_command;
+		check_attr_command.push_back("git");
+		check_attr_command.push_back("check-attr");
+		check_attr_command.push_back("--stdin");
+		check_attr_command.push_back("-z");
+		check_attr_command.push_back("filter");
+		check_attr_command.push_back("diff");
+
+		check_attr_stdin = check_attr.stdin_pipe();
+		check_attr_stdout = check_attr.stdout_pipe();
+		check_attr.spawn(check_attr_command);
+	}
+
+	while (ls_files_stdout->peek() != -1) {
+		std::string		mode;
+		std::string		object_id;
+		std::string		stage;
+		std::string		filename;
+		*ls_files_stdout >> mode >> object_id >> stage >> std::ws;
+		std::getline(*ls_files_stdout, filename, '\0');
+
+		if (is_git_file_mode(mode)) {
+			std::string	filter_attribute;
+
+			if (check_attr_stdin) {
+				filter_attribute = get_file_attributes(filename, *check_attr_stdin, *check_attr_stdout).first;
+			} else {
+				filter_attribute = get_file_attributes(filename).first;
+			}
+
+			if (filter_attribute == attribute_name(key_name)) {
+				files.push_back(filename);
+			}
+		}
+	}
+
+	if (!successful_exit(ls_files.wait())) {
+		throw Error("'git ls-files' failed - is this a Git repository?");
+	}
+
+	if (check_attr_stdin) {
+		check_attr.close_stdin();
+		if (!successful_exit(check_attr.wait())) {
+			throw Error("'git check-attr' failed - is this a Git repository?");
+		}
+	}
+}
+
 static void load_key (Key_file& key_file, const char* key_name, const char* key_path =0, const char* legacy_path =0)
 {
 	if (legacy_path) {
@@ -394,13 +612,20 @@ static void load_key (Key_file& key_file, const char* key_name, const char* key_
 
 static bool decrypt_repo_key (Key_file& key_file, const char* key_name, uint32_t key_version, const std::vector<std::string>& secret_keys, const std::string& keys_path)
 {
+	std::exception_ptr gpg_error;
+
 	for (std::vector<std::string>::const_iterator seckey(secret_keys.begin()); seckey != secret_keys.end(); ++seckey) {
 		std::ostringstream		path_builder;
 		path_builder << keys_path << '/' << (key_name ? key_name : "default") << '/' << key_version << '/' << *seckey << ".gpg";
 		std::string			path(path_builder.str());
 		if (access(path.c_str(), F_OK) == 0) {
 			std::stringstream	decrypted_contents;
-			gpg_decrypt_from_file(path, decrypted_contents);
+			try {
+				gpg_decrypt_from_file(path, decrypted_contents);
+			} catch (const Gpg_error&) {
+				gpg_error = std::current_exception();
+				continue;
+			}
 			Key_file		this_version_key_file;
 			this_version_key_file.load(decrypted_contents);
 			const Key_file::Entry*	this_version_entry = this_version_key_file.get(key_version);
@@ -415,6 +640,11 @@ static bool decrypt_repo_key (Key_file& key_file, const char* key_name, uint32_t
 			return true;
 		}
 	}
+
+	if (gpg_error) {
+		std::rethrow_exception(gpg_error);
+	}
+
 	return false;
 }
 
@@ -445,7 +675,7 @@ static bool decrypt_repo_keys (std::vector<Key_file>& key_files, uint32_t key_ve
 	return successful;
 }
 
-static void encrypt_repo_key (const char* key_name, const Key_file::Entry& key, const std::vector<std::string>& collab_keys, const std::string& keys_path, std::vector<std::string>* new_files)
+static void encrypt_repo_key (const char* key_name, const Key_file::Entry& key, const std::vector<std::pair<std::string, bool> >& collab_keys, const std::string& keys_path, std::vector<std::string>* new_files)
 {
 	std::string	key_file_data;
 	{
@@ -455,9 +685,11 @@ static void encrypt_repo_key (const char* key_name, const Key_file::Entry& key,
 		key_file_data = this_version_key_file.store_to_string();
 	}
 
-	for (std::vector<std::string>::const_iterator collab(collab_keys.begin()); collab != collab_keys.end(); ++collab) {
+	for (std::vector<std::pair<std::string, bool> >::const_iterator collab(collab_keys.begin()); collab != collab_keys.end(); ++collab) {
+		const std::string&	fingerprint(collab->first);
+		const bool		key_is_trusted(collab->second);
 		std::ostringstream	path_builder;
-		path_builder << keys_path << '/' << (key_name ? key_name : "default") << '/' << key.version << '/' << *collab << ".gpg";
+		path_builder << keys_path << '/' << (key_name ? key_name : "default") << '/' << key.version << '/' << fingerprint << ".gpg";
 		std::string		path(path_builder.str());
 
 		if (access(path.c_str(), F_OK) == 0) {
@@ -465,7 +697,7 @@ static void encrypt_repo_key (const char* key_name, const Key_file::Entry& key,
 		}
 
 		mkdir_parent(path);
-		gpg_encrypt_to_file(path, *collab, key_file_data.data(), key_file_data.size());
+		gpg_encrypt_to_file(path, fingerprint, key_is_trusted, key_file_data.data(), key_file_data.size());
 		new_files->push_back(path);
 	}
 }
@@ -781,34 +1013,22 @@ void help_unlock (std::ostream& out)
 }
 int unlock (int argc, const char** argv)
 {
-	// 0. Make sure working directory is clean (ignoring untracked files)
+	// 1. Make sure working directory is clean (ignoring untracked files)
-	// We do this because we run 'git checkout -f HEAD' later and we don't
+	// We do this because we check out files later, and we don't want the
-	// want the user to lose any changes.  'git checkout -f HEAD' doesn't touch
+	// user to lose any changes.  (TODO: only care if encrypted files are
-	// untracked files so it's safe to ignore those.
+	// modified, since we only check out encrypted files)
 
 	// Running 'git status' also serves as a check that the Git repo is accessible.
 
 	std::stringstream	status_output;
 	get_git_status(status_output);
-
+	if (status_output.peek() != -1) {
-	// 1. Check to see if HEAD exists.  See below why we do this.
-	bool			head_exists = check_if_head_exists();
-
-	if (status_output.peek() != -1 && head_exists) {
-		// We only care that the working directory is dirty if HEAD exists.
-		// If HEAD doesn't exist, we won't be resetting to it (see below) so
-		// it doesn't matter that the working directory is dirty.
 		std::clog << "Error: Working directory not clean." << std::endl;
-		std::clog << "Please commit your changes or 'git stash' them before running 'git-crypt' unlock." << std::endl;
+		std::clog << "Please commit your changes or 'git stash' them before running 'git-crypt unlock'." << std::endl;
 		return 1;
 	}
 
-	// 2. Determine the path to the top of the repository.  We pass this as the argument
+	// 2. Load the key(s)
-	// to 'git checkout' below. (Determine the path now so in case it fails we haven't already
-	// mucked with the git config.)
-	std::string		path_to_top(get_path_to_top());
-
-	// 3. Load the key(s)
 	std::vector<Key_file>	key_files;
 	if (argc > 0) {
 		// Read from the symmetric key file(s)
@@ -850,13 +1070,14 @@ int unlock (int argc, const char** argv)
 		if (!decrypt_repo_keys(key_files, 0, gpg_secret_keys, repo_keys_path)) {
 			std::clog << "Error: no GPG secret key available to unlock this repository." << std::endl;
 			std::clog << "To unlock with a shared symmetric key instead, specify the path to the symmetric key as an argument to 'git-crypt unlock'." << std::endl;
-			std::clog << "To see a list of GPG keys authorized to unlock this repository, run 'git-crypt ls-collabs'." << std::endl;
+			// TODO std::clog << "To see a list of GPG keys authorized to unlock this repository, run 'git-crypt ls-gpg-users'." << std::endl;
 			return 1;
 		}
 	}
 
 
-	// 4. Install the key(s) and configure the git filters
+	// 3. Install the key(s) and configure the git filters
+	std::vector<std::string>	encrypted_files;
 	for (std::vector<Key_file>::iterator key_file(key_files.begin()); key_file != key_files.end(); ++key_file) {
 		std::string		internal_key_path(get_internal_key_path(key_file->get_key_name()));
 		// TODO: croak if internal_key_path already exists???
@@ -867,18 +1088,18 @@ int unlock (int argc, const char** argv)
 		}
 
 		configure_git_filters(key_file->get_key_name());
+		get_encrypted_files(encrypted_files, key_file->get_key_name());
 	}
 
-	// 5. Do a force checkout so any files that were previously checked out encrypted
+	// 4. Check out the files that are currently encrypted.
-	//    will now be checked out decrypted.
+	// Git won't check out a file if its mtime hasn't changed, so touch every file first.
-	// If HEAD doesn't exist (perhaps because this repo doesn't have any files yet)
+	for (std::vector<std::string>::const_iterator file(encrypted_files.begin()); file != encrypted_files.end(); ++file) {
-	// just skip the checkout.
+		touch_file(*file);
-	if (head_exists) {
+	}
-		if (!git_checkout_head(path_to_top)) {
+	if (!git_checkout(encrypted_files)) {
-			std::clog << "Error: 'git checkout' failed" << std::endl;
+		std::clog << "Error: 'git checkout' failed" << std::endl;
-			std::clog << "git-crypt has been set up but existing encrypted files have not been decrypted" << std::endl;
+		std::clog << "git-crypt has been set up but existing encrypted files have not been decrypted" << std::endl;
-			return 1;
+		return 1;
-		}
 	}
 
 	return 0;
@@ -889,19 +1110,23 @@ void help_lock (std::ostream& out)
 	//     |--------------------------------------------------------------------------------| 80 chars
 	out << "Usage: git-crypt lock [OPTIONS]" << std::endl;
 	out << std::endl;
-	out << "    -a, --all                   Lock all keys, instead of just the default" << std::endl;
+	out << "    -a, --all                Lock all keys, instead of just the default" << std::endl;
-	out << "    -k, --key-name KEYNAME      Lock the given key, instead of the default" << std::endl;
+	out << "    -k, --key-name KEYNAME   Lock the given key, instead of the default" << std::endl;
+	out << "    -f, --force              Lock even if unclean (you may lose uncommited work)" << std::endl;
 	out << std::endl;
 }
 int lock (int argc, const char** argv)
 {
 	const char*	key_name = 0;
-	bool all_keys = false;
+	bool		all_keys = false;
+	bool		force = false;
 	Options_list	options;
 	options.push_back(Option_def("-k", &key_name));
 	options.push_back(Option_def("--key-name", &key_name));
 	options.push_back(Option_def("-a", &all_keys));
 	options.push_back(Option_def("--all", &all_keys));
+	options.push_back(Option_def("-f", &force));
+	options.push_back(Option_def("--force", &force));
 
 	int			argi = parse_options(options, argc, argv);
 
@@ -916,48 +1141,39 @@ int lock (int argc, const char** argv)
 		return 2;
 	}
 
-	// 0. Make sure working directory is clean (ignoring untracked files)
+	// 1. Make sure working directory is clean (ignoring untracked files)
-	// We do this because we run 'git checkout -f HEAD' later and we don't
+	// We do this because we check out files later, and we don't want the
-	// want the user to lose any changes.  'git checkout -f HEAD' doesn't touch
+	// user to lose any changes.  (TODO: only care if encrypted files are
-	// untracked files so it's safe to ignore those.
+	// modified, since we only check out encrypted files)
 
 	// Running 'git status' also serves as a check that the Git repo is accessible.
 
 	std::stringstream	status_output;
 	get_git_status(status_output);
-
+	if (!force && status_output.peek() != -1) {
-	// 1. Check to see if HEAD exists.  See below why we do this.
-	bool			head_exists = check_if_head_exists();
-
-	if (status_output.peek() != -1 && head_exists) {
-		// We only care that the working directory is dirty if HEAD exists.
-		// If HEAD doesn't exist, we won't be resetting to it (see below) so
-		// it doesn't matter that the working directory is dirty.
 		std::clog << "Error: Working directory not clean." << std::endl;
-		std::clog << "Please commit your changes or 'git stash' them before running 'git-crypt' lock." << std::endl;
+		std::clog << "Please commit your changes or 'git stash' them before running 'git-crypt lock'." << std::endl;
+		std::clog << "Or, use 'git-crypt lock --force' and possibly lose uncommitted changes." << std::endl;
 		return 1;
 	}
 
-	// 2. Determine the path to the top of the repository.  We pass this as the argument
+	// 2. deconfigure the git filters and remove decrypted keys
-	// to 'git checkout' below. (Determine the path now so in case it fails we haven't already
+	std::vector<std::string>	encrypted_files;
-	// mucked with the git config.)
-	std::string		path_to_top(get_path_to_top());
-
-	// 3. unconfigure the git filters and remove decrypted keys
 	if (all_keys) {
-		// unconfigure for all keys
+		// deconfigure for all keys
 		std::vector<std::string> dirents = get_directory_contents(get_internal_keys_path().c_str());
 
 		for (std::vector<std::string>::const_iterator dirent(dirents.begin()); dirent != dirents.end(); ++dirent) {
 			const char* this_key_name = (*dirent == "default" ? 0 : dirent->c_str());
 			remove_file(get_internal_key_path(this_key_name));
-			unconfigure_git_filters(this_key_name);
+			deconfigure_git_filters(this_key_name);
+			get_encrypted_files(encrypted_files, this_key_name);
 		}
 	} else {
 		// just handle the given key
 		std::string	internal_key_path(get_internal_key_path(key_name));
 		if (access(internal_key_path.c_str(), F_OK) == -1 && errno == ENOENT) {
-			std::clog << "Error: this repository is not currently locked";
+			std::clog << "Error: this repository is already locked";
 			if (key_name) {
 				std::clog << " with key '" << key_name << "'";
 			}
@@ -966,19 +1182,19 @@ int lock (int argc, const char** argv)
 		}
 
 		remove_file(internal_key_path);
-		unconfigure_git_filters(key_name);
+		deconfigure_git_filters(key_name);
+		get_encrypted_files(encrypted_files, key_name);
 	}
 
-	// 4. Do a force checkout so any files that were previously checked out decrypted
+	// 3. Check out the files that are currently decrypted but should be encrypted.
-	//    will now be checked out encrypted.
+	// Git won't check out a file if its mtime hasn't changed, so touch every file first.
-	// If HEAD doesn't exist (perhaps because this repo doesn't have any files yet)
+	for (std::vector<std::string>::const_iterator file(encrypted_files.begin()); file != encrypted_files.end(); ++file) {
-	// just skip the checkout.
+		touch_file(*file);
-	if (head_exists) {
+	}
-		if (!git_checkout_head(path_to_top)) {
+	if (!git_checkout(encrypted_files)) {
-			std::clog << "Error: 'git checkout' failed" << std::endl;
+		std::clog << "Error: 'git checkout' failed" << std::endl;
-			std::clog << "git-crypt has been locked but up but existing decrypted files have not been encrypted" << std::endl;
+		std::clog << "git-crypt has been locked up but existing decrypted files have not been encrypted" << std::endl;
-			return 1;
+		return 1;
-		}
 	}
 
 	return 0;
@@ -991,17 +1207,20 @@ void help_add_gpg_user (std::ostream& out)
 	out << std::endl;
 	out << "    -k, --key-name KEYNAME      Add GPG user to given key, instead of default" << std::endl;
 	out << "    -n, --no-commit             Don't automatically commit" << std::endl;
+	out << "    --trusted                   Assume the GPG user IDs are trusted" << std::endl;
 	out << std::endl;
 }
 int add_gpg_user (int argc, const char** argv)
 {
 	const char*		key_name = 0;
 	bool			no_commit = false;
+	bool			trusted = false;
 	Options_list		options;
 	options.push_back(Option_def("-k", &key_name));
 	options.push_back(Option_def("--key-name", &key_name));
 	options.push_back(Option_def("-n", &no_commit));
 	options.push_back(Option_def("--no-commit", &no_commit));
+	options.push_back(Option_def("--trusted", &trusted));
 
 	int			argi = parse_options(options, argc, argv);
 	if (argc - argi == 0) {
@@ -1010,8 +1229,8 @@ int add_gpg_user (int argc, const char** argv)
 		return 2;
 	}
 
-	// build a list of key fingerprints for every collaborator specified on the command line
+	// build a list of key fingerprints, and whether the key is trusted, for every collaborator specified on the command line
-	std::vector<std::string>	collab_keys;
+	std::vector<std::pair<std::string, bool> >	collab_keys;
 
 	for (int i = argi; i < argc; ++i) {
 		std::vector<std::string> keys(gpg_lookup_key(argv[i]));
@@ -1023,7 +1242,9 @@ int add_gpg_user (int argc, const char** argv)
 			std::clog << "Error: more than one public key matches '" << argv[i] << "' - please be more specific" << std::endl;
 			return 1;
 		}
-		collab_keys.push_back(keys[0]);
+
+		const bool is_full_fingerprint(std::strncmp(argv[i], "0x", 2) == 0 && std::strlen(argv[i]) == 42);
+		collab_keys.push_back(std::make_pair(keys[0], trusted || is_full_fingerprint));
 	}
 
 	// TODO: have a retroactive option to grant access to all key versions, not just the most recent
@@ -1044,7 +1265,11 @@ int add_gpg_user (int argc, const char** argv)
 	const std::string		state_gitattributes_path(state_path + "/.gitattributes");
 	if (access(state_gitattributes_path.c_str(), F_OK) != 0) {
 		std::ofstream		state_gitattributes_file(state_gitattributes_path.c_str());
+		//                          |--------------------------------------------------------------------------------| 80 chars
+		state_gitattributes_file << "# Do not edit this file.  To specify the files to encrypt, create your own\n";
+		state_gitattributes_file << "# .gitattributes file in the directory where your files are.\n";
 		state_gitattributes_file << "* !filter !diff\n";
+		state_gitattributes_file << "*.gpg binary\n";
 		state_gitattributes_file.close();
 		if (!state_gitattributes_file) {
 			std::clog << "Error: unable to write " << state_gitattributes_path << std::endl;
@@ -1071,8 +1296,9 @@ int add_gpg_user (int argc, const char** argv)
 			// TODO: include key_name in commit message
 			std::ostringstream	commit_message_builder;
 			commit_message_builder << "Add " << collab_keys.size() << " git-crypt collaborator" << (collab_keys.size() != 1 ? "s" : "") << "\n\nNew collaborators:\n\n";
-			for (std::vector<std::string>::const_iterator collab(collab_keys.begin()); collab != collab_keys.end(); ++collab) {
+			for (std::vector<std::pair<std::string, bool> >::const_iterator collab(collab_keys.begin()); collab != collab_keys.end(); ++collab) {
-				commit_message_builder << '\t' << gpg_shorten_fingerprint(*collab) << ' ' << gpg_get_uid(*collab) << '\n';
+				commit_message_builder << "    " << collab->first << '\n';
+				commit_message_builder << "        " << gpg_get_uid(collab->first) << '\n';
 			}
 
 			// git commit -m MESSAGE NEW_FILE ...
@@ -1392,6 +1618,9 @@ int status (int argc, const char** argv)
 			std::string	mode;
 			std::string	stage;
 			output >> mode >> object_id >> stage;
+			if (!is_git_file_mode(mode)) {
+				continue;
+			}
 		}
 		output >> std::ws;
 		std::getline(output, filename, '\0');

commands.hpp

@@ -70,4 +70,7 @@ void help_migrate_key (std::ostream&);
 void help_refresh (std::ostream&);
 void help_status (std::ostream&);
 
+// other
+std::string get_git_config (const std::string& name);
+
 #endif

coprocess-unix.cpp

@@ -0,0 +1,186 @@
+/*
+ * Copyright 2015 Andrew Ayer
+ *
+ * This file is part of git-crypt.
+ *
+ * git-crypt is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * git-crypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with git-crypt.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Additional permission under GNU GPL version 3 section 7:
+ *
+ * If you modify the Program, or any covered work, by linking or
+ * combining it with the OpenSSL project's OpenSSL library (or a
+ * modified version of that library), containing parts covered by the
+ * terms of the OpenSSL or SSLeay licenses, the licensors of the Program
+ * grant you additional permission to convey the resulting work.
+ * Corresponding Source for a non-source form of such a combination
+ * shall include the source code for the parts of OpenSSL used as well
+ * as that of the covered work.
+ */
+
+#include "coprocess.hpp"
+#include "util.hpp"
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <errno.h>
+
+static int execvp (const std::string& file, const std::vector<std::string>& args)
+{
+	std::vector<const char*>	args_c_str;
+	args_c_str.reserve(args.size());
+	for (std::vector<std::string>::const_iterator arg(args.begin()); arg != args.end(); ++arg) {
+		args_c_str.push_back(arg->c_str());
+	}
+	args_c_str.push_back(nullptr);
+	return execvp(file.c_str(), const_cast<char**>(&args_c_str[0]));
+}
+
+Coprocess::Coprocess ()
+{
+	pid = -1;
+	stdin_pipe_reader = -1;
+	stdin_pipe_writer = -1;
+	stdin_pipe_ostream = nullptr;
+	stdout_pipe_reader = -1;
+	stdout_pipe_writer = -1;
+	stdout_pipe_istream = nullptr;
+}
+
+Coprocess::~Coprocess ()
+{
+	close_stdin();
+	close_stdout();
+}
+
+std::ostream*	Coprocess::stdin_pipe ()
+{
+	if (!stdin_pipe_ostream) {
+		int	fds[2];
+		if (pipe(fds) == -1) {
+			throw System_error("pipe", "", errno);
+		}
+		stdin_pipe_reader = fds[0];
+		stdin_pipe_writer = fds[1];
+		stdin_pipe_ostream = new ofhstream(this, write_stdin);
+	}
+	return stdin_pipe_ostream;
+}
+
+void		Coprocess::close_stdin ()
+{
+	delete stdin_pipe_ostream;
+	stdin_pipe_ostream = nullptr;
+	if (stdin_pipe_writer != -1) {
+		close(stdin_pipe_writer);
+		stdin_pipe_writer = -1;
+	}
+	if (stdin_pipe_reader != -1) {
+		close(stdin_pipe_reader);
+		stdin_pipe_reader = -1;
+	}
+}
+
+std::istream*	Coprocess::stdout_pipe ()
+{
+	if (!stdout_pipe_istream) {
+		int	fds[2];
+		if (pipe(fds) == -1) {
+			throw System_error("pipe", "", errno);
+		}
+		stdout_pipe_reader = fds[0];
+		stdout_pipe_writer = fds[1];
+		stdout_pipe_istream = new ifhstream(this, read_stdout);
+	}
+	return stdout_pipe_istream;
+}
+
+void		Coprocess::close_stdout ()
+{
+	delete stdout_pipe_istream;
+	stdout_pipe_istream = nullptr;
+	if (stdout_pipe_writer != -1) {
+		close(stdout_pipe_writer);
+		stdout_pipe_writer = -1;
+	}
+	if (stdout_pipe_reader != -1) {
+		close(stdout_pipe_reader);
+		stdout_pipe_reader = -1;
+	}
+}
+
+void		Coprocess::spawn (const std::vector<std::string>& args)
+{
+	pid = fork();
+	if (pid == -1) {
+		throw System_error("fork", "", errno);
+	}
+	if (pid == 0) {
+		if (stdin_pipe_writer != -1) {
+			close(stdin_pipe_writer);
+		}
+		if (stdout_pipe_reader != -1) {
+			close(stdout_pipe_reader);
+		}
+		if (stdin_pipe_reader != -1) {
+			dup2(stdin_pipe_reader, 0);
+			close(stdin_pipe_reader);
+		}
+		if (stdout_pipe_writer != -1) {
+			dup2(stdout_pipe_writer, 1);
+			close(stdout_pipe_writer);
+		}
+
+		execvp(args[0], args);
+		perror(args[0].c_str());
+		_exit(-1);
+	}
+	if (stdin_pipe_reader != -1) {
+		close(stdin_pipe_reader);
+		stdin_pipe_reader = -1;
+	}
+	if (stdout_pipe_writer != -1) {
+		close(stdout_pipe_writer);
+		stdout_pipe_writer = -1;
+	}
+}
+
+int		Coprocess::wait ()
+{
+	int		status = 0;
+	if (waitpid(pid, &status, 0) == -1) {
+		throw System_error("waitpid", "", errno);
+	}
+	return status;
+}
+
+size_t		Coprocess::write_stdin (void* handle, const void* buf, size_t count)
+{
+	const int	fd = static_cast<Coprocess*>(handle)->stdin_pipe_writer;
+	ssize_t		ret;
+	while ((ret = write(fd, buf, count)) == -1 && errno == EINTR); // restart if interrupted
+	if (ret < 0) {
+		throw System_error("write", "", errno);
+	}
+	return ret;
+}
+
+size_t		Coprocess::read_stdout (void* handle, void* buf, size_t count)
+{
+	const int	fd = static_cast<Coprocess*>(handle)->stdout_pipe_reader;
+	ssize_t		ret;
+	while ((ret = read(fd, buf, count)) == -1 && errno == EINTR); // restart if interrupted
+	if (ret < 0) {
+		throw System_error("read", "", errno);
+	}
+	return ret;
+}

coprocess-unix.hpp

@@ -0,0 +1,68 @@
+/*
+ * Copyright 2015 Andrew Ayer
+ *
+ * This file is part of git-crypt.
+ *
+ * git-crypt is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * git-crypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with git-crypt.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Additional permission under GNU GPL version 3 section 7:
+ *
+ * If you modify the Program, or any covered work, by linking or
+ * combining it with the OpenSSL project's OpenSSL library (or a
+ * modified version of that library), containing parts covered by the
+ * terms of the OpenSSL or SSLeay licenses, the licensors of the Program
+ * grant you additional permission to convey the resulting work.
+ * Corresponding Source for a non-source form of such a combination
+ * shall include the source code for the parts of OpenSSL used as well
+ * as that of the covered work.
+ */
+
+#ifndef GIT_CRYPT_COPROCESS_HPP
+#define GIT_CRYPT_COPROCESS_HPP
+
+#include "fhstream.hpp"
+#include <unistd.h>
+#include <vector>
+
+class Coprocess {
+	pid_t		pid;
+
+	int		stdin_pipe_reader;
+	int		stdin_pipe_writer;
+	ofhstream*	stdin_pipe_ostream;
+	static size_t	write_stdin (void*, const void*, size_t);
+
+	int		stdout_pipe_reader;
+	int		stdout_pipe_writer;
+	ifhstream*	stdout_pipe_istream;
+	static size_t	read_stdout (void*, void*, size_t);
+
+			Coprocess (const Coprocess&);	// Disallow copy
+	Coprocess&	operator= (const Coprocess&);	// Disallow assignment
+public:
+			Coprocess ();
+			~Coprocess ();
+
+	std::ostream*	stdin_pipe ();
+	void		close_stdin ();
+
+	std::istream*	stdout_pipe ();
+	void		close_stdout ();
+
+	void		spawn (const std::vector<std::string>&);
+
+	int		wait ();
+};
+
+#endif

coprocess-win32.cpp

@@ -0,0 +1,269 @@
+/*
+ * Copyright 2015 Andrew Ayer
+ *
+ * This file is part of git-crypt.
+ *
+ * git-crypt is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * git-crypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with git-crypt.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Additional permission under GNU GPL version 3 section 7:
+ *
+ * If you modify the Program, or any covered work, by linking or
+ * combining it with the OpenSSL project's OpenSSL library (or a
+ * modified version of that library), containing parts covered by the
+ * terms of the OpenSSL or SSLeay licenses, the licensors of the Program
+ * grant you additional permission to convey the resulting work.
+ * Corresponding Source for a non-source form of such a combination
+ * shall include the source code for the parts of OpenSSL used as well
+ * as that of the covered work.
+ */
+
+#include "coprocess-win32.hpp"
+#include "util.hpp"
+
+
+static void escape_cmdline_argument (std::string& cmdline, const std::string& arg)
+{
+	// For an explanation of Win32's arcane argument quoting rules, see:
+	//  http://msdn.microsoft.com/en-us/library/17w5ykft%28v=vs.85%29.aspx
+	//  http://msdn.microsoft.com/en-us/library/bb776391%28v=vs.85%29.aspx
+	//  http://blogs.msdn.com/b/twistylittlepassagesallalike/archive/2011/04/23/everyone-quotes-arguments-the-wrong-way.aspx
+	//  http://blogs.msdn.com/b/oldnewthing/archive/2010/09/17/10063629.aspx
+	cmdline.push_back('"');
+
+	std::string::const_iterator	p(arg.begin());
+	while (p != arg.end()) {
+		if (*p == '"') {
+			cmdline.push_back('\\');
+			cmdline.push_back('"');
+			++p;
+		} else if (*p == '\\') {
+			unsigned int	num_backslashes = 0;
+			while (p != arg.end() && *p == '\\') {
+				++num_backslashes;
+				++p;
+			}
+			if (p == arg.end() || *p == '"') {
+				// Backslashes need to be escaped
+				num_backslashes *= 2;
+			}
+			while (num_backslashes--) {
+				cmdline.push_back('\\');
+			}
+		} else {
+			cmdline.push_back(*p++);
+		}
+	}
+
+	cmdline.push_back('"');
+}
+
+static std::string format_cmdline (const std::vector<std::string>& command)
+{
+	std::string		cmdline;
+	for (std::vector<std::string>::const_iterator arg(command.begin()); arg != command.end(); ++arg) {
+		if (arg != command.begin()) {
+			cmdline.push_back(' ');
+		}
+		escape_cmdline_argument(cmdline, *arg);
+	}
+	return cmdline;
+}
+
+static HANDLE spawn_command (const std::vector<std::string>& command, HANDLE stdin_handle, HANDLE stdout_handle, HANDLE stderr_handle)
+{
+	PROCESS_INFORMATION	proc_info;
+	ZeroMemory(&proc_info, sizeof(proc_info));
+
+	STARTUPINFO		start_info;
+	ZeroMemory(&start_info, sizeof(start_info));
+
+	start_info.cb = sizeof(STARTUPINFO);
+	start_info.hStdInput = stdin_handle ? stdin_handle : GetStdHandle(STD_INPUT_HANDLE);
+	start_info.hStdOutput = stdout_handle ? stdout_handle : GetStdHandle(STD_OUTPUT_HANDLE);
+	start_info.hStdError = stderr_handle ? stderr_handle : GetStdHandle(STD_ERROR_HANDLE);
+	start_info.dwFlags |= STARTF_USESTDHANDLES;
+
+	std::string		cmdline(format_cmdline(command));
+
+	if (!CreateProcessA(nullptr,		// application name (nullptr to use command line)
+				const_cast<char*>(cmdline.c_str()),
+				nullptr,	// process security attributes
+				nullptr,	// primary thread security attributes
+				TRUE,		// handles are inherited
+				0,		// creation flags
+				nullptr,	// use parent's environment
+				nullptr,	// use parent's current directory
+				&start_info,
+				&proc_info)) {
+		throw System_error("CreateProcess", cmdline, GetLastError());
+	}
+
+	CloseHandle(proc_info.hThread);
+
+	return proc_info.hProcess;
+}
+
+
+Coprocess::Coprocess ()
+{
+	proc_handle = nullptr;
+	stdin_pipe_reader = nullptr;
+	stdin_pipe_writer = nullptr;
+	stdin_pipe_ostream = nullptr;
+	stdout_pipe_reader = nullptr;
+	stdout_pipe_writer = nullptr;
+	stdout_pipe_istream = nullptr;
+}
+
+Coprocess::~Coprocess ()
+{
+	close_stdin();
+	close_stdout();
+	if (proc_handle) {
+		CloseHandle(proc_handle);
+	}
+}
+
+std::ostream*	Coprocess::stdin_pipe ()
+{
+	if (!stdin_pipe_ostream) {
+		SECURITY_ATTRIBUTES	sec_attr;
+
+		// Set the bInheritHandle flag so pipe handles are inherited.
+		sec_attr.nLength = sizeof(SECURITY_ATTRIBUTES);
+		sec_attr.bInheritHandle = TRUE;
+		sec_attr.lpSecurityDescriptor = nullptr;
+
+		// Create a pipe for the child process's STDIN.
+		if (!CreatePipe(&stdin_pipe_reader, &stdin_pipe_writer, &sec_attr, 0)) {
+			throw System_error("CreatePipe", "", GetLastError());
+		}
+
+		// Ensure the write handle to the pipe for STDIN is not inherited.
+		if (!SetHandleInformation(stdin_pipe_writer, HANDLE_FLAG_INHERIT, 0)) {
+			throw System_error("SetHandleInformation", "", GetLastError());
+		}
+
+		stdin_pipe_ostream = new ofhstream(this, write_stdin);
+	}
+	return stdin_pipe_ostream;
+}
+
+void		Coprocess::close_stdin ()
+{
+	delete stdin_pipe_ostream;
+	stdin_pipe_ostream = nullptr;
+	if (stdin_pipe_writer) {
+		CloseHandle(stdin_pipe_writer);
+		stdin_pipe_writer = nullptr;
+	}
+	if (stdin_pipe_reader) {
+		CloseHandle(stdin_pipe_reader);
+		stdin_pipe_reader = nullptr;
+	}
+}
+
+std::istream*	Coprocess::stdout_pipe ()
+{
+	if (!stdout_pipe_istream) {
+		SECURITY_ATTRIBUTES	sec_attr;
+
+		// Set the bInheritHandle flag so pipe handles are inherited.
+		sec_attr.nLength = sizeof(SECURITY_ATTRIBUTES);
+		sec_attr.bInheritHandle = TRUE;
+		sec_attr.lpSecurityDescriptor = nullptr;
+
+		// Create a pipe for the child process's STDOUT.
+		if (!CreatePipe(&stdout_pipe_reader, &stdout_pipe_writer, &sec_attr, 0)) {
+			throw System_error("CreatePipe", "", GetLastError());
+		}
+
+		// Ensure the read handle to the pipe for STDOUT is not inherited.
+		if (!SetHandleInformation(stdout_pipe_reader, HANDLE_FLAG_INHERIT, 0)) {
+			throw System_error("SetHandleInformation", "", GetLastError());
+		}
+
+		stdout_pipe_istream = new ifhstream(this, read_stdout);
+	}
+	return stdout_pipe_istream;
+}
+
+void		Coprocess::close_stdout ()
+{
+	delete stdout_pipe_istream;
+	stdout_pipe_istream = nullptr;
+	if (stdout_pipe_writer) {
+		CloseHandle(stdout_pipe_writer);
+		stdout_pipe_writer = nullptr;
+	}
+	if (stdout_pipe_reader) {
+		CloseHandle(stdout_pipe_reader);
+		stdout_pipe_reader = nullptr;
+	}
+}
+
+void		Coprocess::spawn (const std::vector<std::string>& args)
+{
+	proc_handle = spawn_command(args, stdin_pipe_reader, stdout_pipe_writer, nullptr);
+	if (stdin_pipe_reader) {
+		CloseHandle(stdin_pipe_reader);
+		stdin_pipe_reader = nullptr;
+	}
+	if (stdout_pipe_writer) {
+		CloseHandle(stdout_pipe_writer);
+		stdout_pipe_writer = nullptr;
+	}
+}
+
+int		Coprocess::wait ()
+{
+	if (WaitForSingleObject(proc_handle, INFINITE) == WAIT_FAILED) {
+		throw System_error("WaitForSingleObject", "", GetLastError());
+	}
+
+	DWORD			exit_code;
+	if (!GetExitCodeProcess(proc_handle, &exit_code)) {
+		throw System_error("GetExitCodeProcess", "", GetLastError());
+	}
+
+	return exit_code;
+}
+
+size_t		Coprocess::write_stdin (void* handle, const void* buf, size_t count)
+{
+	DWORD		bytes_written;
+	if (!WriteFile(static_cast<Coprocess*>(handle)->stdin_pipe_writer, buf, count, &bytes_written, nullptr)) {
+		throw System_error("WriteFile", "", GetLastError());
+	}
+	return bytes_written;
+}
+
+size_t		Coprocess::read_stdout (void* handle, void* buf, size_t count)
+{
+	// Note that ReadFile on a pipe may return with bytes_read==0 if the other
+	// end of the pipe writes zero bytes, so retry when this happens.
+	// When the other end of the pipe actually closes, ReadFile
+	// fails with ERROR_BROKEN_PIPE.
+	DWORD bytes_read;
+	do {
+		if (!ReadFile(static_cast<Coprocess*>(handle)->stdout_pipe_reader, buf, count, &bytes_read, nullptr)) {
+			const DWORD	read_error = GetLastError();
+			if (read_error != ERROR_BROKEN_PIPE) {
+				throw System_error("ReadFile", "", read_error);
+			}
+			return 0;
+		}
+	} while (bytes_read == 0);
+	return bytes_read;
+}

coprocess-win32.hpp

@@ -0,0 +1,68 @@
+/*
+ * Copyright 2015 Andrew Ayer
+ *
+ * This file is part of git-crypt.
+ *
+ * git-crypt is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * git-crypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with git-crypt.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Additional permission under GNU GPL version 3 section 7:
+ *
+ * If you modify the Program, or any covered work, by linking or
+ * combining it with the OpenSSL project's OpenSSL library (or a
+ * modified version of that library), containing parts covered by the
+ * terms of the OpenSSL or SSLeay licenses, the licensors of the Program
+ * grant you additional permission to convey the resulting work.
+ * Corresponding Source for a non-source form of such a combination
+ * shall include the source code for the parts of OpenSSL used as well
+ * as that of the covered work.
+ */
+
+#ifndef GIT_CRYPT_COPROCESS_HPP
+#define GIT_CRYPT_COPROCESS_HPP
+
+#include "fhstream.hpp"
+#include <windows.h>
+#include <vector>
+
+class Coprocess {
+	HANDLE		proc_handle;
+
+	HANDLE		stdin_pipe_reader;
+	HANDLE		stdin_pipe_writer;
+	ofhstream*	stdin_pipe_ostream;
+	static size_t	write_stdin (void*, const void*, size_t);
+
+	HANDLE		stdout_pipe_reader;
+	HANDLE		stdout_pipe_writer;
+	ifhstream*	stdout_pipe_istream;
+	static size_t	read_stdout (void*, void*, size_t);
+
+			Coprocess (const Coprocess&);	// Disallow copy
+	Coprocess&	operator= (const Coprocess&);	// Disallow assignment
+public:
+			Coprocess ();
+			~Coprocess ();
+
+	std::ostream*	stdin_pipe ();
+	void		close_stdin ();
+
+	std::istream*	stdout_pipe ();
+	void		close_stdout ();
+
+	void		spawn (const std::vector<std::string>&);
+
+	int		wait ();
+};
+
+#endif

coprocess.cpp

@@ -0,0 +1,5 @@
+#ifdef _WIN32
+#include "coprocess-win32.cpp"
+#else
+#include "coprocess-unix.cpp"
+#endif

coprocess.hpp

@@ -0,0 +1,5 @@
+#ifdef _WIN32
+#include "coprocess-win32.hpp"
+#else
+#include "coprocess-unix.hpp"
+#endif

crypto-openssl-11.cpp

@@ -28,6 +28,8 @@
  * as that of the covered work.
  */
 
+#include <openssl/opensslconf.h>
+
 #include "crypto.hpp"
 #include "key.hpp"
 #include "util.hpp"
@@ -59,8 +61,8 @@ Aes_ecb_encryptor::Aes_ecb_encryptor (const unsigned char* raw_key)
 
 Aes_ecb_encryptor::~Aes_ecb_encryptor ()
 {
-	// Note: Explicit destructor necessary because class contains an auto_ptr
+	// Note: Explicit destructor necessary because class contains an unique_ptr
-	// which contains an incomplete type when the auto_ptr is declared.
+	// which contains an incomplete type when the unique_ptr is declared.
 
 	explicit_memset(&impl->key, '\0', sizeof(impl->key));
 }
@@ -71,32 +73,31 @@ void Aes_ecb_encryptor::encrypt(const unsigned char* plain, unsigned char* ciphe
 }
 
 struct Hmac_sha1_state::Hmac_impl {
-	HMAC_CTX ctx;
+	HMAC_CTX *ctx;
 };
 
 Hmac_sha1_state::Hmac_sha1_state (const unsigned char* key, size_t key_len)
 : impl(new Hmac_impl)
 {
-	HMAC_Init(&(impl->ctx), key, key_len, EVP_sha1());
+
+	impl->ctx = HMAC_CTX_new();
+	HMAC_Init_ex(impl->ctx, key, key_len, EVP_sha1(), nullptr);
 }
 
 Hmac_sha1_state::~Hmac_sha1_state ()
 {
-	// Note: Explicit destructor necessary because class contains an auto_ptr
+	HMAC_CTX_free(impl->ctx);
-	// which contains an incomplete type when the auto_ptr is declared.
-
-	HMAC_cleanup(&(impl->ctx));
 }
 
 void Hmac_sha1_state::add (const unsigned char* buffer, size_t buffer_len)
 {
-	HMAC_Update(&(impl->ctx), buffer, buffer_len);
+	HMAC_Update(impl->ctx, buffer, buffer_len);
 }
 
 void Hmac_sha1_state::get (unsigned char* digest)
 {
 	unsigned int len;
-	HMAC_Final(&(impl->ctx), digest, &len);
+	HMAC_Final(impl->ctx, digest, &len);
 }
 
 
@@ -112,4 +113,3 @@ void random_bytes (unsigned char* buffer, size_t len)
 		throw Crypto_error("random_bytes", message.str());
 	}
 }
-

crypto.hpp

@@ -57,7 +57,7 @@ public:
 private:
 	struct Aes_impl;
 
-	std::auto_ptr<Aes_impl>	impl;
+	std::unique_ptr<Aes_impl>	impl;
 
 public:
 	Aes_ecb_encryptor (const unsigned char* key);
@@ -102,7 +102,7 @@ public:
 private:
 	struct Hmac_impl;
 
-	std::auto_ptr<Hmac_impl>	impl;
+	std::unique_ptr<Hmac_impl>	impl;
 
 public:
 	Hmac_sha1_state (const unsigned char* key, size_t key_len);

fhstream.cpp

@@ -0,0 +1,227 @@
+/*
+ * Copyright (C) 2012, 2015 Andrew Ayer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * Except as contained in this notice, the name(s) of the above copyright
+ * holders shall not be used in advertising or otherwise to promote the
+ * sale, use or other dealings in this Software without prior written
+ * authorization.
+ */
+
+#include <cstring>
+#include <algorithm> // for std::min
+
+#include "fhstream.hpp"
+
+/*
+ * ofhstream
+ */
+
+ofhbuf::ofhbuf (void* arg_handle, size_t (*arg_write_fun)(void*, const void*, size_t))
+: handle(arg_handle),
+  write_fun(arg_write_fun),
+  buffer(new char[default_buffer_size]),
+  buffer_size(default_buffer_size)
+{
+	reset_buffer();
+}
+
+ofhbuf::~ofhbuf ()
+{
+	if (handle) {
+		try {
+			sync();
+		} catch (...) {
+			// Ignore exception since we're in the destructor.
+			// To catch write errors, call sync() explicitly.
+		}
+	}
+	delete[] buffer;
+}
+
+ofhbuf::int_type	ofhbuf::overflow (ofhbuf::int_type c)
+{
+	const char*	p = pbase();
+	std::streamsize	bytes_to_write = pptr() - p;
+
+	if (!is_eof(c)) {
+	      *pptr() = c;
+	      ++bytes_to_write;
+	}
+
+	while (bytes_to_write > 0) {
+		const size_t	bytes_written = write_fun(handle, p, bytes_to_write);
+		bytes_to_write -= bytes_written;
+		p += bytes_written;
+	}
+
+	reset_buffer();
+
+	return traits_type::to_int_type(0);
+}
+
+int		ofhbuf::sync ()
+{
+	return !is_eof(overflow(traits_type::eof())) ? 0 : -1;
+}
+
+std::streamsize	ofhbuf::xsputn (const char* s, std::streamsize n)
+{
+	// Use heuristic to decide whether to write directly or just use buffer
+	// Write directly only if n >= MIN(4096, available buffer capacity)
+	// (this is similar to what basic_filebuf does)
+
+	if (n < std::min<std::streamsize>(4096, epptr() - pptr())) {
+		// Not worth it to do a direct write
+		return std::streambuf::xsputn(s, n);
+	}
+
+	// Before we can do a direct write of this string, we need to flush
+	// out the current contents of the buffer.
+	if (pbase() != pptr()) {
+		overflow(traits_type::eof()); // throws an exception or it succeeds
+	}
+
+	// Now we can go ahead and write out the string.
+	size_t		bytes_to_write = n;
+
+	while (bytes_to_write > 0) {
+		const size_t	bytes_written = write_fun(handle, s, bytes_to_write);
+		bytes_to_write -= bytes_written;
+		s += bytes_written;
+	}
+
+	return n; // Return the total bytes written
+}
+
+std::streambuf*	ofhbuf::setbuf (char* s, std::streamsize n)
+{
+	if (s == 0 && n == 0) {
+		// Switch to unbuffered
+		// This won't take effect until the next overflow or sync
+		// (We defer it taking effect so that write errors can be properly reported)
+		// To cause it to take effect as soon as possible, we artificially reduce the
+		// size of the buffer so it has no space left.  This will trigger an overflow
+		// on the next put.
+		std::streambuf::setp(pbase(), pptr());
+		std::streambuf::pbump(pptr() - pbase());
+		buffer_size = 1;
+	}
+	return this;
+}
+
+
+
+/*
+ * ifhstream
+ */
+
+ifhbuf::ifhbuf (void* arg_handle, size_t (*arg_read_fun)(void*, void*, size_t))
+: handle(arg_handle),
+  read_fun(arg_read_fun),
+  buffer(new char[default_buffer_size + putback_size]),
+  buffer_size(default_buffer_size)
+{
+	reset_buffer(0, 0);
+}
+
+ifhbuf::~ifhbuf ()
+{
+	delete[] buffer;
+}
+
+ifhbuf::int_type	ifhbuf::underflow ()
+{
+	if (gptr() >= egptr()) { // A true underflow (no bytes in buffer left to read)
+
+		// Move the putback_size most-recently-read characters into the putback area
+		size_t		nputback = std::min<size_t>(gptr() - eback(), putback_size);
+		std::memmove(buffer + (putback_size - nputback), gptr() - nputback, nputback);
+
+		// Now read new characters from the file descriptor
+		const size_t	nread = read_fun(handle, buffer + putback_size, buffer_size);
+		if (nread == 0) {
+			// EOF
+			return traits_type::eof();
+		}
+
+		// Reset the buffer
+		reset_buffer(nputback, nread);
+	}
+
+	// Return the next character
+	return traits_type::to_int_type(*gptr());
+}
+
+std::streamsize	ifhbuf::xsgetn (char* s, std::streamsize n)
+{
+	// Use heuristic to decide whether to read directly
+	// Read directly only if n >= bytes_available + 4096
+
+	std::streamsize	bytes_available = egptr() - gptr();
+
+	if (n < bytes_available + 4096) {
+		// Not worth it to do a direct read
+		return std::streambuf::xsgetn(s, n);
+	}
+
+	std::streamsize	total_bytes_read = 0;
+
+	// First, copy out the bytes currently in the buffer
+	std::memcpy(s, gptr(), bytes_available);
+
+	s += bytes_available;
+	n -= bytes_available;
+	total_bytes_read += bytes_available;
+
+	// Now do the direct read
+	while (n > 0) {
+		const size_t	bytes_read = read_fun(handle, s, n);
+		if (bytes_read == 0) {
+			// EOF
+			break;
+		}
+
+		s += bytes_read;
+		n -= bytes_read;
+		total_bytes_read += bytes_read;
+	}
+
+	// Fill up the putback area with the most recently read characters
+	size_t		nputback = std::min<size_t>(total_bytes_read, putback_size);
+	std::memcpy(buffer + (putback_size - nputback), s - nputback, nputback);
+
+	// Reset the buffer with no bytes available for reading, but with some putback characters
+	reset_buffer(nputback, 0);
+
+	// Return the total number of bytes read
+	return total_bytes_read;
+}
+
+std::streambuf*	ifhbuf::setbuf (char* s, std::streamsize n)
+{
+	if (s == 0 && n == 0) {
+		// Switch to unbuffered
+		// This won't take effect until the next underflow (we don't want to
+		// lose what's currently in the buffer!)
+		buffer_size = 1;
+	}
+	return this;
+}

fhstream.hpp

@@ -0,0 +1,134 @@
+/*
+ * Copyright (C) 2012, 2015 Andrew Ayer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * Except as contained in this notice, the name(s) of the above copyright
+ * holders shall not be used in advertising or otherwise to promote the
+ * sale, use or other dealings in this Software without prior written
+ * authorization.
+ */
+
+#ifndef GIT_CRYPT_FHSTREAM_HPP
+#define GIT_CRYPT_FHSTREAM_HPP
+
+#include <ostream>
+#include <istream>
+#include <streambuf>
+
+/*
+ * ofhstream
+ */
+class ofhbuf : public std::streambuf {
+	enum { default_buffer_size = 8192 };
+
+	void*			handle;
+	size_t			(*write_fun)(void*, const void*, size_t);
+	char*			buffer;
+	size_t			buffer_size;
+
+	inline void reset_buffer ()
+	{
+		std::streambuf::setp(buffer, buffer + buffer_size - 1);
+	}
+	static inline bool is_eof (int_type ch) { return traits_type::eq_int_type(ch, traits_type::eof()); }
+
+	// Disallow copy
+#if __cplusplus >= 201103L /* C++11 */
+	ofhbuf (const ofhbuf&) = delete;
+	ofhbuf& operator= (const ofhbuf&) = delete;
+#else
+	ofhbuf (const ofhbuf&);
+	ofhbuf& operator= (const ofhbuf&);
+#endif
+
+protected:
+	virtual int_type	overflow (int_type ch =traits_type::eof());
+	virtual int		sync ();
+	virtual std::streamsize	xsputn (const char*, std::streamsize);
+	virtual	std::streambuf*	setbuf (char*, std::streamsize);
+
+public:
+	ofhbuf (void*, size_t (*)(void*, const void*, size_t));
+	~ofhbuf (); // WARNING: calls sync() and ignores exceptions
+};
+
+class ofhstream : public std::ostream {
+	mutable ofhbuf	buf;
+public:
+	ofhstream (void* handle, size_t (*write_fun)(void*, const void*, size_t))
+	: std::ostream(0), buf(handle, write_fun)
+	{
+		std::ostream::rdbuf(&buf);
+	}
+
+	ofhbuf*	rdbuf () const { return &buf; }
+};
+
+
+/*
+ * ifhstream
+ */
+class ifhbuf : public std::streambuf {
+	enum {
+		default_buffer_size = 8192,
+		putback_size = 4
+	};
+
+	void*			handle;
+	size_t			(*read_fun)(void*, void*, size_t);
+	char*			buffer;
+	size_t			buffer_size;
+
+	inline void reset_buffer (size_t nputback, size_t nread)
+	{
+		std::streambuf::setg(buffer + (putback_size - nputback), buffer + putback_size, buffer + putback_size + nread);
+	}
+	// Disallow copy
+#if __cplusplus >= 201103L /* C++11 */
+	ifhbuf (const ifhbuf&) = delete;
+	ifhbuf& operator= (const ifhbuf&) = delete;
+#else
+	ifhbuf (const ifhbuf&);
+	ifhbuf& operator= (const ifhbuf&);
+#endif
+
+protected:
+	virtual int_type	underflow ();
+	virtual std::streamsize	xsgetn (char*, std::streamsize);
+	virtual	std::streambuf*	setbuf (char*, std::streamsize);
+
+public:
+	ifhbuf (void*, size_t (*)(void*, void*, size_t));
+	~ifhbuf (); // Can't fail
+};
+
+class ifhstream : public std::istream {
+	mutable ifhbuf	buf;
+public:
+	explicit ifhstream (void* handle, size_t (*read_fun)(void*, void*, size_t))
+	: std::istream(0), buf(handle, read_fun)
+	{
+		std::istream::rdbuf(&buf);
+	}
+
+	ifhbuf*	rdbuf () const { return &buf; }
+};
+
+#endif

git-crypt.hpp

@@ -31,7 +31,7 @@
 #ifndef GIT_CRYPT_GIT_CRYPT_HPP
 #define GIT_CRYPT_GIT_CRYPT_HPP
 
-#define VERSION "0.4.1"
+#define VERSION "0.8.0"
 
 extern const char*	argv0;	// initialized in main() to argv[0]
 

gpg.cpp

@@ -30,8 +30,18 @@
 
 #include "gpg.hpp"
 #include "util.hpp"
+#include "commands.hpp"
 #include <sstream>
 
+static std::string gpg_get_executable()
+{
+	std::string gpgbin = "gpg";
+	try {
+		gpgbin = get_git_config("gpg.program");
+	} catch (...) {
+	}
+	return gpgbin;
+}
 static std::string gpg_nth_column (const std::string& line, unsigned int col)
 {
 	std::string::size_type	pos = 0;
@@ -51,18 +61,12 @@ static std::string gpg_nth_column (const std::string& line, unsigned int col)
 	       line.substr(pos);
 }
 
-// given a key fingerprint, return the last 8 nibbles
-std::string gpg_shorten_fingerprint (const std::string& fingerprint)
-{
-	return fingerprint.size() == 40 ? fingerprint.substr(32) : fingerprint;
-}
-
 // given a key fingerprint, return the key's UID (e.g. "John Smith <jsmith@example.com>")
 std::string gpg_get_uid (const std::string& fingerprint)
 {
 	// gpg --batch --with-colons --fixed-list-mode --list-keys 0x7A399B2DB06D039020CD1CE1D0F3702D61489532
 	std::vector<std::string>	command;
-	command.push_back("gpg");
+	command.push_back(gpg_get_executable());
 	command.push_back("--batch");
 	command.push_back("--with-colons");
 	command.push_back("--fixed-list-mode");
@@ -94,7 +98,7 @@ std::vector<std::string> gpg_lookup_key (const std::string& query)
 
 	// gpg --batch --with-colons --fingerprint --list-keys jsmith@example.com
 	std::vector<std::string>	command;
-	command.push_back("gpg");
+	command.push_back(gpg_get_executable());
 	command.push_back("--batch");
 	command.push_back("--with-colons");
 	command.push_back("--fingerprint");
@@ -102,10 +106,15 @@ std::vector<std::string> gpg_lookup_key (const std::string& query)
 	command.push_back(query);
 	std::stringstream		command_output;
 	if (successful_exit(exec_command(command, command_output))) {
+		bool			is_pubkey = false;
 		while (command_output.peek() != -1) {
 			std::string		line;
 			std::getline(command_output, line);
-			if (line.substr(0, 4) == "fpr:") {
+			if (line.substr(0, 4) == "pub:") {
+				is_pubkey = true;
+			} else if (line.substr(0, 4) == "sub:") {
+				is_pubkey = false;
+			} else if (is_pubkey && line.substr(0, 4) == "fpr:") {
 				// fpr:::::::::7A399B2DB06D039020CD1CE1D0F3702D61489532:
 				// want the 9th column (counting from 0)
 				fingerprints.push_back(gpg_nth_column(line, 9));
@@ -120,7 +129,7 @@ std::vector<std::string> gpg_list_secret_keys ()
 {
 	// gpg --batch --with-colons --list-secret-keys --fingerprint
 	std::vector<std::string>	command;
-	command.push_back("gpg");
+	command.push_back(gpg_get_executable());
 	command.push_back("--batch");
 	command.push_back("--with-colons");
 	command.push_back("--list-secret-keys");
@@ -145,12 +154,16 @@ std::vector<std::string> gpg_list_secret_keys ()
 	return secret_keys;
 }
 
-void gpg_encrypt_to_file (const std::string& filename, const std::string& recipient_fingerprint, const char* p, size_t len)
+void gpg_encrypt_to_file (const std::string& filename, const std::string& recipient_fingerprint, bool key_is_trusted, const char* p, size_t len)
 {
 	// gpg --batch -o FILENAME -r RECIPIENT -e
 	std::vector<std::string>	command;
-	command.push_back("gpg");
+	command.push_back(gpg_get_executable());
 	command.push_back("--batch");
+	if (key_is_trusted) {
+		command.push_back("--trust-model");
+		command.push_back("always");
+	}
 	command.push_back("-o");
 	command.push_back(filename);
 	command.push_back("-r");
@@ -165,7 +178,7 @@ void gpg_decrypt_from_file (const std::string& filename, std::ostream& output)
 {
 	// gpg -q -d FILENAME
 	std::vector<std::string>	command;
-	command.push_back("gpg");
+	command.push_back(gpg_get_executable());
 	command.push_back("-q");
 	command.push_back("-d");
 	command.push_back(filename);

gpg.hpp

@@ -41,11 +41,10 @@ struct Gpg_error {
 	explicit Gpg_error (std::string m) : message(m) { }
 };
 
-std::string			gpg_shorten_fingerprint (const std::string& fingerprint);
 std::string			gpg_get_uid (const std::string& fingerprint);
 std::vector<std::string>	gpg_lookup_key (const std::string& query);
 std::vector<std::string>	gpg_list_secret_keys ();
-void				gpg_encrypt_to_file (const std::string& filename, const std::string& recipient_fingerprint, const char* p, size_t len);
+void				gpg_encrypt_to_file (const std::string& filename, const std::string& recipient_fingerprint, bool key_is_trusted, const char* p, size_t len);
 void				gpg_decrypt_from_file (const std::string& filename, std::ostream&);
 
 #endif

man/git-crypt.xml

@@ -0,0 +1,493 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<refentry>
+	<!--
+		Copyright (c) 2015 Andrew Ayer
+
+		See COPYING file for license information.
+	-->
+	<refentryinfo>
+		<title>git-crypt</title>
+		<date>2022-04-21</date>
+		<productname>git-crypt 0.8.0</productname>
+
+		<author>
+			<othername>Andrew Ayer</othername>
+			<contrib></contrib>
+			<email>agwa@andrewayer.name</email>
+			<uri>https://www.agwa.name</uri>
+		</author>
+	</refentryinfo>
+
+	<refmeta>
+		<refentrytitle>git-crypt</refentrytitle>
+		<manvolnum>1</manvolnum>
+	</refmeta>
+
+	<refnamediv>
+		<refname>git-crypt</refname>
+		<refpurpose>transparent file encryption in Git</refpurpose>
+	</refnamediv>
+
+	<refsynopsisdiv>
+		<cmdsynopsis>
+			<command>git-crypt <arg choice="opt"><replaceable>OPTIONS</replaceable></arg> <arg choice="plain"><replaceable>COMMAND</replaceable></arg> <arg choice="opt" rep="repeat"><replaceable>ARGS</replaceable></arg></command>
+		</cmdsynopsis>
+	</refsynopsisdiv>
+
+	<refsynopsisdiv>
+		<title>Common commands</title>
+		<cmdsynopsis>
+			<command>git-crypt init</command>
+		</cmdsynopsis>
+		<cmdsynopsis>
+			<command>git-crypt status</command>
+		</cmdsynopsis>
+		<cmdsynopsis>
+			<command>git-crypt lock</command>
+		</cmdsynopsis>
+	</refsynopsisdiv>
+	<refsynopsisdiv>
+		<title>GPG commands</title>
+		<cmdsynopsis>
+			<command>git-crypt add-gpg-user <arg choice="plain"><replaceable>GPG_USER_ID</replaceable></arg></command>
+		</cmdsynopsis>
+		<cmdsynopsis>
+			<command>git-crypt unlock</command>
+		</cmdsynopsis>
+	</refsynopsisdiv>
+	<refsynopsisdiv>
+		<title>Symmetric key commands</title>
+		<cmdsynopsis>
+			<command>git-crypt export-key <arg choice="plain"><replaceable>OUTPUT_KEY_FILE</replaceable></arg></command>
+		</cmdsynopsis>
+		<cmdsynopsis>
+			<command>git-crypt unlock <arg choice="plain"><replaceable>KEY_FILE</replaceable></arg></command>
+		</cmdsynopsis>
+	</refsynopsisdiv>
+
+	<refsect1>
+		<title>Description</title>
+
+		<para>
+			<command>git-crypt</command> enables transparent encryption and decryption
+			of files in a git repository. Files which you choose to protect are encrypted when committed,
+			and decrypted when checked out. git-crypt lets you freely share a repository containing a mix of
+			public and private content. git-crypt gracefully degrades, so developers without the secret key
+			can still clone and commit to a repository with encrypted files. This lets you store your secret
+			material (such as keys or passwords) in the same repository as your code, without requiring you
+			to lock down your entire repository.  
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Commands</title>
+
+		<para>
+			<command>git-crypt</command> is logically divided into several sub-commands which
+			perform distinct tasks.  Each sub-command, and its arguments,
+			are documented below.  Note that arguments and options to sub-commands must be
+			specified on the command line <emphasis>after</emphasis> the name of the sub-command.
+		</para>
+
+		<variablelist>
+			<varlistentry>
+				<term><option>init <arg choice="opt"><replaceable>OPTIONS</replaceable></arg></option></term>
+				<listitem>
+					<para>
+						Generate a key and prepare the current Git repository to use git-crypt.
+					</para>
+
+					<para>
+						The following options are understood:
+					</para>
+					<variablelist>
+						<varlistentry>
+							<term><option>-k</option> <replaceable>KEY_NAME</replaceable></term>
+							<term><option>--key-name</option> <replaceable>KEY_NAME</replaceable></term>
+
+							<listitem>
+								<para>
+									Initialize the given key instead of the default key.  git-crypt
+									supports multiple keys per repository, allowing you to share
+									different files with different sets of collaborators.
+								</para>
+							</listitem>
+						</varlistentry>
+					</variablelist>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term><option>status <arg choice="opt"><replaceable>OPTIONS</replaceable></arg></option></term>
+				<listitem>
+					<para>
+						Display a list of files in the repository, with their status (encrypted or unencrypted).
+					</para>
+
+					<para>
+						The following options are understood:
+					</para>
+					<variablelist>
+						<varlistentry>
+							<term><option>-e</option></term>
+
+							<listitem>
+								<para>
+									Show only encrypted files.
+								</para>
+							</listitem>
+						</varlistentry>
+						<varlistentry>
+							<term><option>-u</option></term>
+
+							<listitem>
+								<para>
+									Show only unencrypted files.
+								</para>
+							</listitem>
+						</varlistentry>
+						<varlistentry>
+							<term><option>-f</option></term>
+							<term><option>--fix</option></term>
+
+							<listitem>
+								<para>
+									Encrypt files that should be encrypted but were
+									committed to the repository or added to the index
+									without encryption.  (This can happen if a file
+									is added before git-crypt is initialized or before
+									the file is added to the gitattributes file.)
+								</para>
+							</listitem>
+						</varlistentry>
+					</variablelist>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term><option>add-gpg-user <arg choice="opt"><replaceable>OPTIONS</replaceable></arg> <arg choice="plain" rep="repeat"><replaceable>GPG_USER_ID</replaceable></arg></option></term>
+				<listitem>
+					<para>
+						Add the users with the given GPG user IDs as collaborators.  Specifically,
+						git-crypt uses <citerefentry><refentrytitle>gpg</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+						to encrypt the shared symmetric key
+						to the public keys of each GPG user ID, and stores the GPG-encrypted
+						keys in the <filename>.git-crypt</filename> directory at the root of the repository.
+					</para>
+
+					<para>
+						<replaceable>GPG_USER_ID</replaceable> can be a key ID, a full fingerprint, an email address, or anything
+						else that uniquely identifies a public key to GPG (see "HOW TO SPECIFY
+						A USER ID" in the <citerefentry><refentrytitle>gpg</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+						man page).
+					</para>
+
+					<para>
+						The following options are understood:
+					</para>
+					<variablelist>
+						<varlistentry>
+							<term><option>-k</option> <replaceable>KEY_NAME</replaceable></term>
+							<term><option>--key-name</option> <replaceable>KEY_NAME</replaceable></term>
+
+							<listitem>
+								<para>
+									Grant access to the given key, rather than the default key.
+								</para>
+							</listitem>
+						</varlistentry>
+						<varlistentry>
+							<term><option>-n</option></term>
+							<term><option>--no-commit</option></term>
+
+							<listitem>
+								<para>
+									Don't automatically commit the changes to the <filename>.git-crypt</filename>
+									directory.
+								</para>
+							</listitem>
+						</varlistentry>
+						<varlistentry>
+							<term><option>--trusted</option></term>
+
+							<listitem>
+								<para>
+									Assume that the GPG keys specified on the command line are trusted;
+									i.e. they actually belong to the users that they claim to belong to.
+								</para>
+								<para>
+									Without this option, git-crypt uses the same trust model as GPG,
+									which is based on the Web of Trust by default.  Under this
+									model, git-crypt will reject GPG keys that do not have
+									trusted signatures.
+								</para>
+								<para>
+									If you don't want to use the Web of Trust, you can either change
+									GPG's trust model by setting the <option>trust-model</option>
+									option in <filename>~/.gnupg/gpg.conf</filename> (see
+									<citerefentry><refentrytitle>gpg</refentrytitle><manvolnum>1</manvolnum></citerefentry>),
+									or use the <option>--trusted</option> option to <command>add-gpg-user</command>
+									on a case-by-case basis.
+								</para>
+							</listitem>
+						</varlistentry>
+					</variablelist>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term><option>unlock <!--<arg choice="opt"><replaceable>OPTIONS</replaceable></arg> --><arg choice="opt" rep="repeat"><replaceable>KEY_FILE</replaceable></arg></option></term>
+				<listitem>
+					<para>
+						Decrypt the repository.  If one or more key files are specified on the command line,
+						git-crypt attempts to decrypt using those shared symmetric keys.  If no key files
+						are specified, git-crypt attempts to decrypt using a GPG-encrypted key stored in
+						the repository's .git-crypt directory.
+					</para>
+
+					<para>
+						This command takes no options.
+					</para>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term><option>export-key <arg choice="opt"><replaceable>OPTIONS</replaceable></arg> <arg choice="plain"><replaceable>FILENAME</replaceable></arg></option></term>
+				<listitem>
+					<para>
+						Export the repository's shared symmetric key to the given file.
+					</para>
+
+					<para>
+						The following options are understood:
+					</para>
+					<variablelist>
+						<varlistentry>
+							<term><option>-k</option> <replaceable>KEY_NAME</replaceable></term>
+							<term><option>--key-name</option> <replaceable>KEY_NAME</replaceable></term>
+
+							<listitem>
+								<para>
+									Export the given key, rather than the default key.
+								</para>
+							</listitem>
+						</varlistentry>
+					</variablelist>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term><option>help <arg choice="opt"><replaceable>COMMAND</replaceable></arg></option></term>
+				<listitem>
+					<para>
+						Display help for the given <arg choice="plain"><replaceable>COMMAND</replaceable></arg>,
+						or an overview of all commands if no command is specified.
+					</para>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term><option>version</option></term>
+				<listitem>
+					<para>
+						Print the currently-installed version of <command>git-crypt</command>.
+						The format of the output is always "git-crypt", followed by a space,
+						followed by the dotted version number.
+					</para>
+				</listitem>
+			</varlistentry>
+
+		</variablelist>
+	</refsect1>
+
+	<refsect1>
+		<title>Using git-crypt</title>
+
+		<para>
+			First, you prepare a repository to use git-crypt by running <command>git-crypt init</command>.
+		</para>
+
+		<para>
+			Then, you specify the files to encrypt by creating a
+			<citerefentry><refentrytitle>gitattributes</refentrytitle><manvolnum>5</manvolnum></citerefentry> file.
+			Each file which you want to encrypt should be assigned the "<literal>filter=git-crypt diff=git-crypt</literal>"
+			attributes.  For example:
+		</para>
+
+		<screen>secretfile filter=git-crypt diff=git-crypt&#10;*.key filter=git-crypt diff=git-crypt</screen>
+
+		<para>
+			Like a <filename>.gitignore</filename> file, <filename>.gitattributes</filename> files can match wildcards and
+			should be checked into the repository.  Make sure you don't accidentally encrypt the
+			<filename>.gitattributes</filename> file itself (or other git files like <filename>.gitignore</filename>
+			or <filename>.gitmodules</filename>).  Make sure your <filename>.gitattributes</filename> rules
+			are in place <emphasis>before</emphasis> you add sensitive files, or those files won't be encrypted!
+		</para>
+
+		<para>
+			To share the repository with others (or with yourself) using GPG, run:
+		</para>
+
+		<screen>git-crypt add-gpg-user <replaceable>GPG_USER_ID</replaceable></screen>
+
+		<para>
+			<replaceable>GPG_USER_ID</replaceable> can be a key ID, a full fingerprint, an email address, or anything
+			else that uniquely identifies a public key to GPG.  Note: <command>git-crypt add-gpg-user</command> will
+			add and commit a GPG-encrypted key file in the <filename>.git-crypt</filename> directory of
+			the root of your repository.
+		</para>
+
+		<para>
+			Alternatively, you can export a symmetric secret key, which you must
+			securely convey to collaborators (GPG is not required, and no files
+			are added to your repository):
+		</para>
+
+		<screen>git-crypt export-key <replaceable>/path/to/key</replaceable></screen>
+
+		<para>
+			After cloning a repository with encrypted files, unlock with with GPG:
+		</para>
+
+		<screen>git-crypt unlock</screen>
+
+		<para>
+			Or with a symmetric key:
+		</para>
+
+		<screen>git-crypt unlock /path/to/key</screen>
+
+		<para>
+			That's all you need to do - after git-crypt is set up (either with
+			<command>git-crypt init</command> or <command>git-crypt unlock</command>),
+			you can use git normally - encryption and decryption happen transparently.
+		</para>
+
+	</refsect1>
+
+	<refsect1>
+		<title>The .gitattributes file</title>
+
+		<para>
+			The <filename>.gitattributes</filename> file is documented in
+			<citerefentry><refentrytitle>gitattributes</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+			The file pattern format is the same as the one used by <filename>.gitignore</filename>,
+			as documented in <citerefentry><refentrytitle>gitignore</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+			with the exception that specifying merely a directory (e.g. "<literal>/dir/</literal>")
+			is <emphasis>not</emphasis> sufficient to encrypt all files beneath it.
+		</para>
+
+		<para>
+			Also note that the pattern "<literal>dir/*</literal>" does not match files under
+			sub-directories of dir/.  To encrypt an entire sub-tree dir/, place the
+			following in <filename>dir/.gitattributes</filename>:
+		</para>
+
+		<screen>* filter=git-crypt diff=git-crypt&#10;.gitattributes !filter !diff</screen>
+
+		<para>
+			The second pattern is essential for ensuring that <filename>.gitattributes</filename> itself
+			is not encrypted.
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Multiple Key Support</title>
+
+		<para>
+			In addition to the implicit default key, git-crypt supports alternative
+			keys which can be used to encrypt specific files and can be shared with
+			specific GPG users.  This is useful if you want to grant different
+			collaborators access to different sets of files.
+		</para>
+
+		<para>
+			To generate an alternative key named <replaceable>KEYNAME</replaceable>,
+			pass the <command>-k <replaceable>KEYNAME</replaceable></command>
+			option to <command>git-crypt init</command> as follows:
+		</para>
+
+		<screen>git-crypt init -k <replaceable>KEYNAME</replaceable></screen>
+
+		<para>
+			To encrypt a file with an alternative key, use the <literal>git-crypt-<replaceable>KEYNAME</replaceable></literal>
+			filter in <filename>.gitattributes</filename> as follows:
+		</para>
+
+		<screen><replaceable>secretfile</replaceable> filter=git-crypt-<replaceable>KEYNAME</replaceable> diff=git-crypt-<replaceable>KEYNAME</replaceable></screen>
+
+		<para>
+			To export an alternative key or share it with a GPG user, pass the
+			<command>-k <replaceable>KEYNAME</replaceable></command> option to
+			<command>git-crypt export-key</command> or <command>git-crypt add-gpg-user</command>
+			as follows:
+		</para>
+
+		<screen>git-crypt export-key -k <replaceable>KEYNAME</replaceable> <filename><replaceable>/path/to/keyfile</replaceable></filename>&#10;git-crypt add-gpg-user -k <replaceable>KEYNAME</replaceable> <replaceable>GPG_USER_ID</replaceable></screen>
+
+		<para>
+			To unlock a repository with an alternative key, use <command>git-crypt unlock</command>
+			normally.  git-crypt will automatically determine which key is being used.
+		</para>
+	</refsect1>
+	<!--
+	<refsect1>
+		<title>Global options</title>
+
+		<para>
+			The following options are understood by <command>git-crypt</command> and can
+			be used with any sub-command.  Since they apply globally
+			to <command>git-crypt</command>, they must be specified on the command line
+			<emphasis>before</emphasis> the sub-command name.
+		</para>
+		<variablelist>
+		</variablelist>
+	</refsect1>
+	-->
+
+	<!--
+	<refsect1>
+		<title>Files</title>
+		<variablelist>
+			<varlistentry>
+				<term><filename>/path/to/file</filename></term>
+				<listitem><para>Description.</para></listitem>
+			</varlistentry>
+		</variablelist>
+	</refsect1>
+	-->
+
+	<!--
+	<refsect1>
+		<title>Environment Variables</title>
+
+		<variablelist class='environment-variables'>
+			<varlistentry>
+				<term><varname>NAME</varname></term>
+				<listitem>
+					<para>Description.</para>
+				</listitem>
+			</varlistentry>
+		</variablelist>
+	</refsect1>
+	-->
+
+	<!-- TODO: examples section
+	<refsect1>
+		<title>Examples</title>
+
+		<para>Hello world?</para>
+	</refsect1>
+	-->
+
+	<refsect1>
+		<title>See Also</title>
+		<para>
+			<citerefentry><refentrytitle>git</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+			<citerefentry><refentrytitle>gitattributes</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+			<ulink url="https://www.agwa.name/projects/git-crypt">git-crypt home page</ulink>,
+			<ulink url="https://github.com/AGWA/git-crypt">GitHub repository</ulink>
+		</para>
+	</refsect1>
+
+</refentry>

man/man1/.gitignore

@@ -0,0 +1 @@
+git-crypt.1

parse_options.cpp

@@ -1,31 +1,28 @@
 /*
  * Copyright 2014 Andrew Ayer
  *
- * This file is part of git-crypt.
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
  *
- * git-crypt is free software: you can redistribute it and/or modify
+ * The above copyright notice and this permission notice shall be included
- * it under the terms of the GNU General Public License as published by
+ * in all copies or substantial portions of the Software.
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
  *
- * git-crypt is distributed in the hope that it will be useful,
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
- * GNU General Public License for more details.
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
  *
- * You should have received a copy of the GNU General Public License
+ * Except as contained in this notice, the name(s) of the above copyright
- * along with git-crypt.  If not, see <http://www.gnu.org/licenses/>.
+ * holders shall not be used in advertising or otherwise to promote the
- *
+ * sale, use or other dealings in this Software without prior written
- * Additional permission under GNU GPL version 3 section 7:
+ * authorization.
- *
- * If you modify the Program, or any covered work, by linking or
- * combining it with the OpenSSL project's OpenSSL library (or a
- * modified version of that library), containing parts covered by the
- * terms of the OpenSSL or SSLeay licenses, the licensors of the Program
- * grant you additional permission to convey the resulting work.
- * Corresponding Source for a non-source form of such a combination
- * shall include the source code for the parts of OpenSSL used as well
- * as that of the covered work.
  */
 
 #include "parse_options.hpp"
@@ -46,7 +43,7 @@ int parse_options (const Options_list& options, int argc, const char** argv)
 {
 	int	argi = 0;
 
-	while (argi < argc && argv[argi][0] == '-') {
+	while (argi < argc && argv[argi][0] == '-' && argv[argi][1] != '\0') {
 		if (std::strcmp(argv[argi], "--") == 0) {
 			++argi;
 			break;

parse_options.hpp

@@ -1,31 +1,28 @@
 /*
  * Copyright 2014 Andrew Ayer
  *
- * This file is part of git-crypt.
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
  *
- * git-crypt is free software: you can redistribute it and/or modify
+ * The above copyright notice and this permission notice shall be included
- * it under the terms of the GNU General Public License as published by
+ * in all copies or substantial portions of the Software.
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
  *
- * git-crypt is distributed in the hope that it will be useful,
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
- * GNU General Public License for more details.
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
  *
- * You should have received a copy of the GNU General Public License
+ * Except as contained in this notice, the name(s) of the above copyright
- * along with git-crypt.  If not, see <http://www.gnu.org/licenses/>.
+ * holders shall not be used in advertising or otherwise to promote the
- *
+ * sale, use or other dealings in this Software without prior written
- * Additional permission under GNU GPL version 3 section 7:
+ * authorization.
- *
- * If you modify the Program, or any covered work, by linking or
- * combining it with the OpenSSL project's OpenSSL library (or a
- * modified version of that library), containing parts covered by the
- * terms of the OpenSSL or SSLeay licenses, the licensors of the Program
- * grant you additional permission to convey the resulting work.
- * Corresponding Source for a non-source form of such a combination
- * shall include the source code for the parts of OpenSSL used as well
- * as that of the covered work.
  */
 
 #ifndef PARSE_OPTIONS_HPP

util-unix.cpp

@@ -43,6 +43,8 @@
 #include <vector>
 #include <string>
 #include <cstring>
+#include <cstddef>
+#include <algorithm>
 
 std::string System_error::message () const
 {
@@ -123,171 +125,38 @@ void	mkdir_parent (const std::string& path)
 	}
 }
 
-static std::string readlink (const char* pathname)
-{
-	std::vector<char>	buffer(64);
-	ssize_t			len;
-
-	while ((len = ::readlink(pathname, &buffer[0], buffer.size())) == static_cast<ssize_t>(buffer.size())) {
-		// buffer may have been truncated - grow and try again
-		buffer.resize(buffer.size() * 2);
-	}
-	if (len == -1) {
-		throw System_error("readlink", pathname, errno);
-	}
-
-	return std::string(buffer.begin(), buffer.begin() + len);
-}
-
 std::string our_exe_path ()
 {
-	try {
+	if (argv0[0] == '/') {
-		return readlink("/proc/self/exe");
+		// argv[0] starts with / => it's an absolute path
-	} catch (const System_error&) {
+		return argv0;
-		if (argv0[0] == '/') {
+	} else if (std::strchr(argv0, '/')) {
-			// argv[0] starts with / => it's an absolute path
+		// argv[0] contains / => it a relative path that should be resolved
-			return argv0;
+		char*		resolved_path_p = realpath(argv0, nullptr);
-		} else if (std::strchr(argv0, '/')) {
+		std::string	resolved_path(resolved_path_p);
-			// argv[0] contains / => it a relative path that should be resolved
+		free(resolved_path_p);
-			char*		resolved_path_p = realpath(argv0, NULL);
+		return resolved_path;
-			std::string	resolved_path(resolved_path_p);
+	} else {
-			free(resolved_path_p);
+		// argv[0] is just a bare filename => not much we can do
-			return resolved_path;
+		return argv0;
-		} else {
-			// argv[0] is just a bare filename => not much we can do
-			return argv0;
-		}
 	}
 }
 
-static int execvp (const std::string& file, const std::vector<std::string>& args)
+int	exit_status (int wait_status)
 {
-	std::vector<const char*>	args_c_str;
+	return wait_status != -1 && WIFEXITED(wait_status) ? WEXITSTATUS(wait_status) : -1;
-	args_c_str.reserve(args.size());
-	for (std::vector<std::string>::const_iterator arg(args.begin()); arg != args.end(); ++arg) {
-		args_c_str.push_back(arg->c_str());
-	}
-	args_c_str.push_back(NULL);
-	return execvp(file.c_str(), const_cast<char**>(&args_c_str[0]));
-}
-
-int exec_command (const std::vector<std::string>& command)
-{
-	pid_t		child = fork();
-	if (child == -1) {
-		throw System_error("fork", "", errno);
-	}
-	if (child == 0) {
-		execvp(command[0], command);
-		perror(command[0].c_str());
-		_exit(-1);
-	}
-	int		status = 0;
-	if (waitpid(child, &status, 0) == -1) {
-		throw System_error("waitpid", "", errno);
-	}
-	return status;
-}
-
-int exec_command (const std::vector<std::string>& command, std::ostream& output)
-{
-	int		pipefd[2];
-	if (pipe(pipefd) == -1) {
-		throw System_error("pipe", "", errno);
-	}
-	pid_t		child = fork();
-	if (child == -1) {
-		int	fork_errno = errno;
-		close(pipefd[0]);
-		close(pipefd[1]);
-		throw System_error("fork", "", fork_errno);
-	}
-	if (child == 0) {
-		close(pipefd[0]);
-		if (pipefd[1] != 1) {
-			dup2(pipefd[1], 1);
-			close(pipefd[1]);
-		}
-		execvp(command[0], command);
-		perror(command[0].c_str());
-		_exit(-1);
-	}
-	close(pipefd[1]);
-	char		buffer[1024];
-	ssize_t		bytes_read;
-	while ((bytes_read = read(pipefd[0], buffer, sizeof(buffer))) > 0) {
-		output.write(buffer, bytes_read);
-	}
-	if (bytes_read == -1) {
-		int	read_errno = errno;
-		close(pipefd[0]);
-		throw System_error("read", "", read_errno);
-	}
-	close(pipefd[0]);
-	int		status = 0;
-	if (waitpid(child, &status, 0) == -1) {
-		throw System_error("waitpid", "", errno);
-	}
-	return status;
-}
-
-int exec_command_with_input (const std::vector<std::string>& command, const char* p, size_t len)
-{
-	int		pipefd[2];
-	if (pipe(pipefd) == -1) {
-		throw System_error("pipe", "", errno);
-	}
-	pid_t		child = fork();
-	if (child == -1) {
-		int	fork_errno = errno;
-		close(pipefd[0]);
-		close(pipefd[1]);
-		throw System_error("fork", "", fork_errno);
-	}
-	if (child == 0) {
-		close(pipefd[1]);
-		if (pipefd[0] != 0) {
-			dup2(pipefd[0], 0);
-			close(pipefd[0]);
-		}
-		execvp(command[0], command);
-		perror(command[0].c_str());
-		_exit(-1);
-	}
-	close(pipefd[0]);
-	while (len > 0) {
-		ssize_t	bytes_written = write(pipefd[1], p, len);
-		if (bytes_written == -1) {
-			int	write_errno = errno;
-			close(pipefd[1]);
-			throw System_error("write", "", write_errno);
-		}
-		p += bytes_written;
-		len -= bytes_written;
-	}
-	close(pipefd[1]);
-	int		status = 0;
-	if (waitpid(child, &status, 0) == -1) {
-		throw System_error("waitpid", "", errno);
-	}
-	return status;
-}
-
-bool successful_exit (int status)
-{
-	return status != -1 && WIFEXITED(status) && WEXITSTATUS(status) == 0;
 }
 
 void	touch_file (const std::string& filename)
 {
-	if (utimes(filename.c_str(), NULL) == -1) {
+	if (utimes(filename.c_str(), nullptr) == -1 && errno != ENOENT) {
 		throw System_error("utimes", filename, errno);
 	}
 }
 
 void	remove_file (const std::string& filename)
 {
-	if (unlink(filename.c_str()) == -1) {
+	if (unlink(filename.c_str()) == -1 && errno != ENOENT) {
 		throw System_error("unlink", filename, errno);
 	}
 }
@@ -310,25 +179,38 @@ int util_rename (const char* from, const char* to)
 	return rename(from, to);
 }
 
-static int dirfilter (const struct dirent* ent)
-{
-	// filter out . and ..
-	return std::strcmp(ent->d_name, ".") != 0 && std::strcmp(ent->d_name, "..") != 0;
-}
-
 std::vector<std::string> get_directory_contents (const char* path)
 {
-	struct dirent**		namelist;
+	std::vector<std::string>		contents;
-	int			n = scandir(path, &namelist, dirfilter, alphasort);
-	if (n == -1) {
-		throw System_error("scandir", path, errno);
-	}
-	std::vector<std::string>	contents(n);
-	for (int i = 0; i < n; ++i) {
-		contents[i] = namelist[i]->d_name;
-		free(namelist[i]);
-	}
-	free(namelist);
 
+	DIR*					dir = opendir(path);
+	if (!dir) {
+		throw System_error("opendir", path, errno);
+	}
+	try {
+		errno = 0;
+		// Note: readdir is reentrant in new implementations. In old implementations,
+		// it might not be, but git-crypt isn't multi-threaded so that's OK.
+		// We don't use readdir_r because it's buggy and deprecated:
+		//  https://womble.decadent.org.uk/readdir_r-advisory.html
+		//  http://austingroupbugs.net/view.php?id=696
+		//  http://man7.org/linux/man-pages/man3/readdir_r.3.html
+		while (struct dirent* ent = readdir(dir)) {
+			if (!(std::strcmp(ent->d_name, ".") == 0 || std::strcmp(ent->d_name, "..") == 0)) {
+				contents.push_back(ent->d_name);
+			}
+		}
+
+		if (errno) {
+			throw System_error("readdir", path, errno);
+		}
+
+	} catch (...) {
+		closedir(dir);
+		throw;
+	}
+	closedir(dir);
+
+	std::sort(contents.begin(), contents.end());
 	return contents;
 }

util-win32.cpp

@@ -46,12 +46,12 @@ std::string System_error::message () const
 		LPTSTR	error_message;
 		FormatMessageA(
 			FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
-			NULL,
+			nullptr,
 			error,
 			MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
 			reinterpret_cast<LPTSTR>(&error_message),
 			0,
-			NULL);
+			nullptr);
 		mesg += error_message;
 		LocalFree(error_message);
 	}
@@ -100,7 +100,7 @@ void	mkdir_parent (const std::string& path)
 		std::string		prefix(path.substr(0, slash));
 		if (GetFileAttributes(prefix.c_str()) == INVALID_FILE_ATTRIBUTES) {
 			// prefix does not exist, so try to create it
-			if (!CreateDirectory(prefix.c_str(), NULL)) {
+			if (!CreateDirectory(prefix.c_str(), nullptr)) {
 				throw System_error("CreateDirectory", prefix, GetLastError());
 			}
 		}
@@ -114,7 +114,7 @@ std::string our_exe_path ()
 	std::vector<char>	buffer(128);
 	size_t			len;
 
-	while ((len = GetModuleFileNameA(NULL, &buffer[0], buffer.size())) == buffer.size()) {
+	while ((len = GetModuleFileNameA(nullptr, &buffer[0], buffer.size())) == buffer.size()) {
 		// buffer may have been truncated - grow and try again
 		buffer.resize(buffer.size() * 2);
 	}
@@ -125,214 +125,28 @@ std::string our_exe_path ()
 	return std::string(buffer.begin(), buffer.begin() + len);
 }
 
-static void escape_cmdline_argument (std::string& cmdline, const std::string& arg)
+int exit_status (int status)
 {
-	// For an explanation of Win32's arcane argument quoting rules, see:
+	return status;
-	//  http://msdn.microsoft.com/en-us/library/17w5ykft%28v=vs.85%29.aspx
-	//  http://msdn.microsoft.com/en-us/library/bb776391%28v=vs.85%29.aspx
-	//  http://blogs.msdn.com/b/twistylittlepassagesallalike/archive/2011/04/23/everyone-quotes-arguments-the-wrong-way.aspx
-	//  http://blogs.msdn.com/b/oldnewthing/archive/2010/09/17/10063629.aspx
-	cmdline.push_back('"');
-
-	std::string::const_iterator	p(arg.begin());
-	while (p != arg.end()) {
-		if (*p == '"') {
-			cmdline.push_back('\\');
-			cmdline.push_back('"');
-			++p;
-		} else if (*p == '\\') {
-			unsigned int	num_backslashes = 0;
-			while (p != arg.end() && *p == '\\') {
-				++num_backslashes;
-				++p;
-			}
-			if (p == arg.end() || *p == '"') {
-				// Backslashes need to be escaped
-				num_backslashes *= 2;
-			}
-			while (num_backslashes--) {
-				cmdline.push_back('\\');
-			}
-		} else {
-			cmdline.push_back(*p++);
-		}
-	}
-
-	cmdline.push_back('"');
-}
-
-static std::string format_cmdline (const std::vector<std::string>& command)
-{
-	std::string		cmdline;
-	for (std::vector<std::string>::const_iterator arg(command.begin()); arg != command.end(); ++arg) {
-		if (arg != command.begin()) {
-			cmdline.push_back(' ');
-		}
-		escape_cmdline_argument(cmdline, *arg);
-	}
-	return cmdline;
-}
-
-static int wait_for_child (HANDLE child_handle)
-{
-	if (WaitForSingleObject(child_handle, INFINITE) == WAIT_FAILED) {
-		throw System_error("WaitForSingleObject", "", GetLastError());
-	}
-
-	DWORD			exit_code;
-	if (!GetExitCodeProcess(child_handle, &exit_code)) {
-		throw System_error("GetExitCodeProcess", "", GetLastError());
-	}
-
-	return exit_code;
-}
-
-static HANDLE spawn_command (const std::vector<std::string>& command, HANDLE stdin_handle, HANDLE stdout_handle, HANDLE stderr_handle)
-{
-	PROCESS_INFORMATION	proc_info;
-	ZeroMemory(&proc_info, sizeof(proc_info));
-
-	STARTUPINFO		start_info;
-	ZeroMemory(&start_info, sizeof(start_info));
-
-	start_info.cb = sizeof(STARTUPINFO);
-	start_info.hStdInput = stdin_handle ? stdin_handle : GetStdHandle(STD_INPUT_HANDLE);
-	start_info.hStdOutput = stdout_handle ? stdout_handle : GetStdHandle(STD_OUTPUT_HANDLE);
-	start_info.hStdError = stderr_handle ? stderr_handle : GetStdHandle(STD_ERROR_HANDLE);
-	start_info.dwFlags |= STARTF_USESTDHANDLES;
-
-	std::string		cmdline(format_cmdline(command));
-
-	if (!CreateProcessA(NULL,		// application name (NULL to use command line)
-				const_cast<char*>(cmdline.c_str()),
-				NULL,		// process security attributes
-				NULL,		// primary thread security attributes
-				TRUE,		// handles are inherited
-				0,		// creation flags
-				NULL,		// use parent's environment
-				NULL,		// use parent's current directory
-				&start_info,
-				&proc_info)) {
-		throw System_error("CreateProcess", cmdline, GetLastError());
-	}
-
-	CloseHandle(proc_info.hThread);
-
-	return proc_info.hProcess;
-}
-
-int exec_command (const std::vector<std::string>& command)
-{
-	HANDLE			child_handle = spawn_command(command, NULL, NULL, NULL);
-	int			exit_code = wait_for_child(child_handle);
-	CloseHandle(child_handle);
-	return exit_code;
-}
-
-int exec_command (const std::vector<std::string>& command, std::ostream& output)
-{
-	HANDLE			stdout_pipe_reader = NULL;
-	HANDLE			stdout_pipe_writer = NULL;
-	SECURITY_ATTRIBUTES	sec_attr;
-
-	// Set the bInheritHandle flag so pipe handles are inherited.
-	sec_attr.nLength = sizeof(SECURITY_ATTRIBUTES);
-	sec_attr.bInheritHandle = TRUE;
-	sec_attr.lpSecurityDescriptor = NULL;
-
-	// Create a pipe for the child process's STDOUT.
-	if (!CreatePipe(&stdout_pipe_reader, &stdout_pipe_writer, &sec_attr, 0)) {
-		throw System_error("CreatePipe", "", GetLastError());
-	}
-
-	// Ensure the read handle to the pipe for STDOUT is not inherited.
-	if (!SetHandleInformation(stdout_pipe_reader, HANDLE_FLAG_INHERIT, 0)) {
-		throw System_error("SetHandleInformation", "", GetLastError());
-	}
-
-	HANDLE			child_handle = spawn_command(command, NULL, stdout_pipe_writer, NULL);
-	CloseHandle(stdout_pipe_writer);
-
-	// Read from stdout_pipe_reader.
-	// Note that ReadFile on a pipe may return with bytes_read==0 if the other
-	// end of the pipe writes zero bytes, so don't break out of the read loop
-	// when this happens.  When the other end of the pipe closes, ReadFile
-	// fails with ERROR_BROKEN_PIPE.
-	char			buffer[1024];
-	DWORD			bytes_read;
-	while (ReadFile(stdout_pipe_reader, buffer, sizeof(buffer), &bytes_read, NULL)) {
-		output.write(buffer, bytes_read);
-	}
-	const DWORD		read_error = GetLastError();
-	if (read_error != ERROR_BROKEN_PIPE) {
-		throw System_error("ReadFile", "", read_error);
-	}
-
-	CloseHandle(stdout_pipe_reader);
-
-	int			exit_code = wait_for_child(child_handle);
-	CloseHandle(child_handle);
-	return exit_code;
-}
-
-int exec_command_with_input (const std::vector<std::string>& command, const char* p, size_t len)
-{
-	HANDLE			stdin_pipe_reader = NULL;
-	HANDLE			stdin_pipe_writer = NULL;
-	SECURITY_ATTRIBUTES	sec_attr;
-
-	// Set the bInheritHandle flag so pipe handles are inherited.
-	sec_attr.nLength = sizeof(SECURITY_ATTRIBUTES);
-	sec_attr.bInheritHandle = TRUE;
-	sec_attr.lpSecurityDescriptor = NULL;
-
-	// Create a pipe for the child process's STDIN.
-	if (!CreatePipe(&stdin_pipe_reader, &stdin_pipe_writer, &sec_attr, 0)) {
-		throw System_error("CreatePipe", "", GetLastError());
-	}
-
-	// Ensure the write handle to the pipe for STDIN is not inherited.
-	if (!SetHandleInformation(stdin_pipe_writer, HANDLE_FLAG_INHERIT, 0)) {
-		throw System_error("SetHandleInformation", "", GetLastError());
-	}
-
-	HANDLE			child_handle = spawn_command(command, stdin_pipe_reader, NULL, NULL);
-	CloseHandle(stdin_pipe_reader);
-
-	// Write to stdin_pipe_writer.
-	while (len > 0) {
-		DWORD		bytes_written;
-		if (!WriteFile(stdin_pipe_writer, p, len, &bytes_written, NULL)) {
-			throw System_error("WriteFile", "", GetLastError());
-		}
-		p += bytes_written;
-		len -= bytes_written;
-	}
-
-	CloseHandle(stdin_pipe_writer);
-
-	int			exit_code = wait_for_child(child_handle);
-	CloseHandle(child_handle);
-	return exit_code;
-}
-
-bool successful_exit (int status)
-{
-	return status == 0;
 }
 
 void	touch_file (const std::string& filename)
 {
-	HANDLE	fh = CreateFileA(filename.c_str(), FILE_WRITE_ATTRIBUTES, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
+	HANDLE	fh = CreateFileA(filename.c_str(), FILE_WRITE_ATTRIBUTES, FILE_SHARE_READ, nullptr, OPEN_EXISTING, 0, nullptr);
 	if (fh == INVALID_HANDLE_VALUE) {
-		throw System_error("CreateFileA", filename, GetLastError());
+		DWORD	error = GetLastError();
+		if (error == ERROR_FILE_NOT_FOUND) {
+			return;
+		} else {
+			throw System_error("CreateFileA", filename, error);
+		}
 	}
 	SYSTEMTIME	system_time;
 	GetSystemTime(&system_time);
 	FILETIME	file_time;
 	SystemTimeToFileTime(&system_time, &file_time);
 
-	if (!SetFileTime(fh, NULL, NULL, &file_time)) {
+	if (!SetFileTime(fh, nullptr, nullptr, &file_time)) {
 		DWORD	error = GetLastError();
 		CloseHandle(fh);
 		throw System_error("SetFileTime", filename, error);
@@ -343,7 +157,12 @@ void	touch_file (const std::string& filename)
 void	remove_file (const std::string& filename)
 {
 	if (!DeleteFileA(filename.c_str())) {
-		throw System_error("DeleteFileA", filename, GetLastError());
+		DWORD	error = GetLastError();
+		if (error == ERROR_FILE_NOT_FOUND) {
+			return;
+		} else {
+			throw System_error("DeleteFileA", filename, error);
+		}
 	}
 }
 

util.cpp

@@ -30,9 +30,36 @@
 
 #include "git-crypt.hpp"
 #include "util.hpp"
+#include "coprocess.hpp"
 #include <string>
 #include <iostream>
 
+int exec_command (const std::vector<std::string>& args)
+{
+	Coprocess	proc;
+	proc.spawn(args);
+	return proc.wait();
+}
+
+int exec_command (const std::vector<std::string>& args, std::ostream& output)
+{
+	Coprocess	proc;
+	std::istream*	proc_stdout = proc.stdout_pipe();
+	proc.spawn(args);
+	output << proc_stdout->rdbuf();
+	return proc.wait();
+}
+
+int exec_command_with_input (const std::vector<std::string>& args, const char* p, size_t len)
+{
+	Coprocess	proc;
+	std::ostream*	proc_stdin = proc.stdin_pipe();
+	proc.spawn(args);
+	proc_stdin->write(p, len);
+	proc.close_stdin();
+	return proc.wait();
+}
+
 std::string	escape_shell_arg (const std::string& str)
 {
 	std::string	new_str;

util.hpp

@@ -63,9 +63,10 @@ std::string	our_exe_path ();
 int		exec_command (const std::vector<std::string>&);
 int		exec_command (const std::vector<std::string>&, std::ostream& output);
 int		exec_command_with_input (const std::vector<std::string>&, const char* p, size_t len);
-bool		successful_exit (int status);
+int		exit_status (int wait_status); // returns -1 if process did not exit (but was signaled, etc.)
-void		touch_file (const std::string&);
+inline bool	successful_exit (int wait_status) { return exit_status(wait_status) == 0; }
-void		remove_file (const std::string&);
+void		touch_file (const std::string&); // ignores non-existent files
+void		remove_file (const std::string&); // ignores non-existent files
 std::string	escape_shell_arg (const std::string&);
 uint32_t	load_be32 (const unsigned char*);
 void		store_be32 (unsigned char*, uint32_t);