Update Debian packaging for 0.5.0-1

git-crypt 0.5.0

git-crypt 0.5.0 brings a substantial performance boost to 'git-crypt
unlock' and 'git-crypt lock' under Git 1.8.5 and higher.  The improvement
should be particularly noticeable in repositories with lots of files.

In addition, there are some minor bug fixes and usability improvements.
'git-crypt gpg-add-user' now has a --trusted option which you can use
to force the addition of a user even if GPG doesn't trust the key.

Finally, git-crypt now has a man page!  To install it, pass ENABLE_MAN=yes
to 'make' and 'make install' (this will be the default once I iron out
the build system).

See the NEWS file, or the Git commit history, for a more detailed list
of changes.

INSTALL

@@ -1,23 +1,48 @@
 DEPENDENCIES
 
+To build git-crypt, you need:
+
+                                Debian/Ubuntu package   RHEL/CentOS package
+  -----------------------------------------------------------------------------
+  Make                          make                    make
+  A C++ compiler (e.g. gcc)     g++                     gcc-c++
+  OpenSSL development files     libssl-dev              openssl-devel
+
+
 To use git-crypt, you need:
 
-	* Git 1.7.2 or newer
-	* OpenSSL
+                                Debian/Ubuntu package   RHEL/CentOS package
+  -----------------------------------------------------------------------------
+  Git 1.7.2 or newer            git                     git
+  OpenSSL                       openssl                 openssl
 
-To build git-crypt, you need a C++ compiler and OpenSSL development
-headers.
+Note: Git 1.8.5 or newer is recommended for best performance.
 
 
 BUILDING GIT-CRYPT
 
-The Makefile is tailored for g++, but should work with other compilers.
+Run:
 
 	$ make
-	$ cp git-crypt /usr/local/bin/
+	$ make install
 
-It doesn't matter where you install the git-crypt binary - choose wherever
-is most convenient for you.
+To install to a specific location:
+
+	$ make install PREFIX=/usr/local
+
+Or, just copy the git-crypt binary to wherever is most convenient for you.
+
+
+BUILDING THE MAN PAGE
+
+To build and install the git-crypt(1) man page, pass ENABLE_MAN=yes to make:
+
+	$ make ENABLE_MAN=yes
+	$ make ENABLE_MAN=yes install
+
+xsltproc is required to build the man page.  Note that xsltproc will access
+the Internet to retrieve its stylesheet unless the Docbook stylesheet is
+installed locally and registered in the system's XML catalog.
 
 
 BUILDING A DEBIAN PACKAGE

INSTALL.md

@@ -1,29 +1,51 @@
-Dependencies
-------------
+### Dependencies
+
+To build git-crypt, you need:
+
+                           | Debian/Ubuntu package | RHEL/CentOS package
+---------------------------|-----------------------|------------------------
+Make                       | make                  | make
+A C++ compiler (e.g. gcc)  | g++                   | gcc-c++
+OpenSSL development files  | libssl-dev            | openssl-devel
+
 
 To use git-crypt, you need:
 
-*   Git 1.7.2 or newer
-*   OpenSSL
+                           | Debian/Ubuntu package | RHEL/CentOS package
+---------------------------|-----------------------|------------------------
+Git 1.7.2 or newer         | git                   | git
+OpenSSL                    | openssl               | openssl
 
-To build git-crypt, you need a C++ compiler and OpenSSL development
-headers.
+Note: Git 1.8.5 or newer is recommended for best performance.
 
 
-Building git-crypt
-------------------
+### Building git-crypt
 
-The Makefile is tailored for g++, but should work with other compilers.
+Run:
 
     make
-    cp git-crypt /usr/local/bin/
+    make install
 
-It doesn't matter where you install the git-crypt binary - choose
-wherever is most convenient for you.
+To install to a specific location:
+
+    make install PREFIX=/usr/local
+
+Or, just copy the git-crypt binary to wherever is most convenient for you.
 
 
-Building A Debian Package
--------------------------
+### Building The Man Page
+
+To build and install the git-crypt(1) man page, pass `ENABLE_MAN=yes` to make:
+
+    make ENABLE_MAN=yes
+    make ENABLE_MAN=yes install
+
+xsltproc is required to build the man page.  Note that xsltproc will access
+the Internet to retrieve its stylesheet unless the Docbook stylesheet is
+installed locally and registered in the system's XML catalog.
+
+
+### Building A Debian Package
 
 Debian packaging can be found in the 'debian' branch of the project Git
 repository.  The package is built using git-buildpackage as follows:
@@ -32,15 +54,13 @@ repository.  The package is built using git-buildpackage as follows:
     git-buildpackage -uc -us
 
 
-Installing On Mac OS X
-----------------------
+### Installing On Mac OS X
 
 Using the brew package manager, simply run:
 
     brew install git-crypt
 
-Experimental Windows Support
-----------------------------
+### Experimental Windows Support
 
 git-crypt should build on Windows with MinGW, although the build system
 is not yet finalized so you will need to pass your own CXX, CXXFLAGS, and

Makefile

@@ -1,7 +1,16 @@
-CXX := c++
-CXXFLAGS := -Wall -pedantic -Wno-long-long -O2
-LDFLAGS :=
-PREFIX := /usr/local
+#
+# Copyright (c) 2015 Andrew Ayer
+#
+# See COPYING file for license information.
+#
+
+CXXFLAGS ?= -Wall -pedantic -Wno-long-long -O2
+PREFIX ?= /usr/local
+BINDIR ?= $(PREFIX)/bin
+MANDIR ?= $(PREFIX)/share/man
+
+ENABLE_MAN ?= no
+DOCBOOK_XSL ?= http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl
 
 OBJFILES = \
     git-crypt.o \
@@ -10,22 +19,76 @@ OBJFILES = \
     gpg.o \
     key.o \
     util.o \
-    parse_options.o
+    parse_options.o \
+    coprocess.o \
+    fhstream.o
 
 OBJFILES += crypto-openssl.o
 LDFLAGS += -lcrypto
 
-all: git-crypt
+XSLTPROC ?= xsltproc
+DOCBOOK_FLAGS += --param man.output.in.separate.dir 1 \
+		 --stringparam man.output.base.dir man/ \
+		 --param man.output.subdirs.enabled 1 \
+		 --param man.authors.section.enabled 1
+
+all: build
+
+#
+# Build
+#
+BUILD_MAN_TARGETS-yes = build-man
+BUILD_MAN_TARGETS-no =
+BUILD_TARGETS := build-bin $(BUILD_MAN_TARGETS-$(ENABLE_MAN))
+
+build: $(BUILD_TARGETS)
+
+build-bin: git-crypt
 
 git-crypt: $(OBJFILES)
 	$(CXX) $(CXXFLAGS) -o $@ $(OBJFILES) $(LDFLAGS)
 
 util.o: util.cpp util-unix.cpp util-win32.cpp
+coprocess.o: coprocess.cpp coprocess-unix.cpp coprocess-win32.cpp
 
-clean:
-	rm -f *.o git-crypt
+build-man: man/man1/git-crypt.1
 
-install: git-crypt
-	install -m 755 git-crypt $(DESTDIR)$(PREFIX)/bin/
+man/man1/git-crypt.1: man/git-crypt.xml
+	$(XSLTPROC) $(DOCBOOK_FLAGS) $(DOCBOOK_XSL) $<
 
-.PHONY: all clean install
+#
+# Clean
+#
+CLEAN_MAN_TARGETS-yes = clean-man
+CLEAN_MAN_TARGETS-no =
+CLEAN_TARGETS := clean-bin $(CLEAN_MAN_TARGETS-$(ENABLE_MAN))
+
+clean: $(CLEAN_TARGETS)
+
+clean-bin:
+	rm -f $(OBJFILES) git-crypt
+
+clean-man:
+	rm -f man/man1/git-crypt.1
+
+#
+# Install
+#
+INSTALL_MAN_TARGETS-yes = install-man
+INSTALL_MAN_TARGETS-no =
+INSTALL_TARGETS := install-bin $(INSTALL_MAN_TARGETS-$(ENABLE_MAN))
+
+install: $(INSTALL_TARGETS)
+
+install-bin: build-bin
+	install -d $(DESTDIR)$(BINDIR)
+	install -m 755 git-crypt $(DESTDIR)$(BINDIR)/
+
+install-man: build-man
+	install -d $(DESTDIR)$(MANDIR)/man1
+	install -m 644 man/man1/git-crypt.1 $(DESTDIR)$(MANDIR)/man1/
+
+.PHONY: all \
+	build build-bin build-man \
+	clean clean-bin clean-man \
+	install install-bin install-man

NEWS

@@ -1,3 +1,14 @@
+v0.5.0 (2015-05-30)
+  * Drastically speed up lock/unlock when used with Git 1.8.5 or newer.
+  * Add git-crypt(1) man page (pass ENABLE_MAN=yes to make to build).
+  * Add --trusted option to 'git-crypt gpg-add-user' to add user even if
+    GPG doesn't trust user's key.
+  * Improve 'git-crypt lock' usability, add --force option.
+  * Ignore symlinks and other non-files when running 'git-crypt status'.
+  * Fix compilation on old versions of Mac OS X.
+  * Fix GPG mode when with-fingerprint enabled in gpg.conf.
+  * Minor bug fixes and improvements to help/error messages.
+
 v0.4.2 (2015-01-31)
   * Fix unlock and lock under Git 2.2.2 and higher.
   * Drop support for versions of Git older than 1.7.2.

NEWS.md

@@ -1,6 +1,17 @@
 News
 ====
 
+######v0.5.0 (2015-05-30)
+* Drastically speed up lock/unlock when used with Git 1.8.5 or newer.
+* Add git-crypt(1) man page (pass `ENABLE_MAN=yes` to make to build).
+* Add --trusted option to `git-crypt gpg-add-user` to add user even if
+  GPG doesn't trust user's key.
+* Improve `git-crypt lock` usability, add --force option.
+* Ignore symlinks and other non-files when running `git-crypt status`.
+* Fix compilation on old versions of Mac OS X.
+* Fix GPG mode when with-fingerprint enabled in gpg.conf.
+* Minor bug fixes and improvements to help/error messages.
+
 ######v0.4.2 (2015-01-31)
 * Fix unlock and lock under Git 2.2.2 and higher.
 * Drop support for versions of Git older than 1.7.2.

README

@@ -33,7 +33,10 @@ Specify files to encrypt by creating a .gitattributes file:
 
 Like a .gitignore file, it can match wildcards and should be checked into
 the repository.  See below for more information about .gitattributes.
-Make sure you don't accidentally encrypt the .gitattributes file itself!
+Make sure you don't accidentally encrypt the .gitattributes file itself
+(or other git files like .gitignore or .gitmodules).  Make sure your
+.gitattributes rules are in place *before* you add sensitive files, or
+those files won't be encrypted!
 
 Share the repository with others (or with yourself) using GPG:
 
@@ -66,7 +69,7 @@ encryption and decryption happen transparently.
 
 CURRENT STATUS
 
-The latest version of git-crypt is 0.4.2, released on 2015-01-31.
+The latest version of git-crypt is 0.5.0, released on 2015-05-30.
 git-crypt aims to be bug-free and reliable, meaning it shouldn't
 crash, malfunction, or expose your confidential data.  However,
 it has not yet reached maturity, meaning it is not as documented,
@@ -78,13 +81,13 @@ SECURITY
 
 git-crypt is more secure that other transparent git encryption systems.
 git-crypt encrypts files using AES-256 in CTR mode with a synthetic IV
-derived from the SHA-1 HMAC of the file.  This is provably semantically
-secure under deterministic chosen-plaintext attack.  That means that
-although the encryption is deterministic (which is required so git can
-distinguish when a file has and hasn't changed), it leaks no information
-beyond whether two files are identical or not.  Other proposals for
-transparent git encryption use ECB or CBC with a fixed IV.  These systems
-are not semantically secure and leak information.
+derived from the SHA-1 HMAC of the file.  This mode of operation is
+provably semantically secure under deterministic chosen-plaintext attack.
+That means that although the encryption is deterministic (which is
+required so git can distinguish when a file has and hasn't changed),
+it leaks no information beyond whether two files are identical or not.
+Other proposals for transparent git encryption use ECB or CBC with a
+fixed IV.  These systems are not semantically secure and leak information.
 
 
 LIMITATIONS
@@ -98,7 +101,12 @@ need to encrypt.  For encrypting an entire repository, consider using a
 system like git-remote-gcrypt <https://github.com/joeyh/git-remote-gcrypt>
 instead.  (Note: no endorsement is made of git-remote-gcrypt's security.)
 
-git-crypt does not encrypt file names, commit messages, or other metadata.
+git-crypt does not encrypt file names, commit messages, symlink targets,
+gitlinks, or other metadata.
+
+git-crypt does not hide when a file does or doesn't change, the length
+of a file, or the fact that two files are identical (see "Security"
+section above).
 
 Files encrypted with git-crypt are not compressible.  Even the smallest
 change to an encrypted file requires git to store the entire changed file,
@@ -116,9 +124,9 @@ the patch itself is encrypted.  To generate an encrypted patch, use `git
 diff --no-textconv --binary`.  Alternatively, you can apply a plaintext
 patch outside of git using the patch command.
 
-git-crypt does not work reliably with Atlassian SourceTree.
-Files might be left in an unencrypted state.  See
-<https://jira.atlassian.com/browse/SRCTREE-2511>.
+git-crypt does not work reliably with some third-party git GUIs, such
+as Atlassian SourceTree <https://jira.atlassian.com/browse/SRCTREE-2511>
+and GitHub for Mac.  Files might be left in an unencrypted state.
 
 
 GITATTRIBUTES FILE

README.md

@@ -34,7 +34,10 @@ Specify files to encrypt by creating a .gitattributes file:
 
 Like a .gitignore file, it can match wildcards and should be checked into
 the repository.  See below for more information about .gitattributes.
-Make sure you don't accidentally encrypt the .gitattributes file itself!
+Make sure you don't accidentally encrypt the .gitattributes file itself
+(or other git files like .gitignore or .gitmodules).  Make sure your
+.gitattributes rules are in place *before* you add sensitive files, or
+those files won't be encrypted!
 
 Share the repository with others (or with yourself) using GPG:
 
@@ -67,8 +70,8 @@ encryption and decryption happen transparently.
 Current Status
 --------------
 
-The latest version of git-crypt is [0.4.2](NEWS.md), released on
-2015-01-31.  git-crypt aims to be bug-free and reliable, meaning it
+The latest version of git-crypt is [0.5.0](NEWS.md), released on
+2015-05-30.  git-crypt aims to be bug-free and reliable, meaning it
 shouldn't crash, malfunction, or expose your confidential data.
 However, it has not yet reached maturity, meaning it is not as
 documented, featureful, or easy-to-use as it should be.  Additionally,
@@ -80,13 +83,13 @@ Security
 
 git-crypt is more secure that other transparent git encryption systems.
 git-crypt encrypts files using AES-256 in CTR mode with a synthetic IV
-derived from the SHA-1 HMAC of the file.  This is provably semantically
-secure under deterministic chosen-plaintext attack.  That means that
-although the encryption is deterministic (which is required so git can
-distinguish when a file has and hasn't changed), it leaks no information
-beyond whether two files are identical or not.  Other proposals for
-transparent git encryption use ECB or CBC with a fixed IV.  These
-systems are not semantically secure and leak information.
+derived from the SHA-1 HMAC of the file.  This mode of operation is
+provably semantically secure under deterministic chosen-plaintext attack.
+That means that although the encryption is deterministic (which is
+required so git can distinguish when a file has and hasn't changed),
+it leaks no information beyond whether two files are identical or not.
+Other proposals for transparent git encryption use ECB or CBC with a
+fixed IV.  These systems are not semantically secure and leak information.
 
 Limitations
 -----------
@@ -100,7 +103,12 @@ need to encrypt.  For encrypting an entire repository, consider using a
 system like [git-remote-gcrypt](https://github.com/joeyh/git-remote-gcrypt)
 instead.  (Note: no endorsement is made of git-remote-gcrypt's security.)
 
-git-crypt does not encrypt file names, commit messages, or other metadata.
+git-crypt does not encrypt file names, commit messages, symlink targets,
+gitlinks, or other metadata.
+
+git-crypt does not hide when a file does or doesn't change, the length
+of a file, or the fact that two files are identical (see "Security"
+section above).
 
 Files encrypted with git-crypt are not compressible.  Even the smallest
 change to an encrypted file requires git to store the entire changed file,
@@ -118,9 +126,9 @@ the patch itself is encrypted.  To generate an encrypted patch, use `git
 diff --no-textconv --binary`.  Alternatively, you can apply a plaintext
 patch outside of git using the patch command.
 
-git-crypt does [not work reliably with Atlassian
-SourceTree](https://jira.atlassian.com/browse/SRCTREE-2511).  Files might
-be left in an unencrypted state.
+git-crypt does not work reliably with some third-party git GUIs, such
+as [Atlassian SourceTree](https://jira.atlassian.com/browse/SRCTREE-2511)
+and GitHub for Mac.  Files might be left in an unencrypted state.
 
 Gitattributes File
 ------------------

commands.cpp

@@ -34,6 +34,7 @@
 #include "key.hpp"
 #include "gpg.hpp"
 #include "parse_options.hpp"
+#include "coprocess.hpp"
 #include <unistd.h>
 #include <stdint.h>
 #include <algorithm>
@@ -60,6 +61,49 @@ static std::string attribute_name (const char* key_name)
 	}
 }
 
+static std::string git_version_string ()
+{
+	std::vector<std::string>	command;
+	command.push_back("git");
+	command.push_back("version");
+
+	std::stringstream		output;
+	if (!successful_exit(exec_command(command, output))) {
+		throw Error("'git version' failed - is Git installed?");
+	}
+	std::string			word;
+	output >> word; // "git"
+	output >> word; // "version"
+	output >> word; // "1.7.10.4"
+	return word;
+}
+
+static std::vector<int> parse_version (const std::string& str)
+{
+	std::istringstream	in(str);
+	std::vector<int>	version;
+	std::string		component;
+	while (std::getline(in, component, '.')) {
+		version.push_back(std::atoi(component.c_str()));
+	}
+	return version;
+}
+
+static const std::vector<int>& git_version ()
+{
+	static const std::vector<int> version(parse_version(git_version_string()));
+	return version;
+}
+
+static std::vector<int> make_version (int a, int b, int c)
+{
+	std::vector<int>	version;
+	version.push_back(a);
+	version.push_back(b);
+	version.push_back(c);
+	return version;
+}
+
 static void git_config (const std::string& name, const std::string& value)
 {
 	std::vector<std::string>	command;
@@ -73,7 +117,23 @@ static void git_config (const std::string& name, const std::string& value)
 	}
 }
 
-static void git_unconfig (const std::string& name)
+static bool git_has_config (const std::string& name)
+{
+	std::vector<std::string>	command;
+	command.push_back("git");
+	command.push_back("config");
+	command.push_back("--get-all");
+	command.push_back(name);
+
+	std::stringstream		output;
+	switch (exit_status(exec_command(command, output))) {
+		case 0:  return true;
+		case 1:  return false;
+		default: throw Error("'git config' failed");
+	}
+}
+
+static void git_deconfig (const std::string& name)
 {
 	std::vector<std::string>	command;
 	command.push_back("git");
@@ -107,11 +167,19 @@ static void configure_git_filters (const char* key_name)
 	}
 }
 
-static void unconfigure_git_filters (const char* key_name)
+static void deconfigure_git_filters (const char* key_name)
 {
-	// unconfigure the git-crypt filters
-	git_unconfig("filter." + attribute_name(key_name));
-	git_unconfig("diff." + attribute_name(key_name));
+	// deconfigure the git-crypt filters
+	if (git_has_config("filter." + attribute_name(key_name) + ".smudge") ||
+			git_has_config("filter." + attribute_name(key_name) + ".clean") ||
+			git_has_config("filter." + attribute_name(key_name) + ".required")) {
+
+		git_deconfig("filter." + attribute_name(key_name));
+	}
+
+	if (git_has_config("diff." + attribute_name(key_name) + ".textconv")) {
+		git_deconfig("diff." + attribute_name(key_name));
+	}
 }
 
 static bool git_checkout (const std::vector<std::string>& paths)
@@ -260,7 +328,6 @@ static void get_git_status (std::ostream& output)
 static std::pair<std::string, std::string> get_file_attributes (const std::string& filename)
 {
 	// git check-attr filter diff -- filename
-	// TODO: pass -z to get machine-parseable output (this requires Git 1.8.5 or higher, which was released on 27 Nov 2013)
 	std::vector<std::string>	command;
 	command.push_back("git");
 	command.push_back("check-attr");
@@ -309,6 +376,36 @@ static std::pair<std::string, std::string> get_file_attributes (const std::strin
 	return std::make_pair(filter_attr, diff_attr);
 }
 
+// returns filter and diff attributes as a pair
+static std::pair<std::string, std::string> get_file_attributes (const std::string& filename, std::ostream& check_attr_stdin, std::istream& check_attr_stdout)
+{
+	check_attr_stdin << filename << '\0' << std::flush;
+
+	std::string			filter_attr;
+	std::string			diff_attr;
+
+	// Example output:
+	// filename\0filter\0git-crypt\0filename\0diff\0git-crypt\0
+	for (int i = 0; i < 2; ++i) {
+		std::string		filename;
+		std::string		attr_name;
+		std::string		attr_value;
+		std::getline(check_attr_stdout, filename, '\0');
+		std::getline(check_attr_stdout, attr_name, '\0');
+		std::getline(check_attr_stdout, attr_value, '\0');
+
+		if (attr_value != "unspecified" && attr_value != "unset" && attr_value != "set") {
+			if (attr_name == "filter") {
+				filter_attr = attr_value;
+			} else if (attr_name == "diff") {
+				diff_attr = attr_value;
+			}
+		}
+	}
+
+	return std::make_pair(filter_attr, diff_attr);
+}
+
 static bool check_if_blob_is_encrypted (const std::string& object_id)
 {
 	// git cat-file blob object_id
@@ -356,31 +453,80 @@ static bool check_if_file_is_encrypted (const std::string& filename)
 	return check_if_blob_is_encrypted(object_id);
 }
 
+static bool is_git_file_mode (const std::string& mode)
+{
+	return (std::strtoul(mode.c_str(), NULL, 8) & 0170000) == 0100000;
+}
+
 static void get_encrypted_files (std::vector<std::string>& files, const char* key_name)
 {
 	// git ls-files -cz -- path_to_top
-	std::vector<std::string>	command;
-	command.push_back("git");
-	command.push_back("ls-files");
-	command.push_back("-cz");
-	command.push_back("--");
+	std::vector<std::string>	ls_files_command;
+	ls_files_command.push_back("git");
+	ls_files_command.push_back("ls-files");
+	ls_files_command.push_back("-csz");
+	ls_files_command.push_back("--");
 	const std::string		path_to_top(get_path_to_top());
 	if (!path_to_top.empty()) {
-		command.push_back(path_to_top);
+		ls_files_command.push_back(path_to_top);
 	}
 
-	std::stringstream		output;
-	if (!successful_exit(exec_command(command, output))) {
+	Coprocess			ls_files;
+	std::istream*			ls_files_stdout = ls_files.stdout_pipe();
+	ls_files.spawn(ls_files_command);
+
+	Coprocess			check_attr;
+	std::ostream*			check_attr_stdin = NULL;
+	std::istream*			check_attr_stdout = NULL;
+	if (git_version() >= make_version(1, 8, 5)) {
+		// In Git 1.8.5 (released 27 Nov 2013) and higher, we use a single `git check-attr` process
+		// to get the attributes of all files at once.  In prior versions, we have to fork and exec
+		// a separate `git check-attr` process for each file, since -z and --stdin aren't supported.
+		// In a repository with thousands of files, this results in an almost 100x speedup.
+		std::vector<std::string>	check_attr_command;
+		check_attr_command.push_back("git");
+		check_attr_command.push_back("check-attr");
+		check_attr_command.push_back("--stdin");
+		check_attr_command.push_back("-z");
+		check_attr_command.push_back("filter");
+		check_attr_command.push_back("diff");
+
+		check_attr_stdin = check_attr.stdin_pipe();
+		check_attr_stdout = check_attr.stdout_pipe();
+		check_attr.spawn(check_attr_command);
+	}
+
+	while (ls_files_stdout->peek() != -1) {
+		std::string		mode;
+		std::string		object_id;
+		std::string		stage;
+		std::string		filename;
+		*ls_files_stdout >> mode >> object_id >> stage >> std::ws;
+		std::getline(*ls_files_stdout, filename, '\0');
+
+		if (is_git_file_mode(mode)) {
+			std::string	filter_attribute;
+
+			if (check_attr_stdin) {
+				filter_attribute = get_file_attributes(filename, *check_attr_stdin, *check_attr_stdout).first;
+			} else {
+				filter_attribute = get_file_attributes(filename).first;
+			}
+
+			if (filter_attribute == attribute_name(key_name)) {
+				files.push_back(filename);
+			}
+		}
+	}
+
+	if (!successful_exit(ls_files.wait())) {
 		throw Error("'git ls-files' failed - is this a Git repository?");
 	}
 
-	while (output.peek() != -1) {
-		std::string		filename;
-		std::getline(output, filename, '\0');
-
-		// TODO: get file attributes en masse for efficiency... unfortunately this requires machine-parseable output from git check-attr to be workable, and this is only supported in Git 1.8.5 and above (released 27 Nov 2013)
-		if (get_file_attributes(filename).first == attribute_name(key_name)) {
-			files.push_back(filename);
+	if (check_attr_stdin) {
+		check_attr.close_stdin();
+		if (!successful_exit(check_attr.wait())) {
+			throw Error("'git check-attr' failed - is this a Git repository?");
 		}
 	}
 }
@@ -462,7 +608,7 @@ static bool decrypt_repo_keys (std::vector<Key_file>& key_files, uint32_t key_ve
 	return successful;
 }
 
-static void encrypt_repo_key (const char* key_name, const Key_file::Entry& key, const std::vector<std::string>& collab_keys, const std::string& keys_path, std::vector<std::string>* new_files)
+static void encrypt_repo_key (const char* key_name, const Key_file::Entry& key, const std::vector<std::pair<std::string, bool> >& collab_keys, const std::string& keys_path, std::vector<std::string>* new_files)
 {
 	std::string	key_file_data;
 	{
@@ -472,9 +618,11 @@ static void encrypt_repo_key (const char* key_name, const Key_file::Entry& key,
 		key_file_data = this_version_key_file.store_to_string();
 	}
 
-	for (std::vector<std::string>::const_iterator collab(collab_keys.begin()); collab != collab_keys.end(); ++collab) {
+	for (std::vector<std::pair<std::string, bool> >::const_iterator collab(collab_keys.begin()); collab != collab_keys.end(); ++collab) {
+		const std::string&	fingerprint(collab->first);
+		const bool		key_is_trusted(collab->second);
 		std::ostringstream	path_builder;
-		path_builder << keys_path << '/' << (key_name ? key_name : "default") << '/' << key.version << '/' << *collab << ".gpg";
+		path_builder << keys_path << '/' << (key_name ? key_name : "default") << '/' << key.version << '/' << fingerprint << ".gpg";
 		std::string		path(path_builder.str());
 
 		if (access(path.c_str(), F_OK) == 0) {
@@ -482,7 +630,7 @@ static void encrypt_repo_key (const char* key_name, const Key_file::Entry& key,
 		}
 
 		mkdir_parent(path);
-		gpg_encrypt_to_file(path, *collab, key_file_data.data(), key_file_data.size());
+		gpg_encrypt_to_file(path, fingerprint, key_is_trusted, key_file_data.data(), key_file_data.size());
 		new_files->push_back(path);
 	}
 }
@@ -813,12 +961,7 @@ int unlock (int argc, const char** argv)
 		return 1;
 	}
 
-	// 2. Determine the path to the top of the repository.  We pass this as the argument
-	// to 'git checkout' below. (Determine the path now so in case it fails we haven't already
-	// mucked with the git config.)
-	std::string		path_to_top(get_path_to_top());
-
-	// 3. Load the key(s)
+	// 2. Load the key(s)
 	std::vector<Key_file>	key_files;
 	if (argc > 0) {
 		// Read from the symmetric key file(s)
@@ -866,7 +1009,7 @@ int unlock (int argc, const char** argv)
 	}
 
 
-	// 4. Install the key(s) and configure the git filters
+	// 3. Install the key(s) and configure the git filters
 	std::vector<std::string>	encrypted_files;
 	for (std::vector<Key_file>::iterator key_file(key_files.begin()); key_file != key_files.end(); ++key_file) {
 		std::string		internal_key_path(get_internal_key_path(key_file->get_key_name()));
@@ -881,7 +1024,7 @@ int unlock (int argc, const char** argv)
 		get_encrypted_files(encrypted_files, key_file->get_key_name());
 	}
 
-	// 5. Check out the files that are currently encrypted.
+	// 4. Check out the files that are currently encrypted.
 	// Git won't check out a file if its mtime hasn't changed, so touch every file first.
 	for (std::vector<std::string>::const_iterator file(encrypted_files.begin()); file != encrypted_files.end(); ++file) {
 		touch_file(*file);
@@ -900,19 +1043,23 @@ void help_lock (std::ostream& out)
 	//     |--------------------------------------------------------------------------------| 80 chars
 	out << "Usage: git-crypt lock [OPTIONS]" << std::endl;
 	out << std::endl;
-	out << "    -a, --all                   Lock all keys, instead of just the default" << std::endl;
-	out << "    -k, --key-name KEYNAME      Lock the given key, instead of the default" << std::endl;
+	out << "    -a, --all                Lock all keys, instead of just the default" << std::endl;
+	out << "    -k, --key-name KEYNAME   Lock the given key, instead of the default" << std::endl;
+	out << "    -f, --force              Lock even if unclean (you may lose uncommited work)" << std::endl;
 	out << std::endl;
 }
 int lock (int argc, const char** argv)
 {
 	const char*	key_name = 0;
-	bool all_keys = false;
+	bool		all_keys = false;
+	bool		force = false;
 	Options_list	options;
 	options.push_back(Option_def("-k", &key_name));
 	options.push_back(Option_def("--key-name", &key_name));
 	options.push_back(Option_def("-a", &all_keys));
 	options.push_back(Option_def("--all", &all_keys));
+	options.push_back(Option_def("-f", &force));
+	options.push_back(Option_def("--force", &force));
 
 	int			argi = parse_options(options, argc, argv);
 
@@ -936,34 +1083,30 @@ int lock (int argc, const char** argv)
 
 	std::stringstream	status_output;
 	get_git_status(status_output);
-	if (status_output.peek() != -1) {
+	if (!force && status_output.peek() != -1) {
 		std::clog << "Error: Working directory not clean." << std::endl;
 		std::clog << "Please commit your changes or 'git stash' them before running 'git-crypt lock'." << std::endl;
+		std::clog << "Or, use 'git-crypt lock --force' and possibly lose uncommitted changes." << std::endl;
 		return 1;
 	}
 
-	// 2. Determine the path to the top of the repository.  We pass this as the argument
-	// to 'git checkout' below. (Determine the path now so in case it fails we haven't already
-	// mucked with the git config.)
-	std::string		path_to_top(get_path_to_top());
-
-	// 3. unconfigure the git filters and remove decrypted keys
+	// 2. deconfigure the git filters and remove decrypted keys
 	std::vector<std::string>	encrypted_files;
 	if (all_keys) {
-		// unconfigure for all keys
+		// deconfigure for all keys
 		std::vector<std::string> dirents = get_directory_contents(get_internal_keys_path().c_str());
 
 		for (std::vector<std::string>::const_iterator dirent(dirents.begin()); dirent != dirents.end(); ++dirent) {
 			const char* this_key_name = (*dirent == "default" ? 0 : dirent->c_str());
 			remove_file(get_internal_key_path(this_key_name));
-			unconfigure_git_filters(this_key_name);
+			deconfigure_git_filters(this_key_name);
 			get_encrypted_files(encrypted_files, this_key_name);
 		}
 	} else {
 		// just handle the given key
 		std::string	internal_key_path(get_internal_key_path(key_name));
 		if (access(internal_key_path.c_str(), F_OK) == -1 && errno == ENOENT) {
-			std::clog << "Error: this repository is not currently locked";
+			std::clog << "Error: this repository is already locked";
 			if (key_name) {
 				std::clog << " with key '" << key_name << "'";
 			}
@@ -972,11 +1115,11 @@ int lock (int argc, const char** argv)
 		}
 
 		remove_file(internal_key_path);
-		unconfigure_git_filters(key_name);
+		deconfigure_git_filters(key_name);
 		get_encrypted_files(encrypted_files, key_name);
 	}
 
-	// 4. Check out the files that are currently decrypted but should be encrypted.
+	// 3. Check out the files that are currently decrypted but should be encrypted.
 	// Git won't check out a file if its mtime hasn't changed, so touch every file first.
 	for (std::vector<std::string>::const_iterator file(encrypted_files.begin()); file != encrypted_files.end(); ++file) {
 		touch_file(*file);
@@ -997,17 +1140,20 @@ void help_add_gpg_user (std::ostream& out)
 	out << std::endl;
 	out << "    -k, --key-name KEYNAME      Add GPG user to given key, instead of default" << std::endl;
 	out << "    -n, --no-commit             Don't automatically commit" << std::endl;
+	out << "    --trusted                   Assume the GPG user IDs are trusted" << std::endl;
 	out << std::endl;
 }
 int add_gpg_user (int argc, const char** argv)
 {
 	const char*		key_name = 0;
 	bool			no_commit = false;
+	bool			trusted = false;
 	Options_list		options;
 	options.push_back(Option_def("-k", &key_name));
 	options.push_back(Option_def("--key-name", &key_name));
 	options.push_back(Option_def("-n", &no_commit));
 	options.push_back(Option_def("--no-commit", &no_commit));
+	options.push_back(Option_def("--trusted", &trusted));
 
 	int			argi = parse_options(options, argc, argv);
 	if (argc - argi == 0) {
@@ -1016,8 +1162,8 @@ int add_gpg_user (int argc, const char** argv)
 		return 2;
 	}
 
-	// build a list of key fingerprints for every collaborator specified on the command line
-	std::vector<std::string>	collab_keys;
+	// build a list of key fingerprints, and whether the key is trusted, for every collaborator specified on the command line
+	std::vector<std::pair<std::string, bool> >	collab_keys;
 
 	for (int i = argi; i < argc; ++i) {
 		std::vector<std::string> keys(gpg_lookup_key(argv[i]));
@@ -1029,7 +1175,9 @@ int add_gpg_user (int argc, const char** argv)
 			std::clog << "Error: more than one public key matches '" << argv[i] << "' - please be more specific" << std::endl;
 			return 1;
 		}
-		collab_keys.push_back(keys[0]);
+
+		const bool is_full_fingerprint(std::strncmp(argv[i], "0x", 2) == 0 && std::strlen(argv[i]) == 42);
+		collab_keys.push_back(std::make_pair(keys[0], trusted || is_full_fingerprint));
 	}
 
 	// TODO: have a retroactive option to grant access to all key versions, not just the most recent
@@ -1050,6 +1198,9 @@ int add_gpg_user (int argc, const char** argv)
 	const std::string		state_gitattributes_path(state_path + "/.gitattributes");
 	if (access(state_gitattributes_path.c_str(), F_OK) != 0) {
 		std::ofstream		state_gitattributes_file(state_gitattributes_path.c_str());
+		//                          |--------------------------------------------------------------------------------| 80 chars
+		state_gitattributes_file << "# Do not edit this file.  To specify the files to encrypt, create your own\n";
+		state_gitattributes_file << "# .gitattributes file in the directory where your files are.\n";
 		state_gitattributes_file << "* !filter !diff\n";
 		state_gitattributes_file.close();
 		if (!state_gitattributes_file) {
@@ -1077,8 +1228,8 @@ int add_gpg_user (int argc, const char** argv)
 			// TODO: include key_name in commit message
 			std::ostringstream	commit_message_builder;
 			commit_message_builder << "Add " << collab_keys.size() << " git-crypt collaborator" << (collab_keys.size() != 1 ? "s" : "") << "\n\nNew collaborators:\n\n";
-			for (std::vector<std::string>::const_iterator collab(collab_keys.begin()); collab != collab_keys.end(); ++collab) {
-				commit_message_builder << '\t' << gpg_shorten_fingerprint(*collab) << ' ' << gpg_get_uid(*collab) << '\n';
+			for (std::vector<std::pair<std::string, bool> >::const_iterator collab(collab_keys.begin()); collab != collab_keys.end(); ++collab) {
+				commit_message_builder << '\t' << gpg_shorten_fingerprint(collab->first) << ' ' << gpg_get_uid(collab->first) << '\n';
 			}
 
 			// git commit -m MESSAGE NEW_FILE ...
@@ -1398,6 +1549,9 @@ int status (int argc, const char** argv)
 			std::string	mode;
 			std::string	stage;
 			output >> mode >> object_id >> stage;
+			if (!is_git_file_mode(mode)) {
+				continue;
+			}
 		}
 		output >> std::ws;
 		std::getline(output, filename, '\0');

coprocess-unix.cpp

@@ -0,0 +1,186 @@
+/*
+ * Copyright 2015 Andrew Ayer
+ *
+ * This file is part of git-crypt.
+ *
+ * git-crypt is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * git-crypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with git-crypt.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Additional permission under GNU GPL version 3 section 7:
+ *
+ * If you modify the Program, or any covered work, by linking or
+ * combining it with the OpenSSL project's OpenSSL library (or a
+ * modified version of that library), containing parts covered by the
+ * terms of the OpenSSL or SSLeay licenses, the licensors of the Program
+ * grant you additional permission to convey the resulting work.
+ * Corresponding Source for a non-source form of such a combination
+ * shall include the source code for the parts of OpenSSL used as well
+ * as that of the covered work.
+ */
+
+#include "coprocess.hpp"
+#include "util.hpp"
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <errno.h>
+
+static int execvp (const std::string& file, const std::vector<std::string>& args)
+{
+	std::vector<const char*>	args_c_str;
+	args_c_str.reserve(args.size());
+	for (std::vector<std::string>::const_iterator arg(args.begin()); arg != args.end(); ++arg) {
+		args_c_str.push_back(arg->c_str());
+	}
+	args_c_str.push_back(NULL);
+	return execvp(file.c_str(), const_cast<char**>(&args_c_str[0]));
+}
+
+Coprocess::Coprocess ()
+{
+	pid = -1;
+	stdin_pipe_reader = -1;
+	stdin_pipe_writer = -1;
+	stdin_pipe_ostream = NULL;
+	stdout_pipe_reader = -1;
+	stdout_pipe_writer = -1;
+	stdout_pipe_istream = NULL;
+}
+
+Coprocess::~Coprocess ()
+{
+	close_stdin();
+	close_stdout();
+}
+
+std::ostream*	Coprocess::stdin_pipe ()
+{
+	if (!stdin_pipe_ostream) {
+		int	fds[2];
+		if (pipe(fds) == -1) {
+			throw System_error("pipe", "", errno);
+		}
+		stdin_pipe_reader = fds[0];
+		stdin_pipe_writer = fds[1];
+		stdin_pipe_ostream = new ofhstream(this, write_stdin);
+	}
+	return stdin_pipe_ostream;
+}
+
+void		Coprocess::close_stdin ()
+{
+	delete stdin_pipe_ostream;
+	stdin_pipe_ostream = NULL;
+	if (stdin_pipe_writer != -1) {
+		close(stdin_pipe_writer);
+		stdin_pipe_writer = -1;
+	}
+	if (stdin_pipe_reader != -1) {
+		close(stdin_pipe_reader);
+		stdin_pipe_reader = -1;
+	}
+}
+
+std::istream*	Coprocess::stdout_pipe ()
+{
+	if (!stdout_pipe_istream) {
+		int	fds[2];
+		if (pipe(fds) == -1) {
+			throw System_error("pipe", "", errno);
+		}
+		stdout_pipe_reader = fds[0];
+		stdout_pipe_writer = fds[1];
+		stdout_pipe_istream = new ifhstream(this, read_stdout);
+	}
+	return stdout_pipe_istream;
+}
+
+void		Coprocess::close_stdout ()
+{
+	delete stdout_pipe_istream;
+	stdout_pipe_istream = NULL;
+	if (stdout_pipe_writer != -1) {
+		close(stdout_pipe_writer);
+		stdout_pipe_writer = -1;
+	}
+	if (stdout_pipe_reader != -1) {
+		close(stdout_pipe_reader);
+		stdout_pipe_reader = -1;
+	}
+}
+
+void		Coprocess::spawn (const std::vector<std::string>& args)
+{
+	pid = fork();
+	if (pid == -1) {
+		throw System_error("fork", "", errno);
+	}
+	if (pid == 0) {
+		if (stdin_pipe_writer != -1) {
+			close(stdin_pipe_writer);
+		}
+		if (stdout_pipe_reader != -1) {
+			close(stdout_pipe_reader);
+		}
+		if (stdin_pipe_reader != -1) {
+			dup2(stdin_pipe_reader, 0);
+			close(stdin_pipe_reader);
+		}
+		if (stdout_pipe_writer != -1) {
+			dup2(stdout_pipe_writer, 1);
+			close(stdout_pipe_writer);
+		}
+
+		execvp(args[0], args);
+		perror(args[0].c_str());
+		_exit(-1);
+	}
+	if (stdin_pipe_reader != -1) {
+		close(stdin_pipe_reader);
+		stdin_pipe_reader = -1;
+	}
+	if (stdout_pipe_writer != -1) {
+		close(stdout_pipe_writer);
+		stdout_pipe_writer = -1;
+	}
+}
+
+int		Coprocess::wait ()
+{
+	int		status = 0;
+	if (waitpid(pid, &status, 0) == -1) {
+		throw System_error("waitpid", "", errno);
+	}
+	return status;
+}
+
+size_t		Coprocess::write_stdin (void* handle, const void* buf, size_t count)
+{
+	const int	fd = static_cast<Coprocess*>(handle)->stdin_pipe_writer;
+	ssize_t		ret;
+	while ((ret = write(fd, buf, count)) == -1 && errno == EINTR); // restart if interrupted
+	if (ret < 0) {
+		throw System_error("write", "", errno);
+	}
+	return ret;
+}
+
+size_t		Coprocess::read_stdout (void* handle, void* buf, size_t count)
+{
+	const int	fd = static_cast<Coprocess*>(handle)->stdout_pipe_reader;
+	ssize_t		ret;
+	while ((ret = read(fd, buf, count)) == -1 && errno == EINTR); // restart if interrupted
+	if (ret < 0) {
+		throw System_error("read", "", errno);
+	}
+	return ret;
+}

coprocess-unix.hpp

@@ -0,0 +1,68 @@
+/*
+ * Copyright 2015 Andrew Ayer
+ *
+ * This file is part of git-crypt.
+ *
+ * git-crypt is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * git-crypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with git-crypt.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Additional permission under GNU GPL version 3 section 7:
+ *
+ * If you modify the Program, or any covered work, by linking or
+ * combining it with the OpenSSL project's OpenSSL library (or a
+ * modified version of that library), containing parts covered by the
+ * terms of the OpenSSL or SSLeay licenses, the licensors of the Program
+ * grant you additional permission to convey the resulting work.
+ * Corresponding Source for a non-source form of such a combination
+ * shall include the source code for the parts of OpenSSL used as well
+ * as that of the covered work.
+ */
+
+#ifndef GIT_CRYPT_COPROCESS_HPP
+#define GIT_CRYPT_COPROCESS_HPP
+
+#include "fhstream.hpp"
+#include <unistd.h>
+#include <vector>
+
+class Coprocess {
+	pid_t		pid;
+
+	int		stdin_pipe_reader;
+	int		stdin_pipe_writer;
+	ofhstream*	stdin_pipe_ostream;
+	static size_t	write_stdin (void*, const void*, size_t);
+
+	int		stdout_pipe_reader;
+	int		stdout_pipe_writer;
+	ifhstream*	stdout_pipe_istream;
+	static size_t	read_stdout (void*, void*, size_t);
+
+			Coprocess (const Coprocess&);	// Disallow copy
+	Coprocess&	operator= (const Coprocess&);	// Disallow assignment
+public:
+			Coprocess ();
+			~Coprocess ();
+
+	std::ostream*	stdin_pipe ();
+	void		close_stdin ();
+
+	std::istream*	stdout_pipe ();
+	void		close_stdout ();
+
+	void		spawn (const std::vector<std::string>&);
+
+	int		wait ();
+};
+
+#endif

coprocess-win32.cpp

@@ -0,0 +1,269 @@
+/*
+ * Copyright 2015 Andrew Ayer
+ *
+ * This file is part of git-crypt.
+ *
+ * git-crypt is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * git-crypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with git-crypt.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Additional permission under GNU GPL version 3 section 7:
+ *
+ * If you modify the Program, or any covered work, by linking or
+ * combining it with the OpenSSL project's OpenSSL library (or a
+ * modified version of that library), containing parts covered by the
+ * terms of the OpenSSL or SSLeay licenses, the licensors of the Program
+ * grant you additional permission to convey the resulting work.
+ * Corresponding Source for a non-source form of such a combination
+ * shall include the source code for the parts of OpenSSL used as well
+ * as that of the covered work.
+ */
+
+#include "coprocess-win32.hpp"
+#include "util.hpp"
+
+
+static void escape_cmdline_argument (std::string& cmdline, const std::string& arg)
+{
+	// For an explanation of Win32's arcane argument quoting rules, see:
+	//  http://msdn.microsoft.com/en-us/library/17w5ykft%28v=vs.85%29.aspx
+	//  http://msdn.microsoft.com/en-us/library/bb776391%28v=vs.85%29.aspx
+	//  http://blogs.msdn.com/b/twistylittlepassagesallalike/archive/2011/04/23/everyone-quotes-arguments-the-wrong-way.aspx
+	//  http://blogs.msdn.com/b/oldnewthing/archive/2010/09/17/10063629.aspx
+	cmdline.push_back('"');
+
+	std::string::const_iterator	p(arg.begin());
+	while (p != arg.end()) {
+		if (*p == '"') {
+			cmdline.push_back('\\');
+			cmdline.push_back('"');
+			++p;
+		} else if (*p == '\\') {
+			unsigned int	num_backslashes = 0;
+			while (p != arg.end() && *p == '\\') {
+				++num_backslashes;
+				++p;
+			}
+			if (p == arg.end() || *p == '"') {
+				// Backslashes need to be escaped
+				num_backslashes *= 2;
+			}
+			while (num_backslashes--) {
+				cmdline.push_back('\\');
+			}
+		} else {
+			cmdline.push_back(*p++);
+		}
+	}
+
+	cmdline.push_back('"');
+}
+
+static std::string format_cmdline (const std::vector<std::string>& command)
+{
+	std::string		cmdline;
+	for (std::vector<std::string>::const_iterator arg(command.begin()); arg != command.end(); ++arg) {
+		if (arg != command.begin()) {
+			cmdline.push_back(' ');
+		}
+		escape_cmdline_argument(cmdline, *arg);
+	}
+	return cmdline;
+}
+
+static HANDLE spawn_command (const std::vector<std::string>& command, HANDLE stdin_handle, HANDLE stdout_handle, HANDLE stderr_handle)
+{
+	PROCESS_INFORMATION	proc_info;
+	ZeroMemory(&proc_info, sizeof(proc_info));
+
+	STARTUPINFO		start_info;
+	ZeroMemory(&start_info, sizeof(start_info));
+
+	start_info.cb = sizeof(STARTUPINFO);
+	start_info.hStdInput = stdin_handle ? stdin_handle : GetStdHandle(STD_INPUT_HANDLE);
+	start_info.hStdOutput = stdout_handle ? stdout_handle : GetStdHandle(STD_OUTPUT_HANDLE);
+	start_info.hStdError = stderr_handle ? stderr_handle : GetStdHandle(STD_ERROR_HANDLE);
+	start_info.dwFlags |= STARTF_USESTDHANDLES;
+
+	std::string		cmdline(format_cmdline(command));
+
+	if (!CreateProcessA(NULL,		// application name (NULL to use command line)
+				const_cast<char*>(cmdline.c_str()),
+				NULL,		// process security attributes
+				NULL,		// primary thread security attributes
+				TRUE,		// handles are inherited
+				0,		// creation flags
+				NULL,		// use parent's environment
+				NULL,		// use parent's current directory
+				&start_info,
+				&proc_info)) {
+		throw System_error("CreateProcess", cmdline, GetLastError());
+	}
+
+	CloseHandle(proc_info.hThread);
+
+	return proc_info.hProcess;
+}
+
+
+Coprocess::Coprocess ()
+{
+	proc_handle = NULL;
+	stdin_pipe_reader = NULL;
+	stdin_pipe_writer = NULL;
+	stdin_pipe_ostream = NULL;
+	stdout_pipe_reader = NULL;
+	stdout_pipe_writer = NULL;
+	stdout_pipe_istream = NULL;
+}
+
+Coprocess::~Coprocess ()
+{
+	close_stdin();
+	close_stdout();
+	if (proc_handle) {
+		CloseHandle(proc_handle);
+	}
+}
+
+std::ostream*	Coprocess::stdin_pipe ()
+{
+	if (!stdin_pipe_ostream) {
+		SECURITY_ATTRIBUTES	sec_attr;
+
+		// Set the bInheritHandle flag so pipe handles are inherited.
+		sec_attr.nLength = sizeof(SECURITY_ATTRIBUTES);
+		sec_attr.bInheritHandle = TRUE;
+		sec_attr.lpSecurityDescriptor = NULL;
+
+		// Create a pipe for the child process's STDIN.
+		if (!CreatePipe(&stdin_pipe_reader, &stdin_pipe_writer, &sec_attr, 0)) {
+			throw System_error("CreatePipe", "", GetLastError());
+		}
+
+		// Ensure the write handle to the pipe for STDIN is not inherited.
+		if (!SetHandleInformation(stdin_pipe_writer, HANDLE_FLAG_INHERIT, 0)) {
+			throw System_error("SetHandleInformation", "", GetLastError());
+		}
+
+		stdin_pipe_ostream = new ofhstream(this, write_stdin);
+	}
+	return stdin_pipe_ostream;
+}
+
+void		Coprocess::close_stdin ()
+{
+	delete stdin_pipe_ostream;
+	stdin_pipe_ostream = NULL;
+	if (stdin_pipe_writer) {
+		CloseHandle(stdin_pipe_writer);
+		stdin_pipe_writer = NULL;
+	}
+	if (stdin_pipe_reader) {
+		CloseHandle(stdin_pipe_reader);
+		stdin_pipe_reader = NULL;
+	}
+}
+
+std::istream*	Coprocess::stdout_pipe ()
+{
+	if (!stdout_pipe_istream) {
+		SECURITY_ATTRIBUTES	sec_attr;
+
+		// Set the bInheritHandle flag so pipe handles are inherited.
+		sec_attr.nLength = sizeof(SECURITY_ATTRIBUTES);
+		sec_attr.bInheritHandle = TRUE;
+		sec_attr.lpSecurityDescriptor = NULL;
+
+		// Create a pipe for the child process's STDOUT.
+		if (!CreatePipe(&stdout_pipe_reader, &stdout_pipe_writer, &sec_attr, 0)) {
+			throw System_error("CreatePipe", "", GetLastError());
+		}
+
+		// Ensure the read handle to the pipe for STDOUT is not inherited.
+		if (!SetHandleInformation(stdout_pipe_reader, HANDLE_FLAG_INHERIT, 0)) {
+			throw System_error("SetHandleInformation", "", GetLastError());
+		}
+
+		stdout_pipe_istream = new ifhstream(this, read_stdout);
+	}
+	return stdout_pipe_istream;
+}
+
+void		Coprocess::close_stdout ()
+{
+	delete stdout_pipe_istream;
+	stdout_pipe_istream = NULL;
+	if (stdout_pipe_writer) {
+		CloseHandle(stdout_pipe_writer);
+		stdout_pipe_writer = NULL;
+	}
+	if (stdout_pipe_reader) {
+		CloseHandle(stdout_pipe_reader);
+		stdout_pipe_reader = NULL;
+	}
+}
+
+void		Coprocess::spawn (const std::vector<std::string>& args)
+{
+	proc_handle = spawn_command(args, stdin_pipe_reader, stdout_pipe_writer, NULL);
+	if (stdin_pipe_reader) {
+		CloseHandle(stdin_pipe_reader);
+		stdin_pipe_reader = NULL;
+	}
+	if (stdout_pipe_writer) {
+		CloseHandle(stdout_pipe_writer);
+		stdout_pipe_writer = NULL;
+	}
+}
+
+int		Coprocess::wait ()
+{
+	if (WaitForSingleObject(proc_handle, INFINITE) == WAIT_FAILED) {
+		throw System_error("WaitForSingleObject", "", GetLastError());
+	}
+
+	DWORD			exit_code;
+	if (!GetExitCodeProcess(proc_handle, &exit_code)) {
+		throw System_error("GetExitCodeProcess", "", GetLastError());
+	}
+
+	return exit_code;
+}
+
+size_t		Coprocess::write_stdin (void* handle, const void* buf, size_t count)
+{
+	DWORD		bytes_written;
+	if (!WriteFile(static_cast<Coprocess*>(handle)->stdin_pipe_writer, buf, count, &bytes_written, NULL)) {
+		throw System_error("WriteFile", "", GetLastError());
+	}
+	return bytes_written;
+}
+
+size_t		Coprocess::read_stdout (void* handle, void* buf, size_t count)
+{
+	// Note that ReadFile on a pipe may return with bytes_read==0 if the other
+	// end of the pipe writes zero bytes, so retry when this happens.
+	// When the other end of the pipe actually closes, ReadFile
+	// fails with ERROR_BROKEN_PIPE.
+	DWORD bytes_read;
+	do {
+		if (!ReadFile(static_cast<Coprocess*>(handle)->stdout_pipe_reader, buf, count, &bytes_read, NULL)) {
+			const DWORD	read_error = GetLastError();
+			if (read_error != ERROR_BROKEN_PIPE) {
+				throw System_error("ReadFile", "", read_error);
+			}
+			return 0;
+		}
+	} while (bytes_read == 0);
+	return bytes_read;
+}

coprocess-win32.hpp

@@ -0,0 +1,68 @@
+/*
+ * Copyright 2015 Andrew Ayer
+ *
+ * This file is part of git-crypt.
+ *
+ * git-crypt is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * git-crypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with git-crypt.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Additional permission under GNU GPL version 3 section 7:
+ *
+ * If you modify the Program, or any covered work, by linking or
+ * combining it with the OpenSSL project's OpenSSL library (or a
+ * modified version of that library), containing parts covered by the
+ * terms of the OpenSSL or SSLeay licenses, the licensors of the Program
+ * grant you additional permission to convey the resulting work.
+ * Corresponding Source for a non-source form of such a combination
+ * shall include the source code for the parts of OpenSSL used as well
+ * as that of the covered work.
+ */
+
+#ifndef GIT_CRYPT_COPROCESS_HPP
+#define GIT_CRYPT_COPROCESS_HPP
+
+#include "fhstream.hpp"
+#include <windows.h>
+#include <vector>
+
+class Coprocess {
+	HANDLE		proc_handle;
+
+	HANDLE		stdin_pipe_reader;
+	HANDLE		stdin_pipe_writer;
+	ofhstream*	stdin_pipe_ostream;
+	static size_t	write_stdin (void*, const void*, size_t);
+
+	HANDLE		stdout_pipe_reader;
+	HANDLE		stdout_pipe_writer;
+	ifhstream*	stdout_pipe_istream;
+	static size_t	read_stdout (void*, void*, size_t);
+
+			Coprocess (const Coprocess&);	// Disallow copy
+	Coprocess&	operator= (const Coprocess&);	// Disallow assignment
+public:
+			Coprocess ();
+			~Coprocess ();
+
+	std::ostream*	stdin_pipe ();
+	void		close_stdin ();
+
+	std::istream*	stdout_pipe ();
+	void		close_stdout ();
+
+	void		spawn (const std::vector<std::string>&);
+
+	int		wait ();
+};
+
+#endif

coprocess.cpp

@@ -0,0 +1,5 @@
+#ifdef _WIN32
+#include "coprocess-win32.cpp"
+#else
+#include "coprocess-unix.cpp"
+#endif

coprocess.hpp

@@ -0,0 +1,5 @@
+#ifdef _WIN32
+#include "coprocess-win32.hpp"
+#else
+#include "coprocess-unix.hpp"
+#endif

debian/changelog

@@ -0,0 +1,5 @@
+git-crypt (0.5.0-1) unstable; urgency=medium
+
+  * Initial release. (Closes: #785346)
+
+ -- Andrew Ayer <agwa@andrewayer.name>  Sat, 30 May 2015 20:22:22 -0700

debian/compat

@@ -0,0 +1 @@
+9

debian/control

@@ -0,0 +1,24 @@
+Source: git-crypt
+Maintainer: Andrew Ayer <agwa@andrewayer.name>
+Section: vcs
+Priority: optional
+Standards-Version: 3.9.6
+Build-Depends: debhelper (>= 9), libssl-dev, xsltproc, docbook-xml, docbook-xsl
+Vcs-Git: https://www.agwa.name/git/git-crypt.git -b debian
+Homepage: https://www.agwa.name/projects/git-crypt
+
+Package: git-crypt
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, git (>= 1.7.2)
+Recommends: gnupg
+Enhances: git
+Description: Transparent file encryption in git
+ git-crypt enables transparent encryption and decryption of files in a
+ git repository.  Files which you choose to protect are encrypted when
+ committed, and decrypted when checked out.  git-crypt lets you freely
+ share a repository containing a mix of public and private content.
+ git-crypt gracefully degrades, so developers without the secret key
+ can still clone and commit to a repository with encrypted files.
+ This lets you store your secret material (such as keys or passwords)
+ in the same repository as your code, without requiring you to lock down
+ your entire repository.

debian/copyright

@@ -0,0 +1,64 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: git-crypt
+Source: https://www.agwa.name/projects/git-crypt
+
+Files: *
+Copyright: Copyright 2012-2015 Andrew Ayer
+License: GPL-3+ with OpenSSL exception
+
+Files: fhstream.cpp fhstream.hpp parse_options.cpp parse_options.hpp
+Copyright: Copyright 2012, 2014, 2015 Andrew Ayer
+License: X11
+
+License: GPL-3+ with OpenSSL exception
+ git-crypt is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ .
+ git-crypt is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with git-crypt.  If not, see <http://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the full text of the GNU General Public
+ License version 3 can be found in the file
+ `/usr/share/common-licenses/GPL-3'.
+ .
+ Additional permission under GNU GPL version 3 section 7:
+ .
+ If you modify the Program, or any covered work, by linking or
+ combining it with the OpenSSL project's OpenSSL library (or a
+ modified version of that library), containing parts covered by the
+ terms of the OpenSSL or SSLeay licenses, the licensors of the Program
+ grant you additional permission to convey the resulting work.
+ Corresponding Source for a non-source form of such a combination
+ shall include the source code for the parts of OpenSSL used as well
+ as that of the covered work.
+
+License: X11
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the "Software"),
+ to deal in the Software without restriction, including without limitation
+ the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ and/or sell copies of the Software, and to permit persons to whom the
+ Software is furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included
+ in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ OTHER DEALINGS IN THE SOFTWARE.
+ .
+ Except as contained in this notice, the name(s) of the above copyright
+ holders shall not be used in advertising or otherwise to promote the
+ sale, use or other dealings in this Software without prior written
+ authorization.

debian/gbp.conf

@@ -0,0 +1,5 @@
+[DEFAULT]
+pristine-tar = True
+pristine-tar-commit = True
+debian-branch = debian
+upstream-tag = %(version)s

debian/git-crypt.docs

@@ -0,0 +1,8 @@
+CONTRIBUTING.md
+NEWS
+NEWS.md
+README
+README.md
+RELEASE_NOTES-0.4.1.md
+RELEASE_NOTES-0.4.md
+THANKS.md

debian/rules

@@ -0,0 +1,7 @@
+#!/usr/bin/make -f
+
+export PREFIX=/usr
+export ENABLE_MAN=yes
+
+%:
+	dh  $@

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

debian/source/options

@@ -0,0 +1 @@
+single-debian-patch

debian/source/patch-header

@@ -0,0 +1,17 @@
+Subject: Collected Debian patches for git-crypt
+Author: Andrew Ayer <agwa@andrewayer.name>
+
+Since I am also upstream for this package, there will normally not be
+any patches to apply to the upstream source.  However, occasionally
+I'll pull up specific upstream commits prior to making an upstream
+release.  When this happens, this patch will collect all of those
+modifications.
+
+I use Git to maintain both the upstream source and the Debian
+packages, and generating individual patches rather than using git
+cherry-pick takes extra work for no gain.  Since I'm also upstream,
+there's no need to separate the patches for later upstream submission.
+Hence, I take this approach with a unified patch when it's necessary.
+
+For full commit history and separated commits, see the upstream Git
+repository.

debian/upstream/signing-key.asc

@@ -0,0 +1,135 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFNTDEsBEACiZ+AWNaj80CvSIV9T+mlPClETM+pxEHuB+vldasG+BWsyyb2d
+AH390MSjXzs4RaiDGAXgZKnP9bhlWV/6BYcF0edz+G+Ux89L+D/c6miWFqwywQ7G
+FRBh10WDriNbSF6UoD6TJX9Kc2KIgeDQ7LFL1PsiFjsO/cUBfDmSvMWd/zzIV4Ug
+QdqFjjHdPSTr5w9D5YDS5FY2UOmcrxyNU66PoGkIp0Cqjgaieszxx3/CkGtktn0T
+M/dwP+yafgH5uUDRfgFR5McTvu4E53CAimsiv05wodXmnoELojVDrEYciJIrfGRx
+fCj+tiWsz0IcJCJ/ND1UExlI5so5tx0YaYMapx3PCb7+ZrZEUrRa3xK6m+ZU2Qfk
+XQJmUSnKuIsKP4Uo8ysMPxDuWrCap4nxw2uNsGgPXXnExJgVoWfyR0qMr16+BUSu
+Yrtfng19npv/Y381Y6hB8uRWRNRbaG8MEAHrgdPkb6853cbXT6A+k3KbZJVcEZsv
+XCS2lFuWaZTQGA1G4mj7TbudjvHLuDV8VbPsyxotgAHITSh6pekBuJFPOVhAZN41
+HyPNMZnE7eoW6DmShrdC+TjIVpzliqiLytDfGabIMNbnQDWdHxhzqq/Vn07ObOVp
+0MGn7PaGeyF+rmi0h1ttab3Dioku49dljjuz+uNhBcu1CB/CegIdtRVyDwARAQAB
+tCJBbmRyZXcgQXllciA8YWd3YUBhbmRyZXdheWVyLm5hbWU+iQI6BBMBCAAkAhsB
+BQsJCAcDBRUKCQgLBRYDAgEAAh4BAheABQJTUwz6AhkBAAoJEBA3jvwggAgM0BwQ
+AI8tAYxpeHyN+6StVAiu+wY2n2SNuunsORVmqyiICDOruxPTr4ulsP8vKM7Y4L9H
+lpJqfW/g65cByuZ48dFciQmI97RfZjjZgAxejM1dq/Y0RJGpZ6I7pNNbWIxvDm7o
+8mMeEQYT5S4vZKmreYZpzjLLZin+3gpBfljapGRikZNC1dzQu5JA0iCkWqIWmgto
+O/kEmGKID9ShLB0H/f26K+jKfKuQ2unqlPgUPlQfd65yBN0m0SaESozs5hnCjMxS
+oJSDnI0Kst0W/E/c0RZp5WJ3PECqnV0ru7xazMPLP3yNMrJVv3s6rKdiwzkQYUDj
+10KxCDOChc9UfVRZfiVc4OlnK77L5EM3AWLrNOwx8ntcs67hJXrppoDVin87PyMG
+SJE+DNKZk40oHLIrWCE43zS8p0k4OSGpJhiVev/o2FJImIiZXdYrm0gA3rA5OOM2
+nDSyPlB0kOzMN03z7pzT319OMhf5KZgYRuoAU59IqdW+Iz2q1vfusuh0UU5GfP+U
+XOuiiv9O9VqPTxpDOzmk5qnw8p3NNdwnqzop64wcBsNebyWGM52Hetd8bIwdFniI
+XsBhzRxnMVmNdXwQ7zhPKwpgGA9vWkyZ15EuhDK0Wc3XQf51NWVjY9Pt/NgpwKli
+CEqnd+sUszM78jXhvZjsWEkophudU6O615zYEEpTe+b/tB5BbmRyZXcgQXllciA8
+YW5kcmV3QGFnd2EubmFtZT6JAjcEEwEIACEFAlNTDM8CGwEFCwkIBwMFFQoJCAsF
+FgMCAQACHgECF4AACgkQEDeO/CCACAxWoA/+NYvxCoJ4V/TGZnYQJxT95qK+8uGS
+sQmlAYlIbYAAr0zxe1+U0HxMVMh0pj211B8Nd6Qq46X2ZYmWSyAPA6tiiSg+Y5C9
+2IGyCZ11oG98Op99nnPOEnKAPVgTtGgpMeomTPo768ucj0kvvbibGg3yMs1JBH2p
+wBULHZLCswlKzDOgg4YZfa5eicXRJOjl1EVbdhPyMZrnJB5bFnkno8rSIJ1h3QkV
+kWAJ0bPggHxsWiYOEJUjEkzr4zXjcCJKIyPWY9rZcgJNvo1Bwqx/E7Cs+XABuPtU
+0OPIysXROANzsUMVt0NpcSJsAPJxt5L5EoCVRhTDjaK6kXglEcxqOqSzTsu61cKj
+MAAyZY+qfTA2ILzPYgxiy+h4ReUxAHx0Bzd7w6L+tn1aPlc9nqDm1nzk9U8rzA5j
+XDJJJOuC5yCzhQ2tpsAp/RRE+1sgiGV8D+LSXf2ZYBQbV9V6icFdhHUrqKzQsw7m
+5C4n2Fk1wk54JTFO1j4rWarHiVeKuKWiBrQhhUJqFtJ/lpr6tIVsI5KuoWczHpQ0
+RhCnUNFPj1JaMM09pLEkg9u/RRrVo6eSHy0vHKCqYZYUAldTGpE18kRlpTDgrN8T
+jhBaiFrk8PBKPiE4Pt+5BgDZr8jP+CWA9Bc06E6EtV+fDdTexAj2Uw0JE0zZdhQc
+1J1NNIMHc4WpS6+0JEFuZHJldyBBeWVyIDxhbmRyZXdAYW5kcmV3YXllci5uYW1l
+PokCNwQTAQgAIQUCU1MMjQIbAQULCQgHAwUVCgkICwUWAwIBAAIeAQIXgAAKCRAQ
+N478IIAIDDg1EACQ+stApB16L54LnS7YMFUHeUgaG3Hfu+WmIrvRn5UcT4hxRNsY
+/c7nDumrwAmg8HiOXwe7V8MJMFUEEoQylWpYLFzOTlwDmVGUMczQScgi7RvK9zwJ
+0475Wlpr/7wUrG0LyinLVf7GoKPtIkefzlydTzMu4xSr52t1sSGQqcWXDVJ2bCGf
+KuvmDpv1gOORdp4g2lI0wOPWgPzm4ctqhzT58jFR5vQpzpr+H0qB35prcKa9TAIG
+sbtF1bdSaOBkXev/IFhY07Fq35aqEuv27+aMJkYjhzIVSnm+/9Io/1L0RTpHZpgc
+px08yfllq7Vf0buCiC8uEvdFVL4sHOlp9gVU21boLj4JJnZvlJ1m+gfIMAfhtt4R
+2QNxKxC+jO2bBvj4j9dHBz0MQvAoJl121cjOAxZGMHye3eV0sHtE7UntxA5pQQv0
+U2hx7A70yAlN2Np76xVDO9cae4aVUV7lCdY14L9e5Ww4mAknFMeIgbkoxWT2lMA+
+1pfn541c6XUuuNfr1D9flYHbDFEYTUOFZ6ypAgOxkK+/wPYlz4d6MTBJ4fcoEhSF
+qX0JVFW8Jrnqs4GsDmej9dibfYdk2a0qG69oSRF8Bujxdh41R+/C03LSnRBXhjHJ
+SG/xSYoCcOL6y3aiJb2gK2lbrLxmeysCn7goGPp16VikSxHNFJkigRUqDbQhQW5k
+cmV3IEF5ZXIgPGFnd2FAYW5kcmV3YXllci5jb20+iQI3BBMBCAAhBQJTUwyrAhsB
+BQsJCAcDBRUKCQgLBRYDAgEAAh4BAheAAAoJEBA3jvwggAgMfWsP/2F+Ds4lIn7p
+rdgEeK2kT4Sxn4ldATU8ZKjVe/RnTxWx+jqEHdsXkUAVEHNuUPYwtvETub2mMFBr
+lguL1WWW09J1ihYEk4ErDT81kNP+8cGGDjLkv8FWjlLPUGrcZRMj52JP0saW7AIJ
+2/OxvpC00xkpb5goy5yXUKVgzBhVUAcSx1a3vY92y+RnmcwhnQmlhAy+xpyO0Ju+
+dEhNfBny+gc/YdWfha6sWed6fL0VWut2l1euEU9WIH/Mcd8NWGs10ez9iqVhRWi3
+zpTWxkVBY0+PaPaHkqh6N3cCDEdFXXmVtP3nPvC+4k6vIUK+frIIffjDlOXhXaPB
+bGZ2SyJcYJdsh6Lb3cnQ2ISHrlKy2CgVkExdgz8JeSF296OInQJmS/U9XFH2iN/w
+Yivi93pUV9xvPaJTXOSUMA+szKXapPTH8zUNQ99tm7KiwV0aMXWKG0iNxjg7C0kO
+vVuKGBKEpFdyNLL7uAE/bzs7WVZ8ztebZJTlScIU7KZUr931kR++VAzIFr7yYlaC
+4c2TjiinStFsHgfRqaVoJfQIWQzxrli46LkaIVur3rzBJERNSpDcPlpF1wngXkFo
+Jqt+c7MTVBeoaaAv5TAK0a/D027fUNtAyxtCPmkoHs6BWh38NDGO7VNBRNog0Vnm
+ItcFmFtM0rcQV6DbUjUZdTYygPGq0MAWtCNBbmRyZXcgQXllciA8YW5kcmV3QGFu
+ZHJld2F5ZXIuY29tPokCNwQTAQgAIQUCU1MMwgIbAQULCQgHAwUVCgkICwUWAwIB
+AAIeAQIXgAAKCRAQN478IIAIDDN4D/0eINLgeE2mHs68kM6fXRf0jfDdyVYMvxnK
+ZO0jq1sjurEYgw+tHQRHo5bsu52E1yneoam5pzucu6TXUVc2X7dGKfuqvsU55+Qo
+IlqE0ai0tXlmc7orVzZFgLCTGrZgL2NL208h3EvlSeqy//6yA/rirMIRiD/vSb3A
+u0EBXSav+x/o092W904jPzeLGGL9c9G6HxmAzGxRO0q5FfB7u1sI9bpgljC3mBVb
+jUhD/ynIwkIZfTgQFRlBHtzy0HpcnlzxzcY7b/SB+8was1aEDetzuEeXOdTDXxd6
+gVBFDZMyKtZU5jsprZDU6/nleka6/ji6ZMNIJvMgcJbgwV3i/ipKH3FfItcnTt+F
+gx2q3j/pVYPyKo05tp2dBCgdyEKsTgc+QTqo0EOk5to8Gz7ebkyPGIELqIfBtPjp
+hoB9oTpgmnAsgSnSGDfz4yD+8uU3FBOjrMNe5tucq+N8VVYZhCQFs8fAbrghh568
+ahBcLDu4n9OvjZz5hHnpARtSOw2WmLdQ43JAnFa6F8rN98ymlP6X8CT3lTnPwkRL
++9l008KXP64nZStISozKwDb4zMfRn7iHbqs6reIlvgIOevkiMmPTyhhQ0zz6aLwy
+ZNcQPK7wdXtynPydzAPfKbxfQkVpkQb/mgBgr2blZSu4Z5W491tDOTI/MF0gMTfA
+eqavC9PhRrkCDQRTUw1OARAAyr3w+DujjQ+oiLrlnGu+DArnxK5lf8DzeVokFlSX
+TJXSgCl4niJeQhodn3EtnDRdKimdvMxgW+iVU4MKhK/2xbf0rNSQDJv4iIub0wHH
+Y8kkqsBU3vDjoTYraoFMjKWIvZEr9FJTiDgX4VruJAhwydjknrSWdK7As9PzqU0l
+C7ReHRJIJLu20EeVCVoGuyVmRfendTXDbflvZhUhTitcgJbNek272u521lYbk3g1
+knMWhwmdsy95ZqNbjk4iMJ6eq4l2MA/yka4V4zA7P9L0WBjuFyImVix4WyaF+TIN
+/t8eX+zF6VfImoKlMer8qpMmGaFBKxOdGdAH+YpoP8sysSrFDV0iSbA/WwbNa4e7
+F8eras4B/sFWIldXlSd0yLqdNe8ZB0vPDS44tNcmDYz3cWIH1mDF1AbHDBbOxwa+
+FkcHDPjYrnIQbFI3Z+rzOqc8vOeiNPHggPSDRjM6duah4aOLp6RYEYc/2ouO1yMD
+UlWQ+eGDvqAvIt3HH2y78fbkl3K2VVA+gd5w9oxDKxXKZxp/y5RVVYCZUAv1lllT
+87dRMXignTVEIsF8VdESrHhRYUQW+2wP40hKZIPEaWS5BSH/d/qGgDSBsVPbDlas
+4n3FJ+SVil6xm0hJ+29Xw/GDMc+uQfs8TkPxbM0cjn59oZb6I3Zhxy+KWSxdCN2g
+8nMAEQEAAYkERAQYAQgADwIbAgUCU1MO8wUJB4TPXQIpwV0gBBkBCAAGBQJTUw1O
+AAoJEJ0V9ORH5MgyJTQP/0cSeXYZ+G7EKEjM+xHfjUyNavahVZ+rfiLzZpU+os4s
+SGwd4annJ4Z56UMA+1U5Qm34+rH+E72qTJAEhg512CQJnFejVKqBuVzBsxaO5aLK
+nSafGk3Ixev4JraspFtDmSflVHrQFVKeu3oF+tjE2elHHhhV8I1N8eA2HTiwlTpD
+9RgQ1nFw9KM4+ncBm56dK3lVQbgT7XPz6noIPhXpAKH1THthvIyjUDyTqeRUrgHL
+eeFtKXWnsiUMi5z3dz1lK0QacGaykl+VtLXlUIffh7IpLp3MoiaboXV2UdocIrZ3
+vg00wBrZ01w7L10LB0Jl1NEH5ccbezAVCaW3/2MT6C7BnQZqpjQiKncrnx2YoupJ
++OWJT2QOQoLOKwL4ShHB8Dae4RD0aTcmTTVBEteSvH32hhcsXChMi1Dzsf6cvNmV
+pl54VkfWmZqyfTl7LjqpQsOcUtDshFPQMziKF8pSyhSYiuImvLFwypTe4KtDqA/U
+d1v9XB40mniAUTC5dWO+80MhOB4NpXNNSXP22DzpDZvfhdTxSCwc70bpWJIRVpuT
+gVvVjqOiCVanNXqwh14Nn+/SaRDx19BglXhniBWNEXN8f2dhI3YkZ2ovS/t6mfxn
+aymghsKL1yvu8zdTFZsmAhYdpTBIB9zMjoNs3TNb8I+X26oPUjSKZ1/+oAacGTtJ
+CRAQN478IIAIDBXvD/sG09+tMC30Tcq6DuycebKiuHfIioBdWTNLTz3Pahi0C/4e
+WDcd0H8hcxUz9cdBnUs5uvUwdo07bqVb+zJ0PidDdCpCSDwNH9Zn98Duy7QVPtAU
+psPApSe2Y23zh4tr37c31dlUIsRCiGfjIjjoCFg3NZMxmw4y3UhUMPNemDt+rB+t
+XmstUc03xdaUrrssAxZf/qhNy9tPucHGl1Uuq1c8ANhdgmosMacfxb9i/kcCErTl
+Kz3DwZPVdE4Q/KcaiTOBxBthlvpZM27h//BeT/Yo2Hy/X7nzhhyscPqaDj/HOCbt
+O/wyH/kv4z++bzy7FSERMJTQvAaYEbhWE71l+sSBJT1ZJnafDXX+b9ZlSE7Im5C8
+mjGc1XX9Mw1eXzLh7wiC+BEEr4S9qOkyKtSKcQ/m+UjOARXrqA1qhDp1mmhSVNsW
+UnhWabsO9TwxcRdSX98ql+rNYBjN7tsqzq3G3R3oFeaGevAqPqJFbAFhGhB33UP1
+yolOPxGP6u2NdNFmGQ2vVlzJNzY5QAk2cekIZWJLd8YEcXeijPo1BX4eTg4V6d61
+EWIKoSHBeKVwhuCg9l6ZFrNzUoHGP4yKDXJood71KBulDSSUkzIM05ngfcajz1RS
+R9szqJlNAuLHpQHOZEI1k38sQrnPoqwzyshgU7S/vLAT6hr666bJ2i9l82X077kC
+DQRTUw4RARAA30ouhOBeAX4ORzDmeyP9MjuDZWArkJv22PI5ijISIyRjUdYogvqY
+XAm2z0RTzD4waW9lSabumDqVGd5MzTm0GTaIw/E+7rx08vnBVRlHLpAOZMUogNEG
+p+3uXhgHmar0uhVhYar1v6SUqscray+wtnkRnXQkitkD0zzTWGx17LnWPOguNDsU
+uYjWoAYgEiS9g3UYLfexQRVxae7n6YTDedNfjuMKAmmc+ixWDHQ9Dcjc4oJacV5z
+iz78NYdXoPA3101lKPzUGqRye/Rvm0/GXzht5nhsIMB/X/FIk6qlbCAP/VpVRpYD
+KE7N3juJY7jwoCze9d3TZx6jU8IR/rD1uuDW/gjyPVAHAcE1fRwjErtR1TsFcXdY
+wtTJx+Rzq6gaS1mfeV90/V2RY0i+nqGhmY+o+lLt1uozX3iTO2X9cF/REp9i6Rly
+TOUMAPW7mOryN9Yv/WAkG4S/WgtnZRCA0M88jFSgX8go+Y2Z6yAUynEXDREH9VMI
+rw0kNhvOzfWSAyBOuNfNrehShR6RMtAKs/JC+VEwhvDD+avFNHywpn7fGMa2WqFw
+x337Yz6wARJ5g9vBCMJBWMhWT62cMQK62TLVkW5lbULSVwUAsbNyZMaQks7kfas3
+9w3gr66Bc/2v4PaQMUQ3I79yO/f6zsxu9vZ1yxPtKOGwGHQvnCdRMlMAEQEAAYkC
+JQQYAQgADwIbDAUCU1MPDQUJB4TO+QAKCRAQN478IIAIDFQcEACFi6e4/++dhkPT
+e1dnaifmSINXthSFkOAp8OR0mK2/0Ged6UmbyxPd7gKQJUXFV5Mz5Sj8G6N4YCLl
++55k67gwZwzZ62EYB41FnjkXKILBgP+mt2c0SCuwwwz9g8Jx351l2Cfatz6SoviE
+XjQURDHPxsqK1mfKMmoMWo4Ii68hzKrBg0mcdxeJeYj/t8l0ug2JQApnJsaE+5QC
+3U9txBYm1Rpsaz/IFvlGJS9CkZyQA7ci/eMmoKn+/R8Gk48avkM0vFmUz9T8saIr
+g0F5T7ThjC8575PNtInpDZRp9V3PdeKtiA9Fky11fNi0VS7luurKQ3I0UJfdyxe1
+Sb/kvwSu++zEDEG5/li4GfMBqiZTV6oZJ9fzZnrGjEyiRSLN7GA4T1KC795zm/63
+MrTaTf/3G6iRLNcvEdcWTiSHlFSkpx+qQHoijs0KU6uzdvHwtKKX/UBrk837SOFL
+AEqn8ebsOKYiO4gA0ismpAt9NQwqsKq0rhyZAIDl9hSjwGBqX24NA7qnkoZNZySC
+YBn0ZZRr3VGyeNWgtZg/KIiyKX7xmEUgBswt/U42x5wG3SdhAiSn6If/y8dTpfzT
+kXF2+jp/tbGpm1qHi6qrkdMqCHCf67beh9SmlKa8nYyb1fpEcNBBElA8AAFgaYKh
+zZq3C24mS3JwlqDwjT/Ut1/tChr3wQ==
+=ZMwd
+-----END PGP PUBLIC KEY BLOCK-----

debian/watch

@@ -0,0 +1,2 @@
+version=3
+opts=pgpsigurlmangle=s/$/.asc/ https://www.agwa.name/projects/git-crypt/ .*/git-crypt-(\d.*)\.(?:zip|tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))

fhstream.cpp

@@ -0,0 +1,227 @@
+/*
+ * Copyright (C) 2012, 2015 Andrew Ayer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * Except as contained in this notice, the name(s) of the above copyright
+ * holders shall not be used in advertising or otherwise to promote the
+ * sale, use or other dealings in this Software without prior written
+ * authorization.
+ */
+
+#include <cstring>
+#include <algorithm> // for std::min
+
+#include "fhstream.hpp"
+
+/*
+ * ofhstream
+ */
+
+ofhbuf::ofhbuf (void* arg_handle, size_t (*arg_write_fun)(void*, const void*, size_t))
+: handle(arg_handle),
+  write_fun(arg_write_fun),
+  buffer(new char[default_buffer_size]),
+  buffer_size(default_buffer_size)
+{
+	reset_buffer();
+}
+
+ofhbuf::~ofhbuf ()
+{
+	if (handle) {
+		try {
+			sync();
+		} catch (...) {
+			// Ignore exception since we're in the destructor.
+			// To catch write errors, call sync() explicitly.
+		}
+	}
+	delete[] buffer;
+}
+
+ofhbuf::int_type	ofhbuf::overflow (ofhbuf::int_type c)
+{
+	const char*	p = pbase();
+	std::streamsize	bytes_to_write = pptr() - p;
+
+	if (!is_eof(c)) {
+	      *pptr() = c;
+	      ++bytes_to_write;
+	}
+
+	while (bytes_to_write > 0) {
+		const size_t	bytes_written = write_fun(handle, p, bytes_to_write);
+		bytes_to_write -= bytes_written;
+		p += bytes_written;
+	}
+
+	reset_buffer();
+
+	return traits_type::to_int_type(0);
+}
+
+int		ofhbuf::sync ()
+{
+	return !is_eof(overflow(traits_type::eof())) ? 0 : -1;
+}
+
+std::streamsize	ofhbuf::xsputn (const char* s, std::streamsize n)
+{
+	// Use heuristic to decide whether to write directly or just use buffer
+	// Write directly only if n >= MIN(4096, available buffer capacity)
+	// (this is similar to what basic_filebuf does)
+
+	if (n < std::min<std::streamsize>(4096, epptr() - pptr())) {
+		// Not worth it to do a direct write
+		return std::streambuf::xsputn(s, n);
+	}
+
+	// Before we can do a direct write of this string, we need to flush
+	// out the current contents of the buffer.
+	if (pbase() != pptr()) {
+		overflow(traits_type::eof()); // throws an exception or it succeeds
+	}
+
+	// Now we can go ahead and write out the string.
+	size_t		bytes_to_write = n;
+
+	while (bytes_to_write > 0) {
+		const size_t	bytes_written = write_fun(handle, s, bytes_to_write);
+		bytes_to_write -= bytes_written;
+		s += bytes_written;
+	}
+
+	return n; // Return the total bytes written
+}
+
+std::streambuf*	ofhbuf::setbuf (char* s, std::streamsize n)
+{
+	if (s == 0 && n == 0) {
+		// Switch to unbuffered
+		// This won't take effect until the next overflow or sync
+		// (We defer it taking effect so that write errors can be properly reported)
+		// To cause it to take effect as soon as possible, we artificially reduce the
+		// size of the buffer so it has no space left.  This will trigger an overflow
+		// on the next put.
+		std::streambuf::setp(pbase(), pptr());
+		std::streambuf::pbump(pptr() - pbase());
+		buffer_size = 1;
+	}
+	return this;
+}
+
+
+
+/*
+ * ifhstream
+ */
+
+ifhbuf::ifhbuf (void* arg_handle, size_t (*arg_read_fun)(void*, void*, size_t))
+: handle(arg_handle),
+  read_fun(arg_read_fun),
+  buffer(new char[default_buffer_size + putback_size]),
+  buffer_size(default_buffer_size)
+{
+	reset_buffer(0, 0);
+}
+
+ifhbuf::~ifhbuf ()
+{
+	delete[] buffer;
+}
+
+ifhbuf::int_type	ifhbuf::underflow ()
+{
+	if (gptr() >= egptr()) { // A true underflow (no bytes in buffer left to read)
+
+		// Move the putback_size most-recently-read characters into the putback area
+		size_t		nputback = std::min<size_t>(gptr() - eback(), putback_size);
+		std::memmove(buffer + (putback_size - nputback), gptr() - nputback, nputback);
+
+		// Now read new characters from the file descriptor
+		const size_t	nread = read_fun(handle, buffer + putback_size, buffer_size);
+		if (nread == 0) {
+			// EOF
+			return traits_type::eof();
+		}
+
+		// Reset the buffer
+		reset_buffer(nputback, nread);
+	}
+
+	// Return the next character
+	return traits_type::to_int_type(*gptr());
+}
+
+std::streamsize	ifhbuf::xsgetn (char* s, std::streamsize n)
+{
+	// Use heuristic to decide whether to read directly
+	// Read directly only if n >= bytes_available + 4096
+
+	std::streamsize	bytes_available = egptr() - gptr();
+
+	if (n < bytes_available + 4096) {
+		// Not worth it to do a direct read
+		return std::streambuf::xsgetn(s, n);
+	}
+
+	std::streamsize	total_bytes_read = 0;
+
+	// First, copy out the bytes currently in the buffer
+	std::memcpy(s, gptr(), bytes_available);
+
+	s += bytes_available;
+	n -= bytes_available;
+	total_bytes_read += bytes_available;
+
+	// Now do the direct read
+	while (n > 0) {
+		const size_t	bytes_read = read_fun(handle, s, n);
+		if (bytes_read == 0) {
+			// EOF
+			break;
+		}
+
+		s += bytes_read;
+		n -= bytes_read;
+		total_bytes_read += bytes_read;
+	}
+
+	// Fill up the putback area with the most recently read characters
+	size_t		nputback = std::min<size_t>(total_bytes_read, putback_size);
+	std::memcpy(buffer + (putback_size - nputback), s - nputback, nputback);
+
+	// Reset the buffer with no bytes available for reading, but with some putback characters
+	reset_buffer(nputback, 0);
+
+	// Return the total number of bytes read
+	return total_bytes_read;
+}
+
+std::streambuf*	ifhbuf::setbuf (char* s, std::streamsize n)
+{
+	if (s == 0 && n == 0) {
+		// Switch to unbuffered
+		// This won't take effect until the next underflow (we don't want to
+		// lose what's currently in the buffer!)
+		buffer_size = 1;
+	}
+	return this;
+}

fhstream.hpp

@@ -0,0 +1,134 @@
+/*
+ * Copyright (C) 2012, 2015 Andrew Ayer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * Except as contained in this notice, the name(s) of the above copyright
+ * holders shall not be used in advertising or otherwise to promote the
+ * sale, use or other dealings in this Software without prior written
+ * authorization.
+ */
+
+#ifndef GIT_CRYPT_FHSTREAM_HPP
+#define GIT_CRYPT_FHSTREAM_HPP
+
+#include <ostream>
+#include <istream>
+#include <streambuf>
+
+/*
+ * ofhstream
+ */
+class ofhbuf : public std::streambuf {
+	enum { default_buffer_size = 8192 };
+
+	void*			handle;
+	size_t			(*write_fun)(void*, const void*, size_t);
+	char*			buffer;
+	size_t			buffer_size;
+
+	inline void reset_buffer ()
+	{
+		std::streambuf::setp(buffer, buffer + buffer_size - 1);
+	}
+	static inline bool is_eof (int_type ch) { return traits_type::eq_int_type(ch, traits_type::eof()); }
+
+	// Disallow copy
+#if __cplusplus >= 201103L /* C++11 */
+	ofhbuf (const ofhbuf&) = delete;
+	ofhbuf& operator= (const ofhbuf&) = delete;
+#else
+	ofhbuf (const ofhbuf&);
+	ofhbuf& operator= (const ofhbuf&);
+#endif
+
+protected:
+	virtual int_type	overflow (int_type ch =traits_type::eof());
+	virtual int		sync ();
+	virtual std::streamsize	xsputn (const char*, std::streamsize);
+	virtual	std::streambuf*	setbuf (char*, std::streamsize);
+
+public:
+	ofhbuf (void*, size_t (*)(void*, const void*, size_t));
+	~ofhbuf (); // WARNING: calls sync() and ignores exceptions
+};
+
+class ofhstream : public std::ostream {
+	mutable ofhbuf	buf;
+public:
+	ofhstream (void* handle, size_t (*write_fun)(void*, const void*, size_t))
+	: std::ostream(0), buf(handle, write_fun)
+	{
+		std::ostream::rdbuf(&buf);
+	}
+
+	ofhbuf*	rdbuf () const { return &buf; }
+};
+
+
+/*
+ * ifhstream
+ */
+class ifhbuf : public std::streambuf {
+	enum {
+		default_buffer_size = 8192,
+		putback_size = 4
+	};
+
+	void*			handle;
+	size_t			(*read_fun)(void*, void*, size_t);
+	char*			buffer;
+	size_t			buffer_size;
+
+	inline void reset_buffer (size_t nputback, size_t nread)
+	{
+		std::streambuf::setg(buffer + (putback_size - nputback), buffer + putback_size, buffer + putback_size + nread);
+	}
+	// Disallow copy
+#if __cplusplus >= 201103L /* C++11 */
+	ifhbuf (const ifhbuf&) = delete;
+	ifhbuf& operator= (const ifhbuf&) = delete;
+#else
+	ifhbuf (const ifhbuf&);
+	ifhbuf& operator= (const ifhbuf&);
+#endif
+
+protected:
+	virtual int_type	underflow ();
+	virtual std::streamsize	xsgetn (char*, std::streamsize);
+	virtual	std::streambuf*	setbuf (char*, std::streamsize);
+
+public:
+	ifhbuf (void*, size_t (*)(void*, void*, size_t));
+	~ifhbuf (); // Can't fail
+};
+
+class ifhstream : public std::istream {
+	mutable ifhbuf	buf;
+public:
+	explicit ifhstream (void* handle, size_t (*read_fun)(void*, void*, size_t))
+	: std::istream(0), buf(handle, read_fun)
+	{
+		std::istream::rdbuf(&buf);
+	}
+
+	ifhbuf*	rdbuf () const { return &buf; }
+};
+
+#endif

git-crypt.hpp

@@ -31,7 +31,7 @@
 #ifndef GIT_CRYPT_GIT_CRYPT_HPP
 #define GIT_CRYPT_GIT_CRYPT_HPP
 
-#define VERSION "0.4.2"
+#define VERSION "0.5.0"
 
 extern const char*	argv0;	// initialized in main() to argv[0]
 

gpg.cpp

@@ -102,10 +102,15 @@ std::vector<std::string> gpg_lookup_key (const std::string& query)
 	command.push_back(query);
 	std::stringstream		command_output;
 	if (successful_exit(exec_command(command, command_output))) {
+		bool			is_pubkey = false;
 		while (command_output.peek() != -1) {
 			std::string		line;
 			std::getline(command_output, line);
-			if (line.substr(0, 4) == "fpr:") {
+			if (line.substr(0, 4) == "pub:") {
+				is_pubkey = true;
+			} else if (line.substr(0, 4) == "sub:") {
+				is_pubkey = false;
+			} else if (is_pubkey && line.substr(0, 4) == "fpr:") {
 				// fpr:::::::::7A399B2DB06D039020CD1CE1D0F3702D61489532:
 				// want the 9th column (counting from 0)
 				fingerprints.push_back(gpg_nth_column(line, 9));
@@ -145,12 +150,16 @@ std::vector<std::string> gpg_list_secret_keys ()
 	return secret_keys;
 }
 
-void gpg_encrypt_to_file (const std::string& filename, const std::string& recipient_fingerprint, const char* p, size_t len)
+void gpg_encrypt_to_file (const std::string& filename, const std::string& recipient_fingerprint, bool key_is_trusted, const char* p, size_t len)
 {
 	// gpg --batch -o FILENAME -r RECIPIENT -e
 	std::vector<std::string>	command;
 	command.push_back("gpg");
 	command.push_back("--batch");
+	if (key_is_trusted) {
+		command.push_back("--trust-model");
+		command.push_back("always");
+	}
 	command.push_back("-o");
 	command.push_back(filename);
 	command.push_back("-r");

gpg.hpp

@@ -45,7 +45,7 @@ std::string			gpg_shorten_fingerprint (const std::string& fingerprint);
 std::string			gpg_get_uid (const std::string& fingerprint);
 std::vector<std::string>	gpg_lookup_key (const std::string& query);
 std::vector<std::string>	gpg_list_secret_keys ();
-void				gpg_encrypt_to_file (const std::string& filename, const std::string& recipient_fingerprint, const char* p, size_t len);
+void				gpg_encrypt_to_file (const std::string& filename, const std::string& recipient_fingerprint, bool key_is_trusted, const char* p, size_t len);
 void				gpg_decrypt_from_file (const std::string& filename, std::ostream&);
 
 #endif

man/git-crypt.xml

@@ -0,0 +1,493 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<refentry>
+	<!--
+		Copyright (c) 2015 Andrew Ayer
+
+		See COPYING file for license information.
+	-->
+	<refentryinfo>
+		<title>git-crypt</title>
+		<date>2015-05-30</date>
+		<productname>git-crypt 0.5.0</productname>
+
+		<author>
+			<othername>Andrew Ayer</othername>
+			<contrib></contrib>
+			<email>agwa@andrewayer.name</email>
+			<uri>https://www.agwa.name</uri>
+		</author>
+	</refentryinfo>
+
+	<refmeta>
+		<refentrytitle>git-crypt</refentrytitle>
+		<manvolnum>1</manvolnum>
+	</refmeta>
+
+	<refnamediv>
+		<refname>git-crypt</refname>
+		<refpurpose>transparent file encryption in Git</refpurpose>
+	</refnamediv>
+
+	<refsynopsisdiv>
+		<cmdsynopsis>
+			<command>git-crypt <arg choice="opt"><replaceable>OPTIONS</replaceable></arg> <arg choice="plain"><replaceable>COMMAND</replaceable></arg> <arg choice="opt" rep="repeat"><replaceable>ARGS</replaceable></arg></command>
+		</cmdsynopsis>
+	</refsynopsisdiv>
+
+	<refsynopsisdiv>
+		<title>Common commands</title>
+		<cmdsynopsis>
+			<command>git-crypt init</command>
+		</cmdsynopsis>
+		<cmdsynopsis>
+			<command>git-crypt status</command>
+		</cmdsynopsis>
+		<cmdsynopsis>
+			<command>git-crypt lock</command>
+		</cmdsynopsis>
+	</refsynopsisdiv>
+	<refsynopsisdiv>
+		<title>GPG commands</title>
+		<cmdsynopsis>
+			<command>git-crypt add-gpg-user <arg choice="plain"><replaceable>GPG_USER_ID</replaceable></arg></command>
+		</cmdsynopsis>
+		<cmdsynopsis>
+			<command>git-crypt unlock</command>
+		</cmdsynopsis>
+	</refsynopsisdiv>
+	<refsynopsisdiv>
+		<title>Symmetric key commands</title>
+		<cmdsynopsis>
+			<command>git-crypt export-key <arg choice="plain"><replaceable>OUTPUT_KEY_FILE</replaceable></arg></command>
+		</cmdsynopsis>
+		<cmdsynopsis>
+			<command>git-crypt unlock <arg choice="plain"><replaceable>KEY_FILE</replaceable></arg></command>
+		</cmdsynopsis>
+	</refsynopsisdiv>
+
+	<refsect1>
+		<title>Description</title>
+
+		<para>
+			<command>git-crypt</command> enables transparent encryption and decryption
+			of files in a git repository. Files which you choose to protect are encrypted when committed,
+			and decrypted when checked out. git-crypt lets you freely share a repository containing a mix of
+			public and private content. git-crypt gracefully degrades, so developers without the secret key
+			can still clone and commit to a repository with encrypted files. This lets you store your secret
+			material (such as keys or passwords) in the same repository as your code, without requiring you
+			to lock down your entire repository.  
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Commands</title>
+
+		<para>
+			<command>git-crypt</command> is logically divided into several sub-commands which
+			perform distinct tasks.  Each sub-command, and its arguments,
+			are documented below.  Note that arguments and options to sub-commands must be
+			specified on the command line <emphasis>after</emphasis> the name of the sub-command.
+		</para>
+
+		<variablelist>
+			<varlistentry>
+				<term><option>init <arg choice="opt"><replaceable>OPTIONS</replaceable></arg></option></term>
+				<listitem>
+					<para>
+						Generate a key and prepare the current Git repository to use git-crypt.
+					</para>
+
+					<para>
+						The following options are understood:
+					</para>
+					<variablelist>
+						<varlistentry>
+							<term><option>-k</option> <replaceable>KEY_NAME</replaceable></term>
+							<term><option>--key-name</option> <replaceable>KEY_NAME</replaceable></term>
+
+							<listitem>
+								<para>
+									Initialize the given key instead of the default key.  git-crypt
+									supports multiple keys per repository, allowing you to share
+									different files with different sets of collaborators.
+								</para>
+							</listitem>
+						</varlistentry>
+					</variablelist>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term><option>status <arg choice="opt"><replaceable>OPTIONS</replaceable></arg></option></term>
+				<listitem>
+					<para>
+						Display a list of files in the repository, with their status (encrypted or unencrypted).
+					</para>
+
+					<para>
+						The following options are understood:
+					</para>
+					<variablelist>
+						<varlistentry>
+							<term><option>-e</option></term>
+
+							<listitem>
+								<para>
+									Show only encrypted files.
+								</para>
+							</listitem>
+						</varlistentry>
+						<varlistentry>
+							<term><option>-u</option></term>
+
+							<listitem>
+								<para>
+									Show only unencrypted files.
+								</para>
+							</listitem>
+						</varlistentry>
+						<varlistentry>
+							<term><option>-f</option></term>
+							<term><option>--fix</option></term>
+
+							<listitem>
+								<para>
+									Encrypt files that should be encrypted but were
+									committed to the repository or added to the index
+									without encryption.  (This can happen if a file
+									is added before git-crypt is initialized or before
+									the file is added to the gitattributes file.)
+								</para>
+							</listitem>
+						</varlistentry>
+					</variablelist>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term><option>add-gpg-user <arg choice="opt"><replaceable>OPTIONS</replaceable></arg> <arg choice="plain" rep="repeat"><replaceable>GPG_USER_ID</replaceable></arg></option></term>
+				<listitem>
+					<para>
+						Add the users with the given GPG user IDs as collaborators.  Specifically,
+						git-crypt uses <citerefentry><refentrytitle>gpg</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+						to encrypt the shared symmetric key
+						to the public keys of each GPG user ID, and stores the GPG-encrypted
+						keys in the <filename>.git-crypt</filename> directory at the root of the repository.
+					</para>
+
+					<para>
+						<replaceable>GPG_USER_ID</replaceable> can be a key ID, a full fingerprint, an email address, or anything
+						else that uniquely identifies a public key to GPG (see "HOW TO SPECIFY
+						A USER ID" in the <citerefentry><refentrytitle>gpg</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+						man page).
+					</para>
+
+					<para>
+						The following options are understood:
+					</para>
+					<variablelist>
+						<varlistentry>
+							<term><option>-k</option> <replaceable>KEY_NAME</replaceable></term>
+							<term><option>--key-name</option> <replaceable>KEY_NAME</replaceable></term>
+
+							<listitem>
+								<para>
+									Grant access to the given key, rather than the default key.
+								</para>
+							</listitem>
+						</varlistentry>
+						<varlistentry>
+							<term><option>-n</option></term>
+							<term><option>--no-commit</option></term>
+
+							<listitem>
+								<para>
+									Don't automatically commit the changes to the <filename>.git-crypt</filename>
+									directory.
+								</para>
+							</listitem>
+						</varlistentry>
+						<varlistentry>
+							<term><option>--trusted</option></term>
+
+							<listitem>
+								<para>
+									Assume that the GPG keys specified on the command line are trusted;
+									i.e. they actually belong to the users that they claim to belong to.
+								</para>
+								<para>
+									Without this option, git-crypt uses the same trust model as GPG,
+									which is based on the Web of Trust by default.  Under this
+									model, git-crypt will reject GPG keys that do not have
+									trusted signatures.
+								</para>
+								<para>
+									If you don't want to use the Web of Trust, you can either change
+									GPG's trust model by setting the <option>trust-model</option>
+									option in <filename>~/.gnupg/gpg.conf</filename> (see
+									<citerefentry><refentrytitle>gpg</refentrytitle><manvolnum>1</manvolnum></citerefentry>),
+									or use the <option>--trusted</option> option to <command>add-gpg-user</command>
+									on a case-by-case basis.
+								</para>
+							</listitem>
+						</varlistentry>
+					</variablelist>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term><option>unlock <!--<arg choice="opt"><replaceable>OPTIONS</replaceable></arg> --><arg choice="opt" rep="repeat"><replaceable>KEY_FILE</replaceable></arg></option></term>
+				<listitem>
+					<para>
+						Decrypt the repository.  If one or more key files are specified on the command line,
+						git-crypt attempts to decrypt using those shared symmetric keys.  If no key files
+						are specified, git-crypt attempts to decrypt using a GPG-encrypted key stored in
+						the repository's .git-crypt directory.
+					</para>
+
+					<para>
+						This command takes no options.
+					</para>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term><option>export-key <arg choice="opt"><replaceable>OPTIONS</replaceable></arg> <arg choice="plain"><replaceable>FILENAME</replaceable></arg></option></term>
+				<listitem>
+					<para>
+						Export the repository's shared symmetric key to the given file.
+					</para>
+
+					<para>
+						The following options are understood:
+					</para>
+					<variablelist>
+						<varlistentry>
+							<term><option>-k</option> <replaceable>KEY_NAME</replaceable></term>
+							<term><option>--key-name</option> <replaceable>KEY_NAME</replaceable></term>
+
+							<listitem>
+								<para>
+									Export the given key, rather than the default key.
+								</para>
+							</listitem>
+						</varlistentry>
+					</variablelist>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term><option>help <arg choice="opt"><replaceable>COMMAND</replaceable></arg></option></term>
+				<listitem>
+					<para>
+						Display help for the given <arg choice="plain"><replaceable>COMMAND</replaceable></arg>,
+						or an overview of all commands if no command is specified.
+					</para>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term><option>version</option></term>
+				<listitem>
+					<para>
+						Print the currently-installed version of <command>git-crypt</command>.
+						The format of the output is always "git-crypt", followed by a space,
+						followed by the dotted version number.
+					</para>
+				</listitem>
+			</varlistentry>
+
+		</variablelist>
+	</refsect1>
+
+	<refsect1>
+		<title>Using git-crypt</title>
+
+		<para>
+			First, you prepare a repository to use git-crypt by running <command>git-crypt init</command>.
+		</para>
+
+		<para>
+			Then, you specify the files to encrypt by creating a
+			<citerefentry><refentrytitle>gitattributes</refentrytitle><manvolnum>5</manvolnum></citerefentry> file.
+			Each file which you want to encrypt should be assigned the "<literal>filter=git-crypt diff=git-crypt</literal>"
+			attributes.  For example:
+		</para>
+
+		<screen>secretfile filter=git-crypt diff=git-crypt&#10;*.key filter=git-crypt diff=git-crypt</screen>
+
+		<para>
+			Like a <filename>.gitignore</filename> file, <filename>.gitattributes</filename> files can match wildcards and
+			should be checked into the repository.  Make sure you don't accidentally encrypt the
+			<filename>.gitattributes</filename> file itself (or other git files like <filename>.gitignore</filename>
+			or <filename>.gitmodules</filename>).  Make sure your <filename>.gitattributes</filename> rules
+			are in place <emphasis>before</emphasis> you add sensitive files, or those files won't be encrypted!
+		</para>
+
+		<para>
+			To share the repository with others (or with yourself) using GPG, run:
+		</para>
+
+		<screen>git-crypt add-gpg-user <replaceable>GPG_USER_ID</replaceable></screen>
+
+		<para>
+			<replaceable>GPG_USER_ID</replaceable> can be a key ID, a full fingerprint, an email address, or anything
+			else that uniquely identifies a public key to GPG.  Note: <command>git-crypt add-gpg-user</command> will
+			add and commit a GPG-encrypted key file in the <filename>.git-crypt</filename> directory of
+			the root of your repository.
+		</para>
+
+		<para>
+			Alternatively, you can export a symmetric secret key, which you must
+			securely convey to collaborators (GPG is not required, and no files
+			are added to your repository):
+		</para>
+
+		<screen>git-crypt export-key <replaceable>/path/to/key</replaceable></screen>
+
+		<para>
+			After cloning a repository with encrypted files, unlock with with GPG:
+		</para>
+
+		<screen>git-crypt unlock</screen>
+
+		<para>
+			Or with a symmetric key:
+		</para>
+
+		<screen>git-crypt unlock /path/to/key</screen>
+
+		<para>
+			That's all you need to do - after git-crypt is set up (either with
+			<command>git-crypt init</command> or <command>git-crypt unlock</command>),
+			you can use git normally - encryption and decryption happen transparently.
+		</para>
+
+	</refsect1>
+
+	<refsect1>
+		<title>The .gitattributes file</title>
+
+		<para>
+			The <filename>.gitattributes</filename> file is documented in
+			<citerefentry><refentrytitle>gitattributes</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+			The file pattern format is the same as the one used by <filename>.gitignore</filename>,
+			as documented in <citerefentry><refentrytitle>gitignore</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+			with the exception that specifying merely a directory (e.g. "<literal>/dir/</literal>")
+			is <emphasis>not</emphasis> sufficient to encrypt all files beneath it.
+		</para>
+
+		<para>
+			Also note that the pattern "<literal>dir/*</literal>" does not match files under
+			sub-directories of dir/.  To encrypt an entire sub-tree dir/, place the
+			following in <filename>dir/.gitattributes</filename>:
+		</para>
+
+		<screen>* filter=git-crypt diff=git-crypt&#10;.gitattributes !filter !diff</screen>
+
+		<para>
+			The second pattern is essential for ensuring that <filename>.gitattributes</filename> itself
+			is not encrypted.
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Multiple Key Support</title>
+
+		<para>
+			In addition to the implicit default key, git-crypt supports alternative
+			keys which can be used to encrypt specific files and can be shared with
+			specific GPG users.  This is useful if you want to grant different
+			collaborators access to different sets of files.
+		</para>
+
+		<para>
+			To generate an alternative key named <replaceable>KEYNAME</replaceable>,
+			pass the <command>-k <replaceable>KEYNAME</replaceable></command>
+			option to <command>git-crypt init</command> as follows:
+		</para>
+
+		<screen>git-crypt init -k <replaceable>KEYNAME</replaceable></screen>
+
+		<para>
+			To encrypt a file with an alternative key, use the <literal>git-crypt-<replaceable>KEYNAME</replaceable></literal>
+			filter in <filename>.gitattributes</filename> as follows:
+		</para>
+
+		<screen><replaceable>secretfile</replaceable> filter=git-crypt-<replaceable>KEYNAME</replaceable> diff=git-crypt-<replaceable>KEYNAME</replaceable></screen>
+
+		<para>
+			To export an alternative key or share it with a GPG user, pass the
+			<command>-k <replaceable>KEYNAME</replaceable></command> option to
+			<command>git-crypt export-key</command> or <command>git-crypt add-gpg-user</command>
+			as follows:
+		</para>
+
+		<screen>git-crypt export-key -k <replaceable>KEYNAME</replaceable> <filename><replaceable>/path/to/keyfile</replaceable></filename>&#10;git-crypt add-gpg-user -k <replaceable>KEYNAME</replaceable> <replaceable>GPG_USER_ID</replaceable></screen>
+
+		<para>
+			To unlock a repository with an alternative key, use <command>git-crypt unlock</command>
+			normally.  git-crypt will automatically determine which key is being used.
+		</para>
+	</refsect1>
+	<!--
+	<refsect1>
+		<title>Global options</title>
+
+		<para>
+			The following options are understood by <command>git-crypt</command> and can
+			be used with any sub-command.  Since they apply globally
+			to <command>git-crypt</command>, they must be specified on the command line
+			<emphasis>before</emphasis> the sub-command name.
+		</para>
+		<variablelist>
+		</variablelist>
+	</refsect1>
+	-->
+
+	<!--
+	<refsect1>
+		<title>Files</title>
+		<variablelist>
+			<varlistentry>
+				<term><filename>/path/to/file</filename></term>
+				<listitem><para>Description.</para></listitem>
+			</varlistentry>
+		</variablelist>
+	</refsect1>
+	-->
+
+	<!--
+	<refsect1>
+		<title>Environment Variables</title>
+
+		<variablelist class='environment-variables'>
+			<varlistentry>
+				<term><varname>NAME</varname></term>
+				<listitem>
+					<para>Description.</para>
+				</listitem>
+			</varlistentry>
+		</variablelist>
+	</refsect1>
+	-->
+
+	<!-- TODO: examples section
+	<refsect1>
+		<title>Examples</title>
+
+		<para>Hello world?</para>
+	</refsect1>
+	-->
+
+	<refsect1>
+		<title>See Also</title>
+		<para>
+			<citerefentry><refentrytitle>git</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+			<citerefentry><refentrytitle>gitattributes</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+			<ulink url="https://www.agwa.name/projects/git-crypt">git-crypt home page</ulink>,
+			<ulink url="https://github.com/AGWA/git-crypt">GitHub repository</ulink>
+		</para>
+	</refsect1>
+
+</refentry>

man/man1/.gitignore

@@ -0,0 +1 @@
+git-crypt.1

parse_options.cpp

@@ -1,31 +1,28 @@
 /*
  * Copyright 2014 Andrew Ayer
  *
- * This file is part of git-crypt.
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
  *
- * git-crypt is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
  *
- * git-crypt is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
  *
- * You should have received a copy of the GNU General Public License
- * along with git-crypt.  If not, see <http://www.gnu.org/licenses/>.
- *
- * Additional permission under GNU GPL version 3 section 7:
- *
- * If you modify the Program, or any covered work, by linking or
- * combining it with the OpenSSL project's OpenSSL library (or a
- * modified version of that library), containing parts covered by the
- * terms of the OpenSSL or SSLeay licenses, the licensors of the Program
- * grant you additional permission to convey the resulting work.
- * Corresponding Source for a non-source form of such a combination
- * shall include the source code for the parts of OpenSSL used as well
- * as that of the covered work.
+ * Except as contained in this notice, the name(s) of the above copyright
+ * holders shall not be used in advertising or otherwise to promote the
+ * sale, use or other dealings in this Software without prior written
+ * authorization.
  */
 
 #include "parse_options.hpp"

parse_options.hpp

@@ -1,31 +1,28 @@
 /*
  * Copyright 2014 Andrew Ayer
  *
- * This file is part of git-crypt.
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
  *
- * git-crypt is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
  *
- * git-crypt is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
  *
- * You should have received a copy of the GNU General Public License
- * along with git-crypt.  If not, see <http://www.gnu.org/licenses/>.
- *
- * Additional permission under GNU GPL version 3 section 7:
- *
- * If you modify the Program, or any covered work, by linking or
- * combining it with the OpenSSL project's OpenSSL library (or a
- * modified version of that library), containing parts covered by the
- * terms of the OpenSSL or SSLeay licenses, the licensors of the Program
- * grant you additional permission to convey the resulting work.
- * Corresponding Source for a non-source form of such a combination
- * shall include the source code for the parts of OpenSSL used as well
- * as that of the covered work.
+ * Except as contained in this notice, the name(s) of the above copyright
+ * holders shall not be used in advertising or otherwise to promote the
+ * sale, use or other dealings in this Software without prior written
+ * authorization.
  */
 
 #ifndef PARSE_OPTIONS_HPP

util-unix.cpp

@@ -43,6 +43,8 @@
 #include <vector>
 #include <string>
 #include <cstring>
+#include <cstddef>
+#include <algorithm>
 
 std::string System_error::message () const
 {
@@ -160,134 +162,21 @@ std::string our_exe_path ()
 	}
 }
 
-static int execvp (const std::string& file, const std::vector<std::string>& args)
+int	exit_status (int wait_status)
 {
-	std::vector<const char*>	args_c_str;
-	args_c_str.reserve(args.size());
-	for (std::vector<std::string>::const_iterator arg(args.begin()); arg != args.end(); ++arg) {
-		args_c_str.push_back(arg->c_str());
-	}
-	args_c_str.push_back(NULL);
-	return execvp(file.c_str(), const_cast<char**>(&args_c_str[0]));
-}
-
-int exec_command (const std::vector<std::string>& command)
-{
-	pid_t		child = fork();
-	if (child == -1) {
-		throw System_error("fork", "", errno);
-	}
-	if (child == 0) {
-		execvp(command[0], command);
-		perror(command[0].c_str());
-		_exit(-1);
-	}
-	int		status = 0;
-	if (waitpid(child, &status, 0) == -1) {
-		throw System_error("waitpid", "", errno);
-	}
-	return status;
-}
-
-int exec_command (const std::vector<std::string>& command, std::ostream& output)
-{
-	int		pipefd[2];
-	if (pipe(pipefd) == -1) {
-		throw System_error("pipe", "", errno);
-	}
-	pid_t		child = fork();
-	if (child == -1) {
-		int	fork_errno = errno;
-		close(pipefd[0]);
-		close(pipefd[1]);
-		throw System_error("fork", "", fork_errno);
-	}
-	if (child == 0) {
-		close(pipefd[0]);
-		if (pipefd[1] != 1) {
-			dup2(pipefd[1], 1);
-			close(pipefd[1]);
-		}
-		execvp(command[0], command);
-		perror(command[0].c_str());
-		_exit(-1);
-	}
-	close(pipefd[1]);
-	char		buffer[1024];
-	ssize_t		bytes_read;
-	while ((bytes_read = read(pipefd[0], buffer, sizeof(buffer))) > 0) {
-		output.write(buffer, bytes_read);
-	}
-	if (bytes_read == -1) {
-		int	read_errno = errno;
-		close(pipefd[0]);
-		throw System_error("read", "", read_errno);
-	}
-	close(pipefd[0]);
-	int		status = 0;
-	if (waitpid(child, &status, 0) == -1) {
-		throw System_error("waitpid", "", errno);
-	}
-	return status;
-}
-
-int exec_command_with_input (const std::vector<std::string>& command, const char* p, size_t len)
-{
-	int		pipefd[2];
-	if (pipe(pipefd) == -1) {
-		throw System_error("pipe", "", errno);
-	}
-	pid_t		child = fork();
-	if (child == -1) {
-		int	fork_errno = errno;
-		close(pipefd[0]);
-		close(pipefd[1]);
-		throw System_error("fork", "", fork_errno);
-	}
-	if (child == 0) {
-		close(pipefd[1]);
-		if (pipefd[0] != 0) {
-			dup2(pipefd[0], 0);
-			close(pipefd[0]);
-		}
-		execvp(command[0], command);
-		perror(command[0].c_str());
-		_exit(-1);
-	}
-	close(pipefd[0]);
-	while (len > 0) {
-		ssize_t	bytes_written = write(pipefd[1], p, len);
-		if (bytes_written == -1) {
-			int	write_errno = errno;
-			close(pipefd[1]);
-			throw System_error("write", "", write_errno);
-		}
-		p += bytes_written;
-		len -= bytes_written;
-	}
-	close(pipefd[1]);
-	int		status = 0;
-	if (waitpid(child, &status, 0) == -1) {
-		throw System_error("waitpid", "", errno);
-	}
-	return status;
-}
-
-bool successful_exit (int status)
-{
-	return status != -1 && WIFEXITED(status) && WEXITSTATUS(status) == 0;
+	return wait_status != -1 && WIFEXITED(wait_status) ? WEXITSTATUS(wait_status) : -1;
 }
 
 void	touch_file (const std::string& filename)
 {
-	if (utimes(filename.c_str(), NULL) == -1) {
+	if (utimes(filename.c_str(), NULL) == -1 && errno != ENOENT) {
 		throw System_error("utimes", filename, errno);
 	}
 }
 
 void	remove_file (const std::string& filename)
 {
-	if (unlink(filename.c_str()) == -1) {
+	if (unlink(filename.c_str()) == -1 && errno != ENOENT) {
 		throw System_error("unlink", filename, errno);
 	}
 }
@@ -310,25 +199,47 @@ int util_rename (const char* from, const char* to)
 	return rename(from, to);
 }
 
-static int dirfilter (const struct dirent* ent)
+static size_t sizeof_dirent_for (DIR* p)
 {
-	// filter out . and ..
-	return std::strcmp(ent->d_name, ".") != 0 && std::strcmp(ent->d_name, "..") != 0;
+	long name_max = fpathconf(dirfd(p), _PC_NAME_MAX);
+	if (name_max == -1) {
+		#ifdef NAME_MAX
+		name_max = NAME_MAX;
+		#else
+		name_max = 255;
+		#endif
+	}
+	return offsetof(struct dirent, d_name) + name_max + 1; // final +1 is for d_name's null terminator
 }
 
 std::vector<std::string> get_directory_contents (const char* path)
 {
-	struct dirent**		namelist;
-	int			n = scandir(path, &namelist, dirfilter, alphasort);
-	if (n == -1) {
-		throw System_error("scandir", path, errno);
-	}
-	std::vector<std::string>	contents(n);
-	for (int i = 0; i < n; ++i) {
-		contents[i] = namelist[i]->d_name;
-		free(namelist[i]);
-	}
-	free(namelist);
+	std::vector<std::string>		contents;
 
+	DIR*					dir = opendir(path);
+	if (!dir) {
+		throw System_error("opendir", path, errno);
+	}
+	try {
+		std::vector<unsigned char>	buffer(sizeof_dirent_for(dir));
+		struct dirent*			dirent_buffer = reinterpret_cast<struct dirent*>(&buffer[0]);
+		struct dirent*			ent = NULL;
+		int				err = 0;
+		while ((err = readdir_r(dir, dirent_buffer, &ent)) == 0 && ent != NULL) {
+			if (std::strcmp(ent->d_name, ".") == 0 || std::strcmp(ent->d_name, "..") == 0) {
+				continue;
+			}
+			contents.push_back(ent->d_name);
+		}
+		if (err != 0) {
+			throw System_error("readdir_r", path, errno);
+		}
+	} catch (...) {
+		closedir(dir);
+		throw;
+	}
+	closedir(dir);
+
+	std::sort(contents.begin(), contents.end());
 	return contents;
 }

util-win32.cpp

@@ -125,207 +125,21 @@ std::string our_exe_path ()
 	return std::string(buffer.begin(), buffer.begin() + len);
 }
 
-static void escape_cmdline_argument (std::string& cmdline, const std::string& arg)
+int exit_status (int status)
 {
-	// For an explanation of Win32's arcane argument quoting rules, see:
-	//  http://msdn.microsoft.com/en-us/library/17w5ykft%28v=vs.85%29.aspx
-	//  http://msdn.microsoft.com/en-us/library/bb776391%28v=vs.85%29.aspx
-	//  http://blogs.msdn.com/b/twistylittlepassagesallalike/archive/2011/04/23/everyone-quotes-arguments-the-wrong-way.aspx
-	//  http://blogs.msdn.com/b/oldnewthing/archive/2010/09/17/10063629.aspx
-	cmdline.push_back('"');
-
-	std::string::const_iterator	p(arg.begin());
-	while (p != arg.end()) {
-		if (*p == '"') {
-			cmdline.push_back('\\');
-			cmdline.push_back('"');
-			++p;
-		} else if (*p == '\\') {
-			unsigned int	num_backslashes = 0;
-			while (p != arg.end() && *p == '\\') {
-				++num_backslashes;
-				++p;
-			}
-			if (p == arg.end() || *p == '"') {
-				// Backslashes need to be escaped
-				num_backslashes *= 2;
-			}
-			while (num_backslashes--) {
-				cmdline.push_back('\\');
-			}
-		} else {
-			cmdline.push_back(*p++);
-		}
-	}
-
-	cmdline.push_back('"');
-}
-
-static std::string format_cmdline (const std::vector<std::string>& command)
-{
-	std::string		cmdline;
-	for (std::vector<std::string>::const_iterator arg(command.begin()); arg != command.end(); ++arg) {
-		if (arg != command.begin()) {
-			cmdline.push_back(' ');
-		}
-		escape_cmdline_argument(cmdline, *arg);
-	}
-	return cmdline;
-}
-
-static int wait_for_child (HANDLE child_handle)
-{
-	if (WaitForSingleObject(child_handle, INFINITE) == WAIT_FAILED) {
-		throw System_error("WaitForSingleObject", "", GetLastError());
-	}
-
-	DWORD			exit_code;
-	if (!GetExitCodeProcess(child_handle, &exit_code)) {
-		throw System_error("GetExitCodeProcess", "", GetLastError());
-	}
-
-	return exit_code;
-}
-
-static HANDLE spawn_command (const std::vector<std::string>& command, HANDLE stdin_handle, HANDLE stdout_handle, HANDLE stderr_handle)
-{
-	PROCESS_INFORMATION	proc_info;
-	ZeroMemory(&proc_info, sizeof(proc_info));
-
-	STARTUPINFO		start_info;
-	ZeroMemory(&start_info, sizeof(start_info));
-
-	start_info.cb = sizeof(STARTUPINFO);
-	start_info.hStdInput = stdin_handle ? stdin_handle : GetStdHandle(STD_INPUT_HANDLE);
-	start_info.hStdOutput = stdout_handle ? stdout_handle : GetStdHandle(STD_OUTPUT_HANDLE);
-	start_info.hStdError = stderr_handle ? stderr_handle : GetStdHandle(STD_ERROR_HANDLE);
-	start_info.dwFlags |= STARTF_USESTDHANDLES;
-
-	std::string		cmdline(format_cmdline(command));
-
-	if (!CreateProcessA(NULL,		// application name (NULL to use command line)
-				const_cast<char*>(cmdline.c_str()),
-				NULL,		// process security attributes
-				NULL,		// primary thread security attributes
-				TRUE,		// handles are inherited
-				0,		// creation flags
-				NULL,		// use parent's environment
-				NULL,		// use parent's current directory
-				&start_info,
-				&proc_info)) {
-		throw System_error("CreateProcess", cmdline, GetLastError());
-	}
-
-	CloseHandle(proc_info.hThread);
-
-	return proc_info.hProcess;
-}
-
-int exec_command (const std::vector<std::string>& command)
-{
-	HANDLE			child_handle = spawn_command(command, NULL, NULL, NULL);
-	int			exit_code = wait_for_child(child_handle);
-	CloseHandle(child_handle);
-	return exit_code;
-}
-
-int exec_command (const std::vector<std::string>& command, std::ostream& output)
-{
-	HANDLE			stdout_pipe_reader = NULL;
-	HANDLE			stdout_pipe_writer = NULL;
-	SECURITY_ATTRIBUTES	sec_attr;
-
-	// Set the bInheritHandle flag so pipe handles are inherited.
-	sec_attr.nLength = sizeof(SECURITY_ATTRIBUTES);
-	sec_attr.bInheritHandle = TRUE;
-	sec_attr.lpSecurityDescriptor = NULL;
-
-	// Create a pipe for the child process's STDOUT.
-	if (!CreatePipe(&stdout_pipe_reader, &stdout_pipe_writer, &sec_attr, 0)) {
-		throw System_error("CreatePipe", "", GetLastError());
-	}
-
-	// Ensure the read handle to the pipe for STDOUT is not inherited.
-	if (!SetHandleInformation(stdout_pipe_reader, HANDLE_FLAG_INHERIT, 0)) {
-		throw System_error("SetHandleInformation", "", GetLastError());
-	}
-
-	HANDLE			child_handle = spawn_command(command, NULL, stdout_pipe_writer, NULL);
-	CloseHandle(stdout_pipe_writer);
-
-	// Read from stdout_pipe_reader.
-	// Note that ReadFile on a pipe may return with bytes_read==0 if the other
-	// end of the pipe writes zero bytes, so don't break out of the read loop
-	// when this happens.  When the other end of the pipe closes, ReadFile
-	// fails with ERROR_BROKEN_PIPE.
-	char			buffer[1024];
-	DWORD			bytes_read;
-	while (ReadFile(stdout_pipe_reader, buffer, sizeof(buffer), &bytes_read, NULL)) {
-		output.write(buffer, bytes_read);
-	}
-	const DWORD		read_error = GetLastError();
-	if (read_error != ERROR_BROKEN_PIPE) {
-		throw System_error("ReadFile", "", read_error);
-	}
-
-	CloseHandle(stdout_pipe_reader);
-
-	int			exit_code = wait_for_child(child_handle);
-	CloseHandle(child_handle);
-	return exit_code;
-}
-
-int exec_command_with_input (const std::vector<std::string>& command, const char* p, size_t len)
-{
-	HANDLE			stdin_pipe_reader = NULL;
-	HANDLE			stdin_pipe_writer = NULL;
-	SECURITY_ATTRIBUTES	sec_attr;
-
-	// Set the bInheritHandle flag so pipe handles are inherited.
-	sec_attr.nLength = sizeof(SECURITY_ATTRIBUTES);
-	sec_attr.bInheritHandle = TRUE;
-	sec_attr.lpSecurityDescriptor = NULL;
-
-	// Create a pipe for the child process's STDIN.
-	if (!CreatePipe(&stdin_pipe_reader, &stdin_pipe_writer, &sec_attr, 0)) {
-		throw System_error("CreatePipe", "", GetLastError());
-	}
-
-	// Ensure the write handle to the pipe for STDIN is not inherited.
-	if (!SetHandleInformation(stdin_pipe_writer, HANDLE_FLAG_INHERIT, 0)) {
-		throw System_error("SetHandleInformation", "", GetLastError());
-	}
-
-	HANDLE			child_handle = spawn_command(command, stdin_pipe_reader, NULL, NULL);
-	CloseHandle(stdin_pipe_reader);
-
-	// Write to stdin_pipe_writer.
-	while (len > 0) {
-		DWORD		bytes_written;
-		if (!WriteFile(stdin_pipe_writer, p, len, &bytes_written, NULL)) {
-			throw System_error("WriteFile", "", GetLastError());
-		}
-		p += bytes_written;
-		len -= bytes_written;
-	}
-
-	CloseHandle(stdin_pipe_writer);
-
-	int			exit_code = wait_for_child(child_handle);
-	CloseHandle(child_handle);
-	return exit_code;
-}
-
-bool successful_exit (int status)
-{
-	return status == 0;
+	return status;
 }
 
 void	touch_file (const std::string& filename)
 {
 	HANDLE	fh = CreateFileA(filename.c_str(), FILE_WRITE_ATTRIBUTES, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
 	if (fh == INVALID_HANDLE_VALUE) {
-		throw System_error("CreateFileA", filename, GetLastError());
+		DWORD	error = GetLastError();
+		if (error == ERROR_FILE_NOT_FOUND) {
+			return;
+		} else {
+			throw System_error("CreateFileA", filename, error);
+		}
 	}
 	SYSTEMTIME	system_time;
 	GetSystemTime(&system_time);
@@ -343,7 +157,12 @@ void	touch_file (const std::string& filename)
 void	remove_file (const std::string& filename)
 {
 	if (!DeleteFileA(filename.c_str())) {
-		throw System_error("DeleteFileA", filename, GetLastError());
+		DWORD	error = GetLastError();
+		if (error == ERROR_FILE_NOT_FOUND) {
+			return;
+		} else {
+			throw System_error("DeleteFileA", filename, error);
+		}
 	}
 }
 

util.cpp

@@ -30,9 +30,36 @@
 
 #include "git-crypt.hpp"
 #include "util.hpp"
+#include "coprocess.hpp"
 #include <string>
 #include <iostream>
 
+int exec_command (const std::vector<std::string>& args)
+{
+	Coprocess	proc;
+	proc.spawn(args);
+	return proc.wait();
+}
+
+int exec_command (const std::vector<std::string>& args, std::ostream& output)
+{
+	Coprocess	proc;
+	std::istream*	proc_stdout = proc.stdout_pipe();
+	proc.spawn(args);
+	output << proc_stdout->rdbuf();
+	return proc.wait();
+}
+
+int exec_command_with_input (const std::vector<std::string>& args, const char* p, size_t len)
+{
+	Coprocess	proc;
+	std::ostream*	proc_stdin = proc.stdin_pipe();
+	proc.spawn(args);
+	proc_stdin->write(p, len);
+	proc.close_stdin();
+	return proc.wait();
+}
+
 std::string	escape_shell_arg (const std::string& str)
 {
 	std::string	new_str;

util.hpp

@@ -63,9 +63,10 @@ std::string	our_exe_path ();
 int		exec_command (const std::vector<std::string>&);
 int		exec_command (const std::vector<std::string>&, std::ostream& output);
 int		exec_command_with_input (const std::vector<std::string>&, const char* p, size_t len);
-bool		successful_exit (int status);
-void		touch_file (const std::string&);
-void		remove_file (const std::string&);
+int		exit_status (int wait_status); // returns -1 if process did not exit (but was signaled, etc.)
+inline bool	successful_exit (int wait_status) { return exit_status(wait_status) == 0; }
+void		touch_file (const std::string&); // ignores non-existent files
+void		remove_file (const std::string&); // ignores non-existent files
 std::string	escape_shell_arg (const std::string&);
 uint32_t	load_be32 (const unsigned char*);
 void		store_be32 (unsigned char*, uint32_t);