Update debian/changelog for 0.6.0-1

Longer term, I will port git-crypt to OpenSSL 1.1.x.  This suffices for
now - git-crypt wouldn't have benefited from any of the 1.1 features
anyways.

.github/workflows/release-linux-arm64.yml

@@ -1,46 +0,0 @@
-on:
-  release:
-    types: [published]
-name: Build Release Binary (Linux ARM64)
-jobs:
-  build:
-    name: Build Release Binary
-    runs-on: ubuntu-22.04-arm
-    permissions:
-      contents: read
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-      - name: Install dependencies
-        run: sudo apt install libssl-dev
-      - name: Build binary
-        run: make
-      - name: Upload release artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: git-crypt-artifacts
-          path: git-crypt
-  upload:
-    name: Upload Release Binary
-    runs-on: ubuntu-latest
-    needs: build
-    permissions:
-      contents: write
-    steps:
-      - name: Download release artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: git-crypt-artifacts
-      - name: Upload release asset
-        uses: actions/github-script@v6
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const fs = require("fs").promises;
-            const { repo: { owner, repo }, sha } = context;
-            await github.rest.repos.uploadReleaseAsset({
-              owner, repo,
-              release_id: ${{ github.event.release.id }},
-              name: 'git-crypt-${{ github.event.release.name }}-linux-aarch64',
-              data: await fs.readFile('git-crypt'),
-            });

.github/workflows/release-linux.yml

@@ -1,46 +0,0 @@
-on:
-  release:
-    types: [published]
-name: Build Release Binary (Linux)
-jobs:
-  build:
-    name: Build Release Binary
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: read
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-      - name: Install dependencies
-        run: sudo apt install libssl-dev
-      - name: Build binary
-        run: make
-      - name: Upload release artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: git-crypt-artifacts
-          path: git-crypt
-  upload:
-    name: Upload Release Binary
-    runs-on: ubuntu-latest
-    needs: build
-    permissions:
-      contents: write
-    steps:
-      - name: Download release artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: git-crypt-artifacts
-      - name: Upload release asset
-        uses: actions/github-script@v6
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const fs = require("fs").promises;
-            const { repo: { owner, repo }, sha } = context;
-            await github.rest.repos.uploadReleaseAsset({
-              owner, repo,
-              release_id: ${{ github.event.release.id }},
-              name: 'git-crypt-${{ github.event.release.name }}-linux-x86_64',
-              data: await fs.readFile('git-crypt'),
-            });

.github/workflows/release-windows.yml

@@ -1,56 +0,0 @@
-on:
-  release:
-    types: [published]
-name: Build Release Binary (Windows)
-jobs:
-  build:
-    name: Build Release Binary
-    runs-on: windows-2022
-    permissions:
-      contents: read
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-      - name: Setup msys2
-        uses: msys2/setup-msys2@v2
-        with:
-          msystem: MINGW64
-          update: true
-          install: >-
-            base-devel
-            msys2-devel
-            mingw-w64-x86_64-toolchain
-            mingw-w64-x86_64-openssl
-            openssl-devel
-      - name: Build binary
-        shell: msys2 {0}
-        run: make LDFLAGS="-static-libstdc++ -static -lcrypto -lws2_32 -lcrypt32"
-      - name: Upload release artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: git-crypt-artifacts
-          path: git-crypt.exe
-  upload:
-    name: Upload Release Binary
-    runs-on: ubuntu-latest
-    needs: build
-    permissions:
-      contents: write
-    steps:
-      - name: Download release artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: git-crypt-artifacts
-      - name: Upload release asset
-        uses: actions/github-script@v6
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const fs = require("fs").promises;
-            const { repo: { owner, repo }, sha } = context;
-            await github.rest.repos.uploadReleaseAsset({
-              owner, repo,
-              release_id: ${{ github.event.release.id }},
-              name: 'git-crypt-${{ github.event.release.name }}-x86_64.exe',
-              data: await fs.readFile('git-crypt.exe'),
-            });

CONTRIBUTING.md

@@ -4,7 +4,8 @@ documentation, bug reports, or anything else that improves git-crypt.
 
 When contributing code, please consider the following guidelines:
 
- * You are encouraged to open an issue on GitHub to discuss any non-trivial
+ * You are encouraged to open an issue on GitHub or send mail to
+   git-crypt-discuss@lists.cloudmutt.com to discuss any non-trivial
    changes before you start coding.
 
  * Please mimic the existing code style as much as possible.  In
@@ -14,7 +15,8 @@ When contributing code, please consider the following guidelines:
  * To minimize merge commits, please rebase your changes before opening
    a pull request.
 
- * To submit your patch, open a pull request on GitHub.
+ * To submit your patch, open a pull request on GitHub or send a
+   properly-formatted patch to git-crypt-discuss@lists.cloudmutt.com.
 
 Finally, be aware that since git-crypt is security-sensitive software,
 the bar for contributions is higher than average.  Please don't be

Makefile

@@ -11,7 +11,7 @@ BINDIR ?= $(PREFIX)/bin
 MANDIR ?= $(PREFIX)/share/man
 
 ENABLE_MAN ?= no
-DOCBOOK_XSL ?= http://cdn.docbook.org/release/xsl-nons/current/manpages/docbook.xsl
+DOCBOOK_XSL ?= http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl
 
 OBJFILES = \
     git-crypt.o \
@@ -24,7 +24,7 @@ OBJFILES = \
     coprocess.o \
     fhstream.o
 
-OBJFILES += crypto-openssl-11.o
+OBJFILES += crypto-openssl-10.o crypto-openssl-11.o
 LDFLAGS += -lcrypto
 
 XSLTPROC ?= xsltproc

NEWS

@@ -0,0 +1,70 @@
+v0.6.0 (2017-11-26)
+  * Add support for OpenSSL 1.1 (still works with OpenSSL 1.0).
+  * Switch to C++11 (gcc 4.9 or higher now required to build).
+  * Allow GPG to fail on some keys (makes unlock work better if there are
+    multiple keys that can unlock the repo but only some are available).
+  * Allow the repo state directory to be configured with the
+    git-crypt.repoStateDir git config option.
+  * Respect the gpg.program git config option.
+  * Don't hard code path to git-crypt in .git/config on Linux (ensures
+    repo continues to work if git-crypt is moved).
+  * Ensure git-crypt's gpg files won't be treated as text by Git.
+  * Minor improvements to build system, documentation.
+
+v0.5.0 (2015-05-30)
+  * Drastically speed up lock/unlock when used with Git 1.8.5 or newer.
+  * Add git-crypt(1) man page (pass ENABLE_MAN=yes to make to build).
+  * Add --trusted option to 'git-crypt gpg-add-user' to add user even if
+    GPG doesn't trust user's key.
+  * Improve 'git-crypt lock' usability, add --force option.
+  * Ignore symlinks and other non-files when running 'git-crypt status'.
+  * Fix compilation on old versions of Mac OS X.
+  * Fix GPG mode when with-fingerprint enabled in gpg.conf.
+  * Minor bug fixes and improvements to help/error messages.
+
+v0.4.2 (2015-01-31)
+  * Fix unlock and lock under Git 2.2.2 and higher.
+  * Drop support for versions of Git older than 1.7.2.
+  * Minor improvements to some help/error messages.
+
+v0.4.1 (2015-01-08)
+  * Important usability fix to ensure that the .git-crypt directory
+    can't be encrypted by accident (see RELEASE_NOTES-0.4.1.md for
+    more information).
+
+v0.4 (2014-11-16)
+  (See RELEASE_NOTES-0.4.md for important details.)
+  * Add optional GPG support: GPG can be used to share the repository
+    between one or more users in lieu of sharing a secret key.
+  * New workflow: the symmetric key is now stored inside the .git
+    directory.  Although backwards compatibility has been preserved
+    with repositories created by old versions of git-crypt, the
+    commands for setting up a repository have changed.  See the
+    release notes file for details.
+  * Multiple key support: it's now possible to encrypt different parts
+    of a repository with different keys.
+  * Initial 'git-crypt status' command to report which files are
+    encrypted and to fix problems that are detected.
+  * Numerous usability, documentation, and error reporting improvements.
+  * Major internal code improvements that will make future development
+    easier.
+  * Initial experimental Windows support.
+
+v0.3 (2013-04-05)
+  * Fix 'git-crypt init' on newer versions of Git.  Previously,
+    encrypted files were not being automatically decrypted after
+    running 'git-crypt init' with recent versions of Git.
+  * Allow 'git-crypt init' to be run even if the working tree contains
+    untracked files.
+  * 'git-crypt init' now properly escapes arguments to the filter
+    commands it configures, allowing both the path to git-crypt and the
+    path to the key file to contain arbitrary characters such as spaces.
+
+v0.2 (2013-01-25)
+  * Numerous improvements to 'git-crypt init' usability.
+  * Fix gitattributes example in README: the old example showed a colon
+    after the filename where there shouldn't be one.
+  * Various build fixes and improvements.
+
+v0.1 (2012-11-29)
+  * Initial release.

NEWS.md

@@ -1,15 +1,7 @@
-# Change Log
+News
+====
 
-## v0.8.0 (2025-09-23)
+######v0.6.0 (2017-11-26)
-* Remove OpenSSL 1.0 support, fix compilation with OpenSSL 3.
-* Avoid use of problematic short GPG key IDs.
-
-## v0.7.0 (2022-04-21)
-* Avoid "argument list too long" errors on macOS.
-* Fix handling of "-" arguments.
-* Minor documentation improvements.
-
-## v0.6.0 (2017-11-26)
 * Add support for OpenSSL 1.1 (still works with OpenSSL 1.0).
 * Switch to C++11 (gcc 4.9 or higher now required to build).
 * Allow GPG to fail on some keys (makes unlock work better if there are
@@ -22,7 +14,7 @@
 * Ensure git-crypt's gpg files won't be treated as text by Git.
 * Minor improvements to build system, documentation.
 
-## v0.5.0 (2015-05-30)
+######v0.5.0 (2015-05-30)
 * Drastically speed up lock/unlock when used with Git 1.8.5 or newer.
 * Add git-crypt(1) man page (pass `ENABLE_MAN=yes` to make to build).
 * Add --trusted option to `git-crypt gpg-add-user` to add user even if
@@ -33,49 +25,49 @@
 * Fix GPG mode when with-fingerprint enabled in gpg.conf.
 * Minor bug fixes and improvements to help/error messages.
 
-## v0.4.2 (2015-01-31)
+######v0.4.2 (2015-01-31)
 * Fix unlock and lock under Git 2.2.2 and higher.
 * Drop support for versions of Git older than 1.7.2.
 * Minor improvements to some help/error messages.
 
-## v0.4.1 (2015-01-08)
+######v0.4.1 (2015-01-08)
 * Important usability fix to ensure that the .git-crypt directory
   can't be encrypted by accident (see
   [the release notes](RELEASE_NOTES-0.4.1.md) for more information).
 
-## v0.4 (2014-11-16)
+######v0.4 (2014-11-16)
 (See [the release notes](RELEASE_NOTES-0.4.md) for important details.)
-* Add optional GPG support: GPG can be used to share the repository
+*   Add optional GPG support: GPG can be used to share the repository
-  between one or more users in lieu of sharing a secret key.
+    between one or more users in lieu of sharing a secret key.
-* New workflow: the symmetric key is now stored inside the .git
+*   New workflow: the symmetric key is now stored inside the .git
-  directory.  Although backwards compatibility has been preserved
+    directory.  Although backwards compatibility has been preserved
-  with repositories created by old versions of git-crypt, the
+    with repositories created by old versions of git-crypt, the
-  commands for setting up a repository have changed.  See the
+    commands for setting up a repository have changed.  See the
-  release notes file for details.
+    release notes file for details.
-* Multiple key support: it's now possible to encrypt different parts
+*   Multiple key support: it's now possible to encrypt different parts
-  of a repository with different keys.
+    of a repository with different keys.
-* Initial `git-crypt status` command to report which files are
+*   Initial `git-crypt status` command to report which files are
-  encrypted and to fix problems that are detected.
+    encrypted and to fix problems that are detected.
-* Numerous usability, documentation, and error reporting improvements.
+*   Numerous usability, documentation, and error reporting improvements.
-* Major internal code improvements that will make future development
+*   Major internal code improvements that will make future development
-  easier.
+    easier.
-* Initial experimental Windows support.
+*   Initial experimental Windows support.
 
-## v0.3 (2013-04-05)
+######v0.3 (2013-04-05)
-* Fix `git-crypt init` on newer versions of Git.  Previously,
+*   Fix `git-crypt init` on newer versions of Git.  Previously,
-  encrypted files were not being automatically decrypted after running
+    encrypted files were not being automatically decrypted after running
-  `git-crypt init` with recent versions of Git.
+    `git-crypt init` with recent versions of Git.
-* Allow `git-crypt init` to be run even if the working tree contains
+*   Allow `git-crypt init` to be run even if the working tree contains
-  untracked files.
+    untracked files.
-* `git-crypt init` now properly escapes arguments to the filter
+*   `git-crypt init` now properly escapes arguments to the filter
-  commands it configures, allowing both the path to git-crypt and the
+    commands it configures, allowing both the path to git-crypt and the
-  path to the key file to contain arbitrary characters such as spaces.
+    path to the key file to contain arbitrary characters such as spaces.
 
-## v0.2 (2013-01-25)
+######v0.2 (2013-01-25)
-* Numerous improvements to `git-crypt init` usability.
+*   Numerous improvements to `git-crypt init` usability.
-* Fix gitattributes example in [README](README.md): the old example
+*   Fix gitattributes example in [README](README.md): the old example
-  showed a colon after the filename where there shouldn't be one.
+    showed a colon after the filename where there shouldn't be one.
-* Various build fixes and improvements.
+*   Various build fixes and improvements.
 
-## v0.1 (2012-11-29)
+######v0.1 (2012-11-29)
-* Initial release.
+*   Initial release.

README

@@ -0,0 +1,157 @@
+ABOUT GIT-CRYPT
+
+git-crypt enables transparent encryption and decryption of files in a
+git repository.  Files which you choose to protect are encrypted when
+committed, and decrypted when checked out.  git-crypt lets you freely
+share a repository containing a mix of public and private content.
+git-crypt gracefully degrades, so developers without the secret key can
+still clone and commit to a repository with encrypted files.  This lets
+you store your secret material (such as keys or passwords) in the same
+repository as your code, without requiring you to lock down your entire
+repository.
+
+git-crypt was written by Andrew Ayer <agwa@andrewayer.name>.  For more
+information, see <https://www.agwa.name/projects/git-crypt>.
+
+
+BUILDING GIT-CRYPT
+
+See the INSTALL file.
+
+
+USING GIT-CRYPT
+
+Configure a repository to use git-crypt:
+
+	$ cd repo
+	$ git-crypt init
+
+Specify files to encrypt by creating a .gitattributes file:
+
+	secretfile filter=git-crypt diff=git-crypt
+	*.key filter=git-crypt diff=git-crypt
+
+Like a .gitignore file, it can match wildcards and should be checked into
+the repository.  See below for more information about .gitattributes.
+Make sure you don't accidentally encrypt the .gitattributes file itself
+(or other git files like .gitignore or .gitmodules).  Make sure your
+.gitattributes rules are in place *before* you add sensitive files, or
+those files won't be encrypted!
+
+Share the repository with others (or with yourself) using GPG:
+
+	$ git-crypt add-gpg-user USER_ID
+
+USER_ID can be a key ID, a full fingerprint, an email address, or anything
+else that uniquely identifies a public key to GPG (see "HOW TO SPECIFY
+A USER ID" in the gpg man page).  Note: `git-crypt add-gpg-user` will
+add and commit a GPG-encrypted key file in the .git-crypt directory of
+the root of your repository.
+
+Alternatively, you can export a symmetric secret key, which you must
+securely convey to collaborators (GPG is not required, and no files
+are added to your repository):
+
+	$ git-crypt export-key /path/to/key
+
+After cloning a repository with encrypted files, unlock with with GPG:
+
+	$ git-crypt unlock
+
+Or with a symmetric key:
+
+	$ git-crypt unlock /path/to/key
+
+That's all you need to do - after git-crypt is set up (either with
+`git-crypt init` or `git-crypt unlock`), you can use git normally -
+encryption and decryption happen transparently.
+
+
+CURRENT STATUS
+
+The latest version of git-crypt is 0.6.0, released on 2017-11-26.
+git-crypt aims to be bug-free and reliable, meaning it shouldn't
+crash, malfunction, or expose your confidential data.  However,
+it has not yet reached maturity, meaning it is not as documented,
+featureful, or easy-to-use as it should be.  Additionally, there may be
+backwards-incompatible changes introduced before version 1.0.
+
+
+SECURITY
+
+git-crypt is more secure than other transparent git encryption systems.
+git-crypt encrypts files using AES-256 in CTR mode with a synthetic IV
+derived from the SHA-1 HMAC of the file.  This mode of operation is
+provably semantically secure under deterministic chosen-plaintext attack.
+That means that although the encryption is deterministic (which is
+required so git can distinguish when a file has and hasn't changed),
+it leaks no information beyond whether two files are identical or not.
+Other proposals for transparent git encryption use ECB or CBC with a
+fixed IV.  These systems are not semantically secure and leak information.
+
+
+LIMITATIONS
+
+git-crypt relies on git filters, which were not designed with encryption
+in mind.  As such, git-crypt is not the best tool for encrypting most or
+all of the files in a repository. Where git-crypt really shines is where
+most of your repository is public, but you have a few files (perhaps
+private keys named *.key, or a file with API credentials) which you
+need to encrypt.  For encrypting an entire repository, consider using a
+system like git-remote-gcrypt <https://spwhitton.name/tech/code/git-remote-gcrypt/>
+instead.  (Note: no endorsement is made of git-remote-gcrypt's security.)
+
+git-crypt does not encrypt file names, commit messages, symlink targets,
+gitlinks, or other metadata.
+
+git-crypt does not hide when a file does or doesn't change, the length
+of a file, or the fact that two files are identical (see "Security"
+section above).
+
+Files encrypted with git-crypt are not compressible.  Even the smallest
+change to an encrypted file requires git to store the entire changed file,
+instead of just a delta.
+
+Although git-crypt protects individual file contents with a SHA-1
+HMAC, git-crypt cannot be used securely unless the entire repository is
+protected against tampering (an attacker who can mutate your repository
+can alter your .gitattributes file to disable encryption).  If necessary,
+use git features such as signed tags instead of relying solely on
+git-crypt for integrity.
+
+Files encrypted with git-crypt cannot be patched with git-apply, unless
+the patch itself is encrypted.  To generate an encrypted patch, use `git
+diff --no-textconv --binary`.  Alternatively, you can apply a plaintext
+patch outside of git using the patch command.
+
+git-crypt does not work reliably with some third-party git GUIs, such
+as Atlassian SourceTree <https://jira.atlassian.com/browse/SRCTREE-2511>
+and GitHub for Mac.  Files might be left in an unencrypted state.
+
+
+GITATTRIBUTES FILE
+
+The .gitattributes file is documented in the gitattributes(5) man page.
+The file pattern format is the same as the one used by .gitignore,
+as documented in the gitignore(5) man page, with the exception that
+specifying merely a directory (e.g. `/dir/`) is NOT sufficient to
+encrypt all files beneath it.
+
+Also note that the pattern `dir/*` does not match files under
+sub-directories of dir/.  To encrypt an entire sub-tree dir/, place the
+following in dir/.gitattributes:
+
+	* filter=git-crypt diff=git-crypt
+	.gitattributes !filter !diff
+
+The second pattern is essential for ensuring that .gitattributes itself
+is not encrypted.
+
+
+MAILING LISTS
+
+To stay abreast of, and provide input to, git-crypt development, consider
+subscribing to one or both of our mailing lists:
+
+Announcements: https://lists.cloudmutt.com/mailman/listinfo/git-crypt-announce
+Discussion:    https://lists.cloudmutt.com/mailman/listinfo/git-crypt-discuss

README.md

@@ -31,7 +31,6 @@ Specify files to encrypt by creating a .gitattributes file:
 
     secretfile filter=git-crypt diff=git-crypt
     *.key filter=git-crypt diff=git-crypt
-    secretdir/** filter=git-crypt diff=git-crypt
 
 Like a .gitignore file, it can match wildcards and should be checked into
 the repository.  See below for more information about .gitattributes.
@@ -56,7 +55,7 @@ are added to your repository):
 
     git-crypt export-key /path/to/key
 
-After cloning a repository with encrypted files, unlock with GPG:
+After cloning a repository with encrypted files, unlock with with GPG:
 
     git-crypt unlock
 
@@ -71,8 +70,8 @@ encryption and decryption happen transparently.
 Current Status
 --------------
 
-The latest version of git-crypt is [0.8.0](NEWS.md), released on
+The latest version of git-crypt is [0.6.0](NEWS.md), released on
-2025-09-23.  git-crypt aims to be bug-free and reliable, meaning it
+2017-11-26.  git-crypt aims to be bug-free and reliable, meaning it
 shouldn't crash, malfunction, or expose your confidential data.
 However, it has not yet reached maturity, meaning it is not as
 documented, featureful, or easy-to-use as it should be.  Additionally,
@@ -111,16 +110,6 @@ git-crypt does not hide when a file does or doesn't change, the length
 of a file, or the fact that two files are identical (see "Security"
 section above).
 
-git-crypt does not support revoking access to an encrypted repository
-which was previously granted. This applies to both multi-user GPG
-mode (there's no del-gpg-user command to complement add-gpg-user)
-and also symmetric key mode (there's no support for rotating the key).
-This is because it is an inherently complex problem in the context
-of historical data. For example, even if a key was rotated at one
-point in history, a user having the previous key can still access
-previous repository history. This problem is discussed in more detail in
-<https://github.com/AGWA/git-crypt/issues/47>.
-
 Files encrypted with git-crypt are not compressible.  Even the smallest
 change to an encrypted file requires git to store the entire changed file,
 instead of just a delta.
@@ -151,12 +140,20 @@ specifying merely a directory (e.g. `/dir/`) is *not* sufficient to
 encrypt all files beneath it.
 
 Also note that the pattern `dir/*` does not match files under
-sub-directories of dir/.  To encrypt an entire sub-tree dir/, use `dir/**`:
+sub-directories of dir/.  To encrypt an entire sub-tree dir/, place the
-
+following in dir/.gitattributes:
-    dir/** filter=git-crypt diff=git-crypt
-
-The .gitattributes file must not be encrypted, so make sure wildcards don't
-match it accidentally.  If necessary, you can exclude .gitattributes from
-encryption like this:
 
+    * filter=git-crypt diff=git-crypt
     .gitattributes !filter !diff
+
+The second pattern is essential for ensuring that .gitattributes itself
+is not encrypted.
+
+Mailing Lists
+-------------
+
+To stay abreast of, and provide input to, git-crypt development,
+consider subscribing to one or both of our mailing lists:
+
+* [Announcements](https://lists.cloudmutt.com/mailman/listinfo/git-crypt-announce)
+* [Discussion](https://lists.cloudmutt.com/mailman/listinfo/git-crypt-discuss)

commands.cpp

@@ -51,12 +51,6 @@
 #include <exception>
 #include <vector>
 
-enum {
-	// # of arguments per git checkout call; must be large enough to be efficient but small
-	// enough to avoid operating system limits on argument length
-	GIT_CHECKOUT_BATCH_SIZE = 100
-};
-
 static std::string attribute_name (const char* key_name)
 {
 	if (key_name) {
@@ -189,19 +183,15 @@ static void deconfigure_git_filters (const char* key_name)
 	}
 }
 
-static bool git_checkout_batch (std::vector<std::string>::const_iterator paths_begin, std::vector<std::string>::const_iterator paths_end)
+static bool git_checkout (const std::vector<std::string>& paths)
 {
-	if (paths_begin == paths_end) {
-		return true;
-	}
-
 	std::vector<std::string>	command;
 
 	command.push_back("git");
 	command.push_back("checkout");
 	command.push_back("--");
 
-	for (auto path(paths_begin); path != paths_end; ++path) {
+	for (std::vector<std::string>::const_iterator path(paths.begin()); path != paths.end(); ++path) {
 		command.push_back(*path);
 	}
 
@@ -212,18 +202,6 @@ static bool git_checkout_batch (std::vector<std::string>::const_iterator paths_b
 	return true;
 }
 
-static bool git_checkout (const std::vector<std::string>& paths)
-{
-	auto paths_begin(paths.begin());
-	while (paths.end() - paths_begin >= GIT_CHECKOUT_BATCH_SIZE) {
-		if (!git_checkout_batch(paths_begin, paths_begin + GIT_CHECKOUT_BATCH_SIZE)) {
-			return false;
-		}
-		paths_begin += GIT_CHECKOUT_BATCH_SIZE;
-	}
-	return git_checkout_batch(paths_begin, paths.end());
-}
-
 static bool same_key_name (const char* a, const char* b)
 {
 	return (!a && !b) || (a && b && std::strcmp(a, b) == 0);
@@ -1193,7 +1171,7 @@ int lock (int argc, const char** argv)
 	}
 	if (!git_checkout(encrypted_files)) {
 		std::clog << "Error: 'git checkout' failed" << std::endl;
-		std::clog << "git-crypt has been locked up but existing decrypted files have not been encrypted" << std::endl;
+		std::clog << "git-crypt has been locked but up but existing decrypted files have not been encrypted" << std::endl;
 		return 1;
 	}
 
@@ -1297,8 +1275,7 @@ int add_gpg_user (int argc, const char** argv)
 			std::ostringstream	commit_message_builder;
 			commit_message_builder << "Add " << collab_keys.size() << " git-crypt collaborator" << (collab_keys.size() != 1 ? "s" : "") << "\n\nNew collaborators:\n\n";
 			for (std::vector<std::pair<std::string, bool> >::const_iterator collab(collab_keys.begin()); collab != collab_keys.end(); ++collab) {
-				commit_message_builder << "    " << collab->first << '\n';
+				commit_message_builder << '\t' << gpg_shorten_fingerprint(collab->first) << ' ' << gpg_get_uid(collab->first) << '\n';
-				commit_message_builder << "        " << gpg_get_uid(collab->first) << '\n';
 			}
 
 			// git commit -m MESSAGE NEW_FILE ...

crypto-openssl-10.cpp

@@ -0,0 +1,120 @@
+/*
+ * Copyright 2012, 2014 Andrew Ayer
+ *
+ * This file is part of git-crypt.
+ *
+ * git-crypt is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * git-crypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with git-crypt.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Additional permission under GNU GPL version 3 section 7:
+ *
+ * If you modify the Program, or any covered work, by linking or
+ * combining it with the OpenSSL project's OpenSSL library (or a
+ * modified version of that library), containing parts covered by the
+ * terms of the OpenSSL or SSLeay licenses, the licensors of the Program
+ * grant you additional permission to convey the resulting work.
+ * Corresponding Source for a non-source form of such a combination
+ * shall include the source code for the parts of OpenSSL used as well
+ * as that of the covered work.
+ */
+
+#include <openssl/opensslconf.h>
+
+#if !defined(OPENSSL_API_COMPAT)
+
+#include "crypto.hpp"
+#include "key.hpp"
+#include "util.hpp"
+#include <openssl/aes.h>
+#include <openssl/sha.h>
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#include <sstream>
+#include <cstring>
+
+void init_crypto ()
+{
+	ERR_load_crypto_strings();
+}
+
+struct Aes_ecb_encryptor::Aes_impl {
+	AES_KEY key;
+};
+
+Aes_ecb_encryptor::Aes_ecb_encryptor (const unsigned char* raw_key)
+: impl(new Aes_impl)
+{
+	if (AES_set_encrypt_key(raw_key, KEY_LEN * 8, &(impl->key)) != 0) {
+		throw Crypto_error("Aes_ctr_encryptor::Aes_ctr_encryptor", "AES_set_encrypt_key failed");
+	}
+}
+
+Aes_ecb_encryptor::~Aes_ecb_encryptor ()
+{
+	// Note: Explicit destructor necessary because class contains an unique_ptr
+	// which contains an incomplete type when the unique_ptr is declared.
+
+	explicit_memset(&impl->key, '\0', sizeof(impl->key));
+}
+
+void Aes_ecb_encryptor::encrypt(const unsigned char* plain, unsigned char* cipher)
+{
+	AES_encrypt(plain, cipher, &(impl->key));
+}
+
+struct Hmac_sha1_state::Hmac_impl {
+	HMAC_CTX ctx;
+};
+
+Hmac_sha1_state::Hmac_sha1_state (const unsigned char* key, size_t key_len)
+: impl(new Hmac_impl)
+{
+	HMAC_Init(&(impl->ctx), key, key_len, EVP_sha1());
+}
+
+Hmac_sha1_state::~Hmac_sha1_state ()
+{
+	// Note: Explicit destructor necessary because class contains an unique_ptr
+	// which contains an incomplete type when the unique_ptr is declared.
+
+	HMAC_cleanup(&(impl->ctx));
+}
+
+void Hmac_sha1_state::add (const unsigned char* buffer, size_t buffer_len)
+{
+	HMAC_Update(&(impl->ctx), buffer, buffer_len);
+}
+
+void Hmac_sha1_state::get (unsigned char* digest)
+{
+	unsigned int len;
+	HMAC_Final(&(impl->ctx), digest, &len);
+}
+
+
+void random_bytes (unsigned char* buffer, size_t len)
+{
+	if (RAND_bytes(buffer, len) != 1) {
+		std::ostringstream	message;
+		while (unsigned long code = ERR_get_error()) {
+			char		error_string[120];
+			ERR_error_string_n(code, error_string, sizeof(error_string));
+			message << "OpenSSL Error: " << error_string << "; ";
+		}
+		throw Crypto_error("random_bytes", message.str());
+	}
+}
+
+#endif

crypto-openssl-11.cpp

@@ -28,6 +28,10 @@
  * as that of the covered work.
  */
 
+#include <openssl/opensslconf.h>
+
+#if defined(OPENSSL_API_COMPAT)
+
 #include "crypto.hpp"
 #include "key.hpp"
 #include "util.hpp"
@@ -111,3 +115,5 @@ void random_bytes (unsigned char* buffer, size_t len)
 		throw Crypto_error("random_bytes", message.str());
 	}
 }
+
+#endif

debian/changelog

@@ -0,0 +1,19 @@
+git-crypt (0.6.0-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Build against OpenSSL 1.1.  (Closes: #851078)
+
+ -- Andrew Ayer <agwa@andrewayer.name>  Sun, 26 Nov 2017 10:35:27 -0800
+
+git-crypt (0.5.0-2) unstable; urgency=medium
+
+  * Build against OpenSSL 1.0.x.  (Closes: #828312)
+  * Bump standards version (no changes needed).
+
+ -- Andrew Ayer <agwa@andrewayer.name>  Wed, 23 Nov 2016 12:51:51 -0800
+
+git-crypt (0.5.0-1) unstable; urgency=medium
+
+  * Initial release. (Closes: #785346)
+
+ -- Andrew Ayer <agwa@andrewayer.name>  Sat, 30 May 2015 20:22:22 -0700

debian/compat

@@ -0,0 +1 @@
+9

debian/control

@@ -0,0 +1,24 @@
+Source: git-crypt
+Maintainer: Andrew Ayer <agwa@andrewayer.name>
+Section: vcs
+Priority: optional
+Standards-Version: 3.9.8
+Build-Depends: debhelper (>= 9), libssl-dev | libssl1.0-dev, xsltproc, docbook-xml, docbook-xsl
+Vcs-Git: https://www.agwa.name/git/git-crypt.git -b debian
+Homepage: https://www.agwa.name/projects/git-crypt
+
+Package: git-crypt
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, git (>= 1.7.2)
+Recommends: gnupg
+Enhances: git
+Description: Transparent file encryption in git
+ git-crypt enables transparent encryption and decryption of files in a
+ git repository.  Files which you choose to protect are encrypted when
+ committed, and decrypted when checked out.  git-crypt lets you freely
+ share a repository containing a mix of public and private content.
+ git-crypt gracefully degrades, so developers without the secret key
+ can still clone and commit to a repository with encrypted files.
+ This lets you store your secret material (such as keys or passwords)
+ in the same repository as your code, without requiring you to lock down
+ your entire repository.

debian/copyright

@@ -0,0 +1,64 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: git-crypt
+Source: https://www.agwa.name/projects/git-crypt
+
+Files: *
+Copyright: Copyright 2012-2015 Andrew Ayer
+License: GPL-3+ with OpenSSL exception
+
+Files: fhstream.cpp fhstream.hpp parse_options.cpp parse_options.hpp
+Copyright: Copyright 2012, 2014, 2015 Andrew Ayer
+License: X11
+
+License: GPL-3+ with OpenSSL exception
+ git-crypt is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ .
+ git-crypt is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with git-crypt.  If not, see <http://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the full text of the GNU General Public
+ License version 3 can be found in the file
+ `/usr/share/common-licenses/GPL-3'.
+ .
+ Additional permission under GNU GPL version 3 section 7:
+ .
+ If you modify the Program, or any covered work, by linking or
+ combining it with the OpenSSL project's OpenSSL library (or a
+ modified version of that library), containing parts covered by the
+ terms of the OpenSSL or SSLeay licenses, the licensors of the Program
+ grant you additional permission to convey the resulting work.
+ Corresponding Source for a non-source form of such a combination
+ shall include the source code for the parts of OpenSSL used as well
+ as that of the covered work.
+
+License: X11
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the "Software"),
+ to deal in the Software without restriction, including without limitation
+ the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ and/or sell copies of the Software, and to permit persons to whom the
+ Software is furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included
+ in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ OTHER DEALINGS IN THE SOFTWARE.
+ .
+ Except as contained in this notice, the name(s) of the above copyright
+ holders shall not be used in advertising or otherwise to promote the
+ sale, use or other dealings in this Software without prior written
+ authorization.

debian/gbp.conf

@@ -0,0 +1,5 @@
+[DEFAULT]
+pristine-tar = True
+pristine-tar-commit = True
+debian-branch = debian
+upstream-tag = %(version)s

debian/git-crypt.docs

@@ -0,0 +1,8 @@
+CONTRIBUTING.md
+NEWS
+NEWS.md
+README
+README.md
+RELEASE_NOTES-0.4.1.md
+RELEASE_NOTES-0.4.md
+THANKS.md

debian/rules

@@ -0,0 +1,7 @@
+#!/usr/bin/make -f
+
+export PREFIX=/usr
+export ENABLE_MAN=yes
+
+%:
+	dh  $@

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

debian/source/options

@@ -0,0 +1 @@
+single-debian-patch

debian/source/patch-header

@@ -0,0 +1,17 @@
+Subject: Collected Debian patches for git-crypt
+Author: Andrew Ayer <agwa@andrewayer.name>
+
+Since I am also upstream for this package, there will normally not be
+any patches to apply to the upstream source.  However, occasionally
+I'll pull up specific upstream commits prior to making an upstream
+release.  When this happens, this patch will collect all of those
+modifications.
+
+I use Git to maintain both the upstream source and the Debian
+packages, and generating individual patches rather than using git
+cherry-pick takes extra work for no gain.  Since I'm also upstream,
+there's no need to separate the patches for later upstream submission.
+Hence, I take this approach with a unified patch when it's necessary.
+
+For full commit history and separated commits, see the upstream Git
+repository.

debian/upstream/signing-key.asc

@@ -0,0 +1,135 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFNTDEsBEACiZ+AWNaj80CvSIV9T+mlPClETM+pxEHuB+vldasG+BWsyyb2d
+AH390MSjXzs4RaiDGAXgZKnP9bhlWV/6BYcF0edz+G+Ux89L+D/c6miWFqwywQ7G
+FRBh10WDriNbSF6UoD6TJX9Kc2KIgeDQ7LFL1PsiFjsO/cUBfDmSvMWd/zzIV4Ug
+QdqFjjHdPSTr5w9D5YDS5FY2UOmcrxyNU66PoGkIp0Cqjgaieszxx3/CkGtktn0T
+M/dwP+yafgH5uUDRfgFR5McTvu4E53CAimsiv05wodXmnoELojVDrEYciJIrfGRx
+fCj+tiWsz0IcJCJ/ND1UExlI5so5tx0YaYMapx3PCb7+ZrZEUrRa3xK6m+ZU2Qfk
+XQJmUSnKuIsKP4Uo8ysMPxDuWrCap4nxw2uNsGgPXXnExJgVoWfyR0qMr16+BUSu
+Yrtfng19npv/Y381Y6hB8uRWRNRbaG8MEAHrgdPkb6853cbXT6A+k3KbZJVcEZsv
+XCS2lFuWaZTQGA1G4mj7TbudjvHLuDV8VbPsyxotgAHITSh6pekBuJFPOVhAZN41
+HyPNMZnE7eoW6DmShrdC+TjIVpzliqiLytDfGabIMNbnQDWdHxhzqq/Vn07ObOVp
+0MGn7PaGeyF+rmi0h1ttab3Dioku49dljjuz+uNhBcu1CB/CegIdtRVyDwARAQAB
+tCJBbmRyZXcgQXllciA8YWd3YUBhbmRyZXdheWVyLm5hbWU+iQI6BBMBCAAkAhsB
+BQsJCAcDBRUKCQgLBRYDAgEAAh4BAheABQJTUwz6AhkBAAoJEBA3jvwggAgM0BwQ
+AI8tAYxpeHyN+6StVAiu+wY2n2SNuunsORVmqyiICDOruxPTr4ulsP8vKM7Y4L9H
+lpJqfW/g65cByuZ48dFciQmI97RfZjjZgAxejM1dq/Y0RJGpZ6I7pNNbWIxvDm7o
+8mMeEQYT5S4vZKmreYZpzjLLZin+3gpBfljapGRikZNC1dzQu5JA0iCkWqIWmgto
+O/kEmGKID9ShLB0H/f26K+jKfKuQ2unqlPgUPlQfd65yBN0m0SaESozs5hnCjMxS
+oJSDnI0Kst0W/E/c0RZp5WJ3PECqnV0ru7xazMPLP3yNMrJVv3s6rKdiwzkQYUDj
+10KxCDOChc9UfVRZfiVc4OlnK77L5EM3AWLrNOwx8ntcs67hJXrppoDVin87PyMG
+SJE+DNKZk40oHLIrWCE43zS8p0k4OSGpJhiVev/o2FJImIiZXdYrm0gA3rA5OOM2
+nDSyPlB0kOzMN03z7pzT319OMhf5KZgYRuoAU59IqdW+Iz2q1vfusuh0UU5GfP+U
+XOuiiv9O9VqPTxpDOzmk5qnw8p3NNdwnqzop64wcBsNebyWGM52Hetd8bIwdFniI
+XsBhzRxnMVmNdXwQ7zhPKwpgGA9vWkyZ15EuhDK0Wc3XQf51NWVjY9Pt/NgpwKli
+CEqnd+sUszM78jXhvZjsWEkophudU6O615zYEEpTe+b/tB5BbmRyZXcgQXllciA8
+YW5kcmV3QGFnd2EubmFtZT6JAjcEEwEIACEFAlNTDM8CGwEFCwkIBwMFFQoJCAsF
+FgMCAQACHgECF4AACgkQEDeO/CCACAxWoA/+NYvxCoJ4V/TGZnYQJxT95qK+8uGS
+sQmlAYlIbYAAr0zxe1+U0HxMVMh0pj211B8Nd6Qq46X2ZYmWSyAPA6tiiSg+Y5C9
+2IGyCZ11oG98Op99nnPOEnKAPVgTtGgpMeomTPo768ucj0kvvbibGg3yMs1JBH2p
+wBULHZLCswlKzDOgg4YZfa5eicXRJOjl1EVbdhPyMZrnJB5bFnkno8rSIJ1h3QkV
+kWAJ0bPggHxsWiYOEJUjEkzr4zXjcCJKIyPWY9rZcgJNvo1Bwqx/E7Cs+XABuPtU
+0OPIysXROANzsUMVt0NpcSJsAPJxt5L5EoCVRhTDjaK6kXglEcxqOqSzTsu61cKj
+MAAyZY+qfTA2ILzPYgxiy+h4ReUxAHx0Bzd7w6L+tn1aPlc9nqDm1nzk9U8rzA5j
+XDJJJOuC5yCzhQ2tpsAp/RRE+1sgiGV8D+LSXf2ZYBQbV9V6icFdhHUrqKzQsw7m
+5C4n2Fk1wk54JTFO1j4rWarHiVeKuKWiBrQhhUJqFtJ/lpr6tIVsI5KuoWczHpQ0
+RhCnUNFPj1JaMM09pLEkg9u/RRrVo6eSHy0vHKCqYZYUAldTGpE18kRlpTDgrN8T
+jhBaiFrk8PBKPiE4Pt+5BgDZr8jP+CWA9Bc06E6EtV+fDdTexAj2Uw0JE0zZdhQc
+1J1NNIMHc4WpS6+0JEFuZHJldyBBeWVyIDxhbmRyZXdAYW5kcmV3YXllci5uYW1l
+PokCNwQTAQgAIQUCU1MMjQIbAQULCQgHAwUVCgkICwUWAwIBAAIeAQIXgAAKCRAQ
+N478IIAIDDg1EACQ+stApB16L54LnS7YMFUHeUgaG3Hfu+WmIrvRn5UcT4hxRNsY
+/c7nDumrwAmg8HiOXwe7V8MJMFUEEoQylWpYLFzOTlwDmVGUMczQScgi7RvK9zwJ
+0475Wlpr/7wUrG0LyinLVf7GoKPtIkefzlydTzMu4xSr52t1sSGQqcWXDVJ2bCGf
+KuvmDpv1gOORdp4g2lI0wOPWgPzm4ctqhzT58jFR5vQpzpr+H0qB35prcKa9TAIG
+sbtF1bdSaOBkXev/IFhY07Fq35aqEuv27+aMJkYjhzIVSnm+/9Io/1L0RTpHZpgc
+px08yfllq7Vf0buCiC8uEvdFVL4sHOlp9gVU21boLj4JJnZvlJ1m+gfIMAfhtt4R
+2QNxKxC+jO2bBvj4j9dHBz0MQvAoJl121cjOAxZGMHye3eV0sHtE7UntxA5pQQv0
+U2hx7A70yAlN2Np76xVDO9cae4aVUV7lCdY14L9e5Ww4mAknFMeIgbkoxWT2lMA+
+1pfn541c6XUuuNfr1D9flYHbDFEYTUOFZ6ypAgOxkK+/wPYlz4d6MTBJ4fcoEhSF
+qX0JVFW8Jrnqs4GsDmej9dibfYdk2a0qG69oSRF8Bujxdh41R+/C03LSnRBXhjHJ
+SG/xSYoCcOL6y3aiJb2gK2lbrLxmeysCn7goGPp16VikSxHNFJkigRUqDbQhQW5k
+cmV3IEF5ZXIgPGFnd2FAYW5kcmV3YXllci5jb20+iQI3BBMBCAAhBQJTUwyrAhsB
+BQsJCAcDBRUKCQgLBRYDAgEAAh4BAheAAAoJEBA3jvwggAgMfWsP/2F+Ds4lIn7p
+rdgEeK2kT4Sxn4ldATU8ZKjVe/RnTxWx+jqEHdsXkUAVEHNuUPYwtvETub2mMFBr
+lguL1WWW09J1ihYEk4ErDT81kNP+8cGGDjLkv8FWjlLPUGrcZRMj52JP0saW7AIJ
+2/OxvpC00xkpb5goy5yXUKVgzBhVUAcSx1a3vY92y+RnmcwhnQmlhAy+xpyO0Ju+
+dEhNfBny+gc/YdWfha6sWed6fL0VWut2l1euEU9WIH/Mcd8NWGs10ez9iqVhRWi3
+zpTWxkVBY0+PaPaHkqh6N3cCDEdFXXmVtP3nPvC+4k6vIUK+frIIffjDlOXhXaPB
+bGZ2SyJcYJdsh6Lb3cnQ2ISHrlKy2CgVkExdgz8JeSF296OInQJmS/U9XFH2iN/w
+Yivi93pUV9xvPaJTXOSUMA+szKXapPTH8zUNQ99tm7KiwV0aMXWKG0iNxjg7C0kO
+vVuKGBKEpFdyNLL7uAE/bzs7WVZ8ztebZJTlScIU7KZUr931kR++VAzIFr7yYlaC
+4c2TjiinStFsHgfRqaVoJfQIWQzxrli46LkaIVur3rzBJERNSpDcPlpF1wngXkFo
+Jqt+c7MTVBeoaaAv5TAK0a/D027fUNtAyxtCPmkoHs6BWh38NDGO7VNBRNog0Vnm
+ItcFmFtM0rcQV6DbUjUZdTYygPGq0MAWtCNBbmRyZXcgQXllciA8YW5kcmV3QGFu
+ZHJld2F5ZXIuY29tPokCNwQTAQgAIQUCU1MMwgIbAQULCQgHAwUVCgkICwUWAwIB
+AAIeAQIXgAAKCRAQN478IIAIDDN4D/0eINLgeE2mHs68kM6fXRf0jfDdyVYMvxnK
+ZO0jq1sjurEYgw+tHQRHo5bsu52E1yneoam5pzucu6TXUVc2X7dGKfuqvsU55+Qo
+IlqE0ai0tXlmc7orVzZFgLCTGrZgL2NL208h3EvlSeqy//6yA/rirMIRiD/vSb3A
+u0EBXSav+x/o092W904jPzeLGGL9c9G6HxmAzGxRO0q5FfB7u1sI9bpgljC3mBVb
+jUhD/ynIwkIZfTgQFRlBHtzy0HpcnlzxzcY7b/SB+8was1aEDetzuEeXOdTDXxd6
+gVBFDZMyKtZU5jsprZDU6/nleka6/ji6ZMNIJvMgcJbgwV3i/ipKH3FfItcnTt+F
+gx2q3j/pVYPyKo05tp2dBCgdyEKsTgc+QTqo0EOk5to8Gz7ebkyPGIELqIfBtPjp
+hoB9oTpgmnAsgSnSGDfz4yD+8uU3FBOjrMNe5tucq+N8VVYZhCQFs8fAbrghh568
+ahBcLDu4n9OvjZz5hHnpARtSOw2WmLdQ43JAnFa6F8rN98ymlP6X8CT3lTnPwkRL
++9l008KXP64nZStISozKwDb4zMfRn7iHbqs6reIlvgIOevkiMmPTyhhQ0zz6aLwy
+ZNcQPK7wdXtynPydzAPfKbxfQkVpkQb/mgBgr2blZSu4Z5W491tDOTI/MF0gMTfA
+eqavC9PhRrkCDQRTUw1OARAAyr3w+DujjQ+oiLrlnGu+DArnxK5lf8DzeVokFlSX
+TJXSgCl4niJeQhodn3EtnDRdKimdvMxgW+iVU4MKhK/2xbf0rNSQDJv4iIub0wHH
+Y8kkqsBU3vDjoTYraoFMjKWIvZEr9FJTiDgX4VruJAhwydjknrSWdK7As9PzqU0l
+C7ReHRJIJLu20EeVCVoGuyVmRfendTXDbflvZhUhTitcgJbNek272u521lYbk3g1
+knMWhwmdsy95ZqNbjk4iMJ6eq4l2MA/yka4V4zA7P9L0WBjuFyImVix4WyaF+TIN
+/t8eX+zF6VfImoKlMer8qpMmGaFBKxOdGdAH+YpoP8sysSrFDV0iSbA/WwbNa4e7
+F8eras4B/sFWIldXlSd0yLqdNe8ZB0vPDS44tNcmDYz3cWIH1mDF1AbHDBbOxwa+
+FkcHDPjYrnIQbFI3Z+rzOqc8vOeiNPHggPSDRjM6duah4aOLp6RYEYc/2ouO1yMD
+UlWQ+eGDvqAvIt3HH2y78fbkl3K2VVA+gd5w9oxDKxXKZxp/y5RVVYCZUAv1lllT
+87dRMXignTVEIsF8VdESrHhRYUQW+2wP40hKZIPEaWS5BSH/d/qGgDSBsVPbDlas
+4n3FJ+SVil6xm0hJ+29Xw/GDMc+uQfs8TkPxbM0cjn59oZb6I3Zhxy+KWSxdCN2g
+8nMAEQEAAYkERAQYAQgADwIbAgUCU1MO8wUJB4TPXQIpwV0gBBkBCAAGBQJTUw1O
+AAoJEJ0V9ORH5MgyJTQP/0cSeXYZ+G7EKEjM+xHfjUyNavahVZ+rfiLzZpU+os4s
+SGwd4annJ4Z56UMA+1U5Qm34+rH+E72qTJAEhg512CQJnFejVKqBuVzBsxaO5aLK
+nSafGk3Ixev4JraspFtDmSflVHrQFVKeu3oF+tjE2elHHhhV8I1N8eA2HTiwlTpD
+9RgQ1nFw9KM4+ncBm56dK3lVQbgT7XPz6noIPhXpAKH1THthvIyjUDyTqeRUrgHL
+eeFtKXWnsiUMi5z3dz1lK0QacGaykl+VtLXlUIffh7IpLp3MoiaboXV2UdocIrZ3
+vg00wBrZ01w7L10LB0Jl1NEH5ccbezAVCaW3/2MT6C7BnQZqpjQiKncrnx2YoupJ
++OWJT2QOQoLOKwL4ShHB8Dae4RD0aTcmTTVBEteSvH32hhcsXChMi1Dzsf6cvNmV
+pl54VkfWmZqyfTl7LjqpQsOcUtDshFPQMziKF8pSyhSYiuImvLFwypTe4KtDqA/U
+d1v9XB40mniAUTC5dWO+80MhOB4NpXNNSXP22DzpDZvfhdTxSCwc70bpWJIRVpuT
+gVvVjqOiCVanNXqwh14Nn+/SaRDx19BglXhniBWNEXN8f2dhI3YkZ2ovS/t6mfxn
+aymghsKL1yvu8zdTFZsmAhYdpTBIB9zMjoNs3TNb8I+X26oPUjSKZ1/+oAacGTtJ
+CRAQN478IIAIDBXvD/sG09+tMC30Tcq6DuycebKiuHfIioBdWTNLTz3Pahi0C/4e
+WDcd0H8hcxUz9cdBnUs5uvUwdo07bqVb+zJ0PidDdCpCSDwNH9Zn98Duy7QVPtAU
+psPApSe2Y23zh4tr37c31dlUIsRCiGfjIjjoCFg3NZMxmw4y3UhUMPNemDt+rB+t
+XmstUc03xdaUrrssAxZf/qhNy9tPucHGl1Uuq1c8ANhdgmosMacfxb9i/kcCErTl
+Kz3DwZPVdE4Q/KcaiTOBxBthlvpZM27h//BeT/Yo2Hy/X7nzhhyscPqaDj/HOCbt
+O/wyH/kv4z++bzy7FSERMJTQvAaYEbhWE71l+sSBJT1ZJnafDXX+b9ZlSE7Im5C8
+mjGc1XX9Mw1eXzLh7wiC+BEEr4S9qOkyKtSKcQ/m+UjOARXrqA1qhDp1mmhSVNsW
+UnhWabsO9TwxcRdSX98ql+rNYBjN7tsqzq3G3R3oFeaGevAqPqJFbAFhGhB33UP1
+yolOPxGP6u2NdNFmGQ2vVlzJNzY5QAk2cekIZWJLd8YEcXeijPo1BX4eTg4V6d61
+EWIKoSHBeKVwhuCg9l6ZFrNzUoHGP4yKDXJood71KBulDSSUkzIM05ngfcajz1RS
+R9szqJlNAuLHpQHOZEI1k38sQrnPoqwzyshgU7S/vLAT6hr666bJ2i9l82X077kC
+DQRTUw4RARAA30ouhOBeAX4ORzDmeyP9MjuDZWArkJv22PI5ijISIyRjUdYogvqY
+XAm2z0RTzD4waW9lSabumDqVGd5MzTm0GTaIw/E+7rx08vnBVRlHLpAOZMUogNEG
+p+3uXhgHmar0uhVhYar1v6SUqscray+wtnkRnXQkitkD0zzTWGx17LnWPOguNDsU
+uYjWoAYgEiS9g3UYLfexQRVxae7n6YTDedNfjuMKAmmc+ixWDHQ9Dcjc4oJacV5z
+iz78NYdXoPA3101lKPzUGqRye/Rvm0/GXzht5nhsIMB/X/FIk6qlbCAP/VpVRpYD
+KE7N3juJY7jwoCze9d3TZx6jU8IR/rD1uuDW/gjyPVAHAcE1fRwjErtR1TsFcXdY
+wtTJx+Rzq6gaS1mfeV90/V2RY0i+nqGhmY+o+lLt1uozX3iTO2X9cF/REp9i6Rly
+TOUMAPW7mOryN9Yv/WAkG4S/WgtnZRCA0M88jFSgX8go+Y2Z6yAUynEXDREH9VMI
+rw0kNhvOzfWSAyBOuNfNrehShR6RMtAKs/JC+VEwhvDD+avFNHywpn7fGMa2WqFw
+x337Yz6wARJ5g9vBCMJBWMhWT62cMQK62TLVkW5lbULSVwUAsbNyZMaQks7kfas3
+9w3gr66Bc/2v4PaQMUQ3I79yO/f6zsxu9vZ1yxPtKOGwGHQvnCdRMlMAEQEAAYkC
+JQQYAQgADwIbDAUCU1MPDQUJB4TO+QAKCRAQN478IIAIDFQcEACFi6e4/++dhkPT
+e1dnaifmSINXthSFkOAp8OR0mK2/0Ged6UmbyxPd7gKQJUXFV5Mz5Sj8G6N4YCLl
++55k67gwZwzZ62EYB41FnjkXKILBgP+mt2c0SCuwwwz9g8Jx351l2Cfatz6SoviE
+XjQURDHPxsqK1mfKMmoMWo4Ii68hzKrBg0mcdxeJeYj/t8l0ug2JQApnJsaE+5QC
+3U9txBYm1Rpsaz/IFvlGJS9CkZyQA7ci/eMmoKn+/R8Gk48avkM0vFmUz9T8saIr
+g0F5T7ThjC8575PNtInpDZRp9V3PdeKtiA9Fky11fNi0VS7luurKQ3I0UJfdyxe1
+Sb/kvwSu++zEDEG5/li4GfMBqiZTV6oZJ9fzZnrGjEyiRSLN7GA4T1KC795zm/63
+MrTaTf/3G6iRLNcvEdcWTiSHlFSkpx+qQHoijs0KU6uzdvHwtKKX/UBrk837SOFL
+AEqn8ebsOKYiO4gA0ismpAt9NQwqsKq0rhyZAIDl9hSjwGBqX24NA7qnkoZNZySC
+YBn0ZZRr3VGyeNWgtZg/KIiyKX7xmEUgBswt/U42x5wG3SdhAiSn6If/y8dTpfzT
+kXF2+jp/tbGpm1qHi6qrkdMqCHCf67beh9SmlKa8nYyb1fpEcNBBElA8AAFgaYKh
+zZq3C24mS3JwlqDwjT/Ut1/tChr3wQ==
+=ZMwd
+-----END PGP PUBLIC KEY BLOCK-----

debian/watch

@@ -0,0 +1,2 @@
+version=3
+opts=pgpsigurlmangle=s/$/.asc/ https://www.agwa.name/projects/git-crypt/ .*/git-crypt-(\d.*)\.(?:zip|tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))

git-crypt.hpp

@@ -31,7 +31,7 @@
 #ifndef GIT_CRYPT_GIT_CRYPT_HPP
 #define GIT_CRYPT_GIT_CRYPT_HPP
 
-#define VERSION "0.8.0"
+#define VERSION "0.6.0"
 
 extern const char*	argv0;	// initialized in main() to argv[0]
 

gpg.cpp

@@ -61,6 +61,12 @@ static std::string gpg_nth_column (const std::string& line, unsigned int col)
 	       line.substr(pos);
 }
 
+// given a key fingerprint, return the last 8 nibbles
+std::string gpg_shorten_fingerprint (const std::string& fingerprint)
+{
+	return fingerprint.size() == 40 ? fingerprint.substr(32) : fingerprint;
+}
+
 // given a key fingerprint, return the key's UID (e.g. "John Smith <jsmith@example.com>")
 std::string gpg_get_uid (const std::string& fingerprint)
 {

gpg.hpp

@@ -41,6 +41,7 @@ struct Gpg_error {
 	explicit Gpg_error (std::string m) : message(m) { }
 };
 
+std::string			gpg_shorten_fingerprint (const std::string& fingerprint);
 std::string			gpg_get_uid (const std::string& fingerprint);
 std::vector<std::string>	gpg_lookup_key (const std::string& query);
 std::vector<std::string>	gpg_list_secret_keys ();

man/git-crypt.xml

@@ -7,8 +7,8 @@
 	-->
 	<refentryinfo>
 		<title>git-crypt</title>
-		<date>2022-04-21</date>
+		<date>2017-11-26</date>
-		<productname>git-crypt 0.8.0</productname>
+		<productname>git-crypt 0.6.0</productname>
 
 		<author>
 			<othername>Andrew Ayer</othername>

parse_options.cpp

@@ -43,7 +43,7 @@ int parse_options (const Options_list& options, int argc, const char** argv)
 {
 	int	argi = 0;
 
-	while (argi < argc && argv[argi][0] == '-' && argv[argi][1] != '\0') {
+	while (argi < argc && argv[argi][0] == '-') {
 		if (std::strcmp(argv[argi], "--") == 0) {
 			++argi;
 			break;