All notable changes to the project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
2.2.0 - 2022-07-09
- Add
--set-openssl-pathoption to configure transcrypt to use a specific openssl version instead of the default version found in$PATH. This will be most useful to macOS users who might want to use a newer version of OpenSSL. This option can be used on init, on upgrade, or by itself. - Add support for an optional
transcrypt.crypt-dirsetting for advanced users to override the path of the .git/crypt/ directory to permit things like installing transcrypt in a repository on a device without execute permissions (#104)
- No longer need stand-alone scripts for git operations
clean,smudge,textconv, andmergein the repository's crypt/ directory; the single consolidatedtranscryptscript is stored there instead.
- Remain compatible with OpenSSL versions 3 and above which changes the way
explicit salt values are expressed in ciphertext, requires
xxdcommand (#133) - Ensure Git index is up-to-date before checking for dirty repo, to avoid failures seen in CI systems where the repo seems dirty when it isn't. (#37)
- Respect Git
core.hooksPathsetting when installing the pre-commit hook. (#104) - Zsh completion. (#107)
- Fix salt generation for partial (patch) commits (#118)
- Improve command hint to fix secret files not encrypted in index (#120)
- Fix handling of files with null in first 8 bytes (#116)
2.1.0 - 2020-09-07
This release includes features to make it easier and safer to use transcrypt, in
particular: fix merge of encrypted files with conflicts, preventing accidental
commit of plain text files by incompatible Git tools, and upgrade easily with
--upgrade.
-
Make sure you are running the latest version of transcrypt:
$ transcrypt --version -
Upgrade a repository:
$ transcrypt --upgrade -
Enable the merge handling fix by adding
merge=cryptto the end of each transcrypt pattern in.gitattribute, to look like this:sensitive_file filter=crypt diff=crypt merge=crypt
- Add
--upgradecommand to apply the latest transcrypt scripts in an already configured repository without the need to re-apply existing settings. - Install a Git pre-commit hook to reject accidental commit of unencrypted plain
text version of sensitive files, which could otherwise happen if a tool does
not respect the
.gitattributefilters Transcrypt needs to do its job.
- Add a functional test suite built on bats-core.
- Apply Continuous Integration: run functional tests with GitHub Actions.
- Fix EditorConfig file config for Markdown files.
- Add CHANGELOG.md file to make it easier to find notes about project changes (see also Release)
- Fix handling of branch merges with conflicts in encrypted files, which would previously leave the user to manually merge files with a mix of encrypted and unencrypted content. (#69, #8, #23, #67)
- Remove any cached unencrypted files from Git's object database when credentials are removed from a repository with a flush or uninstall, so sensitive file data does not remain accessible in a surprising way. (#74)
- Fix handling of sensitive files with non-ASCII file names, such as extended Unicode characters. (#78)
- transcrypt
--versionand--helpcommands now work when run outside a Git repository. (#68) - The
--listcommand now works in a repository that has not yet been init-ed.
2.0.0 - 2019-07-20
*** WARNING: Re-encryption will be required when updating to version 2.0.0! ***
This is not a security issue, but the result of a
bug fix to ensure that the
salt generation is consistent across all operating systems. Once someone on your
team updates to version 2.0.0, it will manifest as the encrypted files in your
repository showing as changed. You should ensure that all users upgrade at the
same time...since transcrypt itself is small, it may make sense to commit the
script directly into your repo to maintain consistency moving forward.
After you've upgraded to v2.0.0...
-
Display the current config so you can reference the command to re-initialize things:
$ transcrypt --display The current repository was configured using transcrypt version 1.1.0 and has the following configuration: GIT_WORK_TREE: /home/elasticdog/src/transcrypt GIT_DIR: /home/elasticdog/src/transcrypt/.git GIT_ATTRIBUTES: /home/elasticdog/src/transcrypt/.gitattributes CIPHER: aes-256-cbc PASSWORD: correct horse battery staple Copy and paste the following command to initialize a cloned repository: transcrypt -c aes-256-cbc -p 'correct horse battery staple' -
Flush the credentials and re-configure the repo with the same settings as above:
$ transcrypt --flush-credentials $ transcrypt -c aes-256-cbc -p 'correct horse battery staple' -
Now that all of the appropriate files have been re-encrypted, add them and commit the changes:
$ git add -- $(transcrypt --list) $ git commit --message="Re-encrypt files protected by transcrypt using new salt value"
- Add an EditorConfig file to help with consistency in formatting (#51)
- Use unofficial Bash strict mode for safety (#53)
- Reformat files using the automated formatting tools Prettier and shfmt
- Ensure that
transcryptaddresses all ShellCheck static analysis warnings
- Force the use of macOS's system
sedbinary to prevent errors (#50) - Fix cross-platform compatibility by making salt generation logic consistent (#57)
1.1.0 - 2018-05-26
- Fix broken cipher validation safety check when running with OpenSSL v1.1.0+. (#48)
1.0.3 - 2017-08-21
- Explicitly set digest hash function to match default settings before OpenSSL v1.1.0. (#41)
1.0.2 - 2017-04-06
- Ensure realpath function does not incorrectly return the current directory for certain inputs. (#38)
1.0.1 - 2017-01-06
- Correct the behavior of
mktempwhen running on OS X versions 10.10 Yosemite and earlier. - Prevent unexpected error output when running transcrypt outside of a Git repository.
1.0.0 - 2017-01-02
Since the v0.9.9 release, these are the notable improvements made to transcrypt:
- properly handle file names with spaces
- adjust usage of
mktemputility to be more cross-platform - additional safety checks for all required cli utility dependencies
0.9.9 - 2016-09-05
Since the v0.9.7 release, these are the notable improvements made to transcrypt:
- support for use of a
wildcard
with
--show-rawto dump the raw commit objects for all encrypted files - GPG import/export of repository configuration
- more strict filter script behavior to adhere to upstream recommendations
- automatic caching of the decrypted content for faster Git operations like
git log -p - ability to configure bare repositories
- ability to configure "fake bare" repositories for use through vcsh
- ability configure multiple worktrees via git-workflow
- support for unencrypted archive exporting via git-archive