git cannot preserve permissions on the secret file
francisATgwn opened this issue · comments
What are the steps to reproduce this issue?
- mkdir test; cd test
- git init
- git secret init
- git secret tell REDACTED
- touch password
- chmod 600 password
- echo REDACTED >password
- git secret add password
- git secret hide -P
What happens?
stat: cannot read file system information for '%04OLp': No such file or directory
chmod: invalid mode: ‘ File: "/Users/fferrell/tmp/test/password"\n ID: 10000120000001a Namelen: ? Type: apfs\nBlock size: 4096 Fundamental block size: 4096\nBlocks: Total: 120699413 Free: 80695380 Available: 80695380\nInodes: Total: 3228701185 Free: 3227815200’
Try 'chmod --help' for more information.
What were you expecting to happen?
The encrypted file would be added and, after removing the password file, executing git secret reveal would restore it with permissions 0600
Any logs, error output, etc?
(If it’s long, please paste to https://ghostbin.com/ and insert the link here.)
Any other comments?
~/tmp/test > which stat
/opt/homebrew/opt/coreutils/libexec/gnubin/stat
~/tmp/test > stat --version
stat (GNU coreutils) 9.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by Michael Meskes.
What versions of software are you using?
Operating system: (uname -a) Darwin fferrell-mac 21.6.0 Darwin Kernel Version 21.6.0: Sat Jun 18 17:05:47 PDT 2022; root:xnu-8020.140.41~1/RELEASE_ARM64_T8101 arm64 arm Darwin
git-secret path: (which git-secret) /opt/homebrew/bin/git-secret
git-secret version: (git secret --version) 0.5.0
git version: (git --version) git version 2.37.1
Shell type and version: ($SHELL --version) zsh 5.8.1 (x86_64-apple-darwin21.0)
gpg version: (gpg --version)
gpg (GnuPG) 2.3.7
libgcrypt 1.10.1
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /Users/fferrell/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Thank you for this report. We will investigate and let you know the result.
I cannot replicate this issue on macOS Big Sur.
This functionality is also automatically tested on GitHub Actions with macOS Big Sur version 11.6.7 (20G630).
@francisATgwn Can you please post what macOS version you're using?
Also can you please confirm you're using the stock version of stat by posting the output of which stat?
@joshrabinowitz MacOS 12.5. Please see info about stat above, under Any other comments?
Ah, I see. git-secret expects OSX's version of stat. I think the fix is for git-secret to always use the OSX provided version of stat on OSX.
@francisATgwn can you please re-test with the code in PR #920?
That does resolve the error message, but it doesn't really seem to preserve permissions very well. Maybe I'm not expecting the right behavior from git secret add -P.
The encrypted file has the same permissions as the secret file. That's not what I want preserved. I would expect that git secret reveal in a collaborator's git clone would produce the same permissions on the untracked, unencrypted file.
After committing the password.secret file (which has permissions 600), I rm password and then git secret reveal and the newly produced password file has permissions 644.
~/test > ls
total 8.0K
-rw-r--r-- 1 fferrell staff 9 Aug 8 14:43 password
-rw------- 1 fferrell staff 184 Aug 8 14:43 password.secret
I believe git only tracks the executable bit of the permissions. git-secret cannot change (reasonably) this behavior in git.
Understood, there is nothing git-secret can do to change which permissions that git tracks.
Am I understanding correctly, then, that the intention of the hide -P and reveal -P options is only to preserve the executable permission?
Once a file takes a round-trip through git, that's all that is preserved.
But the -P options to hide and reveal do change the perms to match the corresponding file on your local system.
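
The two points this thread settles on, as an added shell example that is not git-secret's own code: reading a file's mode the same way whether GNU or BSD stat is first on PATH, and copying the mode from password.secret onto the revealed password file, which is the local matching the -P discussion describes. The function names and the demo files are constructed for illustration, and the example probes stat's behaviour rather than pinning the OS-provided binary as proposed above.

```shell
#!/bin/sh
# Added example; file_mode, copy_mode and demo are hypothetical helper names.

# Print the permission bits of $1 in octal (e.g. 600), whichever stat
# implementation is first on PATH.
file_mode() {
  [ -e "$1" ] || { echo "file_mode: no such file: $1" >&2; return 1; }
  # GNU coreutils stat: -c FORMAT, %a = octal permission bits.
  # BSD/macOS stat rejects -c, so fall through to its syntax:
  # -f FORMAT, %OLp = octal, low-order (permission) part of st_mode.
  # Under GNU stat, -f means "file system status", which produces the
  # "cannot read file system information for '%04OLp'" error in the report.
  stat -c '%a' -- "$1" 2>/dev/null || stat -f '%OLp' -- "$1"
}

# Give $2 the same permission bits as $1.
copy_mode() {
  mode=$(file_mode "$1") || return 1
  chmod -- "$mode" "$2"
}

# Constructed demo mirroring the listing in the thread: the encrypted file
# is 600, the freshly created plaintext file is 644 under umask 022.
demo() {
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    umask 022
    : > password.secret
    chmod 600 password.secret
    : > password
    before=$(file_mode password)
    copy_mode password.secret password || exit 1
    after=$(file_mode password)
    echo "$before -> $after"
  )
  rc=$?
  rm -rf "$dir"
  return "$rc"
}

demo
```

The mode is copied between two files in the same working tree; nothing here travels through a commit, since git records only the executable bit.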