GregB

Reputation: 5745

Is there a way to test if a file is GPG encrypted in a git hook?

I have a git repository that tracks a couple config files. One of the config files is plain text, while the other is gpg encrypted. They are named as such.

I would like to create a server-side hook in git to ensure that no version of any file ending in .gpg is committed as plaintext.

I think it would be good to have a client-side hook, and a server-side hook to prevent a developer from making a bunch of changes, and then becoming stuck once trying to push their changes up because the history of a gpg file contains unencrypted data.

I can't simply encrypt/decrypt the gpg files during commit/clone because some people shouldn't have access to decrypt the file.

I'm not sure how to accomplish the task of ensuring that only encrypted data is included in all versions of .gpg files. Any ideas?

Upvotes: 5

Views: 1992

Answers (1)

Robie Basak

Reputation: 6760

You can use the file command to examine a file and automatically figure out what type it appears to be. For example:

$ file foo.gpg
foo.gpg: GPG encrypted data
$ file foo
foo: ASCII text

You can match against this in a hook. Something like:

case "$filename" in
  *.gpg) if [ "$(file -b "$filename")" != "GPG encrypted data" ]; then
             echo "Error: $filename should be encrypted but isn't" >&2
             exit 1
         fi
         ;;
esac

For the client-side hook, you can use a pre-commit hook using git diff --cached --name-only to get a list of names to check.

The server side hook is more difficult. I think you could hook on pre-receive, check out the proposed refs to a temporary location, verify them (perhaps using git diff --name-only HEAD^ to acquire a list of files modified), and then reject the update from there if it violates your requirements.

Upvotes: 6
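A fuller version of both hooks the answer sketches, written as an added example (not the answerer's code): one POSIX shell script installed under both hook names, which checks the blob git is about to record rather than the working-tree copy, and on the server walks every commit in the pushed range rather than only the tip. It assumes `file` recognises OpenPGP data as in the answer; the description strings matched in `looks_encrypted` vary between libmagic versions, so run `file -b` on one of your own encrypted files and adjust the patterns.

```shell
#!/bin/sh
# Added example: install this as both the pre-commit (client) and pre-receive (server) hook.
# Classify a `file -b` description (newer libmagic wording differs from the answer's).
looks_encrypted() {
  case "$1" in
    "GPG encrypted data"*|"GPG symmetrically encrypted data"*|PGP*) return 0 ;;
    *) return 1 ;;
  esac
}
# Check one blob as git stores it: $1 is a commit (empty means the index), $2 the path.
check_blob() {
  local rev="$1" path="$2" desc
  desc=$(git show "${rev}:${path}" | file -b -)
  looks_encrypted "$desc" && return 0
  echo "Error: ${path} (${rev:-index}) should be encrypted but looks like: ${desc}" >&2
  return 1
}
# Read paths from stdin and check each at revision $1; fails if any check fails.
check_paths() {
  local status=0 path
  while IFS= read -r path; do check_blob "$1" "$path" || status=1; done
  return "$status"
}
# Client side: every staged *.gpg that is added, copied, modified or renamed.
pre_commit() {
  git diff --cached --name-only --diff-filter=ACMR -- '*.gpg' | check_paths ""
}
# Server side: check every commit in each pushed range, not just the tip.
pre_receive() {
  local status=0 oldrev newrev refname commit commits
  local zero=0000000000000000000000000000000000000000
  while read -r oldrev newrev refname; do
    [ "$newrev" = "$zero" ] && continue  # ref deletion: nothing to check
    if [ "$oldrev" = "$zero" ]; then     # new ref: only commits not already on the server
      commits=$(git rev-list "$newrev" --not --all)
    else
      commits=$(git rev-list "$oldrev..$newrev")
    fi
    for commit in $commits; do
      git diff-tree -r -m --root --no-commit-id --name-only --diff-filter=ACMR \
        "$commit" -- '*.gpg' | check_paths "$commit" || status=1
    done
  done
  return "$status"
}
# Dispatch on the name git invokes this script as.
case "${0##*/}" in
  pre-commit)  pre_commit  || exit 1 ;;
  pre-receive) pre_receive || exit 1 ;;
esac
```

Copy it, marked executable, to .git/hooks/pre-commit in each clone and to hooks/pre-receive in the bare repository on the server; no temporary checkout is needed because `git show REV:PATH` reads the blob directly.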
