git-crypt-delete

git-crypt-delete

#!/bin/bash -e

set -o pipefail


case "$1" in
  --list|-l)
    list_only=1
    ;;
  --dry-run|-n)
    dry_run=1
    ;;
esac

keys_to_regen=()
to_remove=(${@})

key_should_be_removed() {
  local key="$1"
  gpg --list-key "$key" | grep -E "^uid" | grep -q -F -f <(printf '%s\n' "${to_remove[@]}")
  return $?
}

email_from_key() {
  local key="$1"
  email="$(gpg --list-key "$key" | awk '/^uid/ { $1="";print $0;exit}')"
  echo "${key:(-8)}$email"
}

for keyfile in .git-crypt/keys/default/0/*
do
  key="$(basename "$keyfile" .gpg)"
  if [ -n "$list_only" ]; then
    gpg --list-key "$key" || {
      echo "Couldn't find info about $key";
      exit 1
    }
    continue;
  fi

  key_should_be_removed "$key" && keys_to_remove+=("$(email_from_key "$key")") || keys_to_regen+=("$(email_from_key "$key")")
done

[ -z "$list_only" ] || exit 0

message="Regenerate git-crypt keys after removing ${#keys_to_remove[@]} collaborator(s)

Removed collaborators:
$(printf ' %s\n' "${keys_to_remove[@]}")

Current collaborators:
$(printf ' %s\n' "${keys_to_regen[@]}")
"

[ -z "$dry_run" ] || { echo "$message"; exit 0; }

git rm -rf .git-crypt/keys/default/0

git-crypt add-gpg-user -n --trusted "${keys_to_regen[@]}"

git ci -m"$message"

This works by getting a list of all users that currently have access to decrypt the repo under the default key "0", filter out the ones that we want to remove, then remove the key and add new users.

Run it like this:

~/bin/git-crypt-delete --list # Show who's there currently
~/bin/git-crypt-delete --dry-run "Kyriakos" "Ash" # Show who would be kept/deleted

# Delete me and K, then push updated versions
~/bin/git-crypt-delete "Kyriakos" "Ash" && git push