Skip to content

Instantly share code, notes, and snippets.

@glogiotatidis

glogiotatidis/remove-gpg-user.sh

Created May 24, 2016 11:50
Show Gist options
  • Save glogiotatidis/e0ab45ed5575a9d7973390dace0552b0 to your computer and use it in GitHub Desktop.
Save glogiotatidis/e0ab45ed5575a9d7973390dace0552b0 to your computer and use it in GitHub Desktop.
Download ZIP
Git-crypt remove user.
Raw
remove-gpg-user.sh
#!/bin/bash
#
# Script to remove GPG key from git-crypt
#
# It will re-initialize git-crypt for the repository and re-add all keys except
# the one requested for removal.
#
# Note: You still need to change all your secrets to fully protect yourself.
# Removing a user will prevent them from reading future changes but they will
# still have a copy of the data up to the point of their removal.
#
# Use:
# ./remove-gpg-user.sh [FULL_GPG_FINGERPRINT]
#
# E.g.:
# ./remove-gpg-user.sh 3BC18383F838C0B815B961480F8CAF5467D
#
# The script will create multiple commits to your repo. Feel free to squash them
# all down to one.
#
# Based on https://github.com/AGWA/git-crypt/issues/47#issuecomment-212734882
#
#
set -e
if [ -z "$1" ]
then
echo " Use:"
echo " ./remove-gpg-user.sh [FULL_GPG_FINGERPRINT]"
echo ""
echo " E.g.:"
echo " ./remove-gpg-user.sh 3BC18383F838C0B815B961480F8CAF5467D"
exit;
fi
TMPDIR=`mktemp -d`
CURRENT_DIR=`git rev-parse --show-toplevel`
BASENAME=$(basename `pwd`)
# Unlock the directory, we need to copy encrypted versions of the files
git crypt unlock
# Work on copy.
cp -rp `pwd` $TMPDIR
pushd $TMPDIR/$BASENAME
# Remove encrypted files and git-crypt
git crypt status | grep -v "not encrypted" > encrypted-files
awk '{print $2}' encrypted-files | xargs rm
git commit -a -m "Remove encrypted files"
rm -rf .git-crypt
git commit -a -m "Remove git-crypt"
rm -rf .git/git-crypt
# Re-initialize git crypt
git crypt init
# Add existing users, except the
for keyfilename in `ls $CURRENT_DIR/.git-crypt/keys/default/0/*gpg`; do
basename=`basename $keyfilename`
key=${basename%.*}
if [[ $key == $1 ]]; then
continue;
fi
git crypt add-gpg-user $key
done
cd $CURRENT_DIR
for i in `awk '{print $2}' ${TMPDIR}/${BASENAME}/encrypted-files`; do
cp -rp --parents $i $TMPDIR/$BASENAME;
done
cd $TMPDIR/$BASENAME
for i in `awk '{print $2}' encrypted-files`; do
git add $i
done
git commit -a -m "New encrypted files"
popd
git crypt lock
git pull $TMPDIR/$BASENAME
rm -rf $TMPDIR
@glogiotatidis
Copy link
Author

glogiotatidis commented May 24, 2016
edited
Loading

Relevant blog post https://giorgos.sealabs.net/remove-users-from-git-crypt-enabled-repository.html

@xueshanf
Copy link

xueshanf commented Sep 1, 2016

should all git crypt commands be git-crypt?

@phunehehe
Copy link

phunehehe commented Sep 27, 2016

Hmm no pull requests for gists? I hacked the script a bit more to allow multiple keys https://gist.github.com/phunehehe/c083a3d27c1e1c8f316ad6790368b8b5.

@koalalorenzo
Copy link

koalalorenzo commented Jul 7, 2017

Please make this into a pr! 😄

@odedsh
Copy link

odedsh commented Nov 23, 2017

I believe that --parents is not supported on MAC OS/X machines.

@Falkor
Copy link

Falkor commented Sep 17, 2019

As indicated on Stack Overflow, you can use either gcp (coming from the coreutils homebrew: brew install coreutils) or rsync -rp -R $i $TMPDIR/$BASENAME; -- see https://gist.github.com/Falkor/7b29f16f5f79404fe41476be0d992783 (@glogiotatidis if you want to update your own gist ;))

@elektro-wolle
Copy link

elektro-wolle commented Mar 31, 2022

Added a new version, which allows spaces in filenames: https://gist.github.com/elektro-wolle/ed8da166474af46aad3bd7189665077f
Uses /usr/local/bin/gcp for MacOS-compatibility.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment