A bash script to list keys and remove users from git-crypt enabled repos
#!/bin/bash
#
# Script to remove GPG key from git-crypt
#
# It will re-initialize git-crypt for the repository and re-add all keys except
# the one requested for removal.
#
# Note: Removing a user does not protect the secrets they could already read:
# they keep a copy of the data up to the point of their removal, and removal
# only prevents them from reading future changes. Rotate all secrets afterwards.
#
# The script will create multiple commits to your repo. Feel free to squash them
# all down to one.
#
# Adapted from https://gist.github.com/glogiotatidis/e0ab45ed5575a9d7973390dace0552b0
#
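# Script name used in messages, and the ANSI escapes bold_red() wraps its text in.
# $0 is quoted so an invocation path containing spaces does not split.
__name=$(basename -- "$0")
readonly __name
readonly __RED_BOLD_ON='\033[31;1m'
readonly __CLEAR='\033[0m'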
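#######################################
# Print a message in bold red without a trailing newline.
# Globals:   __RED_BOLD_ON, __CLEAR (read)
# Arguments: $1 - text to print; backslash escapes in it are interpreted
#            (%b behaves like echo -e), so the escape constants expand too.
# Outputs:   the coloured text to stdout
#######################################
bold_red() {
  # printf instead of echo -e -n: echo's option handling is not portable.
  printf '%b' "${__RED_BOLD_ON}$1${__CLEAR}"
}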
#######################################
# Print the usage text to stderr.
# Globals:   __name (read)
# Outputs:   usage text on stderr, followed by a blank line
#######################################
help() {
  cat >&2 <<EOF
${__name}: Remove a given GPG key from a git-crypt enabled repository
Usage: ${__name} <subcommand>
Available subcommands:
list - list keys in git-crypt configuration
remove <FULL-GPG-FINGERPRINT> - remove key from git-crypt configuration

EOF
}
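#######################################
# Print "<fingerprint> <uid>" for a key in the local GPG keyring.
# Arguments: $1 - key id / fingerprint to look up
# Outputs:   one line "FPR UID" on stdout; if gpg cannot find the key, the
#            given id followed by "(not in local keyring)" so the listing
#            stays complete (gpg's own error goes to stderr).
# Returns:   0
#######################################
key_info() {
  local key_id=$1
  local listing fpr email
  # One gpg call; both fields are read from the same colon-separated listing.
  if ! listing=$(gpg -k --with-colons "$key_id"); then
    echo "$key_id (not in local keyring)"
    return 0
  fi
  fpr=$(awk -F: '/^fpr:/ { print $10; exit; }' <<<"$listing")
  email=$(awk -F: '/^uid:/ { print $10; exit; }' <<<"$listing")
  echo "$fpr $email"
}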
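#######################################
# List every GPG key registered in the repository's git-crypt configuration.
# Must be run from the repository root (the key directory is addressed
# relative to the current directory).
# Arguments: none
# Outputs:   a header line, then one line per key via key_info()
#######################################
list() {
  local keyfile key
  echo "FINGERPRINT USER"
  # Key files are named <fingerprint>.gpg; skip the literal pattern when
  # the glob matches nothing instead of looking up "*".
  for keyfile in .git-crypt/keys/default/0/*; do
    [[ -e "$keyfile" ]] || continue
    key=${keyfile##*/}
    key_info "${key%.gpg}"
  done
}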
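#######################################
# Print the path recorded on each line of a git-crypt status listing.
# Arguments: $1 - file holding "    encrypted: <path>" lines
# Outputs:   one path per line on stdout; everything after the first
#            "encrypted: " is kept so paths containing spaces survive
#######################################
_encrypted_paths() {
  local line path
  while IFS= read -r line || [[ -n "$line" ]]; do
    path=${line#*encrypted: }
    if [[ -n "$path" ]]; then
      printf '%s\n' "$path"
    fi
  done < "$1"
}

#######################################
# Remove one GPG key from git-crypt by re-initialising it with a fresh
# symmetric key and re-adding every other key.
#
# Works on a copy of the repository in a temporary directory: encrypted
# files and git-crypt are removed from the copy, git-crypt is re-initialised
# there, the plaintext files are copied back in and committed, and finally
# the copy is pulled into the original repository. Three commits result.
#
# The temporary copy holds the plaintext of every secret, so it is deleted
# from an EXIT trap on every exit path. If the script aborts part-way, the
# original repository may still be unlocked: run `git crypt lock` there.
#
# Arguments: $1 - full fingerprint of the key to drop
# Returns:   non-zero if the fingerprint is missing or a git/mktemp step fails
#######################################
remove() {
  local fingerprint=$1
  local repo_root work_dir base keyfile key p
  local -a paths=()

  if [[ -z "$fingerprint" ]]; then
    echo "remove: missing <FULL-GPG-FINGERPRINT>" >&2
    return 2
  fi

  # Split declaration from assignment so a failing command is not masked.
  repo_root=$(git rev-parse --show-toplevel) || return 1
  base=${repo_root##*/}
  work_dir=$(mktemp -d) || return 1
  # The copy contains plaintext secrets: remove it however we exit.
  trap "rm -rf -- $(printf '%q' "$work_dir")" EXIT

  # Always operate on the repository root; the copy needs .git and the
  # recorded paths are relative to the root.
  pushd "$repo_root" >/dev/null
  # Unlock so the plaintext of every encrypted file is available to copy.
  git crypt unlock
  # Work on a copy.
  cp -rp "$repo_root" "$work_dir"
  cd "$work_dir/$base"

  # Record the encrypted files, then drop them and git-crypt from the copy.
  git crypt status | grep -v "not encrypted" > encrypted-files
  mapfile -t paths < <(_encrypted_paths encrypted-files)
  if (( ${#paths[@]} > 0 )); then
    rm -f -- "${paths[@]}"
  fi
  git commit -a -m "Remove encrypted files"
  rm -rf .git-crypt
  git commit -a -m "Remove git-crypt"
  rm -rf .git/git-crypt

  # Re-initialise git-crypt (new symmetric key) and re-add every existing
  # user except the one being removed. Keys live in the original repo's
  # .git-crypt as <fingerprint>.gpg.
  git crypt init
  for keyfile in "$repo_root"/.git-crypt/keys/default/0/*.gpg; do
    [[ -e "$keyfile" ]] || continue
    key=${keyfile##*/}
    key=${key%.gpg}
    if [[ "$key" == "$fingerprint" ]]; then
      continue
    fi
    git crypt add-gpg-user "$key"
  done

  # Copy the plaintext files back from the unlocked original. -R keeps each
  # path relative to the root so files in subdirectories land in place.
  cd "$repo_root"
  for p in "${paths[@]}"; do
    rsync -Rrp "$p" "$work_dir/$base"
  done
  cd "$work_dir/$base"
  for p in "${paths[@]}"; do
    git add -- "$p"
  done
  git commit -a -m "New encrypted files"

  # Back in the caller's directory: lock the original and pull the rewrite.
  popd >/dev/null
  git crypt lock
  git pull "$work_dir/$base"
  rm -rf -- "${work_dir:?}"
}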
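#######################################
# Ask for confirmation, then remove the given key.
# Arguments: $1 - full fingerprint of the key to remove
# Outputs:   prompt on stdout; "Cancelling..." when not confirmed
# Returns:   exits 0 when the answer is anything but "yes" (including EOF)
#######################################
remove_prompt() {
  local fingerprint=$1
  local input
  bold_red "\
/!\ Are you sure you want to delete the key ($fingerprint) from the directory?
This action is not reversible!
Only 'yes' will be accepted to approve.
Enter a value: "
  # -r keeps backslashes literal; EOF counts as "no" instead of aborting.
  read -r input || input=''
  if [[ "$input" == "yes" ]]; then
    remove "$fingerprint"
  else
    echo "Cancelling..."
    exit 0
  fi
}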
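# START ################################################################
# Entry point: dispatch on the first argument. Errors are reported on
# stderr with exit status 2 so callers can tell a bad invocation apart
# from a completed command.
set -e
if [[ $# -eq 0 ]]; then
  echo "$__name: no options provided... try '$__name help' for help" >&2
  exit 2
else
  case "$1" in
    remove)
      shift
      # Without a fingerprint, remove would re-add every key and drop none.
      if [[ -z "${1:-}" ]]; then
        echo "$__name: remove needs a <FULL-GPG-FINGERPRINT>... try '$__name help' for help" >&2
        exit 2
      fi
      remove_prompt "$1"
      ;;
    list) list ;;
    help) help ;;
    *)
      echo "$__name: subcommand not recognized... try '$__name help' for help" >&2
      exit 2
      ;;
  esac
fi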