git-crypt
Option to allow unlocking when working directory is not clean?
Error: Working directory not clean. Please commit your changes or 'git stash' them before running 'git-crypt unlock'.
Is it possible to add an option that allows unlocking when changes are not stashed? Would be useful for situations where changes are not related to encrypted files.
This does not sound very smart. There are too many possible edge cases (such as other clean/smudge filters) that could cause this to go wrong. Requiring a clean state makes sure any user data is at least backed up in a stash and hence avoids data loss in unforeseen edge cases.
You could easily write your own command to automatically stash, unlock, and attempt a stash pop. If the pop works cleanly you are good, and if not, instead of the unlock failing you need to deal with the stash conflicts. From my view that is just moving the target, but perhaps it would suit your use case better and be your deferred point of intervention.
I don't know much about git-crypt and I don't understand what edge cases you are talking about.
Of course requiring a clean state is safer and yes, I could write my own command. But both are not answering the question. Would it be possible? Are you saying it cannot be done?
A lot of users use git-crypt to encrypt only one or two files in the repository. There has to be a way to list these files and consider these only instead of asking for a full clean state.
Jan-2023, is there any solution that popped up? Exactly @lpasselin I'm also wondering why we need to stash all the files when we only applied encryption on a couple of files.
I would also be interested in such a feature, why does git-crypt depend on a clean work dir anyway?
I would gladly have this kind of feature. My use case for this is running git-crypt unlock as part of an ArgoCD plugin running as a sidecar container to the ArgoCD repo server (which is Argo's recommended and soon only supported way of doing it). Git repos are not checked out by the sidecar, it seems, but by the repo server itself, syncing the repo files over to the sidecar somehow. Running git-crypt unlock then leads to the above mentioned error.
So I had to do a git stash as a workaround as part of this plugin.
Kind regards Philip
@lpasselin I'm trying something very similar to your setup. I'm getting the same error as you are. I tried doing a git stash right before the git-crypt unlock but it does not seem to be working. I feel there is something wrong with my setup altogether. Could you share your snippet if possible? Mine looks like this:
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitcrypt-yaml-cm-plugin
  namespace: argocd
data:
  git-crypt-plugin.yaml: |
    apiVersion: argoproj.io/v1alpha1
    kind: ConfigManagementPlugin
    metadata:
      name: git-crypt-plugin
    spec:
      version: v1.0
      init:
        command: [sh, -c]
        # args: ["apk add git-crypt gpg-agent gpg; export GNUPGHOME=/home/argocd/.gnupg; export HOME=/home/argocd; eval $(gpg-agent --daemon); gpg --import /home/argocd/gpg-keys/gitcrypt.gpg; git crypt unlock"]
        args: ["export GNUPGHOME=/home/argocd/.gnupg; export HOME=/home/argocd; eval $(gpg-agent --daemon); git stash; gpg --import /home/argocd/gpg-keys/gitcrypt.gpg; git crypt unlock"]
      generate:
        command: [sh, -c]
        args: ["find . -name '__*.yaml' -exec cat {} \\;"]
      discover:
        find:
          command: [sh, -c]
          args: ["find . -name '__*.yaml'"]
      allowConcurrency: false
      lockRepo: true
As you can see, all the __*.yaml files in my case will be encrypted with git-crypt.
And yeah, the error that I get is
Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = Manifest generation error (cached): plugin sidecar failed. error generating manifests in cmp: rpc error: code = Unknown desc = error generating manifests: `sh -c "export GNUPGHOME=/home/argocd/.gnupg; export HOME=/home/argocd; eval $(gpg-agent --daemon); gpg --import /home/argocd/gpg-keys/gitcrypt.gpg; git crypt unlock"` failed exit status 1: gpg-agent: a gpg-agent is already running - not starting a new one gpg: keybox '/home/argocd/.gnupg/pubring.kbx' created gpg: no valid OpenPGP data found. gpg: Total number processed: 0 Error: Working directory not clean. Please commit your changes or 'git stash' them before running 'git-crypt unlock'.
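The stash / unlock / stash-pop wrapper suggested in the earlier reply, which is also the shape an ArgoCD plugin init step like the one above needs, written out as an added example. It is not git-crypt's own code and not anyone's posted config; it assumes git and git-crypt are on PATH and the repository is already set up for git-crypt. The function names (count_stashable, unlock_with_stash) and the porcelain status sample are the example's own, the sample being constructed so the counting logic can be checked without a repository.

```shell
#!/bin/sh
# Added example, not part of git-crypt: stash a dirty tree, run `git-crypt unlock`,
# then pop the stash, failing loudly rather than silently when the pop conflicts.
# Assumes git and git-crypt are on PATH and the repo is already git-crypt initialised.

# Count the entries in `git status --porcelain` output ($1) that a plain `git stash`
# would save: every line except untracked ('??'), ignored ('!!') and blank ones.
count_stashable() {
    printf '%s\n' "$1" | grep -v -e '^??' -e '^!!' -e '^$' | wc -l | tr -d ' '
}

# Wrapper around `git-crypt unlock`; extra arguments (e.g. a key file) are passed through.
# Return codes: 0 unlocked (and any stash restored), 1 unlock failed (stash restored),
# 2 unlocked but the stash pop conflicted and needs manual resolution.
unlock_with_stash() {
    status=$(git status -uno --porcelain) || return 1
    if [ "$(count_stashable "$status")" -eq 0 ]; then
        # Nothing for `git stash` to save: run the unlock directly.
        git-crypt unlock "$@"
        return $?
    fi
    git stash push -m "unlock_with_stash $(date +%Y%m%dT%H%M%S)" || return 1
    if ! git-crypt unlock "$@"; then
        echo "git-crypt unlock failed; restoring the stash" >&2
        git stash pop
        return 1
    fi
    if ! git stash pop; then
        echo "unlocked, but 'git stash pop' hit conflicts: resolve them, then 'git stash drop'" >&2
        return 2
    fi
    return 0
}

# Constructed sample of porcelain output, used to exercise count_stashable offline:
# two tracked changes, one untracked file, one ignored directory.
SAMPLE_STATUS=" M README.md
?? notes.txt
A  secrets/prod.yaml
!! build/"

# Only touch a real repository when explicitly asked, so the file is safe to source.
if [ "${RUN_UNLOCK:-0}" = "1" ]; then
    unlock_with_stash "$@"
fi
```

Run it as `RUN_UNLOCK=1 sh unlock_with_stash.sh` (optionally followed by a key file) in the repository, or source the file and call unlock_with_stash from a plugin init script. The count deliberately ignores untracked files because `git stash` without `-u` leaves them in place; a return code of 2 is the "deferred point of intervention" from the reply above: the files are decrypted, but the stash still exists and must be resolved by hand.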
It might be a bit late to reply but this is also happening to us. Here the problem is not git-crypt itself but Argo Repo Server with CMP in combination with our repository containing symbolic links. Try to reproduce with a repository containing symlinks and one not containing those, you will see that you will be able to reproduce the same. The fix has been proposed but so far not merged. https://github.com/argoproj/argo-cd/pull/12098 solves the issue but it is not passing security tests.