Merge Release 2.2.3

jmurty · jmurty · commit 605d9d04bad2 · 2023-03-09T22:41:28.000+11:00
Revert ill-judged attempt to auto-fix faulty encrypted files with doubled "Salted" prefix #158 The automatic fix for mistakenly double-salted encrypted files seems to be causing file- and system-dependent failures for people, and is almost certainly not worth this hassle, or the performance overhead, since I haven't heard of anyone having a double-salted file to recover. Reverting this now as a bad idea, to return the `smudge` operation back to its original implementation which is massively simpler and hopefully no longer sometimes broken.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -43,6 +43,22 @@ system, you must also run the `--upgrade` command in each repository:
 - When transcrypt refuses to do work in a dirty repository, print a list of
   changed files to help the user understand and fix the issue.
 
+### Fixed
+
+- Prevent `cd` commands printing out excess details when `CDPATH` is set (#156)
+
+## [2.2.3] - 2023-03-09
+
+### Fixed
+
+- Revert faulty automatic fix for mistakenly double-salted encrypted files,
+  which caused more problems than it solved by preventing decryption of some
+  files on some systems #158
+
+### Changed
+
+- The `hexdump` command is no longer required by Transcrypt.
+
 ## [2.2.2] - 2023-03-01
 
 ### Changed
@@ -56,7 +72,6 @@ system, you must also run the `--upgrade` command in each repository:
 - Avoid null byte warnings when decrypting certain files, caused by a work-
   around in 2.2.1 to repair files that could have been incorrectly encrypted
   with 2.2.0 due to issue #147
-- Prevent `cd` commands printing out excess details when `CDPATH` is set (#156)
 
 ## [2.2.1] - 2023-02-11
 
@@ -297,7 +312,8 @@ Since the v0.9.7 release, these are the notable improvements made to transcrypt:
 
 ## [0.9.4] - 2014-03-03
 
-[unreleased]: https://github.com/elasticdog/transcrypt/compare/v2.2.2...HEAD
+[unreleased]: https://github.com/elasticdog/transcrypt/compare/v2.2.3...HEAD
+[2.2.3]: https://github.com/elasticdog/transcrypt/compare/v2.2.2...v2.2.3
 [2.2.2]: https://github.com/elasticdog/transcrypt/compare/v2.2.1...v2.2.2
 [2.2.1]: https://github.com/elasticdog/transcrypt/compare/v2.2.0...v2.2.1
 [2.2.0]: https://github.com/elasticdog/transcrypt/compare/v2.1.0...v2.2.0
diff --git a/transcrypt b/transcrypt
@@ -222,7 +222,6 @@ git_clean() {
 	fi
 }
 
-# shellcheck disable=SC2005,SC2155
 git_smudge() {
 	tempfile=$(mktemp 2>/dev/null || mktemp -t tmp)
 	trap 'rm -f "$tempfile"' EXIT
@@ -231,33 +230,7 @@ git_smudge() {
 	cipher=$(git config --get --local "transcrypt${context_config_group}.cipher")
 	password=$(load_password "$context_config_group")
 	openssl_path=$(git config --get --local transcrypt.openssl-path)
-
-	# Write stdin to $tempfile, while skimming the first bytes at the same time
-	local firstbytes=$(tee "$tempfile" | head -c8 | LC_ALL=C tr -d '\0')
-	# If the first bytes are "Salted", then the file is encrypted
-	if [[ $firstbytes == "U2FsdGVk" ]]; then
-		# Fix for file mistakenly encrypted with double "Salted" prefixes due to #147
-		# that causes garbage characters at top of decrypted files.
-		#
-		# Check file header, which we already know starts with "Salted", to see if
-		# it has exactly the same "Salted__XYZ" prefix mistakenly repeated twice.
-		# Base64 decode gives raw bytes, hexdump gives bytes as ASCII hex characters.
-		local header_as_hex=$(echo "$(head -c48 <"$tempfile")" | openssl base64 -d | hexdump -ve '1/1 "%02x"')
-		local first_salt_prefix=$(echo "$header_as_hex" | cut -b 1-32)         # First 32 chars
-		local maybe_second_salt_prefix=$(echo "$header_as_hex" | cut -b 33-64) # Second 32 chars
-
-		# If the salted prefix is repeated -- and not empty, to avoid mistaken match if
-		# base64 decoding fails -- remove the first occurrence before decrypting...
-		if [[ "$first_salt_prefix" && "$first_salt_prefix" == "$maybe_second_salt_prefix" ]]; then
-			openssl base64 -d <"$tempfile" | tail -c+17 | ENC_PASS=$password "$openssl_path" enc -d "-${cipher}" -md MD5 -pass env:ENC_PASS 2>/dev/null
-		# ...otherwise decrypt as normal
-		else
-			ENC_PASS=$password "$openssl_path" enc -d -a "-${cipher}" -md MD5 -pass env:ENC_PASS <"$tempfile" 2>/dev/null
-		fi
-	# If the first bytes are not "Salted", the file is not encrypted so output it unchanged
-	else
-		cat "$tempfile"
-	fi
+	tee "$tempfile" | ENC_PASS=$password "$openssl_path" enc -d "-${cipher}" -md MD5 -pass env:ENC_PASS -a 2>/dev/null || cat "$tempfile"
 }
 
 git_textconv() {
