Document xxd requirement, and make optional with OpenSSL < 3 (#138)

Author: jmurty

CHANGELOG.md

@@ -30,7 +30,7 @@ The format is based on [Keep a Changelog][1], and this project adheres to
 ### Fixed
 
 - Remain compatible with OpenSSL versions 3 and above which changes the way
-  explicit salt values are expressed in ciphertext (#133)
+  explicit salt values are expressed in ciphertext, requires `xxd` command (#133)
 - Ensure Git index is up-to-date before checking for dirty repo, to avoid
   failures seen in CI systems where the repo seems dirty when it isn't. (#37)
 - Respect Git `core.hooksPath` setting when installing the pre-commit hook. (#104)

INSTALL.md

@@ -5,6 +5,13 @@ The requirements to run transcrypt are minimal:
 - Bash
 - Git
 - OpenSSL
+- `column` command (on Ubuntu/Debian install `bsdmainutils`)
+- `xxd` command if using OpenSSL version 3
+  (on Ubuntu/Debian is included with `vim`)
+
+...and optionally:
+
+- GnuPG - for secure configuration import/export
 
 You also need access to the _transcrypt_ script itself...
 

README.md

@@ -56,6 +56,8 @@ The requirements to run transcrypt are minimal:
 - Git
 - OpenSSL
 - `column` command (on Ubuntu/Debian install `bsdmainutils`)
+- `xxd` command if using OpenSSL version 3
+  (on Ubuntu/Debian is included with `vim`)
 
 ...and optionally:
 

transcrypt

@@ -139,16 +139,20 @@ git_clean() {
 		password=$(git config --get --local transcrypt.password)
 		openssl_path=$(git config --get --local transcrypt.openssl-path)
 		salt=$("${openssl_path}" dgst -hmac "${filename}:${password}" -sha256 "$tempfile" | tr -d '\r\n' | tail -c16)
-		# Encrypt the file to base64, ensuring it always includes the prefix 'Salted__' with the salt. #133
-		(
-			# Always prepend encrypted ciphertext with "Salted__" prefix and binary salt value
-			echo -n "Salted__" && echo -n "$salt" | xxd -r -p &&
-				# Encrypt file to binary ciphertext
-				ENC_PASS=$password "$openssl_path" enc -e "-${cipher}" -md MD5 -pass env:ENC_PASS -S "$salt" -in "$tempfile" |
-				# Strip "Salted__" prefix and salt value if also added by OpenSSL (version < 3)
-				LC_ALL=C sed -e "s/^\(Salted__.\{8\}\)\(.*\)/\2/"
-		) |
-			base64
+
+		openssl_major_version=$($openssl_path version | cut -d' ' -f2 | cut -d'.' -f1)
+		if [ "$openssl_major_version" -ge "3" ]; then
+			# Encrypt the file to base64, ensuring it includes the prefix 'Salted__' with the salt. #133
+			(
+				echo -n "Salted__" && echo -n "$salt" | xxd -r -p &&
+					# Encrypt file to binary ciphertext
+					ENC_PASS=$password "$openssl_path" enc -e "-${cipher}" -md MD5 -pass env:ENC_PASS -S "$salt" -in "$tempfile"
+			) |
+				base64
+		else
+			# Encrypt file to base64 ciphertext
+			ENC_PASS=$password "$openssl_path" enc -e -a "-${cipher}" -md MD5 -pass env:ENC_PASS -S "$salt" -in "$tempfile"
+		fi
 	fi
 }
 
@@ -305,6 +309,12 @@ run_safety_checks() {
 	for cmd in {column,grep,mktemp,"${openssl_path}",sed,tee}; do
 		command -v "$cmd" >/dev/null || die 'required command "%s" was not found' "$cmd"
 	done
+	# check for extra `xxd` dependency when running against OpenSSL version 3+
+	openssl_major_version=$($openssl_path version | cut -d' ' -f2 | cut -d'.' -f1)
+	if [ "$openssl_major_version" -ge "3" ]; then
+		cmd="xxd"
+		command -v "$cmd" >/dev/null || die 'required command "%s" was not found' "$cmd"
+	fi
 
 	# ensure the repository is clean (if it has a HEAD revision) so we can force
 	# checkout files without the destruction of uncommitted changes