Merge branch '2.2'

jmurty · jmurty · commit a3a77c2e82a7 · 2023-02-11T23:04:09.000+11:00
* 2.2: Release 2.2.1 Run tests for PR changes even if it doesn't target `main` Detect and fix decryption of files encrypted with doubled "Salted" prefixes due to #147 Fix compatibility with LibreSSL v3+ `openssl` command and MacOS Ventura (#148 #147) # Conflicts: # CHANGELOG.md # transcrypt
diff --git a/.github/workflows/run-bats-core-tests.yml b/.github/workflows/run-bats-core-tests.yml
@@ -6,7 +6,7 @@ on:
     branches: [main]
   # Run tests for all pull request changes targeting main
   pull_request:
-    branches: [main]
+    branches: "**"
 
 jobs:
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,30 @@ The format is based on [Keep a Changelog][1], and this project adheres to
 [1]: https://keepachangelog.com/en/1.0.0/
 [2]: https://semver.org/spec/v2.0.0.html
 
+## Steps to Upgrade
+
+To upgrade _transcrypt_ it is not enough to have a newer version on your
+system, you must also run the `--upgrade` command in each repository:
+
+1. Check the version of _transcrypt_ on your system:
+
+   ```bash
+   $ transcrypt --version
+   ```
+
+2. Check the version of _transcrypt_ in your Git repository, which may be
+   different:
+
+   ```bash
+   $ .git/crypt/transcrypt --version
+   ```
+
+3. Upgrade the version of _transcrypt_ in your Git repository:
+
+   ```
+   $ transcrypt --upgrade
+   ```
+
 ## [Unreleased]
 
 ### Added
@@ -17,10 +41,12 @@ The format is based on [Keep a Changelog][1], and this project adheres to
   normal repository users. See `--context=` / `-C` / `--list-context` arguments
   and documentation for this advanced feature.
 
+## [2.2.1] - 2023-02-11
+
 ### Fixed
 
 - Compatibility fix for LibreSSL versions 3 (and above) especially for MacOS
-  13 Ventura to more carefully apply a work-around required for OpenSSL 3+
+  13 Ventura, to more carefully apply a work-around required for OpenSSL 3+
   that isn't required for LibreSSL 3+ (#147 #133)
 - Fix errors applying a stash containing a secret file that needs to be merged
   with staged changes to the same file (#150)
@@ -254,7 +280,8 @@ Since the v0.9.7 release, these are the notable improvements made to transcrypt:
 
 ## [0.9.4] - 2014-03-03
 
-[unreleased]: https://github.com/elasticdog/transcrypt/compare/v2.2.0...HEAD
+[unreleased]: https://github.com/elasticdog/transcrypt/compare/v2.2.1...HEAD
+[2.2.1]: https://github.com/elasticdog/transcrypt/compare/v2.2.0...v2.2.1
 [2.2.0]: https://github.com/elasticdog/transcrypt/compare/v2.1.0...v2.2.0
 [2.1.0]: https://github.com/elasticdog/transcrypt/compare/v2.0.0...v2.1.0
 [2.0.0]: https://github.com/elasticdog/transcrypt/compare/v1.1.0...v2.0.0
diff --git a/transcrypt b/transcrypt
@@ -222,6 +222,7 @@ git_clean() {
 	fi
 }
 
+# shellcheck disable=SC2005,SC2155
 git_smudge() {
 	tempfile=$(mktemp 2>/dev/null || mktemp -t tmp)
 	trap 'rm -f "$tempfile"' EXIT
@@ -230,7 +231,32 @@ git_smudge() {
 	cipher=$(git config --get --local "transcrypt${context_config_group}.cipher")
 	password=$(load_password "$context_config_group")
 	openssl_path=$(git config --get --local transcrypt.openssl-path)
-	tee "$tempfile" | ENC_PASS=$password "$openssl_path" enc -d "-${cipher}" -md MD5 -pass env:ENC_PASS -a 2>/dev/null || cat "$tempfile"
+
+	# Write stdin to $tempfile, while skimming the first bytes at the same time
+	local firstbytes=$(tee "$tempfile" | head -c8 | LC_ALL=C tr -d '\0')
+	# If the first bytes are "Salted", then the file is encrypted
+	if [[ $firstbytes == "U2FsdGVk" ]]; then
+		# Fix for file mistakenly encrypted with double "Salted" prefixes due to #147
+		# that causes garbage characters at top of decrypted files.
+		#
+		# Check file header, which we already know starts with "Salted", to see if
+		# it has exactly the same "Salted__XYZ" prefix mistakenly repeated twice
+		local header_decoded=$(echo "$(head -c48 <"$tempfile")" | openssl base64 -d)
+		local first_salt_prefix=$(echo "$header_decoded" | cut -b 1-16)         # First 16 bytes
+		local maybe_second_salt_prefix=$(echo "$header_decoded" | cut -b 17-32) # Second 16 bytes
+
+		# If the salted prefix is repeated -- and not empty, to avoid mistaken match if
+		# base64 decoding fails -- remove the first occurrence before decrypting...
+		if [[ "$first_salt_prefix" && "$first_salt_prefix" == "$maybe_second_salt_prefix" ]]; then
+			openssl base64 -d <"$tempfile" | tail -c+17 | ENC_PASS=$password "$openssl_path" enc -d "-${cipher}" -md MD5 -pass env:ENC_PASS 2>/dev/null
+		# ...otherwise decrypt as normal
+		else
+			ENC_PASS=$password "$openssl_path" enc -d -a "-${cipher}" -md MD5 -pass env:ENC_PASS <"$tempfile" 2>/dev/null
+		fi
+	# If the first bytes are not "Salted", the file is not encrypted so output it unchanged
+	else
+		cat "$tempfile"
+	fi
 }
 
 git_textconv() {
