refactor: Improve git-crypt verification logic

This commit is contained in:
Matteo Cherubini 2026-06-09 19:43:47 +02:00
parent bee2596001
commit 2669a76711


@ -21,18 +21,29 @@ gcrypt_export_key() {
gcrypt_verify() {
local genome_name="$1"
local key_path="${KEYS_DIR}/${genome_name}.key"
info "Verifying git-crypt status for ${genome_name}..."
git-crypt lock
info "Verifying git-crypt configuration for ${genome_name}..."
if file "raw/private/.gitkeep" 2>/dev/null | grep -q "data"; then
success "Encryption verified: private/ directory is protected."
# `git-crypt status` reports the CONFIGURED status (from `.gitattributes`), not the
# lock/unlock status of the working tree. Encrypted lines have their labels right-aligned
# (with leading whitespace), so you CANNOT anchor on `^encrypted`.
# We filter by private/ and distinguish “encrypted” from “not encrypted” without
# relying on exact spacing.
local status_out encrypted_count not_encrypted_count
status_out=$(git-crypt status 2>/dev/null || true)
encrypted_count=$(printf '%s\n' "$status_out" | grep 'private/' | grep -cE '^[[:space:]]*encrypted:' || true)
not_encrypted_count=$(printf '%s\n' "$status_out" | grep 'private/' | grep -cE '^not encrypted:' || true)
if [[ "$encrypted_count" -gt 0 ]]; then
success "Encryption configured: ${encrypted_count} private file(s) under git-crypt."
if [[ "$not_encrypted_count" -gt 0 ]]; then
warn "${not_encrypted_count} file(s) under private/ are NOT covered by the git-crypt filter — check .gitattributes (leak risk)."
fi
elif [[ "$not_encrypted_count" -gt 0 ]]; then
warn "private/ files exist but none are covered by the git-crypt filter — check the .gitattributes filter (leak risk)."
else
warn "Encryption check inconclusive. Run 'git-crypt status' manually."
info "No private/ files present yet — nothing to verify."
fi
[[ -f "$key_path" ]] && git-crypt unlock "$key_path"
}
# ---------------------------------------------------------------------------
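Review bot: The `status_out=$(git-crypt status 2>/dev/null || true)` line makes a failed `git-crypt status` (binary missing, repository not git-crypt initialised) indistinguishable from a repository with no private/ files: both counts come out 0, the final `else` branch is taken, and the function reports "No private/ files present yet — nothing to verify." with exit status 0, so the verification step passes exactly when the tool it depends on did not run. Capture the exit status before counting, e.g. `if ! status_out=$(git-crypt status 2>&1); then`, `warn "git-crypt status failed: ${status_out}"; return 1`, `fi`, and keep the existing `else` branch for the genuine empty case. That `else` branch currently prints both `warn "Encryption check inconclusive…"` and `info "No private/ files present yet…"`, which contradict each other; once the failure case is handled above, only the `info` line belongs there. Separately, `grep 'private/'` is unanchored and will also count paths such as `docs/private/…` that are outside the directory the earlier `raw/private/.gitkeep` check referred to; matching on `': raw/private/'` (or whatever the intended prefix is) would keep the counts honest, and it is worth considering whether the leak-risk `warn` branches should `return 1` so callers can fail on them.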