- Add blackbox_list_files to RPM and MacPorts packages.

- Makefile should not require DESTDIR variable.

Makefile

@@ -25,9 +25,9 @@ tools/mk_macports.vcs_blackbox.txt: tools/mk_rpm_fpmdir.stack_blackbox.txt
 	sed -e 's@/usr/blackbox/bin/@bin/@g' -e '/profile.d-usrblackbox.sh/d' <tools/mk_rpm_fpmdir.stack_blackbox.txt >$@
 
 check-destdir:
-ifndef DESTDIR
+	ifndef DESTDIR
-  $(error DESTDIR is undefined)
+	  $(error DESTDIR is undefined)
-endif
+	endif
 
 # MacPorts expects to run: make packages-macports DESTDIR=${destroot}
 packages-macports: tools/mk_macports.vcs_blackbox.txt check-destdir

README.md

@@ -74,6 +74,24 @@ exception of a few specific files, is key to the kind of
 collaboration that DevOps and modern IT practitioniers
 need to do.
 
+Commands:
+============================
+
+
+| Name: | Description: |
+| --- | --- |
+| `blackbox_addadmin` | Add someone to the list of people that can encrypt/decrypt secrets |
+| `blackbox_cat` | Decrypt and view the contents of a file |
+| `blackbox_edit` | Decrypt, run $EDITOR, re-encrypt a file |
+| `blackbox_edit_start` | Decrypt a file so it can be updated |
+| `blackbox_edit_end` | Encrypt a file after blackbox_edit_start was used |
+| `blackbox_initialize` | Enable blackbox for a GIT or HG repo |
+| `blackbox_postdeploy` | Decrypt all managed files |
+| `blackbox_register_new_file` | Encrypt a file for the first time |
+| `blackbox_removeadmin` | Remove someone from the list of people that can encrypt/decrypt secrets |
+| `blackbox_shred_all_files` | Safely delete any decrypted files |
+| `blackbox_update_all_file` | Decrypt then re-encrypt all files. Useful after keys are changed |
+
 Compatibility:
 ============================
 
@@ -87,7 +105,7 @@ It has been tested to work with many operating systems.
   * `hg` -- Mercurial
   * `svn` -- SubVersion (Thanks, Ben Drasin!)
 * Operating system
-  * CentOS
+  * CentOS / RedHat
   * MacOS X
   * Cygwin (Thanks, Ben Drasin!)
 

bin/_blackbox_common.sh

@@ -12,6 +12,11 @@
 # Where in the VCS repo should the blackbox data be found?
 : ${BLACKBOXDATA:=keyrings/live} ;   # If BLACKBOXDATA not set, set it.
 
+
+# If $EDITOR is not set, set it to "vi":
+: ${EDITOR:=vi} ;
+
+ 
 # Outputs a string that is the base directory of this VCS repo.
 # By side-effect, sets the variable VCS_TYPE to either 'git', 'hg',
 # 'svn' or 'unknown'.
@@ -56,7 +61,8 @@ BB_FILES_FILE="blackbox-files.txt"
 BB_FILES="${KEYRINGDIR}/${BB_FILES_FILE}"
 SECRING="${KEYRINGDIR}/secring.gpg"
 PUBRING="${KEYRINGDIR}/pubring.gpg"
-: ${DECRYPT_UMASK:=o=} ;
+: ${DECRYPT_UMASK:=0022} ;
+# : ${DECRYPT_UMASK:=o=} ;
 
 # Return error if not on cryptlist.
 function is_on_cryptlist() {

bin/blackbox_list_files

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+#
+# blackbox_list_files.sh -- List files that black box is tracking
+#
+set -e
+blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source ${blackbox_home}/_blackbox_common.sh
+cat "$BB_FILES"

bin/blackbox_register_new_file

@@ -46,6 +46,8 @@ if $SECRETSEXPOSED ; then
   COMMIT_FILES="$BB_FILES $encrypted_file $unencrypted_file"
 else
   COMMIT_FILES="$BB_FILES $encrypted_file"
+  # FIXME(tal): This should be an array so that filenames with
+  # spaces aren't a problem.
 fi
 
 # TODO(tlim): This should be moved to _blackbox_common.sh in a
@@ -61,7 +63,7 @@ if [[ $VCS_TYPE = 'git' ]]; then
 fi
 
 echo 'NOTE: "already tracked!" messages are safe to ignore.'
-vcs_add $BB_FILES $encrypted_file
+vcs_add "$BB_FILES" $encrypted_file
 vcs_commit "registered in blackbox: ${unencrypted_file}" $COMMIT_FILES
 echo "========== UPDATING VCS: DONE"
 echo "Local repo updated.  Please push when ready."

bin/blackbox_shred_all_files

@@ -22,7 +22,7 @@ source ${blackbox_home}/_blackbox_common.sh
 change_to_root
 
 echo '========== FILES BEING SHREDDED:'
-for i in $(<$BB_FILES) ; do
+for i in $(<"$BB_FILES") ; do
   unencrypted_file=$(get_unencrypted_filename "$i")
   encrypted_file=$(get_encrypted_filename "$i")
   if [[ -f "$unencrypted_file" ]]; then

bin/blackbox_update_all_files

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 #
-# blackbox_update_all_files -- Re-encrypt file after edits.
+# blackbox_update_all_files -- Decrypt then re-encrypt all files. Useful after keys are changed.
 #
 
 set -e
@@ -23,7 +23,7 @@ awk <"$BB_FILES" '{ print "    " $1 ".gpg" }'
 
 echo '========== FILES IN THE WAY:'
 need_warning=false
-for i in $(<$BB_FILES) ; do
+for i in $(<"$BB_FILES") ; do
   unencrypted_file=$(get_unencrypted_filename "$i")
   encrypted_file=$(get_encrypted_filename "$i")
   if [[ -f "$unencrypted_file" ]]; then
@@ -40,7 +40,7 @@ else
 fi
 
 echo '========== RE-ENCRYPTING FILES:'
-for i in $(<$BB_FILES) ; do
+for i in $(<"$BB_FILES") ; do
   unencrypted_file=$(get_unencrypted_filename "$i")
   encrypted_file=$(get_encrypted_filename "$i")
   echo ========== PROCESSING "$unencrypted_file"
@@ -53,7 +53,7 @@ done
 fail_if_keychain_has_secrets
 
 echo '========== COMMITING TO VCS:'
-vcs_commit 'Re-encrypted keys' $(awk <$BB_FILES '{ print $1 ".gpg" }' )
+vcs_commit 'Re-encrypted keys' $(awk <"$BB_FILES" '{ print $1 ".gpg" }' )
 
 VCSCMD=$(which_vcs)
 echo '========== DONE.'

tools/mk_macports.vcs_blackbox.txt

@@ -11,3 +11,4 @@ exec bin/blackbox_register_new_file ../bin/blackbox_register_new_file
 exec bin/blackbox_removeadmin      ../bin/blackbox_removeadmin
 exec bin/blackbox_shred_all_files  ../bin/blackbox_shred_all_files
 exec bin/blackbox_update_all_files ../bin/blackbox_update_all_files
+exec bin/blackbox_list_files       ../bin/blackbox_list_files

tools/mk_rpm_fpmdir

@@ -24,6 +24,8 @@ shift
 : ${PKGVERSION:=1.0} ;
 # If there is no iteration setting, assume "1":
 : ${PKGRELEASE:=1}
+# If there is no epoch, assume 0
+: ${PKGEPOCH:=0}
 
 # The RPM is output here: (should be a place that can be wiped)
 OUTPUTDIR="${HOME}/rpmbuild-$PACKAGENAME"
@@ -37,6 +39,7 @@ rm -rf "$OUTPUTDIR"
 mkdir -p "$OUTPUTDIR/installroot"
 
 # Copy the files into place:
+set -o pipefail  # Error out if any manifest is not found.
 cat """$@""" | while read -a arr ; do
   PERM="${arr[0]}"
   case $PERM in
@@ -56,12 +59,13 @@ done
 # Build the RPM:
 cd "$OUTPUTDIR" && fpm -s dir -t rpm \
   -a x86_64 \
-  --epoch '0' \
   -n "${PACKAGENAME}" \
+  --epoch "${PKGEPOCH}" \
   --version "${PKGVERSION}" \
   --iteration "${PKGRELEASE}" \
+  ${PKGDESCRIPTION:+ --description="${PKGDESCRIPTION}"} \
+  ${PKGVENDOR:+ --vendor="${PKGVENDOR}"} \
   -C "$OUTPUTDIR/installroot" \
-  --description="$PKGDESCRIPTION" \
   .
 
 # TeamCity templates for RPMS expect to find

tools/mk_rpm_fpmdir.stack_blackbox.txt

@@ -12,3 +12,4 @@ exec /usr/blackbox/bin/blackbox_register_new_file ../bin/blackbox_register_new_f
 exec /usr/blackbox/bin/blackbox_removeadmin      ../bin/blackbox_removeadmin
 exec /usr/blackbox/bin/blackbox_shred_all_files  ../bin/blackbox_shred_all_files
 exec /usr/blackbox/bin/blackbox_update_all_files ../bin/blackbox_update_all_files
+exec /usr/blackbox/bin/blackbox_list_files       ../bin/blackbox_list_files