Remove irrelevant error check

adding rudimentary debian package building support

Makefile

@@ -5,6 +5,7 @@ PKGNAME=stack_blackbox
 all:
 	@echo 'Menu:'
 	@echo '  make packages          Make RPM packages'
+	@echo '  make packages-deb      Make DEB packages'
 	@echo '  make install           (incomplete)'
 
 install:
@@ -24,13 +25,12 @@ packages: packages-rpm
 tools/mk_macports.vcs_blackbox.txt: tools/mk_rpm_fpmdir.stack_blackbox.txt
 	sed -e 's@/usr/blackbox/bin/@bin/@g' -e '/profile.d-usrblackbox.sh/d' <tools/mk_rpm_fpmdir.stack_blackbox.txt >$@
 
-check-destdir:
-	ifndef DESTDIR
-	  $(error DESTDIR is undefined)
-	endif
+# Make mk_deb_fpmdir.vcs_blackbox.txt from mk_rpm_fpmdir.stack_blackbox.txt:
+tools/mk_deb_fpmdir.stack_blackbox.txt: tools/mk_rpm_fpmdir.stack_blackbox.txt
+	sed -e 's@/usr/blackbox/bin/@/usr/bin/@g' -e '/profile.d-usrblackbox.sh/d' <tools/mk_deb_fpmdir.stack_blackbox.txt >$@
 
 # MacPorts expects to run: make packages-macports DESTDIR=${destroot}
-packages-macports: tools/mk_macports.vcs_blackbox.txt check-destdir
+packages-macports: tools/mk_macports.vcs_blackbox.txt
 	mkdir -p $(DESTDIR)/bin
 	cd tools && ./mk_macports mk_macports.vcs_blackbox.txt
 
@@ -60,16 +60,35 @@ lock-rpm:
 unlock-rpm:
 	sudo yum versionlock clear
 
+#
+# DEB builds
+#
+
+packages-deb:	tools/mk_deb_fpmdir.stack_blackbox.txt
+	cd tools && PKGRELEASE="$${PKGRELEASE}" PKGDESCRIPTION="Safely store secrets in git/hg/svn repos using GPG encryption" ./mk_deb_fpmdir stack_blackbox mk_deb_fpmdir.stack_blackbox.txt
+
+packages-deb-debug:	tools/mk_deb_fpmdir.stack_blackbox.txt
+	@echo BUILD:
+	@PKGRELEASE=99 make packages-deb
+	@echo ITEMS TO BE PACKAGED:
+	find ~/debbuild-$(PKGNAME)/installroot -type f
+	@echo ITEMS ACTUALLY IN PACKAGE:
+	@dpkg --contents $$(cat ~/debbuild-$(PKGNAME)/bin-packages.txt)
+
+local-deb:
+	@PKGRELEASE=1 make packages
+	-@sudo dpkg -e $(PKGNAME)
+	sudo dpkg -i $$(cat ~/rpmbuild-$(PKGNAME)/bin-packages.txt)
+
 # Add other package types here.
 
 #
 # System Test:
 #
-
 confidence:
-	@if [[ -e ~/.gnupg ]]; then echo ERROR: '~/.gnupg should not exist. If it does, bugs may polute your .gnupg configuration. If the code has no bugs everything will be fine. Do you feel lucky?'; false ; fi
+	@if [ -e ~/.gnupg ]; then echo ERROR: '~/.gnupg should not exist. If it does, bugs may polute your .gnupg configuration. If the code has no bugs everything will be fine. Do you feel lucky?'; false ; fi
 	@if which >/dev/null gpg-agent ; then pkill gpg-agent ; rm -rf /tmp/tmp.* ; fi
-	@export PATH=~/gitwork/blackbox/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin ; 
+	@export PATH=~/gitwork/blackbox/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/local/bin ; tools/confidence_test.sh
 		cd ~/gitwork/blackbox && tools/confidence_test.sh
 	@if which >/dev/null gpg-agent ; then pkill gpg-agent ; fi
-	@if [[ -e ~/.gnupg ]]; then echo ERROR: '~/.gnupg was created which means the scripts might be poluting GnuPG configuration.  Fix this bug.'; false ; fi
+	@if [ -e ~/.gnupg ]; then echo ERROR: '~/.gnupg was created which means the scripts might be poluting GnuPG configuration.  Fix this bug.'; false ; fi

README.md

@@ -74,6 +74,16 @@ exception of a few specific files, is key to the kind of
 collaboration that DevOps and modern IT practitioniers
 need to do.
 
+Installation Instructions:
+==========================
+
+  * *The RPM way*: `make packages-rpm` and now you have an RPM you can install.
+  * *The MacPorts Way*: `sudo port install vcs_blackbox`
+  * *The hard way*: Copy all the files in "bin" to your "bin".
+  * *The Antigen Way*: Add `antigen bundle StackExchange/blackbox` to your .zshrc
+  * *The Zgen Way*: Add `zgen load StackExchange/blackbox` to your .zshrc where you're loading your other plugins.
+
+
 Commands:
 ============================
 
@@ -90,7 +100,7 @@ Commands:
 | `blackbox_register_new_file` | Encrypt a file for the first time |
 | `blackbox_removeadmin` | Remove someone from the list of people that can encrypt/decrypt secrets |
 | `blackbox_shred_all_files` | Safely delete any decrypted files |
-| `blackbox_update_all_file` | Decrypt then re-encrypt all files. Useful after keys are changed |
+| `blackbox_update_all_files` | Decrypt then re-encrypt all files. Useful after keys are changed |
 
 Compatibility:
 ============================

RELEASE_ENGINEERING.TXT

@@ -43,3 +43,77 @@ R="v1.$(date +%Y%m%d)"
 git tag "$R"
 git push origin tag "$R"
 ```
+
+# Updating MacPorts (automatic)
+
+Step 1: Generate the Portfile
+
+```
+tools/macports_report_upgrade.sh  1.20150222
+```
+
+This script will generate a file called `Portfile-vcs_blackbox.diff` and instructions on how to submit it as a update request.
+
+Step 2: Submit the update request.
+
+Submit the diff file as a bug as instructed. The instructions should look like this:
+
+* PLEASE OPEN A TICKET WITH THIS INFORMATION:
+    https://trac.macports.org/newticket
+* Summary: `vcs_blackbox @1.20150222 Update to latest upstream`
+* Description: ```New upstream of vcs_blackbox.
+github.setup and checksums updated.```
+* Type: `update`
+* Component: `ports`
+* Port: `vcs_blackbox`
+* Keywords: `maintainer`
+* Attach this file: `Portfile-vcs_blackbox.diff`
+
+Step 3: Watch for the update to happen.
+
+# Updating MacPorts (manual)
+
+This is the old, manual, procedure.  If the automated procedure work, these notes may or may not be helpful.
+
+The ultimate result of the script should be a `diff -u Portfile.orig Portfile`.  The new `Portfile` should have these changes:
+
+1. The `github.setup` line should have a new version number.
+2. The `checksums` line(s) should have updated checksums.
+
+How to generate the checksums?
+
+The easiest way is to to make a Portfile with incorrect checksums, then run `sudo port -v checksum vcs_blackbox` to see what they should have been.  Fix the file, and try again.
+
+When the the checksum command works, run `port lint vcs_blackbox` and make sure it has no errors.
+
+Some useful commands:
+
+Change repos in sources.conf:
+```
+sudo vi /opt/local/etc/macports/sources.conf
+  Add this line early in the file:
+  file:///var/tmp/ports
+```
+
+Add a local repo in an automated manner:
+```
+fgrep >/dev/null -x 'file:///var/tmp/ports' /opt/local/etc/macports/sources.conf || sudo sed -i -e '1s@^@file:///var/tmp/ports\'$'\n@' /opt/local/etc/macports/sources.conf
+```
+
+Remove the local repo in an automated manner:
+```
+sudo sed -i -e '\@^file:///var/tmp/ports@d' /opt/local/etc/macports/sources.conf
+```
+
+Test a Portfile:
+``` 
+sudo port uninstall vcs_blackbox
+sudo port clean --all vcs_blackbox
+rm -rf ~/.macports/opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/security/vcs_blackbox/
+rm -rf /var/tmp/ports
+mkdir -p /var/tmp/ports/security/vcs_blackbox
+cp Portfile /var/tmp/ports/security/vcs_blackbox
+cd /var/tmp/ports && portindex
+sudo port -v checksum vcs_blackbox
+sudo port install vcs_blackbox
+```

bin/_blackbox_common.sh

@@ -10,13 +10,13 @@
 #   . _blackbox_common.sh
 
 # Where in the VCS repo should the blackbox data be found?
-: ${BLACKBOXDATA:=keyrings/live} ;   # If BLACKBOXDATA not set, set it.
+: "${BLACKBOXDATA:=keyrings/live}" ;   # If BLACKBOXDATA not set, set it.
 
 
 # If $EDITOR is not set, set it to "vi":
-: ${EDITOR:=vi} ;
+: "${EDITOR:=vi}" ;
+
 
- 
 # Outputs a string that is the base directory of this VCS repo.
 # By side-effect, sets the variable VCS_TYPE to either 'git', 'hg',
 # 'svn' or 'unknown'.
@@ -27,19 +27,19 @@ function _determine_vcs_base_and_type() {
     #find topmost dir with .svn sub-dir
     parent=""
     grandparent="."
-    mydir=`pwd`
+    mydir=$(pwd)
     while [ -d "$grandparent/.svn" ]; do
       parent=$grandparent
       grandparent="$parent/.."
     done
 
     if [ ! -z "$parent" ]; then
-      cd $parent
-      echo `pwd`
+      cd "$parent"
+      echo "$(pwd)"
     else
       exit 1
     fi
-    cd $mydir
+    cd "$mydir"
     VCS_TYPE=svn
   elif hg root 2>/dev/null ; then
     # NOTE: hg has to be tested last because it always "succeeds".
@@ -61,7 +61,7 @@ BB_FILES_FILE="blackbox-files.txt"
 BB_FILES="${KEYRINGDIR}/${BB_FILES_FILE}"
 SECRING="${KEYRINGDIR}/secring.gpg"
 PUBRING="${KEYRINGDIR}/pubring.gpg"
-: ${DECRYPT_UMASK:=0022} ;
+: "${DECRYPT_UMASK:=0022}" ;
 # : ${DECRYPT_UMASK:=o=} ;
 
 # Return error if not on cryptlist.
@@ -184,9 +184,9 @@ function decrypt_file() {
   echo "========== EXTRACTING $unencrypted"
 
   old_umask=$(umask)
-  umask $DECRYPT_UMASK
+  umask "$DECRYPT_UMASK"
   gpg -q --decrypt -o "$unencrypted" "$encrypted"
-  umask $old_umask
+  umask "$old_umask"
 }
 
 # Decrypt .gpg file, overwriting unencrypted file if it exists.
@@ -206,12 +206,12 @@ function decrypt_file_overwrite() {
   fi
 
   old_umask=$(umask)
-  umask $DECRYPT_UMASK
+  umask "$DECRYPT_UMASK"
   gpg --yes -q --decrypt -o "$unencrypted" "$encrypted"
-  umask $old_umask
+  umask "$old_umask"
 
   new_hash=$(md5sum_file "$unencrypted")
-  if [[ $old_hash != $new_hash ]]; then
+  if [[ "$old_hash" != "$new_hash" ]]; then
     echo "========== EXTRACTED $unencrypted"
   fi
 }
@@ -250,8 +250,8 @@ function enumerate_subdirs() {
   while read filename; do
     dir=$(dirname "$filename")
     while [[ $dir != '.' && $dir != '/' ]]; do
-      echo $dir
-      dir=$(dirname $dir)
+      echo "$dir"
+      dir=$(dirname "$dir")
     done
   done <"$listfile" | sort -u
 }
@@ -260,7 +260,7 @@ function enumerate_subdirs() {
 function vcs_relative_path() {
   # Usage: vcs_relative_path file
   local name="$1"
-  python -c 'import os ; print(os.path.relpath("'$(pwd -P)'/'"$name"'", "'"$REPOBASE"'"))'
+  python -c 'import os ; print(os.path.relpath("'"$(pwd -P)"'/'"$name"'", "'"$REPOBASE"'"))'
 }
 
 #
@@ -338,7 +338,7 @@ function is_in_svn() {
     echo true
   else
     echo false
-  fi 
+  fi
 }
 
 

bin/_stack_lib.sh

@@ -79,7 +79,7 @@ function make_tempdir() {
 
   case $(uname -s) in
     Darwin )
-      : ${TMPDIR:=/tmp} ;
+      : "${TMPDIR:=/tmp}" ;
       name=$(mktemp -d -t _stacklib_ )
       ;;
     Linux )

bin/blackbox_addadmin

@@ -16,17 +16,7 @@ source ${blackbox_home}/_stack_lib.sh
 fail_if_not_in_repo
 
 KEYNAME="$1"
-: ${KEYNAME:?ERROR: First argument must be a keyname (email address)} ;
-
-# The second argument, if present, is the directory to find the GPG keys to be imported.
-if [[ "$2" == "" ]]; then
-  GPGEXPORTOPTIONS=""
-else
-  GPGEXPORTOPTIONS=--homedir="${2}"
-fi
-# TODO(tlim): This could probably be done with GNUPGHOME
-# but that affects all commands; we just want it to affect the key export.
-
+: "${KEYNAME:?ERROR: First argument must be a keyname (email address)}" ;
 
 # Add the email address to the BB_ADMINS file.  Remove any duplicates.
 # The file must exist for sort to act as we expect.
@@ -38,7 +28,16 @@ sort  -fdu -o "$BB_ADMINS" <(echo "$1") "$BB_ADMINS"
 
 # Extract it:
 make_self_deleting_tempfile pubkeyfile
-gpg $GPGEXPORTOPTIONS --export -a "$KEYNAME" >"$pubkeyfile"
+
+# The second argument, if present, is the directory to find the GPG keys to be imported.
+if [[ -z $2 ]]; then
+  gpg --export -a "$KEYNAME" >"$pubkeyfile"
+else
+  # TODO(tlim): This could probably be done with GNUPGHOME
+  # but that affects all commands; we just want it to affect the key export.
+  gpg --homedir="$2" --export -a "$KEYNAME" >"$pubkeyfile"
+fi
+
 if [[ $(wc -l < "$pubkeyfile") = 0 ]]; then
   fail_out "GPG key '$KEYNAME' not found.  Please create it with: gpg --gen-key"
   exit 1

bin/blackbox_cat

@@ -5,7 +5,7 @@
 #
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 
 for param in """$@""" ; do
   shreddable=0

bin/blackbox_edit

@@ -5,7 +5,7 @@
 #
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 
 for param in """$@""" ; do
   unencrypted_file=$(get_unencrypted_filename "$param")
@@ -22,6 +22,6 @@ for param in """$@""" ; do
     esac
   fi
   blackbox_edit_start "$param"
-  $EDITOR $(get_unencrypted_filename $param)
+  "$EDITOR" "$(get_unencrypted_filename "$param")"
   blackbox_edit_end "$param"
 done

bin/blackbox_edit_end

@@ -6,7 +6,7 @@
 
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 
 unencrypted_file=$(get_unencrypted_filename "$1")
 encrypted_file=$(get_encrypted_filename "$1")

bin/blackbox_edit_start

@@ -6,7 +6,7 @@
 
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 
 for param in """$@""" ; do
   unencrypted_file=$(get_unencrypted_filename "$param")

bin/blackbox_initialize

@@ -10,7 +10,7 @@
 
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 
 _determine_vcs_base_and_type  # Sets VCS_TYPE
 

bin/blackbox_list_files

@@ -5,5 +5,5 @@
 #
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 cat "$BB_FILES"

bin/blackbox_postdeploy

@@ -15,7 +15,7 @@ export PATH=/usr/bin:/bin:"$PATH"
 
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 
 if [[ "$1" == "" ]]; then
   FILE_GROUP=""
@@ -33,7 +33,7 @@ while IFS= read <&99 -r unencrypted_file; do
   decrypt_file_overwrite "$encrypted_file" "$unencrypted_file"
   chmod g+r "$unencrypted_file"
   if [[ ! -z "$FILE_GROUP" ]]; then
-    chgrp $FILE_GROUP "$unencrypted_file"
+    chgrp "$FILE_GROUP" "$unencrypted_file"
   fi
 done 99<"$BB_FILES"
 echo '========== Decrypting new/changed files: DONE'

bin/blackbox_register_new_file

@@ -12,13 +12,13 @@
 
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 _determine_vcs_base_and_type
 
 unencrypted_file=$(get_unencrypted_filename "$1")
 encrypted_file=$(get_encrypted_filename "$1")
 
-if [[ $1 == $encrypted_file ]]; then
+if [[ "$1" == "$encrypted_file" ]]; then
   echo ERROR: Please only register unencrypted files.
   exit 1
 fi
@@ -34,13 +34,13 @@ encrypt_file "$unencrypted_file" "$encrypted_file"
 add_filename_to_cryptlist "$unencrypted_file"
 
 # Is the unencrypted file already in HG? (ie. are we correcting a bad situation)
-SECRETSEXPOSED=$(is_in_vcs ${unencrypted_file})
+SECRETSEXPOSED=$(is_in_vcs "${unencrypted_file}")
 echo "========== CREATED: ${encrypted_file}"
 echo "========== UPDATING REPO:"
 shred_file "$unencrypted_file"
 
 VCSCMD=$(which_vcs)
-if $SECRETSEXPOSED ; then
+if "$SECRETSEXPOSED" ; then
   vcs_remove "$unencrypted_file"
   vcs_add "$encrypted_file"
   COMMIT_FILES="$BB_FILES $encrypted_file $unencrypted_file"

bin/blackbox_removeadmin

@@ -11,13 +11,13 @@
 
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
-source ${blackbox_home}/_stack_lib.sh
+source "${blackbox_home}/_blackbox_common.sh"
+source "${blackbox_home}/_stack_lib.sh"
 
 fail_if_not_in_repo
 
 KEYNAME="$1"
-: ${KEYNAME:?ERROR: First argument must be a keyname (email address)} ;
+: "${KEYNAME:?ERROR: First argument must be a keyname (email address)}" ;
 
 # Remove the email address from the BB_ADMINS file.
 make_self_deleting_tempfile bbtemp

bin/blackbox_shred_all_files

@@ -17,7 +17,7 @@
 
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 
 change_to_root
 

bin/blackbox_update_all_files

@@ -6,7 +6,7 @@
 
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 
 if [[ -z $GPG_AGENT_INFO ]]; then
   echo 'WARNING: You probably want to run gpg-agent as'
@@ -31,7 +31,7 @@ for i in $(<"$BB_FILES") ; do
     echo "    $unencrypted_file"
   fi
 done
-if $need_warning ; then
+if "$need_warning" ; then
   echo
   echo 'WARNING: This will overwrite any unencrypted files laying about.'
   read -r -p 'Press CTRL-C now to stop. ENTER to continue: '

tools/Portfile.template

@@ -0,0 +1,31 @@
+# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
+# $Id: Portfile 132962 2015-02-16 10:33:02Z ryandesign@macports.org $
+
+PortSystem          1.0
+PortGroup           github 1.0
+
+github.setup        StackExchange blackbox @@VERSION@@ v
+name                vcs_blackbox
+categories          security
+platforms           darwin
+maintainers         whatexit.org:tal openmaintainer
+license             BSD
+supported_archs     noarch
+
+description         Safely store secrets in git/hg/svn repos using GPG encryption
+
+long_description    Storing secrets such as passwords, certificates and private keys \
+                    in Git/Mercurial/SubVersion is dangerous. Blackbox makes it easy \
+                    to store secrets safely using GPG encryption. They can be easily \
+                    decrypted for editing or use in production.
+
+checksums           rmd160  @@RMD160@@ \
+                    sha256  @@SHA256@@
+
+use_configure       no
+
+build               {}
+
+# This project's Makefile uses DESTDIR incorrectly.
+destroot.destdir    DESTDIR=${destroot}${prefix}
+destroot.target     packages-macports

tools/confidence_test.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/../bin
-export PATH=${blackbox_home}:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin
+export PATH="${blackbox_home}:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/local/bin"
 
 . _stack_lib.sh
 
@@ -15,6 +15,25 @@ function PHASE() {
   echo '********************'
 }
 
+function md5sum_file() {
+  # Portably generate the MD5 hash of file $1.
+  case $(uname -s) in
+    Darwin )
+      md5 -r "$1" | awk '{ print $1 }'
+      ;;
+    Linux )
+      md5sum "$1" | awk '{ print $1 }'
+      ;;
+    CYGWIN* )
+      md5sum "$1" | awk '{ print $1 }'
+      ;;
+    * )
+      echo 'ERROR: Unknown OS. Exiting.'
+      exit 1
+      ;;
+  esac
+}
+
 function assert_file_missing() {
   if [[ -e "$1" ]]; then
     echo "ASSERT FAILED: ${1} should not exist."
@@ -36,7 +55,7 @@ function assert_file_md5hash() {
   local file="$1"
   local wanted="$2"
   assert_file_exists "$file"
-  local found=$(md5sum <"$file" | cut -d' ' -f1 )
+  local found=$(md5sum_file "$file")
   if [[ "$wanted" != "$found" ]]; then
     echo "ASSERT FAILED: $file hash wanted=$wanted found=$found"
     exit 1
@@ -54,7 +73,7 @@ function assert_file_group() {
       ;;
   esac
 
-  local found=$(ls -l "$file" | awk '{ print $4 }')
+  local found=$(ls -lg "$file" | awk '{ print $3 }')
   # NB(tlim): We could do this with 'stat' but it would break on BSD-style OSs.
   if [[ "$wanted" != "$found" ]]; then
     echo "ASSERT FAILED: $file chgrp wanted=$wanted found=$found"
@@ -96,7 +115,7 @@ eval $(gpg-agent --homedir "$fake_alice_home" --daemon)
 GPG_AGENT_INFO_ALICE="$GPG_AGENT_INFO"
 
 export GNUPGHOME="$fake_bob_home"
-eval $(gpg-agent --homedir "$fake_alice_home" --daemon)
+eval $(gpg-agent --homedir "$fake_bob_home" --daemon)
 GPG_AGENT_INFO_BOB="$GPG_AGENT_INFO"
 
 function become_alice() {
@@ -108,8 +127,8 @@ function become_alice() {
 }
 
 function become_bob() {
-  export GNUPGHOME="$fake_alice_home"
-  export GPG_AGENT_INFO="$GPG_AGENT_INFO_ALICE"
+  export GNUPGHOME="$fake_bob_home"
+  export GPG_AGENT_INFO="$GPG_AGENT_INFO_BOB"
   git config --global user.name "Bob Example"
   git config --global user.email bob@example.com
 }
@@ -217,12 +236,14 @@ PHASE 'Bob makes sure he has all new keys.'
 gpg --import keyrings/live/pubring.gpg
 
 # Pick a GID to use:
+# This users's default group:
+DEFAULT_GID_NAME=$(id -gn)
+# Pick a group that is not the default group:
 TEST_GID_NUM=$(id -G | fmt -1 | tail -n +2 | grep -xv $(id -u) | head -n 1)
-TEST_GID_NAME=$(getent group "$TEST_GID_NUM" | cut -d: -f1)
-DEFAULT_GID_NAME=$(getent group $(id -u) | cut -d: -f1)
+TEST_GID_NAME=$(python -c 'import grp; print grp.getgrgid('"$TEST_GID_NUM"').gr_name')
+echo DEFAULT_GID_NAME=$DEFAULT_GID_NAME
 echo TEST_GID_NUM=$TEST_GID_NUM
 echo TEST_GID_NAME=$TEST_GID_NAME
-echo DEFAULT_GID_NAME=$DEFAULT_GID_NAME
 
 PHASE 'Bob postdeploys... default.'
 blackbox_postdeploy

tools/macports_report_upgrade.sh

@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+
+# Turn the Portfile.template into a Portfile.
+# Usage:
+#   mk_portfile.sh TEMPLATE OUTPUTFILE VERSION
+
+set -e
+blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source ${blackbox_home}/../bin/_stack_lib.sh
+
+TEMPLATEFILE=tools/Portfile.template
+OUTPUTFILE=Portfile
+PORTVERSION=${1?"Arg 1 must be a version number like 1.20150222 (with no v)"} ; shift
+
+# Add the version number to the template.
+sed <"$TEMPLATEFILE" >"$OUTPUTFILE" -e 's/@@VERSION@@/'"$PORTVERSION"'/g'
+
+# Test it. Record the failure in $checksumout
+fgrep >/dev/null -x 'file:///var/tmp/ports' /opt/local/etc/macports/sources.conf || sudo sed -i -e '1s@^@file:///var/tmp/ports\'$'\n@' /opt/local/etc/macports/sources.conf
+rm -rf /var/tmp/ports
+mkdir -p /var/tmp/ports/security/vcs_blackbox
+cp Portfile /var/tmp/ports/security/vcs_blackbox
+( cd /var/tmp/ports && sudo portindex )
+make_self_deleting_tempfile checksumout
+set +e
+sudo port -v checksum vcs_blackbox > "$checksumout" 2>/dev/null
+ret=$?
+
+# If it failed, grab the checksums. Then re-process the template with them.
+if [[ $ret != 0 ]]; then
+  RMD160=$(awk <"$checksumout" '/^Distfile checksum: .*rmd160/ { print $NF }')
+  SHA256=$(awk <"$checksumout" '/^Distfile checksum: .*sha256/ { print $NF }')
+  echo RMD160=$RMD160
+  echo SHA256=$SHA256
+  echo
+  if [[ $RMD160 != '' && $SHA256 != '' ]]; then
+    sed <"$TEMPLATEFILE" >"$OUTPUTFILE" -e 's/@@VERSION@@/'"$PORTVERSION"'/g' -e 's/@@RMD160@@/'"$RMD160"'/g' -e 's/@@SHA256@@/'"$SHA256"'/g'
+    cp Portfile /var/tmp/ports/security/vcs_blackbox
+    ( cd /var/tmp/ports && sudo portindex )
+    sudo port -v checksum vcs_blackbox
+  fi
+fi
+
+# Generate the diff
+cp /opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/security/vcs_blackbox/Portfile /var/tmp/ports/security/vcs_blackbox/Portfile.orig
+( cd /var/tmp/ports/security/vcs_blackbox && diff -u Portfile.orig Portfile ) > Portfile-vcs_blackbox.diff
+open -R Portfile-vcs_blackbox.diff
+
+echo
+echo 'portfile is in:'
+echo '                /var/tmp/ports/security/vcs_blackbox/Portfile'
+echo 'cleanup:'
+echo '                sudo vi /opt/local/etc/macports/sources.conf'
+
+echo "
+PLEASE OPEN A TICKET WITH THIS INFORMATION:
+    https://trac.macports.org/newticket
+    Summary: vcs_blackbox @$PORTVERSION Update to latest upstream
+    Description: 
+New upstream of vcs_blackbox.
+github.setup and checksums updated.
+    Type: update
+    Component: ports
+    Port: vcs_blackbox
+    Keywords: maintainer
+"
+echo 'Attach: Portfile-vcs_blackbox.diff'

tools/mk_deb_fpmdir

@@ -0,0 +1,76 @@
+#! /usr/bin/env bash
+
+# Use fpm to package up files into a DEB .
+
+# Usage:
+#   mk_deb_fpmdir PACKAGENAME MANIFEST1 MANIFEST2 ...
+
+# Example:
+#   Make a package foopkg manifest.txt
+# Where "manifest.txt" contains:
+#   exec /usr/bin/stack_makefqdn  misc/stack_makefqdn.py
+#   exec /usr/bin/bar             bar/bar.sh
+#   read /usr/man/man1/bar.1      bar/bar.1.man
+#   0444 /etc/foo.conf            bar/foo.conf
+
+set -e
+
+# Parameters for this DEB:
+PACKAGENAME=${1?"First arg must be the package name."}
+shift
+
+# Defaults that can be overridden:
+# All packages are 1.0 unless otherwise specifed:
+: ${PKGVERSION:=1.0} ;
+# If there is no iteration setting, assume "1":
+: ${PKGRELEASE:=1}
+# If there is no epoch, assume 0
+: ${PKGEPOCH:=0}
+
+# The DEB is output here: (should be a place that can be wiped)
+OUTPUTDIR="${HOME}/debbuild-$PACKAGENAME"
+# The TeamCity templates expect to find the list of artifacts here:
+DEB_BIN_LIST="${OUTPUTDIR}/bin-packages.txt"
+
+# -- Now the real work can be done.
+
+# Clean the output dir.
+rm -rf "$OUTPUTDIR"
+mkdir -p "$OUTPUTDIR/installroot"
+
+# Copy the files into place:
+set -o pipefail  # Error out if any manifest is not found.
+cat """$@""" | while read -a arr ; do
+  PERM="${arr[0]}"
+  case $PERM in
+    \#*)  continue ;;   # Skip comments.
+    exec) PERM=0755 ;;
+    read) PERM=0744 ;;
+    *) ;;
+  esac
+  DST="$OUTPUTDIR/installroot/${arr[1]}"
+  SRC="${arr[2]}"
+  if [[ $SRC == "cmd/"* || $SRC == *"/cmd/"* ]]; then
+    ( cd $(dirname "$SRC" ) && go build -a -v ) 
+  fi
+  install -D -T -b -m "$PERM" -T "$SRC" "$DST"
+done
+
+# Build the DEB:
+cd "$OUTPUTDIR" && fpm -s dir -t deb \
+  -a x86_64 \
+  -n "${PACKAGENAME}" \
+  --epoch "${PKGEPOCH}" \
+  --version "${PKGVERSION}" \
+  --iteration "${PKGRELEASE}" \
+  ${PKGDESCRIPTION:+ --description="${PKGDESCRIPTION}"} \
+  ${PKGVENDOR:+ --vendor="${PKGVENDOR}"} \
+  -C "$OUTPUTDIR/installroot" \
+  .
+
+# TeamCity templates for DEBS expect to find
+# the list of all packages created in bin-packages.txt.
+# Generate that list:
+find "$OUTPUTDIR" -maxdepth 1 -name '*.deb' >"$DEB_BIN_LIST"
+# Output it for debugging purposes:
+cat "$DEB_BIN_LIST"

tools/mk_deb_fpmdir.stack_blackbox.txt

@@ -0,0 +1,14 @@
+exec /usr/bin/_blackbox_common.sh       ../bin/_blackbox_common.sh
+exec /usr/bin/_stack_lib.sh             ../bin/_stack_lib.sh
+exec /usr/bin/blackbox_addadmin         ../bin/blackbox_addadmin
+exec /usr/bin/blackbox_cat              ../bin/blackbox_cat
+exec /usr/bin/blackbox_edit             ../bin/blackbox_edit
+exec /usr/bin/blackbox_edit_end         ../bin/blackbox_edit_end
+exec /usr/bin/blackbox_edit_start       ../bin/blackbox_edit_start
+exec /usr/bin/blackbox_initialize       ../bin/blackbox_initialize
+exec /usr/bin/blackbox_postdeploy       ../bin/blackbox_postdeploy
+exec /usr/bin/blackbox_register_new_file ../bin/blackbox_register_new_file
+exec /usr/bin/blackbox_removeadmin      ../bin/blackbox_removeadmin
+exec /usr/bin/blackbox_shred_all_files  ../bin/blackbox_shred_all_files
+exec /usr/bin/blackbox_update_all_files ../bin/blackbox_update_all_files
+exec /usr/bin/blackbox_list_files       ../bin/blackbox_list_files