Remove irrelevant error check

adding rudimentary debian package building support

Makefile

@@ -1,12 +1,12 @@
 SHELL=/bin/sh
-BIN=tools
 
 PKGNAME=stack_blackbox
 
 all:
 	@echo 'Menu:'
 	@echo '  make packages          Make RPM packages'
-	@echo '  make install           (incomplete)
+	@echo '  make packages-deb      Make DEB packages'
+	@echo '  make install           (incomplete)'
 
 install:
 	@echo 'To install, copy the files from bin to somewhere in your PATH.'
@@ -15,12 +15,31 @@ install:
 # The default package type is RPM.
 packages: packages-rpm
 
+#
+# MacPorts builds
+#
+# To test:
+# rm -rf /tmp/foo ; mkdir -p /tmp/foo;make packages-macports DESTDIR=/tmp/foo;find /tmp/foo -ls
+
+# Make mk_macports.vcs_blackbox.txt from mk_rpm_fpmdir.stack_blackbox.txt:
+tools/mk_macports.vcs_blackbox.txt: tools/mk_rpm_fpmdir.stack_blackbox.txt
+	sed -e 's@/usr/blackbox/bin/@bin/@g' -e '/profile.d-usrblackbox.sh/d' <tools/mk_rpm_fpmdir.stack_blackbox.txt >$@
+
+# Make mk_deb_fpmdir.vcs_blackbox.txt from mk_rpm_fpmdir.stack_blackbox.txt:
+tools/mk_deb_fpmdir.stack_blackbox.txt: tools/mk_rpm_fpmdir.stack_blackbox.txt
+	sed -e 's@/usr/blackbox/bin/@/usr/bin/@g' -e '/profile.d-usrblackbox.sh/d' <tools/mk_deb_fpmdir.stack_blackbox.txt >$@
+
+# MacPorts expects to run: make packages-macports DESTDIR=${destroot}
+packages-macports: tools/mk_macports.vcs_blackbox.txt
+	mkdir -p $(DESTDIR)/bin
+	cd tools && ./mk_macports mk_macports.vcs_blackbox.txt
+
 #
 # RPM builds
 #
 
 packages-rpm:
-	PKGRELEASE="$${PKGRELEASE}" $(BIN)/build_rpm.sh stack_blackbox tools/rpm_filelist.txt
+	cd tools && PKGRELEASE="$${PKGRELEASE}" PKGDESCRIPTION="Safely store secrets in git/hg/svn repos using GPG encryption" ./mk_rpm_fpmdir stack_blackbox mk_rpm_fpmdir.stack_blackbox.txt
 
 packages-rpm-debug:
 	@echo BUILD:
@@ -41,16 +60,35 @@ lock-rpm:
 unlock-rpm:
 	sudo yum versionlock clear
 
+#
+# DEB builds
+#
+
+packages-deb:	tools/mk_deb_fpmdir.stack_blackbox.txt
+	cd tools && PKGRELEASE="$${PKGRELEASE}" PKGDESCRIPTION="Safely store secrets in git/hg/svn repos using GPG encryption" ./mk_deb_fpmdir stack_blackbox mk_deb_fpmdir.stack_blackbox.txt
+
+packages-deb-debug:	tools/mk_deb_fpmdir.stack_blackbox.txt
+	@echo BUILD:
+	@PKGRELEASE=99 make packages-deb
+	@echo ITEMS TO BE PACKAGED:
+	find ~/debbuild-$(PKGNAME)/installroot -type f
+	@echo ITEMS ACTUALLY IN PACKAGE:
+	@dpkg --contents $$(cat ~/debbuild-$(PKGNAME)/bin-packages.txt)
+
+local-deb:
+	@PKGRELEASE=1 make packages
+	-@sudo dpkg -e $(PKGNAME)
+	sudo dpkg -i $$(cat ~/rpmbuild-$(PKGNAME)/bin-packages.txt)
+
 # Add other package types here.
 
 #
 # System Test:
 #
-
 confidence:
-	@if [[ -e ~/.gnupg ]]; then echo ERROR: '~/.gnupg should not exist. If it does, bugs may polute your .gnupg configuration. If the code has no bugs everything will be fine. Do you feel lucky?'; false ; fi
+	@if [ -e ~/.gnupg ]; then echo ERROR: '~/.gnupg should not exist. If it does, bugs may polute your .gnupg configuration. If the code has no bugs everything will be fine. Do you feel lucky?'; false ; fi
 	@if which >/dev/null gpg-agent ; then pkill gpg-agent ; rm -rf /tmp/tmp.* ; fi
-	@export PATH=~/gitwork/blackbox/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin ; 
+	@export PATH=~/gitwork/blackbox/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/local/bin ; tools/confidence_test.sh
 		cd ~/gitwork/blackbox && tools/confidence_test.sh
 	@if which >/dev/null gpg-agent ; then pkill gpg-agent ; fi
-	@if [[ -e ~/.gnupg ]]; then echo ERROR: '~/.gnupg was created which means the scripts might be poluting GnuPG configuration.  Fix this bug.'; false ; fi
+	@if [ -e ~/.gnupg ]; then echo ERROR: '~/.gnupg was created which means the scripts might be poluting GnuPG configuration.  Fix this bug.'; false ; fi

README.md

@@ -74,6 +74,34 @@ exception of a few specific files, is key to the kind of
 collaboration that DevOps and modern IT practitioniers
 need to do.
 
+Installation Instructions:
+==========================
+
+  * *The RPM way*: `make packages-rpm` and now you have an RPM you can install.
+  * *The MacPorts Way*: `sudo port install vcs_blackbox`
+  * *The hard way*: Copy all the files in "bin" to your "bin".
+  * *The Antigen Way*: Add `antigen bundle StackExchange/blackbox` to your .zshrc
+  * *The Zgen Way*: Add `zgen load StackExchange/blackbox` to your .zshrc where you're loading your other plugins.
+
+
+Commands:
+============================
+
+
+| Name: | Description: |
+| --- | --- |
+| `blackbox_addadmin` | Add someone to the list of people that can encrypt/decrypt secrets |
+| `blackbox_cat` | Decrypt and view the contents of a file |
+| `blackbox_edit` | Decrypt, run $EDITOR, re-encrypt a file |
+| `blackbox_edit_start` | Decrypt a file so it can be updated |
+| `blackbox_edit_end` | Encrypt a file after blackbox_edit_start was used |
+| `blackbox_initialize` | Enable blackbox for a GIT or HG repo |
+| `blackbox_postdeploy` | Decrypt all managed files |
+| `blackbox_register_new_file` | Encrypt a file for the first time |
+| `blackbox_removeadmin` | Remove someone from the list of people that can encrypt/decrypt secrets |
+| `blackbox_shred_all_files` | Safely delete any decrypted files |
+| `blackbox_update_all_files` | Decrypt then re-encrypt all files. Useful after keys are changed |
+
 Compatibility:
 ============================
 
@@ -87,7 +115,7 @@ It has been tested to work with many operating systems.
   * `hg` -- Mercurial
   * `svn` -- SubVersion (Thanks, Ben Drasin!)
 * Operating system
-  * CentOS
+  * CentOS / RedHat
   * MacOS X
   * Cygwin (Thanks, Ben Drasin!)
 

RELEASE_ENGINEERING.TXT

@@ -0,0 +1,119 @@
+# Branches and Tags:
+
+There are 3 branches/tags:
+
+* **HEAD:** The cutting edge of development.
+* **tag stable:** Stable enough for use by most people.
+* **tag production:** Burned in long enough that we are confident it can be widely adopted.
+
+If you are packaging Blackbox for distribution, you should track the *tag production*.  You might also want to provide a separate package that tracks *tag stable:* for early adopters.
+
+# Build Tasks
+
+# Stable Releases
+
+Marking the software to be "stable":
+
+Step 1. Tag it.
+
+```
+git pull
+git tag -d stable
+git push origin :stable
+git tag stable
+git push origin tag stable
+```
+
+Step 2. Mark your calendar 1 week from today to check
+to see if this should be promoted to production.
+
+
+# Production Releases
+
+If no bugs have been reported a full week after a stable tag has been pushed, mark the release to be "production".
+
+```
+git fetch
+git checkout stable
+git tag -d production
+git push origin :production
+git tag production
+git push origin tag production
+R="v1.$(date +%Y%m%d)"
+git tag "$R"
+git push origin tag "$R"
+```
+
+# Updating MacPorts (automatic)
+
+Step 1: Generate the Portfile
+
+```
+tools/macports_report_upgrade.sh  1.20150222
+```
+
+This script will generate a file called `Portfile-vcs_blackbox.diff` and instructions on how to submit it as a update request.
+
+Step 2: Submit the update request.
+
+Submit the diff file as a bug as instructed. The instructions should look like this:
+
+* PLEASE OPEN A TICKET WITH THIS INFORMATION:
+    https://trac.macports.org/newticket
+* Summary: `vcs_blackbox @1.20150222 Update to latest upstream`
+* Description: ```New upstream of vcs_blackbox.
+github.setup and checksums updated.```
+* Type: `update`
+* Component: `ports`
+* Port: `vcs_blackbox`
+* Keywords: `maintainer`
+* Attach this file: `Portfile-vcs_blackbox.diff`
+
+Step 3: Watch for the update to happen.
+
+# Updating MacPorts (manual)
+
+This is the old, manual, procedure.  If the automated procedure work, these notes may or may not be helpful.
+
+The ultimate result of the script should be a `diff -u Portfile.orig Portfile`.  The new `Portfile` should have these changes:
+
+1. The `github.setup` line should have a new version number.
+2. The `checksums` line(s) should have updated checksums.
+
+How to generate the checksums?
+
+The easiest way is to to make a Portfile with incorrect checksums, then run `sudo port -v checksum vcs_blackbox` to see what they should have been.  Fix the file, and try again.
+
+When the the checksum command works, run `port lint vcs_blackbox` and make sure it has no errors.
+
+Some useful commands:
+
+Change repos in sources.conf:
+```
+sudo vi /opt/local/etc/macports/sources.conf
+  Add this line early in the file:
+  file:///var/tmp/ports
+```
+
+Add a local repo in an automated manner:
+```
+fgrep >/dev/null -x 'file:///var/tmp/ports' /opt/local/etc/macports/sources.conf || sudo sed -i -e '1s@^@file:///var/tmp/ports\'$'\n@' /opt/local/etc/macports/sources.conf
+```
+
+Remove the local repo in an automated manner:
+```
+sudo sed -i -e '\@^file:///var/tmp/ports@d' /opt/local/etc/macports/sources.conf
+```
+
+Test a Portfile:
+``` 
+sudo port uninstall vcs_blackbox
+sudo port clean --all vcs_blackbox
+rm -rf ~/.macports/opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/security/vcs_blackbox/
+rm -rf /var/tmp/ports
+mkdir -p /var/tmp/ports/security/vcs_blackbox
+cp Portfile /var/tmp/ports/security/vcs_blackbox
+cd /var/tmp/ports && portindex
+sudo port -v checksum vcs_blackbox
+sudo port install vcs_blackbox
+```

bin/_blackbox_common.sh

@@ -10,7 +10,12 @@
 #   . _blackbox_common.sh
 
 # Where in the VCS repo should the blackbox data be found?
-: ${BLACKBOXDATA:=keyrings/live} ;   # If BLACKBOXDATA not set, set it.
+: "${BLACKBOXDATA:=keyrings/live}" ;   # If BLACKBOXDATA not set, set it.
+
+
+# If $EDITOR is not set, set it to "vi":
+: "${EDITOR:=vi}" ;
+
 
 # Outputs a string that is the base directory of this VCS repo.
 # By side-effect, sets the variable VCS_TYPE to either 'git', 'hg',
@@ -22,19 +27,19 @@ function _determine_vcs_base_and_type() {
     #find topmost dir with .svn sub-dir
     parent=""
     grandparent="."
-    mydir=`pwd`
+    mydir=$(pwd)
     while [ -d "$grandparent/.svn" ]; do
       parent=$grandparent
       grandparent="$parent/.."
     done
 
     if [ ! -z "$parent" ]; then
-      cd $parent
-      echo `pwd`
+      cd "$parent"
+      echo "$(pwd)"
     else
       exit 1
     fi
-    cd $mydir
+    cd "$mydir"
     VCS_TYPE=svn
   elif hg root 2>/dev/null ; then
     # NOTE: hg has to be tested last because it always "succeeds".
@@ -56,7 +61,8 @@ BB_FILES_FILE="blackbox-files.txt"
 BB_FILES="${KEYRINGDIR}/${BB_FILES_FILE}"
 SECRING="${KEYRINGDIR}/secring.gpg"
 PUBRING="${KEYRINGDIR}/pubring.gpg"
-: ${DECRYPT_UMASK:=o=} ;
+: "${DECRYPT_UMASK:=0022}" ;
+# : ${DECRYPT_UMASK:=o=} ;
 
 # Return error if not on cryptlist.
 function is_on_cryptlist() {
@@ -178,9 +184,9 @@ function decrypt_file() {
   echo "========== EXTRACTING $unencrypted"
 
   old_umask=$(umask)
-  umask $DECRYPT_UMASK
+  umask "$DECRYPT_UMASK"
   gpg -q --decrypt -o "$unencrypted" "$encrypted"
-  umask $old_umask
+  umask "$old_umask"
 }
 
 # Decrypt .gpg file, overwriting unencrypted file if it exists.
@@ -200,12 +206,12 @@ function decrypt_file_overwrite() {
   fi
 
   old_umask=$(umask)
-  umask $DECRYPT_UMASK
+  umask "$DECRYPT_UMASK"
   gpg --yes -q --decrypt -o "$unencrypted" "$encrypted"
-  umask $old_umask
+  umask "$old_umask"
 
   new_hash=$(md5sum_file "$unencrypted")
-  if [[ $old_hash != $new_hash ]]; then
+  if [[ "$old_hash" != "$new_hash" ]]; then
     echo "========== EXTRACTED $unencrypted"
   fi
 }
@@ -244,8 +250,8 @@ function enumerate_subdirs() {
   while read filename; do
     dir=$(dirname "$filename")
     while [[ $dir != '.' && $dir != '/' ]]; do
-      echo $dir
-      dir=$(dirname $dir)
+      echo "$dir"
+      dir=$(dirname "$dir")
     done
   done <"$listfile" | sort -u
 }
@@ -254,7 +260,7 @@ function enumerate_subdirs() {
 function vcs_relative_path() {
   # Usage: vcs_relative_path file
   local name="$1"
-  python -c 'import os ; print(os.path.relpath("'$(pwd -P)'/'"$name"'", "'"$REPOBASE"'"))'
+  python -c 'import os ; print(os.path.relpath("'"$(pwd -P)"'/'"$name"'", "'"$REPOBASE"'"))'
 }
 
 #

bin/_stack_lib.sh

@@ -79,7 +79,7 @@ function make_tempdir() {
 
   case $(uname -s) in
     Darwin )
-      : ${TMPDIR:=/tmp} ;
+      : "${TMPDIR:=/tmp}" ;
       name=$(mktemp -d -t _stacklib_ )
       ;;
     Linux )

bin/blackbox_addadmin

@@ -16,17 +16,7 @@ source ${blackbox_home}/_stack_lib.sh
 fail_if_not_in_repo
 
 KEYNAME="$1"
-: ${KEYNAME:?ERROR: First argument must be a keyname (email address)} ;
-
-# The second argument, if present, is the directory to find the GPG keys to be imported.
-if [[ "$2" == "" ]]; then
-  GPGEXPORTOPTIONS=""
-else
-  GPGEXPORTOPTIONS=--homedir="${2}"
-fi
-# TODO(tlim): This could probably be done with GNUPGHOME
-# but that affects all commands; we just want it to affect the key export.
-
+: "${KEYNAME:?ERROR: First argument must be a keyname (email address)}" ;
 
 # Add the email address to the BB_ADMINS file.  Remove any duplicates.
 # The file must exist for sort to act as we expect.
@@ -38,7 +28,16 @@ sort  -fdu -o "$BB_ADMINS" <(echo "$1") "$BB_ADMINS"
 
 # Extract it:
 make_self_deleting_tempfile pubkeyfile
-gpg $GPGEXPORTOPTIONS --export -a "$KEYNAME" >"$pubkeyfile"
+
+# The second argument, if present, is the directory to find the GPG keys to be imported.
+if [[ -z $2 ]]; then
+  gpg --export -a "$KEYNAME" >"$pubkeyfile"
+else
+  # TODO(tlim): This could probably be done with GNUPGHOME
+  # but that affects all commands; we just want it to affect the key export.
+  gpg --homedir="$2" --export -a "$KEYNAME" >"$pubkeyfile"
+fi
+
 if [[ $(wc -l < "$pubkeyfile") = 0 ]]; then
   fail_out "GPG key '$KEYNAME' not found.  Please create it with: gpg --gen-key"
   exit 1

bin/blackbox_cat

@@ -5,7 +5,7 @@
 #
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 
 for param in """$@""" ; do
   shreddable=0

bin/blackbox_edit

@@ -5,7 +5,7 @@
 #
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 
 for param in """$@""" ; do
   unencrypted_file=$(get_unencrypted_filename "$param")
@@ -22,6 +22,6 @@ for param in """$@""" ; do
     esac
   fi
   blackbox_edit_start "$param"
-  $EDITOR $(get_unencrypted_filename $param)
+  "$EDITOR" "$(get_unencrypted_filename "$param")"
   blackbox_edit_end "$param"
 done

bin/blackbox_edit_end

@@ -6,7 +6,7 @@
 
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 
 unencrypted_file=$(get_unencrypted_filename "$1")
 encrypted_file=$(get_encrypted_filename "$1")

bin/blackbox_edit_start

@@ -6,7 +6,7 @@
 
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 
 for param in """$@""" ; do
   unencrypted_file=$(get_unencrypted_filename "$param")

bin/blackbox_initialize

@@ -10,7 +10,7 @@
 
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 
 _determine_vcs_base_and_type  # Sets VCS_TYPE
 

bin/blackbox_list_files

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+#
+# blackbox_list_files.sh -- List files that black box is tracking
+#
+set -e
+blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source "${blackbox_home}/_blackbox_common.sh"
+cat "$BB_FILES"

bin/blackbox_postdeploy

@@ -15,7 +15,7 @@ export PATH=/usr/bin:/bin:"$PATH"
 
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 
 if [[ "$1" == "" ]]; then
   FILE_GROUP=""
@@ -33,7 +33,7 @@ while IFS= read <&99 -r unencrypted_file; do
   decrypt_file_overwrite "$encrypted_file" "$unencrypted_file"
   chmod g+r "$unencrypted_file"
   if [[ ! -z "$FILE_GROUP" ]]; then
-    chgrp $FILE_GROUP "$unencrypted_file"
+    chgrp "$FILE_GROUP" "$unencrypted_file"
   fi
 done 99<"$BB_FILES"
 echo '========== Decrypting new/changed files: DONE'

bin/blackbox_register_new_file

@@ -12,13 +12,13 @@
 
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 _determine_vcs_base_and_type
 
 unencrypted_file=$(get_unencrypted_filename "$1")
 encrypted_file=$(get_encrypted_filename "$1")
 
-if [[ $1 == $encrypted_file ]]; then
+if [[ "$1" == "$encrypted_file" ]]; then
   echo ERROR: Please only register unencrypted files.
   exit 1
 fi
@@ -34,18 +34,20 @@ encrypt_file "$unencrypted_file" "$encrypted_file"
 add_filename_to_cryptlist "$unencrypted_file"
 
 # Is the unencrypted file already in HG? (ie. are we correcting a bad situation)
-SECRETSEXPOSED=$(is_in_vcs ${unencrypted_file})
+SECRETSEXPOSED=$(is_in_vcs "${unencrypted_file}")
 echo "========== CREATED: ${encrypted_file}"
 echo "========== UPDATING REPO:"
 shred_file "$unencrypted_file"
 
 VCSCMD=$(which_vcs)
-if $SECRETSEXPOSED ; then
+if "$SECRETSEXPOSED" ; then
   vcs_remove "$unencrypted_file"
   vcs_add "$encrypted_file"
   COMMIT_FILES="$BB_FILES $encrypted_file $unencrypted_file"
 else
   COMMIT_FILES="$BB_FILES $encrypted_file"
+  # FIXME(tal): This should be an array so that filenames with
+  # spaces aren't a problem.
 fi
 
 # TODO(tlim): This should be moved to _blackbox_common.sh in a
@@ -61,7 +63,7 @@ if [[ $VCS_TYPE = 'git' ]]; then
 fi
 
 echo 'NOTE: "already tracked!" messages are safe to ignore.'
-vcs_add $BB_FILES $encrypted_file
+vcs_add "$BB_FILES" $encrypted_file
 vcs_commit "registered in blackbox: ${unencrypted_file}" $COMMIT_FILES
 echo "========== UPDATING VCS: DONE"
 echo "Local repo updated.  Please push when ready."

bin/blackbox_removeadmin

@@ -11,13 +11,13 @@
 
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
-source ${blackbox_home}/_stack_lib.sh
+source "${blackbox_home}/_blackbox_common.sh"
+source "${blackbox_home}/_stack_lib.sh"
 
 fail_if_not_in_repo
 
 KEYNAME="$1"
-: ${KEYNAME:?ERROR: First argument must be a keyname (email address)} ;
+: "${KEYNAME:?ERROR: First argument must be a keyname (email address)}" ;
 
 # Remove the email address from the BB_ADMINS file.
 make_self_deleting_tempfile bbtemp

bin/blackbox_shred_all_files

@@ -17,12 +17,12 @@
 
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 
 change_to_root
 
 echo '========== FILES BEING SHREDDED:'
-for i in $(<$BB_FILES) ; do
+for i in $(<"$BB_FILES") ; do
   unencrypted_file=$(get_unencrypted_filename "$i")
   encrypted_file=$(get_encrypted_filename "$i")
   if [[ -f "$unencrypted_file" ]]; then

bin/blackbox_update_all_files

@@ -1,12 +1,12 @@
 #!/usr/bin/env bash
 
 #
-# blackbox_update_all_files -- Re-encrypt file after edits.
+# blackbox_update_all_files -- Decrypt then re-encrypt all files. Useful after keys are changed.
 #
 
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-source ${blackbox_home}/_blackbox_common.sh
+source "${blackbox_home}/_blackbox_common.sh"
 
 if [[ -z $GPG_AGENT_INFO ]]; then
   echo 'WARNING: You probably want to run gpg-agent as'
@@ -23,7 +23,7 @@ awk <"$BB_FILES" '{ print "    " $1 ".gpg" }'
 
 echo '========== FILES IN THE WAY:'
 need_warning=false
-for i in $(<$BB_FILES) ; do
+for i in $(<"$BB_FILES") ; do
   unencrypted_file=$(get_unencrypted_filename "$i")
   encrypted_file=$(get_encrypted_filename "$i")
   if [[ -f "$unencrypted_file" ]]; then
@@ -31,7 +31,7 @@ for i in $(<$BB_FILES) ; do
     echo "    $unencrypted_file"
   fi
 done
-if $need_warning ; then
+if "$need_warning" ; then
   echo
   echo 'WARNING: This will overwrite any unencrypted files laying about.'
   read -r -p 'Press CTRL-C now to stop. ENTER to continue: '
@@ -40,7 +40,7 @@ else
 fi
 
 echo '========== RE-ENCRYPTING FILES:'
-for i in $(<$BB_FILES) ; do
+for i in $(<"$BB_FILES") ; do
   unencrypted_file=$(get_unencrypted_filename "$i")
   encrypted_file=$(get_encrypted_filename "$i")
   echo ========== PROCESSING "$unencrypted_file"
@@ -53,7 +53,7 @@ done
 fail_if_keychain_has_secrets
 
 echo '========== COMMITING TO VCS:'
-vcs_commit 'Re-encrypted keys' $(awk <$BB_FILES '{ print $1 ".gpg" }' )
+vcs_commit 'Re-encrypted keys' $(awk <"$BB_FILES" '{ print $1 ".gpg" }' )
 
 VCSCMD=$(which_vcs)
 echo '========== DONE.'

tools/Portfile.template

@@ -0,0 +1,31 @@
+# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
+# $Id: Portfile 132962 2015-02-16 10:33:02Z ryandesign@macports.org $
+
+PortSystem          1.0
+PortGroup           github 1.0
+
+github.setup        StackExchange blackbox @@VERSION@@ v
+name                vcs_blackbox
+categories          security
+platforms           darwin
+maintainers         whatexit.org:tal openmaintainer
+license             BSD
+supported_archs     noarch
+
+description         Safely store secrets in git/hg/svn repos using GPG encryption
+
+long_description    Storing secrets such as passwords, certificates and private keys \
+                    in Git/Mercurial/SubVersion is dangerous. Blackbox makes it easy \
+                    to store secrets safely using GPG encryption. They can be easily \
+                    decrypted for editing or use in production.
+
+checksums           rmd160  @@RMD160@@ \
+                    sha256  @@SHA256@@
+
+use_configure       no
+
+build               {}
+
+# This project's Makefile uses DESTDIR incorrectly.
+destroot.destdir    DESTDIR=${destroot}${prefix}
+destroot.target     packages-macports

tools/confidence_test.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/../bin
-export PATH=${blackbox_home}:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin
+export PATH="${blackbox_home}:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/local/bin"
 
 . _stack_lib.sh
 
@@ -15,6 +15,25 @@ function PHASE() {
   echo '********************'
 }
 
+function md5sum_file() {
+  # Portably generate the MD5 hash of file $1.
+  case $(uname -s) in
+    Darwin )
+      md5 -r "$1" | awk '{ print $1 }'
+      ;;
+    Linux )
+      md5sum "$1" | awk '{ print $1 }'
+      ;;
+    CYGWIN* )
+      md5sum "$1" | awk '{ print $1 }'
+      ;;
+    * )
+      echo 'ERROR: Unknown OS. Exiting.'
+      exit 1
+      ;;
+  esac
+}
+
 function assert_file_missing() {
   if [[ -e "$1" ]]; then
     echo "ASSERT FAILED: ${1} should not exist."
@@ -36,7 +55,7 @@ function assert_file_md5hash() {
   local file="$1"
   local wanted="$2"
   assert_file_exists "$file"
-  local found=$(md5sum <"$file" | cut -d' ' -f1 )
+  local found=$(md5sum_file "$file")
   if [[ "$wanted" != "$found" ]]; then
     echo "ASSERT FAILED: $file hash wanted=$wanted found=$found"
     exit 1
@@ -54,7 +73,7 @@ function assert_file_group() {
       ;;
   esac
 
-  local found=$(ls -l "$file" | awk '{ print $4 }')
+  local found=$(ls -lg "$file" | awk '{ print $3 }')
   # NB(tlim): We could do this with 'stat' but it would break on BSD-style OSs.
   if [[ "$wanted" != "$found" ]]; then
     echo "ASSERT FAILED: $file chgrp wanted=$wanted found=$found"
@@ -96,7 +115,7 @@ eval $(gpg-agent --homedir "$fake_alice_home" --daemon)
 GPG_AGENT_INFO_ALICE="$GPG_AGENT_INFO"
 
 export GNUPGHOME="$fake_bob_home"
-eval $(gpg-agent --homedir "$fake_alice_home" --daemon)
+eval $(gpg-agent --homedir "$fake_bob_home" --daemon)
 GPG_AGENT_INFO_BOB="$GPG_AGENT_INFO"
 
 function become_alice() {
@@ -108,8 +127,8 @@ function become_alice() {
 }
 
 function become_bob() {
-  export GNUPGHOME="$fake_alice_home"
-  export GPG_AGENT_INFO="$GPG_AGENT_INFO_ALICE"
+  export GNUPGHOME="$fake_bob_home"
+  export GPG_AGENT_INFO="$GPG_AGENT_INFO_BOB"
   git config --global user.name "Bob Example"
   git config --global user.email bob@example.com
 }
@@ -217,12 +236,14 @@ PHASE 'Bob makes sure he has all new keys.'
 gpg --import keyrings/live/pubring.gpg
 
 # Pick a GID to use:
+# This users's default group:
+DEFAULT_GID_NAME=$(id -gn)
+# Pick a group that is not the default group:
 TEST_GID_NUM=$(id -G | fmt -1 | tail -n +2 | grep -xv $(id -u) | head -n 1)
-TEST_GID_NAME=$(getent group "$TEST_GID_NUM" | cut -d: -f1)
-DEFAULT_GID_NAME=$(getent group $(id -u) | cut -d: -f1)
+TEST_GID_NAME=$(python -c 'import grp; print grp.getgrgid('"$TEST_GID_NUM"').gr_name')
+echo DEFAULT_GID_NAME=$DEFAULT_GID_NAME
 echo TEST_GID_NUM=$TEST_GID_NUM
 echo TEST_GID_NAME=$TEST_GID_NAME
-echo DEFAULT_GID_NAME=$DEFAULT_GID_NAME
 
 PHASE 'Bob postdeploys... default.'
 blackbox_postdeploy

tools/macports_report_upgrade.sh

@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+
+# Turn the Portfile.template into a Portfile.
+# Usage:
+#   mk_portfile.sh TEMPLATE OUTPUTFILE VERSION
+
+set -e
+blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source ${blackbox_home}/../bin/_stack_lib.sh
+
+TEMPLATEFILE=tools/Portfile.template
+OUTPUTFILE=Portfile
+PORTVERSION=${1?"Arg 1 must be a version number like 1.20150222 (with no v)"} ; shift
+
+# Add the version number to the template.
+sed <"$TEMPLATEFILE" >"$OUTPUTFILE" -e 's/@@VERSION@@/'"$PORTVERSION"'/g'
+
+# Test it. Record the failure in $checksumout
+fgrep >/dev/null -x 'file:///var/tmp/ports' /opt/local/etc/macports/sources.conf || sudo sed -i -e '1s@^@file:///var/tmp/ports\'$'\n@' /opt/local/etc/macports/sources.conf
+rm -rf /var/tmp/ports
+mkdir -p /var/tmp/ports/security/vcs_blackbox
+cp Portfile /var/tmp/ports/security/vcs_blackbox
+( cd /var/tmp/ports && sudo portindex )
+make_self_deleting_tempfile checksumout
+set +e
+sudo port -v checksum vcs_blackbox > "$checksumout" 2>/dev/null
+ret=$?
+
+# If it failed, grab the checksums. Then re-process the template with them.
+if [[ $ret != 0 ]]; then
+  RMD160=$(awk <"$checksumout" '/^Distfile checksum: .*rmd160/ { print $NF }')
+  SHA256=$(awk <"$checksumout" '/^Distfile checksum: .*sha256/ { print $NF }')
+  echo RMD160=$RMD160
+  echo SHA256=$SHA256
+  echo
+  if [[ $RMD160 != '' && $SHA256 != '' ]]; then
+    sed <"$TEMPLATEFILE" >"$OUTPUTFILE" -e 's/@@VERSION@@/'"$PORTVERSION"'/g' -e 's/@@RMD160@@/'"$RMD160"'/g' -e 's/@@SHA256@@/'"$SHA256"'/g'
+    cp Portfile /var/tmp/ports/security/vcs_blackbox
+    ( cd /var/tmp/ports && sudo portindex )
+    sudo port -v checksum vcs_blackbox
+  fi
+fi
+
+# Generate the diff
+cp /opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/security/vcs_blackbox/Portfile /var/tmp/ports/security/vcs_blackbox/Portfile.orig
+( cd /var/tmp/ports/security/vcs_blackbox && diff -u Portfile.orig Portfile ) > Portfile-vcs_blackbox.diff
+open -R Portfile-vcs_blackbox.diff
+
+echo
+echo 'portfile is in:'
+echo '                /var/tmp/ports/security/vcs_blackbox/Portfile'
+echo 'cleanup:'
+echo '                sudo vi /opt/local/etc/macports/sources.conf'
+
+echo "
+PLEASE OPEN A TICKET WITH THIS INFORMATION:
+    https://trac.macports.org/newticket
+    Summary: vcs_blackbox @$PORTVERSION Update to latest upstream
+    Description: 
+New upstream of vcs_blackbox.
+github.setup and checksums updated.
+    Type: update
+    Component: ports
+    Port: vcs_blackbox
+    Keywords: maintainer
+"
+echo 'Attach: Portfile-vcs_blackbox.diff'

tools/mk_deb_fpmdir

@@ -0,0 +1,76 @@
+#! /usr/bin/env bash
+
+# Use fpm to package up files into a DEB .
+
+# Usage:
+#   mk_deb_fpmdir PACKAGENAME MANIFEST1 MANIFEST2 ...
+
+# Example:
+#   Make a package foopkg manifest.txt
+# Where "manifest.txt" contains:
+#   exec /usr/bin/stack_makefqdn  misc/stack_makefqdn.py
+#   exec /usr/bin/bar             bar/bar.sh
+#   read /usr/man/man1/bar.1      bar/bar.1.man
+#   0444 /etc/foo.conf            bar/foo.conf
+
+set -e
+
+# Parameters for this DEB:
+PACKAGENAME=${1?"First arg must be the package name."}
+shift
+
+# Defaults that can be overridden:
+# All packages are 1.0 unless otherwise specifed:
+: ${PKGVERSION:=1.0} ;
+# If there is no iteration setting, assume "1":
+: ${PKGRELEASE:=1}
+# If there is no epoch, assume 0
+: ${PKGEPOCH:=0}
+
+# The DEB is output here: (should be a place that can be wiped)
+OUTPUTDIR="${HOME}/debbuild-$PACKAGENAME"
+# The TeamCity templates expect to find the list of artifacts here:
+DEB_BIN_LIST="${OUTPUTDIR}/bin-packages.txt"
+
+# -- Now the real work can be done.
+
+# Clean the output dir.
+rm -rf "$OUTPUTDIR"
+mkdir -p "$OUTPUTDIR/installroot"
+
+# Copy the files into place:
+set -o pipefail  # Error out if any manifest is not found.
+cat """$@""" | while read -a arr ; do
+  PERM="${arr[0]}"
+  case $PERM in
+    \#*)  continue ;;   # Skip comments.
+    exec) PERM=0755 ;;
+    read) PERM=0744 ;;
+    *) ;;
+  esac
+  DST="$OUTPUTDIR/installroot/${arr[1]}"
+  SRC="${arr[2]}"
+  if [[ $SRC == "cmd/"* || $SRC == *"/cmd/"* ]]; then
+    ( cd $(dirname "$SRC" ) && go build -a -v ) 
+  fi
+  install -D -T -b -m "$PERM" -T "$SRC" "$DST"
+done
+
+# Build the DEB:
+cd "$OUTPUTDIR" && fpm -s dir -t deb \
+  -a x86_64 \
+  -n "${PACKAGENAME}" \
+  --epoch "${PKGEPOCH}" \
+  --version "${PKGVERSION}" \
+  --iteration "${PKGRELEASE}" \
+  ${PKGDESCRIPTION:+ --description="${PKGDESCRIPTION}"} \
+  ${PKGVENDOR:+ --vendor="${PKGVENDOR}"} \
+  -C "$OUTPUTDIR/installroot" \
+  .
+
+# TeamCity templates for DEBS expect to find
+# the list of all packages created in bin-packages.txt.
+# Generate that list:
+find "$OUTPUTDIR" -maxdepth 1 -name '*.deb' >"$DEB_BIN_LIST"
+# Output it for debugging purposes:
+cat "$DEB_BIN_LIST"

tools/mk_deb_fpmdir.stack_blackbox.txt

@@ -0,0 +1,14 @@
+exec /usr/bin/_blackbox_common.sh       ../bin/_blackbox_common.sh
+exec /usr/bin/_stack_lib.sh             ../bin/_stack_lib.sh
+exec /usr/bin/blackbox_addadmin         ../bin/blackbox_addadmin
+exec /usr/bin/blackbox_cat              ../bin/blackbox_cat
+exec /usr/bin/blackbox_edit             ../bin/blackbox_edit
+exec /usr/bin/blackbox_edit_end         ../bin/blackbox_edit_end
+exec /usr/bin/blackbox_edit_start       ../bin/blackbox_edit_start
+exec /usr/bin/blackbox_initialize       ../bin/blackbox_initialize
+exec /usr/bin/blackbox_postdeploy       ../bin/blackbox_postdeploy
+exec /usr/bin/blackbox_register_new_file ../bin/blackbox_register_new_file
+exec /usr/bin/blackbox_removeadmin      ../bin/blackbox_removeadmin
+exec /usr/bin/blackbox_shred_all_files  ../bin/blackbox_shred_all_files
+exec /usr/bin/blackbox_update_all_files ../bin/blackbox_update_all_files
+exec /usr/bin/blackbox_list_files       ../bin/blackbox_list_files

tools/mk_macports

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+# Install files into MacPorts DESTDIR
+
+# Usage:
+#   mk_macports MANIFEST MANIFEST1 ...
+
+# Where "manifest.txt" contains:
+#   exec /usr/bin/stack_makefqdn  misc/stack_makefqdn.py
+#   exec /usr/bin/bar             bar/bar.sh
+#   read /usr/man/man1/bar.1      bar/bar.1.man
+#   0444 /etc/foo.conf            bar/foo.conf
+# (NOTE: "exec" means 0755; "read" means 0744)
+
+set -e
+
+# Fail if DESTDIR is not set.
+DESTDIR="${DESTDIR?"Envvar DESTDIR must be set to destination dir."}"
+
+# Copy the files into place:
+cat """$@""" | while read -a arr ; do
+  PERM="${arr[0]}"
+  case $PERM in
+    \#*)  continue ;;   # Skip comments.
+    exec) PERM=0755 ;;
+    read) PERM=0744 ;;
+    *) ;;
+  esac
+  DST="$DESTDIR/${arr[1]}"
+  SRC="${arr[2]}"
+  install -m "$PERM" "$SRC" "$DST"
+done

tools/mk_macports.vcs_blackbox.txt

@@ -0,0 +1,14 @@
+exec bin/_blackbox_common.sh       ../bin/_blackbox_common.sh
+exec bin/_stack_lib.sh             ../bin/_stack_lib.sh
+exec bin/blackbox_addadmin         ../bin/blackbox_addadmin
+exec bin/blackbox_cat              ../bin/blackbox_cat
+exec bin/blackbox_edit             ../bin/blackbox_edit
+exec bin/blackbox_edit_end         ../bin/blackbox_edit_end
+exec bin/blackbox_edit_start       ../bin/blackbox_edit_start
+exec bin/blackbox_initialize       ../bin/blackbox_initialize
+exec bin/blackbox_postdeploy       ../bin/blackbox_postdeploy
+exec bin/blackbox_register_new_file ../bin/blackbox_register_new_file
+exec bin/blackbox_removeadmin      ../bin/blackbox_removeadmin
+exec bin/blackbox_shred_all_files  ../bin/blackbox_shred_all_files
+exec bin/blackbox_update_all_files ../bin/blackbox_update_all_files
+exec bin/blackbox_list_files       ../bin/blackbox_list_files

tools/mk_rpm_fpmdir

@@ -1,21 +1,17 @@
-#!/bin/bash
+#! /usr/bin/env bash
 
-# build_rpm.sh - Build an RPM of these files.  (uses FPM)
+# Use fpm to package up files into an RPM.
 
 # Usage:
-#   make_rpm.sh PACKAGENAME MANIFEST1 MANIFEST2 ...
+#   mk_rpm_fpmdir PACKAGENAME MANIFEST1 MANIFEST2 ...
 
 # Example:
 #   Make a package foopkg manifest.txt
 # Where "manifest.txt" contains:
-#   exec /usr/bin/foo        foo/foo
+#   exec /usr/bin/stack_makefqdn  misc/stack_makefqdn.py
 #   exec /usr/bin/bar             bar/bar.sh
 #   read /usr/man/man1/bar.1      bar/bar.1.man
 #   0444 /etc/foo.conf            bar/foo.conf
-#
-# Col1  chmod-style permissions or "exec" for 0755, "read" for 0744.
-# Col2  Installation location.
-# Col3  Source of the file.
 
 set -e
 
@@ -23,15 +19,17 @@ set -e
 PACKAGENAME=${1?"First arg must be the package name."}
 shift
 
-# Defaults that can be overridden via env variables:
+# Defaults that can be overridden:
 # All packages are 1.0 unless otherwise specifed:
 : ${PKGVERSION:=1.0} ;
 # If there is no iteration setting, assume "1":
 : ${PKGRELEASE:=1}
+# If there is no epoch, assume 0
+: ${PKGEPOCH:=0}
 
 # The RPM is output here: (should be a place that can be wiped)
 OUTPUTDIR="${HOME}/rpmbuild-$PACKAGENAME"
-# Our build system expects to find the list of artifacts here:
+# The TeamCity templates expect to find the list of artifacts here:
 RPM_BIN_LIST="${OUTPUTDIR}/bin-packages.txt"
 
 # -- Now the real work can be done.
@@ -41,35 +39,38 @@ rm -rf "$OUTPUTDIR"
 mkdir -p "$OUTPUTDIR/installroot"
 
 # Copy the files into place:
-cat """$@""" | grep -v '^$' | while read -a arr ; do
+set -o pipefail  # Error out if any manifest is not found.
+cat """$@""" | while read -a arr ; do
   PERM="${arr[0]}"
-  DEST="${arr[1]}"
-  SRC="${arr[2]}"
-  echo ========== "$PERM $DEST"
   case $PERM in
     \#*)  continue ;;   # Skip comments.
     exec) PERM=0755 ;;
     read) PERM=0744 ;;
     *) ;;
   esac
-  FULLDEST="$OUTPUTDIR/installroot/${arr[1]}"
-  install -D -T -b -m "$PERM" -T "$SRC" "$FULLDEST"
+  DST="$OUTPUTDIR/installroot/${arr[1]}"
+  SRC="${arr[2]}"
+  if [[ $SRC == "cmd/"* || $SRC == *"/cmd/"* ]]; then
+    ( cd $(dirname "$SRC" ) && go build -a -v ) 
+  fi
+  install -D -T -b -m "$PERM" -T "$SRC" "$DST"
 done
 
 # Build the RPM:
 cd "$OUTPUTDIR" && fpm -s dir -t rpm \
   -a x86_64 \
-  --epoch '0' \
   -n "${PACKAGENAME}" \
+  --epoch "${PKGEPOCH}" \
   --version "${PKGVERSION}" \
   --iteration "${PKGRELEASE}" \
-  --description 'Safely store secrets in Git/Hg repos using GPG encryption' \
+  ${PKGDESCRIPTION:+ --description="${PKGDESCRIPTION}"} \
+  ${PKGVENDOR:+ --vendor="${PKGVENDOR}"} \
   -C "$OUTPUTDIR/installroot" \
   .
 
-# Our build system expects to find the list of all packages created
-# in bin-packages.txt.  Generate that list:
+# TeamCity templates for RPMS expect to find
+# the list of all packages created in bin-packages.txt.
+# Generate that list:
 find "$OUTPUTDIR" -maxdepth 1 -name '*.rpm' >"$RPM_BIN_LIST"
-# Output the list for debugging purposes:
-echo ========== "$RPM_BIN_LIST"
+# Output it for debugging purposes:
 cat "$RPM_BIN_LIST"

tools/mk_rpm_fpmdir.stack_blackbox.txt

@@ -0,0 +1,15 @@
+read /etc/profile.d/usrblackbox.sh               profile.d-usrblackbox.sh
+exec /usr/blackbox/bin/_blackbox_common.sh       ../bin/_blackbox_common.sh
+exec /usr/blackbox/bin/_stack_lib.sh             ../bin/_stack_lib.sh
+exec /usr/blackbox/bin/blackbox_addadmin         ../bin/blackbox_addadmin
+exec /usr/blackbox/bin/blackbox_cat              ../bin/blackbox_cat
+exec /usr/blackbox/bin/blackbox_edit             ../bin/blackbox_edit
+exec /usr/blackbox/bin/blackbox_edit_end         ../bin/blackbox_edit_end
+exec /usr/blackbox/bin/blackbox_edit_start       ../bin/blackbox_edit_start
+exec /usr/blackbox/bin/blackbox_initialize       ../bin/blackbox_initialize
+exec /usr/blackbox/bin/blackbox_postdeploy       ../bin/blackbox_postdeploy
+exec /usr/blackbox/bin/blackbox_register_new_file ../bin/blackbox_register_new_file
+exec /usr/blackbox/bin/blackbox_removeadmin      ../bin/blackbox_removeadmin
+exec /usr/blackbox/bin/blackbox_shred_all_files  ../bin/blackbox_shred_all_files
+exec /usr/blackbox/bin/blackbox_update_all_files ../bin/blackbox_update_all_files
+exec /usr/blackbox/bin/blackbox_list_files       ../bin/blackbox_list_files

tools/rpm_filelist.txt

@@ -1,14 +0,0 @@
-read /etc/profile.d/usrblackbox.sh                tools/profile.d-usrblackbox.sh
-exec /usr/blackbox/bin/_blackbox_common.sh        bin/_blackbox_common.sh
-exec /usr/blackbox/bin/_stack_lib.sh              bin/_stack_lib.sh
-exec /usr/blackbox/bin/blackbox_addadmin          bin/blackbox_addadmin
-exec /usr/blackbox/bin/blackbox_cat             bin/blackbox_cat
-exec /usr/blackbox/bin/blackbox_edit              bin/blackbox_edit
-exec /usr/blackbox/bin/blackbox_edit_end          bin/blackbox_edit_end
-exec /usr/blackbox/bin/blackbox_edit_start        bin/blackbox_edit_start
-exec /usr/blackbox/bin/blackbox_initialize        bin/blackbox_initialize
-exec /usr/blackbox/bin/blackbox_postdeploy        bin/blackbox_postdeploy
-exec /usr/blackbox/bin/blackbox_register_new_file bin/blackbox_register_new_file
-exec /usr/blackbox/bin/blackbox_removeadmin       bin/blackbox_removeadmin
-exec /usr/blackbox/bin/blackbox_shred_all_files   bin/blackbox_shred_all_files
-exec /usr/blackbox/bin/blackbox_update_all_files  bin/blackbox_update_all_files