Philip Oakley <> writes:

Not sure if I understood what you are saying. My impression is that you have an existing repo, cloned from a server (with clone on a server;-), and you now want to have the in-repository file blobs be stored in an encrypted manner.

It sounds as if you have two problems.

1. your starting point is with the coin upside down. You want your existing repos (local and server) to actually contain encrypted data, and then on checkout they will be filters to be un-encrypted (plain text). - this would explain the sudden appearance of the diff at the point where you start storing encrypted blobs.

2. the smudge/clean filters, at least to me, are described in the manuals in the opposite manner than expected. you may have the same problem, and it may be the cause of the 'wrong way around' perceived diffs (assuming 1. wasn't the problem).

I didn't have time to actually check stuff, but those are the issues I would consider clarifying.

As the shell sessions show I have, at the start, a folder, `age-0`, containing two files

1. `foo.secret` with sensitive data, and
2. `bar.txt` with non-sensitive data.

Both are in clear-text at this point.

I then turn the folder into a git workspace using `git init` and configure a clean/smudge filter called "age", and tell git to use the filter on files matching `*.secret`:

--------------------------------------------- ❯ cat .gitattributes *.secret filter=age ❯ git config -l --local|grep filter.age filter.age.smudge=age --decrypt -i ~/.ssh/id_ed25519 - filter.age.clean=age --encrypt -R ~/.ssh/ - --------------------------------------------- I add the three files, `.gitattributes`, `foo.secret`, and `bar.txt`, and then commit them. At this point I can see that the filter has worked as intended in the repo itself. I can also verify that the local file `foo.secret` still is in clear-text.

I then create a clone of the repo, named `age-1`, still local, and as I haven't had a chance to configure the filter I can again verify that the file with sensitive data, `foo.secret` is indeed encrypted. Then I configure the filter also in this workspace, and to get a clear-text version of `foo.secet` I remove it using `rm foo.secret` and then recreate it using `git reset --hard HEAD`. At this point `foo.secret` is in clear-text, just as I want.

I haven't made any changes to the files in `age-1` compared to in `age-0`, in particular the contents of `foo.secret` are identical as my running of `md5sum` shows

--------------------------------------------- ❯ md5sum foo.secret ../age-0/foo.secret 6046316bf834dbdf83a5be74be6fd2ac foo.secret 6046316bf834dbdf83a5be74be6fd2ac ../age-0/foo.secret --------------------------------------------- Despite this git claims, very surprisingly, that `foo.secret` has been changed in `age-1`!

--------------------------------------------- ❯ git diff diff --git a/foo.secret b/foo.secret index 2de33ca..18e4331 100644 Binary files a/foo.secret and b/foo.secret differ --------------------------------------------- That is, AFAICS, the filter works exactly as I want, the file `foo.secret` is encrypted in the repo and in clear-text in the workspaces, but git claims that the file is changed despite containing the exact same (clear-text) data. Why is that, and how do I get git to realise that the contents are the same?


Philip On Friday, June 9, 2023 at 3:49:18 PM UTC+1 wrote:

I'm trying out age[1] as a filter for encrypting files in a git repo but I must be missing something because every new clone thinks the encrypted file has changed, and if I commit that change then every other clone sees a diff after pulling in the change. The main reason I want to try out age is that it can make use of SSH keys for encryption, which makes it a bit nicer than something like git-crypt. I'm setting it up like this: --------------------------------------------- ❯ cat .gitattributes *.secret filter=age ❯ git config -l --local|grep filter.age filter.age.smudge=age --decrypt -i ~/.ssh/id_ed25519 - filter.age.clean=age --encrypt -R ~/.ssh/ - --------------------------------------------- Here's a sequence setting up a first repo: --------------------------------------------- ❯ git init Initialized empty Git repository in /home/user/tmp/age-0/.git/ ❯ echo '*.secret filter=age' > .gitattributes ❯ git config --local --add filter.age.smudge "age --decrypt -i ~/.ssh/id_ed25519 -" ❯ git config --local --add filter.age.clean "age --encrypt -R ~/.ssh/ -" ❯ echo "a secret" > foo.secret ❯ echo "not a secret" > bar.txt ❯ git add .gitattributes bar.txt foo.secret ❯ git commit -m 'The first commit' [main (root-commit) ae75577] The first commit 3 files changed, 2 insertions(+) create mode 100644 .gitattributes create mode 100644 bar.txt create mode 100644 foo.secret --------------------------------------------- Now I can make a clone: --------------------------------------------- ❯ cd .. ❯ git clone age-0 age-1 Cloning into 'age-1'... done. ❯ cd age-1 ❯ git ls-files .gitattributes bar.txt foo.secret ❯ cat foo.secret -> ssh-ed25519 ozAWLA ReSnu8CTgPgnuKUMvG8PWTcc7Lr5IHkKaWc6k4Hfsms dHsdERPHdsdOQluzyeeRamfjIrmsc2pQ+lhwLlt/0no --- aHijNp3L2/0MeE/EXWwVhVwyv1uBYW1Ake055jico5M WF}`YqBO7Ԏwߨ% --------------------------------------------- So far so good. The file is encrypted. Now I configure the filter the same way and make sure the file is decrypted: --------------------------------------------- ❯ git config --local --add filter.age.smudge "age --decrypt -i ~/.ssh/id_ed25519 -" age-1 on  main ❯ git config --local --add filter.age.clean "age --encrypt -R ~/.ssh/ -" ❯ rm foo.secret ❯ git reset --hard HEAD HEAD is now at ae75577 The first commit ❯ cat foo.secret a secret --------------------------------------------- Now comes the problem, git thinks the file with secrets has been changed when it really hasn't: --------------------------------------------- ❯ git status On branch main Your branch is up to date with 'origin/main'. Changes not staged for commit: (use "git add <file>..." to update what will be committed) (use "git restore <file>..." to discard changes in working directory) modified: foo.secret no changes added to commit (use "git add" and/or "git commit -a") ❯ git diff diff --git a/foo.secret b/foo.secret index 2de33ca..18e4331 100644 Binary files a/foo.secret and b/foo.secret differ ❯ md5sum foo.secret ../age-0/foo.secret 6046316bf834dbdf83a5be74be6fd2ac foo.secret 6046316bf834dbdf83a5be74be6fd2ac ../age-0/foo.secret --------------------------------------------- This isn't what I expected. What's wrong with my setup, what am I missing? /M [1]: -- Magnus Therning OpenPGP: 0x927912051716CE39 email: "He dropped his voice still lower. In the stillness, a fly would not have dared clear its throat."

Magnus Therning                   OpenPGP: 0x927912051716CE39

`If there's anything more important than my ego around, I want it
caught and shot now.'

— Zaphod.

You received this message because you are subscribed to the Google Groups "Git for 
human beings" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
To view this discussion on the web visit

Reply via email to