Skip to content

Instantly share code, notes, and snippets.

@tyrcho

tyrcho/howto.md

Last active November 22, 2023 02:04
Show Gist options
  • Star 15 You must be signed in to star a gist
  • Fork 3 You must be signed in to fork a gist
  • Save tyrcho/651fdf93de5df49e8c2e10685562206f to your computer and use it in GitHub Desktop.
Save tyrcho/651fdf93de5df49e8c2e10685562206f to your computer and use it in GitHub Desktop.
Download ZIP
Git secret and CI
Raw
howto.md

We use git-secret to encrypt/decrypt sensitive information like production passwords.

GPG keys

Each developper needs to generate a pair of private/public key.

https://help.github.com/articles/generating-a-new-gpg-key/

gpg --full-generate-key
gpg --list-secret-keys
gpg --list-keys

To export and share public key:

gpg --armor --export verylongkeyid > publicKey.txt

To backup the private key elsewhere

gpg --armor --export-secret-keys verylongkeyid > mySecret.txt

To delete a local private key

gpg --delete-secret-keys verylongkeyid

To delete public key (private key must be delete first)

gpg --delete-keys verylongkeyid

To import a public or private key

gpg --import myKey.txt

Git-secret

To add someone to the list of trusted developpers

You need his public key, and to have access yourself.

gpg --armor --export verylongkeyid > publicKey.txt

He shares the file with you

gpg --import publicKey.txt
git secret tell new@email

You then need to reencrypt the file with git secret hide.

To revoke access

For example when a developer leaves the company

git secret killperson some@emails

It is required to reencrypt once again with the updated keyring:

git secret hide

To add a file

The file MUST be in .gitignore to avoid sharing the clear version.

git secret add file

Encrypting all added files (to .secret versions, which will be commited)

git secret hide

To reveal encrypted files (eg when you received the .secret version from a git pull)

git secret reveal

Using it on CI system

Of course, you need to have told the secret to a technical user linked to your CI. Here we pass the private key to GITLAB in the secret variable GITLAB_PRIVATE_KEY.

Install git-secret

echo "deb https://dl.bintray.com/sobolevn/deb git-secret main" | tee -a /etc/apt/sources.list
wget -qO - https://api.bintray.com/users/sobolevn/keys/gpg/public.key | apt-key add -
apt-get update && apt-get install -y gawk git-secret

Import the private key

gpg --import  <(echo "$GITLAB_PRIVATE_KEY")

Secret files can now be decrypted with:

 git secret reveal

Testing Gitlab CI

 gitlab-runner exec  docker "sbt test" --env GITLAB_PGP_PRIVATE_KEY="$(gpg --armor --export-secret-keys  6A0AE17A64C4B47A304785EEE9941103535E8D83)"
@herrnesto
Copy link

Thank you , very usefull!! I propose this additional command, if you have multiple files but only want to encrypt the one that changed:
git secret hide -m

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment