Version 2.2.0 is not compatible with MacOS Ventura's /usr/bin/openssl
#147
Comments
jmurty
changed the title
/usr/bin/openssl
…ra (#148 #147) Detect OpenSSL major version 3 or later which requires a compatibility work-around to include the prefix 'Salted__' and salt value when encrypting, without applying this work-around to the LibreSSL project's version of the `openssl` command which does NOT require this work-around for major version 3.
|
This should be fixed on the |
|
Same issue here. We installed the main branch instead which contains the merged branch. |
|
Still failing even doing the workaround above. |
|
Hi @alb777 can you describe how the latest And are you sure you have installed/upgraded to the in-progress version? E.g: repo$ ./.git/crypt/transcrypt --version
transcrypt 2.3.0-preI'd like to release an official 2.2.1 version soon with the MacOS 13 Ventura fix, but I'd also like to be sure the latest version on |
|
Hi @jmurty Sure, follows my current transcrypt state that fails during decrypt/git push to stash: My workaround to fix were change
Guess that shouldn't be the definitive solution since default packaging combination may cause the same issue. |
|
Same problem here on Ventura :( I tried the version on Makes team work nearly impossible. Let me know if you need more info or help. |
|
Hi @ronangaillard sorry you're having trouble. I've done some more testing of the latest version from I'd appreciate your help in testing this and pinning down the issue. Can you try each of the following things and let me know for each whether or not it worked properly?
Finding out which of these steps helps, if any, might help narrow down the issue. FWIW I am now running and testing against Ventura version 13.0.1 (22A400) though I don't think the included openssl command version has changed since the initial 13 MacOS release. |
|
FYI, to downgrade brew installation of transcrypt, use the following: brew tap-new $USER/local-transcrypt
brew extract --version=2.1.0 transcrypt $USER/local-transcrypt
brew uninstall transcrypt
brew install [email protected]Make sure to have a clean repo without transcrypt v2.2.0 configured, otherwise uninstall transcrypt configuration with |
|
Hello, Me and my coworker are having the exact same issue. I'm using Ventura and he is using an older version of MacOS. When doing Although the only way to make it work is doing @alb777 said and manually setting the git config file to |
|
Thanks for the feedback @joaooliveiramc I have been having trouble isolating the exact problem so this info is useful. Did you try using the version of Transcrypt on the I ask because that branch has a change which I think fixes compatibility with the By the way, the reason you need to override the path to the openssl binary using |
|
Hey, So I just installed the After cloning our work and configuring it with transcript now I'm having all sort of a weird string looking like a random generated password, which before was not happening. |
|
Ugh, so it's definitely not working for you. Thanks for trying, and sorry about that. I will need to get to the bottom of this and find a proper fix. In the meantime your best options are probably to go back to using the Homebrew openssl path, or downgrading from 2.2.0 |
…ra (#148 #147) Detect OpenSSL major version 3 or later which requires a compatibility work-around to include the prefix 'Salted__' and salt value when encrypting, without applying this work-around to the LibreSSL project's version of the `openssl` command which does NOT require this work-around for major version 3. # Conflicts: # CHANGELOG.md # transcrypt
|
Hi, could those of you experiencing incompatibility with MacOS Venture please help me to isolate the ongoing bug by running some tests on your Mac, ideally on both MacOS 13 (Ventura) and prior versions like 12? I have pushed a new version of the transcrypt script in bea1847 with nothing but the released version I'd very much appreciate feedback on your results of running some low-level encrypt and decrypt commands to test what results you get using this version of the script with the different versions of OpenSSL and LibreSSL you have on your system. To get ready to run the tests:
Once the testing directory is set up, run these commands to test encrypting and decrypting the example file:
Repeat the above commands, but substitute the path to
If the script is working correctly you should get exactly the same outputs each time for the If you see anything different, such as a different encrypted text blob or garbage characters after the round-trip, that could give me a vital clue to figure out what problems remain. Any anomalies you can report would be much appreciated, I need the help to figure this out! For what it's worth, when I run the test commands on my system (Ventura 13.1) I get the same results for all versions of OpenSSL and LibreSSL |
|
For advanced testing, you can run the low-level encrypt ( If there is any difference between the encrypted data stored in git versus the output of your test As an example, if you're in a repo with transcrypt installed (2.1.0 or later) and your file The encrypted version generated by this command should exactly match the encrypted data stored in git, which you can print with: |
|
Hi @jmurty, thanks to the above instructions I was able to fix the issue. |
|
Hello @jmurty, thanks a lot you saved my day :) |
|
Using these two packages on OSX 13.1: $ openssl version
LibreSSL 3.3.6
$ /opt/homebrew/opt/[email protected]/bin/openssl version
OpenSSL 1.1.1t 7 Feb 2023Test steps execute exactly as described: encrypted and decrypted content match the examples. Thank you!! |
…efixes due to #147 If someone has committed and encrypted a file using Transcrypt version 2.2.0 on a MacOS 13 Ventura system and using the system- provided version of `openssl`, the encrypted file will mistakenly include a doubled "Salted" prefix. The prefix doubling was caused by Transcrypt applying a work-around for the OpenSSL project's breaking change (#133) when it didn't need to, because the LibreSSL project's version 3+ of `openssl` does not have the same breaking change. This fix checks for a doubled prefix during decryption (smudge) operations, and when it finds the mistake will strip out the first of the doubled prefixes before decrypting. A proper fix for the issue is to commit a new version of the file to remove the faulty doubled prefix, but it will be difficult for users to commit a new version if they only have a faulty decrypted file to work with. As an example, a faulty version of this repository's _sensitive_file_ with the doubled prefix would be decrypted like this: ��2p͙��g�c�^?Dj6����`�32��\rs to love You know the rules and so do I A full commitment's what I'm thinking of With the fix applied in this commit, the decrypted copy becomes: We're no strangers to love You know the rules and so do I A full commitment's what I'm thinking of
…efixes due to #147 If someone has committed and encrypted a file using Transcrypt version 2.2.0 on a MacOS 13 Ventura system and using the system- provided version of `openssl`, the encrypted file will mistakenly include a doubled "Salted" prefix. The prefix doubling was caused by Transcrypt applying a work-around for the OpenSSL project's breaking change (#133) when it didn't need to, because the LibreSSL project's version 3+ of `openssl` does not have the same breaking change. This fix checks for a doubled prefix during decryption (smudge) operations, and when it finds the mistake will strip out the first of the doubled prefixes before decrypting. A proper fix for the issue is to commit a new version of the file to remove the faulty doubled prefix, but it will be difficult for users to commit a new version if they only have a faulty decrypted file to work with. As an example, a faulty version of this repository's _sensitive_file_ with the doubled prefix would be decrypted like this: ��2p͙��g�c�^?Dj6����`�32��\rs to love You know the rules and so do I A full commitment's what I'm thinking of With the fix applied in this commit, the decrypted copy becomes: We're no strangers to love You know the rules and so do I A full commitment's what I'm thinking of
|
Thanks very much for your feedback @Fausto95 @Z7oussem @emcniece, it gives me more confidence I've finally fixed the bug using the LibreSSL 3+ flavour of the I have released a new version 2.2.1 of transcrypt with a fix for the original bug. I also added a work-around which should properly decrypt files committed on systems that were affected by the bug, so these should now give you the original content instead of showing binary junk at the top of the file. See details in b380f2c Please grab the 2.2.1 version of transcrypt, make sure it's updated on all systems by running |
|
How do I catch the 2.2.1? doing upgrade is only trying to upgrade to 2.2.0 |
|
Hi @joaooliveiramc it may take a while for the latest version to be made available by package managers. In the meantime, transcrypt itself is just a bash shell script so you can download version # Download transcrypt script at version/tag 2.2.1
wget https://raw.githubusercontent.com/elasticdog/transcrypt/v2.2.1/transcrypt
# Make it executable
chmod u+x transcrypt
# Confirm the version, and upgrade it in the repository
./transcrypt --version
./transcrypt --upgradeFWIW, I like to keep a copy of the transcrypt script in shared repositories that use it, at a path like bin/transcrypt. That way anyone using the repo can always run the latest version without relying on package managers to be up-to-date. |
…d" prefix due to #147 Improve the work-around for files incorrectly encrypted with doubled "Salted" prefixes due to #147 to avoid null byte warnings – and possibly errors – by checking prefix data as hex-encoded values instead of raw bytes which could contain null characters that are not well handled in bash scripts. This should avoid warnings like the following during decryption: warning: command substitution: ignored null byte in input Unfortunately the need for hex-encoding of bytes adds a new requirement for the `hexdump` command.
…d" prefix due to #147 Improve the work-around for files incorrectly encrypted with doubled "Salted" prefixes due to #147 to avoid null byte warnings – and possibly errors – by checking prefix data as hex-encoded values instead of raw bytes which could contain null characters that are not well handled in bash scripts. This should avoid warnings like the following during decryption: warning: command substitution: ignored null byte in input Unfortunately the need for hex-encoding of bytes adds a new requirement for the `hexdump` command.
In release 2.2.0 we included a fix for #133 to work around a compatibility problem with OpenSSL versions 3+, which changed how salt values are included in encrypted output (they aren't)
Unfortunately our work-around relied on a check of the
opensslversion's major version: if the major version is3or greater it forcibly includes the salt values in the encrypted output.The recent release of MacOS Ventura includes the LibreSSL project's
opensslcommand which also reports a major version of3, but our work around is not necessary for the LibreSSL project'sopensslbecause that project didn't make the breaking change to remove salt values from encrypted output.The upshot of all this is transcrypt release 2.2.0 is currently broken on MacOS Ventura when using the default built-in
/usr/bin/opensslbinary, because our work-around will end up prefixing the salt value unnecessarily.The text was updated successfully, but these errors were encountered: