featture request: blackbox_edit shouldn't re-encrypt a file if no changes were made

[sudomain]

Sorry if this has veen discussed before, but I think if a file, testfile.gpg, is opened with blackbox_edit but no changes are made to the file, then the original testfile.gpg should be left alone rather than be overwritten by a newly encrypted version of the same file. Perhaps checking modification time or checksum the contents of a file when decrypting, then check it against the decrypted file when deciding to re-encrypt?

[TomOnTime]

I agree that it would be better if it didn't re-encrypt when the file hasn't changed.

Sadly gpg doesn't maintain timestamps in a way that makes this easy. When testfile.gpg is decrypted to testfile, the timestamp of testfile is when the decryption happened. Thus testfile is always "newer" than testfile.gpg, which is indistinguishable from when its been edited.

A way to make it work would be to take the hash of the file when decrypted, or decrypt to a temporary file to see if the file has changed right before deciding if it changed. However one would also have to take into account if files-admins.txt has changed.

Doing that in Bash seems difficult but the new Go version (which needs beta tests) should make that easier.

Tom

[sudomain]

However one would also have to take into account if files-admins.txt has changed.

Pardon my ignorance, but do you mean blackbox-admins.txt? I couldn't find info on "files-admins" during a GH search.'

Doing that in Bash seems difficult but the new Go version (which needs beta tests) should make that easier.

Having only superficially read the bash code, my naive approach would to take the decrypting functions such as

blackbox/bin/_blackbox_common.sh

Line 267 in a413aff

$GPG --use-agent -q --decrypt -o "$unencrypted" "$encrypted" >&2

and

blackbox/bin/_blackbox_common.sh

Line 289 in a413aff

$GPG --use-agent --yes -q --decrypt -o "$unencrypted" "$encrypted" >&2

And change it to something like (some options omitted for clarity):
filesig="$(gpg -d testfile.gpg | tee tempfile | sha1sum)"

This removes the --output option from gpg since tee will be writing the decrypted content. When deciding to re-encrypt or discard the file, we'll just check if the sha1sum matches $filesig

This approach ignores your comment on files-admin.txt (sorry) because I couldn't find info on it.

[TomOnTime]

Ah, yes, I did mean blackbox-admins.txt. If that file changes, then everything needs to be re-encrypted. Though, you could just depend on people using the blackbox_update_all_files

Sounds like you have some really smart ideas about how to fix this in Bash. If you'd like to give it a try, I'd love to get a PR!

[sudomain]

Does this project assume GNU coreutils is installed? (Needed for tee and sha1sum)

Any preference among md5sum, sha1sum, ... ?

[TomOnTime]

coreutils: Yes, assume that tee is installed.

hash algorithm: I don't have a preference as long as it is supported on macOS, Linux, FreeBSD and Windows.

Some background:

• BSD-based Unixes like MacOS use a different command name than Linux-based systems. There's a function in bin/_blackbox_common.sh called md5sum_file that does the right thing for any given operating system.
• decrypt_file_overwrite uses md5 to determine if there were changes in a file. However it just uses it to decide if an information message will be output. If md5 isn't secure enough, it isn't the end of the world.

Let me know how I can help!