GPG encryption/decryption and recipient resolution.
Types
GpgConfig = object
  recipient*: string
  root*: string ## When non-empty, paths are relative to this dir (not ~/...)
Procs
proc gpgDecrypt(inPath, outPath: string; verifySig = false) {. ...raises: [OSError, IOError, ValueError], tags: [ExecIOEffect, ReadEnvEffect, RootEffect, ReadIOEffect, TimeEffect, WriteIOEffect], forbids: [].}
- Decrypt a GPG-encrypted file to a target path. When verifySig is true, decryption fails if the signature is bad or missing (fail-closed).
proc gpgDecryptToString(inPath: string; verifySig = false): string {. ...raises: [OSError, IOError, ValueError], tags: [ExecIOEffect, ReadEnvEffect, RootEffect, ReadIOEffect, TimeEffect, WriteIOEffect], forbids: [].}
- Decrypt a GPG-encrypted file and return its contents as a string. Reads stdout for the content and stderr for the signature status. Pipe-safe for typical vault entries (under 64 KB); larger payloads are outside that guarantee.
proc gpgEncrypt(cfg: GpgConfig; inPath, outPath: string) {. ...raises: [OSError, IOError, ValueError], tags: [ExecIOEffect, ReadEnvEffect, RootEffect, ReadIOEffect, TimeEffect, WriteIOEffect], forbids: [].}
- Encrypt and sign a file using GPG with the configured recipient. Uses direct process invocation (no shell) to prevent command injection.
proc initGpgConfig(cliRecipient: string; repo: string): GpgConfig {. ...raises: [IOError], tags: [ReadDirEffect, ReadIOEffect, ReadEnvEffect, WriteIOEffect], forbids: [].}
- Build a GpgConfig by resolving recipient and root from the 3-tier chain.
proc resolveRecipient(cli, env, configRecipient: string): string {. ...raises: [IOError], tags: [ReadEnvEffect, WriteIOEffect], forbids: [].}
- 3-tier recipient lookup, in order of precedence:
- CLI --recipient flag
- NIMVAULT_GPG_RECIPIENT env var
- value from .vault/config
proc sha256sum(path: string): string {. ...raises: [OSError, IOError, ValueError], tags: [ExecIOEffect, ReadEnvEffect, RootEffect, ReadIOEffect, TimeEffect, WriteIOEffect], forbids: [].}
- Returns the hex-encoded SHA-256 digest of a file.