M README → README

@@ -4,16 +4,18 @@ 
   features
     - encryption implemented using age[1]
     - automatic key generation
+    - automatic git tracking
     - multiple identity/recipient support
     - written in portable posix shell
     - simple to extend
-    - only ~130 lines of code
+    - only ~160 lines of code
     - pronounced "pah" - as in "papa"
 
 
   dependencies
     - age
     - age-keygen
+    - git (optional)
 
 
   usage
@@ -31,6 +33,7 @@ env vars:
       Password length:   export PA_LENGTH=50
       Password pattern:  export PA_PATTERN=_A-Z-a-z-0-9
       Password dir:      export PA_DIR=~/.local/share/pa/passwords
+      Disable tracking:  export PA_NOGIT=
 
 
   command examples

M pa → pa

@@ -28,10 +28,13 @@ #
     # Heredocs are sometimes implemented via temporary files,
     # however this is typically done using 'mkstemp()' which
     # is more secure than a leak in '/proc'.
-    age --encrypt -R "$recipients_file" -o "$name.age" <<-EOF &&
+    age --encrypt -R "$recipients_file" -o "$name.age" <<-EOF ||
 		$pass
 	EOF
-        printf '%s\n' "Saved '$name' to the store."
+        die "Couldn't encrypt $name.age"
+
+    git_add_and_commit "$name.age" "add '$name'"
+    printf '%s\n' "Saved '$name' to the store."
 }
 
 pw_edit() {
@@ -68,6 +71,8 @@ "${EDITOR:-vi}" "$tmpfile"
 
     age --encrypt -R "$recipients_file" -o "$name.age" "$tmpfile" ||
         die "Couldn't encrypt $name.age"
+
+    git_add_and_commit "$name.age" "edit '$name'"
 }
 
 pw_del() {
@@ -78,6 +83,8 @@ # Remove empty parent directories of a password
         # entry. It's fine if this fails as it means that
         # another entry also lives in the same directory.
         rmdir -p "./${1%/*}" 2>/dev/null || :
+
+        git_add_and_commit "$1.age" "delete '$1'"
     }
 }
 
@@ -90,6 +97,10 @@ pw_list() {
     find . -type f -name \*.age | sed 's/..//;s/\.age$//' | sort
 }
 
+git_add_and_commit() {
+    if $git_enabled; then git add "$1" && git commit -qm "$2"; fi
+}
+
 rand_chars() {
     # Generate random characters by reading '/dev/urandom' with the
     # 'tr' command to translate the random bytes into a
@@ -177,6 +188,7 @@ env vars:
     Password length:   export PA_LENGTH=50
     Password pattern:  export PA_PATTERN=_A-Z-a-z-0-9
     Password dir:      export PA_DIR=~/.local/share/pa/passwords
+    Disable tracking:  export PA_NOGIT=
 "
     exit 0
 }
@@ -200,6 +212,31 @@ 
     # Ensure that globbing is disabled
     # to avoid insecurities with word-splitting.
     set -f
+
+    if [ -z "${PA_NOGIT+x}" ] && command -v git >/dev/null 2>&1; then
+        git_enabled=true
+    else
+        git_enabled=false
+    fi
+
+    $git_enabled && [ ! -d .git ] && {
+        git init
+
+        # Put something in user config if it's not set globally,
+        # because git doesn't allow to commit without it.
+        git config user.name >/dev/null || git config user.name pa
+        git config user.email >/dev/null || git config user.email ""
+
+        # Configure diff driver for age encrypted files that treats them as
+        # binary and decrypts them when a human-readable diff is requested.
+        git config diff.age.binary true
+        git config diff.age.textconv "age --decrypt -i \"$identities_file\""
+
+        # Assign this diff driver to all passwords.
+        printf '%s\n' '*.age diff=age' >.gitattributes
+
+        git_add_and_commit . "initial commit"
+    }
 
     command -v age >/dev/null 2>&1 ||
         die "age not found, install per https://github.com/FiloSottile/age"