Add documentation for git-crypt encrypted .authinfo file

[Copilot]

• Understand the current .authinfo encryption setup
• Document how to decrypt the .authinfo file using git-crypt
• Create a README.md in the authinfo directory with instructions
• Add encrypted files section to main README.md
• Verify the documentation is accurate and helpful
• Address code review feedback
• Run security checks (no code changes detected)
• Document security considerations for forking and modifying encrypted files
• Correct authinfo file format to follow netrc(5) standard without port field
• Resolve merge conflicts with main branch (README.md → readme.org migration)
• Resolve additional merge conflicts in readme.org (kept link to detailed authinfo documentation)
• Merge latest main branch changes (nixos host metadata improvements)
• Clarify GPG key import workflow for adding collaborators

Original prompt

On .authinfo, can you decode this?

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[eapolinario]

@copilot if someone forks this repo can they modify the list of encrypted files?

[Copilot]

@copilot if someone forks this repo can they modify the list of encrypted files?

Yes, someone who forks the repo can modify .gitattributes to change which files are encrypted. However, they cannot decrypt the existing .authinfo file without the original GPG private key. I've added documentation explaining the security model for forks in commit 6554196.

[eapolinario]

@copilot that format for the authinfo file is not correct, there's no port. Can you find the RFC that describes the format used in authinfo?

[Copilot]

@copilot that format for the authinfo file is not correct, there's no port. Can you find the RFC that describes the format used in authinfo?

Corrected in commit 4fa5eac. The format now follows the .netrc standard documented in the netrc(5) manual page, with machine, login, and password fields. The port field was removed as it's not part of the standard format (though some tools support it as an extension).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• www.gnu.org
  • Triggering command: /usr/bin/curl curl -s REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[eapolinario]

@copilot , update this

[Copilot]

@copilot , update this

Could you clarify what you'd like me to update? The documentation currently covers git-crypt setup, the .netrc format for .authinfo, and security considerations for forking. Please let me know what specific information needs to be updated or added.

[eapolinario]

@copilot resolve the merge conflicts in this pull request

[Copilot]

@copilot resolve the merge conflicts in this pull request

Resolved in commit c72573a. The merge conflicts have been fixed:

• README.md removed (replaced with readme.org in main branch)
• authinfo/README.md moved to common/authinfo/README.md to match the new repository structure
• readme.org updated to link to the detailed authinfo documentation
• All path references updated to reflect the new structure

[eapolinario]

@copilot resolve the merge conflicts in this pull request

[eapolinario]

@copilot resolve the merge conflicts in this pull request

[Copilot]

@copilot resolve the merge conflicts in this pull request

Resolved in commit ef7b56e. Successfully merged origin/main into the branch, resolving the conflict in readme.org by keeping the link to the detailed authinfo documentation.

[Copilot]

@copilot resolve the merge conflicts in this pull request

Resolved in commit 494349a. Merged the latest changes from origin/main (commits up to 557b4b1) into the branch. The merge completed successfully with no conflicts.

[Copilot]

Pull request overview

Adds/links documentation describing how to work with the git-crypt–encrypted common/authinfo/.authinfo secrets file, aligning with the repo’s readme.org-based top-level documentation.

Changes:

• Add common/authinfo/README.md documenting git-crypt install/unlock usage, .netrc-style .authinfo format, and fork/security considerations.
• Link the new authinfo documentation from the * Secrets section in readme.org.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
readme.org	Adds a pointer from the Secrets section to the detailed authinfo/git-crypt documentation.
common/authinfo/README.md	Introduces a dedicated authinfo README covering decryption workflow and security guidance.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The “Export their GPG public key” phrasing is misleading here: to run git-crypt add-gpg-user, the collaborator’s public key typically needs to be obtained from them and imported into the maintainer’s GPG keyring first. Consider rewording this comment to reflect “obtain + import their public key”, and (optionally) mention that GPG_KEY_ID can be a fingerprint/email of an imported key.

Suggested change

	# Export their GPG public key and add them
	# Obtain and import their GPG public key, then add them
	# GPG_KEY_ID can be the fingerprint or email of an imported key

[eapolinario]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

Applied in commit abfb014. Updated the comment to clarify that the collaborator's public key must be obtained and imported before running git-crypt add-gpg-user, and added a note that GPG_KEY_ID can be a fingerprint or email of an imported key.