unlock: base64 arg by default and no file input

 - Remove the syntax that was allowing to provide the key from a file.
 - Make the default syntax be for passing the key as base64 directly as argument (without requiring the `base64:` prefix for that case anymore.

Rationale:

It was never a good idea to provide a built-in way to read the binary key from a file IMHO, because that would suggest that having the key laying around in a random file on disk was a good idea to begin with (which can be OK… as long as the key file is properly protected). For example, we wouldn't want to incite people to write the key in a file just to be able to `git-conceal unlock` with it… and then accidentally commit that key file.

Reading from a file is still possible using `-` as the argument to read from `stdin`, then using shell redirection syntax `<file` to feed the content of the file as stdin. So even in the unlikely case that someone would want to provide the key via a file, they can still do that.

And since having the base64 key directly will be the most common use case for `unlock` on local machines (when developers get the key from the secret store and copy/paste it to the `unlock` command), that feels more fitting for this to be the default command / most basic syntax (i.e. without requiring a `base64:` prefix for it)

Author: AliSoftware

README.md

@@ -141,24 +141,23 @@ This will show the raw content as stored in the repository. So even if `cat my-s
 After you freshly clone a repository which contains files which have been encrypted by `git-conceal`, you need to provide the symmetric key that your coworkers would have shared with you to decrypt it:
 
 ```bash
-# Option 1: Provide the key via an environment variable (base64 encoded).
-# Recommended on CI, where secret values like the key are usually exposed to jobs as env vars.
-$ git-conceal unlock env:GIT_CONCEAL_SECRET_KEY
-
-# Option 2: Provide the Base64-encoded key as command line argument.
+# Option 1: Provide the Base64-encoded key directly as command line argument.
 # Only use locally, as on CI this could leak the key in logs.
 # Tip: start your command with a space to avoid it (and thus the key) being added to your shell's history
-$  git-conceal unlock "base64:c3VwcG9zZWRseS15b3VyLWJpbmFyeS1zZWNyZXRrZXk="
+$  git-conceal unlock "c3VwcG9zZWRseS15b3VyLWJpbmFyeS1zZWNyZXRrZXk="
 
-# Option 3: Provide a path to a from file containing the raw binary, 32 bytes key.
-$ git-conceal unlock /path/to/key.bin
+# Option 2: Provide the key via an environment variable (base64 encoded), by using the `env:` prefix.
+# Recommended on CI, where secret values like the key are usually exposed to jobs as env vars.
+# Prefer this over `git-conceal unlock $GIT_CONCEAL_SECRET_KEY` to reduce the risk of accidentally leaking
+# the key e.g. in CI logs (which might resolve `$VAR` env vars before printing the resolved command in logs)
+$ git-conceal unlock env:GIT_CONCEAL_SECRET_KEY
 
-# Option 4: Provide it via stdin (expects raw binary, 32 bytes as input)
-$ cat /path/to/key.bin | git-conceal unlock -
-# Or convert from base64.
-# Only use locally, as on CI this could leak the key in logs.
-# Tip: start your command with a space to avoid it (and thus the key) being added to your shell's history
-$  echo "c3VwcG9zZWRseS15b3VyLWJpbmFyeS1zZWNyZXRrZXk=" | base64 -d | git-conceal unlock -
+# Option 3: Provide it via stdin (expects raw binary, 32 bytes as input)
+# For example, if you have the binary key in a file (which you would hopefully have protected properly!)
+$ git-conceal unlock - </path/to/keyfile.bin
+# Or if you have the base64-encoded key in your clipboard, you could do:
+$ pbpaste | base64 -d | git-conceal unlock -
+# (Though in that case `git-conceal unlock $(pbpaste)` would achieve the same thing)
 ```
 
 This will:

src/commands/init.rs

@@ -43,15 +43,14 @@ fn init_instructions(key_b64: &str) -> String {
             {key_b64}
 
             Once you share this key with users you trust, they can unlock their working copy using one of these methods:
+              - From base64-encoded key passed directly as argument:
+                {bin_name} unlock "{key_b64}"
               - From environment variable (base64):
-                export GIT_SECRETS_KEY='{key_b64}'
-                {bin_name} unlock env:GIT_SECRETS_KEY
-              - From base64-encoded key in the command line:
-                {bin_name} unlock "base64:{key_b64}"
-              - From file (raw binary, 32 bytes):
-                {bin_name} unlock /path/to/key.bin
+                export GIT_CONCEAL_SECRET_KEY='{key_b64}'
+                {bin_name} unlock env:GIT_CONCEAL_SECRET_KEY
               - From stdin (raw binary, 32 bytes):
                 echo '{key_b64}' | base64 -d | {bin_name} unlock -
+                {bin_name} unlock - < /path/to/raw-binary-key.bin
 
             To start adding files to be encrypted in this repository:
               - List files (or file patterns) you want to encrypt in your `.gitattributes` file, like this:

src/key.rs

@@ -72,10 +72,9 @@ impl Key {
     /// Read encryption key from various sources
     ///
     /// Supports:
-    /// - `"-"` for reading from stdin (raw binary format, 32 bytes)
+    /// - Base64-encoded key string (passed directly as argument)
     /// - `"env:VARNAME"` for reading from environment variable (base64 encoded)
-    /// - `"base64:BASE64_KEY"` for reading from base64-encoded key
-    /// - File path for reading from a file (raw binary format, 32 bytes)
+    /// - `"-"` for reading from stdin (raw binary format, 32 bytes)
     ///
     /// Returns the encryption key.
     pub fn read_from_source(key_source: &str) -> Result<Self> {
@@ -95,11 +94,9 @@ impl Key {
                 format!("Failed to read key from environment variable {}", env_var)
             })?;
             Self::from_base64(&key_b64)
-        } else if let Some(base64_key) = key_source.strip_prefix("base64:") {
-            Self::from_base64(base64_key)
         } else {
-            // Read from file (raw binary format)
-            Self::from_file(Path::new(key_source))
+            // Treat as base64-encoded key (unprefixed)
+            Self::from_base64(key_source)
         }
     }
 }
@@ -301,18 +298,6 @@ mod tests {
         assert!(result.unwrap_err().to_string().contains("Invalid key size"));
     }
 
-    #[test]
-    fn test_read_from_source_file() {
-        let temp_dir = TempDir::new().unwrap();
-        let key_file = temp_dir.path().join("test.key");
-
-        let key = test_key();
-        fs::write(&key_file, key.as_bytes()).unwrap();
-
-        let loaded_key = Key::read_from_source(key_file.to_str().unwrap()).unwrap();
-        assert_eq!(loaded_key.as_bytes(), key.as_bytes());
-    }
-
     /// This test must run serially (not in parallel with other tests) because it modifies
     /// environment variables. Environment variable modification is not thread-safe and can
     /// cause race conditions when tests run in parallel.
@@ -398,18 +383,23 @@ mod tests {
     fn test_read_from_source_base64() {
         let key = test_key();
         let b64 = key.to_base64();
-        let loaded_key = Key::read_from_source(&format!("base64:{}", b64)).unwrap();
+        let loaded_key = Key::read_from_source(&b64).unwrap();
         assert_eq!(loaded_key.as_bytes(), key.as_bytes());
     }
 
     // Note: Testing stdin reading is complex in unit tests as it requires
     // mocking stdin or using a separate process. This would be better suited
-    // for integration tests. The file and env var cases are tested above.
+    // for integration tests. The env var and base64 cases are tested above.
 
     #[test]
-    fn test_read_from_source_invalid_source() {
-        let result = Key::read_from_source("/nonexistent/path/key.bin");
+    fn test_read_from_source_invalid_base64() {
+        // A user accidentally passing a file path should be treated as base64 key and fail to decode
+        let result = Key::read_from_source("path/to/secret-symmetric-key.bin");
         assert!(result.is_err());
+        assert!(result
+            .unwrap_err()
+            .to_string()
+            .contains("Failed to decode base64 key"));
     }
 
     #[test]

src/main.rs

@@ -50,11 +50,10 @@ enum Commands {
     Unlock {
         /// Key source
         #[arg(
-            value_name = "KEY_SOURCE",
-            long_help = "- 'env:VARNAME': base64-encoded key in environment variable (recommended on CI)\n\
-                         - 'base64:BASE64_KEY': base64-encoded key\n\
-                         - '-': raw binary key from stdin\n\
-                         - <PATH>: raw binary key from file"
+            value_name = "KEY",
+            long_help = "- 'BASE64KEY': the base64-encoded key passed directly as argument\n\
+                         - 'env:VARNAME': read the base64-encoded key from the given environment variable (recommended on CI)\n\
+                         - '-': read the raw binary key from stdin (expects raw binary, 32 bytes as input)"
         )]
         key_source: String,
     },