Completely removing files containing sensitive information from a git repository

During project development, security awareness is often weak in the early stages, so project files frequently end up containing sensitive files, for example database usernames and passwords, or the certificate file Android uses to sign release builds. Then, a few years later, colleagues from the company's security department discover this security risk and come to you, asking you to delete those sensitive files from the git repository; otherwise you end up in the company security bulletin and lose security points. You chuckle: how hard can that be? Just delete the files, commit and push. Thinking about it a bit more: I still have a lot of branches and tags, so I'll check out each branch and tag, delete the sensitive files, commit and push; it's only some repetitive work. After spending a few hours fixing dozens of branches and tags, you walk quietly to the smoking area, light a cigarette and are quietly enjoying the fruits of your labour when you can't help shouting inside: "Damn, what I just did was useless! Anyone who checks out a revision before the one where I deleted the file gets the sensitive file right back." You stub out the cigarette, hurry back to the computer, open Google, and after ten-odd minutes of searching you finally discover that you need an advanced command like git filter-branch to handle this. OK, let's get to it.

Here a simple project serves as the example; we need to delete the signing file denny.jks from it. The company project is nearly 5 years old, with close to 20,000 commits and almost 1,000 branches (many feature branches were never deleted); it took close to 2 hours at the time.

1. Clone a fresh copy of the project locally

Dennys-MacBook-Pro:tmp denny$ git clone https://git.oschina.net/dengyin2000/YoukuSc2Videos.git
Cloning into 'YoukuSc2Videos'...
remote: Counting objects: 1423, done.
remote: Compressing objects: 100% (1098/1098), done.
remote: Total 1423 (delta 599), reused 355 (delta 101)
Receiving objects: 100% (1423/1423), 17.27 MiB | 240.00 KiB/s, done.
Resolving deltas: 100% (599/599), done.

2. Enter the project directory

Dennys-MacBook-Pro:tmp denny$ cd YoukuSc2Videos/

3. Run the following command

Replace denny.jks in the command with the path of the file you want to delete; for example, if a file at path app/secret.keystore needs to be deleted, replace denny.jks in this command with app/secret.keystore. Note that every commit in the history will be rewritten.

Dennys-MacBook-Pro:YoukuSc2Videos denny$ git filter-branch --force --index-filter \
> 'git rm --cached --ignore-unmatch denny.jks' \
> --prune-empty --tag-name-filter cat -- --all
Rewrite b31fceb5f31a3304b9be785a6c26b4aab5b94a1c (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite 2650d220c6a32ca9a8e6339af7d73f74c1b2bb31 (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite e8e75cef425cdaef8e817dff67f8bbf0074d5210 (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite 10c7b2a62c89eb4715d5a441c284da072fe4eb66 (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite 91e08684de3a8a473a53d8aec5c581e25e7c310c (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite f72c73c78d0085935d6c1eb7184c5d4cf7419fde (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite a500ea50fb23253c8bff343665bc6e7a0b58e18d (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite 13998d5faba90120f968bb52600594b734fa922c (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite 846742285ddbe80aef2d3361685b4cef67bbeed9 (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite 75622643481d3ad53fc1a907053f0422216b9183 (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite b099ccc48aa41971f2cbad613ce92be294d73f37 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite edce31b34cda86fc4f12982ce2dea2073afb0d0b (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 679adc119f2128da80c27359620f36cd3235ee69 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 6a819ca0c9d929a1ea976be4ff2d03d7efa74d1c (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 41b08a7a3817d136729a648a84ced6061f3705e7 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 56785a5511adef455cc7d9a0966ec18ccfdf7028 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 49368b04e033ac2ec4538be3088adf2826edb6b3 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite dd504c9b061c4cedc29d16ad20bcf0b254e56cb6 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 6a46d86829e8f87b288ff85dbdfab8008e809c03 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 671cec28c7b7c4e14ebba942fb0f3fff3248debd (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 0e7ed086864af0763b6bbdb7b6f184e854e9b899 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite a4c14502351f2b114d144f13eacff4c942c15159 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 2af54a12e1ba627f846e8ef1fe6e2b988d8cc7e0 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 29bdec57dfb6ac1d6f8a46922f542a0402d9678a (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 3401d2c10250ad15bf7ede6ddf34d8d8134e45c8 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 7a8994e039abd97f090afd1f36a1e352ba3c18bd (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite ef83df70dbee85296eead5528bbfaf7acadd63ab (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 0f1788c4c653656e6a9908c8ee0900f9dd5a39b0 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite ff4f95ef246422398be2118e4ee2019706d25931 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 8f751ee11649ab0bd018c3760e2e5ba895427afd (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite cd11fed06f0b89fed349107a1830d71c979f94d9 (59/59) (3 seconds passed, remaining 0 predicted)    rm 'denny.jks'

Ref 'refs/heads/master' was rewritten
Ref 'refs/remotes/origin/master' was rewritten
WARNING: Ref 'refs/remotes/origin/master' is unchanged
Ref 'refs/remotes/origin/waps' was rewritten
Ref 'refs/remotes/origin/waps_baiduad' was rewritten

4. Add denny.jks to .gitignore so that it cannot be accidentally added again later.

Dennys-MacBook-Pro:YoukuSc2Videos denny$ echo "denny.jks"  >> .gitignore
Dennys-MacBook-Pro:YoukuSc2Videos denny$ git add .gitignore 
Dennys-MacBook-Pro:YoukuSc2Videos denny$ git commit -m "add denny.jks to .gitignore"
[master aa4b3fd] add denny.jks to .gitignore
 1 file changed, 1 insertion(+)

5. Check out each branch and tag and make sure denny.jks has been removed from all of them

6. Force push the local changes to the git server

Dennys-MacBook-Pro:YoukuSc2Videos denny$ git push origin --force --all
Counting objects: 361, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (202/202), done.
Writing objects: 100% (361/361), 11.22 MiB | 47.00 KiB/s, done.
Total 361 (delta 172), reused 251 (delta 98)
To https://git.oschina.net/dengyin2000/YoukuSc2Videos.git
 + 0f1788c...aa4b3fd master -> master (forced update)

7. Force push tags

This sample project has no tags, so nothing was pushed here.

Dennys-MacBook-Pro:YoukuSc2Videos denny$ git push origin --force --tags
Everything up-to-date

8. Finally, tell your colleagues to use rebase rather than merge to update their branches. If they merge, it may overwrite the cleanup work you just did.

9. You can also use the BFG Repo-Cleaner tool to purge sensitive files from a git repository; it is faster than git filter-branch but somewhat less flexible.
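Steps 3 and 5 above as an added example that is not from the original post: a POSIX sh script (assumes git is on PATH) that builds a constructed throwaway repo with a placeholder denny.jks, runs the same filter-branch command, and counts the refs that still carry the file instead of checking out each branch and tag by hand. It also covers a caveat the post does not mention: filter-branch leaves the old commits under refs/original/ and in the reflog, so locally the secret's blob survives until those are removed and unreachable objects are pruned.

```shell
# Added example, not code from the original post: builds a throwaway repo with a committed
# secret, rewrites history with the post's filter-branch command, then verifies every ref
# and the object store instead of checking out each branch and tag by hand.
set -eu
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
export FILTER_BRANCH_SQUELCH_WARNING=1   # newer git warns and sleeps 5s otherwise
# Constructed sample repo: the secret is committed on master and reachable from a
# feature branch and a tag, so every ref type is exercised. Prints the repo path.
make_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    echo 'FAKE-KEYSTORE-BYTES' > "$dir/denny.jks"   # placeholder, not a real keystore
    echo 'hello' > "$dir/README"
    git -C "$dir" add -A && git -C "$dir" commit -qm 'initial commit with secret'
    git -C "$dir" tag v1.0 && git -C "$dir" checkout -qb feature
    echo 'more' >> "$dir/README" && git -C "$dir" commit -qam 'feature work'
    echo "$dir"
}

# Step 3 of the post: drop the path from every commit on every branch and tag.
purge_path() {
    git -C "$1" filter-branch --force --index-filter \
        "git rm --cached --ignore-unmatch $2" \
        --prune-empty --tag-name-filter cat -- --all >/dev/null 2>&1
}

# Step 5 without checkouts: prints how many refs still carry the path in their tree.
refs_containing() {
    count=0
    for ref in $(git -C "$1" for-each-ref --format='%(refname)'); do
        if git -C "$1" ls-tree -r --name-only "$ref" | grep -qxF "$2"; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# filter-branch keeps the old commits under refs/original/ and in the reflog, so the
# secret's blob stays in .git until those are dropped and unreachable objects pruned.
expunge_backups() {
    for ref in $(git -C "$1" for-each-ref --format='%(refname)' refs/original/); do
        git -C "$1" update-ref -d "$ref"
    done
    git -C "$1" reflog expire --expire=now --all
    git -C "$1" gc -q --prune=now
}
# Succeeds while a blob with this object id is still present in the object store.
blob_exists() { git -C "$1" cat-file -e "$2" 2>/dev/null; }
```

Only after expunge_backups does the blob actually leave the local clone; the force push in step 6 publishes the rewritten refs, but a stale clone or an old backup ref elsewhere still holds the original commits.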

Reference: Removing sensitive data from a repository
