大家在項(xiàng)目開(kāi)發(fā)中，可能在前期對(duì)安全這塊的意識(shí)不太強(qiáng)，往往在工程項(xiàng)目文件中會(huì)包含一些敏感信息文件吕粗，比如：數(shù)據(jù)庫(kù)用戶名密碼、安卓用于打release包的證書(shū)文件等旭愧。然后過(guò)了幾年颅筋，公司的安全部門同事發(fā)現(xiàn)了這個(gè)安全風(fēng)險(xiǎn)，于是找到你們需要把那些敏感信息文件從git倉(cāng)庫(kù)中刪除输枯，要不然就讓你上公司的安全通告议泵，扣安全分?jǐn)?shù)。你呵呵一笑桃熄，這還不簡(jiǎn)單先口，把文件刪除然后commit push不就好了，如果再仔細(xì)想想瞳收，我還有很多branch和tags碉京，恩，那我就把每個(gè)branch和tag checkout下來(lái)刪除敏感文件螟深，commit push就好了谐宙， 無(wú)非就多些重復(fù)勞動(dòng)。等你花上幾個(gè)小時(shí)把幾十個(gè)branch和tag修改好后界弧，一個(gè)人靜靜的走到吸煙區(qū)凡蜻，默默的點(diǎn)上一支煙搭综，靜靜的享受剛才的勞動(dòng)成功時(shí)，這時(shí)候你情不自禁心里大叫一聲：“我操划栓，我剛才做的沒(méi)用呀设凹，任何一個(gè)人只要把checkout我刪除文件對(duì)應(yīng)的revision之前的revison的話，敏感文件不就又出來(lái)了茅姜∩林欤”，這時(shí)你趕緊掐掉煙蒂钻洒，趕緊回到電腦旁奋姿，打開(kāi)Google，經(jīng)過(guò)10來(lái)分鐘的搜索素标，你終于發(fā)現(xiàn)原來(lái)需要使用git filter-branch這種高級(jí)命令來(lái)處理称诗。OK，說(shuō)干就干头遭。

這里拿一個(gè)簡(jiǎn)單的工程作為例子寓免，我們需要?jiǎng)h除項(xiàng)目中的denny.jks簽名文件，公司的那個(gè)項(xiàng)目差不多快5年了计维，接近2萬(wàn)個(gè)commit袜香，快1000個(gè)分支（很多feature branch沒(méi)有刪），當(dāng)時(shí)花了接近2個(gè)小時(shí)鲫惶。

1. 搞一份新的工程蜈首，到本地

Dennys-MacBook-Pro:tmp denny$ git clone https://git.oschina.net/dengyin2000/YoukuSc2Videos.git
Cloning into 'YoukuSc2Videos'...
remote: Counting objects: 1423, done.
remote: Compressing objects: 100% (1098/1098), done.
remote: Total 1423 (delta 599), reused 355 (delta 101)
Receiving objects: 100% (1423/1423), 17.27 MiB | 240.00 KiB/s, done.
Resolving deltas: 100% (599/599), done.

2. 進(jìn)入項(xiàng)目工程目錄

Dennys-MacBook-Pro:tmp denny$ cd YoukuSc2Videos/

3. 執(zhí)行以下命令

命令中的denny.jks需要你替換成你的刪除的文件路徑，比如你有一個(gè)路徑為app/secret.keystore文件需要?jiǎng)h除欠母，你需要把這個(gè)命令中的denny.jks替換成app/secret.keystore欢策。注意所有的commit歷史紀(jì)錄都會(huì)比改寫(xiě)。

Dennys-MacBook-Pro:YoukuSc2Videos denny$ git filter-branch --force --index-filter \
> 'git rm --cached --ignore-unmatch denny.jks' \
> --prune-empty --tag-name-filter cat -- --all
Rewrite b31fceb5f31a3304b9be785a6c26b4aab5b94a1c (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite 2650d220c6a32ca9a8e6339af7d73f74c1b2bb31 (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite e8e75cef425cdaef8e817dff67f8bbf0074d5210 (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite 10c7b2a62c89eb4715d5a441c284da072fe4eb66 (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite 91e08684de3a8a473a53d8aec5c581e25e7c310c (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite f72c73c78d0085935d6c1eb7184c5d4cf7419fde (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite a500ea50fb23253c8bff343665bc6e7a0b58e18d (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite 13998d5faba90120f968bb52600594b734fa922c (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite 846742285ddbe80aef2d3361685b4cef67bbeed9 (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite 75622643481d3ad53fc1a907053f0422216b9183 (19/59) (1 seconds passed, remaining 2 predicted)    rm 'denny.jks'
Rewrite b099ccc48aa41971f2cbad613ce92be294d73f37 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite edce31b34cda86fc4f12982ce2dea2073afb0d0b (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 679adc119f2128da80c27359620f36cd3235ee69 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 6a819ca0c9d929a1ea976be4ff2d03d7efa74d1c (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 41b08a7a3817d136729a648a84ced6061f3705e7 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 56785a5511adef455cc7d9a0966ec18ccfdf7028 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 49368b04e033ac2ec4538be3088adf2826edb6b3 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite dd504c9b061c4cedc29d16ad20bcf0b254e56cb6 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 6a46d86829e8f87b288ff85dbdfab8008e809c03 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 671cec28c7b7c4e14ebba942fb0f3fff3248debd (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 0e7ed086864af0763b6bbdb7b6f184e854e9b899 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite a4c14502351f2b114d144f13eacff4c942c15159 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 2af54a12e1ba627f846e8ef1fe6e2b988d8cc7e0 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 29bdec57dfb6ac1d6f8a46922f542a0402d9678a (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 3401d2c10250ad15bf7ede6ddf34d8d8134e45c8 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 7a8994e039abd97f090afd1f36a1e352ba3c18bd (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite ef83df70dbee85296eead5528bbfaf7acadd63ab (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 0f1788c4c653656e6a9908c8ee0900f9dd5a39b0 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite ff4f95ef246422398be2118e4ee2019706d25931 (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite 8f751ee11649ab0bd018c3760e2e5ba895427afd (39/59) (2 seconds passed, remaining 1 predicted)    rm 'denny.jks'
Rewrite cd11fed06f0b89fed349107a1830d71c979f94d9 (59/59) (3 seconds passed, remaining 0 predicted)    rm 'denny.jks'

Ref 'refs/heads/master' was rewritten
Ref 'refs/remotes/origin/master' was rewritten
WARNING: Ref 'refs/remotes/origin/master' is unchanged
Ref 'refs/remotes/origin/waps' was rewritten
Ref 'refs/remotes/origin/waps_baiduad' was rewritten

4. 把denny.jks加到.gitignore以防以后又誤操作添加這個(gè)文件赏淌。

Dennys-MacBook-Pro:YoukuSc2Videos denny$ echo "denny.jks"  >> .gitignore
Dennys-MacBook-Pro:YoukuSc2Videos denny$ git add .gitignore 
Dennys-MacBook-Pro:YoukuSc2Videos denny$ git commit -m "add denny.jks to .gitignore"
[master aa4b3fd] add denny.jks to .gitignore
 1 file changed, 1 insertion(+)

5. 切到每個(gè)分支和tag踩寇，確保都已經(jīng)成功清除denny.jks

6. 強(qiáng)制把本地的更改push到git server

Dennys-MacBook-Pro:YoukuSc2Videos denny$ git push origin --force --all
Counting objects: 361, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (202/202), done.
Writing objects: 100% (361/361), 11.22 MiB | 47.00 KiB/s, done.
Total 361 (delta 172), reused 251 (delta 98)
To https://git.oschina.net/dengyin2000/YoukuSc2Videos.git
 + 0f1788c...aa4b3fd master -> master (forced update)

7. 強(qiáng)制push tags

這里我這個(gè)sample工程并沒(méi)有tags，所有并沒(méi)有出現(xiàn)push六水。

Dennys-MacBook-Pro:YoukuSc2Videos denny$ git push origin --force --tags
Everything up-to-date

8. 最后告訴你的同事使用rebase而不是使用merge來(lái)更新他們分支俺孙。如果使用merge可能會(huì)覆蓋你之前做的清理工具。

9. 大家還可以使用BFG Repo-Cleaner這個(gè)工具來(lái)清除git倉(cāng)庫(kù)中的敏感信息文件缩擂，使用這個(gè)工具會(huì)比用git filter-branch命令更快鼠冕，但是靈活性差一點(diǎn)。

Reference：Removing sensitive data from a repository