Pull in 4 years of changes from upstream repo #1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adds support for publishing to vault using KV v1 and a different mount name (or multiple).
…s to a child process (#504) * first pass: add --exec flag * fix spacing * subcommand for exec as well as other bits n bobs --placeholder to pass files to child procs (similar to `find(1)`'s -exec flag) --background to background processes if you don't need them to be interactive * break the 2 execs into 2 subcommands * add a non-fifo option for people who like files instead * added a setuid flag just in case * oups, used the wrong functions * Update README.rst * typo
* Changes to travis config and docs for using develop (#462) * Fixes integration tests in travis to not run on PR's (they will now run on merges into `develop` and `master`) * Change README.rst and CONTRIBUTING.md to reflect the use of `develop` as the primary development branch * use golang 1.12 for building sops * pgp/keysource: Check size of key fingerprint Make sure the key fingerprint is longer than 16 characters before slicing it. Closes #463 * Allow set "json value" to be a string. (#468) * Allow set "json value" to be a string. Adds back support for string values in --set, while retaining support for yaml multidoc that caused this bug. Fixes #461 * Add functional test for --set'ing strings * Vendoring update (#472) It's been around 9 months since our last vendor update. This is also needed for some new features being worked on for sops workspace. Additionally, this PR regenerates the kms mocks. * Remove duplicate sentence from readme (#475) * 3.3.1 bump and release notes (#477)
3.4.0 (develop -> master)
Merge typo and release build fix for 3.4.0
Revert exec command for 3.4.0 release
fix --encrypted-regex documentation
* first pass: add --exec flag * fix spacing * subcommand for exec as well as other bits n bobs --placeholder to pass files to child procs (similar to `find(1)`'s -exec flag) --background to background processes if you don't need them to be interactive * break the 2 execs into 2 subcommands * add a non-fifo option for people who like files instead * added a setuid flag just in case * oups, used the wrong functions * Update README.rst * typo * first attempt at separating out windows/unix functionality * add the caveat about windows * windows: make sure --no-fifo is being used and warn when it's not * stray fixes * switch to logrus, break out the command builder, and remove /tmp/ default
Document how to operate on stdin
Add note about mandatory keys rotation when using --add-* options.
document updatekeys command
fix for #548 - handle .ini files in `decrypt.Data`, add other helper
* Sanitize hostname used for AWS STS role session name From official docs for --role-session-name (https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html): > The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@- This fixes #441, which occurs when the hostname includes spaces and parentheses * pr notes: wrap STS role session name regex compilation error
Previous setup relied implicitly of the correct file to be there. Introduction of arm64 builds broke that implicit assumption.
Explicitly build linux amd64 binary
Remove duplicated stage from Dockerfile.alpine
…ipients
I encountered an issue when I tried so specify multiple age recipients
in the .sops.yaml config file of my repository.
I tried running `sops --age 'agePubKey1,agePubKey2' -e -i values.secret.yaml`
which produced an appropriate file with two entries in the `/sops/age/-`
part of the encrypted yaml file.
However, I then continued to set multiple recipients in my .sops.yaml
file to simplify handling:
```yaml
creation_rules:
- encrypted_regex: '^(data|stringData|spec)$'
age: 'agePubKey1,agePubKey2'
```
However, this resulted in encryption only being done for the first
specified agePubKey, not the second or third one.
After digging a bit trough the code, I think this should fix it.
I verified the fix locally on my machine and got it working. Also adding
some unit tests and extending the repository examples so they can be
decrypted using the age keys provided in `age/keys.txt`
Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
In [this](#966 (comment)) comment it was proposed to make `masterKeyFromRecipient` private to avoid reintroducing this bug in the future. Since I agree with the Idea, this change will make the mehtod private and update all unit-tests to use the `MasterKeysFromRecipients` method instead. Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
Adding tests to verify we do not break the usage of a single AGE key Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
[Fix] sops multi recipient for age encryption
Allow empty maps for yaml (#907)
Build alpine container in CI (#870)
Use latest dockerd in CI to allow build alpine image (#870)
This allows for easier injection of your own (local) key service server implementation, in situations where e.g. you do not want to rely on environment variables or other runtime defaults. It is not of impact to end-users, but improves the experience of developers making use of SOPS as an SDK to e.g. provide decryption services to users. As they will now in many cases end up copying this bit of code to make this precise change. Signed-off-by: Hidde Beydals <hello@hidde.co>
Originally fixed by @SinisterMinister Fixes #741
Limit role session name length to 64 characters.
keyservice: accept KeyServiceServer in LocalClient
Version past CVE-2022-27191. Signed-off-by: Hidde Beydals <hello@hidde.co>
Latest API clients are (most) often greatest. Signed-off-by: Hidde Beydals <hello@hidde.co>
Signed-off-by: Hidde Beydals <hello@hidde.co>
Signed-off-by: Hidde Beydals <hello@hidde.co>
As `golang.org/x/crypto/openpgp` has been deprecated (see golang/go#44226 for details). Signed-off-by: Hidde Beydals <hello@hidde.co>
Solve CVE-2022-27191 and replace x/crypto/openpgp
Support for GCP Service Account as JSON or Path in Default Application Credentials
prep for v3.7.3
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull in all the new changes from the parent repo