-
Notifications
You must be signed in to change notification settings - Fork 889
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pgp: modernize and improve, and add tests #1054
Conversation
@ajvb please have a look. As you can see, introduction of configuration of the If I can get a sense of the general direction we wanted to head at, the other implementations could follow quickly. Thanks ✨ |
@hiddeco can you describe what changes this makes for the user after this is merged? e.g.
Actually, I'm not really sure I know the answers for the current version 😞 my guesses:
|
The PGP look-up via a server is no longer possible, so the key is indeed expected to exist in the user their key ring. However, this can be re-added. Our implementation does not require it, so I did not include it while writing it based on SOPS' own. Besides this, it changes very little for a CLI user:
The strength in this PR is mostly in the fact that:
You can see an example of the latter here. As we are running decryption operations for multiple tenants in the same process, we can't rely on the Implementing this would help us (and potentially quite some others) in not having to write their forked key service implementations to control the decryption process using a local server. |
Thanks for the clarification! So no change to user experience beyond enforcing the previously announced deprecation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left a few comments but this is looking great to me!
This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
Signed-off-by: Hidde Beydals <hello@hidde.co>
Signed-off-by: Hidde Beydals <hello@hidde.co>
// SopsGpgExecEnv to the absolute path of the replacement binary. | ||
func gpgBinary() string { | ||
binary := "gpg" | ||
if envBinary := os.Getenv(SopsGpgExecEnv); envBinary != "" && filepath.IsAbs(envBinary) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ajvb did a last comparison round, and we introduced this stricter behavior on the environment variable to ensure nothing magical is injected. Any concerns this may break things for people?
This has now tests added for OpenPGP as well, plus some coverage around the fallback behavior, etc. If there are no other concerns, it should be OK to merge. |
Signed-off-by: Hidde Beydals <hello@hidde.co>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Exciting! Merging in here shortly. I'll do some additional functional testing prior to our next release.
@hiddeco looks like this added Will try and followup with them; but I think you'll have a few people coming in with various confusing error messages. |
This replaces the current PGP keysource implementation with a modernized
version the Flux project has been using.
It includes utilities to configure the MasterKey via other means than
environment variables, to allow SDK users to have extensive control
over what things are decrypted with. This can for example be combined
with an own keyserver implementation.
To be able to contribute it back upstream while keeping it backwards
compatible with SOPS, a couple of changes have been made compared to
Flux:
GnuPG, it can now be disabled.
on this in-code, as I am not quite sure to what extend it is used
at the moment, as it will not work on most setups (GnuPG <2.1 was
released in 2017.)
by SDK users. This would add more reason to keep OpenPGP around, if
they are able to produce the keyring files themselves via other means
than GnuPG.
to account for GnuPG >=2.1 merging the sec keyring into pub keyring.
added back if we need to keep it around for a little longer.
The Flux version of this has compatibility tests with current SOPS: