[Fix] sops multi recipient for age encryption #966
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I would love to get some traction on this by the new maintainer @rforsythe / @ajvb |
ajvb
reviewed
Mar 18, 2022
ajvb
reviewed
Mar 18, 2022
…ipients
I encountered an issue when I tried so specify multiple age recipients
in the .sops.yaml config file of my repository.
I tried running `sops --age 'agePubKey1,agePubKey2' -e -i values.secret.yaml`
which produced an appropriate file with two entries in the `/sops/age/-`
part of the encrypted yaml file.
However, I then continued to set multiple recipients in my .sops.yaml
file to simplify handling:
```yaml
creation_rules:
- encrypted_regex: '^(data|stringData|spec)$'
age: 'agePubKey1,agePubKey2'
```
However, this resulted in encryption only being done for the first
specified agePubKey, not the second or third one.
After digging a bit trough the code, I think this should fix it.
I verified the fix locally on my machine and got it working. Also adding
some unit tests and extending the repository examples so they can be
decrypted using the age keys provided in `age/keys.txt`
Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
In [this](#966 (comment)) comment it was proposed to make `masterKeyFromRecipient` private to avoid reintroducing this bug in the future. Since I agree with the Idea, this change will make the mehtod private and update all unit-tests to use the `MasterKeysFromRecipients` method instead. Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
ajvb
reviewed
Mar 21, 2022
Adding tests to verify we do not break the usage of a single AGE key Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
ajvb
approved these changes
Mar 22, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fixes a bug with age encryption when specifying multiple age recipients
I encountered an issue when I tried so specify multiple age recipients
in the .sops.yaml config file of my repository.
I tried running
sops --age 'agePubKey1,agePubKey2' -e -i values.secret.yamlwhich produced an appropriate file with two entries in the
/sops/age/-part of the encrypted yaml file.
However, I then continued to set multiple recipients in my .sops.yaml
file to simplify handling:
However, this resulted in encryption only being done for the first
specified agePubKey, not the second or third one.
After digging a bit trough the code, I think this should fix it.
I verified the fix locally on my machine and got it working.
Signed-off-by: Cedric Kienzler github@cedric-kienzler.de