sopssecretgenerator can't decrypt files encrypted with sops v3.6.0 #12

Closed
davidcaste opened this issue Aug 3, 2020 · 9 comments

@davidcaste

I think it's related to #10, but this time with sops v3.6.0.

I created a minimal kustomize project using sopssecretgenerator like the following:

➜ cat <<EOF > kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

generators:
- secret_generator.yaml
EOF

➜ cat <<EOF > secret_generator.yaml 
apiVersion: goabout.com/v1beta1
kind: SopsSecretGenerator
disableNameSuffixHash: false
metadata:
  name: foo
  namespace: default
envs:
  - secrets.env
EOF

➜ cat <<EOF > secrets.env       
FOO=bar
EOF

➜ cat <<EOF > .sops.yaml 
creation_rules:
  - path_regex: secrets.env
    pgp: '<REDACTED>'
EOF

If I encrypt the secret using sops v3.5.0 it just works:

➜ sops --version
sops 3.5.0
[info] sops 3.6.0 is available, update with `go get -u go.mozilla.org/sops/v3/cmd/sops`
➜ sops -e -i secrets.env
➜ kustomize build --enable_alpha_plugins .
apiVersion: v1
data:
  FOO: J2Jhcic=
kind: Secret
metadata:
  name: foo-k775dmfktf
  namespace: default

But if I try the same with sops v3.6.0 it fails:

➜ sops --version
sops 3.6.0 (latest)
➜ sops -e -i secrets.env
➜ kustomize build --enable_alpha_plugins .
Error: env source "secrets.env": sops could not decrypt: parsing time "'2020-08-03T09:57:03Z'" as "2006-01-02T15:04:05Z07:00": cannot parse "'2020-08-03T09:57:03Z'" as "2006"
Error: failure in plugin configured via /tmp/kust-plugin-config-485675452; exit status 2: exit status 2

If you need any more information to reproduce this bug, please let me know!

Thank you very much for your project, I really love it!

@davidcaste
Author

I generated some encrypted files using different sops versions, and I found the following:

sops v3.4.0:

sops_lastmodified=2020-08-03T10:22:11Z
sops_mac=ENC[AES256_GCM,data:3bSn696bvmrYw74zsRXqH1Mcq/NnsHbpT4k/0kJcBP4d9VWBjwv2M2awPklSmkwAi+qMzoe/Iusaaydn2v957Mp9lN63rYNnbBNW7Ua2Zf7bojqZpAjgGyNM/bpSzFnt+LFCNdI8S5mDsoMpaN8pQD8cwKMPcvsSWD4KC+0QsP8=,iv:ma/+KNlaiqLica0XaqSOusOYJ0ZqoA9ZZVeDYYc9XDE=,tag:naAdMi37u8+yKA+Rd5VVPQ==,type:str]
sops_pgp__list_0__map_created_at=2020-08-03T10:22:10Z
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMAzZOKXOUxSLGAQ/9EUO4IA7EAlwixPxavxrdHxUlB+hvHEIOtOGDCPUVIQrs\n7M5WxkyWGqOMj8CNIB0ywtXgnNtRXmUFigJvM5Zq2Gb1u5En8V+U1/XfI2PQ6jcc\nn93NlrIH1tt6L+UFgdMIHpcfKh2i8hT6IT3jf5xFhZE49QFsppRlUey4rxw1b2ld\nC2VRcOdi086c9MHQzzvmsJSwb3ZpPDWMne3j/d5NwAm2Q01inQpQ00kNUqCovXVo\nn5UW+R20Q51yPwbwYeTiRQI5sl6Hf88AEZoQ/h/B3DZVuXBbclrmKncDsHSo9U15\n/Qlm4eTp5qS0KRe1txk5Pe1l8fv2hFq4XOldTkILz8R1pZ1giwxja3c7ANkqp9TH\nQ7Y+E8ERMHsr42GPyM+J/vhdlfBIYLocGTtZHDeI0irFjnvml0eQNVsW98OT1GnD\nqxisDpLwAcU3Vdez11Uve65x70DxcSz1eEbKpgBWCmG3LSwu9Z1/sAKVS1C26RJ8\nOjrk8RMbWBanvhlWr1a3IAi1oBdSlhRw/Qv1hIx+zRFE+BP3QrWnB/UVLL6Q6rCO\nm1oR1C/D1klCYQ7CWpaRLxx7KGasfznXpgc06jTmTkzjlvEratRZ/4NamjNbEgx6\njZeWBBP8m/pg0faBPt4QSaGXqBvEX2kCCY6r41pm8MujvL1CjPqCBxOwhn5XXgnS\nXgH8eW0gcyJE4wS/qepCWIbDzGHYOx17XvgEUnTaUruXt33gUGmT66I8+VXrhUr8\nRdKUIB2VdXgUNUEXN4/8jbSzJqD6C6B8AKdZI3dHtTFPyUze8NBZRi0/H2z5EVc=\n=AdtU\n-----END PGP MESSAGE-----\n
sops_pgp__list_0__map_fp=8924FB635B1F2DA579F11D31D099648AA823F4AE
sops_unencrypted_suffix=_unencrypted
sops_version=3.4.0

sops v3.5.0:

sops_lastmodified=2020-08-03T10:21:29Z
sops_mac=ENC[AES256_GCM,data:fzRjTy0Wi179l6CR6iK2zc1zqPlikkodFCVsiQs99n+qdRAWWhQ655KHt1Eq3PcsjhMKppmoRpDTHTELdKW+9ugn+YdmxENorIysIrtPQI3iQfY/v1Np8A6/WcP8i31a2wLcSV6IYVsxoMrDjGOSlZX/RCamfiVliOpJ1CWw56o=,iv:gy8A9Rf8bcOcFog49ooLrmjlXoC/StQYY6kvVM0V6Nc=,tag:1UnOaYTmEanwTGnNG0QNIQ==,type:str]
sops_pgp__list_0__map_created_at=2020-08-03T10:21:28Z
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMAzZOKXOUxSLGAQ//f17TYkt4/Ul4Hd7EkDtUNq5pwjg4bwk970xeyXP0XpkC\nwoAA3V4djai3z1PJb3uouILHs1et6Wg+1U+s0QPjLHdpYz2IPRoPDuPYmFKl0L2k\nypcR5QvAL+GKaGduDqmhoM8lVdckfHhAfxqRqHt0+0MdDzyYRkCnyU9TN/CSC9wq\nEZZjjbJ6S8M1B5ypVYBtJTIvUaGulcOzd+YDKnlAArEsXvKiarjHOr9jnUz6Mz92\nPnpVr3NEGS5yKllL0vCMruQH2orlaBjugL7U33HO8k7el6VtSDoepBXgZAaD67XD\nLt22brQNJI1TE4mDSA3g8ywa9Jyx5VbfdpqGcslHrb2atmY7EZyzHsqmBUqgFMeG\n1O3wmn7bdYk7DsxeMAojfazvSgLwfDHfRmr2vFwvI5O8oCyN5jyr14/dO8ValXNP\nZwZ0GKQjWFDvlstCVjWKcvM5A9OAuGEQAL55z6mZQRZkW+SXY1zpa/lqSBqjjsiP\n533GtG4FpLy+VywiRaEEwLmOmJod1+PFyCQmQVwfuF3a22NSkpm/hDkYALNfG+3I\nAP8YWjI9RqbibMHLo1RKg+LgE9d9SA68/BNEuaj/ZF0lkzHS6xDBbw4iJ2SOjb5d\n0Fc1oaUqmHQDFCOqxokbXOTJb18Nm3K+kObe4p2bTHa5RH9fBTkk6urRRhY5gATS\nXAG6n15MVUbTF5AMy8Mbkrtzk57FcW6z9OojYPtPmfpNqYzAdQYVUAoa9LNG0YX/\ngsJwq5Ox8pbwGOjAkHz1o+ATK8ABVGyURv51VDiwQHPaBzo/G9utUlOh7LMw\n=At++\n-----END PGP MESSAGE-----\n
sops_pgp__list_0__map_fp=8924FB635B1F2DA579F11D31D099648AA823F4AE
sops_unencrypted_suffix=_unencrypted
sops_version=3.5.0

sops v3.6.0:

sops_lastmodified='2020-08-03T10:21:18Z'
sops_mac='ENC[AES256_GCM,data:H0CZVB6x4HKNU0nH0Er4DCaHqH36cx9Mb/TBNSYgnSCyFS8NwXGFw1MvvrMhHzuSraTzxsKtoCZh1aiQh8XJZ4kIDw9An3VUar6kVuDq170yWnggHV+TeRZi+QtJaBIpOoOyF3R4Dtin8c6DpYVcc2QiCMZPORmKmG6Tjku/jyA=,iv:XlPryWbyi9piCsnM4sIryGw2lb3fmMI5+TCTev/FBSQ=,tag:Z4S02UVY1+9whfM6L6DQ1A==,type:str]'
sops_pgp__list_0__map_created_at='2020-08-03T10:21:17Z'
sops_pgp__list_0__map_enc='-----BEGIN PGP MESSAGE-----\n\nhQIMAzZOKXOUxSLGAQ/+ORWLzy4Yuiakip1c0lybgVbhne/6tD78YVmV2uN6kabh\nZ0FPlHZDKNeeykVa4ItbP77qtd2It+RKI3pCsX+KRIX/jZc7Gzol65BvpMeUsaJL\np0c2ZcLujKj77a/u+UO8oBo9QyZQd093G//7gLi3b2rZoxWBgYvpg2GiO1ssIt1q\nlDI1errU7U/XeG6wXvXb9BdTxaKHOoRhDXZhiS6+CMojk9zVmU6rmNRqoIDjwHzy\nkDhp4c8wxVpMaPsPmILohD3h4+m1Iorr6HCXEtnXTA3Y4i6zCmn9aHHnDt4CNtaV\n3cVzIjZ9nUBCNMF53Ff12SWhhpckD0/WrvpvPyAx21EaTmKMmWLyxV3CQYIAGeCT\n5+DZOuKOnpQetKzU1mxDD08GChQ5a/gClChM1vp65obva+QfZSPp1bZYCNxnHRTW\nwVwPNx/8PLx8EVZlgDIUeqmgppTax7qzkG/1HZBWgDFC6Vhgw+sHQ0sWwOdmZhgF\n7ZFFegxChmUiNFaycTc22E4uQ0/KK7t6kbKPPC6YCxDhDQV1//w/1pWWFft9Uoh9\nvyw2BsbWSJcX5ibZ+rp123iN8jsFq0Gb9HlIsCGMhJsez0Wt3U7drTGs1dUSHRXM\nAly3M6VYcpjZ8lCGGxl5xI5tyzYpjtxy/f38q9aJMZ6LQExOqwdg9uNkO4DtIWLS\nXgGe7Wn7ZG34bEQDwA2QyVj4A2TSQ5mKepaAKHurQJ0U0CicByqcxuzBC7MXocUO\neSROm6b6W6YCeuDDtlH52pi7hEdrPpJU0fcE+dglM88JZYsZ2xpNcJUxr59wa2M=\n=iK7Y\n-----END PGP MESSAGE-----\n'
sops_pgp__list_0__map_fp='8924FB635B1F2DA579F11D31D099648AA823F4AE'
sops_unencrypted_suffix='_unencrypted'
sops_version='3.6.0'

At least in my case, sops v3.4.0 and v3.5.0 don't produce the single quotes, which v3.6.0 does. After reading #10 it seems the problem is still the same, the single quotes. It seems to me this MR in the sops repository (getsops/sops#622) is related to this problem.

HTH!
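The failure reported above can be reproduced in isolation. This is an added example, not code from sopssecretgenerator or sops: it feeds the `sops_lastmodified` lines from the v3.5.0 and v3.6.0 dumps to Go's RFC 3339 parser (the layout named in the error message), first as written and then with one pair of surrounding single quotes stripped. The names `parseMeta` and `lastModified` are hypothetical, and the unquoting rule is an assumption for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Sample metadata trimmed from the dumps in this issue: the same two keys
// as written by sops v3.5.0 (bare values) and v3.6.0 (single-quoted values).
const (
	metaV350 = "sops_lastmodified=2020-08-03T10:21:29Z\nsops_version=3.5.0\n"
	metaV360 = "sops_lastmodified='2020-08-03T10:21:18Z'\nsops_version='3.6.0'\n"
)

// parseMeta (hypothetical helper) splits KEY=VALUE lines. With unquote set,
// it strips one pair of surrounding single quotes from each value.
func parseMeta(doc string, unquote bool) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(doc, "\n") {
		i := strings.IndexByte(line, '=')
		if i < 0 {
			continue // blank or malformed line
		}
		k, v := line[:i], line[i+1:]
		if unquote && len(v) >= 2 && v[0] == '\'' && v[len(v)-1] == '\'' {
			v = v[1 : len(v)-1]
		}
		out[k] = v
	}
	return out
}

// lastModified parses sops_lastmodified with the RFC 3339 layout
// ("2006-01-02T15:04:05Z07:00") that appears in the reported error.
func lastModified(doc string, unquote bool) (time.Time, error) {
	return time.Parse(time.RFC3339, parseMeta(doc, unquote)["sops_lastmodified"])
}

func main() {
	for _, doc := range []string{metaV350, metaV360} {
		_, strictErr := lastModified(doc, false)
		t, err := lastModified(doc, true)
		fmt.Printf("strict: %v\nunquoted: %v (err: %v)\n\n", strictErr, t, err)
	}
}
```

A reader that takes the value verbatim rejects the v3.6.0 file before any decryption is attempted, which is why the error surfaces as "sops could not decrypt" even though the key material is fine.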

@jcassee
Contributor

jcassee commented Aug 4, 2020

Thanks for the extensive research, @davidcaste. It's probably just a matter of updating the sops dependency. I'll look into it soon.

@jcassee
Contributor

jcassee commented Aug 4, 2020

Should be fixed in fd68b7a. I'll release as 1.3.1 shortly.

@jcassee
Contributor

jcassee commented Aug 4, 2020

Should be fixed in version 1.3.1. Thanks again @davidcaste

@jcassee jcassee closed this as completed Aug 4, 2020
@jcassee
Contributor

jcassee commented Aug 4, 2020

I just found out that the quoting behavior creates problems for other users of sops, and will be reverted: getsops/sops#706

They are going to pretend 3.6.0 never existed. If that happens I will revert fd68b7a.

@davidcaste
Author

What you propose makes a lot of sense. Let's just wait for sops to release v3.6.1!!

Thank you very much @jcassee !

@bburky

bburky commented Sep 14, 2020

Sops v3.6.1 has been released now: https://github.com/mozilla/sops/releases/tag/v3.6.1

@jcassee
Contributor

jcassee commented Sep 15, 2020

@bburky @davidcaste The fix is in commit 03051c6. I'll release a new version shortly.

@jcassee
Contributor

jcassee commented Sep 15, 2020

Released as 1.3.2
