v3.7.3 #1056

Merged
merged 36 commits into from
May 9, 2022

Conversation

@ajvb ajvb commented May 9, 2022

No description provided.

ikedam and others added 30 commits July 24, 2021 15:29
Previous setup relied implicitly on the correct file being there. Introduction of arm64 builds broke that implicit assumption.
Explicitly build linux amd64 binary
Remove duplicated stage from Dockerfile.alpine
…ipients

I encountered an issue when I tried to specify multiple age recipients
in the .sops.yaml config file of my repository.

I tried running `sops --age 'agePubKey1,agePubKey2' -e -i values.secret.yaml`
which produced an appropriate file with two entries in the `/sops/age/-`
part of the encrypted yaml file.

However, I then continued to set multiple recipients in my .sops.yaml
file to simplify handling:

```yaml
creation_rules:
  - encrypted_regex: '^(data|stringData|spec)$'
    age: 'agePubKey1,agePubKey2'
```

However, this resulted in encryption only being done for the first
specified agePubKey, not the second or third one.

After digging a bit through the code, I think this should fix it.

I verified the fix locally on my machine and got it working. Also adding
some unit tests and extending the repository examples so they can be
decrypted using the age keys provided in `age/keys.txt`

Signed-off-by: Cedric Kienzler <[email protected]>
In [this](#966 (comment)) comment
it was proposed to make `masterKeyFromRecipient` private to avoid
reintroducing this bug in the future.
Since I agree with the idea, this change will make the method private
and update all unit-tests to use the `MasterKeysFromRecipients` method
instead.

Signed-off-by: Cedric Kienzler <[email protected]>
Adding tests to verify we do not break the usage of a single AGE key

Signed-off-by: Cedric Kienzler <[email protected]>
[Fix] sops multi recipient for age encryption
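The three commits above describe the bug (a comma-separated `age:` value in a creation rule only producing a master key for the first recipient) and the fix. The following is an added example, not SOPS's own code: it shows the recipient-list parsing a fix of this kind needs (trim, drop blanks, validate shape, dedupe, keep every entry), and a post-encryption check a practitioner would want, namely reading the `sops.age` stanza of an encrypted file and reporting every configured recipient that has no wrapped data key. Assumptions: the file is in SOPS's JSON format (the same `recipient`/`enc` entries the YAML output carries under `/sops/age/-`), only native age X25519 recipients are considered (so a 62-character `age1...` bech32 string; the checksum is not verified here), and the two recipients and both encrypted outputs are constructed placeholders, not real keys or real sops output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// bech32Charset is the alphabet age uses for its X25519 public keys.
const bech32Charset = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

// checkAgeRecipient rejects anything not shaped like a native age X25519
// public key: "age1" followed by 58 bech32 characters (62 in total).
// Shape only: the bech32 checksum is assumed to be verified by the age
// library when the key is actually used.
func checkAgeRecipient(r string) error {
	if !strings.HasPrefix(r, "age1") {
		return fmt.Errorf("recipient %q does not start with age1", r)
	}
	if len(r) != 62 {
		return fmt.Errorf("recipient %q has length %d, want 62", r, len(r))
	}
	for i, c := range r[4:] {
		if !strings.ContainsRune(bech32Charset, c) {
			return fmt.Errorf("recipient %q: invalid character %q at offset %d", r, c, i+4)
		}
	}
	return nil
}

// ageRecipientsFromRule splits the comma-separated value of a creation rule's
// `age:` key (the same string --age accepts) into individual recipients.
// Items are trimmed and validated, blanks skipped and duplicates collapsed,
// so the caller gets one entry per distinct recipient, not only the first.
func ageRecipientsFromRule(value string) ([]string, error) {
	var out []string
	seen := make(map[string]bool)
	for _, raw := range strings.Split(value, ",") {
		r := strings.TrimSpace(raw)
		if r == "" {
			continue
		}
		if err := checkAgeRecipient(r); err != nil {
			return nil, err
		}
		if seen[r] {
			continue
		}
		seen[r] = true
		out = append(out, r)
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("no age recipients found in %q", value)
	}
	return out, nil
}

// sopsAgeEntry mirrors one item of the sops.age list in an encrypted file:
// the recipient and the file data key wrapped for that recipient.
type sopsAgeEntry struct {
	Recipient string `json:"recipient"`
	Enc       string `json:"enc"`
}

type sopsFile struct {
	Sops struct {
		Age []sopsAgeEntry `json:"age"`
	} `json:"sops"`
}

// missingRecipients reads the sops metadata of an encrypted JSON file and
// returns every configured recipient that has no wrapped data key in it.
// An empty result means each recipient in the rule can decrypt the file.
func missingRecipients(encrypted []byte, configured []string) ([]string, error) {
	var f sopsFile
	if err := json.Unmarshal(encrypted, &f); err != nil {
		return nil, fmt.Errorf("parsing sops metadata: %w", err)
	}
	wrapped := make(map[string]bool)
	for _, e := range f.Sops.Age {
		if e.Enc == "" {
			return nil, fmt.Errorf("recipient %s has an empty enc field", e.Recipient)
		}
		wrapped[e.Recipient] = true
	}
	var missing []string
	for _, r := range configured {
		if !wrapped[r] {
			missing = append(missing, r)
		}
	}
	return missing, nil
}

// Constructed placeholder recipients: correct shape, not real keys.
var (
	recipientA = "age1" + strings.Repeat("q", 58)
	recipientB = "age1" + strings.Repeat("p", 58)
	// Constructed output as produced before the fix: data key wrapped for the
	// first recipient only (armor body elided).
	wrappedForFirstOnly = `{"data":"ENC[AES256_GCM,...]","sops":{"age":[` +
		`{"recipient":"` + recipientA + `","enc":"-----BEGIN AGE ENCRYPTED FILE-----\n...\n-----END AGE ENCRYPTED FILE-----\n"}]}}`
	// Constructed output as expected after the fix: one entry per recipient.
	wrappedForBoth = `{"data":"ENC[AES256_GCM,...]","sops":{"age":[` +
		`{"recipient":"` + recipientA + `","enc":"-----BEGIN AGE ENCRYPTED FILE-----\n...\n-----END AGE ENCRYPTED FILE-----\n"},` +
		`{"recipient":"` + recipientB + `","enc":"-----BEGIN AGE ENCRYPTED FILE-----\n...\n-----END AGE ENCRYPTED FILE-----\n"}]}}`
)

func main() {
	recipients, err := ageRecipientsFromRule(recipientA + ", " + recipientB)
	if err != nil {
		panic(err)
	}
	for name, out := range map[string]string{"before fix": wrappedForFirstOnly, "after fix": wrappedForBoth} {
		missing, err := missingRecipients([]byte(out), recipients)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d configured, %d missing %v\n", name, len(recipients), len(missing), missing)
	}
}
```

Running `missingRecipients` over a freshly encrypted file is a cheap CI gate: it catches a recipient silently dropped by the config parser before the file is committed, which is exactly the failure the commit message reports.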
Use latest dockerd in CI to allow build alpine image (#870)
This allows for easier injection of your own (local) key service server
implementation, in situations where e.g. you do not want to rely on
environment variables or other runtime defaults.

It does not impact end users, but it improves the experience of
developers making use of SOPS as an SDK to e.g. provide decryption
services to users, as they will now in many cases end up copying this
bit of code to make this precise change.

Signed-off-by: Hidde Beydals <[email protected]>
Limit role session name length to 64 characters.
keyservice: accept KeyServiceServer in LocalClient
Version past CVE-2022-27191.

Signed-off-by: Hidde Beydals <[email protected]>
Latest API clients are (most) often greatest.

Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
As `golang.org/x/crypto/openpgp` has been deprecated (see
golang/go#44226 for details).

Signed-off-by: Hidde Beydals <[email protected]>
@ajvb ajvb merged commit e1edc05 into master May 9, 2022
7 participants