
[Fix] sops multi recipient for age encryption #966

Merged
merged 3 commits into from
Mar 22, 2022

Conversation

cedi (Contributor) commented Dec 12, 2021

This fixes a bug with age encryption when specifying multiple age recipients

I encountered an issue when I tried to specify multiple age recipients
in the .sops.yaml config file of my repository.

I tried running sops --age 'agePubKey1,agePubKey2' -e -i values.secret.yaml
which produced an appropriate file with two entries in the /sops/age/-
part of the encrypted yaml file.

However, I then continued to set multiple recipients in my .sops.yaml
file to simplify handling:

```yaml
creation_rules:
  - encrypted_regex: '^(data|stringData|spec)$'
    age: 'agePubKey1,agePubKey2'
```

However, this resulted in encryption only being done for the first
specified agePubKey, not the second or third one.

After digging a bit through the code, I think this should fix it.

I verified the fix locally on my machine and got it working.

Signed-off-by: Cedric Kienzler [email protected]

cedi (Contributor, Author) commented Mar 15, 2022

I would love to get some traction on this by the new maintainer @rforsythe / @ajvb

@ajvb ajvb changed the base branch from master to develop March 18, 2022 19:07
@ajvb ajvb self-requested a review March 18, 2022 19:07
Review thread on README.rst (outdated, resolved)
Review thread on age/keysource_test.go (outdated, resolved)
@cedi cedi changed the base branch from develop to master March 20, 2022 21:42
cedi added 2 commits March 20, 2022 22:49
…ipients

I encountered an issue when I tried to specify multiple age recipients
in the .sops.yaml config file of my repository.

I tried running `sops --age 'agePubKey1,agePubKey2' -e -i values.secret.yaml`
which produced an appropriate file with two entries in the `/sops/age/-`
part of the encrypted yaml file.

However, I then continued to set multiple recipients in my .sops.yaml
file to simplify handling:

```yaml
creation_rules:
  - encrypted_regex: '^(data|stringData|spec)$'
    age: 'agePubKey1,agePubKey2'
```

However, this resulted in encryption only being done for the first
specified agePubKey, not the second or third one.

After digging a bit through the code, I think this should fix it.

I verified the fix locally on my machine and got it working. Also adding
some unit tests and extending the repository examples so they can be
decrypted using the age keys provided in `age/keys.txt`

Signed-off-by: Cedric Kienzler <[email protected]>
In [this](#966 (comment)) comment
it was proposed to make `masterKeyFromRecipient` private to avoid
reintroducing this bug in the future.
Since I agree with the idea, this change will make the method private
and update all unit-tests to use the `MasterKeysFromRecipients` method
instead.

Signed-off-by: Cedric Kienzler <[email protected]>
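The failure mode described in the PR description and in this commit message is that a comma-separated recipient list from `.sops.yaml` was handed to a single-recipient constructor, so only the first key was ever used. The following Go snippet is an added illustration of the behaviour a shared list-parsing entry point should have; it is not sops's own code, and the `MasterKey` type, the validation rules and the `age1...` sample recipients are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// MasterKey is a stand-in for the per-recipient record sops writes under the
// sops.age section of an encrypted file (hypothetical type, not sops's own).
type MasterKey struct {
	Recipient string
}

// MasterKeysFromRecipients turns the comma-separated list accepted by `--age`
// and by the `age:` key of a creation rule into one MasterKey per recipient.
// Routing both the CLI flag and the config file through this one function is
// what prevents the "only the first recipient is encrypted to" regression.
func MasterKeysFromRecipients(commaSeparatedRecipients string) ([]MasterKey, error) {
	var keys []MasterKey
	seen := map[string]bool{}
	for _, r := range strings.Split(commaSeparatedRecipients, ",") {
		r = strings.TrimSpace(r)
		if r == "" {
			continue // tolerate "a,,b" and a trailing comma (assumed policy)
		}
		// age public keys are bech32 strings with the "age1" prefix; a full
		// bech32 checksum validation is omitted here for brevity.
		if !strings.HasPrefix(r, "age1") {
			return nil, fmt.Errorf("invalid age recipient %q: expected an age1... public key", r)
		}
		if seen[r] {
			continue // the same recipient twice would just duplicate the entry
		}
		seen[r] = true
		keys = append(keys, MasterKey{Recipient: r})
	}
	if len(keys) == 0 {
		return nil, errors.New("no age recipients given")
	}
	return keys, nil
}

func main() {
	// Constructed placeholder recipients, not real age public keys.
	keys, err := MasterKeysFromRecipients("age1examplerecipientone, age1examplerecipienttwo")
	fmt.Println(len(keys), "recipients parsed, err:", err)
}
```

Asserting on `len(keys)` for a two-recipient list, as the PR's added unit tests do, is the check that catches this class of bug before it silently narrows who can decrypt a file.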
@ajvb ajvb changed the base branch from master to develop March 21, 2022 20:02
Adding tests to verify we do not break the usage of a single AGE key

Signed-off-by: Cedric Kienzler <[email protected]>
@ajvb ajvb merged commit 66090e7 into getsops:develop Mar 22, 2022