getsops/sops
1
0
Fork 0
mirror of https://github.com/getsops/sops.git synced 2026-02-05 12:45:21 +01:00
Code Issues Activity
Files
28cf425c24e035ba9c946e92c5922b507eaf19a5
sops/pgp/keysource.go

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

685 lines
21 KiB
Go
Raw Normal View History

Add documentation to all main packages
2017-09-12 20:01:12 -07:00
/*
Rename Go module to `github.com/getsops/sops/v3` This commit renames the Go module from `go.mozilla.org/sops/v3` to `github.com/getsops/sops/v3` without a major version bump, to align with new stewardship. For more information around this change, refer to https://github.com/getsops/sops/issues/1246. For a one-liner to change the `go.mod` and any import paths in your Go project making use of this module, run: ``` find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \; find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i '' 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \; ``` Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-07-11 21:09:23 +02:00
Package pgp contains an implementation of the github.com/getsops/sops/v3.MasterKey
pgp: add Cleanup util func to GnuPGHome Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-25 23:09:59 +02:00
interface that encrypts and decrypts the data key by first trying with the
github.com/ProtonMail/go-crypto/openpgp package and if that fails, by calling
the "gpg" binary.
Merge branch 'master' into logging
2017-09-16 17:52:14 -07:00
*/
Sort masterkeys according to decryption-order Co-authored-by: Gabriel Martinez <19713226+GMartinez-Sisti@users.noreply.github.com> Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Bastien Wermeille <bastien.wermeille@gmail.com> Co-authored-by: Hidde Beydals <hiddeco@users.noreply.github.com> Signed-off-by: Boris Kreitchman <bkreitch@gmail.com>
2023-11-07 19:28:34 +02:00
package pgp // import "github.com/getsops/sops/v3/pgp"
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
import (
"bytes"
Introduce EncryptContext and DecryptContext for AWS, Azure, GCP, PGP and HashiCorp Vault Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-05-03 13:07:20 +01:00
"context"
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
"encoding/hex"
pgp: better error reporting for missing GPG binary The error returned by `gpgExec` has just been swallowed. Now it is stringified and returned together with any output to stderr. Signed-off-by: Max Jonas Werner <mail@makk.es>
2023-09-15 16:10:06 +02:00
"errors"
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
"fmt"
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
"io"
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
"os"
Replace x/crypto/openpgp with ProtonMail/go-crypto As `golang.org/x/crypto/openpgp` has been deprecated (see golang/go#44226 for details). Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-04-20 20:08:58 +02:00
"os/exec"
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
"os/user"
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
"path/filepath"
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
"strings"
"time"
return lists of pointers to avoid repackaging
2016-10-28 10:04:18 -07:00
Replace x/crypto/openpgp with ProtonMail/go-crypto As `golang.org/x/crypto/openpgp` has been deprecated (see golang/go#44226 for details). Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-04-20 20:08:58 +02:00
"github.com/ProtonMail/go-crypto/openpgp"
"github.com/ProtonMail/go-crypto/openpgp/armor"
pgp: remove `DisableAgent` option This option actually gives a false impression, as disabling the agent is no longer possible since GnuPG 2.x. ``` --use-agent --no-use-agent This is dummy option. gpg always requires the agent. ``` xref: https://www.gnupg.org/documentation/manuals/gnupg24/gpg.1.html Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-09-13 00:04:30 +02:00
gpgagent "github.com/getsops/gopgagent"
Move all loggers to logrus
2017-09-06 17:36:39 -07:00
"github.com/sirupsen/logrus"
Replace deprecated gopass package with term
2022-08-20 15:56:07 +02:00
"golang.org/x/term"
Sort masterkeys according to decryption-order Co-authored-by: Gabriel Martinez <19713226+GMartinez-Sisti@users.noreply.github.com> Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Bastien Wermeille <bastien.wermeille@gmail.com> Co-authored-by: Hidde Beydals <hiddeco@users.noreply.github.com> Signed-off-by: Boris Kreitchman <bkreitch@gmail.com>
2023-11-07 19:28:34 +02:00
"github.com/getsops/sops/v3/logging"
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
)
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
const (
Sort masterkeys according to decryption-order Co-authored-by: Gabriel Martinez <19713226+GMartinez-Sisti@users.noreply.github.com> Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Bastien Wermeille <bastien.wermeille@gmail.com> Co-authored-by: Hidde Beydals <hiddeco@users.noreply.github.com> Signed-off-by: Boris Kreitchman <bkreitch@gmail.com>
2023-11-07 19:28:34 +02:00
// KeyTypeIdentifier is the string used to identify a PGP MasterKey.
KeyTypeIdentifier = "pgp"
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// SopsGpgExecEnv can be set as an environment variable to overwrite the
// GnuPG binary used.
SopsGpgExecEnv = "SOPS_GPG_EXEC"
)
var (
// pgpTTL is the duration after which a MasterKey requires rotation.
pgpTTL = time.Hour * 24 * 30 * 6
// defaultPubRing is the relative path to the pubring in the GnuPG
// home.
// NB: This format is no longer in use since GnuPG >=2.1, which switched
// to .kbx for new installations, and merged secring.gpg into pubring.gpg.
defaultPubRing = "pubring.gpg"
// defaultSecRing is the relative path to the secring in the GnuPG
// home.
// NB: GnuPG >= 2.1 merged this together with pubring.gpg, see
// defaultPubRing.
defaultSecRing = "secring.gpg"
)
// log is the global logger for any PGP MasterKey.
// TODO(hidde): this is not-so-nice for any implementation other than the CLI,
*: address various simple `staticcheck` warnings Deprecation of `io/ioutil`, removal of unused functions, possible nil pointer dereference, and other tiny nits. There are (many) more, but these would require their own (commit) context. Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-08-14 23:35:54 +02:00
// as it becomes difficult to sugar the logger with data for e.g. individual
// processes.
Move all loggers to logrus
2017-09-06 17:36:39 -07:00
var log *logrus.Logger
func init() {
Use logrus features for better logging
2017-09-07 10:49:27 -07:00
log = logging.NewLogger("PGP")
Move all loggers to logrus
2017-09-06 17:36:39 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// MasterKey is a PGP key used to securely store SOPS' data key by
// encrypting it and decrypting it.
Renamed GPGMasterKey and KMSMasterKey to MasterKey
2016-08-23 13:28:56 -07:00
type MasterKey struct {
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// Fingerprint contains the fingerprint of the PGP key used to Encrypt
// or Decrypt the data key with.
Fingerprint string
// EncryptedKey contains the SOPS data key encrypted with PGP.
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
EncryptedKey string
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// CreationDate of the MasterKey, used to determine if the EncryptedKey
// needs rotation.
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
CreationDate time.Time
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// gnuPGHomeDir contains the absolute path to a GnuPG home directory.
// It can be injected by a (local) keyservice.KeyServiceServer using
// GnuPGHome.ApplyToMasterKey().
gnuPGHomeDir string
pgp: allow disabling OpenPGP capabilities Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 00:05:41 +02:00
// disableOpenPGP instructs the MasterKey to skip attempting to open any
// pubRing or secRing using OpenPGP.
disableOpenPGP bool
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// pubRing contains the absolute path to a public keyring used by OpenPGP.
// When empty, defaultPubRing relative to GnuPG home is assumed.
pubRing string
// secRing contains the absolute path to a sec keyring used by OpenPGP.
// When empty, defaultSecRing relative to GnuPG home is assumed.
secRing string
Use KeyService for all encrypt and decrypt operations
2017-08-17 09:36:22 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// NewMasterKeyFromFingerprint takes a PGP fingerprint and returns a new
// MasterKey with that fingerprint.
func NewMasterKeyFromFingerprint(fingerprint string) *MasterKey {
return &MasterKey{
Fingerprint: strings.Replace(fingerprint, " ", "", -1),
CreationDate: time.Now().UTC(),
}
Use KeyService for all encrypt and decrypt operations
2017-08-17 09:36:22 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// MasterKeysFromFingerprintString takes a comma separated list of PGP
// fingerprints and returns a slice of new MasterKeys with those fingerprints.
func MasterKeysFromFingerprintString(fingerprint string) []*MasterKey {
var keys []*MasterKey
if fingerprint == "" {
return keys
Add support for GPG binary
2017-08-23 14:27:11 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
for _, s := range strings.Split(fingerprint, ",") {
keys = append(keys, NewMasterKeyFromFingerprint(s))
}
return keys
Add support for GPG binary
2017-08-23 14:27:11 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// GnuPGHome is the absolute path to a GnuPG home directory.
// A new keyring can be constructed by combining the use of NewGnuPGHome() and
// Import() or ImportFile().
type GnuPGHome string
// NewGnuPGHome initializes a new GnuPGHome in a temporary directory.
// The caller is expected to handle the garbage collection of the created
// directory.
func NewGnuPGHome() (GnuPGHome, error) {
tmpDir, err := os.MkdirTemp("", "sops-gnupghome-")
if err != nil {
return "", fmt.Errorf("failed to create new GnuPG home: %w", err)
pgp/keysource: Check size of key fingerprint Make sure the key fingerprint is longer than 16 characters before slicing it. Closes #463
2019-05-22 14:32:32 +02:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
return GnuPGHome(tmpDir), nil
}
// Import attempts to import the armored key bytes into the GnuPGHome keyring.
// It returns an error if the GnuPGHome does not pass Validate, or if the
// import failed.
Introduce EncryptContext and DecryptContext for AWS, Azure, GCP, PGP and HashiCorp Vault Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-05-03 13:07:20 +01:00
//
// Consider using ImportContext instead.
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
func (d GnuPGHome) Import(armoredKey []byte) error {
Introduce EncryptContext and DecryptContext for AWS, Azure, GCP, PGP and HashiCorp Vault Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-05-03 13:07:20 +01:00
return d.ImportContext(context.Background(), armoredKey)
}
// ImportContext attempts to import the armored key bytes into the GnuPGHome keyring.
// It returns an error if the GnuPGHome does not pass Validate, or if the
// import failed.
func (d GnuPGHome) ImportContext(ctx context.Context, armoredKey []byte) error {
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
if err := d.Validate(); err != nil {
return fmt.Errorf("cannot import armored key data into GnuPG keyring: %w", err)
Add support for GPG binary
2017-08-23 14:27:11 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
args := []string{"--batch", "--import"}
Introduce EncryptContext and DecryptContext for AWS, Azure, GCP, PGP and HashiCorp Vault Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-05-03 13:07:20 +01:00
_, stderr, err := gpgExec(ctx, d.String(), args, bytes.NewReader(armoredKey))
Add support for GPG binary
2017-08-23 14:27:11 -07:00
if err != nil {
pgp: further improve import error format Looking more at this, it would actually be great if we would detect multi-line errors from GnuPG in `Import()`, `Decrypt()` and `Encrypt()` so that we can slightly improve the formatting of the errors with a newline seperator before the `gpg: ...\ngpg: ...` output. As this would likely increase readability. Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-10-10 00:43:08 +02:00
stderrStr := strings.TrimSpace(stderr.String())
pgp: better error reporting for missing GPG binary The error returned by `gpgExec` has just been swallowed. Now it is stringified and returned together with any output to stderr. Signed-off-by: Max Jonas Werner <mail@makk.es>
2023-09-15 16:10:06 +02:00
errStr := err.Error()
var sb strings.Builder
sb.WriteString("failed to import armored key data into GnuPG keyring")
pgp: further improve import error format Looking more at this, it would actually be great if we would detect multi-line errors from GnuPG in `Import()`, `Decrypt()` and `Encrypt()` so that we can slightly improve the formatting of the errors with a newline seperator before the `gpg: ...\ngpg: ...` output. As this would likely increase readability. Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-10-10 00:43:08 +02:00
if len(stderrStr) > 0 {
pgp: better error reporting for missing GPG binary The error returned by `gpgExec` has just been swallowed. Now it is stringified and returned together with any output to stderr. Signed-off-by: Max Jonas Werner <mail@makk.es>
2023-09-15 16:10:06 +02:00
if len(errStr) > 0 {
pgp: further improve import error format Looking more at this, it would actually be great if we would detect multi-line errors from GnuPG in `Import()`, `Decrypt()` and `Encrypt()` so that we can slightly improve the formatting of the errors with a newline seperator before the `gpg: ...\ngpg: ...` output. As this would likely increase readability. Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-10-10 00:43:08 +02:00
fmt.Fprintf(&sb, " (%s)", errStr)
pgp: better error reporting for missing GPG binary The error returned by `gpgExec` has just been swallowed. Now it is stringified and returned together with any output to stderr. Signed-off-by: Max Jonas Werner <mail@makk.es>
2023-09-15 16:10:06 +02:00
}
pgp: further improve import error format Looking more at this, it would actually be great if we would detect multi-line errors from GnuPG in `Import()`, `Decrypt()` and `Encrypt()` so that we can slightly improve the formatting of the errors with a newline seperator before the `gpg: ...\ngpg: ...` output. As this would likely increase readability. Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-10-10 00:43:08 +02:00
fmt.Fprintf(&sb, ": %s", stderrStr)
pgp: better error reporting for missing GPG binary The error returned by `gpgExec` has just been swallowed. Now it is stringified and returned together with any output to stderr. Signed-off-by: Max Jonas Werner <mail@makk.es>
2023-09-15 16:10:06 +02:00
} else if len(errStr) > 0 {
fmt.Fprintf(&sb, ": %s", errStr)
}
return errors.New(sb.String())
Add support for GPG binary
2017-08-23 14:27:11 -07:00
}
return nil
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// ImportFile attempts to import the armored key file into the GnuPGHome
// keyring.
// It returns an error if the GnuPGHome does not pass Validate, or if the
// import failed.
func (d GnuPGHome) ImportFile(path string) error {
b, err := os.ReadFile(path)
Support retrieving PGP keys from keyservers
2017-10-05 13:23:58 -07:00
if err != nil {
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
return fmt.Errorf("cannot read armored key data from file: %w", err)
}
return d.Import(b)
}
pgp: add Cleanup util func to GnuPGHome Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-25 23:09:59 +02:00
// Cleanup deletes the GnuPGHome if it passes Validate.
// It returns an error if the GnuPGHome does not pass Validate, or if the
// removal failed.
func (d GnuPGHome) Cleanup() error {
if err := d.Validate(); err != nil {
return err
}
return os.RemoveAll(d.String())
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// Validate ensures the GnuPGHome is a valid GnuPG home directory path.
// When validation fails, it returns a descriptive reason as error.
func (d GnuPGHome) Validate() error {
if d == "" {
return fmt.Errorf("empty GNUPGHOME path")
Support retrieving PGP keys from keyservers
2017-10-05 13:23:58 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
if !filepath.IsAbs(d.String()) {
return fmt.Errorf("GNUPGHOME must be an absolute path")
Support retrieving PGP keys from keyservers
2017-10-05 13:23:58 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
fi, err := os.Lstat(d.String())
Support retrieving PGP keys from keyservers
2017-10-05 13:23:58 -07:00
if err != nil {
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
if os.IsNotExist(err) {
return fmt.Errorf("GNUPGHOME does not exist")
}
return fmt.Errorf("cannot stat GNUPGHOME: %w", err)
}
if !fi.IsDir() {
return fmt.Errorf("GNUGPHOME is not a directory")
Support retrieving PGP keys from keyservers
2017-10-05 13:23:58 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
if perm := fi.Mode().Perm(); perm != 0o700 {
return fmt.Errorf("GNUPGHOME has invalid permissions: got %#o wanted %#o", perm, 0o700)
}
return nil
Support retrieving PGP keys from keyservers
2017-10-05 13:23:58 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// String returns the GnuPGHome as a string. It does not Validate.
func (d GnuPGHome) String() string {
return string(d)
}
// ApplyToMasterKey configures the GnuPGHome on the provided key if it passes
// Validate.
func (d GnuPGHome) ApplyToMasterKey(key *MasterKey) {
if err := d.Validate(); err == nil {
key.gnuPGHomeDir = d.String()
Support retrieving PGP keys from keyservers
2017-10-05 13:23:58 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
}
pgp: extend test coverage OpenPGP Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 10:58:51 +02:00
// DisableOpenPGP disables encrypt and decrypt operations using OpenPGP.
pgp: allow disabling OpenPGP capabilities Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 00:05:41 +02:00
type DisableOpenPGP struct{}
// ApplyToMasterKey configures the provided key to not use OpenPGP.
func (d DisableOpenPGP) ApplyToMasterKey(key *MasterKey) {
key.disableOpenPGP = true
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// PubRing can be used to configure the absolute path to a public keyring
// used by OpenPGP.
type PubRing string
// ApplyToMasterKey configures the provided key to not use the GnuPG agent.
func (r PubRing) ApplyToMasterKey(key *MasterKey) {
key.pubRing = string(r)
}
// SecRing can be used to configure the absolute path to a sec keyring
// used by OpenPGP.
type SecRing string
// ApplyToMasterKey configures the provided key to not use the GnuPG agent.
func (r SecRing) ApplyToMasterKey(key *MasterKey) {
key.secRing = string(r)
}
pgp: allow disabling OpenPGP capabilities Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 00:05:41 +02:00
// errSet is a collection of captured errors.
type errSet []error
Fix typos. Signed-off-by: Felix Fontein <felix@fontein.de>
2023-11-02 22:23:10 +01:00
// Error joins the errors into a "; " separated string.
pgp: allow disabling OpenPGP capabilities Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 00:05:41 +02:00
func (e errSet) Error() string {
str := make([]string, len(e))
for i, err := range e {
str[i] = err.Error()
}
return strings.Join(str, "; ")
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// Encrypt encrypts the data key with the PGP key with the same
// fingerprint as the MasterKey.
Introduce EncryptContext and DecryptContext for AWS, Azure, GCP, PGP and HashiCorp Vault Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-05-03 13:07:20 +01:00
//
// Consider using EncryptContext instead.
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
func (key *MasterKey) Encrypt(dataKey []byte) error {
Introduce EncryptContext and DecryptContext for AWS, Azure, GCP, PGP and HashiCorp Vault Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-05-03 13:07:20 +01:00
return key.EncryptContext(context.Background(), dataKey)
}
// EncryptContext encrypts the data key with the PGP key with the same
// fingerprint as the MasterKey.
func (key *MasterKey) EncryptContext(ctx context.Context, dataKey []byte) error {
pgp: allow disabling OpenPGP capabilities Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 00:05:41 +02:00
var errs errSet
if !key.disableOpenPGP {
openpgpErr := key.encryptWithOpenPGP(dataKey)
if openpgpErr == nil {
log.WithField("fingerprint", key.Fingerprint).Info("Encryption succeeded")
return nil
}
errs = append(errs, fmt.Errorf("github.com/ProtonMail/go-crypto/openpgp error: %w", openpgpErr))
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
}
pgp: allow disabling OpenPGP capabilities Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 00:05:41 +02:00
Introduce EncryptContext and DecryptContext for AWS, Azure, GCP, PGP and HashiCorp Vault Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-05-03 13:07:20 +01:00
binaryErr := key.encryptWithGnuPG(ctx, dataKey)
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
if binaryErr == nil {
log.WithField("fingerprint", key.Fingerprint).Info("Encryption succeeded")
return nil
}
pgp: extend test coverage OpenPGP Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 10:58:51 +02:00
errs = append(errs, fmt.Errorf("GnuPG binary error: %w", binaryErr))
pgp: allow disabling OpenPGP capabilities Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 00:05:41 +02:00
keyservices: address logging regression Replace the logging of failed encryption and decryption attempts from error to info level. This to address a regression in which an encryption or decryption attempt with a series of keys would result in a list of failed attempts logged to stderr even when the operation itself eventually succeeded. Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-09-12 23:55:49 +02:00
log.WithField("fingerprint", key.Fingerprint).Info("Encryption failed")
pgp: allow disabling OpenPGP capabilities Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 00:05:41 +02:00
return fmt.Errorf("could not encrypt data key with PGP key: %w", errs)
Support retrieving PGP keys from keyservers
2017-10-05 13:23:58 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// encryptWithOpenPGP attempts to encrypt the data key using OpenPGP with the
// PGP key that belongs to Fingerprint. It sets EncryptedDataKey, or returns
// an error.
func (key *MasterKey) encryptWithOpenPGP(dataKey []byte) error {
entity, err := key.retrievePubKey()
Support retrieving PGP keys from keyservers
2017-10-05 13:23:58 -07:00
if err != nil {
return err
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
encBuf := new(bytes.Buffer)
armorBuf, err := armor.Encode(encBuf, "PGP MESSAGE", nil)
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
if err != nil {
return err
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
plainBuf, err := openpgp.Encrypt(armorBuf, []*openpgp.Entity{&entity}, nil, &openpgp.FileHints{IsBinary: true}, nil)
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
if err != nil {
return err
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
_, err = plainBuf.Write(dataKey)
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
if err != nil {
return err
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
err = plainBuf.Close()
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
if err != nil {
return err
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
err = armorBuf.Close()
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
if err != nil {
return err
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
pgp: extend test coverage OpenPGP Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 10:58:51 +02:00
b, err := io.ReadAll(encBuf)
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
if err != nil {
return err
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
key.SetEncryptedDataKey(b)
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
return nil
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// encryptWithOpenPGP attempts to encrypt the data key using GnuPG with the
// PGP key that belongs to Fingerprint. It sets EncryptedDataKey, or returns
// an error.
Introduce EncryptContext and DecryptContext for AWS, Azure, GCP, PGP and HashiCorp Vault Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-05-03 13:07:20 +01:00
func (key *MasterKey) encryptWithGnuPG(ctx context.Context, dataKey []byte) error {
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
fingerprint := shortenFingerprint(key.Fingerprint)
args := []string{
"--no-default-recipient",
"--yes",
"--encrypt",
"-a",
"-r",
key.Fingerprint,
"--trusted-key",
fingerprint,
"--no-encrypt-to",
Add support for GPG binary
2017-08-23 14:27:11 -07:00
}
Introduce EncryptContext and DecryptContext for AWS, Azure, GCP, PGP and HashiCorp Vault Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-05-03 13:07:20 +01:00
stdout, stderr, err := gpgExec(ctx, key.gnuPGHomeDir, args, bytes.NewReader(dataKey))
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
if err != nil {
return fmt.Errorf("failed to encrypt sops data key with pgp: %s", strings.TrimSpace(stderr.String()))
Add support for GPG binary
2017-08-23 14:27:11 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
key.SetEncryptedDataKey(bytes.TrimSpace(stdout.Bytes()))
return nil
Add support for GPG binary
2017-08-23 14:27:11 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// EncryptIfNeeded encrypts the data key with PGP only if it's needed,
// that is, if it hasn't been encrypted already.
Renamed GPGMasterKey and KMSMasterKey to MasterKey
2016-08-23 13:28:56 -07:00
func (key *MasterKey) EncryptIfNeeded(dataKey []byte) error {
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
if key.EncryptedKey == "" {
return key.Encrypt(dataKey)
}
return nil
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// EncryptedDataKey returns the encrypted data key this master key holds.
func (key *MasterKey) EncryptedDataKey() []byte {
return []byte(key.EncryptedKey)
}
// SetEncryptedDataKey sets the encrypted data key for this master key.
func (key *MasterKey) SetEncryptedDataKey(enc []byte) {
key.EncryptedKey = string(enc)
}
// Decrypt first attempts to obtain the data key from the EncryptedKey
// stored in the MasterKey using OpenPGP, before falling back to GnuPG.
// When both attempts fail, an error is returned.
Introduce EncryptContext and DecryptContext for AWS, Azure, GCP, PGP and HashiCorp Vault Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-05-03 13:07:20 +01:00
//
// Consider using DecryptContext instead.
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
func (key *MasterKey) Decrypt() ([]byte, error) {
Introduce EncryptContext and DecryptContext for AWS, Azure, GCP, PGP and HashiCorp Vault Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-05-03 13:07:20 +01:00
return key.DecryptContext(context.Background())
}
// DecryptContext first attempts to obtain the data key from the EncryptedKey
// stored in the MasterKey using OpenPGP, before falling back to GnuPG.
// When both attempts fail, an error is returned.
func (key *MasterKey) DecryptContext(ctx context.Context) ([]byte, error) {
pgp: allow disabling OpenPGP capabilities Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 00:05:41 +02:00
var errs errSet
if !key.disableOpenPGP {
dataKey, openpgpErr := key.decryptWithOpenPGP()
if openpgpErr == nil {
log.WithField("fingerprint", key.Fingerprint).Info("Decryption succeeded")
return dataKey, nil
}
errs = append(errs, fmt.Errorf("github.com/ProtonMail/go-crypto/openpgp error: %w", openpgpErr))
Add support for GPG binary
2017-08-23 14:27:11 -07:00
}
pgp: allow disabling OpenPGP capabilities Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 00:05:41 +02:00
Introduce EncryptContext and DecryptContext for AWS, Azure, GCP, PGP and HashiCorp Vault Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-05-03 13:07:20 +01:00
dataKey, binaryErr := key.decryptWithGnuPG(ctx)
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
if binaryErr == nil {
log.WithField("fingerprint", key.Fingerprint).Info("Decryption succeeded")
return dataKey, nil
Add support for GPG binary
2017-08-23 14:27:11 -07:00
}
pgp: extend test coverage OpenPGP Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 10:58:51 +02:00
errs = append(errs, fmt.Errorf("GnuPG binary error: %w", binaryErr))
pgp: allow disabling OpenPGP capabilities Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 00:05:41 +02:00
keyservices: address logging regression Replace the logging of failed encryption and decryption attempts from error to info level. This to address a regression in which an encryption or decryption attempt with a series of keys would result in a list of failed attempts logged to stderr even when the operation itself eventually succeeded. Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-09-12 23:55:49 +02:00
log.WithField("fingerprint", key.Fingerprint).Info("Decryption failed")
pgp: allow disabling OpenPGP capabilities Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 00:05:41 +02:00
return nil, fmt.Errorf("could not decrypt data key with PGP key: %w", errs)
Add support for GPG binary
2017-08-23 14:27:11 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// decryptWithOpenPGP attempts to obtain the data key from the EncryptedKey
// using OpenPGP and returns the result.
//
// Note: the current development of OpenPGP vs GnuPG has moved in separate
// directions. This means that e.g. GnuPG >=2.1 works with a .kbx format which
// can not be read by OpenPGP. Given the further assumptions around the
// placement of the files, and the generic fallback Decrypt uses, this raises
// the question of how widely utilized this method still is.
func (key *MasterKey) decryptWithOpenPGP() ([]byte, error) {
ring, err := key.getSecRing()
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
if err != nil {
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
return nil, fmt.Errorf("could not load secring: %s", err)
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
}
block, err := armor.Decode(strings.NewReader(key.EncryptedKey))
if err != nil {
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
return nil, fmt.Errorf("armor decoding failed: %s", err)
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
}
Fix endless loop in x/crypto/openpgp func ReadMessage (#690) * Fix tests * Fix endless loop in x/crypto/openpgp func ReadMessage This fixes https://github.com/mozilla/sops/issues/665 See also https://github.com/golang/go/issues/28786 In some strange situations it can happen, that openpgp.ReadMessage() runs into a endless loop. This seems to be triggered by a slightly inconsistency in key settings. It happened to me, but I wasn't able to reproduce it with a fresh key. A proposed solution from the x/crypto community was, to break this loop in the callback passphrasePrompt. * Revert "Fix tests" This reverts commit 285f4dc8a1bf5e2c774fe48ae0daee2ac1511e6d. * Improve error description https://github.com/mozilla/sops/pull/690#discussion_r451630193
2020-07-14 21:25:06 +02:00
md, err := openpgp.ReadMessage(block.Body, ring, key.passphrasePrompt(), nil)
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
if err != nil {
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
return nil, fmt.Errorf("reading PGP message failed: %s", err)
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
}
pgp: extend test coverage OpenPGP Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 10:58:51 +02:00
if b, err := io.ReadAll(md.UnverifiedBody); err == nil {
aes decryptor now takes []byte keys
2016-08-23 12:49:18 -07:00
return b, nil
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
return nil, fmt.Errorf("the key could not be decrypted with any of the PGP entries")
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// decryptWithGnuPG attempts to obtain the data key from the EncryptedKey using
// GnuPG and returns the result. If DisableAgent is configured on the MasterKey,
// the GnuPG agent is not enabled. When the decryption command fails, it returns
// the error from stdout.
Introduce EncryptContext and DecryptContext for AWS, Azure, GCP, PGP and HashiCorp Vault Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-05-03 13:07:20 +01:00
func (key *MasterKey) decryptWithGnuPG(ctx context.Context) ([]byte, error) {
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
args := []string{
"-d",
Add support for GPG binary
2017-08-23 14:27:11 -07:00
}
Introduce EncryptContext and DecryptContext for AWS, Azure, GCP, PGP and HashiCorp Vault Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-05-03 13:07:20 +01:00
stdout, stderr, err := gpgExec(ctx, key.gnuPGHomeDir, args, strings.NewReader(key.EncryptedKey))
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
if err != nil {
pgp: extend test coverage OpenPGP Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 10:58:51 +02:00
return nil, fmt.Errorf("failed to decrypt sops data key with pgp: %s",
strings.TrimSpace(stderr.String()))
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
}
Check GnuPG decryption result for non-empty size. Signed-off-by: Felix Fontein <felix@fontein.de>
2025-02-27 21:25:02 +01:00
result := stdout.Bytes()
if len(result) == 0 {
// This can happen if an older GnuPG version is used to decrypt a key encrypted with a
// newer GnuPG version that used an AEAD cipher, which the old version does not support.
// Apparently some GnuPG versions drop the unspuported packets, which results in a decrypted
// data of 0 bytes, and returns nothing with exit code 0.
//
// (See https://github.com/getsops/sops/issues/896#issuecomment-2688079300 for more infos.)
return nil, fmt.Errorf("failed to decrypt sops data key with pgp: zero bytes returned")
}
return result, nil
Add support for GPG binary
2017-08-23 14:27:11 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// NeedsRotation returns whether the data key needs to be rotated
// or not.
Renamed GPGMasterKey and KMSMasterKey to MasterKey
2016-08-23 13:28:56 -07:00
func (key *MasterKey) NeedsRotation() bool {
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
return time.Since(key.CreationDate) > (pgpTTL)
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// ToString returns the string representation of the key, i.e. its
// fingerprint.
Renamed GPGMasterKey and KMSMasterKey to MasterKey
2016-08-23 13:28:56 -07:00
func (key *MasterKey) ToString() string {
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
return key.Fingerprint
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// ToMap converts the MasterKey into a map for serialization purposes.
func (key MasterKey) ToMap() map[string]interface{} {
out := make(map[string]interface{})
out["fp"] = key.Fingerprint
out["created_at"] = key.CreationDate.UTC().Format(time.RFC3339)
out["enc"] = key.EncryptedKey
return out
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
}
Sort masterkeys according to decryption-order Co-authored-by: Gabriel Martinez <19713226+GMartinez-Sisti@users.noreply.github.com> Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Bastien Wermeille <bastien.wermeille@gmail.com> Co-authored-by: Hidde Beydals <hiddeco@users.noreply.github.com> Signed-off-by: Boris Kreitchman <bkreitch@gmail.com>
2023-11-07 19:28:34 +02:00
// TypeToIdentifier returns the string identifier for the MasterKey type.
func (key *MasterKey) TypeToIdentifier() string {
return KeyTypeIdentifier
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// retrievePubKey attempts to retrieve the public key from the public keyring
// by Fingerprint.
func (key *MasterKey) retrievePubKey() (openpgp.Entity, error) {
ring, err := key.getPubRing()
if err == nil {
pgp: extend test coverage OpenPGP Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 10:58:51 +02:00
fingerprints := fingerprintIndex(ring)
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
entity, ok := fingerprints[key.Fingerprint]
if ok {
return entity, nil
}
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
return openpgp.Entity{},
pgp: extend test coverage OpenPGP Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 10:58:51 +02:00
fmt.Errorf("key with fingerprint '%s' is not available "+
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
"in keyring", key.Fingerprint)
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// getPubRing loads the public keyring from the configured path, or falls back
// to defaultPubRing relative to the GnuPG home. It returns an openpgp.EntityList
// read from the keyring, or an error.
func (key *MasterKey) getPubRing() (openpgp.EntityList, error) {
path := key.pubRing
if path == "" {
pgp: improve handling of GnuPG home dir There have been reports about the new logic breaking certain GnuPG shims (#1294). As this behavior is only really required when SDK users are making use of the GnuPG using SOPS as an SDK. Prefer any runtime configuration when no custom GnuPG home is configured on the key source, instead of providing an absolute `--homedir` to `gpg`. Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-09-19 22:41:31 +02:00
path = filepath.Join(gnuPGHome(key.gnuPGHomeDir), defaultPubRing)
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
}
pgp: extend test coverage OpenPGP Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 10:58:51 +02:00
return loadRing(path)
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// getSecRing loads the sec keyring from the configured path, or falls back
// to defaultSecRing relative to the GnuPG home. It returns an openpgp.EntityList
// read from the keyring, or an error.
func (key *MasterKey) getSecRing() (openpgp.EntityList, error) {
pgp: extend test coverage OpenPGP Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 10:58:51 +02:00
path := key.secRing
if path == "" {
pgp: improve handling of GnuPG home dir There have been reports about the new logic breaking certain GnuPG shims (#1294). As this behavior is only really required when SDK users are making use of the GnuPG using SOPS as an SDK. Prefer any runtime configuration when no custom GnuPG home is configured on the key source, instead of providing an absolute `--homedir` to `gpg`. Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-09-19 22:41:31 +02:00
path = filepath.Join(gnuPGHome(key.gnuPGHomeDir), defaultSecRing)
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
}
pgp: extend test coverage OpenPGP Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 10:58:51 +02:00
if _, err := os.Lstat(path); err != nil {
if !os.IsNotExist(err) {
return nil, err
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
}
pgp: extend test coverage OpenPGP Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 10:58:51 +02:00
return key.getPubRing()
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
}
pgp: extend test coverage OpenPGP Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 10:58:51 +02:00
return loadRing(path)
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// passphrasePrompt prompts the user for a passphrase when this is required for
// encryption or decryption.
Fix endless loop in x/crypto/openpgp func ReadMessage (#690) * Fix tests * Fix endless loop in x/crypto/openpgp func ReadMessage This fixes https://github.com/mozilla/sops/issues/665 See also https://github.com/golang/go/issues/28786 In some strange situations it can happen, that openpgp.ReadMessage() runs into a endless loop. This seems to be triggered by a slightly inconsistency in key settings. It happened to me, but I wasn't able to reproduce it with a fresh key. A proposed solution from the x/crypto community was, to break this loop in the callback passphrasePrompt. * Revert "Fix tests" This reverts commit 285f4dc8a1bf5e2c774fe48ae0daee2ac1511e6d. * Improve error description https://github.com/mozilla/sops/pull/690#discussion_r451630193
2020-07-14 21:25:06 +02:00
func (key *MasterKey) passphrasePrompt() func(keys []openpgp.Key, symmetric bool) ([]byte, error) {
callCounter := 0
maxCalls := 3
return func(keys []openpgp.Key, symmetric bool) ([]byte, error) {
if callCounter >= maxCalls {
return nil, fmt.Errorf("function passphrasePrompt called too many times")
Added GPG agent support
2016-08-17 10:17:36 -07:00
}
Fix endless loop in x/crypto/openpgp func ReadMessage (#690) * Fix tests * Fix endless loop in x/crypto/openpgp func ReadMessage This fixes https://github.com/mozilla/sops/issues/665 See also https://github.com/golang/go/issues/28786 In some strange situations it can happen, that openpgp.ReadMessage() runs into a endless loop. This seems to be triggered by a slightly inconsistency in key settings. It happened to me, but I wasn't able to reproduce it with a fresh key. A proposed solution from the x/crypto community was, to break this loop in the callback passphrasePrompt. * Revert "Fix tests" This reverts commit 285f4dc8a1bf5e2c774fe48ae0daee2ac1511e6d. * Improve error description https://github.com/mozilla/sops/pull/690#discussion_r451630193
2020-07-14 21:25:06 +02:00
callCounter++
conn, err := gpgagent.NewConn()
if err == gpgagent.ErrNoAgent {
log.Infof("gpg-agent not found, continuing with manual passphrase " +
"input...")
fmt.Print("Enter PGP key passphrase: ")
Replace deprecated gopass package with term
2022-08-20 15:56:07 +02:00
pass, err := term.ReadPassword(int(os.Stdin.Fd()))
Fix endless loop in x/crypto/openpgp func ReadMessage (#690) * Fix tests * Fix endless loop in x/crypto/openpgp func ReadMessage This fixes https://github.com/mozilla/sops/issues/665 See also https://github.com/golang/go/issues/28786 In some strange situations it can happen, that openpgp.ReadMessage() runs into a endless loop. This seems to be triggered by a slightly inconsistency in key settings. It happened to me, but I wasn't able to reproduce it with a fresh key. A proposed solution from the x/crypto community was, to break this loop in the callback passphrasePrompt. * Revert "Fix tests" This reverts commit 285f4dc8a1bf5e2c774fe48ae0daee2ac1511e6d. * Improve error description https://github.com/mozilla/sops/pull/690#discussion_r451630193
2020-07-14 21:25:06 +02:00
if err != nil {
return nil, err
}
for _, k := range keys {
k.PrivateKey.Decrypt(pass)
}
return pass, err
Added GPG agent support
2016-08-17 10:17:36 -07:00
}
if err != nil {
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
return nil, fmt.Errorf("could not establish connection with gpg-agent: %s", err)
Fix endless loop in x/crypto/openpgp func ReadMessage (#690) * Fix tests * Fix endless loop in x/crypto/openpgp func ReadMessage This fixes https://github.com/mozilla/sops/issues/665 See also https://github.com/golang/go/issues/28786 In some strange situations it can happen, that openpgp.ReadMessage() runs into a endless loop. This seems to be triggered by a slightly inconsistency in key settings. It happened to me, but I wasn't able to reproduce it with a fresh key. A proposed solution from the x/crypto community was, to break this loop in the callback passphrasePrompt. * Revert "Fix tests" This reverts commit 285f4dc8a1bf5e2c774fe48ae0daee2ac1511e6d. * Improve error description https://github.com/mozilla/sops/pull/690#discussion_r451630193
2020-07-14 21:25:06 +02:00
}
pgp: extend test coverage OpenPGP Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 10:58:51 +02:00
defer func(conn *gpgagent.Conn) {
if err := conn.Close(); err != nil {
log.Errorf("failed to close connection with gpg-agent: %s", err)
}
}(conn)
Fix endless loop in x/crypto/openpgp func ReadMessage (#690) * Fix tests * Fix endless loop in x/crypto/openpgp func ReadMessage This fixes https://github.com/mozilla/sops/issues/665 See also https://github.com/golang/go/issues/28786 In some strange situations it can happen, that openpgp.ReadMessage() runs into a endless loop. This seems to be triggered by a slightly inconsistency in key settings. It happened to me, but I wasn't able to reproduce it with a fresh key. A proposed solution from the x/crypto community was, to break this loop in the callback passphrasePrompt. * Revert "Fix tests" This reverts commit 285f4dc8a1bf5e2c774fe48ae0daee2ac1511e6d. * Improve error description https://github.com/mozilla/sops/pull/690#discussion_r451630193
2020-07-14 21:25:06 +02:00
for _, k := range keys {
req := gpgagent.PassphraseRequest{
CacheKey: k.PublicKey.KeyIdShortString(),
Prompt: "Passphrase",
Desc: fmt.Sprintf("Unlock key %s to decrypt sops's key", k.PublicKey.KeyIdShortString()),
}
pass, err := conn.GetPassphrase(&req)
if err != nil {
return nil, fmt.Errorf("gpg-agent passphrase request errored: %s", err)
}
k.PrivateKey.Decrypt([]byte(pass))
return []byte(pass), nil
Added GPG agent support
2016-08-17 10:17:36 -07:00
}
pgp: extend test coverage OpenPGP Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 10:58:51 +02:00
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
return nil, fmt.Errorf("no key to unlock")
Refactored PGP and KMS into their own packages
2016-08-11 11:44:00 -07:00
}
}
Added YAML encryption
2016-08-18 15:49:27 -07:00
pgp: extend test coverage OpenPGP Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 10:58:51 +02:00
// loadRing attempts to load the keyring from the provided path.
// Unsupported keys are ignored as long as at least a single valid key is
// found.
func loadRing(path string) (openpgp.EntityList, error) {
f, err := os.Open(path)
if err != nil {
return nil, err
}
defer f.Close()
keyring, err := openpgp.ReadKeyRing(f)
if err != nil {
return nil, err
}
return keyring, nil
}
// fingerprintIndex indexes the openpgp.Entity objects from the given ring
// by their fingerprint, and returns the result.
func fingerprintIndex(ring openpgp.EntityList) map[string]openpgp.Entity {
fps := make(map[string]openpgp.Entity)
for _, entity := range ring {
if entity != nil {
*: address various simple `staticcheck` warnings Deprecation of `io/ioutil`, removal of unused functions, possible nil pointer dereference, and other tiny nits. There are (many) more, but these would require their own (commit) context. Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-08-14 23:35:54 +02:00
fp := strings.ToUpper(hex.EncodeToString(entity.PrimaryKey.Fingerprint[:]))
pgp: extend test coverage OpenPGP Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-26 10:58:51 +02:00
fps[fp] = *entity
}
}
return fps
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// gpgExec runs the provided args with the gpgBinary, while restricting it to
pgp: remove `--no-default-keyring` argument This argument was confusing and/or misleading, as we do specify a home directory as the next argument. Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-09-19 22:55:03 +02:00
// homeDir when provided. Stdout and stderr can be read from the returned
// buffers. When the command fails, an error is returned.
Introduce EncryptContext and DecryptContext for AWS, Azure, GCP, PGP and HashiCorp Vault Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-05-03 13:07:20 +01:00
func gpgExec(ctx context.Context, homeDir string, args []string, stdin io.Reader) (stdout bytes.Buffer, stderr bytes.Buffer, err error) {
pgp: remove `--no-default-keyring` argument This argument was confusing and/or misleading, as we do specify a home directory as the next argument. Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-09-19 22:55:03 +02:00
if homeDir != "" {
args = append([]string{"--homedir", homeDir}, args...)
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
}
Introduce EncryptContext and DecryptContext for AWS, Azure, GCP, PGP and HashiCorp Vault Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-05-03 13:07:20 +01:00
cmd := exec.CommandContext(ctx, gpgBinary(), args...)
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
cmd.Stdin = stdin
cmd.Stdout = &stdout
cmd.Stderr = &stderr
err = cmd.Run()
return
}
// gpgBinary returns the GnuPG binary which must be used.
pgp: do not require abs path for SopsGpgExecEnv Signed-off-by: Martin Holst Swende <martin@swende.se>
2023-09-29 10:12:12 +02:00
// It allows for runtime modifications by setting the replacement binary
// via the environment variable SopsGpgExecEnv.
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
func gpgBinary() string {
pgp: do not require abs path for SopsGpgExecEnv Signed-off-by: Martin Holst Swende <martin@swende.se>
2023-09-29 10:12:12 +02:00
if envBinary := os.Getenv(SopsGpgExecEnv); envBinary != "" {
return envBinary
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
}
pgp: do not require abs path for SopsGpgExecEnv Signed-off-by: Martin Holst Swende <martin@swende.se>
2023-09-29 10:12:12 +02:00
return "gpg"
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
}
pgp: improve handling of GnuPG home dir There have been reports about the new logic breaking certain GnuPG shims (#1294). As this behavior is only really required when SDK users are making use of the GnuPG using SOPS as an SDK. Prefer any runtime configuration when no custom GnuPG home is configured on the key source, instead of providing an absolute `--homedir` to `gpg`. Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-09-19 22:41:31 +02:00
// gnuPGHome determines the GnuPG home directory, and returns its path.
// In order of preference:
// 1. customPath
// 2. $GNUPGHOME
// 3. user.Current().HomeDir/.gnupg
// 4. $HOME/.gnupg
func gnuPGHome(customPath string) string {
if customPath != "" {
return customPath
}
dir := os.Getenv("GNUPGHOME")
if dir == "" {
usr, err := user.Current()
if err != nil {
return filepath.Join(os.Getenv("HOME"), ".gnupg")
}
return filepath.Join(usr.HomeDir, ".gnupg")
}
return dir
}
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// shortenFingerprint returns the short ID of the given fingerprint.
Fix typos. Signed-off-by: Felix Fontein <felix@fontein.de>
2023-11-02 22:23:10 +01:00
// This is mostly used for compatibility reasons, as older versions of GnuPG
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
// do not always like long IDs.
func shortenFingerprint(fingerprint string) string {
Correctly handle trailing "!" when passing shortened fingerprints to GnuPG. Signed-off-by: Felix Fontein <felix@fontein.de>
2024-12-24 22:50:08 +01:00
offset := len(fingerprint) - 16
// If the fingerprint ends with '!', we must include '!' in the ID *and* the
// 16 hex digits before it. See https://github.com/getsops/sops/issues/1365.
if strings.HasSuffix(fingerprint, "!") {
offset -= 1
}
if offset > 0 {
pgp: modernize and improve, and add tests This replaces the current PGP keysource implementation with a modernized version the Flux project has been using[1]. It includes utilites to configure the MasterKey via other means than environment variables, to allow SDK users to have extensive control over what things are decrypted with. This can for example be combined with an own keyserver implementation. To be able to contribute it back upstream while keeping it backwards compatible with SOPS, a couple of changes have been made compared to Flux: - Instead of removing the enabling of the agent while making use of GnuPG, it can now be disabled. - Support for OpenPGP has been added back. Note however my comments on this in-code, as I am not quite sure to what extend it is used at the moment, as it will not work on most setups (GnuPG <2.1 was released in 2017.) - The absolute paths to the pub and sec keyrings can now be configured by SDK users. This would add more reason to keep OpenPGP around, if they are able to produce the keyring files themselves via other means than GnuPG. - When a sec keyring is not detected, a lookup for the pub keyring is made and loaded instead if found. This to account for GnuPG >=2.1 merging the sec keyring into pub keyring. - Support for fetching keys from servers has been removed. This can be added back if we need to keep it around for a little longer. This has extensive test coverage for GnuPG, but would need coverage for the re-added OpenPGP implementation before it can be deemed ready. [1]: https://github.com/fluxcd/kustomize-controller/tree/ffdda3f3da75aa39a5b5c29997c2654b6a2f1f89/internal/sops/pgp Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-05-07 01:23:24 +02:00
fingerprint = fingerprint[offset:]
}
return fingerprint
Added YAML encryption
2016-08-18 15:49:27 -07:00
}
Copy Permalink