diff --git a/age/keys.txt b/age/keys.txt index c56eb4fab..9b998fcc8 100644 --- a/age/keys.txt +++ b/age/keys.txt @@ -1,3 +1,6 @@ # created: 2020-07-18T03:16:47-07:00 # public key: age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw AGE-SECRET-KEY-1NJT5YCS2LWU4V4QAJQ6R4JNU7LXPDX602DZ9NUFANVU5GDTGUWCQ5T59M6 +# created: 2021-12-12T01:39:30+01:00 +# public key: age1tmaae3ld5vpevmsh5yacsauzx8jetg300mpvc4ugp5zr5l6ssq9sla97ep +AGE-SECRET-KEY-1T0Z66WSXS6RMNCPSL7P2E8N4Q7SUD8VMG9ND27S08JL7Y2XAU9EQECHDS7 \ No newline at end of file diff --git a/age/keysource_test.go b/age/keysource_test.go index 0b30b355d..556770087 100644 --- a/age/keysource_test.go +++ b/age/keysource_test.go @@ -31,26 +31,43 @@ func TestMasterKeyFromRecipientWithLeadingAndTrailingSpaces(t *testing.T) { assert.Equal(key.Recipient, "age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw") } +func TestMasterKeysFromRecipientsWithMultiple(t *testing.T) { + assert := assert.New(t) + + keys, err := MasterKeysFromRecipients("age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw,age1tmaae3ld5vpevmsh5yacsauzx8jetg300mpvc4ugp5zr5l6ssq9sla97ep") + + assert.NoError(err) + + assert.Equal(len(keys), 2) + assert.Equal(keys[0].Recipient, "age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw") + assert.Equal(keys[1].Recipient, "age1tmaae3ld5vpevmsh5yacsauzx8jetg300mpvc4ugp5zr5l6ssq9sla97ep") +} + func TestAge(t *testing.T) { assert := assert.New(t) - key, err := MasterKeyFromRecipient("age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw") + keys, err := MasterKeysFromRecipients("age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw,age1tmaae3ld5vpevmsh5yacsauzx8jetg300mpvc4ugp5zr5l6ssq9sla97ep") assert.NoError(err) - assert.Equal("age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw", key.ToString()) + assert.Equal(len(keys), 2) + assert.Equal(keys[0].Recipient, "age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw") + assert.Equal(keys[1].Recipient, "age1tmaae3ld5vpevmsh5yacsauzx8jetg300mpvc4ugp5zr5l6ssq9sla97ep") dataKey := []byte("abcdefghijklmnopqrstuvwxyz123456") - err = key.Encrypt(dataKey) - assert.NoError(err) + for _, key := range keys { + err = key.Encrypt(dataKey) + assert.NoError(err) - _, filename, _, _ := runtime.Caller(0) - err = os.Setenv(SopsAgeKeyFileEnv, path.Join(path.Dir(filename), "keys.txt")) - assert.NoError(err) + _, filename, _, _ := runtime.Caller(0) + err = os.Setenv("SOPS_AGE_KEY_FILE", path.Join(path.Dir(filename), "keys.txt")) + assert.NoError(err) + + decryptedKey, err := key.Decrypt() + assert.NoError(err) + assert.Equal(dataKey, decryptedKey) + } - decryptedKey, err := key.Decrypt() - assert.NoError(err) - assert.Equal(dataKey, decryptedKey) } func TestAgeDotEnv(t *testing.T) { diff --git a/cmd/sops/main.go b/cmd/sops/main.go index 148daa729..307dc45df 100644 --- a/cmd/sops/main.go +++ b/cmd/sops/main.go @@ -442,12 +442,14 @@ func main() { group = append(group, k) } for _, recipient := range ageRecipients { - k, err := age.MasterKeyFromRecipient(recipient) + keys, err := age.MasterKeysFromRecipients(recipient) if err != nil { log.WithError(err).Error("Failed to add key") continue } - group = append(group, k) + for _, key := range keys { + group = append(group, key) + } } return groups.Add(groups.AddOpts{ InputPath: c.String("file"), diff --git a/config/config.go b/config/config.go index 061d038e2..a4db7b868 100644 --- a/config/config.go +++ b/config/config.go @@ -153,11 +153,13 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[ for _, group := range cRule.KeyGroups { var keyGroup sops.KeyGroup for _, k := range group.Age { - key, err := age.MasterKeyFromRecipient(k) + keys, err := age.MasterKeysFromRecipients(k) if err != nil { return nil, err } - keyGroup = append(keyGroup, key) + for _, key := range keys { + keyGroup = append(keyGroup, key) + } } for _, k := range group.PGP { keyGroup = append(keyGroup, pgp.NewMasterKeyFromFingerprint(k))