
Merge pull request #1776 from felixfontein/gpg

Check GnuPG decryption result for non-empty size
This commit is contained in:
Felix Fontein
2025-03-01 18:30:07 +01:00
committed by GitHub


@@ -428,7 +428,17 @@ func (key *MasterKey) decryptWithGnuPG() ([]byte, error) {
return nil, fmt.Errorf("failed to decrypt sops data key with pgp: %s",
strings.TrimSpace(stderr.String()))
}
return stdout.Bytes(), nil
result := stdout.Bytes()
if len(result) == 0 {
// This can happen if an older GnuPG version is used to decrypt a key encrypted with a
// newer GnuPG version that used an AEAD cipher, which the old version does not support.
// Apparently some GnuPG versions drop the unspuported packets, which results in a decrypted
// data of 0 bytes, and returns nothing with exit code 0.
//
// (See https://github.com/getsops/sops/issues/896#issuecomment-2688079300 for more infos.)
return nil, fmt.Errorf("failed to decrypt sops data key with pgp: zero bytes returned")
}
return result, nil
}
// NeedsRotation returns whether the data key needs to be rotated
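Review bot: The new zero-length branch at `return nil, fmt.Errorf("failed to decrypt sops data key with pgp: zero bytes returned")` throws away gpg's stderr, which is where an older GnuPG reports the packet it could not handle, so a user hitting the exit-0-but-empty case gets no clue why; the failure branch just above already appends `strings.TrimSpace(stderr.String())`, and the new error should do the same, e.g. `return nil, fmt.Errorf("failed to decrypt sops data key with pgp: zero bytes returned, stderr: %s", strings.TrimSpace(stderr.String()))`. The explanatory comment also has two typos: `unspuported` should read `unsupported`, and `for more infos` should read `for more information`. If the caller of this function expects a data key of a fixed size, comparing `len(result)` against that size would presumably also catch truncated output rather than only empty output, but that expectation is not visible from this hunk. decryptWithGnuPG begins before the hunk, so the command setup and the stdout/stderr capture are not shown here.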