From e98451e9755b33d0e76b362587499225ef3a4ef1 Mon Sep 17 00:00:00 2001 From: Hidde Beydals Date: Tue, 30 Mar 2021 17:40:19 +0200 Subject: [PATCH 1/9] Remove unused age code This removes two pieces of code in the age keysource that are not actually used. The `parsedIdentity` is technically a candidate to stay, but should then be changed to a `[]*age.X25519Identity` type and be lazy-loaded by `Decrypt` (with the result of `age.ParseIdentities`). Signed-off-by: Hidde Beydals --- age/keysource.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/age/keysource.go b/age/keysource.go index c0b9c6561..6a2f5c50d 100644 --- a/age/keysource.go +++ b/age/keysource.go @@ -20,15 +20,12 @@ func init() { log = logging.NewLogger("AGE") } -const privateKeySizeLimit = 1 << 24 // 16 MiB - // MasterKey is an age key used to encrypt and decrypt sops' data key. type MasterKey struct { Identity string // a Bech32-encoded private key Recipient string // a Bech32-encoded public key EncryptedKey string // a sops data key encrypted with age - parsedIdentity *age.X25519Identity // a parsed age private key parsedRecipient *age.X25519Recipient // a parsed age public key } From 688fa225babfc3009764652eb70ba82db0a730bc Mon Sep 17 00:00:00 2001 From: Enrico204 Date: Wed, 2 Jun 2021 23:43:45 +0200 Subject: [PATCH 2/9] Remove SOPS_GPG_KEYSERVER reference in README.rst --- README.rst | 6 ------ 1 file changed, 6 deletions(-) diff --git a/README.rst b/README.rst index 795318db6..72d7ab796 100644 --- a/README.rst +++ b/README.rst @@ -704,12 +704,6 @@ By default, ``sops`` uses the key server ``keys.openpgp.org`` to retrieve the GP keys that are not present in the local keyring. This is no longer configurable. You can learn more about why from this write-up: `SKS Keyserver Network Under Attack `_. -Example: place the following in your ``~/.bashrc`` - -.. code:: bash - - SOPS_GPG_KEYSERVER = 'gpg.example.com' - Key groups ~~~~~~~~~~ From 72c0ab63a622aae90cc4347e2a3d14ec1761e3b2 Mon Sep 17 00:00:00 2001 
From: Julien Acroute Date: Mon, 17 Aug 2020 08:32:49 +0200 Subject: [PATCH 3/9] fix: typo in an example The suffix is 'unecrypted' --- example.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/example.yaml b/example.yaml index e79b06e03..a22d69e64 100644 --- a/example.yaml +++ b/example.yaml @@ -25,7 +25,7 @@ this: somelist_unencrypted: - all elements of this list - remain in clear text -- because of the _encrypted suffix in the key +- because of the _unencrypted suffix in the key nested_unencrypted: this: is: From f6e98911e044c576fc9cde38788bc3c1f22e5cb4 Mon Sep 17 00:00:00 2001 From: brant4test Date: Sun, 12 Dec 2021 16:09:50 +0800 Subject: [PATCH 4/9] fix a typo --- README.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.rst b/README.rst index b05fcf107..a3f811a15 100644 --- a/README.rst +++ b/README.rst @@ -1207,7 +1207,7 @@ This file will not work in sops: - array - elements -But this one will because because the ``sops`` key can be added at the same level as the +But this one will work because the ``sops`` key can be added at the same level as the ``data`` key. .. code:: yaml From a98768b3b6017d97e725f907e7f2b2a75a509a6f Mon Sep 17 00:00:00 2001 From: Alex Castle Date: Tue, 15 Feb 2022 08:38:31 -0800 Subject: [PATCH 5/9] Fix flakey test run on OSX On OSX newer versions of docker treat the host 'localhost' differently than '127.0.0.1'. Using resource.GetHostPort for url building will return an OS appropriate hostname --- hcvault/keysource_test.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hcvault/keysource_test.go b/hcvault/keysource_test.go index 9290acc1a..48a31dc83 100644 --- a/hcvault/keysource_test.go +++ b/hcvault/keysource_test.go 
@@ -25,7 +25,8 @@ func TestMain(m *testing.M) { logger.Fatalf("Could not start resource: %s", err) } - os.Setenv("VAULT_ADDR", fmt.Sprintf("http://127.0.0.1:%v", resource.GetPort("8200/tcp"))) + vaultAddr := fmt.Sprintf("http://%s", resource.GetHostPort("8200/tcp")) + os.Setenv("VAULT_ADDR", vaultAddr) os.Setenv("VAULT_TOKEN", "secret") // exponential backoff-retry, because the application in the container might not be ready to accept connections yet if err := pool.Retry(func() error { @@ -45,7 +46,7 @@ func TestMain(m *testing.M) { logger.Fatalf("Could not connect to docker: %s", err) } - key := NewMasterKey(fmt.Sprintf("http://127.0.0.1:%v", resource.GetPort("8200/tcp")), "sops", "main") + key := NewMasterKey(vaultAddr, "sops", "main") err = key.createVaultTransitAndKey() if err != nil { logger.Fatal(err) From dc2267e3721a1037895050f4fd02974a31692ded Mon Sep 17 00:00:00 2001 From: AJ Bahnken Date: Thu, 24 Feb 2022 14:12:58 -0800 Subject: [PATCH 6/9] Upgrade to go 1.17 --- .github/workflows/cli.yml | 4 +-- Dockerfile | 2 +- Dockerfile.alpine | 3 +- Makefile | 2 +- go.mod | 70 ++++++++++++++++++++++++++++++--------- 5 files changed, 61 insertions(+), 20 deletions(-) diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml index 3f493bb4c..b26047f9c 100644 --- a/.github/workflows/cli.yml +++ b/.github/workflows/cli.yml @@ -24,10 +24,10 @@ jobs: steps: - name: Install dependencies run: sudo apt-get update && sudo apt-get install git -y - - name: Set up Go 1.13 + - name: Set up Go 1.17 uses: actions/setup-go@v2 with: - go-version: 1.13 + go-version: 1.17 id: go - name: Check out code into the Go module directory uses: actions/checkout@v2 diff --git a/Dockerfile b/Dockerfile index 8585f16c7..23032828a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15 +FROM golang:1.17 COPY . /go/src/go.mozilla.org/sops WORKDIR /go/src/go.mozilla.org/sops diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 2be5d6b5c..1a782facf 100644 
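Review bot: `vaultAddr` is built from `resource.GetHostPort("8200/tcp")` without looking at the result, so if the port mapping is absent (dockertest returns an empty string in that case, as far as I recall) the address silently becomes the bare `http://` and the failure only shows up inside the exponential backoff-retry loop below instead of at the point of the mistake. Capturing the host:port first and failing fast is three lines: `hostPort := resource.GetHostPort("8200/tcp")`, `if hostPort == "" { logger.Fatal("vault container did not expose 8200/tcp") }`, `vaultAddr := fmt.Sprintf("http://%s", hostPort)`. The two `os.Setenv` calls in the same hunk also discard their error returns; everything downstream depends on VAULT_ADDR/VAULT_TOKEN being set, so a `logger.Fatalf` on a non-nil error would match the surrounding `Could not start resource` handling. TestMain continues outside the hunk.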
--- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -1,4 +1,5 @@ FROM golang:1.12-alpine3.10 AS builder +FROM golang:1.17-alpine3.15 AS builder RUN apk --no-cache add make @@ -8,7 +9,7 @@ WORKDIR /go/src/go.mozilla.org/sops RUN CGO_ENABLED=1 make install -FROM alpine:3.10 +FROM alpine:3.15 RUN apk --no-cache add \ vim ca-certificates diff --git a/Makefile b/Makefile index b20bda234..066c5b1e4 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ # file, You can obtain one at http://mozilla.org/MPL/2.0/. PROJECT := go.mozilla.org/sops/v3 -GO := GO15VENDOREXPERIMENT=1 GO111MODULE=on GOPROXY=https://proxy.golang.org go +GO := GOPROXY=https://proxy.golang.org go GOLINT := golint all: test vet generate install functional-tests diff --git a/go.mod b/go.mod index 37784afcd..ef719487e 100644 --- a/go.mod +++ b/go.mod 
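Review bot: The first hunk of Dockerfile.alpine adds `FROM golang:1.17-alpine3.15 AS builder` but does not remove the old `FROM golang:1.12-alpine3.10 AS builder` line right above it: the hunk header `@@ -1,4 +1,5 @@` records one insertion and no deletion, and the diffstat's `3 +-` for this file only balances if the 1.12 line survived as context. The result is two consecutive stages both named `builder`, which the build will most likely reject as a duplicate stage name (and at best leaves an unused golang:1.12/alpine3.10 stage in the build). The fix is to make the stale line a deletion: `-FROM golang:1.12-alpine3.10 AS builder` / `+FROM golang:1.17-alpine3.15 AS builder`. Worth confirming against the committed file rather than the patch text, in case the `-` marker was lost in transit.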
@@ -1,42 +1,28 @@ module go.mozilla.org/sops/v3 -go 1.13 +go 1.17 require ( cloud.google.com/go v0.43.0 filippo.io/age v1.0.0-beta7 github.com/Azure/azure-sdk-for-go v31.2.0+incompatible - github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect github.com/Azure/go-autorest/autorest v0.9.0 github.com/Azure/go-autorest/autorest/azure/auth v0.1.0 - github.com/Azure/go-autorest/autorest/to v0.3.0 // indirect - github.com/Azure/go-autorest/autorest/validation v0.2.0 // indirect - github.com/Microsoft/go-winio v0.4.14 // indirect - github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect github.com/aws/aws-sdk-go v1.37.18 github.com/blang/semver v3.5.1+incompatible - github.com/cenkalti/backoff v2.2.1+incompatible // indirect - github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc // indirect - github.com/docker/go-connections v0.4.0 // indirect - github.com/docker/go-units v0.4.0 // indirect github.com/fatih/color v1.7.0 github.com/golang/protobuf v1.4.1 github.com/google/go-cmp v0.5.0 github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf - github.com/gotestyourself/gotestyourself v2.2.0+incompatible // indirect github.com/goware/prefixer v0.0.0-20160118172347-395022866408 github.com/hashicorp/vault/api v1.0.4 github.com/howeyc/gopass v0.0.0-20170109162249-bf9dde6d0d2c github.com/lib/pq v1.2.0 github.com/mitchellh/go-homedir v1.1.0 github.com/mitchellh/go-wordwrap v1.0.0 - github.com/opencontainers/go-digest v1.0.0-rc1 // indirect - github.com/opencontainers/image-spec v1.0.1 // indirect - github.com/opencontainers/runc v0.1.1 // indirect github.com/ory/dockertest v3.3.4+incompatible github.com/pkg/errors v0.9.1 github.com/sirupsen/logrus v1.4.2 - github.com/smartystreets/goconvey v0.0.0-20190710185942-9d28bd7c0945 // indirect github.com/stretchr/testify v1.5.1 go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 
@@ -49,5 +35,59 @@ require ( gopkg.in/ini.v1 v1.44.0 gopkg.in/urfave/cli.v1 v1.20.0 gopkg.in/yaml.v3 v3.0.0-20210107172259-749611fa9fcc +) + +require ( + github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect + github.com/Azure/go-autorest/autorest/adal v0.5.0 // indirect + github.com/Azure/go-autorest/autorest/azure/cli v0.1.0 // indirect + github.com/Azure/go-autorest/autorest/date v0.1.0 // indirect + github.com/Azure/go-autorest/autorest/to v0.3.0 // indirect + github.com/Azure/go-autorest/autorest/validation v0.2.0 // indirect + github.com/Azure/go-autorest/logger v0.1.0 // indirect + github.com/Azure/go-autorest/tracing v0.5.0 // indirect + github.com/Microsoft/go-winio v0.4.14 // indirect + github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect + github.com/cenkalti/backoff v2.2.1+incompatible // indirect + github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc // indirect + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect + github.com/dimchansky/utfbom v1.1.0 // indirect + github.com/docker/go-connections v0.4.0 // indirect + github.com/docker/go-units v0.4.0 // indirect + github.com/golang/snappy v0.0.1 // indirect + github.com/googleapis/gax-go/v2 v2.0.5 // indirect + github.com/gotestyourself/gotestyourself v2.2.0+incompatible // indirect + github.com/hashicorp/errwrap v1.0.0 // indirect + github.com/hashicorp/go-cleanhttp v0.5.1 // indirect + github.com/hashicorp/go-multierror v1.0.0 // indirect + github.com/hashicorp/go-retryablehttp v0.5.4 // indirect + github.com/hashicorp/go-rootcerts v1.0.1 // indirect + github.com/hashicorp/go-sockaddr v1.0.2 // indirect + github.com/hashicorp/golang-lru v0.5.1 // indirect + github.com/hashicorp/hcl v1.0.0 // indirect + github.com/hashicorp/vault/sdk v0.1.13 // indirect + github.com/jmespath/go-jmespath v0.4.0 // indirect + github.com/konsorten/go-windows-terminal-sequences v1.0.1 // indirect + 
github.com/mattn/go-colorable v0.0.9 // indirect + github.com/mattn/go-isatty v0.0.3 // indirect + github.com/mitchellh/mapstructure v1.1.2 // indirect + github.com/opencontainers/go-digest v1.0.0-rc1 // indirect + github.com/opencontainers/image-spec v1.0.1 // indirect + github.com/opencontainers/runc v0.1.1 // indirect + github.com/pierrec/lz4 v2.0.5+incompatible // indirect + github.com/pmezard/go-difflib v1.0.0 // indirect + github.com/ryanuber/go-glob v1.0.0 // indirect + github.com/sergi/go-diff v1.1.0 // indirect + github.com/smartystreets/goconvey v0.0.0-20190710185942-9d28bd7c0945 // indirect + github.com/stretchr/objx v0.1.1 // indirect + go.opencensus.io v0.22.0 // indirect + golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 // indirect + golang.org/x/text v0.3.3 // indirect + golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 // indirect + google.golang.org/appengine v1.6.1 // indirect + google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 // indirect + gopkg.in/square/go-jose.v2 v2.3.1 // indirect + gopkg.in/yaml.v2 v2.2.8 // indirect gotest.tools v2.2.0+incompatible // indirect ) From 076f29539434046c7fc76fbac33d90580bfe866f Mon Sep 17 00:00:00 2001 From: AJ Bahnken Date: Thu, 24 Feb 2022 14:13:20 -0800 Subject: [PATCH 7/9] rm extra whitespace in CircleCI config --- .circleci/config.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 4f84e2dc7..b55a04f7a 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -4,10 +4,10 @@ workflows: build-and-deploy: jobs: - build - - push: + - push: filters: tags: - only: /^v.*/ + only: /^v.*/ branches: ignore: /.*/ jobs: @@ -30,7 +30,7 @@ jobs: resource_class: large steps: - checkout - - run: + - run: name: semver check command: | MAJOR=$(echo ${CIRCLE_TAG#v} | cut -d"." -f1) 
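Review bot: The new explicit indirect block lists `github.com/dgrijalva/jwt-go v3.2.0+incompatible`, the archived upstream that carries a published security advisory and has been superseded by the maintained fork `github.com/golang-jwt/jwt`; it is presumably pulled in through `github.com/Azure/go-autorest/autorest/adal v0.5.0`, so bumping the Azure autorest modules (or adding a `replace` directive for the fork) is the way to drop it. More generally, Go 1.17 module graph pruning is what makes every indirect dependency visible here for the first time, and several of them are old enough to deserve a vulnerability scan before the next release — `github.com/opencontainers/runc v0.1.1`, `gopkg.in/square/go-jose.v2 v2.3.1` and `golang.org/x/crypto` at a 2021 pseudo-version stand out. The diffstat lists go.mod but not go.sum; a `go mod tidy` at go 1.17 normally touches both, so CI should confirm that `go build -mod=readonly` still passes with the go.sum as committed.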
@@ -46,8 +46,8 @@ jobs: This job uses the semver from the git TAG as the public version to publish. - - This should only run on workflows triggered by a tag. - - The tag name should be a semver like 'v1.2.3' + - This should only run on workflows triggered by a tag. + - The tag name should be a semver like 'v1.2.3' - The version should follow conventions documented at https://github.com/fsaintjacques/semver-tool EOF exit 1 From 7f503bcbfdab065216b3628a176662d8b1213d41 Mon Sep 17 00:00:00 2001 From: AJ Bahnken Date: Thu, 24 Feb 2022 14:16:10 -0800 Subject: [PATCH 8/9] Upgrade release job to go 1.17 --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 962edf62b..540d4b3da 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,10 +15,10 @@ jobs: run: sudo apt-get update && sudo apt-get install git ruby rpm -y - name: Install fpm run: gem install fpm || sudo gem install fpm - - name: Set up Go 1.15 + - name: Set up Go 1.17 uses: actions/setup-go@v2 with: - go-version: 1.15 + go-version: 1.17 id: go - name: Check out code into the Go module directory uses: actions/checkout@v2 From 4bd3e5a9b4399217453ff9b60f99ac0ea97c309f Mon Sep 17 00:00:00 2001 From: AJ Bahnken Date: Thu, 24 Feb 2022 14:48:30 -0800 Subject: [PATCH 9/9] Update pip package name in Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 23032828a..00d47c285 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,6 +5,6 @@ WORKDIR /go/src/go.mozilla.org/sops RUN CGO_ENABLED=1 make install RUN apt-get update -RUN apt-get install -y vim python-pip emacs +RUN apt-get install -y vim python3-pip emacs RUN pip install awscli ENV EDITOR vim
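Review bot: `RUN pip install awscli` on the line after the changed one still calls `pip`, which after this change only exists if the `python3-pip` package happens to ship a `pip` shim alongside `pip3`; `RUN pip3 install awscli` (or `python3 -m pip install awscli`) makes the interpreter explicit and survives base-image changes. While this layer is being touched, the awscli install is unpinned and unverified — it fetches whatever is latest on PyPI at build time — so a tool presumably present for AWS/KMS access should be pinned to a specific version with hash checking, or installed from the distro package. The `apt-get update` on the previous line is a separate `RUN` from the install; folding them into one `RUN` ending in `rm -rf /var/lib/apt/lists/*` avoids caching a stale package index in its own layer.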