diff --git a/.circleci/config.yml b/.circleci/config.yml index 4f84e2dc7..b55a04f7a 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -4,10 +4,10 @@ workflows: build-and-deploy: jobs: - build - - push: + - push: filters: tags: - only: /^v.*/ + only: /^v.*/ branches: ignore: /.*/ jobs: @@ -30,7 +30,7 @@ jobs: resource_class: large steps: - checkout - - run: + - run: name: semver check command: | MAJOR=$(echo ${CIRCLE_TAG#v} | cut -d"." -f1) @@ -46,8 +46,8 @@ jobs: This job uses the semver from the git TAG as the public version to publish. - - This should only run on workflows triggered by a tag. - - The tag name should be a semver like 'v1.2.3' + - This should only run on workflows triggered by a tag. + - The tag name should be a semver like 'v1.2.3' - The version should follow conventions documented at https://github.com/fsaintjacques/semver-tool EOF exit 1 diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml index 3f493bb4c..90b64f87f 100644 --- a/.github/workflows/cli.yml +++ b/.github/workflows/cli.yml @@ -12,11 +12,15 @@ on: jobs: build: - name: Build and test ${{ matrix.os }} + name: Build and test ${{ matrix.os }} ${{ matrix.arch }} runs-on: ubuntu-latest strategy: matrix: os: [linux, darwin, windows] + arch: [amd64, arm64] + exclude: + - os: windows + arch: arm64 env: VAULT_VERSION: "1.1.3" VAULT_TOKEN: "root" @@ -24,10 +28,10 @@ jobs: steps: - name: Install dependencies run: sudo apt-get update && sudo apt-get install git -y - - name: Set up Go 1.13 + - name: Set up Go 1.17 uses: actions/setup-go@v2 with: - go-version: 1.13 + go-version: 1.17 id: go - name: Check out code into the Go module directory uses: actions/checkout@v2 @@ -37,13 +41,24 @@ jobs: key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - - name: Build + - name: Build Linux and Darwin + if: matrix.os != 'windows' + run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} go build -o sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} -v ./cmd/sops + - name: Build Windows + if: matrix.os == 'windows' run: GOOS=${{ matrix.os }} go build -o sops-${{ matrix.os }}-${{ github.sha }} -v ./cmd/sops - name: Import test GPG keys run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done - name: Test run: make test - - name: Upload artifact + - name: Upload artifact for Linux and Darwin + if: matrix.os != 'windows' + uses: actions/upload-artifact@v2 + with: + name: sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} + path: sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} + - name: Upload artifact for Windows + if: matrix.os == 'windows' uses: actions/upload-artifact@v2 with: name: sops-${{ matrix.os }}-${{ github.sha }} @@ -63,9 +78,9 @@ jobs: uses: actions/checkout@v2 - uses: actions/download-artifact@v2 with: - name: sops-linux-${{ github.sha }} + name: sops-linux-amd64-${{ github.sha }} - name: Move SOPS binary - run: mv sops-linux-${{ github.sha }} ./functional-tests/sops + run: mv sops-linux-amd64-${{ github.sha }} ./functional-tests/sops - name: Make SOPS binary executable run: chmod +x ./functional-tests/sops - name: Download Vault diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 962edf62b..4a64fe7ba 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,13 +15,15 @@ jobs: run: sudo apt-get update && sudo apt-get install git ruby rpm -y - name: Install fpm run: gem install fpm || sudo gem install fpm - - name: Set up Go 1.15 + - name: Set up Go 1.17 uses: actions/setup-go@v2 with: - go-version: 1.15 + go-version: 1.17 id: go - name: Check out code into the Go module directory uses: actions/checkout@v2 + - name: Go vendor + run: go mod vendor - name: Make release directory run: mkdir dist - name: Build deb and rpm @@ -32,12 +34,18 @@ jobs: run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV - name: Set RELEASE_NUMBER run: echo "RELEASE_NUMBER=$(echo $RELEASE_VERSION | cut -c2-)" >> $GITHUB_ENV - - name: Build darwin binary - run: GOOS=darwin CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.darwin go.mozilla.org/sops/v3/cmd/sops + - name: Build linux arm64 binary + run: GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.linux.arm64 go.mozilla.org/sops/v3/cmd/sops + - name: Build darwin amd64 binary + run: GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.darwin.amd64 go.mozilla.org/sops/v3/cmd/sops + - name: Copy darwin amd64 to have a no-architecture labeled version + run: cp dist/sops-${{ env.RELEASE_VERSION }}.darwin.amd64 dist/sops-${{ env.RELEASE_VERSION }}.darwin + - name: Build darwin arm64 binary + run: GOOS=darwin GOARCH=arm64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.darwin.arm64 go.mozilla.org/sops/v3/cmd/sops - name: Build windows binary run: GOOS=windows CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.exe go.mozilla.org/sops/v3/cmd/sops - name: Copy already built linux binary - run: cp tmppkg/usr/local/bin/sops dist/sops-${{ env.RELEASE_VERSION }}.linux + run: cp tmppkg/usr/local/bin/sops dist/sops-${{ env.RELEASE_VERSION }}.linux && cp tmppkg/usr/local/bin/sops dist/sops-${{ env.RELEASE_VERSION }}.linux.amd64 - name: Create release uses: "mozilla/action-automatic-releases@latest" with: @@ -45,7 +53,13 @@ jobs: prerelease: true files: | dist/sops-${{ env.RELEASE_VERSION }}.exe + dist/sops-${{ env.RELEASE_VERSION }}.darwin.amd64 + dist/sops-${{ env.RELEASE_VERSION }}.darwin.arm64 dist/sops-${{ env.RELEASE_VERSION }}.darwin + dist/sops-${{ env.RELEASE_VERSION }}.linux.amd64 + dist/sops-${{ env.RELEASE_VERSION }}.linux.arm64 dist/sops-${{ env.RELEASE_VERSION }}.linux dist/sops_${{ env.RELEASE_NUMBER }}_amd64.deb + dist/sops_${{ env.RELEASE_NUMBER }}_arm64.deb dist/sops-${{ env.RELEASE_NUMBER }}-1.x86_64.rpm + dist/sops-${{ env.RELEASE_NUMBER }}-1.aarch64.rpm diff --git a/Dockerfile b/Dockerfile index 8585f16c7..00d47c285 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,10 +1,10 @@ -FROM golang:1.15 +FROM golang:1.17 COPY . /go/src/go.mozilla.org/sops WORKDIR /go/src/go.mozilla.org/sops RUN CGO_ENABLED=1 make install RUN apt-get update -RUN apt-get install -y vim python-pip emacs +RUN apt-get install -y vim python3-pip emacs RUN pip install awscli ENV EDITOR vim diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 2be5d6b5c..1a782facf 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -1,4 +1,5 @@ FROM golang:1.12-alpine3.10 AS builder +FROM golang:1.17-alpine3.15 AS builder RUN apk --no-cache add make @@ -8,7 +9,7 @@ WORKDIR /go/src/go.mozilla.org/sops RUN CGO_ENABLED=1 make install -FROM alpine:3.10 +FROM alpine:3.15 RUN apk --no-cache add \ vim ca-certificates diff --git a/Makefile b/Makefile index b20bda234..0e9838117 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ # file, You can obtain one at http://mozilla.org/MPL/2.0/. PROJECT := go.mozilla.org/sops/v3 -GO := GO15VENDOREXPERIMENT=1 GO111MODULE=on GOPROXY=https://proxy.golang.org go +GO := GOPROXY=https://proxy.golang.org go GOLINT := golint all: test vet generate install functional-tests @@ -48,31 +48,47 @@ functional-tests-all: $(GO) build -o functional-tests/sops go.mozilla.org/sops/v3/cmd/sops cd functional-tests && cargo test && cargo test -- --ignored -deb-pkg: vendor +# Creates variables during target re-definition. Basically this block allows the particular variables to be used in the final target +build-deb-%: OS = $(word 1,$(subst -, ,$*)) +build-deb-%: ARCH = $(word 2,$(subst -, ,$*)) +build-deb-%: FPM_ARCH = $(word 3,$(subst -, ,$*)) +# Poor-mans function with parameters being split out from the variable part of it's name +build-deb-%: rm -rf tmppkg mkdir -p tmppkg/usr/local/bin - GOOS=linux CGO_ENABLED=0 go build -mod vendor -o tmppkg/usr/local/bin/sops go.mozilla.org/sops/v3/cmd/sops + GOOS=$(OS) GOARCH="$(ARCH)" CGO_ENABLED=0 go build -mod vendor -o tmppkg/usr/local/bin/sops go.mozilla.org/sops/v3/cmd/sops fpm -C tmppkg -n sops --license MPL2.0 --vendor mozilla \ --description "Sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP." \ -m "AJ Bahnken " \ --url https://go.mozilla.org/sops \ - --architecture x86_64 \ + --architecture $(FPM_ARCH) \ -v "$$(grep '^const Version' version/version.go |cut -d \" -f 2)" \ -s dir -t deb . -rpm-pkg: vendor +# Create .deb packages for multiple architectures +deb-pkg: vendor build-deb-linux-amd64-x86_64 build-deb-linux-arm64-arm64 + +# Creates variables during target re-definition. Basically this block allows the particular variables to be used in the final target +build-rpm-%: OS = $(word 1,$(subst -, ,$*)) +build-rpm-%: ARCH = $(word 2,$(subst -, ,$*)) +build-rpm-%: FPM_ARCH = $(word 3,$(subst -, ,$*)) +# Poor-mans function with parameters being split out from the variable part of it's name +build-rpm-%: rm -rf tmppkg mkdir -p tmppkg/usr/local/bin - GOOS=linux CGO_ENABLED=0 go build -mod vendor -o tmppkg/usr/local/bin/sops go.mozilla.org/sops/v3/cmd/sops + GOOS=$(OS) GOARCH="$(ARCH)" CGO_ENABLED=0 go build -mod vendor -o tmppkg/usr/local/bin/sops go.mozilla.org/sops/v3/cmd/sops fpm -C tmppkg -n sops --license MPL2.0 --vendor mozilla \ --description "Sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP." \ -m "AJ Bahnken " \ --url https://go.mozilla.org/sops \ - --architecture x86_64 \ - --rpm-os linux \ + --architecture $(FPM_ARCH) \ + --rpm-os $(OS) \ -v "$$(grep '^const Version' version/version.go |cut -d \" -f 2)" \ -s dir -t rpm . +# Create .rpm packages for multiple architectures +rpm-pkg: vendor build-rpm-linux-amd64-x86_64 build-rpm-linux-arm64-arm64 + dmg-pkg: install ifneq ($(OS),darwin) echo 'you must be on MacOS and set OS=darwin on the make command line to build an OSX package' @@ -82,7 +98,7 @@ else cp $$GOPATH/bin/sops tmppkg/usr/local/bin/ fpm -C tmppkg -n sops --license MPL2.0 --vendor mozilla \ --description "Sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP." \ - -m "Julien Vehent " \ + -m "Mozilla Security " \ --url https://go.mozilla.org/sops \ --architecture x86_64 \ -v "$$(grep '^const Version' version/version.go |cut -d \" -f 2)" \ diff --git a/README.rst b/README.rst index 795318db6..c3727a077 100644 --- a/README.rst +++ b/README.rst @@ -9,11 +9,8 @@ formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. ------------ -.. image:: https://godoc.org/go.mozilla.org/sops?status.svg - :target: https://godoc.org/go.mozilla.org/sops - -.. image:: https://travis-ci.org/mozilla/sops.svg?branch=master - :target: https://travis-ci.org/mozilla/sops +.. image:: https://pkg.go.dev/badge/go.mozilla.org/sops/v3.svg + :target: https://pkg.go.dev/go.mozilla.org/sops/v3 Download -------- @@ -28,12 +25,13 @@ For the adventurous, unstable features are available in the `develop` branch, wh .. code:: bash - $ go get -u go.mozilla.org/sops/v3/cmd/sops + $ mkdir -p $GOPATH/src/go.mozilla.org/sops/ + $ git clone https://github.com/mozilla/sops.git $GOPATH/src/go.mozilla.org/sops/ $ cd $GOPATH/src/go.mozilla.org/sops/ $ git checkout develop $ make install -(requires Go >= 1.13) +(requires Go >= 1.17) If you don't have Go installed, set it up with: @@ -46,12 +44,7 @@ If you don't have Go installed, set it up with: Or whatever variation of the above fits your system and shell. -To use **sops** as a library, take a look at the `decrypt package `_. - -**What happened to Python Sops?** We rewrote Sops in Go to solve a number of -deployment issues, but the Python branch still exists under ``python-sops``. We -will keep maintaining it for a while, and you can still ``pip install sops``, -but we strongly recommend you use the Go version instead. +To use **sops** as a library, take a look at the `decrypt package `_. .. sectnum:: .. contents:: Table of Contents @@ -197,6 +190,8 @@ configuration directory. On Linux, this would be ``$XDG_CONFIG_HOME/sops/age/key On macOS, this would be ``$HOME/Library/Application Support/sops/age/keys.txt``. On Windows, this would be ``%AppData%\sops\age\keys.txt``. You can specify the location of this file manually by setting the environment variable **SOPS_AGE_KEY_FILE**. +Alternatively you can provide the the key(s) directly by setting the **SOPS_AGE_KEY** +environment variable. The contents of this key file should be a list of age X25519 identities, one per line. Lines beginning with ``#`` are considered comments and ignored. Each @@ -704,12 +699,6 @@ By default, ``sops`` uses the key server ``keys.openpgp.org`` to retrieve the GP keys that are not present in the local keyring. This is no longer configurable. You can learn more about why from this write-up: `SKS Keyserver Network Under Attack `_. -Example: place the following in your ``~/.bashrc`` - -.. code:: bash - - SOPS_GPG_KEYSERVER = 'gpg.example.com' - Key groups ~~~~~~~~~~ @@ -1207,7 +1196,7 @@ This file will not work in sops: - array - elements -But this one will because because the ``sops`` key can be added at the same level as the +But this one will work because the ``sops`` key can be added at the same level as the ``data`` key. .. code:: yaml @@ -1374,26 +1363,6 @@ The value must be formatted as json. $ sops --set '["an_array"][1] {"uid1":null,"uid2":1000,"uid3":["bob"]}' ~/git/svc/sops/example.yaml -Using sops as a library in a python script -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -You can import sops as a module and use it in your python program. - -.. code:: python - - import sops - - pathtype = sops.detect_filetype(path) - tree = sops.load_file_into_tree(path, pathtype) - sops_key, tree = sops.get_key(tree) - tree = sops.walk_and_decrypt(tree, sops_key) - sops.write_file(tree, path=path, filetype=pathtype) - -Note: this uses the previous implementation of `sops` written in python, - -and so doesn't support newer features such as GCP-KMS. -To use the current version, call out to ``sops`` using ``subprocess.run`` - Showing diffs in cleartext in git ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -1709,8 +1678,8 @@ file format introduced in **1.0**. Security -------- -Please report security issues to jvehent at mozilla dot com, or by using one -of the contact method available on keybase: `https://keybase.io/jvehent `_ +Please report security issues to security at mozilla dot org, or by using one +of the contact method available here: `https://www.mozilla.org/en-US/security/#For_Developers `_ License ------- @@ -1721,9 +1690,12 @@ Authors The core team is composed of: +* AJ Banhken @ajvb + +The original authors were: + * Adrian Utrilla @autrilla * Julien Vehent @jvehent -* AJ Banhken @ajvb And a whole bunch of `contributors `_ diff --git a/age/keysource.go b/age/keysource.go index 941f422dc..e9e874ddf 100644 --- a/age/keysource.go +++ b/age/keysource.go @@ -20,7 +20,8 @@ func init() { log = logging.NewLogger("AGE") } -const privateKeySizeLimit = 1 << 24 // 16 MiB +const SopsAgeKeyEnv = "SOPS_AGE_KEY" +const SopsAgeKeyFileEnv = "SOPS_AGE_KEY_FILE" // MasterKey is an age key used to encrypt and decrypt sops' data key. type MasterKey struct { @@ -28,7 +29,6 @@ type MasterKey struct { Recipient string // a Bech32-encoded public key EncryptedKey string // a sops data key encrypted with age - parsedIdentity *age.X25519Identity // a parsed age private key parsedRecipient *age.X25519Recipient // a parsed age public key } @@ -96,27 +96,46 @@ func (key *MasterKey) SetEncryptedDataKey(enc []byte) { // Decrypt decrypts the EncryptedKey field with the age identity and returns the result. func (key *MasterKey) Decrypt() ([]byte, error) { - ageKeyFilePath, ok := os.LookupEnv("SOPS_AGE_KEY_FILE") + var ageKeyReader io.Reader + var ageKeyReaderName string + + if ageKeyReader == nil { + ageKey, ok := os.LookupEnv(SopsAgeKeyEnv) + if ok { + ageKeyReader = strings.NewReader(ageKey) + ageKeyReaderName = "environment variable" + } + } - if !ok { - userConfigDir, err := os.UserConfigDir() + if ageKeyReader == nil { + ageKeyFilePath, ok := os.LookupEnv(SopsAgeKeyFileEnv) + if ok { + ageKeyFile, err := os.Open(ageKeyFilePath) + if err != nil { + return nil, fmt.Errorf("failed to open file: %w", err) + } + defer ageKeyFile.Close() + ageKeyReader = ageKeyFile + ageKeyReaderName = ageKeyFilePath + } + } + if ageKeyReader == nil { + userConfigDir, err := os.UserConfigDir() if err != nil { return nil, fmt.Errorf("user config directory could not be determined: %w", err) } - - ageKeyFilePath = filepath.Join(userConfigDir, "sops", "age", "keys.txt") - } - - ageKeyFile, err := os.Open(ageKeyFilePath) - - if err != nil { - return nil, fmt.Errorf("failed to open file: %w", err) + ageKeyFilePath := filepath.Join(userConfigDir, "sops", "age", "keys.txt") + ageKeyFile, err := os.Open(ageKeyFilePath) + if err != nil { + return nil, fmt.Errorf("failed to open file: %w", err) + } + defer ageKeyFile.Close() + ageKeyReader = ageKeyFile + ageKeyReaderName = ageKeyFilePath } - defer ageKeyFile.Close() - - identities, err := age.ParseIdentities(ageKeyFile) + identities, err := age.ParseIdentities(ageKeyReader) if err != nil { return nil, err @@ -127,7 +146,7 @@ func (key *MasterKey) Decrypt() ([]byte, error) { r, err := age.Decrypt(ar, identities...) if err != nil { - return nil, fmt.Errorf("no age identity found in %q that could decrypt the data", ageKeyFilePath) + return nil, fmt.Errorf("no age identity found in %q that could decrypt the data", ageKeyReaderName) } var b bytes.Buffer diff --git a/age/keysource_test.go b/age/keysource_test.go index 35891b20f..0b30b355d 100644 --- a/age/keysource_test.go +++ b/age/keysource_test.go @@ -1,6 +1,7 @@ package age import ( + "io/ioutil" "os" "path" "runtime" @@ -44,7 +45,7 @@ func TestAge(t *testing.T) { assert.NoError(err) _, filename, _, _ := runtime.Caller(0) - err = os.Setenv("SOPS_AGE_KEY_FILE", path.Join(path.Dir(filename), "keys.txt")) + err = os.Setenv(SopsAgeKeyFileEnv, path.Join(path.Dir(filename), "keys.txt")) assert.NoError(err) decryptedKey, err := key.Decrypt() @@ -70,7 +71,33 @@ DOMAIN=files.127.0.0.1.nip.io` assert.NoError(err) _, filename, _, _ := runtime.Caller(0) - err = os.Setenv("SOPS_AGE_KEY_FILE", path.Join(path.Dir(filename), "keys.txt")) + err = os.Setenv(SopsAgeKeyFileEnv, path.Join(path.Dir(filename), "keys.txt")) + defer os.Unsetenv(SopsAgeKeyFileEnv) + assert.NoError(err) + + decryptedKey, err := key.Decrypt() + assert.NoError(err) + assert.Equal(dataKey, decryptedKey) +} + +func TestAgeEnv(t *testing.T) { + assert := assert.New(t) + + key, err := MasterKeyFromRecipient("age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw") + + assert.NoError(err) + assert.Equal("age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw", key.ToString()) + + dataKey := []byte("abcdefghijklmnopqrstuvwxyz123456") + + err = key.Encrypt(dataKey) + assert.NoError(err) + + _, filename, _, _ := runtime.Caller(0) + keysBytes, err := ioutil.ReadFile(path.Join(path.Dir(filename), "keys.txt")) + assert.NoError(err) + err = os.Setenv(SopsAgeKeyEnv, string(keysBytes)) + defer os.Unsetenv(SopsAgeKeyEnv) assert.NoError(err) decryptedKey, err := key.Decrypt() diff --git a/example.yaml b/example.yaml index e79b06e03..a22d69e64 100644 --- a/example.yaml +++ b/example.yaml @@ -25,7 +25,7 @@ this: somelist_unencrypted: - all elements of this list - remain in clear text -- because of the _encrypted suffix in the key +- because of the _unencrypted suffix in the key nested_unencrypted: this: is: diff --git a/go.mod b/go.mod index 37784afcd..ef719487e 100644 --- a/go.mod +++ b/go.mod @@ -1,42 +1,28 @@ module go.mozilla.org/sops/v3 -go 1.13 +go 1.17 require ( cloud.google.com/go v0.43.0 filippo.io/age v1.0.0-beta7 github.com/Azure/azure-sdk-for-go v31.2.0+incompatible - github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect github.com/Azure/go-autorest/autorest v0.9.0 github.com/Azure/go-autorest/autorest/azure/auth v0.1.0 - github.com/Azure/go-autorest/autorest/to v0.3.0 // indirect - github.com/Azure/go-autorest/autorest/validation v0.2.0 // indirect - github.com/Microsoft/go-winio v0.4.14 // indirect - github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect github.com/aws/aws-sdk-go v1.37.18 github.com/blang/semver v3.5.1+incompatible - github.com/cenkalti/backoff v2.2.1+incompatible // indirect - github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc // indirect - github.com/docker/go-connections v0.4.0 // indirect - github.com/docker/go-units v0.4.0 // indirect github.com/fatih/color v1.7.0 github.com/golang/protobuf v1.4.1 github.com/google/go-cmp v0.5.0 github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf - github.com/gotestyourself/gotestyourself v2.2.0+incompatible // indirect github.com/goware/prefixer v0.0.0-20160118172347-395022866408 github.com/hashicorp/vault/api v1.0.4 github.com/howeyc/gopass v0.0.0-20170109162249-bf9dde6d0d2c github.com/lib/pq v1.2.0 github.com/mitchellh/go-homedir v1.1.0 github.com/mitchellh/go-wordwrap v1.0.0 - github.com/opencontainers/go-digest v1.0.0-rc1 // indirect - github.com/opencontainers/image-spec v1.0.1 // indirect - github.com/opencontainers/runc v0.1.1 // indirect github.com/ory/dockertest v3.3.4+incompatible github.com/pkg/errors v0.9.1 github.com/sirupsen/logrus v1.4.2 - github.com/smartystreets/goconvey v0.0.0-20190710185942-9d28bd7c0945 // indirect github.com/stretchr/testify v1.5.1 go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 @@ -49,5 +35,59 @@ require ( gopkg.in/ini.v1 v1.44.0 gopkg.in/urfave/cli.v1 v1.20.0 gopkg.in/yaml.v3 v3.0.0-20210107172259-749611fa9fcc +) + +require ( + github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect + github.com/Azure/go-autorest/autorest/adal v0.5.0 // indirect + github.com/Azure/go-autorest/autorest/azure/cli v0.1.0 // indirect + github.com/Azure/go-autorest/autorest/date v0.1.0 // indirect + github.com/Azure/go-autorest/autorest/to v0.3.0 // indirect + github.com/Azure/go-autorest/autorest/validation v0.2.0 // indirect + github.com/Azure/go-autorest/logger v0.1.0 // indirect + github.com/Azure/go-autorest/tracing v0.5.0 // indirect + github.com/Microsoft/go-winio v0.4.14 // indirect + github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect + github.com/cenkalti/backoff v2.2.1+incompatible // indirect + github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc // indirect + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect + github.com/dimchansky/utfbom v1.1.0 // indirect + github.com/docker/go-connections v0.4.0 // indirect + github.com/docker/go-units v0.4.0 // indirect + github.com/golang/snappy v0.0.1 // indirect + github.com/googleapis/gax-go/v2 v2.0.5 // indirect + github.com/gotestyourself/gotestyourself v2.2.0+incompatible // indirect + github.com/hashicorp/errwrap v1.0.0 // indirect + github.com/hashicorp/go-cleanhttp v0.5.1 // indirect + github.com/hashicorp/go-multierror v1.0.0 // indirect + github.com/hashicorp/go-retryablehttp v0.5.4 // indirect + github.com/hashicorp/go-rootcerts v1.0.1 // indirect + github.com/hashicorp/go-sockaddr v1.0.2 // indirect + github.com/hashicorp/golang-lru v0.5.1 // indirect + github.com/hashicorp/hcl v1.0.0 // indirect + github.com/hashicorp/vault/sdk v0.1.13 // indirect + github.com/jmespath/go-jmespath v0.4.0 // indirect + github.com/konsorten/go-windows-terminal-sequences v1.0.1 // indirect + github.com/mattn/go-colorable v0.0.9 // indirect + github.com/mattn/go-isatty v0.0.3 // indirect + github.com/mitchellh/mapstructure v1.1.2 // indirect + github.com/opencontainers/go-digest v1.0.0-rc1 // indirect + github.com/opencontainers/image-spec v1.0.1 // indirect + github.com/opencontainers/runc v0.1.1 // indirect + github.com/pierrec/lz4 v2.0.5+incompatible // indirect + github.com/pmezard/go-difflib v1.0.0 // indirect + github.com/ryanuber/go-glob v1.0.0 // indirect + github.com/sergi/go-diff v1.1.0 // indirect + github.com/smartystreets/goconvey v0.0.0-20190710185942-9d28bd7c0945 // indirect + github.com/stretchr/objx v0.1.1 // indirect + go.opencensus.io v0.22.0 // indirect + golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 // indirect + golang.org/x/text v0.3.3 // indirect + golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 // indirect + google.golang.org/appengine v1.6.1 // indirect + google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 // indirect + gopkg.in/square/go-jose.v2 v2.3.1 // indirect + gopkg.in/yaml.v2 v2.2.8 // indirect gotest.tools v2.2.0+incompatible // indirect ) diff --git a/hcvault/keysource_test.go b/hcvault/keysource_test.go index 9290acc1a..48a31dc83 100644 --- a/hcvault/keysource_test.go +++ b/hcvault/keysource_test.go @@ -25,7 +25,8 @@ func TestMain(m *testing.M) { logger.Fatalf("Could not start resource: %s", err) } - os.Setenv("VAULT_ADDR", fmt.Sprintf("http://127.0.0.1:%v", resource.GetPort("8200/tcp"))) + vaultAddr := fmt.Sprintf("http://%s", resource.GetHostPort("8200/tcp")) + os.Setenv("VAULT_ADDR", vaultAddr) os.Setenv("VAULT_TOKEN", "secret") // exponential backoff-retry, because the application in the container might not be ready to accept connections yet if err := pool.Retry(func() error { @@ -45,7 +46,7 @@ func TestMain(m *testing.M) { logger.Fatalf("Could not connect to docker: %s", err) } - key := NewMasterKey(fmt.Sprintf("http://127.0.0.1:%v", resource.GetPort("8200/tcp")), "sops", "main") + key := NewMasterKey(vaultAddr, "sops", "main") err = key.createVaultTransitAndKey() if err != nil { logger.Fatal(err) diff --git a/pgp/keysource_test.go b/pgp/keysource_test.go index 0c10996d1..1e66056bc 100644 --- a/pgp/keysource_test.go +++ b/pgp/keysource_test.go @@ -44,7 +44,10 @@ func TestPGPKeySourceFromString(t *testing.T) { } func TestRetrievePGPKey(t *testing.T) { - fingerprint := "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4" + // Requires a key available in https://keys.openpgp.org/ *with identity information* (that is, an email address). + // See https://keys.openpgp.org/about/faq#verify-multiple for details about identity information. + // We use the key of release@mozilla.com for here. + fingerprint := "14F26682D0916CDD81E37B6D61B7B526D98F0353" _, err := getKeyFromKeyServer(fingerprint) assert.NoError(t, err) }