Merge pull request #838 from mozilla/develop

v3.7.0 - develop -> master

.github/workflows/cli.yml

@@ -0,0 +1,77 @@
+name: CLI
+
+on:
+  push:
+    branches: [develop]
+  pull_request:
+    branches: [develop]
+
+jobs:
+  build:
+    name: Build and test ${{ matrix.os }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [linux, darwin, windows]
+    env:
+      VAULT_VERSION: "1.1.3"
+      VAULT_TOKEN: "root"
+      VAULT_ADDR: "http://127.0.0.1:8200"
+    steps:
+      - name: Install dependencies
+        run: sudo apt-get update && sudo apt-get install git -y
+      - name: Set up Go 1.13
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.13
+        id: go
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Build
+        run: GOOS=${{ matrix.os }} go build -o sops-${{ matrix.os }}-${{ github.sha }} -v ./cmd/sops
+      - name: Import test GPG keys
+        run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done
+      - name: Test
+        run: make test
+      - name: Upload artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: sops-${{ matrix.os }}-${{ github.sha }}
+          path: sops-${{ matrix.os }}-${{ github.sha }}
+  test:
+    name: Functional tests
+    runs-on: ubuntu-latest
+    needs: [build]
+    env:
+      VAULT_VERSION: "1.1.3"
+      VAULT_TOKEN: "root"
+      VAULT_ADDR: "http://127.0.0.1:8200"
+    steps:
+      - name: Install rustup
+        run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain 1.47.0
+      - name: Check out code
+        uses: actions/checkout@v2
+      - uses: actions/download-artifact@v2
+        with:
+          name: sops-linux-${{ github.sha }}
+      - name: Move SOPS binary
+        run: mv sops-linux-${{ github.sha }} ./functional-tests/sops
+      - name: Make SOPS binary executable
+        run: chmod +x ./functional-tests/sops
+      - name: Download Vault
+        run: curl -O "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" && sudo unzip vault_${VAULT_VERSION}_linux_amd64.zip -d /usr/local/bin/
+      - name: Start Vault server
+        run: vault server -dev -dev-root-token-id="$VAULT_TOKEN" &
+      - name: Enable Vault KV
+        run: vault secrets enable -version=1 kv
+      - name: Import test GPG keys
+        run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done
+      - name: Run tests
+        run: cargo test
+        working-directory: ./functional-tests

CHANGELOG.rst

@@ -1,6 +1,23 @@
 Changelog
 =========
 
+3.7.0
+-----
+Features:
+
+    * Add support for age (#688)
+    * Add filename to exec-file (#761)
+
+Changes:
+
+    * On failed decryption with GPG, return the error returned by GPG to the sops user (#762)
+    * Use yaml.v3 instead of modified yaml.v2 for handling YAML files (#791)
+    * Update aws-sdk-go to version v1.37.18 (#823)
+
+Project Changes:
+
+    * Switch from TravisCI to Github Actions (#792)
+
 3.6.1
 -----
 Features:

README.rst

@@ -2,7 +2,7 @@ SOPS: Secrets OPerationS
 ========================
 
 **sops** is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY
-formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault and PGP.
+formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.
 (`demo <https://www.youtube.com/watch?v=YTEVyLXFiq0>`_)
 
 .. image:: https://i.imgur.com/X0TM5NI.gif
@@ -178,6 +178,33 @@ the example files and pgp key provided with the repository::
 This last step will decrypt ``example.yaml`` using the test private key.
 
 
+Encrypting using age
+~~~~~~~~~~~~~~~~~~~~
+
+`age <https://age-encryption.org/>`_ is a simple, modern, and secure tool for
+encrypting files. It's recommended to use age over PGP, if possible.
+
+You can encrypt a file for one or more age recipients (comma separated) using
+the ``--age`` option or the **SOPS_AGE_RECIPIENTS** environment variable:
+
+.. code:: bash
+
+   $ sops --age age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw test.yaml > test.enc.yaml
+
+When decrypting a file with the corresponding identity, sops will look for a
+text file name ``keys.txt`` located in a ``sops`` subdirectory of your user
+configuration directory. On Linux, this would be ``$XDG_CONFIG_HOME/sops/keys.txt``.
+On macOS, this would be ``$HOME/Library/Application Support/sops/keys.txt``. On
+Windows, this would be ``%AppData%\sops\keys.txt``. You can specify the location
+of this file manually by setting the environment variable **SOPS_AGE_KEY_FILE**.
+
+The contents of this key file should be a list of age X25519 identities, one
+per line. Lines beginning with ``#`` are considered comments and ignored. Each
+identity will be tried in sequence until one is able to decrypt the data.
+
+Encrypting with SSH keys via age is not yet supported by sops.
+
+
 Encrypting using GCP KMS
 ~~~~~~~~~~~~~~~~~~~~~~~~
 GCP KMS uses `Application Default Credentials
@@ -372,7 +399,7 @@ The sops team recommends the ``updatekeys`` approach.
 ``updatekeys`` command
 **********************
 
-The ``updatekeys`` command uses the `.sops.yaml <#29using-sopsyaml-conf-to-select-kmspgp-for-new-files>`_
+The ``updatekeys`` command uses the `.sops.yaml <#using-sops-yaml-conf-to-select-kms-pgp-for-new-files>`_
 configuration file to update (add or remove) the corresponding secrets in the
 encrypted file. Note that the example below uses the
 `Block Scalar yaml construct <https://yaml-multiline.info/>`_ to build a space
@@ -675,7 +702,7 @@ Specify a different GPG key server
 
 By default, ``sops`` uses the key server ``keys.openpgp.org`` to retrieve the GPG
 keys that are not present in the local keyring.
-This is no longer configurable. You can learn more about why from this write-up: [SKS Keyserver Network Under Attack](https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f).
+This is no longer configurable. You can learn more about why from this write-up: `SKS Keyserver Network Under Attack <https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f>`_.
 
 Example: place the following in your ``~/.bashrc``
 
@@ -986,6 +1013,9 @@ encrypted file is only readable by root, but the target program does not
 need root privileges to function. This flag should be used where possible
 for added security.
 
+To overwrite the default file name (``tmp-file``) in ``exec-file`` use the
+``--filename <filename>`` parameter.
+
 .. code:: bash
 
    # the encrypted file can't be read by the current user
@@ -1402,7 +1432,7 @@ By default, ``sops`` encrypts all the values of a YAML or JSON file and leaves t
 keys in cleartext. In some instances, you may want to exclude some values from
 being encrypted. This can be accomplished by adding the suffix **_unencrypted**
 to any key of a file. When set, all values underneath the key that set the
-**_unencrypted** prefix will be left in cleartext.
+**_unencrypted** suffix will be left in cleartext.
 
 Note that, while in cleartext, unencrypted content is still added to the
 checksum of the file, and thus cannot be modified outside of sops without

age/keys.txt

@@ -0,0 +1,3 @@
+# created: 2020-07-18T03:16:47-07:00
+# public key: age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw
+AGE-SECRET-KEY-1NJT5YCS2LWU4V4QAJQ6R4JNU7LXPDX602DZ9NUFANVU5GDTGUWCQ5T59M6