From 9cc95d411b6c87a4336ced6c9552c4f1202ab0b1 Mon Sep 17 00:00:00 2001 From: AJ Bahnken Date: Thu, 25 Mar 2021 09:35:41 -0700 Subject: [PATCH 1/7] Add release workflow Fixes #841 --- .github/workflows/release.yml | 49 +++++++++++++++++++++++++++++++++++ Dockerfile | 2 +- Makefile | 13 +++++----- 3 files changed, 57 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 000000000..70d2913d1 --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,49 @@ +name: Release + +on: + push: + tags: + - "v*" + +jobs: + tagged-release: + name: "Tagged Release" + runs-on: ubuntu-latest + + steps: + - name: Install dependencies + run: sudo apt-get update && sudo apt-get install git ruby rpm -y + - name: Install fpm + run: gem install fpm || sudo gem install fpm + - name: Set up Go 1.15 + uses: actions/setup-go@v2 + with: + go-version: 1.15 + id: go + - name: Check out code into the Go module directory + uses: actions/checkout@v2 + - name: Make release directory + run: mkdir dist + - name: Build deb and rpm + run: make deb-pkg rpm-pkg + - name: Move deb and rpm into release directory + run: mv *.deb *.rpm dist/ + - name: Set RELEASE_VERSION + run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV + - name: Build darwin binary + run: GOOS=darwin CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.darwin go.mozilla.org/sops/v3/cmd/sops + - name: Build windows binary + run: GOOS=windows CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.exe go.mozilla.org/sops/v3/cmd/sops + - name: Copy already built linux binary + run: cp tmppkg/usr/local/bin/sops dist/sops-${{ env.RELEASE_VERSION }}.linux + - name: Create release + uses: "marvinpinto/action-automatic-releases@latest" + with: + repo_token: "${{ secrets.GITHUB_TOKEN }}" + prerelease: true + files: | + dist/sops-${{ env.RELEASE_VERSION }}.windows + dist/sops-${{ env.RELEASE_VERSION }}.darwin + dist/sops-${{ env.RELEASE_VERSION }}.linux + dist/sops_${{ env.RELEASE_VERSION }}_amd64.deb + dist/sops_${{ env.RELEASE_VERSION }}-1.x86_64.rpm diff --git a/Dockerfile b/Dockerfile index 2b19d13e0..8585f16c7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14 +FROM golang:1.15 COPY . /go/src/go.mozilla.org/sops WORKDIR /go/src/go.mozilla.org/sops diff --git a/Makefile b/Makefile index 81ae958ac..b20bda234 100644 --- a/Makefile +++ b/Makefile 
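Review bot: The `Create release` step runs `marvinpinto/action-automatic-releases@latest` with `repo_token` set to the workflow's GITHUB_TOKEN, so whatever the mutable `latest` tag points to at release time runs with the ability to publish release assets. Pin the action to a reviewed full commit SHA, e.g. `uses: "marvinpinto/action-automatic-releases@<full-commit-sha>"` (placeholder), and add a `permissions:` block limited to `contents: write`. The hunk in PATCH 2/7 switches to `mozilla/action-automatic-releases@latest` and keeps the same mutable ref. Separately, the `files:` list names `dist/sops-${{ env.RELEASE_VERSION }}.windows` while the Windows build step writes `dist/sops-${{ env.RELEASE_VERSION }}.exe`, so one of the two names needs to change or the Windows binary will not be attached. Publishing a checksum file next to the artifacts would also let users verify what they download.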
@@ -48,27 +48,28 @@ functional-tests-all: $(GO) build -o functional-tests/sops go.mozilla.org/sops/v3/cmd/sops cd functional-tests && cargo test && cargo test -- --ignored -deb-pkg: install +deb-pkg: vendor rm -rf tmppkg mkdir -p tmppkg/usr/local/bin - cp $$GOPATH/bin/sops tmppkg/usr/local/bin/ + GOOS=linux CGO_ENABLED=0 go build -mod vendor -o tmppkg/usr/local/bin/sops go.mozilla.org/sops/v3/cmd/sops fpm -C tmppkg -n sops --license MPL2.0 --vendor mozilla \ --description "Sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP." \ - -m "Julien Vehent " \ + -m "AJ Bahnken " \ --url https://go.mozilla.org/sops \ --architecture x86_64 \ -v "$$(grep '^const Version' version/version.go |cut -d \" -f 2)" \ -s dir -t deb . -rpm-pkg: install +rpm-pkg: vendor rm -rf tmppkg mkdir -p tmppkg/usr/local/bin - cp $$GOPATH/bin/sops tmppkg/usr/local/bin/ + GOOS=linux CGO_ENABLED=0 go build -mod vendor -o tmppkg/usr/local/bin/sops go.mozilla.org/sops/v3/cmd/sops fpm -C tmppkg -n sops --license MPL2.0 --vendor mozilla \ --description "Sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP." \ - -m "Julien Vehent " \ + -m "AJ Bahnken " \ --url https://go.mozilla.org/sops \ --architecture x86_64 \ + --rpm-os linux \ -v "$$(grep '^const Version' version/version.go |cut -d \" -f 2)" \ -s dir -t rpm . From dfc7af220ec8c231f42180aba53dffcb8bfdbeca Mon Sep 17 00:00:00 2001 From: AJ Bahnken Date: Tue, 30 Mar 2021 11:35:45 -0700 Subject: [PATCH 2/7] swap to fork of action-automatic-releases --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 70d2913d1..d0054b417 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -37,7 +37,7 @@ jobs: - name: Copy already built linux binary run: cp tmppkg/usr/local/bin/sops dist/sops-${{ env.RELEASE_VERSION }}.linux - name: Create release - uses: "marvinpinto/action-automatic-releases@latest" + uses: "mozilla/action-automatic-releases@latest" with: repo_token: "${{ secrets.GITHUB_TOKEN }}" prerelease: true From fdf4517ce8fa6578234105b9d627c1fff571ac1e Mon Sep 17 00:00:00 2001 From: Johan Fleury Date: Sat, 3 Apr 2021 22:17:45 -0400 Subject: [PATCH 3/7] Trim space from age keys --- age/keysource.go | 1 + age/keysource_test.go | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/age/keysource.go b/age/keysource.go index c0b9c6561..941f422dc 100644 --- a/age/keysource.go +++ b/age/keysource.go @@ -179,6 +179,7 @@ func MasterKeysFromRecipients(commaSeparatedRecipients string) ([]*MasterKey, er // MasterKeyFromRecipient takes a Bech32-encoded public key and returns a new MasterKey. func MasterKeyFromRecipient(recipient string) (*MasterKey, error) { + recipient = strings.TrimSpace(recipient) parsedRecipient, err := parseRecipient(recipient) if err != nil { diff --git a/age/keysource_test.go b/age/keysource_test.go index 2a3bebdfd..35891b20f 100644 --- a/age/keysource_test.go +++ b/age/keysource_test.go @@ -20,6 +20,16 @@ func TestMasterKeysFromRecipientsEmpty(t *testing.T) { assert.Equal(recipients, make([]*MasterKey, 0)) } +func TestMasterKeyFromRecipientWithLeadingAndTrailingSpaces(t *testing.T) { + assert := assert.New(t) + + key, err := MasterKeyFromRecipient(" age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw ") + + assert.NoError(err) + + assert.Equal(key.Recipient, "age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw") +} + func TestAge(t *testing.T) { assert := assert.New(t) From 1504dbcad1cff071da2bfbdfeca69abd7f78d88f Mon Sep 17 00:00:00 2001 
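Review bot: The doc comment above `MasterKeyFromRecipient` does not say that the input is now normalised, so callers cannot tell that surrounding whitespace is accepted and dropped. Suggest `// MasterKeyFromRecipient takes a Bech32-encoded public key, trims surrounding whitespace, and returns a new MasterKey.` The function body continues past the end of the hunk, so how `recipient` is stored afterwards is not visible here; the accompanying test implies the trimmed value ends up in `Recipient`.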
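Review bot: In `TestMasterKeyFromRecipientWithLeadingAndTrailingSpaces`, `assert.NoError(err)` does not stop the test, so if parsing fails `key` is presumably nil and the following `key.Recipient` panics instead of reporting a clean failure; guard it with `if !assert.NoError(err) { return }`. The arguments to `assert.Equal` are passed as (actual, expected), which testify labels the other way round in its failure output, so the string literal should come first. The case covers only spaces; a tab or a trailing newline, as when a key is read from a file, would be worth a second case.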
From: AJ Bahnken Date: Mon, 5 Apr 2021 11:16:48 -0700 Subject: [PATCH 4/7] Run CI tests against master as well --- .github/workflows/cli.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml index 30ffde52f..3f493bb4c 100644 --- a/.github/workflows/cli.yml +++ b/.github/workflows/cli.yml @@ -2,9 +2,13 @@ name: CLI on: push: - branches: [develop] + branches: + - develop + - master pull_request: - branches: [develop] + branches: + - develop + - master jobs: build: From 8a2fbc0aa423c5772c9fdf346c1e47af10e5a00f Mon Sep 17 00:00:00 2001 From: AJ Bahnken Date: Mon, 22 Mar 2021 15:05:10 -0700 Subject: [PATCH 5/7] Initial patch for advisory --- cmd/sops/edit.go | 2 +- go.mod | 2 +- go.sum | 3 ++- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/cmd/sops/edit.go b/cmd/sops/edit.go index 2741319df..d1d5e6a75 100644 --- a/cmd/sops/edit.go +++ b/cmd/sops/edit.go @@ -6,8 +6,8 @@ import ( "os" "crypto/md5" + exec "golang.org/x/sys/execabs" "io" - "os/exec" "strings" "bufio" diff --git a/go.mod b/go.mod index 3799fb843..37784afcd 100644 --- a/go.mod +++ b/go.mod @@ -42,7 +42,7 @@ require ( golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 - golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43 // indirect + golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43 google.golang.org/api v0.7.0 google.golang.org/grpc v1.27.0 google.golang.org/protobuf v1.25.0 diff --git a/go.sum b/go.sum index 976e3519a..c378fd2a4 100644 --- a/go.sum +++ b/go.sum 
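Review bot: The aliased import `exec "golang.org/x/sys/execabs"` in cmd/sops/edit.go has no comment saying why it replaces `os/exec`, and it sits inside the standard-library group, so a later import clean-up could revert it without noticing the security intent. Suggest moving it to the third-party group with a comment such as `// execabs refuses to run a program that PATH lookup resolved relative to the current directory; do not switch back to os/exec.` The patch touches only this file; any other `os/exec` call sites in the repository (not visible here) would need the same swap for the fix to be complete. The import block continues outside the hunk.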
@@ -327,6 +327,8 @@ golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43 h1:SgQ6LNaYJU0JIuEHv9+s6EbhSCwYeAf5Yvj6lpYlqAE= golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4 h1:EZ2mChiOa8udjfp6rRmswTbtZN/QzUQp4ptM4rnjHvc= +golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -351,7 +353,6 @@ golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBn golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= From e5bf171f33ffc7126b3ac8c7f69f00699e077245 Mon Sep 17 00:00:00 2001 From: AJ Bahnken Date: Thu, 8 Apr 2021 11:25:29 -0700 Subject: [PATCH 6/7] go.sum fix --- go.sum | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/go.sum b/go.sum index c378fd2a4..976e3519a 100644 --- a/go.sum +++ b/go.sum @@ -327,8 +327,6 @@ golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43 h1:SgQ6LNaYJU0JIuEHv9+s6EbhSCwYeAf5Yvj6lpYlqAE= golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4 h1:EZ2mChiOa8udjfp6rRmswTbtZN/QzUQp4ptM4rnjHvc= -golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -353,6 +351,7 @@ golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBn golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= From 8838db65fab8908fcd1775bde50156565a21b013 Mon Sep 17 00:00:00 2001 
From: AJ Bahnken Date: Thu, 8 Apr 2021 14:28:12 -0700 Subject: [PATCH 7/7] v3.7.1 prep --- CHANGELOG.rst | 9 +++++++++ version/version.go | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 5a3049738..23e8034c4 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,15 @@ Changelog ========= +3.7.1 +----- +Changes: + + * Security fix + * Add release workflow (#843) + * Fix issue where CI wouldn't run against master (#848) + * Trim extra whitespace around age keys (#846) + 3.7.0 ----- Features: diff --git a/version/version.go b/version/version.go index cbcff60f0..4bd14cbb2 100644 --- a/version/version.go +++ b/version/version.go @@ -11,7 +11,7 @@ import ( ) // Version represents the value of the current semantic version -const Version = "3.7.0" +const Version = "3.7.1" // PrintVersion handles the version command for sops func PrintVersion(c *cli.Context) {