feat(config): scoped secrets using pgp/gpg (#11673)
rarkins committed Sep 16, 2021
1 parent 73d617e commit ee29fdc
Showing 13 changed files with 491 additions and 114 deletions.
5 changes: 4 additions & 1 deletion docs/usage/configuration-options.md
@@ -603,7 +603,10 @@ For the full list of available managers, see the [Supported Managers](https://do

## encrypted

See [Private npm module support](https://docs.renovatebot.com/getting-started/private-packages) for details on how this is used to encrypt npm tokens.
See [Private module support](https://docs.renovatebot.com/getting-started/private-packages) for details on how this is used to encrypt npm tokens.

Note: encrypted secrets must have at least an org/group scope, and optionally a repository scope.
This means that Renovate will check if a secret's scope matches the current repository before applying it, and warn/discard if there is a mismatch.

## excludeCommitPaths

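Review bot: the new note under `## encrypted` says encrypted secrets in general must carry an org/group scope, but the self-hosted docs in this same commit state that only GPG-encrypted values do ("Any encrypted secrets using GPG must have a mandatory organization/group scope"), and the legacy values still accepted via `privateKeyOld` are not described as scoped. Qualify the sentence, e.g. "Note: GPG-encrypted secrets must have at least an org/group scope", so users still on legacy keys do not expect a scope check that their values cannot satisfy, and spell out what "warn/discard" means for the run (is only that secret skipped, or does processing of the repository fail?).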
2 changes: 0 additions & 2 deletions docs/usage/getting-started/private-packages.md
@@ -240,8 +240,6 @@ The end-result looks like this:
}
```

However be aware that if your `.npmrc` is too big to encrypt then the above command will fail.

#### Automatically authenticate for npm package stored in private GitHub npm repository

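Review bot: dropping the `.npmrc` size caveat removes the only warning that the encrypt command can fail on large inputs, without saying why it no longer applies. If the limit was a property of the legacy public-key encryption this commit deprecates, say so in the migration text (or keep a one-line note that the GPG path has no such limit); if the limit still applies to users who have not migrated to `privateKey` with GPG, the sentence should stay.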
```json
81 changes: 72 additions & 9 deletions docs/usage/self-hosted-configuration.md
@@ -324,31 +324,94 @@ This private key is used to decrypt config files.
The corresponding public key can be used to create encrypted values for config files.
If you want a simple UI to encrypt values you can put the public key in a HTML page similar to <https://renovatebot.com/encrypt>.

To create the key pair with OpenSSL use the following commands:
To create the key pair with GPG use the following commands:

- `openssl genrsa -out rsa_priv.pem 4096` for generating the private key
- `openssl rsa -pubout -in rsa_priv.pem -out rsa_pub.pem` for extracting the public key
- `gpg --full-generate-key` and follow the prompts to generate a key. Name and email are not important to Renovate, and do not configure a passphrase. Use a 4096bit key.

To encrypt a secret with OpenSSL use the following command:
<details><summary>key generation log</summary>

```bash
echo 'actual-secret' | openssl rsautl -encrypt -pubin -inkey rsa_pub.pem | base64
```
❯ gpg --full-generate-key
gpg (GnuPG) 2.2.24; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Renovate Bot
Email address: renovate@whitesourcesoftware.com
Comment:
You selected this USER-ID:
"Renovate Bot <renovate@whitesourcesoftware.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: key 0649CC3899F22A66 marked as ultimately trusted
gpg: revocation certificate stored as '/Users/rhys/.gnupg/openpgp-revocs.d/794B820F34B34A8DF32AADB20649CC3899F22A66.rev'
public and secret key created and signed.
pub rsa4096 2021-09-10 [SC]
794B820F34B34A8DF32AADB20649CEXAMPLEONLY
uid Renovate Bot <renovate@whitesourcesoftware.com>
sub rsa4096 2021-09-10 [E]
```

</details>

- Copy the key ID from the output (`794B820F34B34A8DF32AADB20649CEXAMPLEONLY` in the above example) or run `gpg --list-secret-keys` if you forgot to take a copy
- Run `gpg --armor --export-secret-keys YOUR_NEW_KEY_ID > renovate-private-key.asc` to generate an armored (text-based) private key file
- Run `gpg --armor --export YOUR_NEW_KEY_ID > renovate-public-key.asc` to generate an armored (text-based) public key file

The private key should then be added to your Renovate Bot global config (either using `privateKeyPath` or exporting it to the `RENOVATE_PRIVATE_KEY` environment variable).
The public key can be used to replace the existing key in <https://renovatebot.com/encrypt> for your own use.

Replace `actual-secret` with the secret to encrypt.
Any encrypted secrets using GPG must have a mandatory organization/group scope, and optionally can be scoped for a single repository only.
The reason for this is to avoid "replay" attacks where someone could learn your encrypted secret and then reuse it in their own Renovate repositories.
Instead, with scoped secrets it means that Renovate ensures that the organization and optionally repository values encrypted with the secret match against the running repository.

Note: simple public key encryption was previously used to encrypt secrets, but this approach has now been deprecated and no longer documented.

## privateKeyOld

Use this field if you need to perform a "key rotation" and support more than one keypair at a time.
Decryption with this key will be attempted after `privateKey`.

If you are migrating from the legacy public key encryption approach to use GPG, then move your legacy private key from `privateKey` to `privateKeyOld` and then put your new GPG private key in `privateKey`.
Doing so will mean that Renovate will first attempt to decrypt using the GPG key but fall back to the legacy key and try that next.

You can remove the `privateKeyOld` config option once all the old encrypted values have been migrated, or if you no longer want to support the old key and let the processing of repositories fail.

## privateKeyPath

Used as an alternative to `privateKey`, if you wish for the key to be read from disk instead.
Used as an alternative to `privateKey`, if you want the key to be read from disk instead.

## privateKeyPathOld

Used as an alternative to `privateKeyOld`, if you want the key to be read from disk instead.

## productLinks

Override this object if you wish to change the URLs that Renovate links to, e.g. if you have an internal forum for asking for help.
Override this object if you want to change the URLs that Renovate links to, e.g. if you have an internal forum for asking for help.

## redisUrl

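Review bot: the key generation log is internally inconsistent: the revocation certificate path shows fingerprint `794B820F34B34A8DF32AADB20649CC3899F22A66`, while the `pub` line and the "Copy the key ID" bullet show `794B820F34B34A8DF32AADB20649CEXAMPLEONLY`; pick one redacted value and use it in all three places. That bullet also calls the 40-hex-character value the "key ID", but it is the fingerprint; the `marked as ultimately trusted` line shows the actual key ID `0649CC3899F22A66` (its last 16 characters). Either term works with `gpg --export`, so just use one consistently. Two smaller points: `4096bit` should read `4096-bit`, and since the instructions say not to set a passphrase, the text should state that `renovate-private-key.asc` is an unprotected secret to be handled like `RENOVATE_PRIVATE_KEY` itself (restricted file permissions, never committed).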
106 changes: 106 additions & 0 deletions lib/config/__fixtures__/private-pgp.pem
@@ -0,0 +1,106 @@
-----BEGIN PGP PRIVATE KEY BLOCK-----

lQcYBGE3SPABEADmKPqubtmSvcnBZq4mBtHKUOdn0aGhn9SgnIi5jox9xf41rogu
YihdpR6nk2hBmLiHtWMkvvCwQhv0unvyHlfGi4bQB59xFToH1R6ks9cbegyhw+YB
uM8goNEu6OOhYRt4k6BJF/Fb58yVlXYtnqS77nhsFOeXuDuBzsS/Byf9CZ/AzXjT
kcodhBUXW5LMoI7AkFTZZjd+9liUez1qDlalrEmmCqFztskA9bJ1hRygj7Mq37Ng
2lGu00wfA/6+/SKkhbQNCPgbgoC4oeIczzJHmJeMpAzYt6317MJEXbdNfq2hRCas
Or8wod5JaZEBv6U1K4kM6PsdY9gCvzpcf+e8LmnuCHVZguZTC4en0ibJ2bRgMR+l
HHT8YBR0RrsyX5vFIbQ4Fej/IoQK0SMT4rwQePUfFaNuVEZ4X0nCyV9m5tbFRftS
5aJfhgoqtnyp6JvnOZFuJN+QNBT2c134LsigznXqBk7dZnDRQzANoc//+ypiFCFO
KJ16Ng6WS/R6kkb3CdN4WTcheRHrApwqcSHrUlvfTM9G6/X4KWhz1fWgVxNzujHX
5QTR/BiZsMoHhfzZjyez47mkBPFb0ilNpoZE+92EK2Z8c6IxMBGxqDSslwP9i4bx
IFhhdzS+yCMWbonlqGnNy6SXZRlTjDhY2c+js41YjM7XVwAwXBv1tJVayQARAQAB
AA/8Cs7S0r0e1261GjFdrSh10ofRDgWAjwvn2rDvFLOWclOJV/D9sRvn5FncIidg
ZnAq/ihs4u1adRRtpqTZLCnzmj20E3HAMXm7M2H1IevWBpLJJBGEbAFHLLOQjyDd
i5b5SMS56qTGrzen2kBd/89q0e5lVkH3DB9ZIAPbJlNKM+4vQ8kCSwEWGiO5L9Mb
hiNmALHmYh0ULxCXYUWWQTQyKm54OOVX5oynTLW87xrUmM+WrMU7cale25RNh0lT
PZm6djpXFaOdrwEGVWU4rnymUklemHqdpdGeSCWZi8dQ08FGmwONw1mw37JCM3VT
G19p/SCxu1r3a85j9uEO9wgElDFRyCJDQjyz09QErisMSOt3AoDT2nrJxu8OGYsK
aR8IrxygdqnU0B+wQ5wWiwlT0C9cyWSF4gA0ttAJ1lUxhS7ZNkPcBMV4TQP/jfUG
z1tSWW6F3hnrm6J8+uOsDlPxoj7UCsGKb+iGuMdhWWgZik7iFM97OomCRaI54rdx
vKaqlQc3thR+lCRvBHJeh7URomBgY2WOihw38tRhVVIbTzW1egmBINwm+i1hfhMP
4mnD5kuixpcEJmCwBZh5AbJCEHVgoKhoEYdHB7xYDf023Kz6HDdtxdbCIH3qzO8B
Tg7eBzjG5CgmR+fvMbrE6GeHD8aGgjQfRlhLT5uaLmJnZLcIAOgUL2I/ZqujgqYR
S6ASYCpMiuisRWjppXrVe1b4OZttexpWnXl1e3wEf4DteMO0NOKu9HjBbbYlWhIu
li2Qaeqs5A+0ivX33GmXDpX/QzYLOy/7AzbBxpVYCEhqAYA8GoZZy45OwnQKpDnZ
VEeWwLK7L1KDBtl4FoqH0sVXjpJIfOYwRc+Y1qHT2BmduUEKqdhTr1zB2tUgRn9c
YMqIBQhurxWvl1LpdVi874gLD7pyxDbyF6JhgEQXpyZ4J8ZOXwwzin45qK00hmvg
f4vdfEGQEgEc1kAvqBvFuJALPQF3rzHjFdj2+0vaXlPhCgZuLNW9dM+K08Frsytk
6RC4gxsIAP3iKfQUjNGEEdVthu70LnqMOp16ILgOdg/gDQOQNz4P6iyq5lN1eQtT
uQkS8wQstRl/9VlbE0kDi3WwCx/VnJXQXSadPYSvVop/LOG/IGVPrxWVM4FgfzQg
rbqTTaaw8Y0WX03Z+C3ILvD0gEAmVJWjgVGbcuDGtrAu4lwcD7GyuLXluF0560LJ
YEfzafFMv3VkqmPEafz1of+MFBblkudwF4mVuomNa/9YjIp9tju6qHQHV1AMSMit
mC4zJq+IpvhuyWKU2tEnf/p8yFxnqyCbX/7fn013WqXmp+d3ts6ZAXL7Q/GkvvoA
eQdgJxGlpnt256NbBGkQO+XTNVoOE+sH/iQJbEhRQwT5TBr+s4FTWSiMIkNCZCZ9
migFJxBeVbFxoiyBTt0hqeq3xkONspK7CXfMF7O/Bq/FZa6pkLtc7cAuGNAeRyqO
9GNxTwxPeug+dWJt7ujLDR7ZcEiMcxCUJfiVDDqM/HbzENUOZzl7in+q3feRayZc
+TbP+ANqlmh7pYYa+/9tlQ6GSYYMi5cEZcn80/6HeunysA2hIuDooYjalCVJYbrG
CPcGn10hA8Pj6VfleNhVzqnhEZ0mDUkJmWzsot3UW3qAO54CnPXZRcJdYL7S3bFz
rx508fSbpQakrb3Q1hYcaaIWy+vutDjH6nKfqyyJ5T4reBq50L3fZjJuC7Q3V2hp
dGVTb3VyY2UgUmVub3ZhdGUgPHJlbm92YXRlQHdoaXRlc291cmNlc29mdHdhcmUu
Y29tPokCTgQTAQgAOBYhBIVoMo6NogAUCbUEZE57RkZBH35uBQJhN0jwAhsDBQsJ
CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEE57RkZBH35uXv0QAL4Oq9uLPnvE1mUa
z/oK4cUVHVhFm/0BAFaYJ41hSDJPauRZbuewMx6X+dj1n/fVBwyjtbQOrxbl+Ymf
RmHaah8bTmLzFVvNzV0tuPgkKFU4SKylrcssoYutavUDl8dSG7nZ6IMlQQuq91bF
Ju2PYCCc22fh/loIxmxbaow8SpCfja7iyJbDy1PDe07CemxnjQWHgHDOHhsn1R12
uqwiaMNEn+tIra3VZYEX16YhKOQCMx8ftR0pJOhjDlfoWcBISfIhsjlgWiJ3tiWa
Y646Gh9tDcZWGmlCEn2mgPLv049nhrHd3Iaw+BLXMXBY9OnLgYJtk3yTCh0VGuZZ
C+/NLcUMt+Oq3iDQDapbqdPyHYhccPPhUtpBeX4qkeNEFw25LYW3CZXfGMhzGvtB
ZGjBguESshctqlXrWeFCNnzLpteLxiV77U3djFBTJuvKG+umx3/cEcd7l72y7lxu
qcpKAjkf19qutLwCMlYrREaukmxDCRRuH9X4c8afhVLzD/dfafANKkdFOzBc55L+
C3cP9zg7wjOVjcCJtc3QJU0kLx3DXDjSn5D8LOn7hgE5r3vDK4BoYfZ2vor7xYyP
26K+FC4NukNbHmtwNzX8J36bcztnHD7Nr++v5CD1nJSjZAUYyjfH+lIiNhlk68cG
y754s/ImTgS38ojYt2B1DZIZzc/YnQcYBGE3SPABEADIm2pgMiijes93t87Yi+Er
B1NI9F+JqRo+QpndALahtzp6X2FT+R8bAlV/V8yL/IV02licVw7azlD7pCNutqVk
b+9oNBRc2t9z+GVTxWEGE1XrVg05s/UOoM1+/Rr4ss7XrQ3m1iLaXdkVO1Hur4i6
tD3VIq8nKANITnkduCpYDu+WGdLyJi/3V6Y2SzFYzySIZqa3//2czuwGcqBkK8te
hLHoH3BnQEgnjx3ppuJxe8h5ySVamkgLUAQvNL+L3zZVnnpwtB7GSvzwgQoQE69l
YC/MzVhBcXFe47QqxNJN7LaQv8zjEiwhuxAC/GtCQ6vMRUGXyXlLdENQtdQJIR+Q
QRkaGwSxBVj4cEuHlzuzd97SKdvC/UCFntxt1W+WnfOjtf7AiPwx1pM5uZfvbpdQ
CEKbhtLa6tqM6kxnetGu04oK5AROAfHp5VPb6SHCp+Nnng8Yy9bUmSiK7PW4TsAe
rymqwZ1lVM7ZwQFQzXMRnvbzt6jBw9/8Yn6l6JA1j+DxvBb4YoTSOqp+JZjfZSgy
wQRQ+n3QF5ZbPutbWMEamg+CKgpEfQSdTJMYQo9sfvtejkzWBZ37EyzmDwKqHBLI
VBoFpofXQzwG5E6Gyw2OiwNVG40h1NtdqKO1exaPZ4MQ3MtAQ3nfSOt8jKM7dfyL
X2omvTNDMpytBBwlKQer8QARAQABAA/6Aihx14ESoNeUXcRTbE7s6CqXAcTnNjLk
fmD3CMKWNF0lOuXFxUJ7zC2VP95w69yWjvA+Xcgt97qacmqMmwdJ9i+iEqvkwC72
kmfMpz8LUSZqGTL+x20hKLwgGcqdPKmnwfgxmxcYnuK9kBXoRroKrX983ssVuUUb
6+40LVaq1fGrMCEs/L/eajm+Jv1eFYd87B62kmolj0dGkLcw9ILoGCczRrz315SA
cjR+7OGHtBLR0EWSqkvYlI6SzPMzUEzhZ8Bhrs6xOg7ac7ffpNahX2TOftSCq4mN
36hxarhdTstKF3qIuLScVuyNOor+mGLj+TmRgBGBxYcFplueYU7C6SRzoGcy82OZ
int66Pjnc15vuCi5lV3f6VRqFFCOgsb+Xz7EXnDY/9/Mn8RaGEe8DIiUoNiTxijL
Nyor0wxR6z5VRUYG62h0qbaP1394VQVZDkt/RwCn7bXCmRwmbwQg7DhefwX27y7z
yzPzojya3+wmXKXkL1wRUMXmxf3nZoQ7Xi60maY+RNXItqi5O3Bpl+rN0ikICLFj
44AXFSgassNV78jlduEWakGz2I1X0w1fUQpbl7bfpUwBHEwdxlLm8lmYGIyehX4R
eTYfSi26spYpN/3ciDJxEU40E4fz1PnKP1qcY1oz856ldQ1yXK87U5wtV6xh7ahJ
kz7QJqfFCKUIAMzmUHyCxEpzusdwgJfGpwD88mcj+8ZveXLJPzrI6OkfuM5xItUY
SHAH7X5Y0aa24/joGOQDwOB/6BrJNDq0gjHeqJfYdBRzGDwm1+1TIYAE20LmhcWD
ybaziEz0UfZym5ka1ulXMdUhohjMtUkoRQbSGeGDzod8C8PJC4NVqG+bKNOWZOTz
JkHTVCIm9rB2Zdov904TwGty34bp10P3BF9N8T4/KPxWru8DCC0ze9COObbVg+SF
YyRZprgcUJ+nP2ATjnmHrV7cZl8TJ6xBZGXYNfaD3jUKsNK6YcOW+XY+7JkiHQ8r
WWmHxIacJBs2xtUTNfzmUBpXdQNBIVeDa4cIAPqjC2hGKM7kfBvSguO029jkkBNs
lDX9Ric0sAHXNyVXR9AXKcnheIsJ0jtL9YlM5dcC1+UI7vxrXMW2UhAxquftnWDM
jkMqg4Ie1QcgJ0NwShE8ukQUc/CBxEJ8b/Hsy5qzLbs9brqCrQmUxBl+iK6N3b0m
T71qiLBNyhTWLWVOtlzHnnDjtWTZ6H44HR/NpBZ+Tb5/8tT1xROp6gzaebZTfzBV
LLtl6INKQE9SWwEVe2HywXAgKDgHEGoeeTHh0htxiLWCHsjJ63hXOPxYk91XXe93
oa6bY2MG1hEOrmim27ENvDoBmxRgj2OP8KXvOI5Z5lIOenXe/QltLrIJuscIAMSt
mMxQnjng23AcO0HUgbvqakKFn5D+hH54RpaWlj9zhfYRD9ZW+7qeNJ5BXenL9nna
YK7R0dFXnq072HefTiu/eOI+LWKgFyMujRALGrUFVB5RQgXAPEoQCzo5NyvB+slz
mRvYJVsWm1jxK/mZtvBx6abuZUp949HSOyWqy/5DCtJF+llf39feznx6I7mjsnYW
72QTVUYo4TPNuzB5DAHJgEYYP9QuimutROcmYYvw2twjMX5idLAtgbOmJQlxbeCq
6oVDZ5WiW3H7huyQo2Na9aeRou11vItEGhAoivrs2MQT+Oh16vuyICtsATpf1y3v
VEnIfvmI4eFzPF4l+uCHU4kCNgQYAQgAIBYhBIVoMo6NogAUCbUEZE57RkZBH35u
BQJhN0jwAhsMAAoJEE57RkZBH35uFWcP/3t+FNSsrtrO4YISSFxCIqn1OJ/H1Eji
ro+n5cAMQojqpCY/khPVZ9jMa0+NrY6BycIWjIVNBkyUw6KSyhCd98mCUDzMeGSw
HJSPA4DI0MLcX+8knqwJ9aKeNRuWypAfcXjxy6DE65Fe7Zj19GtEYSWYTizsQhHd
5ZYj/L6IyYc2gfBSSr09kRrye7X/IIMRbwuafXBcfUPIz8kWTEpa9sBjymiUkbgF
PzsahXgioCHm8yNSCbG/mEYwlwnCH9u01Wj106ahyuKjwI4YEOKkA4X0K+RJtRWw
QWiabGAfsOSL1MQ0CMOH7pAOtixd059ecpNQ6qv5YvTFMsxcj0xSheOU/uBnCUaS
Mr3LPOXWIwg4fcY3xOX3OU6neeAxOnu00RpVM5lBAZrmSM3ltKfYPU8m7N5ROouE
wG07SQTHui1yIusYpZelhFvJKnjRwpafyGYv2N4t5HVd+yL1/RdhCvfpA+MsRaOL
Fk+JZlkjFg8vWBeFUrU2t9J2L12gy85gW00+FM14s5M7O4SMzhCDPFkLTWzYCB6D
+N8qSRPGiYSiLZAHC951FIvinSAW5dqUAyLcsY97/5aJZcfOlCLKZ6uuz8umR9qA
xd49U6bRvQe7FWnIgPGg0r+8wHeYhsD2RS9/Rxz1cHc8t7kwlKSz+7o/x9XC9zez
mJ4R+EnCuazu
=UnDn
-----END PGP PRIVATE KEY BLOCK-----
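Review bot: this fixture is a PGP private key (presumably without a passphrase, following the docs' guidance) checked in under a `.pem` name, although the docs in this commit tell users to export `.asc` files; rename it (`private-pgp.asc`) or note in the test that reads it that the content is ASCII-armored OpenPGP regardless of extension. Nothing in the visible files marks the key as test-only: add a comment in the test that loads it (or a README in `__fixtures__`) stating it is a throwaway key used only to decrypt fixture ciphertexts, and make sure its public half is never published at <https://renovatebot.com/encrypt> or anywhere else as a key people should encrypt real secrets to.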
