From 73e19bf11b7e289380d013b6d18f69121a64047c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 3 Jul 2021 07:36:22 +0200 Subject: [PATCH 1/3] Replace sops-gpg-hook with sops-import-keys-hook --- README.md | 63 +++++++++++---- default.nix | 6 +- flake.nix | 2 +- pkgs/sops-import-keys-hook/default.nix | 8 ++ pkgs/sops-import-keys-hook/hook_test.go | 76 ++++++++++++++++++ .../sops-import-keys-hook.bash | 33 ++++++++ .../test-assets/existing-key.gpg | Bin 0 -> 1815 bytes .../test-assets/keys/key-with-subkeys.asc | 61 ++++++++++++++ .../test-assets/keys/key.asc | 1 + .../test-assets/keys/key.gpg | Bin 0 -> 1815 bytes .../test-assets/shell.nix | 15 ++++ 11 files changed, 246 insertions(+), 19 deletions(-) create mode 100644 pkgs/sops-import-keys-hook/default.nix create mode 100644 pkgs/sops-import-keys-hook/hook_test.go create mode 100644 pkgs/sops-import-keys-hook/sops-import-keys-hook.bash create mode 100644 pkgs/sops-import-keys-hook/test-assets/existing-key.gpg create mode 100644 pkgs/sops-import-keys-hook/test-assets/keys/key-with-subkeys.asc create mode 120000 pkgs/sops-import-keys-hook/test-assets/keys/key.asc create mode 100644 pkgs/sops-import-keys-hook/test-assets/keys/key.gpg create mode 100644 pkgs/sops-import-keys-hook/test-assets/shell.nix diff --git a/README.md b/README.md index b9e7ffa..4e9d24a 100644 --- a/README.md +++ b/README.md 
@@ -144,10 +144,20 @@ $ ssh-keygen -p -N "" -f /tmp/id_rsa $ nix-shell -p gnupg -p ssh-to-pgp --run "ssh-to-pgp -private-key -i /tmp/id_rsa | gpg --import --quiet" ``` -The hex string printed here is your GPG fingerprint that can be exported to `SOPS_PGP_FP`. +The hex string printed here is your GPG fingerprint that can written to your [`.sops.yaml`](https://github.com/mozilla/sops#using-sops-yaml-conf-to-select-kms-pgp-for-new-files) in the root of your configuration directory or repository. -```console -$ export SOPS_PGP_FP=2504791468b153b8a3963cc97ba53d1919c5dfd4 +```yaml +# This example uses yaml anchors which allows to name keys +# and re-use for multiple keys in a flexible way. +# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml +# for a more complex example +keys: + - &admin 2504791468b153b8a3963cc97ba53d1919c5dfd4 +creation_rules: + - path_regex: secrets/[^/]+\.yaml$ + key_groups: + - pgp: + - *admin ``` If you have generated a GnuPG key directly you can get your fingerprint like this: 
@@ -179,32 +189,36 @@ $ nix-shell -p ssh-to-pgp --run "ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key -o serv 0fd60c8c3b664aceb1796ce02b318df330331003 ``` -Also the hex string here is the fingerprint of your server's gpg key that can be exported -append to `SOPS_PGP_FP`: +Also the hex string here is the fingerprint of your server's gpg key that can be exported append to `.sops.yaml`: -```console -$ export SOPS_PGP_FP=${SOPS_PGP_FP}:2504791468b153b8a3963cc97ba53d1919c5dfd4 +```yaml +keys: + - &admin 2504791468b153b8a3963cc97ba53d1919c5dfd4 + - &server 0fd60c8c3b664aceb1796ce02b318df330331003 +creation_rules: + - path_regex: secrets/[^/]+\.yaml$ + key_groups: + - pgp: + - *admin + - *server ``` If you prefer having a separate GnuPG key, see [Use with GnuPG instead of ssh keys](#use-with-gnupg-instead-of-ssh-keys). ### 4. Create a sops file -To create a sops file you need to set export `SOPS_PGP_FP` to include both the fingerprint -of your personal gpg key (and your colleagues) and your servers: +To create a sops file you need write a `.sops.yaml` as described above and +import your personal gpg key (and your colleagues) and your servers into your +gpg key chain. -```console -$ export SOPS_PGP_FP="2504791468b153b8a3963cc97ba53d1919c5dfd4,2504791468b153b8a3963cc97ba53d1919c5dfd4" -``` - -sops-nix automates that with a hook for nix-shell and also takes care of importing all keys, allowing -public keys to be stored in git: +sops-nix automates importing gpg keys with a hook for nix-shell allowing public +keys to be shared via version control (i.e. git): ```nix # shell.nix with import {}; mkShell { - # imports all files ending in .asc/.gpg and sets $SOPS_PGP_FP. + # imports all files ending in .asc/.gpg sopsPGPKeyDirs = [ "./keys/hosts" "./keys/users" 
@@ -214,8 +228,23 @@ mkShell { # "./keys/users/mic92.asc" # "./keys/hosts/server01.asc" #]; + + # This hook can also import gpg keys into its own seperate + # gpg keyring instead of using the default one. This allows + # to isolate otherwise unrelated server keys from the user gpg keychain. + # By uncommenting the following lines, it will set GNUPGHOME + # to .git/gnupg. + # Storing it inside .git prevents accedentially commiting private keys. + # After setting this option you will also need to import your own + # private key into keyring, i.e. using a a command like this + # (replacing 0000000000000000000000000000000000000000 with your fingerprint) + # $ (unset GNUPGHOME; gpg --armor --export-secret-key 0000000000000000000000000000000000000000) | gpg --import + #sopsCreateGPGHome = true; + # To use a different directory for gpg dirs set sopsGPGHome + #sopsGPGHome = "${toString ./.}/../gnupg"; + nativeBuildInputs = [ - (pkgs.callPackage {}).sops-pgp-hook + (pkgs.callPackage {}).sops-import-keys-hook ]; } ``` diff --git a/default.nix b/default.nix index 9127ae5..bdecfff 100644 --- a/default.nix +++ b/default.nix @@ -6,7 +6,11 @@ }; in rec { sops-init-gpg-key = pkgs.callPackage ./pkgs/sops-init-gpg-key {}; - sops-pgp-hook = pkgs.callPackage ./pkgs/sops-pgp-hook { }; + sops-pgp-hook = pkgs.lib.warn '' + sops-pgp-hook is deprecated, use sops-import-keys-hook instead. + Also see https://github.com/Mic92/sops-nix/issues/98 + '' pkgs.callPackage ./pkgs/sops-pgp-hook { }; + sops-import-keys-hook = pkgs.callPackage ./pkgs/sops-import-keys-hook { }; inherit sops-install-secrets; # backwards compatibility diff --git a/flake.nix b/flake.nix index b931857..0ce8e61 100644 --- a/flake.nix +++ b/flake.nix 
@@ -16,7 +16,7 @@
 let
 localPkgs = import ./default.nix { pkgs = final; };
 in {
- inherit (localPkgs) sops-install-secrets sops-init-gpg-key sops-pgp-hook;
+ inherit (localPkgs) sops-install-secrets sops-init-gpg-key sops-pgp-hook sops-import-keys-hook;
 # backward compatibility
 inherit (prev) ssh-to-pgp;
 };
diff --git a/pkgs/sops-import-keys-hook/default.nix b/pkgs/sops-import-keys-hook/default.nix
new file mode 100644
index 0000000..66b94aa
--- /dev/null
+++ b/pkgs/sops-import-keys-hook/default.nix
@@ -0,0 +1,8 @@
+{ stdenv, makeSetupHook, gnupg, sops, nix }:
+
+(makeSetupHook {
+ substitutions = {
+ gpg = "${gnupg}/bin/gpg";
+ };
+ deps = [ sops gnupg ];
+} ./sops-import-keys-hook.bash)
diff --git a/pkgs/sops-import-keys-hook/hook_test.go b/pkgs/sops-import-keys-hook/hook_test.go
new file mode 100644
index 0000000..0cfdce0
--- /dev/null
+++ b/pkgs/sops-import-keys-hook/hook_test.go
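Review bot: The argument set on the first line of pkgs/sops-import-keys-hook/default.nix binds `stdenv` and `nix`, but neither name is referenced in the body; only `makeSetupHook`, `gnupg` and `sops` are used. Unused callPackage arguments make the hook appear to depend on inputs it does not need and mislead readers about its runtime requirements, so I would trim the header to `{ makeSetupHook, gnupg, sops }:`. If `nix` was meant to be added to `deps` for the hook's `nix-shell` usage, that intent should be made explicit instead of leaving the binding dangling.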
@@ -0,0 +1,76 @@
+package main
+
+import (
+ "bytes"
+ "fmt"
+ "io/ioutil"
+ "os"
+ "os/exec"
+ "path"
+ "path/filepath"
+ "runtime"
+ "strings"
+ "testing"
+)
+
+// ok fails the test if an err is not nil.
+func ok(tb testing.TB, err error) {
+ if err != nil {
+ _, file, line, _ := runtime.Caller(1)
+ fmt.Printf("\033[31m%s:%d: unexpected error: %s\033[39m\n\n", filepath.Base(file), line, err.Error())
+ tb.FailNow()
+ }
+}
+
+func TestShellHook(t *testing.T) {
+ assets := os.Getenv("TEST_ASSETS")
+ if assets == "" {
+ _, filename, _, _ := runtime.Caller(0)
+ assets = path.Join(path.Dir(filename), "test-assets")
+ }
+ tempdir, err := ioutil.TempDir("", "testdir")
+ ok(t, err)
+ cmd := exec.Command("cp", "-vra", assets+"/.", tempdir)
+ fmt.Printf("$ %s\n", strings.Join(cmd.Args, " "))
+ cmd.Stdout = os.Stdout
+ cmd.Stderr = os.Stderr
+ ok(t, cmd.Run())
+
+ defer os.RemoveAll(tempdir)
+
+ cmd = exec.Command("nix-shell", path.Join(assets, "shell.nix"), "--run", "gpg --list-keys")
+ var stdoutBuf, stderrBuf bytes.Buffer
+ cmd.Stdout = &stdoutBuf
+ cmd.Stderr = &stderrBuf
+ cmd.Dir = tempdir
+ fmt.Println(tempdir)
+ err = cmd.Run()
+ stdout := stdoutBuf.String()
+ stderr := stderrBuf.String()
+ fmt.Printf("$ %s\nstdout: \n%s\nstderr: \n%s\n", strings.Join(cmd.Args, " "), stdout, stderr)
+ ok(t, err)
+
+ expectedKeys := []string{
+ "C6DA56E69A7C756564A8AFEB4A6B05B714D13EFD",
+ "4EC40F8E04A945339F7F7C0032C5225271038E3F",
+ "7FB89715AADA920D65D25E63F9BA9DEBD03F57C0",
+ "E3B7464FBE89F5378ED4BC60FC925B42FC8B773D",
+ }
+ for _, key := range expectedKeys {
+ if !strings.Contains(stdout, key) {
+ t.Fatalf("'%v' not in '%v'", key, stdout)
+ }
+ }
+
+ // it should ignore subkeys from ./keys/key-with-subkeys.asc
+ subkey := "94F174F588090494E73D0835A79B1680BC4D9A54"
+ if strings.Contains(stdout, subkey) {
+ t.Fatalf("subkey found in %s", stdout)
+ }
+
+ expectedStderr := "./non-existing-key.gpg does not exists"
+ if !strings.Contains(stderr, expectedStderr) {
+ t.Fatalf("'%v' not 
in '%v'", expectedStderr, stdout)
+ }
+
+}
diff --git a/pkgs/sops-import-keys-hook/sops-import-keys-hook.bash b/pkgs/sops-import-keys-hook/sops-import-keys-hook.bash
new file mode 100644
index 0000000..8a2e9e0
--- /dev/null
+++ b/pkgs/sops-import-keys-hook/sops-import-keys-hook.bash
@@ -0,0 +1,33 @@
+_sopsAddKey() {
+ @gpg@ --quiet --import "$key"
+ local fpr
+ # only add the first fingerprint, this way we ignore subkeys
+ fpr=$(@gpg@ --with-fingerprint --with-colons --show-key "$key" \
+ | awk -F: '$1 == "fpr" { print $10; exit }')
+}
+
+sopsImportKeysHook() {
+ local key dir
+ if [ -n "${sopsCreateGPGHome}" ]; then
+ export GNUPGHOME=${sopsGPGHome:-$(pwd)/.git/gnupg}
+ mkdir -m 700 -p $GNUPGHOME
+ fi
+ for key in ${sopsPGPKeys-}; do
+ if [[ -f "$key" ]]; then
+ _sopsAddKey "$key"
+ else
+ echo "$key does not exists" >&2
+ fi
+ done
+ for dir in ${sopsPGPKeyDirs-}; do
+ while IFS= read -r -d '' key; do
+ _sopsAddKey "$key"
+ done < <(find -L "$dir" -type f \( -name '*.gpg' -o -name '*.asc' \) -print0)
+ done
+}
+
+if [ -z "${shellHook-}" ]; then
+ shellHook=sopsImportKeysHook
+else
+ shellHook="sopsImportKeysHook;${shellHook}"
+fi
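Review bot: The last `t.Fatalf` in TestShellHook prints `stdout` although the condition it guards is a `strings.Contains(stderr, ...)` check, so a failure reports the wrong stream; change it to `t.Fatalf("'%v' not in '%v'", expectedStderr, stderr)`. Separately, `defer os.RemoveAll(tempdir)` is registered only after `ok(t, cmd.Run())` for the cp command, so a failed copy calls `FailNow` before the cleanup is on the defer stack and the temp directory is leaked; moving the defer to directly after the `ok(t, err)` that follows `ioutil.TempDir` closes that gap. The test also only checks that fingerprints appear in `gpg --list-keys` output; since the shell.nix used here sets `sopsCreateGPGHome`, asserting that `GNUPGHOME` resolves under `tempdir` would pin the keyring-isolation property and guard against the hook silently falling back to the developer's own keyring — this is inferred from the README text, so confirm it is the intended contract.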
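Review bot: In `_sopsAddKey` the `fpr` variable is filled by a second `gpg --show-key` invocation and then never read, and the function operates on `$key` inherited from the caller's scope rather than its own positional argument; the body can shrink to `local key=$1` followed by `@gpg@ --quiet --import "$key"`, dropping `local fpr`, the subkey comment and the awk pipeline, which look like a leftover of the old `SOPS_PGP_FP`-exporting hook. In `sopsImportKeysHook` the keyring path is expanded unquoted in `mkdir -m 700 -p $GNUPGHOME`; write `mkdir -m 700 -p "$GNUPGHOME"` so a checkout path containing whitespace does not create the wrong directories before gpg is pointed at the intended one. Note also that `-m 700` applies only to the leaf directory when `-p` creates parents, and that `gpg --import`'s exit status is ignored, so a truncated or malformed file found under `sopsPGPKeyDirs` is skipped with nothing but gpg's own stderr output; if that best-effort behaviour is deliberate, a one-line comment such as `# best-effort: gpg reports unreadable key files on stderr` would make it explicit.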
diff --git a/pkgs/sops-import-keys-hook/test-assets/existing-key.gpg b/pkgs/sops-import-keys-hook/test-assets/existing-key.gpg new file mode 100644 index 0000000000000000000000000000000000000000..eba373876ddadb4d792d45c1b0e633a50bd7044d GIT binary patch literal 1815 zcmV+y2k7|4#FzvC000013;@w8fCz8TD;LU?M3a#c7pd+QKD_o6DBO|Av^mcQ#md7i zzR*AAXboz#JKQ7V049*Zwv?ywsaugwly3-od&P}t!&jwRSxzn}rS~U>_=Z_UG{XL% z!06wju0^kKtJV7;myMZdoA7qdYSFwEj1}1_7o*yd)cA18pAZalQ~V58HPz^;L;D}8 zTZM_WVsLe$zz}E$L#WU2%{xNQH60I~gh1a0a;3+Iukv+*wv&ioCR^KN2*u;?Z`y8A9rw6GtfMHgH z2D+uP+Q*;5RAf4;z06(>fC+i^Ef^TliU$X?M(mB?P8}e2*jnlq2P{9p*WkfPNef+w z-_i>5qMMbsm-mRA@iAWgE{*Hr)!0RRC23;@COdIH$P zFF%2Q8B_@h(A=j)76=^Mw!}$(<@iwy@exA_kxm3+5~-F?h|X$^onR%6D`XFooT{fp zNr~t{u@(?HoFWp}gT`ht6)fogR7WUMZ%KXG%;;n=pmIm+-@C1WoM#qc6>!#yG%ZFB zX!iYw2tUnsyBMKmq|~|Q+j91Cp1eC@asyOpv(Hgc+x1d!*H52URT~|zIw&Srd-!)| zxWN$U1PP}PYv7XL(>PLai)=X_f96x8%}`5EaE2Y`WKs-9<#b;Y`LGOn6yK3x?M21b zFFwq1?q!M1B)6j9aK?QWF$E*myB|u&@5h`o6xO3{`#6`vD_0K*j&{TftN((SSn_`v z6X#_)P#!&FB$%9*_^$39_9Z6R#A4x@qk3d`-zzH}Z6VndpBJ=)%BR(Ic0XXQip;?Y zWrp|(>uOV}ZW0Nenq*-QNv1--fID{0nn@;n2Uv7Yb=3g6;x(B^J0sQsdo>Y$P&UFJ zEUTc9E<`Jd2t1HzJXL)7Qr2ib5)LTmuM{ z9uoV#tC&oQz!!e5&Ad5dfmP?jv<~uZ+16C}cLNW8A;y7yxe~I6%t-r&>S5-L5czdywKuDmFEvIUATk{ zCniW9mOUJK(Hy1}d;hNOT=*cR5cItJN0?uLKgRJnH%K}KO>8Ad#bzr`Saa~%h@$MX z1_1t8122=rN1-OjM6fD(Fph5gK4`^}GUkqsHv7;s81~vJaTb&a4d*| zS|&^1c5aWfCvmiits-3;wCJdUonx|8;_hKRwQ)xNHr_!h`yy{HJ6c{GwG?Ot;Ivvq z(eGtq_pJ69urefQKMg41Dx?7GtW-PsO!EyFe70Qun;nxG87$=t-G8FtiwHP+Rzp`N zx^0OYr@`BkF9tcd*Hzp-Tl{qgJuu2o)bq_1a&K>RAUtw!Z*)LxZ)0I>Xm4|LKElA_ z1QP)W02T!T000002@pza1-BH@KK%k44+0qh005i13;?~TP{p5iT4N#X-_8A@6D2*hZjy5->FBtgS_iP%7-@) z@(K&`BN*&KpJILob-)mCn_LJ}DKdB|{<=p8@^7j1n@-P8{vkLADvUCM6p<7AxwvtC z3Vu1=X+Lj6STahNY$6k-Xywrrt%fz@J$_wosw>D`3NO%2*y4H5Dr}=TFP95j2lrd7 ztnX38E|-a^f-BEX8Qa;iADotr{7`9bs^b@B0$&mJ zEFrn}N~g$SdnVDkS)qqG2u$CQ8&%`vhna|>_JFWDw26b+F>U)Ob$rPLvWr2}9($s% FfW51wXH5VA literal 0 HcmV?d00001 
diff --git a/pkgs/sops-import-keys-hook/test-assets/keys/key-with-subkeys.asc b/pkgs/sops-import-keys-hook/test-assets/keys/key-with-subkeys.asc new file mode 100644 index 0000000..71f5405 --- /dev/null +++ b/pkgs/sops-import-keys-hook/test-assets/keys/key-with-subkeys.asc 
@@ -0,0 +1,61 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBF8YRjUBCACfdPLn/dUxr3SHZR2p6+aFgnu0jFA1KESBAgqA5TzDNIjaecff +MV2nP7Z+vmcyRq2oJb7zAd2UfavjH0jPzRJi+TP6NvJepfMj8SaflKEh8kZN6Gv0 +Zl0Fr6WtTPuenATuesAYvFDW+b2ZYRIs/XzEI+HP96XaW4MCWgTPwMPP8gMPZO3c +Cv+A5T9p1RHZjezfHktA0z+3F07IDquIT9K5d5Iapy0illnV7TziCdN6EbPUQZis +FqAP1kxgWUzJvYLswIncGb9WAw8T49GMVUtP8hoBiw3g0mNfnvzJUTBjYQr/e5X2 ++ZnGM4qqdrMTdTHFdQtzKHlsh3S1EI9Z5qB9ABEBAAG0H0pvaG4gRG9lIDxqb2hu +LmRvZUB0aGFsaGVpbS5pbz6JAU4EEwEIADgWIQTjt0ZPvon1N47UvGD8kltC/It3 +PQUCXxhGNQIbAQULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRD8kltC/It3PTqF +B/9fbQmuDb0mg+rt8ALndJUXkiUK3osGTcmPhBXWPZpViCRsP4nOmBsM0yv5aA2y +Gsei+dHfLXK48UDkUFo/bt2ACEywCE+7QFBrhCnQFKS5sbPpE6EcqKF3eWzfR0I/ +PnzXQNA/igryuvaPxvQN9lIdY/Gzfi/erhv+f4/PgR53TzIhXYw2f2rwD4dCoiH3 +QkmKez3tasTc8zq7nwhlZ0d1pnbFn0qlCJCntrQT6caCkcWh9IiutrK0ozxfoa9H +Yqt/FdTWuRgEG1vj+/0RG2pggqE9D2LSkX6+gW0vai2OzTCn1a8VlrX2uYmDnXVF +b/bQBlAFW6wyGC6HhH+xckmHuQENBF8YRk0BCADCB2ov5gXA6X388bBeJ7YwWTMr +YuSAe2PZzZ3GipuQ4PRIpFvSLXHx4G4NT60J0G48cFL8M6dZCyJbCe+dZPyCEYLl +3V+5txpN0dYcbUTiG07uEAyDbuhkuda9goSJlfvJF8vUxGPNNHbYWPOO3hLsGQse +aQVGHSqu8WlRCWSDtNEyc11cOlty/zhEv3M5ZtBrJTahfy0u5RrCzk/x9SRea+MV +0xhYd1cKfi5ud/mNpQnnrbLuD+Gy9YgcqJUyxi6zvdfoCDYR4Sv7Rf0fxafxDkNZ +GQlqmPkaEuw21eedczmwUqMC57ZJz3avgDxKcLZG8uFC+6DY4thTSERPRb85ABEB +AAGJAmwEGAEIACAWIQTjt0ZPvon1N47UvGD8kltC/It3PQUCXxhGTQIbAgFACRD8 +kltC/It3PcB0IAQZAQgAHRYhBJTxdPWICQSU5z0INaebFoC8TZpUBQJfGEZNAAoJ +EKebFoC8TZpUWpQH/3de056tFqVIvsFjkYUW3oGylexVQEXeQljoqYx7NWsSxNX6 +NMEwYYJdNWgwXhL4CD8Tn0/3sVx/mMUDtbgQnQ8rKMB3lXZ3U6yzGghh5RdSmhAk +EQGhiYkZhIONce46i7rk+AE+hGi57p1IqsZ0UketOKoWN7rVYXbVLPf78cphD7G+ +Q7v7KWJYx8i3VkXDHJXP3wRlhbkbqVJAyUTmi63c7femOB+mDPJMBHBFmw6Opxt4 +AZR+qYczOLAyJCGA2MBx2U/26mVztkMYl5rJ80VKgUe/CEb8kD/uaOBYXeokGfqh +i6TV9fQxYokkmSU/4SIa+F+VcTu0xfRC46+EosL2Pwf+NpMRgpWihbF9EEh6RqX4 +NUxN4IVV/6frG19AJD8XNq0E8+bXvKVhHEy/Ea68ILKaJb/SIpcFY0aIJ3tHC0b2 +mh97nm5FdyRXRUNXoQ/u2wsOcD+HGK3P/jdrJDkNETuLTNr4Uff5Nn1Y6XydKviK 
+i7UwexDtX+wmyr1JxRdu7AJhdSi3rWY2lQxMMem7+9xyyqZ8uY2SixroMjcV/DL/ +7AjvfucWL6e/pESpvTp29sAKM5PUtMWqjm/vgapiFVLhXIEYWqe6OowXQ+smlkah +zQ00HJxLILNy3Mu2Vic543OVbLNRoWlJYQ1/zAqMxU5GLmdZA1hwncQT/3UCZ5zI +L7kBDQRfGEZvAQgAoPiXUlpQFLISXSHobzPtUwx1O3x+hN7XH57+VV0Hktz94+gb +NMj+3UBd67NZeseqUG6PMQ1ztEAuht7UX/LjLlmcBwmTD7iFeT8Y+hlo1+7AeKE6 +a3RGycTMOm5HFra1n3KcQqkmh6RMlTPxcpvb5wXHJXIiWvoW/k7C3nbFbJlzVZtK +dW2x4tcU/INsk2qgpir4Ou2nCwAXOOb91E/SDR+isPj4lYOp69AZa266YvShX1/X +UObG5UXSsPGs7CbZC9i+DcgJFhGjicrjgoEbAhPBmAdUwWaFiMls2WXmIkq9utv+ +uxQmQixEXL+/OQgXPJGzCmGaq4h/2JC9nCf5swARAQABiQE2BBgBCAAgFiEE47dG +T76J9TeO1Lxg/JJbQvyLdz0FAl8YRm8CGwwACgkQ/JJbQvyLdz01cAf9EsfZye6j +p7GuxInoZaJBblWW3tbJjOOH3GdeOhcY8ygImsRDcYFRIsp9QLp91eCRxGsT/EMz +q0vgQk4zsZOyTXMcK4TUMgUtsRY6zmiHSRez7sw0CA919KY/PAbMfB5F0qkuR5FL +auoAeYOUY1oYpiE7AG5rdtNNI1PC+EUeiivs+raczH3kLJr71fwjFD6Jnh9FDgPZ +QsYaWIe6t0quho6cNaL8DYfXtdJZh2vKgWX8h/qu5dUB/aHx18rWTvcQ7zmQ/ADn +oweTR94hbSL9O9mm3LoWogr/vtUGWvs8LlIYjFDUXj4TRx2svclcBdKI0qrjrCDx +Ed+ons5QiTE1LLkBDQRfGEaGAQgArDpYiwBV9Xml93knxoGVFi+rj0YL35gdVraT +ZqbeN+s0t9QPshzVpZz0jyqZSxFE/ojUmO7WMrH/Jb8nLVGvm/fq/jLEMfnbpJnb +Cu6ym7ed1QP7Y2JDMYJorlcS8BQCOSGSe2QRRD6h0nvgygrg70XKnkIhH6YfGCLt +pC96WWdbEr78d/dMloPRIW1Tsp58bXVkTfIseXpdCB5zVGj58GBtelWibvIms+/T +SRzw7QU9uiPjcrl5iZ8UMcRlE4mdMEBhlZ+eZaKgRdDNNDpcsd38xtktA52hs3uY +AgFKUGQ+PxY9cG9haVyCwwYwCVKo24/hTreTL1DydFLmAxaonQARAQABiQE2BBgB +CAAgFiEE47dGT76J9TeO1Lxg/JJbQvyLdz0FAl8YRoYCGyAACgkQ/JJbQvyLdz1d +gggAj+Gcxy6irGlkX9mxoq+sZv9WzRjXRT8xkB8H10tzqqOLQ0uzXeob07vDi3MC +6dBahE8sJq4ByOruy4hNhKUa/vtBm/G4ijTDNFzS/fmafDxZ+FObUDz6gLHGVbf0 +/NpwOmfcc/UeDCgI5t3TRcbQ9PugwCfw7A7eCYS34NspS549WJfzdNj8FcNBzsbi +yx1/wnXb7Eq5+kvZaPR1vodAW7YptYrUQCbCbioFGwq+zd1SHPXMS2h2D0ncMNbP ++C/y/AXliH+P08WRJ6kazSkSHv93UNM2nOt6x04vlk652WejLDc0t3wWNQEp0Q4U +W1YR5NNzw2GqjhH3nhj/SnUwXg== +=jshU +-----END PGP PUBLIC KEY BLOCK----- 
diff --git a/pkgs/sops-import-keys-hook/test-assets/keys/key.asc b/pkgs/sops-import-keys-hook/test-assets/keys/key.asc new file mode 120000 index 0000000..34bc240 --- /dev/null +++ b/pkgs/sops-import-keys-hook/test-assets/keys/key.asc @@ -0,0 +1 @@ +../../../sops-install-secrets/test-assets/key.asc \ No newline at end of file 
diff --git a/pkgs/sops-import-keys-hook/test-assets/keys/key.gpg b/pkgs/sops-import-keys-hook/test-assets/keys/key.gpg new file mode 100644 index 0000000000000000000000000000000000000000..c168d7400078d06ffc04e81b851b888c91ee3ae3 GIT binary patch literal 1815 zcmV+y2k7|4#FzvC000013;?oe7g+@;Sot|5gSTwVwk}!&shU(88;2vCqX&Fv@Py>; z?3S<{X^fd0cdV>DW zA8qd7=SkF4vTJhB+1XNf)BNgVn0iSf-YElvmJVNP5E@Vi6LBk|urf)47E!Rk)GI%K zchd7$C%v>W05p|!!(A|7o8*d(5cl?W-R*(rh1MN9i}I!cQI-Y*fdP5cS8K9(H5l`h zxMyU{LrJn;QtYuA%yM3j?+G&OzZCnhNy$e6H6CZ+%Vwm~Y;S+TzB>aANxFnM#6>zG z=2$6`K^48y>^6=$3jECF^rOh(>y@Ro67}EzTzO7FnL4h`g{thxptLd{^+=GM$s-wu zV?x~B%DK`5G;=OLG1>lDZ$;!gw%W)SbM{ZnAh2P~HC#(KwCZVTqDc=)ur2CuQKyLX zQ2ipL4CkO%-;OJi`Rl zk@dXCFA1+=-595Q^pfxgJ$*-#Boak?HIl&5eGh#@-jia&u2!%{GEY0->p}WT z6a)7y5-@bRn<*5<8F1AZXG?|t!1cs0O^QVXXGH((LffpxS|jV+rmRK0w0%xME#Xb=&unW177;O)?<-44e|pCj!AL(HEETnBk3OaGj>62-=+>{WCZ$ zu9fJ+GISr;a6(pK_!p-aur!6=Ab&Iny2%mAEs~ONf$TvlqfHX14cm#&=+)LRj)P1a z?$nYlJo~C%h*T8Y(#eP#Gy-mf{fAFtYYa2btE)%<)S5Icr_zORgq~8Bc|%o((5NCF zioX}n7}3G5_(((=r_lxg(R(A2VEHDloq%f#Djl+NtF6YxucmwONkAHsw zX`=G^okEpvOC9Hw=Mr7SQ`_@X{`WMfY{FUng7%ETf)@D9rPzs*AsBUwbn3-X#hV90 z$Ks=1B8bijEzB7sAa@N-=%fF#T!vOjQ&uw=jnJe2hLN`1q<;TDG>!VJ;S9&i)(K! 
z1_0UzokdgCu&(b-^fOT*GO=OE&8J^lmD!H{4C!Jfmp5W`5KW5GmDAi{bV-njLGf9VGZ`nsC}YhJc59&I#^D>_Jqt>F?uX{;h$5Jp zd#;Sh)aCts(y=ZVpWox2VJ`SQ(rdv?w8d#Am`TIo!vv5dKK@KKVdUqwrJpKCTdFbj z(6^=+Nq^e7%(AkYKMi4K_6a(57hB=YHhIq1{j)6;+SMVOIBf<1h8tJ7vfywsFl$~K zT5yD5+xx{5h_q`8s%mZDSfc--il%iu)MrOQfAP8Y?-mkZF-L6Rn~yr!`_rLm?y%@# z*LTQWa`U{P0W*`j3fi@llf?AuRJ5C41+SkEcS<=y6WJ50963y6f9c?hKaHg~pokGT zTSWzKZ|T)_l8I0vF(lkgf0pEiVp!x<6YN+jfb&~;-BO4E>ff|uRNd4$Lu2hGe})Jp zV$%p5+fj$vLS*=9@d12A*VqiIhmcg<=Df`na&K>RAUtw!Z*)LxZ)0I>Xm4|LKElA_ z1QP)W02T!T000002@o>HB2sY!jz0n$4+0qh002S>3;;|@#n@du4K_vk${hM>*RY8G zcCMlfYxW5`UN9QeJ?qqY=ID@aGkuOU3BAxlNP@0U(dF}n1`1fEHcwEBoV_88#+3uPSgxN=)xo=t<_Sk|mGC5q}d5{DJLuh}125$w%vnZb) zB^fIJ*t`gjk`Xj z5#?8r;3fn+Dpj}-|1#HX3wNxg4GzA%!^l=5Q=2E_o$f$;R@DWv)FW;`3p{}BnUpJM z1m!V!NSuK)9ufG#GNiuh!dW3FT+JL@F*+MwCg3nNg(>K*SUDFGYQY z!U93?tL {}; +mkShell { + sopsPGPKeyDirs = [ + "./keys" + ]; + sopsPGPKeys = [ + "./existing-key.gpg" + "./non-existing-key.gpg" + ]; + sopsCreateGPGHome = "1"; + nativeBuildInputs = [ + (pkgs.callPackage ../../.. {}).sops-import-keys-hook + ]; +} From 34a650555e1ae9c5623d98bd69da5c14de8ab389 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 3 Jul 2021 08:20:25 +0200 Subject: [PATCH 2/3] fix nixos-test We no longer require membership in keys group. --- pkgs/sops-install-secrets/nixos-test.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pkgs/sops-install-secrets/nixos-test.nix b/pkgs/sops-install-secrets/nixos-test.nix index ed3fbce..8dbc6da 100644 --- a/pkgs/sops-install-secrets/nixos-test.nix +++ b/pkgs/sops-install-secrets/nixos-test.nix 
@@ -65,9 +65,7 @@ value = server.succeed("cat /run/secrets/test_key")
 assertEqual("test_value", value)
- server.succeed("runuser -u someuser -G keys -- cat /run/secrets/test_key >&2")
- # should have no permission to read the file
- server.fail("runuser -u someuser -- cat /run/secrets/test_key >&2")
+ server.succeed("runuser -u someuser -- cat /run/secrets/test_key >&2")
 target = server.succeed("readlink -f /run/existing-file")
 assertEqual("/run/secrets.d/1/existing-file", target.strip())
From 6d27428b35998454b6f4b155d7a75b0f8e8f9ec6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 3 Jul 2021 08:25:05 +0200 Subject: [PATCH 3/3] dependabot: add go --- .github/dependabot.yml | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5ace460..0cfc43c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,3 +4,7 @@ updates:
 directory: "/"
 schedule:
 interval: "weekly"
+ - package-ecosystem: "gomod"
+ directory: "/"
+ schedule:
+ interval: "weekly"
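Review bot: The replacement `server.succeed(...)` line keeps only the positive read check, so the test no longer proves that anyone other than the secret's owner is denied access to `/run/secrets/test_key`; with the old `server.fail(...)` gone, a regression that installs secrets world-readable would pass unnoticed. Assuming `test_key` is now declared with `someuser` as its owner (the commit message implies this, but the secret declaration is outside the hunk), add a negative probe as a different unprivileged account, e.g. `server.fail("runuser -u nobody -- cat /run/secrets/test_key >&2")`, and keep a comment like `# other users must have no permission to read the file` next to it. The enclosing test script continues outside the hunk.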