Support for gpg2? #189
We need to add an option to use command line `gpg` or `gpg2` instead of using the `crypto/openpgp` library. I haven't looked at gpg2 yet. Do you know if the command line arguments are the same as with gpg?

I think we should do this distinctly from the openpgp Go package. Maybe even replace the current gpg handling to use the gpg binary like python sops did, and add openpgp as a new master key provider (like KMS). This way we'd end up with 3 providers: KMS, go-openpgp and gpg.

> On Fri, Jan 13, 2017, 15:54 Julien Vehent [:ulfr] wrote:
> We need to add an option to use command line gpg or gpg2 instead of using the crypto/openpgp library. I haven't looked at gpg2 yet. Do you know if the command line arguments are the same as with gpg?

That doesn't make a lot of sense to me. It's the same protocol and key format, just a different way of accessing the data.

sops 1 supported

It has the benefit of allowing sops to be used without gpg installed. I don't know if that is important to anyone, though. Since we already have an implementation using crypto/openpgp, I think it might be good to keep it around and add a new one using the binary.

> On Fri, Jan 13, 2017, 16:25 Julien Vehent [:ulfr] wrote:
> That doesn't make a lot of sense to me. It's the same protocol and key format, just a different way of accessing the data.

I absolutely think

Are we sure the Go package doesn't already support the GnuPG 2.1 keyring location and format? The problem I saw from looking at the code was that sops has the paths of the keyrings hardcoded to the <= 2.0 versions of GnuPG, not necessarily a problem with the OpenPGP implementation itself.

I don't see support for anything over v2.0 in the read tests.

I'm 99.8% sure

My understanding is that secring.gpg is gone, as well. Both rings are stored inside pubring.kbx.

@jimmycuadra is correct, see the changelog. Maybe we can access it through the agent?

Hang on; doesn't SOPS talk to gpg-agent? (This is relevant to my interests, because I was unable to get SOPS to work with my Yubikey 4 token.)

@lvh the Python version did, as it just calls the

Gotcha. See #191; I was confused by: also hi @autrilla, long time no see

Err, you're right, we do talk to gpg-agent. I didn't express myself correctly. SOPS talks to gpg-agent to retrieve the passphrase for private keys. It's very likely I'm totally wrong about this, as my understanding of gpg is very limited.

OK, that makes a lot of sense after more review of the code! You're right of course, the entire point of the token is that the key lives on the card and never, never leaves -- you send the message to the token to be encrypted, and it sends the encrypted thing back to you.

I'm glad I learned the Go version doesn't support smart cards. I've been using sops with my Yubikey for a while and only now am realizing it's cause I still have the Python version. I'd better not upgrade. >_<

Sops 1 is still maintained and installable via pip. You're safe to upgrade, we won't force you to v2.

> On January 18, 2017 8:08:30 PM EST, Jimmy Cuadra wrote:
> I'm glad I learned the Go version doesn't support smart cards. I've been using sops with my Yubikey for a while and only now am realizing it's cause I still have the Python version. I'd better not upgrade. >_<

Au contraire, given that

The path forward for now is implementing support for calling the gpg binary. What we should default to is a bit bikesheddy but I suppose it's up for discussion. As I see it, the advantages for defaulting to
And the advantages for defaulting to the binary:
Personally I agree with @jvehent that defaulting to

Regardless of which method we use, we should try the other method automatically on failure.

This has been fixed by #238

Problems still in there with the latest version

Well, the GPG binary is exiting with status code 2, which is unsuccessful. This usually happens when GPG doesn't have access to the key, but it could be another cause. I suggest looking at https://github.com/mozilla/sops/blob/master/pgp/keysource.go#L60-L83 and executing the equivalent manually to see why GPG is erroring.

I'm seeing the same issue as @jubel-han

@autrilla I'm having an issue with Decryption, not Encryption, so I guess it's this code? https://github.com/mozilla/sops/blob/master/pgp/keysource.go#L180-L195 . I haven't looked deeply into this code in a while..

Yes, that's it. Put the contents of "enc" for each of the GPG keys encrypting your file in a separate file and try decrypting that with GPG.

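An added diagnostic, written for this page in Go and not taken from sops' own `pgp/keysource.go`, that does what the two comments above describe: it pulls every `sops.pgp[].enc` block out of an encrypted sops JSON file, hands each one to the `gpg` binary on stdin, and reports the exit status together with gpg's stderr per fingerprint, so "exited with status 2" comes with the line that explains it. The program name `sopsgpgcheck`, the helper names, and the `--batch --decrypt` invocation are this example's own choices; it assumes `gpg` is on PATH and that the agent/pinentry in use can work without a terminal prompt. The sample document is constructed with placeholder fingerprints and no real ciphertext.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"os"
	"os/exec"
)

// PGPEntry is one element of sops.pgp[]: a key fingerprint plus the data key encrypted to it (ASCII-armored).
type PGPEntry struct {
	FP  string `json:"fp"`
	Enc string `json:"enc"`
}

// ExtractPGPEntries pulls the pgp master-key entries out of a sops JSON file.
func ExtractPGPEntries(doc []byte) ([]PGPEntry, error) {
	var d struct {
		Sops struct {
			PGP []PGPEntry `json:"pgp"`
		} `json:"sops"`
	}
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, err
	}
	if len(d.Sops.PGP) == 0 {
		return nil, fmt.Errorf("document has no sops.pgp entries")
	}
	return d.Sops.PGP, nil
}

// RunResult keeps stdout, stderr and the exit status apart so "exited 2" can be shown with the line explaining it.
type RunResult struct {
	Stdout   []byte
	Stderr   string
	ExitCode int // 0 on success, the command's status otherwise; unset if the command never started
}

// RunWithStdin runs binary with args, feeding input on stdin. A non-zero exit is data, not an error.
func RunWithStdin(binary string, args []string, input []byte) (RunResult, error) {
	cmd := exec.Command(binary, args...)
	cmd.Stdin = bytes.NewReader(input)
	var stdout, stderr bytes.Buffer
	cmd.Stdout, cmd.Stderr = &stdout, &stderr
	err := cmd.Run()
	res := RunResult{Stdout: stdout.Bytes(), Stderr: stderr.String()}
	if exitErr, ok := err.(*exec.ExitError); ok {
		res.ExitCode = exitErr.ExitCode()
		return res, nil
	}
	return res, err // nil on success; non-nil only when the binary could not be started
}

// DiagnoseFile feeds each pgp entry of a sops JSON file to gpg and prints, per
// fingerprint, whether gpg recovered the data key and, if not, what it said.
func DiagnoseFile(path string) error {
	doc, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	entries, err := ExtractPGPEntries(doc)
	if err != nil {
		return err
	}
	for _, e := range entries {
		// --batch stops gpg from prompting, so an unusable key (wrong keyring,
		// locked card, no agent) shows up as an exit status and stderr text, not a hang.
		res, err := RunWithStdin("gpg", []string{"--batch", "--decrypt"}, []byte(e.Enc))
		switch {
		case err != nil:
			fmt.Printf("%s: could not run gpg: %v\n", e.FP, err)
		case res.ExitCode != 0:
			fmt.Printf("%s: gpg exited with status %d\n%s", e.FP, res.ExitCode, res.Stderr)
		default:
			fmt.Printf("%s: recovered a %d-byte data key\n", e.FP, len(res.Stdout))
		}
	}
	return nil
}

// SampleDocument is a constructed sops-style fragment with placeholder fingerprints; the armored blocks are not real ciphertext.
const SampleDocument = `{"sops": {"pgp": [
  {"fp": "1111111111111111111111111111111111111111", "enc": "-----BEGIN PGP MESSAGE-----\n\nnot-real\n-----END PGP MESSAGE-----\n"},
  {"fp": "2222222222222222222222222222222222222222", "enc": "-----BEGIN PGP MESSAGE-----\n\nnot-real\n-----END PGP MESSAGE-----\n"}]}}`

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: sopsgpgcheck <encrypted.json>")
		os.Exit(1)
	}
	if err := DiagnoseFile(os.Args[1]); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Run it as `go run . secrets.json` against a sops-encrypted JSON file (YAML would need a YAML parser; JSON keeps this to the standard library). A status of 2 with "No secret key" on stderr for a fingerprint means this gpg cannot use that key, which is the keyring/agent/smartcard situation discussed in this thread; swapping the `"gpg"` literal for `"gpg2"` is the only change needed to test the other binary, and if the agent relies on a terminal pinentry, export `GPG_TTY=$(tty)` in the calling shell first. `RunWithStdin` deliberately returns a non-zero exit as a result rather than an error so the stderr text survives to the report.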
FWIW I tried running

@autrilla hmmm it's working now via and btw thanks for responding so quickly 👍

No problem! Glad it's working.

@chroto I'm actually having the same problem, and it doesn't resolve itself. I'm a little lost at this point.

Perhaps see #304 too?

fwiw, I had the same issue using a smartcard without gpg-agent. once I unlocked the smartcard via

@habnabit that's interesting... I guess maybe GPG tries to detect if it's running in a TTY and has different behavior? Because otherwise, all SOPS does is call

(Also relevant whenever someone describes their experience here: when you say You may want:
... specifically if you're using a gpg2 gpg-agent but gpg1 to talk to it. (They're still compatible but gpg wants that env var and gpg2 doesn't so gpg2's gpg-agent stopped setting it at some point.)

Note that for ubuntu-16.04 variants, the package is `gpgv2` which installs:

```
root@c597dfd5ed49:/# gpgv2 --version
gpgv (GnuPG) 2.1.11
libgcrypt 1.6.5
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
```

Hence, it might not be compatible with `sops` v2. See: getsops/sops#189

I also experienced the same issue importing a key from a server to another. None of the above solutions worked for me. The issue was due to importing a public key without its corresponding private key, so I had to:

and then import both:

This fixed the issue for me.

so why is this closed? the problem still exists

A working solution was generated by Perplexity AI for me. Export keys to old format: You can export your public keys to the old format:

Then the SOPS decryption worked.

Hi!

I'm using `gpg 2.1` and I'm unable to use `sops` because it can't find the new `pubring.kbx` that `gpg2` uses. Looks like it's hardcoded to open `pubring.gpg`. After digging a bit more, I'm not sure `crypto/openpgp` supports gpg > 2 😦. I'm guessing I can't use `sops` unless I have `secring.gpg` and `pubring.gpg` and not `pubring.kbx`?