Better Error message for Key Provider execution

[Dsolnik]

If the Key Provider errors in encryption or decryption, the error message is not very helpful.

On encryption:

Unable to finalize encryption: error while retrieving keyprovider protocol command output: Error while running $COMMAND: exit status 1

On decryption:

decrypting layer sha256:$SHA: missing private key needed for decryption

Can we append the stderr to the message here so we can give the user back some information on what happened?

Alternatively, maybe we can add this to the Protocol structs?

[stefanberger]

Can you please also provide the commands that you used that lead to the output so we see what you tried?

[stefanberger]

@lumjjb Not sure how this will work with existing key providers that wouldn't report this (stderr output or some other error string). Not so familiar with the protocol, either.

[Dsolnik]

To reproduce this, you can make simple-ocicrypt-keyprovider return a -1 status code.

I can make a reproducer repo with the change to that if that would help?

[Dsolnik]

Maybe we could make this a flag in the key provider config to enable passing through the stderr?

[Dsolnik]

i.e.

    {
        "key-providers": {
            "isecl": {
                "path": "/usr/lib/ocicrypt-isecl",
                "args": [],
                "stderr": False,
            },
            "keyprotect": {
                "path": "/usr/lib/ocicrypt-keyprotect",
                "args": [],
                "stderr": True,
            },
            "keyvault": {
                "grpc": "localhost:50051"
            }
        }
    }

[stefanberger]

Did PR #74 resolve your issue. If so, can you close the issue?