Open r10r opened 11 months ago
My guess is that the code reads from SOPS_AGE_KEY_FILE more than once. While it works during the first time, it fails during the second time, which causes failed to load age identities: ....
Do you mean that /dev/stdin is read twice and empty the second time when used for SOPS_AGE_KEY_FILE?
Yes. If you look at how the error messages differ for the two keys, you can see that for the first key it apparently loaded the identities, but for the second it wasn't able to find any age identity.
I just opened #1323 for the same use case.
Having #1323 would allow something like SOPS_AGE_KEY_EXEC="bash -c \"umask 0077; cat /dev/shm/age-key.txt || keepassxc-cli show -a password db.kdbx mykey | tee /dev/shm/age-key.txt\""
The problem here, I think, is that every group is tried as an individual decryption "request", causing an isolated attempt to load credentials.
Because during the first attempt the data has already been read from stdin, any subsequent read will not be able to see this key again.
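The read-once behaviour described in the comments above, as an added Go example (not sops code and not written by any participant in this thread). The names loadIdentities, cachedSource and tryGroups are hypothetical, the key string is a constructed placeholder, and strings.NewReader stands in for /dev/stdin.

```go
package main

import (
	"fmt"
	"io"
	"strings"
	"sync"
)

// loadIdentities reads the whole source on every call (hypothetical helper).
func loadIdentities(src io.Reader) (string, error) {
	b, err := io.ReadAll(src)
	if err != nil || len(strings.TrimSpace(string(b))) == 0 {
		return "", fmt.Errorf("no age identity found (read error: %v)", err)
	}
	return string(b), nil
}

// cachedSource reads the stream exactly once and replays the result from memory.
type cachedSource struct {
	once sync.Once
	src  io.Reader
	data string
	err  error
}

func (c *cachedSource) Load() (string, error) {
	c.once.Do(func() { c.data, c.err = loadIdentities(c.src) })
	return c.data, c.err
}

// tryGroups performs one isolated credential load per key group and
// returns how many groups obtained an identity.
func tryGroups(n int, load func() (string, error)) int {
	ok := 0
	for i := 0; i < n; i++ {
		if _, err := load(); err == nil {
			ok++
		}
	}
	return ok
}

func main() {
	// Constructed placeholder, not a real age key.
	const key = "AGE-SECRET-KEY-CONSTRUCTED-PLACEHOLDER\n"
	// Like a pipe on stdin, this reader is at EOF after the first full read.
	pipe := strings.NewReader(key)
	fmt.Println("naive: ", tryGroups(2, func() (string, error) { return loadIdentities(pipe) }))
	c := &cachedSource{src: strings.NewReader(key)}
	fmt.Println("cached:", tryGroups(2, c.Load))
}
```

With two key groups, the naive loader succeeds for one group only, while the cached source serves both from a single read and the key never has to be written to disk.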
Hi,
I want to load the age keys from a password safe (keepassxc) and pass them to sops via stdin
but I'll get
Decryption works fine when I write the output from keepassxc-cli show -a password db.kdbx mykey into a file first and use the file path in SOPS_AGE_KEY_FILE