getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

SOPS not working in custom Gitpod workspace #935

Open doublethink13 opened 3 years ago

doublethink13 commented 3 years ago

Bug description

SOPS is not working in my custom image. I get the following error:

~ $ sops -d --in-place test.yaml
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  31F8CE55BE04D165DBE7C5562E8BD8308FC62F66: FAILED
    - | could not decrypt data key with PGP key:
      | golang.org/x/crypto/openpgp error: Could not load secring:
      | open /home/gitpod/.gnupg/secring.gpg: no such file or
      | directory; GPG binary error: exit status 2

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

I had previously encrypted the file with no problems:

my: ENC[AES256_GCM,data:YZV3QA==,iv:63Tuoc1S/P2kH8lyA2g2NE67Ld4m1vjzj2++1oZ+hZQ=,tag:47ZkFQOOiTSe1+olsefuWg==,type:str]
very: ENC[AES256_GCM,data:LmoCsaFpiAdi,iv:QQA9Q79eZz1jROHF+9htKX6IssNaEdbLAWU0qHV6f1Q=,tag:gsiRZCP5oVYqzKZE6wFu8Q==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2021-09-09T19:36:26Z"
    mac: ENC[AES256_GCM,data:TgGxanEhrCGuiz/ThBi0wdanBkpycKC7X3/e2xPSd29Pl/EatIyuP0RrU1GLaXOt244RUGKBq8gyOrpzAqq4pQx7z6Snr3/1Y6Ns10qA2P/aTz5627k6fC1eXzzJZ9VUCz5GDjRlgYLozpbnr1ewpisJlYTa5/vFLz0ulI2GinI=,iv:NpxLimDPTMLEbGFRy4wUksZl2/3iFIG0A3B10KzGf2I=,tag:UKwx6/yEHMN9LRrdUkpiJw==,type:str]
    pgp:
        - created_at: "2021-09-09T19:36:26Z"
          enc: |
            -----BEGIN PGP MESSAGE-----

            hQGMAxWBySvYZYwIAQwApty1xnCdPgaW6rsfaL6x/ErPgF2nz8TyTIV7r93+Z3Zr
            qX70eZT67LitWp9RLrUact95IGvUYCILSgwpi1cSEF258q3GgfRKI+gTz97ZoX/n
            iICaXhmgKQWgSRwsGHLnM+yK1GhDDRPpUUV6nY3otx7XSr2e05RPrc6/9iDosyQq
            RpgqkJJ++ksClLHYWvKu9Pf5yonfOJss9s8hnKtTYFw3zhuRlkW14AT/3EYzluCK
            USP+jXKjmYRNV2pVdoKiPEqTA4F6DqpACWAP0TQzZwTS1EvvU8lkViqyWT0Z5K1X
            5iM7hmNMZG7RBj2v8FA4JUmRhAYCL8PrR9VJvuB1KFu3g1tFl9jlJMU1mERi9stL
            tOSOhoV7zc61u97HFyJl6sLNvfdUUyzV6u/ZNJ/Uq9XfBuepCMvP1O2d6SHqIqDR
            2JdJlL8EKYKDhVmBlZ9qTgSEzOH+Etluveb2gbslldTo8qAey05GzkOA8Pghva2x
            Kzlfn/v0lZ3/ysQzkaRw0l4BZAaTOdPff8I9r2tRQm47QJozo2QjUAxwXC9amJpU
            XQQ9Jxcbzu+LigVrWNbIHwtR3knLVBCRS4OtAiFJ6Vbjc8kmaRUOWv1oKdYLve3a
            fiqwl3ID0aYAsWXmJnOp
            =2RnQ
            -----END PGP MESSAGE-----
          fp: 31F8CE55BE04D165DBE7C5562E8BD8308FC62F66
    unencrypted_suffix: _unencrypted
    version: 3.7.1

Steps to reproduce

# create key manually
~ $ gpg --generate-key

# list keys
~ $ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-09-09
/home/gitpod/.gnupg/pubring.kbx
-------------------------------
pub   rsa4096 2014-10-28 [SC]
      409B6B1796C275462A1703113804BB82D39DC0E3
uid           [ unknown] Michal Papis (RVM signing) <mpapis@gmail.com>
uid           [ unknown] Michal Papis <michal.papis@toptal.com>
uid           [ unknown] [jpeg image of size 5015]
sub   rsa2048 2015-11-02 [E]

pub   rsa4096 2016-11-11 [SC]
      7D2BAF1CF37B13E2069D6956105BD0E739499BDB
uid           [ unknown] Piotr Kuczynski <piotr.kuczynski@gmail.com>
sub   rsa4096 2016-11-11 [E]

pub   rsa3072 2021-09-09 [SC] [expires: 2023-09-09]
      31F8CE55BE04D165DBE7C5562E8BD8308FC62F66
uid           [ultimate] testing <test@test.com>
sub   rsa3072 2021-09-09 [E] [expires: 2023-09-09]

# export the key fingerprint for future use
~ $ export SOPS_PGP_FP="31F8CE55BE04D165DBE7C5562E8BD8308FC62F66"

# encrypt the test file
~ $ sops -e --in-place test.yaml

# decrypt - the error appears
~ $ sops -d --in-place test.yaml
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  31F8CE55BE04D165DBE7C5562E8BD8308FC62F66: FAILED
    - | could not decrypt data key with PGP key:
      | golang.org/x/crypto/openpgp error: Could not load secring:
      | open /home/gitpod/.gnupg/secring.gpg: no such file or
      | directory; GPG binary error: exit status 2

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.

Anything else?

~ $ gpg --version
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/gitpod/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
~ $ sops --version
sops 3.7.1 (latest)

I did not install gpg. I did install SOPS, like so:

RUN curl -sSL -o /tmp/sops "https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux" && \
    chmod +x /tmp/sops && \
    mv /tmp/sops /usr/bin

Here is my custom image Dockerfile.

doublethink13 commented 3 years ago

Found a fix:

# check owner of current tty
gitpod ~ $ ls -la $(tty)
crw------- 1 root nogroup 136, 1 Sep 10  2021 /dev/pts/0

# if it's not gitpod (or your current user), create a pseudoterminal where you are, in fact, the owner
gitpod ~ $ script /dev/null

# export the necessary variable so that gpg is aware of this pseudoterminal
gitpod ~ $ export GPG_TTY=$(tty)

The above is not necessary if using sops as root (sudo su before trying to decrypt).

See GnuPG docs.

Before closing this issue, I would like to know why we are not the owners of the pseudoterminal being used and if the above has any concerns regarding security, etc.
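A pre-flight check for the failure mode in this thread, added here as an example (not code from the issue or from sops): gpg's pinentry prompts on the terminal named by GPG_TTY, and when that pty belongs to another user the gpg binary exits 2 while the Go openpgp fallback finds no legacy secring.gpg, which is the combined error shown above. The helper names are this example's own, and the owner check parses `ls -ld` the way the issue's own check does.

```shell
#!/bin/sh
# Added example, not from the issue or from sops: a pre-flight check for the
# "GPG binary error: exit status 2" failure above. gpg's pinentry prompts on
# the terminal named by GPG_TTY; if that pty belongs to another user (root-owned
# /dev/pts/0 in the Gitpod workspace), gpg cannot open it and sops cannot
# recover the data key. Helper names are this example's own.

# Owning user of a path (device node or file), read from `ls -ld` like the
# issue's own check; prints nothing if the path does not exist.
tty_owner() {
  ls -ld "$1" 2>/dev/null | awk '{print $3}'
}

# Return 0 when PATH exists and is owned by USER, otherwise 1.
tty_usable() {
  [ -e "$1" ] || return 1
  [ "$(tty_owner "$1")" = "$2" ]
}

# Classify the current session for gpg. Prints exactly one word:
#   no-tty     stdin is not a terminal (CI job, piped input)
#   not-owner  the tty exists but belongs to another user
#   unset      tty is fine, but GPG_TTY is missing or points elsewhere
#   ok         GPG_TTY names an existing tty owned by the current user
gpg_tty_status() {
  t=$(tty 2>/dev/null) || { echo no-tty; return 0; }
  tty_usable "$t" "$(id -un)" || { echo not-owner; return 0; }
  [ "${GPG_TTY:-}" = "$t" ] || { echo unset; return 0; }
  echo ok
}

# Remediation per status, mirroring the fix posted in this issue.
advise() {
  case "$1" in
    ok)        echo "gpg can prompt on $GPG_TTY; sops -d should work" ;;
    unset)     echo 'run: export GPG_TTY=$(tty)' ;;
    not-owner) echo 'run: script /dev/null   # new pty you own, then export GPG_TTY=$(tty)' ;;
    no-tty)    echo 'no terminal: run sops from an interactive shell' ;;
    *)         echo "unknown status: $1"; return 1 ;;
  esac
}

status=$(gpg_tty_status)
echo "status: $status"
advise "$status"
```

Run it in the workspace shell before `sops -d`; a `not-owner` result is exactly the situation the `script /dev/null` workaround addresses.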