oddlama / agenix-rekey

An agenix extension adding secret generation and automatic rekeying using a YubiKey or master-identity
MIT License

Can't edit secrets! #33

Closed YaroKasear closed 4 months ago

YaroKasear commented 4 months ago

I am not sure what happened, but somewhere along the line agenix-rekey seems to have gotten an update that keeps me from editing my secrets now.

When I run agenix edit on my flake, I get the following error:

Collecting information about hosts. This may take a while...
/nix/store/g370n6vnq9pmb71ynxz5183h6428xbqi-ageWrapper/bin/ageWrapper: line 43: pubkeys[0]: unbound variable
error: Failed to decrypt file. Aborting.

I didn't change how I use agenix recently, so I don't know what changed or how this can be fixed.

oddlama commented 4 months ago

I had a quick look at your repo, and it looks like your yubikey.pub is missing the comment:

AGE-PLUGIN-YUBIKEY-1GJWL7QYZY9UFWNCJU2PVY

Compare this to mine for reference:

#       Serial: 15209174, Slot: 1
#         Name: YK1 Nix Rage
#      Created: Thu, 26 Jan 2023 14:46:49 +0000
#   PIN policy: Once   (A PIN is required once per session, if set)
# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
#    Recipient: age1yubikey1qgf2k486ctg6rs66mlm6wudwcwg6r5h5jme2cr3ympluyjl84dgkjxpzup9
AGE-PLUGIN-YUBIKEY-16CFWSQYZC6JFAUGPQESMC

Recently we changed how encryption happens by extracting the public key from this file via the Recipient comment. Previously you needed to plug the yubikey in even for encryption, which is not required anymore. Just re-exporting your keygrab with age-plugin-yubikey or manually adding the relevant comment to your file should fix the problem.

Nonetheless this is definitely a bug because it should tell you about this problem instead of throwing an error. I'm going to take a look at this later.
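
As an added illustration (this is not agenix-rekey's own ageWrapper code), a shell function that extracts the recipient from a yubikey identity file via its "# Recipient:" comment, as described above, and reports a clear error when the comment is missing instead of failing later with an unbound-variable message. The identity files and key strings below are constructed placeholders, not real keys.

```shell
#!/usr/bin/env bash
# Added example, not the project's ageWrapper: read the age recipient from an
# age-plugin-yubikey identity file using its "# Recipient:" comment.

# Print the recipient found in "$1"; return 1 with a helpful message if absent.
extract_recipient() {
  file="$1"
  recipient=$(sed -n 's/^#[[:space:]]*Recipient:[[:space:]]*\(age1[a-z0-9]*\).*$/\1/p' "$file" | head -n 1)
  if [ -z "$recipient" ]; then
    echo "error: $file has no '# Recipient: age1...' comment;" \
         "re-export the identity with age-plugin-yubikey or add the comment manually" >&2
    return 1
  fi
  printf '%s\n' "$recipient"
}

# Gather recipients from several identity files (one per line on stdout).
# Checking each file here reports *which* file is broken, rather than leaving
# an empty list that only blows up when the first element is indexed.
collect_recipients() {
  count=0
  out=""
  for f in "$@"; do
    r=$(extract_recipient "$f") || return 1
    out="${out}${r}
"
    count=$((count + 1))
  done
  [ "$count" -gt 0 ] || { echo "error: no recipients found" >&2; return 1; }
  printf '%s' "$out"
}

# Constructed sample identity files (placeholder values, not real keys).
good_identity=$(mktemp)
bad_identity=$(mktemp)
trap 'rm -f "$good_identity" "$bad_identity"' EXIT
cat >"$good_identity" <<'EOF'
#       Serial: 00000000, Slot: 1
#         Name: example identity
#    Recipient: age1yubikey1qexampleplaceholderrecipient
AGE-PLUGIN-YUBIKEY-1EXAMPLEPLACEHOLDER
EOF
# Same file with the comments stripped, as in the reported issue.
printf 'AGE-PLUGIN-YUBIKEY-1EXAMPLEPLACEHOLDER\n' >"$bad_identity"

collect_recipients "$good_identity"          # prints the placeholder recipient
collect_recipients "$bad_identity" || true   # prints the clear error on stderr
```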

YaroKasear commented 4 months ago

Okay, cool. Thanks for letting me know!

oddlama commented 4 months ago

After looking at it again it seemed like a simple fix, so I've already pushed something. So now there should be a proper error message :)