oddlama / agenix-rekey

An agenix extension adding secret generation and automatic rekeying using a YubiKey or master-identity
MIT License

The "unencrypted identity" warning is triggered when it shouldn't be #7

Closed lierdakil closed 1 year ago

lierdakil commented 1 year ago

The warning at

https://github.com/oddlama/agenix-rekey/blob/dbe0dc1c41a9e8959baac6d7377d2051549ace2a/modules/agenix-rekey.nix#L163-L164

gets triggered, AFAICT, in any case where some master identity path does not end with .pub or .age, even when it's specified as a string referencing something outside the nix store (which, mind, is an option endorsed by the warning itself).

I'm not a Nix expert by a long shot, but I don't think anything's copied to the nix store if I have something like, e.g., age.rekey.masterIdentities = [ "/home/user/.ssh/id_ed25519" ];?

Perhaps consider checking builtins.isPath in

https://github.com/oddlama/agenix-rekey/blob/dbe0dc1c41a9e8959baac6d7377d2051549ace2a/modules/agenix-rekey.nix#L160

?

oddlama commented 1 year ago

Yes, you're right, this shouldn't occur in that case. Probably an oversight of mine because most users are using keygrabs. Generally it's okay to refer to a path outside your nix flake via a string, but not via an (impure) nix path. So using isString should indeed solve that, will add that right now.
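The distinction the two comments turn on is worth seeing in code. A Nix path literal such as ./keys/id_ed25519 is copied into /nix/store (world-readable) as soon as it is interpolated into a string or referenced by a derivation, whereas a plain string such as "/home/user/.ssh/id_ed25519" is only ever a string and is never copied. The following is an added example, not agenix-rekey's own module code: it reproduces the intended check with builtins only (no nixpkgs lib), warning only for path literals that do not end in .pub or .age. The masterIdentities list is constructed sample input and the file names in it are hypothetical; none of them need to exist for this to evaluate, because builtins.isPath and baseNameOf do not read the file or copy it into the store.

```nix
# Added example (not agenix-rekey's code): classify master identities the way
# the fixed warning should.
#
#   path literal  (./keys/id_ed25519)        -> would be copied into /nix/store
#   string        ("/home/.../id_ed25519")   -> never copied, safe to reference
#
# Evaluate with:  nix eval --impure --expr 'import ./check.nix'
let
  # True when the file name ends in .pub (public key, harmless if copied)
  # or .age (already encrypted). builtins.match requires a whole-string match.
  hasSafeSuffix = name:
    builtins.match ".*\\.(pub|age)" name != null;

  # Warn only for path literals without a safe suffix. baseNameOf coerces the
  # path to a string without copying it into the store, so the check itself
  # does not leak the key.
  needsWarning = identity:
    builtins.isPath identity
    && !hasSafeSuffix (baseNameOf identity);

  # Constructed sample list covering the cases discussed in the issue.
  masterIdentities = [
    ./keys/master.age                 # path, encrypted: no warning
    ./keys/yubikey.pub                # path, public key: no warning
    ./keys/id_ed25519                 # path, plaintext key: WARN
    "/home/user/.ssh/id_ed25519"      # string outside the store: no warning
  ];

  offenders = builtins.filter needsWarning masterIdentities;
in
{
  # toString on a path also does not copy it into the store.
  offenders = map toString offenders;   # one entry: .../keys/id_ed25519
  warn = offenders != [ ];              # true
}
```

Checking builtins.isString instead, as suggested in the thread, is equivalent here as long as every element is either a path or a string; the isPath form above makes the dangerous case explicit, which is the property the warning is meant to protect.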