search

slok / agebox

Age based repository file encryption gitops tool
Apache License 2.0
227 stars 16 forks source link

Bump filippo.io/age from 1.0.0 to 1.1.1 #184

Closed dependabot[bot] closed 1 month ago

dependabot[bot] commented 1 year ago

Bumps filippo.io/age from 1.0.0 to 1.1.1.

Release notes

Sourced from filippo.io/age's releases.

age v1.1.1 is a patch release to fix go install filippo.io/age/...@latest.

See the release notes for v1.1.0 for changes since v1.0.0.

age v1.1.0: plugin and YubiKeys support

age is a simple, modern and secure file encryption tool, format, and Go library. It features small explicit keys, no config options, and UNIX-style composability. Learn more by reading the README, the age(1) man page, the Go API reference, the format specification, or the full release changelog. Watch the repository or follow @​filippo@abyssdomain.expert to be notified of new releases.

🛠️ FYI, age now has an extensive test suite which all age implementations are encouraged to adopt.

Plugin support

The age CLI now supports plugins, such as age-plugin-yubikey by @​str4d. To try it on macOS with Homebrew:

$ brew upgrade age
$ brew install age-plugin-yubikey
$ age-plugin-yubikey # interactive setup
$ age -r age1yubikey1qwt50d05nh5vutpdzmlg5wn80xq5negm4uj9ghv0snvdd3yysf5yw3rhl3t
$ age -d -i age-yubikey-identity-388178f3.txt

Plugins must be loaded explicitly by using their respective recipient or identity, and are not tied to a specific header stanza type. This means plugins can be used not only to support new recipient types such as PIV tokens (i.e. YubiKeys) or cloud KMS solutions, but also to produce passphrase-encrypted files that can be decrypted without plugins, to store age native private keys on secure elements, or even for agent functionality or to proxy decryption operations to remote machines.

Plugins operate over a simple textual stdin/stdout protocol (C2SP/C2SP#5). Developers are encouraged to reach out with plugin ideas and announcements. Read more in the relevant man page section.

Breaking changes

If -i is used, passphrase-encrypted files are now rejected. Previously, a passphrase-encrypted file was auto-detected and the identity file was ignored. This could lead to unexpected behavior, such as a script blocking for user interaction, based on potentially untrusted input files. Now, age -d must be invoked without -i arguments to decrypt passphrase-encrypted files. A helpful error is printed otherwise. This should not break any automated system as passphrase decryption was always interactive.

Empty final chunks are now rejected. If a payload was a multiple of 64KiB long, there were two valid encryptions for it: with a "full" last chunk encrypting 64KiB, or with an additional "empty" chunk encrypting 0 bytes. age, rage, and all other known implementations only ever produced the former. (Note that age will forever decrypt files it generated.) The latter is now rejected. The specification has been updated (C2SP/C2SP#13) and test cases are included in the test suite.

Minor changes

PKCS#8-encoded Ed25519 private keys (such as 1Password exports) are now supported as SSH identities.

If an armored file is pasted into the terminal, age will now attempt to wait until the end of the file before prompting for a password.

Some invalid files are now correctly rejected, in particular encrypted files with trailing data. (Yay for the test suite!)

If /dev/tty is present but can't be opened, age will now fallback to trying to treat stdin as a terminal as if /dev/tty wasn't present. (Thanks @​brandsimon!)

Input prompts now go to the terminal, even if standard error is redirected.

Values of the new armor.Error type are now returned wrapped in decryption errors when appropriate.

Windows binary releases are now signed. (Thanks @​technion!)

Documentation and error messages were improved.

... (truncated)

Commits
  • c6dcfa1 all: temporarily disable testscript tests
  • a1fabee all: upgrade dependencies
  • 7354aa0 internal/bech32: remove data length limit
  • bf8d2a3 age: move testkit to CCTV
  • 5d5c9c4 .github/workflows: parallelize build process (#456)
  • e05ce26 .github/workflows: use gh to upload release artifacts (#455)
  • 000e931 doc: regenerate groff and html man pages
  • ebf48f1 doc: trim trailing whitespace
  • 3f2209c doc: fix typos
  • bbac0a5 README: add a couple links to the heading
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
codecov-commenter commented 1 year ago

Codecov Report

Merging #184 (d340519) into main (2156178) will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #184   +/-   ##
=======================================
  Coverage   80.49%   80.49%           
=======================================
  Files          16       16           
  Lines        1241     1241           
=======================================
  Hits          999      999           
  Misses        179      179           
  Partials       63       63

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

dependabot[bot] commented 1 month ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.