In PKCS7 RFC, the recipient certificate is not mandatory when decrypting. This is also how it is implemented in OpenSSL PKCS7_decrypt(). However, it is only since version 2.2.0 of ruby-openssl that it is possible to call OpenSSL::PKCS7#decrypt with only the private key. Ref: https://github.com/ruby/openssl/pull/183
The issue of hiera-eyaml requiring the public key when decrypting has been brought before in #137, but ruby-openssl was yet patched.
In PKCS7 RFC, the recipient certificate is not mandatory when decrypting. This is also how it is implemented in OpenSSL PKCS7_decrypt(). However, it is only since version 2.2.0 of ruby-openssl that it is possible to call OpenSSL::PKCS7#decrypt with only the private key. Ref: https://github.com/ruby/openssl/pull/183
The issue of hiera-eyaml requiring the public key when decrypting has been brought before in #137, but ruby-openssl was yet patched.