Merge branch 'main' into barbican-support

Author: devx

.github/workflows/cli.yml

@@ -19,7 +19,7 @@ jobs:
       matrix:
         os: [linux, darwin, windows]
         arch: [amd64, arm64]
-        go-version: ['1.24', '1.25']
+        go-version: ['1.24', '1.25', '1.26']
         exclude:
           - os: windows
             arch: arm64
@@ -28,18 +28,19 @@ jobs:
       VAULT_TOKEN: "root"
       VAULT_ADDR: "http://127.0.0.1:8200"
     steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
       - name: Set up Go ${{ matrix.go-version }}
         uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version: ${{ matrix.go-version }}
+          cache: false
         id: go
 
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
-
-      - uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -85,14 +86,14 @@ jobs:
     needs: [build]
     strategy:
       matrix:
-        go-version: ['1.25']
+        go-version: ['1.26']
     env:
       VAULT_VERSION: "1.14.0"
       VAULT_TOKEN: "root"
       VAULT_ADDR: "http://127.0.0.1:8200"
     steps:
       - name: Check out code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 

.github/workflows/codeql.yml

@@ -29,13 +29,13 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
+        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
         with:
           languages: go
           # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
@@ -52,6 +52,6 @@ jobs:
           make install
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
+        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
         with:
           category: "/language:go"

.github/workflows/docs.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 

.github/workflows/linters.yml

@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 

.github/workflows/release.yml

@@ -25,22 +25,25 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           persist-credentials: false
 
       - name: Setup Go
         uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: 1.25
+          go-version: 1.26
           cache: false
 
       - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@0b82b0b1a22399a1c542d4d656f70cd903571b5c # v0.21.1
+        uses: anchore/sbom-action/download-syft@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
 
       - name: Setup Cosign
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        with:
+          # TODO: update cosign and go-releaser, and adjust go-releaser config
+          cosign-release: 'v2.6.2'
 
       - name: Setup QEMU
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
@@ -49,22 +52,22 @@ jobs:
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to Quay.io
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_BOT_USERNAME }}
           password: ${{ secrets.QUAY_BOT_TOKEN }}
 
       - name: Run GoReleaser
         id: goreleaser
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
         with:
           # Note that the following is the version of goreleaser, and NOT a Go version!
           # When bumping it, make sure to check out goreleaser's changelog first!

CHANGELOG.md

@@ -1,5 +1,74 @@
 # Changelog
 
+## 3.12.1
+
+This is a re-release of 3.12.0 with no code changes.
+
+Due to a failure during the 3.12.0 release, and the commit for the 3.12.0
+release already being cached by the Go infrastructure, we need to bump
+the version to properly get a release out.
+(We did learn this from a similar incident with the 3.10.0 release.)
+
+## 3.12.0
+
+Features:
+
+* Add support for HuaweiCloud KMS ([#2001](https://github.com/getsops/sops/pull/2001)).
+* GCP KMS: Add `SOPS_GCP_KMS_CLIENT_TYPE` environment variable support to select
+  between gRPC and REST clients ([#1973](https://github.com/getsops/sops/pull/1973)).
+* Age: support hybrid post-quantum identities ([#2033](https://github.com/getsops/sops/pull/2033)).
+* Age: pass `SOPS_AGE_RECIPIENT` environment variable to `SOPS_AGE_KEY_CMD` ([#2045](https://github.com/getsops/sops/pull/2045)).
+* Age: add `SOPS_AGE_SSH_PRIVATE_KEY_CMD` environment variable ([#2070](https://github.com/getsops/sops/pull/2070)).
+
+Improvements:
+
+* Dependency updates ([#1967](https://github.com/getsops/sops/pull/1967),
+  [#1971](https://github.com/getsops/sops/pull/1971), [#1978](https://github.com/getsops/sops/pull/1978),
+  [#1986](https://github.com/getsops/sops/pull/1986), [#1988](https://github.com/getsops/sops/pull/1988),
+  [#1991](https://github.com/getsops/sops/pull/1991), [#1993](https://github.com/getsops/sops/pull/1993),
+  [#2002](https://github.com/getsops/sops/pull/2002), [#2004](https://github.com/getsops/sops/pull/2004),
+  [#2007](https://github.com/getsops/sops/pull/2007), [#2012](https://github.com/getsops/sops/pull/2012),
+  [#2018](https://github.com/getsops/sops/pull/2018), [#2024](https://github.com/getsops/sops/pull/2024),
+  [#2029](https://github.com/getsops/sops/pull/2029), [#2037](https://github.com/getsops/sops/pull/2037),
+  [#2043](https://github.com/getsops/sops/pull/2043), [#2047](https://github.com/getsops/sops/pull/2047),
+  [#2050](https://github.com/getsops/sops/pull/2050), [#2059](https://github.com/getsops/sops/pull/2059),
+  [#2074](https://github.com/getsops/sops/pull/2074), [#2078](https://github.com/getsops/sops/pull/2078)).
+* Fix mistakes in `--help` output ([#1975](https://github.com/getsops/sops/pull/1975),
+  [#1963](https://github.com/getsops/sops/pull/1963)).
+* Improve documentation ([#1997](https://github.com/getsops/sops/pull/1997)).
+* Unset user's `GNUPGHOME` environment variable for tests ([#2052](https://github.com/getsops/sops/pull/2052)).
+* Use age's `plugin.NewTerminalUI()` instead of vendoring the code ([#2034](https://github.com/getsops/sops/pull/2034)).
+* Remove dead code during YAML loading ([#2072](https://github.com/getsops/sops/pull/2072)).
+* Build release with Go 1.26 ([#2071](https://github.com/getsops/sops/pull/2071)).
+
+Bugfixes:
+
+* Add `--decryption-order` flag to `exec-env`, `exec-file`, and `publish` commands.
+  The subcommand code was using the flags, but it wasn't declared ([#1965](https://github.com/getsops/sops/pull/1965)).
+* Fix AWS KMS encryption context not being passed when config is pre-loaded ([#2021](https://github.com/getsops/sops/pull/2021)).
+* Fix recursive publish ([#2019](https://github.com/getsops/sops/pull/2019)).
+* Set quota project to API project in GCP KMS ([#1697](https://github.com/getsops/sops/pull/1697)).
+* DotEnv store now properly reports missing metadata ([#2055](https://github.com/getsops/sops/pull/2055)).
+* AWS KMS: allow role splitting without hard-coded `aws` partition ([#2042](https://github.com/getsops/sops/pull/2042)).
+
+Project changes:
+
+* Add Go 1.26 to CI ([#2071](https://github.com/getsops/sops/pull/2071)).
+* CI dependency updates ([#1961](https://github.com/getsops/sops/pull/1961),
+  [#1966](https://github.com/getsops/sops/pull/1966), [#1970](https://github.com/getsops/sops/pull/1970),
+  [#1979](https://github.com/getsops/sops/pull/1979), [#1985](https://github.com/getsops/sops/pull/1985),
+  [#1989](https://github.com/getsops/sops/pull/1989), [#1992](https://github.com/getsops/sops/pull/1992),
+  [#2003](https://github.com/getsops/sops/pull/2003), [#2006](https://github.com/getsops/sops/pull/2006),
+  [#2010](https://github.com/getsops/sops/pull/2010), [#2011](https://github.com/getsops/sops/pull/2011),
+  [#2017](https://github.com/getsops/sops/pull/2017), [#2023](https://github.com/getsops/sops/pull/2023),
+  [#2028](https://github.com/getsops/sops/pull/2028), [#2038](https://github.com/getsops/sops/pull/2038),
+  [#2044](https://github.com/getsops/sops/pull/2044), [#2046](https://github.com/getsops/sops/pull/2046),
+  [#2049](https://github.com/getsops/sops/pull/2049), [#2058](https://github.com/getsops/sops/pull/2058),
+  [#2075](https://github.com/getsops/sops/pull/2075)).
+* Rust dependency updates for functional tests ([#1962](https://github.com/getsops/sops/pull/1962),
+  [#2027](https://github.com/getsops/sops/pull/2027), [#2035](https://github.com/getsops/sops/pull/2035),
+  [#2073](https://github.com/getsops/sops/pull/2073)).
+
 ## 3.11.0
 
 Security fixes:

README.rst

@@ -265,17 +265,25 @@ You can override the default lookup by:
 
 - setting the environment variable **SOPS_AGE_KEY_FILE**;
 - setting the **SOPS_AGE_KEY** environment variable;
-- providing a command to output the age keys by setting the **SOPS_AGE_KEY_CMD** environment variable..
+- providing a command to output the age keys by setting the **SOPS_AGE_KEY_CMD** environment variable.
+  This command can read the age recipient for which to return the private key from the **SOPS_AGE_RECIPIENT** environment variable.
 
 The contents of this key file should be a list of age X25519 identities, one
 per line. Lines beginning with ``#`` are considered comments and ignored. Each
 identity will be tried in sequence until one is able to decrypt the data.
 
 Encrypting with SSH keys via age is also supported by SOPS. You can use SSH public keys
 ("ssh-ed25519 AAAA...", "ssh-rsa AAAA...") as age recipients when encrypting a file.
-When decrypting a file, SOPS will look for ``~/.ssh/id_ed25519`` and falls back to
-``~/.ssh/id_rsa``. You can specify the location of the private key manually by setting
-the environment variable **SOPS_AGE_SSH_PRIVATE_KEY_FILE**.
+
+When decrypting a file, SOPS will attempt to source the SSH private key as follows:
+
+- From the path specified in environment variable **SOPS_AGE_SSH_PRIVATE_KEY_FILE**.
+- From the output of the command specified in environment variable **SOPS_AGE_SSH_PRIVATE_KEY_CMD**.
+
+   .. note:: The output of this command must provide a key that is not password protected.
+
+- From ``~/.ssh/id_ed25519``.
+- From ``~/.ssh/id_rsa``.
 
 Note that only ``ssh-rsa`` and ``ssh-ed25519`` are supported.
 

age/encrypted_keys.go

@@ -145,11 +145,7 @@ func unwrapIdentities(location string, reader io.Reader) (ParsedIdentities, erro
 			Passphrase: func() (string, error) {
 				conn, err := gpgagent.NewConn()
 				if err != nil {
-					passphrase, err := readSecret(fmt.Sprintf("Enter passphrase for identity '%s':", location))
-					if err != nil {
-						return "", err
-					}
-					return string(passphrase), nil
+					return pluginTerminalUI.RequestValue("", fmt.Sprintf("Enter passphrase for identity '%s':", location), true)
 				}
 				defer func(conn *gpgagent.Conn) {
 					if err := conn.Close(); err != nil {

age/keysource.go

@@ -17,6 +17,7 @@ import (
 	"filippo.io/age/armor"
 	"filippo.io/age/plugin"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/crypto/ssh"
 
 	"github.com/getsops/sops/v3/logging"
 	"github.com/google/shlex"
@@ -32,6 +33,13 @@ const (
 	// SopsAgeKeyCmdEnv can be set as an environment variable with a command
 	// to execute that returns the age keys.
 	SopsAgeKeyCmdEnv = "SOPS_AGE_KEY_CMD"
+	// SopsAgeRecipientEnv is passed as an environment variable to the command
+	// set in SopsAgeKeyCmdEnv and contains the Bech32-encoded age public key
+	// for which the private key should be returned.
+	SopsAgeRecipientEnv = "SOPS_AGE_RECIPIENT"
+	// SopsAgeSshPrivateKeyCmdEnv can be set as an environment variable with a command
+	// to execute that returns the private SSH key.
+	SopsAgeSshPrivateKeyCmdEnv = "SOPS_AGE_SSH_PRIVATE_KEY_CMD"
 	// SopsAgeSshPrivateKeyFileEnv can be set as an environment variable pointing to
 	// a private SSH key file.
 	SopsAgeSshPrivateKeyFileEnv = "SOPS_AGE_SSH_PRIVATE_KEY_FILE"
@@ -286,11 +294,35 @@ func (key *MasterKey) TypeToIdentifier() string {
 	return KeyTypeIdentifier
 }
 
-// loadAgeSSHIdentity attempts to load the age SSH identity based on an SSH
-// private key from the SopsAgeSshPrivateKeyFileEnv environment variable. If the
-// environment variable is not present, it will fall back to `~/.ssh/id_ed25519`
-// or `~/.ssh/id_rsa`. If no age SSH identity is found, it will return nil.
-func loadAgeSSHIdentities() ([]age.Identity, []string, errSet) {
+// getOutputFromCmd executes a shell command provided in param 'cmdString',
+// optionally adding env vars provided in param 'envVars',
+// and returns the command's output and error
+func getOutputFromCmd(cmdString string, envVars []string) ([]byte, error) {
+	var out []byte
+
+	args, err := shlex.Split(cmdString)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse command %s: %w", cmdString, err)
+	}
+	cmd := exec.Command(args[0], args[1:]...)
+	if envVars != nil {
+		cmd.Env = append(os.Environ(), envVars[0:]...)
+	}
+	out, err = cmd.Output()
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute command %s: %w", cmdString, err)
+	}
+
+	return out, nil
+}
+
+// loadAgeSSHIdentity attempts to load age SSH identities in this order:
+// 1. An SSH private key from the SopsAgeSshPrivateKeyFileEnv environment variable.
+// 2. An SSH private key returned by executing the command from the
+// SopsAgeSshPrivateKeyCmdEnv environment variable
+// 3. `~/.ssh/id_ed25519` or `~/.ssh/id_rsa`.
+// If no age SSH identity is found, it will return nil.
+func (key *MasterKey) loadAgeSSHIdentities() ([]age.Identity, []string, errSet) {
 	var identities []age.Identity
 	var unusedLocations []string
 	var errs errSet
@@ -307,6 +339,23 @@ func loadAgeSSHIdentities() ([]age.Identity, []string, errSet) {
 		unusedLocations = append(unusedLocations, SopsAgeSshPrivateKeyFileEnv)
 	}
 
+	sshKeyCmd, ok := os.LookupEnv(SopsAgeSshPrivateKeyCmdEnv)
+	if ok {
+		out, err := getOutputFromCmd(sshKeyCmd, []string{fmt.Sprintf("%s=%s", SopsAgeRecipientEnv, key.Recipient)})
+		if err != nil {
+			errs = append(errs, err)
+		} else {
+			identity, err := parseSSHIdentityFromPrivateKeyCmdOutput(out)
+			if err != nil {
+				errs = append(errs, err)
+			} else {
+				identities = append(identities, identity)
+			}
+		}
+	} else {
+		unusedLocations = append(unusedLocations, SopsAgeSshPrivateKeyCmdEnv)
+	}
+
 	userHomeDir, err := os.UserHomeDir()
 	if err != nil {
 		errs = append(errs, err)
@@ -355,7 +404,7 @@ func getUserConfigDir() (string, error) {
 // SopsAgeSshPrivateKeyFileEnv, SopsAgeKeyUserConfigPath). It will load all
 // found references, and expects at least one configuration to be present.
 func (key *MasterKey) loadIdentities() (ParsedIdentities, []string, errSet) {
-	identities, unusedLocations, errs := loadAgeSSHIdentities()
+	identities, unusedLocations, errs := key.loadAgeSSHIdentities()
 
 	var readers = make(map[string]io.Reader, 0)
 
@@ -378,16 +427,11 @@ func (key *MasterKey) loadIdentities() (ParsedIdentities, []string, errSet) {
 	}
 
 	if ageKeyCmd, ok := os.LookupEnv(SopsAgeKeyCmdEnv); ok {
-		args, err := shlex.Split(ageKeyCmd)
+		out, err := getOutputFromCmd(ageKeyCmd, []string{fmt.Sprintf("%s=%s", SopsAgeRecipientEnv, key.Recipient)})
 		if err != nil {
-			errs = append(errs, fmt.Errorf("failed to parse command %s from %s: %w", ageKeyCmd, SopsAgeKeyCmdEnv, err))
+			errs = append(errs, err)
 		} else {
-			out, err := exec.Command(args[0], args[1:]...).Output()
-			if err != nil {
-				errs = append(errs, fmt.Errorf("failed to execute command %s from %s: %w", ageKeyCmd, SopsAgeKeyCmdEnv, err))
-			} else {
-				readers[SopsAgeKeyCmdEnv] = bytes.NewReader(out)
-			}
+			readers[SopsAgeKeyCmdEnv] = bytes.NewReader(out)
 		}
 	} else {
 		unusedLocations = append(unusedLocations, SopsAgeKeyCmdEnv)
@@ -496,3 +540,16 @@ func parseIdentity(s string) (age.Identity, error) {
 		return nil, fmt.Errorf("unknown identity type")
 	}
 }
+
+// parseSSHIdentityFromPrivateKeyCmdOutput returns an age.Identity from the given
+// private key. Note that encrypted private keys are not supported.
+func parseSSHIdentityFromPrivateKeyCmdOutput(key []byte) (age.Identity, error) {
+	id, err := agessh.ParseIdentity(key)
+	if sshErr, ok := err.(*ssh.PassphraseMissingError); ok {
+		return nil, fmt.Errorf("the SSH key returned by running SOPS_AGE_SSH_PRIVATE_KEY_CMD is password protected, which is unsupported. (%q)", sshErr)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("malformed SSH identity returned by running SOPS_AGE_SSH_PRIVATE_KEY_CMD: %q", err)
+	}
+	return id, nil
+}