Skip to content

Reject STELLAR_SECRET_KEY when --secure-store is requested. #2504

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
fnando merged 3 commits into from
Apr 21, 2026
+43 −3
Merged

Reject STELLAR_SECRET_KEY when --secure-store is requested. #2504

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
7bb3e1d
Reject STELLAR_SECRET_KEY when --secure-store is requested.
fnando Apr 20, 2026
20bd2d9
Apply pr feedback.
fnando Apr 20, 2026
ff19c87
Merge branch 'main' into reject-env-var-when-adding-key-with-secure-s…
fnando Apr 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 28 additions & 0 deletions cmd/crates/soroban-test/tests/it/config.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -194,6 +194,34 @@ fn seed_phrase() {
.stdout(predicates::str::contains("test_seed\n"));
}

#[test]
fn secure_store_rejects_env_secret_key() {
let sandbox = TestEnv::default();

// --secure-store with STELLAR_SECRET_KEY set should be rejected rather than
// silently writing the raw secret to a plaintext identity file.
sandbox
.new_assert_cmd("keys")
.env(
"STELLAR_SECRET_KEY",
"SDIY6AQQ75WMD4W46EYB7O6UYMHOCGQHLAQGQTKHDX4J2DYQCHVCQYFD",
)
.arg("add")
.arg("alice")
.arg("--secure-store")
.assert()
.failure()
.stderr(predicate::str::contains(
"--secure-store only supports seed phrases",
));

// The identity file must not exist — no plaintext fallback.
assert!(
!sandbox.config_dir().join("identity/alice.toml").exists(),
"identity file should not be created when --secure-store is rejected"
);
}

#[test]
fn use_env() {
let sandbox = TestEnv::default();
Expand Down
18 changes: 15 additions & 3 deletions cmd/soroban-cli/src/commands/keys/add.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,12 @@ pub enum Error {

#[error("An identity with the name '{0}' already exists")]
IdentityAlreadyExists(String),

#[error(
"--secure-store only supports seed phrases; \
unset STELLAR_SECRET_KEY or provide a seed phrase instead"
)]
SecureStoreRequiresSeedPhrase,
Comment thread
fnando marked this conversation as resolved.
}

#[derive(Debug, clap::Parser, Clone)]
Expand Down Expand Up @@ -82,9 +88,15 @@ impl Cmd {
}

fn read_secret(&self, print: &Print) -> Result<Secret, Error> {
if let Ok(secret_key) = std::env::var("STELLAR_SECRET_KEY") {
Ok(Secret::SecretKey { secret_key })
} else if self.secrets.secure_store {
if self.secrets.secure_store {
if std::env::var("STELLAR_SECRET_KEY").is_ok() {
return Err(Error::SecureStoreRequiresSeedPhrase);
}
} else if let Ok(secret_key) = std::env::var("STELLAR_SECRET_KEY") {
return Ok(Secret::SecretKey { secret_key });
}

if self.secrets.secure_store {
let prompt = "Type a 12/24 word seed phrase:";
let secret_key = read_password(print, prompt)?;
if secret_key.split_whitespace().count() < 24 {
Expand Down
Loading