Set GPG encrypt. conform. to RFC4880 Fixes #896 #924

Open
wants to merge 1 commit into
base: main

cameronkerrnz

Resolves an issue where a file encrypted with GnuPG 2.3 (which defaults to enabling RFC4880bis) can't be decrypted in earlier versions (e.g. GnuPG 2.2 as used in Debian Buster).

I have tested encryption on GnuPG 2.3.1 on Windows, and subsequent decryption on GnuPG 2.2.12 on Debian Buster.

(This is a recreation of #910 rebased onto the develop branch.)

@bhiravabhatla

Any update on when this fix would be released? This is currently blocking us from using sops.

@cameronkerrnz
Author

I'm not a SOPS maintainer, so cannot comment on when this will be merged.

Since I'm a first-time contributor, or seem to "need a maintainer to approve running workflows"

@cameronkerrnz
Author

@ajvb @felixfontein Are you able to assist with kicking off the CI/CD workflow? "First-time contributors need a maintainer to approve running workflows."

Cheers,
Cameron

@felixfontein
Contributor

@cameronkerrnz I'm not a maintainer either, I cannot trigger a run as well... but @autrilla should be able to (next to @ajvb) :)

@bhiravabhatla

@autrilla Could you please help.

@autrilla
Contributor

I approved the run. Before merging, I'd like a better explanation of why this is needed and what the impact is.

Further, I think we should look for some other maintainers for sops, since I clearly do not have the time the project needs. I'll start a discussion for this.

@cameronkerrnz
Author

Analysis for why this is needed is in #896. Please let me know if there is anything insufficient there.

The impact is most likely to be felt by people who have their keychains transported to different environments (e.g. workstation upgrade, use of Docker in development (particularly Visual Studio Code's Remote Containers, which forwards GPG material by default), multi-platform users).

The previous (v2.2) behaviour was to use RFC4880, but v2.3 (at least in GnuPG distributed in Debian Buster, and container images based on that) is to default to RFC4880bis, which results in an incompatibility (something encrypted with RFC4880bis cannot be decrypted with RFC4880).

I'm not personally using this version of GPG now (I decided to put this all into a container instead so my developers use a consistent version of GPG), but others have signalled that it is a blocking concern for them.

Thanks,
Cameron

@onedr0p
Contributor

onedr0p commented Sep 29, 2021

/LGTM

@kmindi

kmindi commented Jan 25, 2022

@autrilla Is there anything blocking this? We ran across this issue more often as 2.3 is installed more and more per default....

@onedr0p
Contributor

onedr0p commented Jan 25, 2022

@kmindi see #927
