Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

encrypt-file cannot be used for multiple files #239

Closed
BanzaiMan opened this issue Oct 20, 2014 · 9 comments
Closed

encrypt-file cannot be used for multiple files #239

BanzaiMan opened this issue Oct 20, 2014 · 9 comments
Labels
bug cli

Comments

@BanzaiMan
Copy link
Contributor

It seems impossible to use encrypt-file on multiple files.

One can run the command multiple times on different files, but the later invocation overwrites the secure environment variables, invalidating the earlier encryptions.

I suspect -K and -iv flags are meant to overcome this, but it fails as follows:

$ travis encrypt-file --skip-version-check -K 7b758bbf041361268b192d816d60ec84907106015402f31fdc5ae165fdce0979 -iv 7aaf728695ac967003d5345d9be63924 foo1                                                        
travis: version unknown
@rkh
Copy link
Contributor

rkh commented Oct 28, 2014

I don't know where the "version unknown" is coming from. -K and -iv should not be used in the normal workflow, even for multiple files.

Each file should have its own set of variables (that's why there's a hash in the var name). Do you have an example for this failing?

@mfornasa
Copy link

+1

1 similar comment
@chris-redekop
Copy link

+1

@rayshan
Copy link

rayshan commented Nov 17, 2014

+1

Here's an example of encrypting multiple files failing:
https://travis-ci.org/rayshan/ga-extractor/builds/41199310

Note that I ran encrypt-file multiple times, every time seem to generate a new key / iv pair seen from the -p flag. On Travis CI only 1 pair of key / iv is saved.

@grahamc
Copy link

grahamc commented Nov 25, 2014

+1

1 similar comment
@pirog
Copy link

pirog commented Dec 3, 2014

+1

@travis-ci travis-ci locked and limited conversation to collaborators Dec 4, 2014
@BanzaiMan
Copy link
Contributor Author

BanzaiMan commented Jan 8, 2015
edited
Loading

I don't think we can pull the decrypted key and iv values once they are uploaded.

Workaround

Create an archive of sensitive files, and encrypt this archive. In your before_install section, you'd decrypt it, and expand the archive.

$ tar cvf secrets.tar foo bar
$ travis encrypt-file secrets.tar
$ vi .travis.yml
$ git add secrets.tar.enc .travis.yml
$ git commit -m 'use secret archive'
$ git push
before_install:
  - openssl aes-256-cbc -K $encrypted_5880cf525281_key -iv $encrypted_5880cf525281_iv -in secrets.tar.enc -out secrets.tar -d
  - tar xvf secrets.tar

The management might be a little cumbersome still.

@BanzaiMan
Copy link
Contributor Author

I've added the above workarounds to http://docs.travis-ci.com/user/encrypting-files/#Encrypting-multiple-files.

@svenfuchs
Copy link
Contributor

For reference, this should be fixed in #678

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug cli
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@svenfuchs @BanzaiMan @rkh @grahamc @mfornasa @pirog @rayshan @chris-redekop