Comments (4)
I think there is another bug because, If I use the playground with my newly generated key (generated the same way as you did in the .ci/README.md
) without the jean-luc.pircard
key, I have the same error 😓
Λ\: kevin | kustomize-with-kubesec $ docker run -it --rm -v (pwd):/projects --workdir /projects shyiko/kubesec-playground:0.9.2 /bin/bash
root@4dcb97265bf2:/projects# printf "Key-Type: default\nSubkey-Type: default\nExpire-Date: 0\nName-Real: gitlab-ci
> Name-Email: [email protected]\n%%no-protection\n" > /tmp/key2.template
root@4dcb97265bf2:/projects# gpg2 --batch --gen-key /tmp/key2.template
gpg: key F208D8B8 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/7F566E2BD3D417F1E1C7C176D5A1A9E1F208D8B8.rev'
root@4dcb97265bf2:/projects# gpg2 --delete-secret-key 3E71C268
gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec rsa2048/3E71C268 2017-08-08 Jean-Luc Picard <[email protected]>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
root@4dcb97265bf2:/projects# kubesec encrypt secret.yml --debug
Executing sh -c "/usr/bin/gpg2 --list-secret-keys --with-colons --fingerprint --fingerprint"
Unable to decrypt Data Encryption Key (DEK)
root@4dcb97265bf2:/projects# gpg2 --list-secret-key --keyid-format LONG
/root/.gnupg/pubring.kbx
------------------------
sec rsa2048/D5A1A9E1F208D8B8 2019-08-13 [SC]
uid [ultimate] gitlab-ci <[email protected]>
ssb rsa2048/7882018A31701F33 2019-08-13 [E]
root@4dcb97265bf2:/projects# kubesec encrypt --key=pgp:D5A1A9E1F208D8B8 secret.yml --debug
Executing sh -c "/usr/bin/gpg2 --list-secret-keys --with-colons --fingerprint --fingerprint"
Unable to decrypt Data Encryption Key (DEK)
from kubesec.
Hi David.
Take a look at the log below.
$ docker run -it --rm ubuntu:18.10
root@fb56372e1b2a:/# apt update && apt -y install gpg curl
root@fb56372e1b2a:/# gpg --full-generate-key
gpg (GnuPG) 2.2.8; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: kubesec-issue-28
Email address: [email protected]
Comment:
You selected this USER-ID:
"kubesec-issue-28 <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
<clipped>
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key B003C18C5D67A716 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/FE4070551FF477E573F2CA5FB003C18C5D67A716.rev'
public and secret key created and signed.
pub rsa4096 2019-08-16 [SC]
FE4070551FF477E573F2CA5FB003C18C5D67A716
uid kubesec-issue-28 <[email protected]>
sub rsa4096 2019-08-16 [E]
root@fb56372e1b2a:/# gpg --list-secret-keys --keyid-format LONG
/root/.gnupg/pubring.kbx
------------------------
sec rsa4096/B003C18C5D67A716 2019-08-16 [SC]
FE4070551FF477E573F2CA5FB003C18C5D67A716
uid [ultimate] kubesec-issue-28 <[email protected]>
ssb rsa4096/A5A6ADE118B10FAA 2019-08-16 [E]
root@fb56372e1b2a:/# curl -sSL https://github.com/shyiko/kubesec/releases/download/0.9.2/kubesec-0.9.2-linux-amd64 -o /usr/local/bin/kubesec
root@fb56372e1b2a:/# chmod a+x /usr/local/bin/kubesec
root@fb56372e1b2a:/# echo '{"apiVersion":"v1","kind":"Secret","metadata":{"name":"myapp-stable-0"},"type":"Opaque","data":{"KEY":"dmFsdWUK","ANOTHER_KEY":"YW5vdGhlcl92YWx1ZQo="}}' | kubesec encrypt - -o secret.yml --debug
Executing sh -c "/usr/bin/gpg --list-secret-keys --with-colons --fingerprint --fingerprint"
Executing sh -c "/usr/bin/gpg --sign -a -e -r FE4070551FF477E573F2CA5FB003C18C5D67A716 --trusted-key B003C18C5D67A716 -o /tmp/760266332E /tmp/760266332"
gpg: signing failed: Inappropriate ioctl for device
gpg: /tmp/760266332: sign+encrypt failed: Inappropriate ioctl for device
Failed to encrypt/sign DEK with PGP key FE4070551FF477E573F2CA5FB003C18C5D67A716
root@fb56372e1b2a:/# export GPG_TTY=$(tty)
root@fb56372e1b2a:/# echo '{"apiVersion":"v1","kind":"Secret","metadata":{"name":"myapp-stable-0"},"type":"Opaque","data":{"KEY":"dmFsdWUK","ANOTHER_KEY":"YW5vdGhlcl92YWx1ZQo="}}' | kubesec encrypt - -o secret.yml
root@fb56372e1b2a:/# cat secret.yml
apiVersion: v1
data:
ANOTHER_KEY: gyjUbMLrcUBGUqvwnRKTQcYo0JwEPrE3rzqJlfXyTvI2TlSJ+ZzqlzR2v1aB88eh.Yz9yDZoe/NZawl9s.Fo5Efl2maxtba2LBBVVwAg==
KEY: Plikgx09DknmlkIFISWcusBSyU5LBxsWwPlkWPmJ4yxIygIYGcxK7o+Gxg7cio0L.NLC9RertRKSFnDl8./I31TIwOPjP9UQYhIxbeCA==
kind: Secret
metadata:
name: myapp-stable-0
type: Opaque
# kubesec:v:3
# kubesec:pgp:FE4070551FF477E573F2CA5FB003C18C5D67A716:<slipped>
# kubesec:mac:qO34wCMMSubs3fz3.ZNI2Qyqaj+lVlEXtxFDj8g==
root@fb56372e1b2a:/# kubesec decrypt secret.yml
apiVersion: v1
data:
ANOTHER_KEY: YW5vdGhlcl92YWx1ZQo=
KEY: dmFsdWUK
kind: Secret
metadata:
name: myapp-stable-0
type: Opaque
Please let me know if this does not help.
from kubesec.
This is working... I don't know how, but the secret I used to test had :
# kubesec:v:3
# kubesec:pgp:0392146FDB7AB24E285E079E60560233D8E2B84D:L...
# kubesec:mac:ErFiezwoSTjCwH6X.H5OhwJXCyhbXNqWP/azEog==
And this generates the previously shown error 😓. Thanks for your help...
from kubesec.
@davinkevin No worries!
from kubesec.
Related Issues (20)
- Support homebrew installation HOT 5
- kubesec.io HOT 1
- Make it clear what to do if encryption/decryption fails HOT 1
- kubesec edit -if fails HOT 1
- ksec --version doesnt work
- kubesec doesn't show any errors when there is no default 'gcloud auth application-default login' HOT 3
- Primary PGP key wasn't found HOT 2
- Decryption with multiple PGP keys fails HOT 3
- Support working without application-default login
- secret was encrypted with newer version error HOT 6
- Support for IBM Cloud Key Protect
- Support for GCP Service Account HOT 1
- Flag to avoid using gpg agent HOT 1
- Integration with kustomize HOT 4
- being able to use kubesec with "non secret" files in YAML stream file
- `gpg` wasn't found (make sure it's available on the PATH) HOT 1
- Space(s) just before LF makes encrypted data mess HOT 1
- kubesec ecrypt --key=... does not remove other keys
- do not support new mac OS version on 12.0.1(21A559) HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kubesec.