Git Product home page Git Product logo

Comments (4)

davinkevin avatar davinkevin commented on July 24, 2024

I think there is another bug because, If I use the playground with my newly generated key (generated the same way as you did in the .ci/README.md) without the jean-luc.pircard key, I have the same error 😓

Λ\: kevin | kustomize-with-kubesec $ docker run -it --rm -v (pwd):/projects  --workdir /projects shyiko/kubesec-playground:0.9.2 /bin/bash
root@4dcb97265bf2:/projects# printf "Key-Type: default\nSubkey-Type: default\nExpire-Date: 0\nName-Real: gitlab-ci
> Name-Email: [email protected]\n%%no-protection\n" > /tmp/key2.template

root@4dcb97265bf2:/projects# gpg2 --batch --gen-key /tmp/key2.template
gpg: key F208D8B8 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/7F566E2BD3D417F1E1C7C176D5A1A9E1F208D8B8.rev'

root@4dcb97265bf2:/projects# gpg2 --delete-secret-key 3E71C268
gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec  rsa2048/3E71C268 2017-08-08 Jean-Luc Picard <[email protected]>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

root@4dcb97265bf2:/projects# kubesec encrypt secret.yml --debug
Executing sh -c "/usr/bin/gpg2 --list-secret-keys --with-colons --fingerprint --fingerprint"
Unable to decrypt Data Encryption Key (DEK)

root@4dcb97265bf2:/projects# gpg2 --list-secret-key --keyid-format LONG
/root/.gnupg/pubring.kbx
------------------------
sec   rsa2048/D5A1A9E1F208D8B8 2019-08-13 [SC]
uid                 [ultimate] gitlab-ci <[email protected]>
ssb   rsa2048/7882018A31701F33 2019-08-13 [E]

root@4dcb97265bf2:/projects# kubesec encrypt --key=pgp:D5A1A9E1F208D8B8 secret.yml --debug
Executing sh -c "/usr/bin/gpg2 --list-secret-keys --with-colons --fingerprint --fingerprint"
Unable to decrypt Data Encryption Key (DEK)

from kubesec.

shyiko avatar shyiko commented on July 24, 2024

Hi David.
Take a look at the log below.

$ docker run -it --rm ubuntu:18.10
root@fb56372e1b2a:/# apt update && apt -y install gpg curl

root@fb56372e1b2a:/# gpg --full-generate-key
gpg (GnuPG) 2.2.8; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: kubesec-issue-28
Email address: [email protected]
Comment: 
You selected this USER-ID:
    "kubesec-issue-28 <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
<clipped>
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key B003C18C5D67A716 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/FE4070551FF477E573F2CA5FB003C18C5D67A716.rev'
public and secret key created and signed.

pub   rsa4096 2019-08-16 [SC]
      FE4070551FF477E573F2CA5FB003C18C5D67A716
uid                      kubesec-issue-28 <[email protected]>
sub   rsa4096 2019-08-16 [E]

root@fb56372e1b2a:/# gpg --list-secret-keys --keyid-format LONG
/root/.gnupg/pubring.kbx
------------------------
sec   rsa4096/B003C18C5D67A716 2019-08-16 [SC]
      FE4070551FF477E573F2CA5FB003C18C5D67A716
uid                 [ultimate] kubesec-issue-28 <[email protected]>
ssb   rsa4096/A5A6ADE118B10FAA 2019-08-16 [E]

root@fb56372e1b2a:/# curl -sSL https://github.com/shyiko/kubesec/releases/download/0.9.2/kubesec-0.9.2-linux-amd64 -o /usr/local/bin/kubesec
root@fb56372e1b2a:/# chmod a+x /usr/local/bin/kubesec

root@fb56372e1b2a:/# echo '{"apiVersion":"v1","kind":"Secret","metadata":{"name":"myapp-stable-0"},"type":"Opaque","data":{"KEY":"dmFsdWUK","ANOTHER_KEY":"YW5vdGhlcl92YWx1ZQo="}}' | kubesec encrypt - -o secret.yml --debug
Executing sh -c "/usr/bin/gpg --list-secret-keys --with-colons --fingerprint --fingerprint" 
Executing sh -c "/usr/bin/gpg --sign -a -e -r FE4070551FF477E573F2CA5FB003C18C5D67A716 --trusted-key B003C18C5D67A716 -o /tmp/760266332E /tmp/760266332" 
gpg: signing failed: Inappropriate ioctl for device
gpg: /tmp/760266332: sign+encrypt failed: Inappropriate ioctl for device
Failed to encrypt/sign DEK with PGP key FE4070551FF477E573F2CA5FB003C18C5D67A716 

root@fb56372e1b2a:/# export GPG_TTY=$(tty)

root@fb56372e1b2a:/# echo '{"apiVersion":"v1","kind":"Secret","metadata":{"name":"myapp-stable-0"},"type":"Opaque","data":{"KEY":"dmFsdWUK","ANOTHER_KEY":"YW5vdGhlcl92YWx1ZQo="}}' | kubesec encrypt - -o secret.yml
root@fb56372e1b2a:/# cat secret.yml 
apiVersion: v1
data:
  ANOTHER_KEY: gyjUbMLrcUBGUqvwnRKTQcYo0JwEPrE3rzqJlfXyTvI2TlSJ+ZzqlzR2v1aB88eh.Yz9yDZoe/NZawl9s.Fo5Efl2maxtba2LBBVVwAg==
  KEY: Plikgx09DknmlkIFISWcusBSyU5LBxsWwPlkWPmJ4yxIygIYGcxK7o+Gxg7cio0L.NLC9RertRKSFnDl8./I31TIwOPjP9UQYhIxbeCA==
kind: Secret
metadata:
  name: myapp-stable-0
type: Opaque
# kubesec:v:3
# kubesec:pgp:FE4070551FF477E573F2CA5FB003C18C5D67A716:<slipped>
# kubesec:mac:qO34wCMMSubs3fz3.ZNI2Qyqaj+lVlEXtxFDj8g==

root@fb56372e1b2a:/# kubesec decrypt secret.yml 
apiVersion: v1
data:
  ANOTHER_KEY: YW5vdGhlcl92YWx1ZQo=
  KEY: dmFsdWUK
kind: Secret
metadata:
  name: myapp-stable-0
type: Opaque

Please let me know if this does not help.

from kubesec.

davinkevin avatar davinkevin commented on July 24, 2024

This is working... I don't know how, but the secret I used to test had :

# kubesec:v:3
# kubesec:pgp:0392146FDB7AB24E285E079E60560233D8E2B84D:L...
# kubesec:mac:ErFiezwoSTjCwH6X.H5OhwJXCyhbXNqWP/azEog==

And this generates the previously shown error 😓. Thanks for your help...

from kubesec.

shyiko avatar shyiko commented on July 24, 2024

@davinkevin No worries!

from kubesec.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.