Changelog ========= 3.9.1 ----- Improvements: * Dependency updates (#1550, #1554, #1558, #1562, #1565, #1568, #1575, #1581, #1589, #1593, #1602, #1603, #1618, #1629, #1635, #1639, #1640). * Clarify naming of the configuration file in the documentation (#1569). * Build with Go 1.22 (#1589). * Specify filename of missing file in error messages (#1625). * ``updatekeys`` subcommand: show changes in ``shamir_threshold`` (#1609). Bugfixes: * Fix the URL used for determining the latest SOPS version (#1553). * ``updatekeys`` subcommand: actually use option ``--shamir-secret-sharing-threshold`` (#1608). * Fix ``--config`` being ignored in subcommands by ``loadConfig`` (#1613). * Allow ``edit`` subcommand to create files (#1596). * Do not encrypt if a key group is empty, or there are no key groups (#1600). * Do not ignore config errors when trying to parse a config file (#1614). Project changes: * CI dependency updates (#1551, #1555, #1559, #1564, #1566, #1574, #1584, #1586, #1590, #1592, #1619, #1628, #1634). * Improve CI workflows (#1548, #1630). * Ignore user-set environment variable ``SOPS_AGE_KEY_FILE`` in tests (#1595). * Add example of using Age recipients in ``.sops.yaml`` (#1607). * Add linting check for Rust code formatting (#1604). * Set Rust version globally via ``rust-toolchain.toml`` for functional tests (#1612). * Improve test coverage (#1617). * Improve tests (#1622, #1624). * Simplify branch rules to check DCO and ``check`` task instead of an explicit list of tasks in the CLI workflow (#1621). * Build with Go 1.22 and 1.23 in CI and update Vault to 1.14 (#1531). * Build release with Go 1.22 (#1615). * Fix Dependabot config for Docker; add Dependabot config for Rust (#1632). * Lock Rust package versions for functional tests for improved reproducibility (#1637). * Rust dependency updates (#1638). 3.9.0 ----- Features: * Add ``--mac-only-encrypted`` to compute MAC only over values which end up encrypted (#973) * Allow configuration of indentation for YAML and JSON stores (#1273, #1372) * Introduce a ``--pristine`` flag to ``sops exec-env`` (#912) * Allow to pass multiple paths to ``sops updatekeys`` (#1274) * Allow to override ``fileName`` with different value (#1332) * Sort masterkeys according to ``--decryption-order`` (#1345) * Add separate subcommands for encryption, decryption, rotating, editing, and setting values (#1391) * Add ``filestatus`` command (#545) * Add command ``unset`` (#1475) * Merge key for key groups and make keys unique (#1493) * Support using comments to select parts to encrypt (#974, #1392) Deprecations: * Deprecate the ``--background`` option to ``exec-env`` and ``exec-file`` (#1379) Improvements: * Warn/fail if the wrong number of arguments is provided (#1342) * Warn if more than one command is used (#1388) * Dependency updates (#1327, #1328, #1330, #1336, #1334, #1344, #1348, #1354, #1357, #1360, #1373, #1381, #1383, #1385, #1408, #1428, #1429, #1427, #1439, #1454, #1460, #1466, #1489, #1519, #1525, #1528, #1540, #1543, #1545) * Build with Go 1.21 (#1427) * Improve README.rst (#1339, #1399, #1350) * Fix typos (#1337, #1477, #1484) * Polish the ``sops help`` output a bit (#1341, #1544) * Improve and fix tests (#1346, #1349, #1370, #1390, #1396, #1492) * Create a constant for the ``sops`` metadata key (#1398) * Refactoring: move extraction of encryption and rotation options to separate functions (#1389) Bug fixes: * Respect ``aws_profile`` from keygroup config (#1049) * Fix a bug where not having a config results in a panic (#1371) * Consolidate Flatten/Unflatten pre/post processing (#1356) * INI and DotEnv stores: ``shamir_threshold`` is an integer (#1394) * Make check whether file contains invalid keys for encryption dependent on output store (#1393) * Do not panic if ``updatekeys`` is used with a config that has no creation rules defined (#1506) * ``exec-file``: if ``--filename`` is used, use the provided filename without random suffix (#1474) * Do not use DotEnv store for ``exec-env``, but specialized environment serializing code (#1436) * Decryption: do not fail if no matching ``creation_rule`` is present in config file (#1434) Project changes: * CI dependency updates (#1347, #1359, #1376, #1382, #1386, #1425, #1432, #1498, #1503, #1508, #1510, #1516, #1521, #1492, #1534) * Adjust Makefile to new goreleaser 6.0.0 release (#1526) 3.8.1 ----- Improvements: * Improve handling of errors when binary store handles bad data (#1289) * On macOS, prefer ``XDG_CONFIG_HOME`` over os.UserConfigDir() (#1291) * Dependency updates (#1306, #1319, #1325) * pgp: better error reporting for missing GPG binary during import of keys (#1286) * Fix descriptions of unencrypted-regex and encrypted-regex flags, and ensure unencrypted_regex is considered in config validation (#1300) * stores/json: improve error messages when parsing invalid JSON (#1307) Bug fixes: * pgp: improve handling of GnuPG home dir (#1298) * Do not crash if an empty YAML file is encrypted (#1290) * Handling of various ignored errors (#1304, #1311) * pgp: do not require abs path for ``SOPS_GPG_EXEC`` (#1309) * Report key rotation errors (#1317) * Ensure wrapping of errors in main package (#1318) Project changes: * Enrich AWS authentication documentation (#1272) * Add linting for RST and MD files (#1287) * Delete SOPS encrypted file we don't have keys for (#1288) * CI dependency updates (#1295, #1301) * pgp: make error the last return value (#1310) * Improve documentation files (#1320) 3.8.0 ----- Features: * Support ``--version`` without network requests using ``--disable-version-check`` (#1115) * Support ``--input-type`` for updatekeys command (#1116) Improvements: * pgp: modernize and improve, and add tests (#1054, #1282) * azkv: update SDK to latest, add tests, tidy (#1067, #1092, #1256) * age: improve identity loading, add tests, tidy (#1064) * kms: AWS SDK V2, allow creds config, add tests (#1065, #1257) * gcpkms: update SDK to latest, add tests, tidy (#1072, #1255) * hcvault: update API, add tests, tidy (#1085) * Do not report version when upstream ``--version`` check fails (#1124) * Use GitHub endpoints in ``--version`` command (#1261) * Close temporary file before invoking editor to widen support on Windows (#1265) * Update dependencies (#1063, #1091, #1147, #1242, #1260, #1264, #1275, #1280, #1283) * Deal with various deprecations of dependencies (#1113, #1262) Bug fixes: * Ensure YAML comments are not displaced (#1069) * Ensure default Google credentials can be used again after introduction of ``GOOGLE_CREDENTIALS`` (#1249) * Avoid duplicate logging of errors in some key sources (#1146, #1281) * Using ``--set`` on a root level key does no longer truncate existing values (#899) * Ensure stable order of SOPS parameters in dotenv file (#1101) Project changes: * Update Go to 1.20 (#1148) * Update rustc functional tests to v1.70.0 (#1234) * Remove remaining CircleCI workflow (#1237) * Run CLI workflow on main (#1243) * Delete obsolete ``validation/`` artifact (#1248) * Rename Go module to ``github.com/getsops/sops/v3`` (#1247) * Revamp release automation, including (Cosign) signed container images and checksums file, SLSA3 provenance and SBOMs (#1250) * Update various bits of documentation (#1244) * Add missing ``--encrypt`` flag from Vault example (#1060) * Add documentation on how to use age in ``.sops.yaml`` (#1192) * Improve Make targets and address various issues (#1258) * Ensure clean working tree in CI (#1267) * Fix CHANGELOG.rst formatting (#1269) * Pin GitHub Actions to full length commit SHA and add CodeQL (#1276) * Enable Dependabot for Docker, GitHub Actions and Go Mod (#1277) * Generate versioned ``.intoto.jsonl`` (#1278) * Update CI dependencies (#1279) 3.7.3 ----- Changes: * Upgrade dependencies (#1024, #1045) * Build alpine container in CI (#1018, #1032, #1025) * keyservice: accept KeyServiceServer in LocalClient (#1035) * Add support for GCP Service Account within ``GOOGLE_CREDENTIALS`` (#953) Bug fixes: * Upload the correct binary for the linux amd64 build (#1026) * Fix bug when specifying multiple age recipients (#966) * Allow for empty yaml maps (#908) * Limit AWS role names to 64 characters (#1037) 3.7.2 ----- Changes: * README updates (#861, #860) * Various test fixes (#909, #906, #1008) * Added Linux and Darwin arm64 releases (#911, #891) * Upgrade to go v1.17 (#1012) * Support SOPS_AGE_KEY environment variable (#1006) Bug fixes: * Make sure comments in yaml files are not duplicated (#866) * Make sure configuration file paths work correctly relative to the config file in us (#853) 3.7.1 ----- Changes: * Security fix * Add release workflow (#843) * Fix issue where CI wouldn't run against master (#848) * Trim extra whitespace around age keys (#846) 3.7.0 ----- Features: * Add support for age (#688) * Add filename to exec-file (#761) Changes: * On failed decryption with GPG, return the error returned by GPG to the sops user (#762) * Use yaml.v3 instead of modified yaml.v2 for handling YAML files (#791) * Update aws-sdk-go to version v1.37.18 (#823) Project Changes: * Switch from TravisCI to Github Actions (#792) 3.6.1 ----- Features: * Add support for --unencrypted-regex (#715) Changes: * Use keys.openpgp.org instead of gpg.mozilla.org (#732) * Upgrade AWS SDK version (#714) * Support --input-type for exec-file (#699) Bug fixes: * Fixes broken Vault tests (#731) * Revert "Add standard newline/quoting behavior to dotenv store" (#706) 3.6.0 ----- Features: * Support for encrypting data through the use of Hashicorp Vault (#655) * ``sops publish`` now supports ``--recursive`` flag for publishing all files in a directory (#602) * ``sops publish`` now supports ``--omit-extensions`` flag for omitting the extension in the destination path (#602) * sops now supports JSON arrays of arrays (#642) Improvements: * Updates and standardization for the dotenv store (#612, #622) * Close temp files after using them for edit command (#685) Bug fixes: * AWS SDK usage now correctly resolves the ``~/.aws/config`` file (#680) * ``sops updatekeys`` now correctly matches config rules (#682) * ``sops updatekeys`` now correctly uses the config path cli flag (#672) * Partially empty sops config files don't break the use of sops anymore (#662) * Fix possible infinite loop in PGP's passphrase prompt call (#690) Project changes: * Dockerfile now based off of golang version 1.14 (#649) * Push alpine version of docker image to Dockerhub (#609) * Push major, major.minor, and major.minor.patch tagged docker images to Dockerhub (#607) * Removed out of date contact information (#668) * Update authors in the cli help text (#645) 3.5.0 ----- Features: * ``sops exec-env`` and ``sops exec-file``, two new commands for utilizing sops secrets within a temporary file or env vars Bug fixes: * Sanitize AWS STS session name, as sops creates it based off of the machines hostname * Fix for ``decrypt.Data`` to support ``.ini`` files * Various package fixes related to switching to Go Modules * Fixes for Vault-related tests running locally and in CI. Project changes: * Change to proper use of go modules, changing to primary module name to ``go.mozilla.org/sops/v3`` * Change tags to requiring a ``v`` prefix. * Add documentation for ``sops updatekeys`` command 3.4.0 ----- Features: * ``sops publish``, a new command for publishing sops encrypted secrets to S3, GCS, or Hashicorp Vault * Support for multiple Azure authentication mechanisms * Azure Keyvault support to the sops config file * ``encrypted_regex`` option to the sops config file Bug fixes: * Return non-zero exit code for invalid CLI flags * Broken path handling for sops editing on Windows * ``go lint/fmt`` violations * Check for pgp fingerprint before slicing it Project changes: * Build container using golang 1.12 * Switch to using go modules * Hashicorp Vault server in Travis CI build * Mozilla Publice License file to repo * Replaced expiring test gpg keys 3.3.1 ----- Bug fixes: * Make sure the pgp key fingerprint is longer than 16 characters before slicing it. (#463) * Allow for ``--set`` value to be a string. (#461) Project changes: * Using ``develop`` as a staging branch to create releases off of. What is in ``master`` is now the current stable release. * Upgrade to using Go 1.12 to build sops * Updated all vendored packages 3.3.0 ----- New features: * Multi-document support for YAML files * Support referencing AWS KMS keys by their alias * Support for INI files * Support for AWS CLI profiles * Comment support in .env files * Added vi to the list of known editors * Added a way to specify the GPG key server to use through the SOPS_GPG_KEYSERVER environment variable Bug fixes: * Now uses $HOME instead of ~ (which didn't work) to find the GPG home * Fix panic when vim was not available as an editor, but other alternative editors were * Fix issue with AWS KMS Encryption Contexts (#445) with more than one context value failing to decrypt intermittently. Includes an automatic fix for old files affected by this issue. Project infrastructure changes: * Added integration tests for AWS KMS * Added Code of Conduct 3.2.0 ----- * Added --output flag to write output a file directly instead of through stdout * Added support for dotenv files 3.1.1 ----- * Fix incorrect version number from previous release 3.1.0 ----- * Add support for Azure Key Service * Fix bug that prevented JSON escapes in input files from working 3.0.5 ----- * Prevent files from being encrypted twice * Fix empty comments not being decrypted correctly * If keyservicecmd returns an error, log it. * Initial sops workspace auditing support (still wip) * Refactor Store interface to reflect operations SOPS performs 3.0.3 ----- * --set now works with nested data structures and not just simple values * Changed default log level to warn instead of info * Avoid creating empty files when using the editor mode to create new files and not making any changes to the example files * Output unformatted strings when using --extract instead of encoding them to yaml * Allow forcing binary input and output types from command line flags * Deprecate filename_regex in favor of path_regex. filename_regex had a bug and matched on the whole file path, when it should have only matched on the file name. path_regex on the other hand is documented to match on the whole file path. * Add an encrypted-suffix option, the exact opposite of unencrypted-suffix * Allow specifying unencrypted_suffix and encrypted_suffix rules in the .sops.yaml configuration file * Introduce key service flag optionally prompting users on encryption/decryption 3.0.1 ----- * Don't consider io.EOF returned by Decoder.Token as error * add IsBinary: true to FileHints when encoding with crypto/openpgp * some improvements to error messages 3.0.0 ----- * Shamir secret sharing scheme support allows SOPS to require multiple master keys to access a data key and decrypt a file. See ``sops groups -help`` and the documentation in README. * Keyservice to forward access to a local master key on a socket, similar to gpg-agent. See ``sops keyservice --help`` and the documentation in README. * Encrypt comments by default * Support for Google Compute Platform KMS * Refactor of the store logic to separate the internal representation SOPS has of files from the external representation used in JSON and YAML files * Reencoding of versions as string on sops 1.X files. **WARNING** this change breaks backward compatibility. SOPS shows an error message with instructions on how to solve this if it happens. * Added command to reconfigure the keys used to encrypt/decrypt a file based on the .sops.yaml config file * Retrieve missing PGP keys from gpg.mozilla.org * Improved error messages for errors when decrypting files 2.0.0 ----- * [major] rewrite in Go 1.14 ---- * [medium] Support AWS KMS Encryption Contexts * [minor] Support insertion in encrypted documents via --set * [minor] Read location of gpg binary from SOPS_GPG_EXEC env variables 1.13 ---- * [minor] handle $EDITOR variable with parameters 1.12 ---- * [minor] make sure filename_regex gets applied to file names, not paths * [minor] move check of latest version under the -V flag * [medium] fix handling of binary data to preserve file integrity * [minor] try to use configuration when encrypting existing files