decryptWithGnuPG attempts to obtain the data key from the EncryptedKey using GnuPG and returns the result. If DisableAgent is configured on the MasterKey, the GnuPG agent is not enabled. When the decryption command fails, it returns the error from stdout.
(ctx context.Context)
| 447 | // the GnuPG agent is not enabled. When the decryption command fails, it returns |
| 448 | // the error from stdout. |
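func (key *MasterKey) decryptWithGnuPG(ctx context.Context) ([]byte, error) {
	// "-d" asks GnuPG to decrypt what it receives on stdin; the ciphertext
	// is key.EncryptedKey and key.gnuPGHomeDir is handed to gpgExec so the
	// lookup happens in the configured keyring directory.
	args := []string{
		"-d",
	}
	stdout, stderr, err := gpgExec(ctx, key.gnuPGHomeDir, args, strings.NewReader(key.EncryptedKey))
	if err != nil {
		// GnuPG's own diagnostic on stderr is the most useful text for the
		// user, but the underlying error is kept in the chain so callers can
		// still inspect it (for example errors.Is against a context error) and
		// so a failure with empty stderr — such as the binary not being
		// runnable — does not yield an empty reason.
		reason := strings.TrimSpace(stderr.String())
		if reason == "" {
			return nil, fmt.Errorf("failed to decrypt sops data key with pgp: %w", err)
		}
		return nil, fmt.Errorf("failed to decrypt sops data key with pgp: %s: %w", reason, err)
	}
	result := stdout.Bytes()
	if len(result) == 0 {
		// An exit code of 0 with no output must still be treated as a failure.
		// This can happen if an older GnuPG version is used to decrypt a key
		// encrypted with a newer GnuPG version that used an AEAD cipher, which
		// the old version does not support. Apparently some GnuPG versions
		// drop the unsupported packets, which results in decrypted data of
		// 0 bytes and nothing returned with exit code 0; passing that through
		// would hand an empty data key to the caller.
		//
		// (See https://github.com/getsops/sops/issues/896#issuecomment-2688079300 for more information.)
		return nil, fmt.Errorf("failed to decrypt sops data key with pgp: zero bytes returned")
	}
	return result, nil
}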
| 470 | |
| 471 | // NeedsRotation returns whether the data key needs to be rotated |
| 472 | // or not. |