github.com/getsops/sops

Method decryptWithGnuPG

pgp/keysource.go:449–469

decryptWithGnuPG attempts to obtain the data key from the EncryptedKey using GnuPG and returns the result. If DisableAgent is configured on the MasterKey, the GnuPG agent is not enabled. When the decryption command fails, the returned error carries GnuPG's stderr output; a successful exit that produced no output is also treated as a failure (see the zero-bytes check in the source).

Signature: func (key *MasterKey) decryptWithGnuPG(ctx context.Context) ([]byte, error)


447  // the GnuPG agent is not enabled. When the decryption command fails, it returns
448  // the error from stderr.
449  func (key *MasterKey) decryptWithGnuPG(ctx context.Context) ([]byte, error) {
450  	args := []string{
451  		"-d",
452  	}
453  	stdout, stderr, err := gpgExec(ctx, key.gnuPGHomeDir, args, strings.NewReader(key.EncryptedKey))
454  	if err != nil {
455  		return nil, fmt.Errorf("failed to decrypt sops data key with pgp: %s",
456  			strings.TrimSpace(stderr.String()))
457  	}
458  	result := stdout.Bytes()
459  	if len(result) == 0 {
460  		// This can happen if an older GnuPG version is used to decrypt a key encrypted with a
461  		// newer GnuPG version that used an AEAD cipher, which the old version does not support.
462  		// Apparently some GnuPG versions drop the unsupported packets, which results in decrypted
463  		// data of 0 bytes, and returns nothing with exit code 0.
464  		//
465  		// (See https://github.com/getsops/sops/issues/896#issuecomment-2688079300 for more info.)
466  		return nil, fmt.Errorf("failed to decrypt sops data key with pgp: zero bytes returned")
467  	}
468  	return result, nil
469  }
470
471  // NeedsRotation returns whether the data key needs to be rotated
472  // or not.
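The interesting part of this function is the second check: GnuPG can exit 0 and still hand back nothing, which a naive wrapper would pass on as an empty data key. The following is an added example, not sops code, that isolates that decision logic behind an injectable runner so all three outcomes (non-zero exit, silent zero-byte output, success) can be exercised without a keyring. The realGnuPG wiring (gpg with --batch, --no-tty, --homedir and -d) and the fakeRunner helper are this example's own assumptions; sops' gpgExec is not reproduced here.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"io"
	"os/exec"
	"strings"
)

// runner abstracts one GnuPG invocation: it feeds stdin to gpg and returns
// captured stdout, stderr and the process error. Production code uses
// realGnuPG; the cases below use fakeRunner so the example runs offline.
type runner func(ctx context.Context, stdin io.Reader) (stdout, stderr []byte, err error)

// realGnuPG is a hypothetical wiring (not sops' gpgExec) that runs
// `gpg [--homedir DIR] --batch --no-tty -d` with the ciphertext on stdin.
func realGnuPG(homeDir string) runner {
	return func(ctx context.Context, stdin io.Reader) ([]byte, []byte, error) {
		args := []string{"--batch", "--no-tty", "-d"}
		if homeDir != "" {
			args = append([]string{"--homedir", homeDir}, args...)
		}
		cmd := exec.CommandContext(ctx, "gpg", args...)
		cmd.Stdin = stdin
		var out, errb bytes.Buffer
		cmd.Stdout = &out
		cmd.Stderr = &errb
		err := cmd.Run()
		return out.Bytes(), errb.Bytes(), err
	}
}

// errZeroBytes is returned when gpg exits 0 but writes nothing, the symptom
// of an old GnuPG silently dropping an AEAD packet it does not understand.
var errZeroBytes = errors.New("failed to decrypt sops data key with pgp: zero bytes returned")

// decryptDataKey mirrors the control flow of decryptWithGnuPG: a non-zero
// exit surfaces trimmed stderr, and an empty stdout on a clean exit is an
// error rather than an empty key.
func decryptDataKey(ctx context.Context, run runner, encryptedKey string) ([]byte, error) {
	stdout, stderr, err := run(ctx, strings.NewReader(encryptedKey))
	if err != nil {
		return nil, fmt.Errorf("failed to decrypt sops data key with pgp: %s",
			strings.TrimSpace(string(stderr)))
	}
	if len(stdout) == 0 {
		return nil, errZeroBytes
	}
	return stdout, nil
}

// fakeRunner returns a runner with canned output (constructed for this example).
func fakeRunner(stdout, stderr string, err error) runner {
	return func(context.Context, io.Reader) ([]byte, []byte, error) {
		return []byte(stdout), []byte(stderr), err
	}
}

func main() {
	ctx := context.Background()
	cases := []struct {
		name string
		run  runner
	}{
		{"success", fakeRunner("constructed-32-byte-data-key-value", "", nil)},
		{"non-zero exit", fakeRunner("", "gpg: decryption failed: No secret key\n", errors.New("exit status 2"))},
		{"aead packet dropped", fakeRunner("", "", nil)}, // exit 0, no output
	}
	for _, c := range cases {
		key, err := decryptDataKey(ctx, c.run, "-----BEGIN PGP MESSAGE----- (constructed)")
		fmt.Printf("%-20s key=%q err=%v\n", c.name, key, err)
	}
}
```

Swap `realGnuPG(homeDir)` for the fake to run against a real keyring; the same ctx cancels the child process through exec.CommandContext, which is what makes the context parameter on decryptWithGnuPG meaningful.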

Callers (2): DecryptContext (method, 0.95)

Calls (2): gpgExec (function, 0.85), String (method, 0.45)

Tested by: 1