diff --git a/README.md b/README.md
index 8497db1..6d31db7 100644
--- a/README.md
+++ b/README.md
@@ -81,23 +81,26 @@ The following commands explain how to update the `.sops.yaml` for a repository:
 ```shell
 # List available groups
-% ${PATH_TO_THIS_REPO}/bin/update_sops.sh --list_groups
+% ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh --list_groups
 # INFO: listing groups admin automation devnso-adp-argocd
 # For a given group, update sops config
-% ${PATH_TO_THIS_REPO}/bin/update_sops.sh -g devnso-adp-argocd
+% ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh -g devnso-adp-argocd
 # RUN: generate SOPS config
 # WARN: no secrets file passed in, make sure to call 'sops updatekeys' on secrets files
 # [OPTIONAL] For a given group, update sops config AND specified secrets file
-% ${PATH_TO_THIS_REPO}/bin/update_sops.sh -g devnso-adp-argocd -s ./adp-api-devs/adp-api-devs/secrets.yaml
+% ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh -g devnso-adp-argocd -s ./adp-api-devs/adp-api-devs/secrets.yaml
 # commit the changes to any .sops.yaml or secrets files, e.g. with
 ## OPINIONATED GIT - use preferred method
 % git add -p
+# 1. review changes to the .sops.yaml
+# 2. press 'y' to accept the changes
+y
 % git commit -m "adds . to sops config"
 % git push
 ```
@@ -154,7 +157,7 @@ find groups/ -name ${keyname}
 # For each group, update sops config in that repo
 # Example:
 % cd devnso-adp-argocd
-% ${PATH_TO_THIS_REPO}/bin/update_sops.sh -g devnso-adp-argocd
+% ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh -g devnso-adp-argocd
 # now git commit, push, etc
 ```
diff --git a/bin/update_sops.sh b/bin/update_sops.sh
index 4120578..f2bf8cf 100755
--- a/bin/update_sops.sh
+++ b/bin/update_sops.sh
@@ -10,7 +10,7 @@ function fn_gpg_extract_fpr(){
 # uid ... <...@mehrwerk.net>
 # uid ... <...@netgo.de>
 # fancy gpg src: https://unix.stackexchange.com/a/731872
- fpr="$(gpg --show-keys --list-options show-only-fpr-mbox "${gpgkeyfile}" | grep '@netgo.de' | awk "{print \$1}")"
+ fpr="$(gpg --show-keys --list-options show-only-fpr-mbox "$(readlink -f "${gpgkeyfile}")" | grep '@netgo.de' | awk "{print \$1}")"
 echo "${fpr}"
 }
@@ -22,7 +22,7 @@ function fn_gpg_extract_uid(){
 # uid ... <...@mehrwerk.net>
 # uid ... <...@netgo.de>
 # fancy gpg src: https://unix.stackexchange.com/a/731872
- uid="$(gpg --show-keys --with-colons "${gpgkeyfile}" | awk -F':' '$1=="uid" {print $10}' | grep '@netgo.de')"
+ uid="$(gpg --show-keys --with-colons "$(readlink -f "${gpgkeyfile}")" | awk -F':' '$1=="uid" {print $10}' | grep '@netgo.de')"
 echo "${uid}"
 }
@@ -113,10 +113,8 @@ fn_sops_updatekeys_and_verify(){
 # "update the keys of SOPS files using the config file"
 >&2 echo "# RUN: sops updatekeys ${sops_enc_file}"
- sops updatekeys "${sops_enc_file}"
-
- # verify: dump secrets, GPG_TTY src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/
- GPG_TTY=$(tty) sops -d "${sops_enc_file}"
+ # HAAAACK: loop through all passed-in files, ignore any errors, always say "yes" -> rely on git diff to verify!
+ sops updatekeys -y "${sops_enc_file}" || echo "SKIPPING"
 }
 function main(){
diff --git a/verify/usr_confirm_keycfg.sh b/verify/usr_confirm_keycfg.sh
index 51170c6..6c8c40e 100755
--- a/verify/usr_confirm_keycfg.sh
+++ b/verify/usr_confirm_keycfg.sh
@@ -14,6 +14,9 @@ set -x
 # within current dir: update .sops.yaml, update keys in encrypted file
 ../bin/update_sops.sh -c "${PWD}" "${secrets_file}"
+# verify: dump secrets, GPG_TTY src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/
+GPG_TTY=$(tty) sops -d "${secrets_file}"
+
 # Special Case: Add caveat header
 cat < .sops.yaml.tmp
 # PURPOSE: BLUEPRINT for .sops.yaml config
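Review bot: The `grep '@netgo.de'` that decides which fingerprint becomes a SOPS recipient is an unanchored regex, so a uid such as `someone@netgo.de.example.org` (or `x@netgoXde`, since `.` is a wildcard) would also be selected; `show-only-fpr-mbox` prints one `FPR mbox` pair per uid, so anchoring the end of the mailbox is enough: `grep -E '@netgo\.de$'`. The added `readlink -f` is not available on older macOS/BSD `readlink`, and when it fails the inner substitution collapses to an empty string so gpg is handed an empty path instead of the real file name; if symlink resolution is really needed, `gpgkeypath="$(readlink -f "${gpgkeyfile}")" || return 1` keeps that failure visible. A comment should also state that a key with several `@netgo.de` uids yields the same fingerprint on multiple lines of `fpr`. fn_gpg_extract_fpr starts before the hunk, so where `gpgkeyfile` is set is not visible here.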
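Review bot: Field 10 of the `--with-colons` uid record is the full user-id string (`Name <user@netgo.de>`), so the same unanchored `grep '@netgo.de'` as in fn_gpg_extract_fpr also matches subdomains and any character in place of the dot; `grep -F '@netgo.de>'` matches the literal domain at the end of the address. If the caller expects exactly one uid, a key with several matching uids makes `uid` multi-line — whether that is handled is outside this hunk, so either document it or append `| head -n1` deliberately. fn_gpg_extract_uid starts before the hunk.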
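Review bot: `sops updatekeys -y "${sops_enc_file}" || echo "SKIPPING"` turns a failed re-encryption into success: the function now always returns 0, `SKIPPING` goes to stdout without the file name, and the decrypt check that gave the function its `_and_verify` name is gone, so a file whose recipient update failed shows no `git diff` at all and is indistinguishable from one that needed no change. Keep the best-effort loop but make the failure visible and propagate it: `sops updatekeys -y "${sops_enc_file}" || { >&2 echo "# WARN: sops updatekeys FAILED, skipping: ${sops_enc_file}"; return 1; }`, with the caller (outside this hunk) counting failures and exiting non-zero at the end — if the script runs under `set -e`, that is presumably what the HAAAACK is working around, and the counter avoids aborting on the first bad file. The comment should also say that `-y` auto-accepts recipient changes, so a wrong `.sops.yaml` is applied without a prompt. The function's header and the origin of `sops_enc_file` are outside the hunk.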
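Review bot: `GPG_TTY=$(tty) sops -d "${secrets_file}"` writes the decrypted secrets to stdout, so in this `set -x` script (visible in the hunk header) they end up in terminal scrollback or any captured log, while the step only needs to prove the updated recipient set still decrypts — which the exit status already gives: `GPG_TTY=$(tty) sops -d "${secrets_file}" >/dev/null || { >&2 echo "# FAIL: cannot decrypt ${secrets_file} with updated keys"; exit 1; }`. Whether `set -e` is on is not visible here; without it the bare command would let a failed decrypt pass silently, which the explicit `|| { …; exit 1; }` covers either way. Minor: `tty` prints `not a tty` and exits 1 when there is no terminal, so `GPG_TTY` gets that literal string in non-interactive runs.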