From bcf9de5e7a3e653e308bf0b2546766eaf3e46482 Mon Sep 17 00:00:00 2001
From: LeeW
Date: Wed, 5 Mar 2025 12:35:49 +0100
Subject: [PATCH] common sense: avoids printing secrets by default after sops update moving the "for verification" dump back into the verify script
---
 bin/update_sops.sh | 3 ---
 verify/usr_confirm_keycfg.sh | 3 +++
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/bin/update_sops.sh b/bin/update_sops.sh
index 1443966..f905c58 100755
--- a/bin/update_sops.sh
+++ b/bin/update_sops.sh
@@ -114,9 +114,6 @@ fn_sops_updatekeys_and_verify(){
 # "update the keys of SOPS files using the config file" >&2
 echo "# RUN: sops updatekeys ${sops_enc_file}"
 sops updatekeys "${sops_enc_file}"
-
- # verify: dump secrets, GPG_TTY src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/
- GPG_TTY=$(tty) sops -d "${sops_enc_file}"
 }
 function main(){
diff --git a/verify/usr_confirm_keycfg.sh b/verify/usr_confirm_keycfg.sh
index 51170c6..6c8c40e 100755
--- a/verify/usr_confirm_keycfg.sh
+++ b/verify/usr_confirm_keycfg.sh
@@ -14,6 +14,9 @@ set -x
 # within current dir: update .sops.yaml, update keys in encrypted file
 ../bin/update_sops.sh -c "${PWD}" "${secrets_file}"
+# verify: dump secrets, GPG_TTY src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/
+GPG_TTY=$(tty) sops -d "${secrets_file}"
+
 # Special Case: Add caveat header
 cat < .sops.yaml.tmp
 # PURPOSE: BLUEPRINT for .sops.yaml config
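Review bot: The added `sops -d "${secrets_file}"` in verify/usr_confirm_keycfg.sh writes the decrypted plaintext to stdout unconditionally, so any run whose output is piped or captured (a CI log, `tee`, a terminal recording) keeps the secrets in clear. If the goal is only to confirm that the updated keys can decrypt the file, the exit status is enough: `GPG_TTY=$(tty) sops -d "${secrets_file}" >/dev/null`. If the operator does need to read the values, wrap the dump in an `if [ -t 1 ]; then … fi` check so it only prints to an interactive terminal. Separately, `tty` prints `not a tty` and returns non-zero when stdin is not a terminal, which would leave GPG_TTY set to that string. The hunk header shows `set -x` earlier in the file; whether tracing is still active at this point is not visible here and is worth confirming in a script that handles secret material.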