Changelog
=========

3.7.3
-----

Changes:

* Upgrade dependencies (#1024, #1045)
* Build alpine container in CI (#1018, #1032, #1025)
* keyservice: accept KeyServiceServer in LocalClient (#1035)
* Add support for GCP Service Account within `GOOGLE_CREDENTIALS` (#953)

Bug fixes:

* Upload the correct binary for the linux amd64 build (#1026)
* Fix bug when specifying multiple age recipients (#966)
* Allow for empty yaml maps (#908)
* Limit AWS role names to 64 characters (#1037)

3.7.2
-----

Changes:

* README updates (#861, #860)
* Various test fixes (#909, #906, #1008)
* Added Linux and Darwin arm64 releases (#911, #891)
* Upgrade to go v1.17 (#1012)
* Support SOPS_AGE_KEY environment variable (#1006)

Bug fixes:

* Make sure comments in yaml files are not duplicated (#866)
* Make sure configuration file paths work correctly relative to the config file in use (#853)

3.7.1
-----

Changes:

* Security fix
* Add release workflow (#843)
* Fix issue where CI wouldn't run against master (#848)
* Trim extra whitespace around age keys (#846)

3.7.0
-----

Features:

* Add support for age (#688)
* Add filename to exec-file (#761)

Changes:

* On failed decryption with GPG, return the error returned by GPG to the sops user (#762)
* Use yaml.v3 instead of modified yaml.v2 for handling YAML files (#791)
* Update aws-sdk-go to version v1.37.18 (#823)

Project Changes:

* Switch from TravisCI to Github Actions (#792)

3.6.1
-----

Features:

* Add support for --unencrypted-regex (#715)

Changes:

* Use keys.openpgp.org instead of gpg.mozilla.org (#732)
* Upgrade AWS SDK version (#714)
* Support --input-type for exec-file (#699)

Bug fixes:

* Fixes broken Vault tests (#731)
* Revert "Add standard newline/quoting behavior to dotenv store" (#706)

3.6.0
-----

Features:

* Support for encrypting data through the use of Hashicorp Vault (#655)
* `sops publish` now supports `--recursive` flag for publishing all files in a directory (#602)
* `sops publish` now supports `--omit-extensions` flag for omitting the extension in the destination path (#602)
* sops now supports JSON arrays of arrays (#642)

Improvements:

* Updates and standardization for the dotenv store (#612, #622)
* Close temp files after using them for edit command (#685)

Bug fixes:

* AWS SDK usage now correctly resolves the `~/.aws/config` file (#680)
* `sops updatekeys` now correctly matches config rules (#682)
* `sops updatekeys` now correctly uses the config path cli flag (#672)
* Partially empty sops config files don't break the use of sops anymore (#662)
* Fix possible infinite loop in PGP's passphrase prompt call (#690)

Project changes:

* Dockerfile now based off of golang version 1.14 (#649)
* Push alpine version of docker image to Dockerhub (#609)
* Push major, major.minor, and major.minor.patch tagged docker images to Dockerhub (#607)
* Removed out of date contact information (#668)
* Update authors in the cli help text (#645)

3.5.0
-----

Features:

* `sops exec-env` and `sops exec-file`, two new commands for utilizing sops secrets within a temporary file or env vars

Bug fixes:

* Sanitize AWS STS session name, as sops creates it based off of the machine's hostname
* Fix for `decrypt.Data` to support `.ini` files
* Various package fixes related to switching to Go Modules
* Fixes for Vault-related tests running locally and in CI.

Project changes:

* Change to proper use of go modules, changing the primary module name to `go.mozilla.org/sops/v3`
* Change tags to requiring a `v` prefix.
* Add documentation for `sops updatekeys` command

3.4.0
-----

Features:

* `sops publish`, a new command for publishing sops encrypted secrets to S3, GCS, or Hashicorp Vault
* Support for multiple Azure authentication mechanisms
* Azure Keyvault support to the sops config file
* `encrypted_regex` option to the sops config file

Bug fixes:

* Return non-zero exit code for invalid CLI flags
* Broken path handling for sops editing on Windows
* `go lint/fmt` violations
* Check for pgp fingerprint before slicing it

Project changes:

* Build container using golang 1.12
* Switch to using go modules
* Hashicorp Vault server in Travis CI build
* Mozilla Public License file to repo
* Replaced expiring test gpg keys

3.3.1
-----

Bug fixes:

* Make sure the pgp key fingerprint is longer than 16 characters before slicing it. (#463)
* Allow for `--set` value to be a string. (#461)

Project changes:

* Using `develop` as a staging branch to create releases off of. What is in `master` is now the current stable release.
* Upgrade to using Go 1.12 to build sops
* Updated all vendored packages

3.3.0
-----

New features:

* Multi-document support for YAML files
* Support referencing AWS KMS keys by their alias
* Support for INI files
* Support for AWS CLI profiles
* Comment support in .env files
* Added vi to the list of known editors
* Added a way to specify the GPG key server to use through the SOPS_GPG_KEYSERVER environment variable

Bug fixes:

* Now uses $HOME instead of ~ (which didn't work) to find the GPG home
* Fix panic when vim was not available as an editor, but other alternative editors were
* Fix issue with AWS KMS Encryption Contexts (#445) with more than one context value failing to decrypt intermittently. Includes an automatic fix for old files affected by this issue.

Project infrastructure changes:

* Added integration tests for AWS KMS
* Added Code of Conduct

3.2.0
-----

* Added --output flag to write output to a file directly instead of through stdout
* Added support for dotenv files

3.1.1
-----

* Fix incorrect version number from previous release

3.1.0
-----

* Add support for Azure Key Service
* Fix bug that prevented JSON escapes in input files from working

3.0.5
-----

* Prevent files from being encrypted twice
* Fix empty comments not being decrypted correctly
* If keyservicecmd returns an error, log it.
* Initial sops workspace auditing support (still wip)
* Refactor Store interface to reflect operations SOPS performs

3.0.3
-----

* --set now works with nested data structures and not just simple values
* Changed default log level to warn instead of info
* Avoid creating empty files when using the editor mode to create new files and not making any changes to the example files
* Output unformatted strings when using --extract instead of encoding them to yaml
* Allow forcing binary input and output types from command line flags
* Deprecate filename_regex in favor of path_regex. filename_regex had a bug and matched on the whole file path, when it should have only matched on the file name. path_regex on the other hand is documented to match on the whole file path.
* Add an encrypted-suffix option, the exact opposite of unencrypted-suffix
* Allow specifying unencrypted_suffix and encrypted_suffix rules in the .sops.yaml configuration file
* Introduce key service flag optionally prompting users on encryption/decryption

3.0.1
-----

* Don't consider io.EOF returned by Decoder.Token as error
* add IsBinary: true to FileHints when encoding with crypto/openpgp
* some improvements to error messages

3.0.0
-----

* Shamir secret sharing scheme support allows SOPS to require multiple master keys to access a data key and decrypt a file. See `sops groups -help` and the documentation in README.
* Keyservice to forward access to a local master key on a socket, similar to gpg-agent. See `sops keyservice --help` and the documentation in README.
* Encrypt comments by default
* Support for Google Compute Platform KMS
* Refactor of the store logic to separate the internal representation SOPS has of files from the external representation used in JSON and YAML files
* Reencoding of versions as string on sops 1.X files. **WARNING** this change breaks backward compatibility. SOPS shows an error message with instructions on how to solve this if it happens.
* Added command to reconfigure the keys used to encrypt/decrypt a file based on the .sops.yaml config file
* Retrieve missing PGP keys from gpg.mozilla.org
* Improved error messages for errors when decrypting files

2.0.0
-----

* [major] rewrite in Go

1.14
----

* [medium] Support AWS KMS Encryption Contexts
* [minor] Support insertion in encrypted documents via --set
* [minor] Read location of gpg binary from SOPS_GPG_EXEC env variables

1.13
----

* [minor] handle $EDITOR variable with parameters

1.12
----

* [minor] make sure filename_regex gets applied to file names, not paths
* [minor] move check of latest version under the -V flag
* [medium] fix handling of binary data to preserve file integrity
* [minor] try to use configuration when encrypting existing files