sops: Cannot decrypt with GPG 2.2.5 and SOPS 3.0.0
It appears the utility is looking for a secret key in a file but my GPG installation (through macOS homebrew) uses the gpg-agent. I cannot decrypt files as demonstrated below.
$ sops --version
sops 3.0.0 (latest)
$ gpg --version
gpg (GnuPG) 2.2.5
libgcrypt 1.8.2
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /Users/leeazzarello/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
$ env | grep PGP
SOPS_PGP_FP=743C1E72CF94A24C27C7D9FC49D6AC0457F0CB9A
$ sops testing.yaml
[PGP] INFO[0000] Encryption succeeded fingerprint=743C1E72CF94A24C27C7D9FC49D6AC0457F0CB9A
[CMD] INFO[0009] File written successfully
$ cat testing.yaml
hello: ENC[AES256_GCM,data:/TmzpVCbKHPCXRUpPBb9ItIiWbi5YysTdabccCMI8FE+4unQSwJbO2e/ZRts8A==,iv:a3wOGugv2wHJvtKOW6fDhGQnvXzpSBVSe7Y8YK+9vQo=,tag:5S2Pt/DlMaduegSU9Pyxyg==,type:str]
example_key: ENC[AES256_GCM,data:TEd4FGk3x7tInkit/Q==,iv:Pkis1I2Kbf+UJBhfKls24YkAOVwd9VP206V9WOT289U=,tag:yltevnDwDB1H/nv0hiBDdA==,type:str]
example_array:
- ENC[AES256_GCM,data:Rh2SkgdhLQNtbnWj+Aw=,iv:Vx4zHt0TC01C3pi/53zkyF5dYPXPxmjl1Bv7aCpWXoA=,tag:NvddG4qpVhhnz0//9GkEXA==,type:str]
- ENC[AES256_GCM,data:tzCeQ2yLhkhx+MJHNBE=,iv:72KDzEwZndj4pHLRYkfaAwtJqx5iIhD8YRskNRTXKC4=,tag:4/iNuneCnRztbDboMQCRWQ==,type:str]
example_number: ENC[AES256_GCM,data:6qE9Jcd9Jwjz,iv:xfoTEIMXeI0ADpmMD/kcFPWSylsvG4SZtVVL7nmZigU=,tag:4IsksVXD/PmustXL1sJi6Q==,type:float]
example_booleans:
- ENC[AES256_GCM,data:Sm2ITw==,iv:1eNe37m3l9E4vcGUxOoMIhgtQMRRQI8LZ09MHsamzog=,tag:39Wkv315VSauqrPuOo+crw==,type:bool]
- ENC[AES256_GCM,data:X+39sbE=,iv:2s6Xhrb5qqsiDNfCPjBxhBktdDq/q47sgoDm/NDQgRw=,tag:r3/hEymjEU9iEcWHvj3yYA==,type:bool]
sops:
kms: []
gcp_kms: []
lastmodified: '2018-03-06T19:13:15Z'
mac: ENC[AES256_GCM,data:TRRFKPzatPr0s1eGRfs6vw1dZWzQ62cri9jsST3LgnmICqykONTFA6290g8ENz4bolEfHpMdw//EbTFSMpprTksqJvbCPPDQiJQ9y8rEHm7i2G6frSG8ZfmzjStmSc/BUqpyv8BLYS2/W6gUwdH4YNsAIvh+eBnnGcbKKWMYV3E=,iv:oPgVVqNySE29V09PHs+mpuaJO40wlK2sHRxNaBVWQ34=,tag:ZjmijIo2LKs+DP4g28JWhw==,type:str]
pgp:
- created_at: '2018-03-06T19:13:06Z'
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA/6FE2S2NrqvARAAl1L6OqMA8hCHnW9meZrrJSIvrNT6Jw2I5RrPCHrEnrjB
RVEc1WNP6EOzTMXxi51ukuhbwle6RYElIYTG1E8vIqGhqyFP3aN4oITqwBwyXKou
qeyNwxLp/gWn29+X4KVaGNDIXRKZwx0+s8fWb1WXxNpCdCJqiNXT+ghu2b6ZZydf
po9GORDnwPBvIFchIp/ZJLBWPZiPrAWEZzKWpIiFOLO9shS7d2AWCDqiSMLh0kRh
bOWDImMxWYzsowBzSTRhaE7VilNZrghqwXYT/qiou95I9FFqPE/o2NIVOcC89zzB
o+iv+SfvknMN9oq7n/6D7SeQrlf1ySiXVMRYZ+JKHYFbhN891+pYSaeUd6bs3Bjl
T65azB+2o2hA2b1I24+uaYmJ5ROFMnGa2wBWoY8+5la94OUdM/O2ysMYOrJjw2jA
a+U+AdjQKc/X5ZZpvbNzZGqt/qQTDYZC2wv9a14RMMXXUOCORxia+EUQinGhi1o5
/VBf9v6qw3R4M6dOKvAUuSvXjBPqGk3mE9CX7ZXOdRAWCbb2FGIR2BHiQyYAl3pz
TN8W/Hm8vJNElU/6U5RMLJOeAzvDBZ2aXv6Drj4l+hb2TRZOEn0F1HerD/lK57iT
Bcbjn+Q3Gh91XemrRtxDCa1pH8OP/Nm5//YKImbatT1exNGEMu07wtusDpI+z7/S
XgGodzJuGGIv9+48qBv2h3tWfdIbbG22L0aKsZMdziJXzGp0p/1tDFKiMF3tMpKh
+qWT9bGPkvt38i7UzGl6Cq4teNttCK/3F5BC2cY4Xw+3fjdjG2q2fLifIUX8sE4=
=ix0m
-----END PGP MESSAGE-----
fp: 743C1E72CF94A24C27C7D9FC49D6AC0457F0CB9A
unencrypted_suffix: _unencrypted
version: 3.0.0
$ sops -d testing.yaml
[PGP] WARN[0000] Decryption failed fingerprint=743C1E72CF94A24C27C7D9FC49D6AC0457F0CB9A
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
743C1E72CF94A24C27C7D9FC49D6AC0457F0CB9A: FAILED
- | could not decrypt data key with PGP key:
| golang.org/x/crypto/openpgp error: Could not load secring:
| open /Users/leeazzarello/.gnupg/secring.gpg: no such file or
| directory; GPG binary error: exit status 2
Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
About this issue
- State: closed
- Created 6 years ago
- Reactions: 25
- Comments: 15 (3 by maintainers)
Commits related to this issue
- Adjust .bashrc Fix sops problem, s. https://github.com/mozilla/sops/issues/304 — committed to damyan/dotfiles by damyan 3 years ago
The problem suddenly reoccurred… I think it has to do with the gpg-agent. For the moment, this solved it for me, adding to .bashrc or similar (I have a .zshrc), as described in https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html:
I restarted the shell, and on first decrypt command I was asked for my passphrase to my keys. After that all the shells seem to be able to decrypt again.
If this is the case, I would say the error message probably could hint at this solution.
Cheers, Alf
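An added example, not part of the original posts and not SOPS code: a bash triage helper for the failure reported in this thread. It classifies the two errors in the `sops -d` output, extracts the failed fingerprints, and checks `GPG_TTY` as set by the `GPG_TTY=$(tty)` and `export GPG_TTY` lines that the linked GnuPG manual page recommends; the function names and finding codes are invented for this example.

```shell
#!/usr/bin/env bash
# Added example: triage a `sops -d` PGP failure like the one reported above.

# stderr excerpt copied from the report in this thread.
sample_error() { cat <<'EOF'
[PGP] WARN[0000] Decryption failed fingerprint=743C1E72CF94A24C27C7D9FC49D6AC0457F0CB9A
743C1E72CF94A24C27C7D9FC49D6AC0457F0CB9A: FAILED
- | could not decrypt data key with PGP key:
| golang.org/x/crypto/openpgp error: Could not load secring:
| open /Users/leeazzarello/.gnupg/secring.gpg: no such file or
| directory; GPG binary error: exit status 2
EOF
}

# Read sops stderr on stdin; print one finding code per line.
classify_sops_pgp_error() {
  local flat
  # Undo the "| " line wrapping so phrases split across lines still match.
  flat=$(tr '|\n' '  ' | tr -s ' ')
  case $flat in *"Could not load secring"*"no such file"*)
    echo "secring-missing" ;;   # Go openpgp fallback; GnuPG 2.1+ does not use secring.gpg
  esac
  case $flat in *"GPG binary error: exit status"*)
    echo "gpg-binary-failed" ;; # the gpg call itself failed: agent, pinentry or key
  esac
}

# Fingerprints that sops reports as FAILED, one per line, de-duplicated.
failed_fingerprints() {
  grep -Eo '[0-9A-F]{40}: FAILED' | cut -d: -f1 | sort -u
}

# True only when GPG_TTY names a character device, i.e. a terminal path as
# produced by the manual's two lines: GPG_TTY=$(tty); export GPG_TTY
gpg_tty_ok() { [ -n "${GPG_TTY:-}" ] && [ -c "$GPG_TTY" ]; }

# Live checks for one fingerprint; each output line is "<check>=ok|fail".
live_checks() {
  local fp=$1
  gpg_tty_ok && echo "gpg_tty=ok" || echo "gpg_tty=fail"
  command -v gpg >/dev/null 2>&1 || { echo "gpg_binary=fail"; return 0; }
  gpg --batch --list-secret-keys "$fp" >/dev/null 2>&1 \
    && echo "secret_key=ok" || echo "secret_key=fail"
  gpg-connect-agent /bye >/dev/null 2>&1 \
    && echo "agent=ok" || echo "agent=fail"
}
```

To classify a real failure without passing any decrypted output through the pipe, run `sops -d testing.yaml 2>&1 >/dev/null | classify_sops_pgp_error`, then call `live_checks` with each fingerprint that `failed_fingerprints` reports.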
@stoyle I tried with this resolution and appended the below 2 lines in “.bash_profile”.
I still have the same issue.
Could it be an issue with the sops version?
No, unfortunately I’ve seen nothing else than posted here. However, I found this issue with a google search fairly quickly, so maybe it may help others.
We may be rolling this out to the entire org, so I am sure I will see lots of variants of this. Will update the issue if I find anything else.
This is probably something wrong with your setup. SOPS calls the gpg binary, and it’s returning exit status 2, which is of course unsuccessful. Some things you could try: