feat: add age plugin and fido2 hmac support #680

Open
wants to merge 2 commits into
base: master

brianmcgee
No description provided.

@Mic92
Owner

Mic92 commented Nov 23, 2024

Nice. Should we also point to your sops changes?

description = ''
List of plugins to use for sops decryption.
'';
};
Owner

Doesn't that also require age plugin support in sops?

Author

I don't follow.

We should probably add the fido2-hmac plugin as a default in this option though.

Owner

@Mic92 Mic92 Nov 23, 2024

Do we not need sops-nix to recognise these age plugin style age keys to not fail to run, even if they are not used?

@brianmcgee
Author

> Nice. Should we also point to your sops changes?

This points to my patched version of sops, which in turn relies on the patched version of age (purely as a lib).

@brianmcgee
Author

To be quite honest I just looked at your PR and adapted it to use my sops. Maybe there's some extra steps missing here.

@Mic92
Owner

Mic92 commented Nov 23, 2024

`github.com/getsops/sops/v3 v3.8.1`
this also needs to be replaced as far as I remember

@brianmcgee
Author

I'll have a proper look rather than just copy pasta.

@OliverGeneser

@brianmcgee what is the current status?

@brianmcgee
Author

@OliverGeneser hoping to finish this during the holidays.

@Ramblurr

Ramblurr commented Dec 29, 2024

Replying to this quote from the previous PR

> @OliverGeneser you can help if you want. Rather than my pull request this should then use FiloSottile/age#591 and getsops/sops#1641. And instead of the yubikey plugin I would now actually prefer https://github.com/olastor/age-plugin-fido2-hmac because it not only works with yubikeys but all sorts of fido2 tokens (less vendor lock-in)

That sounds to me like it's one or the other? Or at least a plugin needs to be explicitly supported? Is it possible to support both? For those of us already using the yubikey plugin (there are many I think because that plugin predates the FIDO2 one) that would be really great!

Edit: and thanks @Mic92 and @brianmcgee for all your efforts getting this feature supported in sops, I saw it hasn't been straightforward and also required changes to age. ❤️

go 1.18
go 1.22

toolchain go1.23.3
Collaborator

Please drop that, otherwise go will whine about toolchain incompatibilities and create useless friction.

mkdir -p $out/bin
makeWrapper ${age}/bin/age $out/bin/age \
--prefix PATH : ${lib.makeBinPath [ age-plugin-fido2-hmac ]}
''
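
Review bot: the `--prefix PATH` argument in this wrapper lists only `age-plugin-fido2-hmac`, so any other age plugin (such as the yubikey plugin raised in the conversation) is found only if it already happens to be on the caller's PATH. Consider passing the plugin list in as a parameter, for example `lib.makeBinPath plugins`, so the wrapper follows the "List of plugins to use for sops decryption" option instead of hard-coding one plugin.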
Collaborator

We want a final newline here

mkdir -p $out/bin
makeWrapper ${sops}/bin/sops $out/bin/sops \
--prefix PATH : ${lib.makeBinPath [ age-plugin-fido2-hmac ]}
''
Collaborator

Same here and the next file

version = "age-sops";

src = fetchFromGitHub {
owner = "age-sops";
Collaborator

That should be just two spaces
