From ae7a074e7affa65e108fca67d15a23dda484c2f7 Mon Sep 17 00:00:00 2001
From: Chris Evich
Date: Thu, 8 Feb 2024 12:14:02 -0500
Subject: [PATCH] Wave secrets protections on select files/scripts

The baseline gitleaks data is unfortunately commit-locked, meaning small changes to files due to (for example) rebases, can render them useless. Manually go through all findings and where possible mark lines to be ignored directly. In a few cases where secrets are used in tests, mark them to be ignored via a new `.gitleaksignore` file. This will hopefully cut way down on the number of false-positive alerts that require review.

Note: I intentionally did not wave checks in the `.cirrus.yml` file as it's currently going through a large number of changes. I'll leave it up to a future followup commit to mark known/approved secret references in this file.

[NO NEW TESTS NEEDED]

Signed-off-by: Chris Evich
---
 .github/actions/check_cirrus_cron/lib.sh | 25 +++++++++++-------
 .../check_cirrus_cron/rerun_failed_tasks.sh | 6 ++---
 .github/actions/check_cirrus_cron/test.sh | 2 +-
 .github/workflows/check_cirrus_cron.yml | 26 +++++++++----------
 .github/workflows/discussion_lock.yml | 16 ++++++------
 .github/workflows/fcos-podman-next-build.yml | 4 +--
 .github/workflows/mac-pkg.yml | 26 +++++++++----------
 .github/workflows/rerun_cirrus_cron.yml | 20 +++++++-------
 .github/workflows/upload-win-installer.yml | 10 +++---
 .gitleaksignore | 22 ++++++++++++++++
 contrib/cirrus/runner.sh | 21 ++++++---------
 11 files changed, 100 insertions(+), 78 deletions(-)
 create mode 100644 .gitleaksignore

diff --git a/.github/actions/check_cirrus_cron/lib.sh b/.github/actions/check_cirrus_cron/lib.sh
index 7e8d42e83b..60648d956e 100644
--- a/.github/actions/check_cirrus_cron/lib.sh
+++ b/.github/actions/check_cirrus_cron/lib.sh
@@ -63,17 +63,22 @@ gql() {
 msg "::error file=${BASH_SOURCE[1]},line=${BASH_LINENO[0]}::Invalid query JSON: $query"
 return 1
 fi
- # SECRET_CIRRUS_API_KEY is defined github secret
+
+ local -a _curl_cmd
+ # ...API_KEY is pre-defined github secret
 # shellcheck disable=SC2154
- if output=$(curl \
- --request POST \
- --silent \
- --show-error \
- --location \
- --header 'content-type: application/json' \
- --header "Authorization: Bearer $SECRET_CIRRUS_API_KEY" \
- --url 'https://api.cirrus-ci.com/graphql' \
- --data "$query") && [[ -n "$output" ]]; then
+ _curl_cmd=(
+ curl
+ --request POST
+ --silent
+ --show-error
+ --location
+ --header 'content-type: application/json'
+ --header "Authorization: Bearer $SECRET_CIRRUS_API_KEY" # gitleaks:allow
+ --url 'https://api.cirrus-ci.com/graphql'
+ --data "$query"
+ )
+ if output=$("${_curl_cmd[@]}") && [[ -n "$output" ]]; then
 if filtered=$(jq -e "$filter" <<<"$output") && [[ -n "$filtered" ]]; then
 msg "result:"
diff --git a/.github/actions/check_cirrus_cron/rerun_failed_tasks.sh b/.github/actions/check_cirrus_cron/rerun_failed_tasks.sh
index 3c422b066c..8604666bc3 100755
--- a/.github/actions/check_cirrus_cron/rerun_failed_tasks.sh
+++ b/.github/actions/check_cirrus_cron/rerun_failed_tasks.sh
@@ -9,7 +9,7 @@ set -eo pipefail
 # HOW TO TEST: This script may be manually tested assuming you have
 # access to the github containers-org. Cirrus API key. With that in-hand,
 # this script may be manually run by:
-# 1. export SECRET_CIRRUS_API_KEY=
+# 1. export SECRET_CIRRUS_API_KEY= # gitleaks:allow
 # 2. Find an old podman build that failed on `main` or another **branch**.
 # For example, from https://cirrus-ci.com/github/containers/podman/main
 # (pick an old one from the bottom, since re-running it won't affect anybody)
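Review bot: The bearer token still rides on curl's argv in `--header "Authorization: Bearer $SECRET_CIRRUS_API_KEY"`, so the array refactor changes only what gitleaks sees; the value remains readable from the runner's process table and would be printed verbatim by any `set -x`/xtrace of this function (GitHub masks it in job logs, not in `ps`). curl can take that header from its config on stdin instead, which keeps the secret out of argv: replace the header element with `--config -` and feed it with `if output=$(printf 'header = "Authorization: Bearer %s"\n' "$SECRET_CIRRUS_API_KEY" | "${_curl_cmd[@]}") && [[ -n "$output" ]]; then`. stdin is free here because the request body already goes through `--data "$query"`. `gql` starts before this hunk and continues after it.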
@@ -27,8 +27,8 @@ source $(dirname "${BASH_SOURCE[0]}")/lib.sh
 _errfmt="Expecting %s value to not be empty"
 # ID_NAME_FILEPATH is defined by workflow YAML
 # shellcheck disable=SC2154
-if [[ -z "$SECRET_CIRRUS_API_KEY" ]]; then
- err $(printf "$_errfmt" "\$SECRET_CIRRUS_API_KEY")
+if [[ -z "$SECRET_CIRRUS_API_KEY" ]]; then # gitleaks:allow
+ err $(printf "$_errfmt" "\$SECRET_CIRRUS_API_KEY") #gitleaks:allow
 elif [[ ! -r "$ID_NAME_FILEPATH" ]]; then # output from cron_failures.sh
 err $(printf "Expecting %s value to be a readable file" "\$ID_NAME_FILEPATH")
 fi
diff --git a/.github/actions/check_cirrus_cron/test.sh b/.github/actions/check_cirrus_cron/test.sh
index 19f2e35287..e368551015 100644
--- a/.github/actions/check_cirrus_cron/test.sh
+++ b/.github/actions/check_cirrus_cron/test.sh
@@ -87,7 +87,7 @@ fi
 #####
 msg "$header rerun_failed_tasks.sh"
-export SECRET_CIRRUS_API_KEY=testing-nottherightkey
+export SECRET_CIRRUS_API_KEY="testing-nottherightkey" # gitleaks:allow
 # test.sh is sensitive to the 'testing' name. Var. defined by cirrus-ci
 # shellcheck disable=SC2154
 echo "$CIRRUS_BUILD_ID test cron job name" > "$ID_NAME_FILEPATH"
diff --git a/.github/workflows/check_cirrus_cron.yml b/.github/workflows/check_cirrus_cron.yml
index c4ca4efaa1..ad4b0dceed 100644
--- a/.github/workflows/check_cirrus_cron.yml
+++ b/.github/workflows/check_cirrus_cron.yml
@@ -18,15 +18,15 @@ on:
 # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
 workflow_call:
 secrets:
- SECRET_CIRRUS_API_KEY:
+ SECRET_CIRRUS_API_KEY: # gitleaks:allow
 required : true
- ACTION_MAIL_SERVER:
+ ACTION_MAIL_SERVER: # gitleaks:allow
 required: true
- ACTION_MAIL_USERNAME:
+ ACTION_MAIL_USERNAME: # gitleaks:allow
 required: true
- ACTION_MAIL_PASSWORD:
+ ACTION_MAIL_PASSWORD: # gitleaks:allow
 required: true
- ACTION_MAIL_SENDER:
+ ACTION_MAIL_SENDER: # gitleaks:allow
 required: true
 env:
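Review bot: The two new marks are spelled differently, `# gitleaks:allow` on the `if` line and `#gitleaks:allow` on the `err` line; gitleaks matches the bare substring so both work, but every other mark in this commit uses the spaced form, so make it `err $(printf "$_errfmt" "\$SECRET_CIRRUS_API_KEY") # gitleaks:allow`. While touching that line, the unquoted `$(printf …)` is word-split before `err` sees it (ShellCheck SC2046); `err "$(printf "$_errfmt" "\$SECRET_CIRRUS_API_KEY")"` hands the message over as a single argument. Whether `err` re-joins its arguments is not visible here, so treat the quoting as a style point rather than a functional one.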
@@ -63,13 +63,13 @@ jobs:
 # Ref: https://github.com/dawidd6/action-send-mail
 uses: dawidd6/action-send-mail@v3.11.0
 with:
- server_address: ${{secrets.ACTION_MAIL_SERVER}}
+ server_address: ${{secrets.ACTION_MAIL_SERVER}} # gitleaks:allow
 server_port: 465
- username: ${{secrets.ACTION_MAIL_USERNAME}}
- password: ${{secrets.ACTION_MAIL_PASSWORD}}
+ username: ${{secrets.ACTION_MAIL_USERNAME}} # gitleaks:allow
+ password: ${{secrets.ACTION_MAIL_PASSWORD}} # gitleaks:allow
 subject: Cirrus-CI cron build failures on ${{github.repository}}
 to: ${{env.RCPTCSV}}
- from: ${{secrets.ACTION_MAIL_SENDER}}
+ from: ${{secrets.ACTION_MAIL_SENDER}} # gitleaks:allow
 body: file://./artifacts/email_body.txt
 - if: always()
@@ -82,11 +82,11 @@ jobs:
 name: Send error notification e-mail
 uses: dawidd6/action-send-mail@v3.11.0
 with:
- server_address: ${{secrets.ACTION_MAIL_SERVER}}
+ server_address: ${{secrets.ACTION_MAIL_SERVER}} # gitleaks:allow
 server_port: 465
- username: ${{secrets.ACTION_MAIL_USERNAME}}
- password: ${{secrets.ACTION_MAIL_PASSWORD}}
+ username: ${{secrets.ACTION_MAIL_USERNAME}} # gitleaks:allow
+ password: ${{secrets.ACTION_MAIL_PASSWORD}} # gitleaks:allow
 subject: Github workflow error on ${{github.repository}}
 to: ${{env.RCPTCSV}}
- from: ${{secrets.ACTION_MAIL_SENDER}}
+ from: ${{secrets.ACTION_MAIL_SENDER}} # gitleaks:allow
 body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
diff --git a/.github/workflows/discussion_lock.yml b/.github/workflows/discussion_lock.yml
index 79fbbb3ce4..6192bfe92f 100644
--- a/.github/workflows/discussion_lock.yml
+++ b/.github/workflows/discussion_lock.yml
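Review bot: An inline `# gitleaks:allow` suppresses everything on its line for as long as the line exists, so if someone later replaces `${{secrets.ACTION_MAIL_PASSWORD}}` with a pasted literal, the mark keeps the scanner quiet about exactly the thing it should catch. Every marked line in this and the other workflow files has the same shape, a `${{ secrets.NAME }}` reference with no value on the line, which is what a `.gitleaks.toml` allowlist regex is for, e.g. `regexes = ['''\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}''']` under `[allowlist]`; the expression is then ignored everywhere while a literal on the same line still alerts, and the per-line marks in the workflow files can be dropped. This is a point about how the suppression is written, not a defect in the mail step itself.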
@@ -11,13 +11,13 @@ on:
 # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
 workflow_call:
 secrets:
- ACTION_MAIL_SERVER:
+ ACTION_MAIL_SERVER: # gitleaks:allow
 required: true
- ACTION_MAIL_USERNAME:
+ ACTION_MAIL_USERNAME: # gitleaks:allow
 required: true
- ACTION_MAIL_PASSWORD:
+ ACTION_MAIL_PASSWORD: # gitleaks:allow
 required: true
- ACTION_MAIL_SENDER:
+ ACTION_MAIL_SENDER: # gitleaks:allow
 required: true
 # Debug: Allow triggering job manually in github-actions WebUI
 workflow_dispatch: {}
@@ -58,11 +58,11 @@ jobs:
 name: Send job failure notification e-mail
 uses: dawidd6/action-send-mail@v3.11.0
 with:
- server_address: ${{secrets.ACTION_MAIL_SERVER}}
+ server_address: ${{secrets.ACTION_MAIL_SERVER}} # gitleaks:allow
 server_port: 465
- username: ${{secrets.ACTION_MAIL_USERNAME}}
- password: ${{secrets.ACTION_MAIL_PASSWORD}}
+ username: ${{secrets.ACTION_MAIL_USERNAME}} # gitleaks:allow
+ password: ${{secrets.ACTION_MAIL_PASSWORD}} # gitleaks:allow
 subject: Github workflow error on ${{github.repository}}
 to: podman-monitor@lists.podman.io
- from: ${{secrets.ACTION_MAIL_SENDER}}
+ from: ${{secrets.ACTION_MAIL_SENDER}} # gitleaks:allow
 body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
diff --git a/.github/workflows/fcos-podman-next-build.yml b/.github/workflows/fcos-podman-next-build.yml
index cb24a46fdf..0861c664d8 100644
--- a/.github/workflows/fcos-podman-next-build.yml
+++ b/.github/workflows/fcos-podman-next-build.yml
@@ -93,5 +93,5 @@ jobs:
 image: ${{ env.IMAGE_NAME }}
 tags: ${{ steps.build_image_multiarch.outputs.tags }}
 registry: ${{ env.IMAGE_REGISTRY }}
- username: ${{ secrets.QUAY_PODMAN_USERNAME }}
- password: ${{ secrets.QUAY_PODMAN_PASSWORD }}
+ username: ${{ secrets.QUAY_PODMAN_USERNAME }} # gitleaks:allow
+ password: ${{ secrets.QUAY_PODMAN_PASSWORD }} # gitleaks:allow
diff --git a/.github/workflows/mac-pkg.yml b/.github/workflows/mac-pkg.yml
index 6fdb681052..544597ddf9 100644
--- a/.github/workflows/mac-pkg.yml
+++ b/.github/workflows/mac-pkg.yml
@@ -24,15 +24,15 @@ jobs:
 build:
 runs-on: macos-latest
 env:
- APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }}
- CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }}
- INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERT }}
- PRODUCTSIGN_IDENTITY: ${{ secrets.MACOS_INSTALLER_IDENTITY }}
- CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+ APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }} # gitleaks:allow
+ CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }} # gitleaks:allow
+ INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERT }} # gitleaks:allow
+ PRODUCTSIGN_IDENTITY: ${{ secrets.MACOS_INSTALLER_IDENTITY }} # gitleaks:allow
+ CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} # gitleaks:allow
- NOTARIZE_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
- NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
- NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
+ NOTARIZE_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} # gitleaks:allow
+ NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }} # gitleaks:allow
+ NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PWD }} # gitleaks:allow
 KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
 steps:
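Review bot: `KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}` is the only entry in this `env:` block left without a mark, presumably because the current rule set did not report it; the next rule update can change that, at which point the block looks half-finished and needs another round of marks. Every line here has the same shape, a `${{ secrets.* }}` reference with no value on the line, so either mark it now for consistency or, better, cover that shape once with an allowlist regex in `.gitleaks.toml` instead of line by line. The `build` job continues past this hunk.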
@@ -106,17 +106,17 @@ jobs:
 steps.check.outputs.buildarm == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
 run: |
- echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12
- echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12
+ echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12 # gitleaks:allow
+ echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12 # gitleaks:allow
 security create-keychain -p "$KEYCHAIN_PWD" build.keychain
 security default-keychain -s build.keychain
 security unlock-keychain -p "$KEYCHAIN_PWD" build.keychain
- security import appcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/codesign
- security import instcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/productsign
+ security import appcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/codesign # gitleaks:allow
+ security import instcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/productsign # gitleaks:allow
 security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" build.keychain &> /dev/null
- xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null
+ xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null # gitleaks:allow
 - name: Build and Sign ARM
 if: steps.check.outputs.buildarm == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
 working-directory: contrib/pkginstaller
diff --git a/.github/workflows/rerun_cirrus_cron.yml b/.github/workflows/rerun_cirrus_cron.yml
index 785c47c499..0dc78e90e4 100644
--- a/.github/workflows/rerun_cirrus_cron.yml
+++ b/.github/workflows/rerun_cirrus_cron.yml
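Review bot: The decoded `appcert.p12` and `instcert.p12` are written into the checkout and nothing in this step removes them, so the signing certificates (protected only by `$CERTIFICATE_PWD`) stay on disk for every later step of the job, including anything that uploads the working directory; delete them once both `security import` lines have succeeded, e.g. `rm -f appcert.p12 instcert.p12` right after the `productsign` import, or write them under `$RUNNER_TEMP` instead of the workspace. The two `echo $APPLICATION_CERTIFICATE` / `echo $INSTALLER_CERTIFICATE` pipes should also quote the variable, `echo "$APPLICATION_CERTIFICATE"`, since an unquoted blob is subject to word splitting and glob expansion. The keychain and notarytool passwords go on argv exactly as before this commit; that is pre-existing and only noted here.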
@@ -17,15 +17,15 @@ on:
 # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
 workflow_call:
 secrets:
- SECRET_CIRRUS_API_KEY:
+ SECRET_CIRRUS_API_KEY: # gitleaks:allow
 required : true
- ACTION_MAIL_SERVER:
+ ACTION_MAIL_SERVER: # gitleaks:allow
 required: true
- ACTION_MAIL_USERNAME:
+ ACTION_MAIL_USERNAME: # gitleaks:allow
 required: true
- ACTION_MAIL_PASSWORD:
+ ACTION_MAIL_PASSWORD: # gitleaks:allow
 required: true
- ACTION_MAIL_SENDER:
+ ACTION_MAIL_SENDER: # gitleaks:allow
 required: true
 env:
@@ -56,7 +56,7 @@ jobs:
 - if: steps.cron.outputs.failures > 0
 shell: bash
 env:
- SECRET_CIRRUS_API_KEY: ${{ secrets.SECRET_CIRRUS_API_KEY }}
+ SECRET_CIRRUS_API_KEY: ${{ secrets.SECRET_CIRRUS_API_KEY }} # gitleaks:allow
 run: './.github/actions/check_cirrus_cron/rerun_failed_tasks.sh'
 - uses: actions/upload-artifact@v4
@@ -68,11 +68,11 @@ jobs:
 name: Send error notification e-mail
 uses: dawidd6/action-send-mail@v3.11.0
 with:
- server_address: ${{secrets.ACTION_MAIL_SERVER}}
+ server_address: ${{secrets.ACTION_MAIL_SERVER}} # gitleaks:allow
 server_port: 465
- username: ${{secrets.ACTION_MAIL_USERNAME}}
- password: ${{secrets.ACTION_MAIL_PASSWORD}}
+ username: ${{secrets.ACTION_MAIL_USERNAME}} # gitleaks:allow
+ password: ${{secrets.ACTION_MAIL_PASSWORD}} # gitleaks:allow
 subject: Github workflow error on ${{github.repository}}
 to: ${{env.RCPTCSV}}
- from: ${{secrets.ACTION_MAIL_SENDER}}
+ from: ${{secrets.ACTION_MAIL_SENDER}} # gitleaks:allow
 body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
diff --git a/.github/workflows/upload-win-installer.yml b/.github/workflows/upload-win-installer.yml
index b7cc0eacc5..420347b4a1 100644
--- a/.github/workflows/upload-win-installer.yml
+++ b/.github/workflows/upload-win-installer.yml
@@ -94,11 +94,11 @@ jobs:
 if: steps.Check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
 run: |
 dotnet tool install --global AzureSignTool --version 3.0.0
- echo "CERT_NAME=${{secrets.AZ_CERT_NAME}}" | Out-File -FilePath $env:GITHUB_ENV -Append
- echo "VAULT_ID=${{secrets.AZ_VAULT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
- echo "APP_ID=${{secrets.AZ_APP_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
- echo "TENANT_ID=${{secrets.AZ_TENANT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
- echo "CLIENT_SECRET=${{secrets.AZ_CLIENT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append
+ echo "CERT_NAME=${{secrets.AZ_CERT_NAME}}" | Out-File -FilePath $env:GITHUB_ENV -Append # gitleaks:allow
+ echo "VAULT_ID=${{secrets.AZ_VAULT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append # gitleaks:allow
+ echo "APP_ID=${{secrets.AZ_APP_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append # gitleaks:allow
+ echo "TENANT_ID=${{secrets.AZ_TENANT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append # gitleaks:allow
+ echo "CLIENT_SECRET=${{secrets.AZ_CLIENT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append # gitleaks:allow
 - name: Build
 id: build
 if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 0000000000..6d5cf17152
--- /dev/null
+++ b/.gitleaksignore
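Review bot: These lines expand `${{secrets.AZ_*}}` directly into the PowerShell script body and then append the values to `$GITHUB_ENV`, so the secrets are both interpolated as script text (a value containing a quote or newline breaks out of the string) and exported to every subsequent step of the job rather than only the one that signs. Map them through the step's `env:` and reference `$env:AZ_*` inside the script; the run lines then no longer mention `secrets.`, and if the scanner still objects to the `env:` block the marks move there with the references. If only the build step needs these values (it lies outside this hunk), the `GITHUB_ENV` writes can be dropped altogether in favour of an `env:` block on that step.
```yaml
      env:
        AZ_CERT_NAME: ${{ secrets.AZ_CERT_NAME }}
        AZ_VAULT_ID: ${{ secrets.AZ_VAULT_ID }}
        AZ_APP_ID: ${{ secrets.AZ_APP_ID }}
        AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
        AZ_CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }}
      run: |
        dotnet tool install --global AzureSignTool --version 3.0.0
        echo "CERT_NAME=$env:AZ_CERT_NAME" | Out-File -FilePath $env:GITHUB_ENV -Append
        echo "VAULT_ID=$env:AZ_VAULT_ID" | Out-File -FilePath $env:GITHUB_ENV -Append
        echo "APP_ID=$env:AZ_APP_ID" | Out-File -FilePath $env:GITHUB_ENV -Append
        echo "TENANT_ID=$env:AZ_TENANT_ID" | Out-File -FilePath $env:GITHUB_ENV -Append
        echo "CLIENT_SECRET=$env:AZ_CLIENT_SECRET" | Out-File -FilePath $env:GITHUB_ENV -Append
```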
@@ -0,0 +1,22 @@
+36e29a843205e05acedd65b559757a49ffbdd19a:pkg/auth/auth_test.go:generic-api-key:17
+36e29a843205e05acedd65b559757a49ffbdd19a:pkg/auth/auth_test.go:generic-api-key:18
+36e29a843205e05acedd65b559757a49ffbdd19a:pkg/auth/auth_test.go:generic-api-key:19
+36e29a843205e05acedd65b559757a49ffbdd19a:pkg/auth/auth_test.go:generic-api-key:20
+36e29a843205e05acedd65b559757a49ffbdd19a:test/certs/domain.key:private-key:1
+36e29a843205e05acedd65b559757a49ffbdd19a:test/e2e/login_logout_test.go:generic-api-key:525
+36e29a843205e05acedd65b559757a49ffbdd19a:test/e2e/login_logout_test.go:generic-api-key:526
+36e29a843205e05acedd65b559757a49ffbdd19a:test/e2e/login_logout_test.go:generic-api-key:572
+36e29a843205e05acedd65b559757a49ffbdd19a:test/e2e/login_logout_test.go:generic-api-key:573
+36e29a843205e05acedd65b559757a49ffbdd19a:test/e2e/login_logout_test.go:generic-api-key:574
+36e29a843205e05acedd65b559757a49ffbdd19a:test/e2e/testdata/sigstore-key.key:private-key:1
+71b3437a814f7b6252fbfd568e3eaef182dd308a:pkg/auth/auth_test.go:generic-api-key:17
+71b3437a814f7b6252fbfd568e3eaef182dd308a:pkg/auth/auth_test.go:generic-api-key:18
+71b3437a814f7b6252fbfd568e3eaef182dd308a:pkg/auth/auth_test.go:generic-api-key:19
+71b3437a814f7b6252fbfd568e3eaef182dd308a:pkg/auth/auth_test.go:generic-api-key:20
+71b3437a814f7b6252fbfd568e3eaef182dd308a:test/e2e/login_logout_test.go:generic-api-key:525
+71b3437a814f7b6252fbfd568e3eaef182dd308a:test/e2e/login_logout_test.go:generic-api-key:526
+71b3437a814f7b6252fbfd568e3eaef182dd308a:test/e2e/login_logout_test.go:generic-api-key:572
+71b3437a814f7b6252fbfd568e3eaef182dd308a:test/e2e/login_logout_test.go:generic-api-key:573
+71b3437a814f7b6252fbfd568e3eaef182dd308a:test/e2e/login_logout_test.go:generic-api-key:574
+71b3437a814f7b6252fbfd568e3eaef182dd308a:test/e2e/play_kube_test.go:generic-api-key:57
+71b3437a814f7b6252fbfd568e3eaef182dd308a:test/e2e/testdata/sigstore-key.key:private-key:1
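Review bot: Every fingerprint here is keyed to a commit (`36e29a84…` and `71b3437a…`), which is the same commit-locking the commit message complains about for the baseline: the moment one of these files is edited or history is rewritten, the entries stop matching and the findings resurface. Two of them are private keys that exist as test fixtures, `test/certs/domain.key` and `test/e2e/testdata/sigstore-key.key`; those are better expressed as a path allowlist in `.gitleaks.toml` (`[allowlist] paths = ['''test/certs/.*''', '''test/e2e/testdata/.*\.key''']`), which depends on neither commit nor line number, and the `pkg/auth/auth_test.go`, `test/e2e/login_logout_test.go` and `test/e2e/play_kube_test.go` lines can carry an inline `// gitleaks:allow` like the shell and YAML lines elsewhere in this commit. Nothing in this file records why an entry is ignored, so a short reason comment per group would help the next reviewer; I believe gitleaks skips `#` lines in `.gitleaksignore`, but confirm against the version in use before relying on that.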
diff --git a/contrib/cirrus/runner.sh b/contrib/cirrus/runner.sh
index 36c6e3352b..0fe4c2e2e0 100755
--- a/contrib/cirrus/runner.sh
+++ b/contrib/cirrus/runner.sh
@@ -169,7 +169,7 @@ function _run_swagger() {
 local upload_bucket
 local download_url
 local envvarsfile
- req_env_vars GCPJSON GCPNAME GCPPROJECT CTR_FQIN
+ req_env_vars GCPJSON GCPNAME GCPPROJECT CTR_FQIN # gitleaks:allow
 [[ -x /usr/local/bin/swagger ]] || \
 die "Expecting swagger binary to be present and executable."
@@ -203,25 +203,20 @@ function _run_swagger() {
 # Cirrus-CI Artifact instruction expects file here
 cp -v $GOSRC/pkg/api/swagger.yaml ./
- envvarsfile=$(mktemp -p '' .tmp_$(basename $0)_XXXXXXXX)
- trap "rm -f $envvarsfile" EXIT # contains secrets
- # Warning: These values must _not_ be quoted, podman will not remove them.
 #shellcheck disable=SC2154
- cat <>$envvarsfile
-GCPJSON=$GCPJSON
-GCPNAME=$GCPNAME
-GCPPROJECT=$GCPPROJECT
-FROM_FILEPATH=$GOSRC/swagger.yaml
-TO_GCSURI=gs://$upload_bucket/$upload_filename
-eof
+ export FROM_FILEPATH=$GOSRC/swagger.yaml
+
+ #shellcheck disable=SC2154
+ export TO_GCSURI=gs://$upload_bucket/$upload_filename
 msg "Waiting for backgrounded podman pull to complete..."
 wait %%
 showrun bin/podman run -it --rm --security-opt label=disable \
- --env-file=$envvarsfile \
 -v $GOSRC:$GOSRC:ro \
 --workdir $GOSRC \
- $CTR_FQIN
+ -e FROM_FILEPATH \
+ -e TO_GCSURI \
+ -e GCPJSON -e GCPNAME -e GCPPROJECT $CTR_FQIN # gitleaks:allow
 rm -f $envvarsfile
 }
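Review bot: `rm -f $envvarsfile` at the end of the function survives the refactor, but nothing assigns `envvarsfile` any more (the `mktemp` and the `trap` are removed in this hunk, and `local envvarsfile` in the earlier hunk of this file is now a dead declaration), so it runs as `rm -f` with an empty operand list and is only silent by accident; drop both `rm -f $envvarsfile` and `local envvarsfile`. Passing the service-account JSON as `-e GCPJSON` (name only, value taken from the environment) is an improvement over the temp file: the value no longer touches disk, and if `showrun` echoes the command line it now shows just the variable name. The two `export`s leak `FROM_FILEPATH` and `TO_GCSURI` into the rest of the script's environment; harmless values, but `-e FROM_FILEPATH="$GOSRC/swagger.yaml"` style assignments on the `podman run` line would avoid the exports if that is preferred. `_run_swagger` starts before this hunk; its closing brace is inside it.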