Can't pass golang unit tests #882
Comments
And I didn't make any changes in the go.mozilla.org/sops/v3/pgp package. And the tests don't pass without any changes to the project.
+1. I have the same in https://github.com/mozilla/sops/actions/runs/918083857 Looks like it is related to #774. @autrilla, @felixfontein, can anybody take a look into the tests?
There are some possibilities:
So I guess the public key retrieved changed, and no longer contains an identity. This could be because someone changed the key, or because the key server's software changed. The key server's software is Hagrid, and is actively developed (https://gitlab.com/hagrid-keyserver/hagrid/-/commits/master). I can't find a history of which version was running on keys.openpgp.org at which point in time. This must have happened between May 8th (last successful CI run) and June 2nd (first unsuccessful CI run). Since Hagrid seems to filter identities with email addresses (https://gitlab.com/hagrid-keyserver/hagrid/-/commit/e1e88037e894887bdd0508b185c2fe2a34a43d3a), maybe it's related to that somehow? Though I'm not sure if the public key is supposed to contain any email address; it is the same fingerprint as is used for the integration test and the key is included in the repo, and that key has no email address associated.
Golang 1.13 has reached EOL: https://github.com/golang/go/wiki/Go-Release-Cycle#release-maintenance Tests should pass, as soon as getsops#882 is fixed.
A similar issue (possibly related) that I have noticed with sops and newer versions of GnuPG (e.g. 2.3.1) is that SOPS doesn't know about the GPG change to use keyboxes (e.g. ~/.gnupg/pubring.kbx). If I start with no ~/.gnupg, and import a key (doing this in a container):
Using sops will fail to decrypt because it cannot find the key:
Note that it is looking for secring.pgp, which has been deprecated in the move to keyboxes (pubring.kbx). I can get GPG to write this file if I edit the key and set the expiry to never (which is already the case, but apparently this still creates the side-effect of creating a file tofu.db)
Not sure if this makes any other changes, but tofu.db seems to be related to the Trust On First Use trust model (Update: it can also be caused by something else having the GPG Agent socket open; if you're a user of Visual Studio Code and you're using SOPS within a Remote Container ("dev containers"), then beware that VSCode will forward the GPG socket and so its Node.JS injected componentry will be listening to this and forwarding it outside the container).
Who from the maintainers can take a look into these tests?
looks correct. Actually, the key lacks identity:
The key with identity is here: https://github.com/mozilla/sops/blob/v3.7.1/pgp/sops_functional_tests_key.asc#L93
This looks like it is caused by how keys.openpgp.org handles non-identity information and identity information: https://keys.openpgp.org/about/faq#verify-multiple
And there looks to be no option for
We need an alternate key with an email address used only for unit tests of sops.
* `golang.org/x/crypto/openpgp` requires keys to contain identity information.
* An email address can have only a single key with identity information on keys.openpgp.org.
Created: #906
Since #906 has been merged, CI should be running again.
This is fixed in
…etsops#906)
* `golang.org/x/crypto/openpgp` requires keys to contain identity information.
* An email address can have only a single key with identity information on keys.openpgp.org.
Signed-off-by: Carsten Skov <[email protected]>
Hello, I want to add something to the project but I can't pass the unit tests in the develop branch. What am I doing wrong?
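The diagnosis reached in this thread is that the key fetched from keys.openpgp.org no longer carries an identity. As an added example (not code from SOPS or from anyone in this thread), the Go sketch below walks the packets of a binary (dearmored) OpenPGP key and returns the contents of its User ID packets; `userIDs`, `errBad` and the sample byte strings are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

var errBad = errors.New("malformed or unsupported OpenPGP packet")

// userIDs walks a binary (dearmored) OpenPGP key and returns its User ID strings.
func userIDs(d []byte) ([]string, error) {
	var ids []string
	for i := 0; i < len(d); {
		h, tag, n := d[i], int(d[i]>>2)&0x0f, 0 // default: old-format 4-bit tag
		if h&0x80 == 0 || i+2 > len(d) {
			return nil, errBad
		}
		switch f := int(d[i+1]); {
		case h&0x40 == 0 && h&3 == 0: // old format, one length octet
			n, i = f, i+2
		case h&0x40 == 0 && h&3 == 1 && i+3 <= len(d): // old format, two octets
			n, i = f<<8|int(d[i+2]), i+3
		case h&0x40 != 0 && f < 192: // new format, one length octet
			tag, n, i = int(h&0x3f), f, i+2
		case h&0x40 != 0 && f < 224 && i+3 <= len(d): // new format, two octets
			tag, n, i = int(h&0x3f), (f-192)<<8+int(d[i+2])+192, i+3
		default: // other length encodings are not handled in this example
			return nil, errBad
		}
		if i+n > len(d) {
			return nil, errBad
		}
		if tag == 13 { // User ID packet (RFC 4880, section 4.3)
			ids = append(ids, string(d[i:i+n]))
		}
		i += n
	}
	return ids, nil
}

// Constructed samples with dummy packet bodies (not real key material).
var strippedKey = []byte{0x98, 0x02, 0x04, 0x00, 0xb8, 0x01, 0x04} // key + subkey only
var fullKey = append([]byte{0xc6, 0x02, 0x04, 0x00, 0xcd, 0x12}, "ci@example.invalid"...)

func main() {
	fmt.Println(userIDs(strippedKey)) // no User ID packet found
	fmt.Println(userIDs(fullKey))     // one User ID packet found
}
```

An empty result for a key downloaded from a key server means it was served without identity information, which is the condition the thread identifies as breaking the tests.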