Merge branch 'main' into fix-1846

Author: felixfontein

.github/workflows/cli.yml

@@ -29,17 +29,17 @@ jobs:
       VAULT_ADDR: "http://127.0.0.1:8200"
     steps:
       - name: Set up Go ${{ matrix.go-version }}
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: ${{ matrix.go-version }}
         id: go
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
-      - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+      - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -92,7 +92,7 @@ jobs:
       VAULT_ADDR: "http://127.0.0.1:8200"
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
@@ -105,7 +105,7 @@ jobs:
       - name: Show Rust version
         run: cargo --version
 
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: sops-${{ matrix.go-version }}-linux-amd64-${{ github.sha }}
 

.github/workflows/codeql.yml

@@ -29,13 +29,13 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
+        uses: github/codeql-action/init@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.29.5
         with:
           languages: go
           # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
@@ -52,6 +52,6 @@ jobs:
           make install
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
+        uses: github/codeql-action/analyze@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.29.5
         with:
           category: "/language:go"

.github/workflows/docs.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 

.github/workflows/linters.yml

@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 

.github/workflows/release.yml

@@ -25,19 +25,19 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
           persist-credentials: false
 
       - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v4.0.1
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v4.0.1
         with:
           go-version: 1.24
           cache: false
 
       - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@7b36ad622f042cab6f59a75c2ac24ccb256e9b45 # v0.20.4
+        uses: anchore/sbom-action/download-syft@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5
 
       - name: Setup Cosign
         uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
@@ -49,22 +49,22 @@ jobs:
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to Quay.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_BOT_USERNAME }}
           password: ${{ secrets.QUAY_BOT_TOKEN }}
 
       - name: Run GoReleaser
         id: goreleaser
-        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
           # Note that the following is the version of goreleaser, and NOT a Go version!
           # When bumping it, make sure to check out goreleaser's changelog first!

README.rst

@@ -378,6 +378,11 @@ a key. This has the following form::
 
     https://${VAULT_URL}/keys/${KEY_NAME}/${KEY_VERSION}
 
+You can omit the version, and have just a trailing slash, and this will use
+whatever the latest version of the key is::
+
+    https://${VAULT_URL}/keys/${KEY_NAME}/
+
 To create a Key Vault and assign your service principal permissions on it
 from the commandline:
 
@@ -401,6 +406,10 @@ Now you can encrypt a file using::
 
     $ sops encrypt --azure-kv https://sops.vault.azure.net/keys/sops-key/some-string test.yaml > test.enc.yaml
 
+or, without the version::
+
+    $ sops encrypt --azure-kv https://sops.vault.azure.net/keys/sops-key/ test.yaml > test.enc.yaml
+
 And decrypt it using::
 
     $ sops decrypt test.enc.yaml
@@ -846,14 +855,6 @@ Example: place the following in your ``~/.bashrc``
     SOPS_GPG_EXEC = 'your_gpg_client_wrapper'
 
 
-Specify a different GPG key server
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-By default, SOPS uses the key server ``keys.openpgp.org`` to retrieve the GPG
-keys that are not present in the local keyring.
-This is no longer configurable. You can learn more about why from this write-up: `SKS Keyserver Network Under Attack <https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f>`_.
-
-
 Key groups
 ~~~~~~~~~~
 

audit/audit.go

@@ -14,7 +14,7 @@ import (
 
 	"github.com/getsops/sops/v3/logging"
 	"github.com/sirupsen/logrus"
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v3"
 )
 
 var log *logrus.Logger

azkv/keysource.go

@@ -79,12 +79,21 @@ func NewMasterKey(vaultURL string, keyName string, keyVersion string) *MasterKey
 // MasterKey. The URL format is {vaultUrl}/keys/{keyName}/{keyVersion}.
 func NewMasterKeyFromURL(url string) (*MasterKey, error) {
 	url = strings.TrimSpace(url)
-	re := regexp.MustCompile("^(https://[^/]+)/keys/([^/]+)/([^/]+)$")
+	re := regexp.MustCompile("^(https://[^/]+)/keys/([^/]+)(/[^/]*)?$")
 	parts := re.FindStringSubmatch(url)
 	if len(parts) < 3 {
-		return nil, fmt.Errorf("could not parse %q into a valid Azure Key Vault MasterKey", url)
+		return nil, fmt.Errorf("could not parse %q into a valid Azure Key Vault MasterKey %v", url, parts)
 	}
-	return NewMasterKey(parts[1], parts[2], parts[3]), nil
+	// Blank key versions are supported in Azure Key Vault, as they default to the latest
+	// version of the key. We need to put the actual version in the sops metadata block though
+	var key *MasterKey
+	if len(parts[3]) > 1 {
+		key = NewMasterKey(parts[1], parts[2], parts[3][1:])
+	} else {
+		key = NewMasterKey(parts[1], parts[2], "")
+	}
+	err := key.ensureKeyHasVersion(context.Background())
+	return key, err
 }
 
 // MasterKeysFromURLs takes a comma separated list of Azure Key Vault URLs,
@@ -145,6 +154,36 @@ func (key *MasterKey) Encrypt(dataKey []byte) error {
 	return key.EncryptContext(context.Background(), dataKey)
 }
 
+func (key *MasterKey) ensureKeyHasVersion(ctx context.Context) error {
+	if (key.Version != "") {
+		// Nothing to do
+		return nil
+	}
+
+	token, err := key.getTokenCredential()
+
+	if err != nil {
+		log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Info("Encryption failed")
+		return fmt.Errorf("failed to get Azure token credential to retrieve key version: %w", err)
+	}
+
+	c, err := azkeys.NewClient(key.VaultURL, token, key.clientOptions)
+	if err != nil {
+		log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Info("Encryption failed")
+		return fmt.Errorf("failed to construct Azure Key Vault client to retrieve key version: %w", err)
+	}
+
+	kdetail, err := c.GetKey(ctx, key.Name, key.Version, nil)
+	if err != nil {
+		log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Info("Encryption failed")
+		return fmt.Errorf("failed to fetch Azure Key to retrieve key version: %w", err)
+	}
+	key.Version = kdetail.Key.KID.Version()
+
+	log.WithFields(logrus.Fields{"key": key.Name, "version": key.Version}).Info("Version fetch succeeded")
+	return nil
+}
+
 // EncryptContext takes a SOPS data key, encrypts it with Azure Key Vault, and stores
 // the result in the EncryptedKey field.
 func (key *MasterKey) EncryptContext(ctx context.Context, dataKey []byte) error {

cmd/sops/main.go

@@ -78,12 +78,14 @@ func main() {
 
 	keyserviceFlags := []cli.Flag{
 		cli.BoolTFlag{
-			Name:  "enable-local-keyservice",
-			Usage: "use local key service",
+			Name:   "enable-local-keyservice",
+			Usage:  "use local key service",
+			EnvVar: "SOPS_ENABLE_LOCAL_KEYSERVICE",
 		},
 		cli.StringSliceFlag{
-			Name:  "keyservice",
-			Usage: "Specify the key services to use in addition to the local one. Can be specified more than once. Syntax: protocol://address. Example: tcp://myserver.com:5000",
+			Name:   "keyservice",
+			Usage:  "Specify the key services to use in addition to the local one. Can be specified more than once. Syntax: protocol://address. Example: tcp://myserver.com:5000",
+			EnvVar: "SOPS_KEYSERVICE",
 		},
 	}
 	app.Name = "sops"

config/config.go

@@ -19,7 +19,7 @@ import (
 	"github.com/getsops/sops/v3/kms"
 	"github.com/getsops/sops/v3/pgp"
 	"github.com/getsops/sops/v3/publish"
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v3"
 )
 
 type fileSystem interface {
@@ -508,7 +508,18 @@ func parseDestinationRuleForFile(conf *configFile, filePath string, kmsEncryptio
 	}
 
 	var dest publish.Destination
-	if dRule.S3Bucket != "" && dRule.GCSBucket != "" && dRule.VaultPath != "" {
+	destinationCount := 0
+	if dRule.S3Bucket != "" {
+		destinationCount++
+	}
+	if dRule.GCSBucket != "" {
+		destinationCount++
+	}
+	if dRule.VaultPath != "" {
+		destinationCount++
+	}
+
+	if destinationCount > 1 {
 		return nil, fmt.Errorf("error loading config: more than one destinations were found in a single destination rule, you can only use one per rule")
 	}
 	if dRule.S3Bucket != "" {