v0.3.0

@github-actions github-actions released this 02 Feb 01:14

🚀 gman v0.3.0 Release Notes

⚠️ BREAKING CHANGES - Please Read Before Upgrading!

This release contains critical security fixes and breaking changes. Grab a coffee ☕, take a deep breath, and read this section carefully before upgrading.


🔐 Critical Security Fix: The Great Key Catastrophe of 2026

TL;DR: Your local vault secrets were about as secure as a diary with "DO NOT READ" written on the cover.

I discovered a rather embarrassing bug where the encryption key was being zeroized (wiped clean) before it was actually used to encrypt your secrets. This meant all your "encrypted" secrets in the local vault were essentially encrypted with an all-zeros key. 🙈

Oops.

The good news? I fixed it! The bad news? You'll need to migrate your existing secrets.

🏃 What You Need To Do (FIRST THING!)

After upgrading to v0.3.0, run this command before doing anything else:

gman migrate

This will:

  1. Read all your existing secrets (using the legacy "oops" decryption)
  2. Re-encrypt them properly with actual security this time
  3. Save them back to your vault

⚑ Important: The migrate command only works with the local provider. If you're using AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager, your secrets were always stored securely on those platforms (they handle their own encryption).


📁 Config File Location Change (macOS Users, This One's For You!)

We upgraded from confy v1 to confy v2, which brings improved configuration handling. However, this comes with a side effect for my macOS friends:

Old location: ~/Library/Preferences/gman/config.yml
New location: ~/Library/Application Support/gman/config.yml

🍎 macOS Users: What To Do

Option A (Recommended): Just copy your config

mkdir -p ~/Library/Application\ Support/gman
cp ~/Library/Preferences/gman/config.yml ~/Library/Application\ Support/gman/

Option B: Start fresh and re-configure (it's not that bad, I promise!)

Linux and Windows users: Your config file location hasn't changed. Carry on! 🐧🪟


✨ Other Changes

🔒 Security Improvements

  • Upgraded AWS dependencies to address CWE-20 (Improper Input Validation). Your cloud secrets are now extra cloud-secure! ☁️🔐
  • Hardened Argon2 parameters for key derivation (65 MiB memory, 3 iterations). Yes, it's a bit slower, but your secrets are worth the wait.
  • KDF parameters are now cryptographically bound to the ciphertext via AAD. Fancy crypto speak for "extra tamper-proof."
  • Password file permission checks on Unix systems - I'll yell at you if your password file is world-readable (as I should!)

🛠️ Bug Fixes

  • Secrets are now stored exactly as entered - no more mysterious disappearing newlines! What you put in is what you get out.
  • Fixed XNonce deprecation warning - keeping things fresh and warning-free.

🏗️ Infrastructure

  • Upgraded to Azure SDK 0.31.0 - because even SDKs deserve nice things.
  • Faster tests - the property tests no longer take a coffee break. ☕→⚡

📋 Migration Checklist

Here's your upgrade checklist:

  • Read these release notes (you're doing great so far! 🌟)
  • Upgrade gman to v0.3.0
  • macOS users: Move your config file to the new location
  • Local vault users: Run gman migrate immediately
  • Verify your secrets are accessible: gman list
  • Grab a snack. You earned it. 🍪

🙏 A Note From Yours Truly

Yes, the all-zeros-key bug was bad. Really bad. The kind of bug that makes you question your life choices at 2 AM. But I found it, I fixed it, and I added a migration path so you don't lose your secrets.

If you're curious about the technical details, the issue was in the key derivation function where I called key_bytes.zeroize() (for security!) right before creating the actual key from those bytes (not so secure!). Classic case of being too clever for my own good.

Thanks for using gman, and thanks for your patience with this upgrade! 💙
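
The ordering bug described in the note above, reduced to a std-only Rust sketch beside the corrected order and a regression check that would catch it. This is an added example, not gman's code: `wipe`, `toy_kdf`, `Key`, `derive_key_buggy`, `derive_key_fixed` and `key_is_sane` are hypothetical names, and `toy_kdf` is a non-cryptographic stand-in for the Argon2 derivation the notes mention.

```rust
// Added illustration with hypothetical names; this is not gman's source code.

/// Stand-in for `zeroize()`: volatile writes so the wipe is not optimized away.
fn wipe(buf: &mut [u8]) {
    for b in buf.iter_mut() { unsafe { std::ptr::write_volatile(b, 0) } }
}

/// Toy derivation (FNV-1a mixing) so the example runs offline. NOT a real KDF;
/// the release notes say gman derives keys with Argon2.
fn toy_kdf(password: &[u8], salt: &[u8]) -> [u8; 32] {
    let mut out = [0u8; 32];
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for (i, slot) in out.iter_mut().enumerate() {
        let idx = [i as u8];
        for &b in password.iter().chain(salt).chain(&idx) {
            h = (h ^ b as u64).wrapping_mul(0x0000_0100_0000_01b3);
        }
        *slot = (h >> 32) as u8;
    }
    out
}

/// Owned key: holds its own copy of the bytes and wipes them on drop.
struct Key([u8; 32]);
impl Drop for Key { fn drop(&mut self) { wipe(&mut self.0) } }

/// Order described in the note: the buffer is wiped, then the key is built from it.
fn derive_key_buggy(password: &[u8], salt: &[u8]) -> Key {
    let mut key_bytes = toy_kdf(password, salt);
    wipe(&mut key_bytes);
    Key(key_bytes) // always 32 zero bytes, whatever the password
}

/// Corrected order: copy into the key first, then wipe the temporary buffer.
fn derive_key_fixed(password: &[u8], salt: &[u8]) -> Key {
    let mut key_bytes = toy_kdf(password, salt);
    let key = Key(key_bytes);
    wipe(&mut key_bytes);
    key
}

/// Regression check: a derived key must be non-zero and depend on the password.
fn key_is_sane(derive: fn(&[u8], &[u8]) -> Key) -> bool {
    let (a, b) = (derive(b"password-one", b"salt"), derive(b"password-two", b"salt"));
    a.0 != [0u8; 32] && a.0 != b.0
}

fn main() {
    println!("buggy: {}, fixed: {}", key_is_sane(derive_key_buggy), key_is_sane(derive_key_fixed));
}
```

An encrypt-then-decrypt round trip passes under the buggy order because both directions use the same zero key, which is why the check compares keys derived from different passwords.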


📚 Full Changelog

  • fix: Critical security fix for local vault encryption
  • fix: Upgraded AWS dependencies to address CWE-20
  • fix: Secrets stored exactly as passed without newlines stripped
  • fix: Addressed XNonce::from_slice deprecation warning
  • feat: Added gman migrate command for vault migration
  • build: Upgraded to Azure SDK 0.31.0
  • build: Upgraded to confy v2.0.0
  • test: Improved test reliability and performance
  • docs: Fixed typo in installation script command

Happy secret managing! 🔑✨