v0.3.0
gman v0.3.0 Release Notes
BREAKING CHANGES - Please Read Before Upgrading!
This release contains critical security fixes and breaking changes. Grab a coffee, take a deep breath, and read this section carefully before upgrading.
Critical Security Fix: The Great Key Catastrophe of 2026
TL;DR: Your local vault secrets were about as secure as a diary with "DO NOT READ" written on the cover.
I discovered a rather embarrassing bug where the encryption key was being zeroized (wiped clean) before it was actually used to encrypt your secrets. This meant all your "encrypted" secrets in the local vault were essentially encrypted with an all-zeros key.
Oops.
The good news? I fixed it! The bad news? You'll need to migrate your existing secrets.
What You Need To Do (FIRST THING!)
After upgrading to v0.3.0, run this command before doing anything else:
gman migrate
This will:
- Read all your existing secrets (using the legacy "oops" decryption)
- Re-encrypt them properly with actual security this time
- Save them back to your vault
Important: The migrate command only works with the local provider. If you're using AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager, your secrets were always stored securely on those platforms (they handle their own encryption).
Config File Location Change (macOS Users, This One's For You!)
We upgraded from confy v1 to confy v2, which brings improved configuration handling. However, this comes with a side effect for my macOS friends:
Old location: ~/Library/Preferences/gman/config.yml
New location: ~/Library/Application Support/gman/config.yml
macOS Users: What To Do
Option A (Recommended): Just copy your config
mkdir -p ~/Library/Application\ Support/gman
cp ~/Library/Preferences/gman/config.yml ~/Library/Application\ Support/gman/
Option B: Start fresh and re-configure (it's not that bad, I promise!)
Linux and Windows users: Your config file location hasn't changed. Carry on!
Other Changes
Security Improvements
- Upgraded AWS dependencies to address CWE-20 (Improper Input Validation). Your cloud secrets are now extra cloud-secure!
- Hardened Argon2 parameters for key derivation (65 MiB memory, 3 iterations). Yes, it's a bit slower, but your secrets are worth the wait.
- KDF parameters are now cryptographically bound to the ciphertext via AAD. Fancy crypto speak for "extra tamper-proof."
- Password file permission checks on Unix systems - I'll yell at you if your password file is world-readable (as I should!)
Bug Fixes
- Secrets are now stored exactly as entered - no more mysterious disappearing newlines! What you put in is what you get out.
- Fixed XNonce deprecation warning - keeping things fresh and warning-free.
Infrastructure
- Upgraded to Azure SDK 0.31.0 - because even SDKs deserve nice things.
- Faster tests - the property tests no longer take a coffee break.
Migration Checklist
Here's your upgrade checklist:
- Read these release notes (you're doing great so far!)
- Upgrade gman to v0.3.0
- macOS users: Move your config file to the new location
- Local vault users: Run gman migrate immediately
- Verify your secrets are accessible: gman list
- Grab a snack. You earned it.
A Note From Yours Truly
Yes, the all-zeros-key bug was bad. Really bad. The kind of bug that makes you question your life choices at 2 AM. But I found it, I fixed it, and I added a migration path so you don't lose your secrets.
If you're curious about the technical details, the issue was in the key derivation function where I called key_bytes.zeroize() (for security!) right before creating the actual key from those bytes (not so secure!). Classic case of being too clever for my own good.
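The ordering bug described above, reduced to a std-only Rust sketch with a guard that would have caught it. This is an added example, not gman's actual code: `Key`, `wipe`, both constructor functions and `reject_zero_key` are hypothetical names, and `wipe` stands in for the `zeroize()` call.

```rust
use std::sync::atomic::{compiler_fence, Ordering};

/// Hypothetical key wrapper; stands in for the cipher's real key type.
#[derive(Debug, PartialEq)]
pub struct Key(pub [u8; 32]);

/// Std-only stand-in for `zeroize()`: volatile writes so the wipe is not optimized away.
fn wipe(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// BEFORE: the buffer is wiped first, so the key is built from 32 zero bytes.
pub fn key_wipe_then_use(mut key_bytes: [u8; 32]) -> Key {
    wipe(&mut key_bytes);
    Key(key_bytes)
}

/// AFTER: build the key from the live bytes, then wipe the temporary buffer.
pub fn key_use_then_wipe(mut key_bytes: [u8; 32]) -> Key {
    let key = Key(key_bytes); // [u8; 32] is Copy, so this copies the real bytes
    wipe(&mut key_bytes);
    key
}

/// Guard: refuse an all-zero key (OR-fold over every byte, no early exit).
pub fn reject_zero_key(key: Key) -> Result<Key, &'static str> {
    if key.0.iter().fold(0u8, |acc, b| acc | b) == 0 {
        return Err("derived key is all zeros");
    }
    Ok(key)
}

fn main() {
    // Constructed sample inputs standing in for two different KDF outputs.
    let (a, b) = ([0x11u8; 32], [0x22u8; 32]);
    println!("wipe-then-use, same key for different inputs: {}",
             key_wipe_then_use(a) == key_wipe_then_use(b));
    println!("use-then-wipe, same key for different inputs: {}",
             key_use_then_wipe(a) == key_use_then_wipe(b));
    println!("guard on wiped key: {:?}",
             reject_zero_key(key_wipe_then_use(a)).map(|_| "ok"));
}
```

A regression test asserting that two different inputs never produce the same key catches this class of bug even when encrypt-then-decrypt round trips still pass.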
Thanks for using gman, and thanks for your patience with this upgrade!
Full Changelog
- fix: Critical security fix for local vault encryption
- fix: Upgraded AWS dependencies to address CWE-20
- fix: Secrets stored exactly as passed without newlines stripped
- fix: Addressed XNonce::from_slice deprecation warning
- feat: Added gman migrate command for vault migration
- build: Upgraded to Azure SDK 0.31.0
- build: Upgraded to confy v2.0.0
- test: Improved test reliability and performance
- docs: Fixed typo in installation script command
Happy secret managing!