CHANGELOG.rst

Changelog

3.8.1

Improvements:

• Improve handling of errors when binary store handles bad data (#1289)
• On macOS, prefer XDG_CONFIG_HOME over os.UserConfigDir() (#1291)
• Dependency updates (#1306, #1319, #1325)
• pgp: better error reporting for missing GPG binary during import of keys (#1286)
• Fix descriptions of unencrypted-regex and encrypted-regex flags, and ensure unencrypted_regex is considered in config validation (#1300)
• stores/json: improve error messages when parsing invalid JSON (#1307)

Bug fixes:

• pgp: improve handling of GnuPG home dir (#1298)
• Do not crash if an empty YAML file is encrypted (#1290)
• Handling of various ignored errors (#1304, #1311)
• pgp: do not require abs path for SOPS_GPG_EXEC (#1309)
• Report key rotation errors (#1317)
• Ensure wrapping of errors in main package (#1318)

Project changes:

• Enrich AWS authentication documentation (#1272)
• Add linting for RST and MD files (#1287)
• Delete SOPS encrypted file we don't have keys for (#1288)
• CI dependency updates (#1295, #1301)
• pgp: make error the last return value (#1310)
• Improve documentation files (#1320)

3.8.0

Features:

• Support --version without network requests using --disable-version-check (#1115)
• Support --input-type for updatekeys command (#1116)

Improvements:

• pgp: modernize and improve, and add tests (#1054, #1282)
• azkv: update SDK to latest, add tests, tidy (#1067, #1092, #1256)
• age: improve identity loading, add tests, tidy (#1064)
• kms: AWS SDK V2, allow creds config, add tests (#1065, #1257)
• gcpkms: update SDK to latest, add tests, tidy (#1072, #1255)
• hcvault: update API, add tests, tidy (#1085)
• Do not report version when upstream --version check fails (#1124)
• Use GitHub endpoints in --version command (#1261)
• Close temporary file before invoking editor to widen support on Windows (#1265)
• Update dependencies (#1063, #1091, #1147, #1242, #1260, #1264, #1275, #1280, #1283)
• Deal with various deprecations of dependencies (#1113, #1262)

Bug fixes:

• Ensure YAML comments are not displaced (#1069)
• Ensure default Google credentials can be used again after introduction of GOOGLE_CREDENTIALS (#1249)
• Avoid duplicate logging of errors in some key sources (#1146, #1281)
• Using --set on a root level key does no longer truncate existing values (#899)
• Ensure stable order of SOPS parameters in dotenv file (#1101)

Project changes:

• Update Go to 1.20 (#1148)
• Update rustc functional tests to v1.70.0 (#1234)
• Remove remaining CircleCI workflow (#1237)
• Run CLI workflow on main (#1243)
• Delete obsolete validation/ artifact (#1248)
• Rename Go module to github.com/getsops/sops/v3 (#1247)
• Revamp release automation, including (Cosign) signed container images and checksums file, SLSA3 provenance and SBOMs (#1250)
• Update various bits of documentation (#1244)
• Add missing --encrypt flag from Vault example (#1060)
• Add documentation on how to use age in .sops.yaml (#1192)
• Improve Make targets and address various issues (#1258)
• Ensure clean working tree in CI (#1267)
• Fix CHANGELOG.rst formatting (#1269)
• Pin GitHub Actions to full length commit SHA and add CodeQL (#1276)
• Enable Dependabot for Docker, GitHub Actions and Go Mod (#1277)
• Generate versioned .intoto.jsonl (#1278)
• Update CI dependencies (#1279)

3.7.3

Changes:

• Upgrade dependencies (#1024, #1045)
• Build alpine container in CI (#1018, #1032, #1025)
• keyservice: accept KeyServiceServer in LocalClient (#1035)
• Add support for GCP Service Account within GOOGLE_CREDENTIALS (#953)

Bug fixes:

• Upload the correct binary for the linux amd64 build (#1026)
• Fix bug when specifying multiple age recipients (#966)
• Allow for empty yaml maps (#908)
• Limit AWS role names to 64 characters (#1037)

3.7.2

Changes:

• README updates (#861, #860)
• Various test fixes (#909, #906, #1008)
• Added Linux and Darwin arm64 releases (#911, #891)
• Upgrade to go v1.17 (#1012)
• Support SOPS_AGE_KEY environment variable (#1006)

Bug fixes:

• Make sure comments in yaml files are not duplicated (#866)
• Make sure configuration file paths work correctly relative to the config file in us (#853)

3.7.1

Changes:

• Security fix
• Add release workflow (#843)
• Fix issue where CI wouldn't run against master (#848)
• Trim extra whitespace around age keys (#846)

3.7.0

Features:

• Add support for age (#688)
• Add filename to exec-file (#761)

Changes:

• On failed decryption with GPG, return the error returned by GPG to the sops user (#762)
• Use yaml.v3 instead of modified yaml.v2 for handling YAML files (#791)
• Update aws-sdk-go to version v1.37.18 (#823)

Project Changes:

• Switch from TravisCI to Github Actions (#792)

3.6.1

Features:

• Add support for --unencrypted-regex (#715)

Changes:

• Use keys.openpgp.org instead of gpg.mozilla.org (#732)
• Upgrade AWS SDK version (#714)
• Support --input-type for exec-file (#699)

Bug fixes:

• Fixes broken Vault tests (#731)
• Revert "Add standard newline/quoting behavior to dotenv store" (#706)

3.6.0

Features:

• Support for encrypting data through the use of Hashicorp Vault (#655)
• sops publish now supports --recursive flag for publishing all files in a directory (#602)
• sops publish now supports --omit-extensions flag for omitting the extension in the destination path (#602)
• sops now supports JSON arrays of arrays (#642)

Improvements:

• Updates and standardization for the dotenv store (#612, #622)
• Close temp files after using them for edit command (#685)

Bug fixes:

• AWS SDK usage now correctly resolves the ~/.aws/config file (#680)
• sops updatekeys now correctly matches config rules (#682)
• sops updatekeys now correctly uses the config path cli flag (#672)
• Partially empty sops config files don't break the use of sops anymore (#662)
• Fix possible infinite loop in PGP's passphrase prompt call (#690)

Project changes:

• Dockerfile now based off of golang version 1.14 (#649)
• Push alpine version of docker image to Dockerhub (#609)
• Push major, major.minor, and major.minor.patch tagged docker images to Dockerhub (#607)
• Removed out of date contact information (#668)
• Update authors in the cli help text (#645)

3.5.0

Features:

• sops exec-env and sops exec-file, two new commands for utilizing sops secrets within a temporary file or env vars

Bug fixes:

• Sanitize AWS STS session name, as sops creates it based off of the machines hostname
• Fix for decrypt.Data to support .ini files
• Various package fixes related to switching to Go Modules
• Fixes for Vault-related tests running locally and in CI.

Project changes:

• Change to proper use of go modules, changing to primary module name to go.mozilla.org/sops/v3
• Change tags to requiring a v prefix.
• Add documentation for sops updatekeys command

3.4.0

Features:

• sops publish, a new command for publishing sops encrypted secrets to S3, GCS, or Hashicorp Vault
• Support for multiple Azure authentication mechanisms
• Azure Keyvault support to the sops config file
• encrypted_regex option to the sops config file

Bug fixes:

• Return non-zero exit code for invalid CLI flags
• Broken path handling for sops editing on Windows
• go lint/fmt violations
• Check for pgp fingerprint before slicing it

Project changes:

• Build container using golang 1.12
• Switch to using go modules
• Hashicorp Vault server in Travis CI build
• Mozilla Publice License file to repo
• Replaced expiring test gpg keys

3.3.1

Bug fixes:

• Make sure the pgp key fingerprint is longer than 16 characters before slicing it. (#463)
• Allow for --set value to be a string. (#461)

Project changes:

• Using develop as a staging branch to create releases off of. What is in master is now the current stable release.
• Upgrade to using Go 1.12 to build sops
• Updated all vendored packages

3.3.0

New features:

• Multi-document support for YAML files
• Support referencing AWS KMS keys by their alias
• Support for INI files
• Support for AWS CLI profiles
• Comment support in .env files
• Added vi to the list of known editors
• Added a way to specify the GPG key server to use through the SOPS_GPG_KEYSERVER environment variable

Bug fixes:

• Now uses $HOME instead of ~ (which didn't work) to find the GPG home
• Fix panic when vim was not available as an editor, but other alternative editors were
• Fix issue with AWS KMS Encryption Contexts (#445) with more than one context value failing to decrypt intermittently. Includes an automatic fix for old files affected by this issue.

Project infrastructure changes:

• Added integration tests for AWS KMS
• Added Code of Conduct

3.2.0

• Added --output flag to write output a file directly instead of through stdout
• Added support for dotenv files

3.1.1

• Fix incorrect version number from previous release

3.1.0

• Add support for Azure Key Service
• Fix bug that prevented JSON escapes in input files from working

3.0.5

• Prevent files from being encrypted twice
• Fix empty comments not being decrypted correctly
• If keyservicecmd returns an error, log it.
• Initial sops workspace auditing support (still wip)
• Refactor Store interface to reflect operations SOPS performs

3.0.3

• --set now works with nested data structures and not just simple values
• Changed default log level to warn instead of info
• Avoid creating empty files when using the editor mode to create new files and not making any changes to the example files
• Output unformatted strings when using --extract instead of encoding them to yaml
• Allow forcing binary input and output types from command line flags
• Deprecate filename_regex in favor of path_regex. filename_regex had a bug and matched on the whole file path, when it should have only matched on the file name. path_regex on the other hand is documented to match on the whole file path.
• Add an encrypted-suffix option, the exact opposite of unencrypted-suffix
• Allow specifying unencrypted_suffix and encrypted_suffix rules in the .sops.yaml configuration file
• Introduce key service flag optionally prompting users on encryption/decryption

3.0.1

• Don't consider io.EOF returned by Decoder.Token as error
• add IsBinary: true to FileHints when encoding with crypto/openpgp
• some improvements to error messages

3.0.0

• Shamir secret sharing scheme support allows SOPS to require multiple master keys to access a data key and decrypt a file. See sops groups -help and the documentation in README.
• Keyservice to forward access to a local master key on a socket, similar to gpg-agent. See sops keyservice --help and the documentation in README.
• Encrypt comments by default
• Support for Google Compute Platform KMS
• Refactor of the store logic to separate the internal representation SOPS has of files from the external representation used in JSON and YAML files
• Reencoding of versions as string on sops 1.X files. WARNING this change breaks backward compatibility. SOPS shows an error message with instructions on how to solve this if it happens.
• Added command to reconfigure the keys used to encrypt/decrypt a file based on the .sops.yaml config file
• Retrieve missing PGP keys from gpg.mozilla.org
• Improved error messages for errors when decrypting files

2.0.0

• [major] rewrite in Go

1.14

• [medium] Support AWS KMS Encryption Contexts
• [minor] Support insertion in encrypted documents via --set
• [minor] Read location of gpg binary from SOPS_GPG_EXEC env variables

1.13

• [minor] handle $EDITOR variable with parameters

1.12

• [minor] make sure filename_regex gets applied to file names, not paths
• [minor] move check of latest version under the -V flag
• [medium] fix handling of binary data to preserve file integrity
• [minor] try to use configuration when encrypting existing files