Reordering of fields in encrypted data causes decryption to fail. #833
Comments
This is intended and not a bug.
Is there anywhere I can get more information on why this is intended? YAML keys are unordered. This implementation violates the specification. Additionally, it means that it can be difficult to process the YAML output with other applications, since they may reorder the fields (which is completely valid).
Comments are also not part of the YAML data, and we preserve them anyway, because it's what most users want. SOPS does not operate on YAML data, it operates on YAML files. We aren't going to change this, people rely on it.
I suggest you have those applications work on the decrypted YAML and not the encrypted SOPS files. Any sort of processing you're going to do on that file is going to mess things up. You can use
Sops computes a MAC of all values to be able to detect tampering with the file's contents. MACs require correct ordering. (What sops could do is order all keys alphabetically, but that would be a breaking change.)
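The order dependence described in the comment above, as an added example that is not part of the thread and is not SOPS's own code: a simplified model that computes an HMAC over leaf values in document order, next to the sorted-key variant the comment mentions. The key, function names and sample documents are constructed for illustration.

```python
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"  # constructed; stands in for a per-file data key


def walk_values(node, sort_keys=False):
    """Yield leaf values depth-first, in document order or in sorted key order."""
    if isinstance(node, dict):
        keys = sorted(node) if sort_keys else list(node)
        for k in keys:
            yield from walk_values(node[k], sort_keys)
    elif isinstance(node, list):
        for item in node:  # list order is part of the data, so it is never sorted
            yield from walk_values(item, sort_keys)
    else:
        yield str(node).encode()


def tree_mac(tree, sort_keys=False):
    """HMAC-SHA256 over length-prefixed leaf values in traversal order."""
    mac = hmac.new(DEMO_KEY, digestmod=hashlib.sha256)
    for value in walk_values(tree, sort_keys):
        mac.update(len(value).to_bytes(4, "big") + value)
    return mac.hexdigest()


def verify(tree, stored_mac, sort_keys=False):
    """Constant-time comparison of the recomputed MAC with the stored one."""
    return hmac.compare_digest(tree_mac(tree, sort_keys), stored_mac)


# Constructed sample documents; dicts keep insertion order, like keys in a file.
original = {"db": {"user": "app", "password": "s3cret"}, "api_key": "abc123"}
reordered = {"api_key": "abc123", "db": {"password": "s3cret", "user": "app"}}
tampered = {"db": {"user": "app", "password": "changed"}, "api_key": "abc123"}

if __name__ == "__main__":
    stored = tree_mac(original)  # MAC over values in document order
    print("same order:      ", verify(original, stored))
    print("reordered:       ", verify(reordered, stored))
    print("tampered:        ", verify(tampered, stored))
    canon = tree_mac(original, sort_keys=True)  # MAC over values in sorted key order
    print("sorted/reordered:", verify(reordered, canon, sort_keys=True))
    print("sorted/tampered: ", verify(tampered, canon, sort_keys=True))
```

In this model a reordered file fails verification exactly like a tampered one, while the sorted-key variant accepts the reordering and still rejects the changed value.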
Sounds like the data fields should be implemented as a list rather than an object, though I understand that this would be a breaking change.
For some reason, reordering fields in the output of sops -e causes the data to be unable to be decrypted by sops -d. Relying on the ordering of fields in a YAML document is incorrect usage, so this is clearly a bug.