Running "rails credentials:edit" returns "key must be 16 bytes" #33528
Comments
@Drillan767 |
I can reproduce the error with: .dockerignore
Error:
In this case, when you build the container with secrets.yml.enc and without the master.key, it was generated outside the container. The newly built container has the new secrets.yml.enc and the old master.key; the error ActiveSupport::MessageEncryptor::InvalidMessage is trying to say that. If your case is the same, you can change the step: you need to pass the Rails master key when building the container
|
It is probable that the master key is not set correctly, as MiguelSavignano already explained. Please check the setting. Also, please use the mailing list or StackOverflow for questions/help, where a wider community will be able to help you. We reserve the issues tracker for issues only. Thanks! |
The Dockerfile containing credentials:edit is very confusing... but the root cause here is this text from the original problem description:
It's not really documented anywhere obvious (to me), but the RAILS_MASTER_KEY needs to be exactly 32 characters long. Using On a newly-generated rails app, the config/master.key is auto-generated, and If, however, you're trying to retroactively add credentials to an existing app, it's tempting to generate a long password and try to use that... but if you exceed 32 characters you'll receive the error below:
Full stack trace:
Test scenario, on a newly-generated app:
If I then delete config/credentials.yml.enc and run
If, however I write an additional byte to
Normally, a https://en.wikipedia.org/wiki/Key_derivation_function takes care of mapping the supplied key into an encryption key of the appropriate length. Since we're not using one (and I think we should...) we have to keep the key exactly the correct length. |
Thank you @oskarpearson for these details! From what you say, I understand way better where my errors come from (i.e, I thought the |
What workaround exists to ensure there are no extra chars included with such a command? |
Guys, you won't believe it. It worked for me when I switched off protection & masking settings in the CI/CD. When they were masked & protected, it was copying $RAILS_MASTER_KEY as 1 char to config/master.key, which was making Rails complain of 16 bytes needed for the key. But when I relaxed it, it worked. After 16 good hrs of debugging. -___- |
I got the same issue. If you are working on a kubernetes cluster and if you are using a secret resource to pass a value, it may add an extra EOL at the end. As a workaround, we can wrap the rails command as:

    #!/usr/bin/env bash
    RAILS_MASTER_KEY=$(cat <(echo $RAILS_MASTER_KEY))
    exec bundle exec rails "$@"

or we can manipulate the env variable at the beginning of the rails boot (maybe

    if (key = ENV["RAILS_MASTER_KEY"])
      ENV["RAILS_MASTER_KEY"] = key.chomp
    end

(update) I was wrong. My local

    $ echo -n $(cat config/master.key) |base64

But it is still confusing because it works as expected on my local environment. |
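An added example (not part of the thread and not Rails' own code) that reproduces the failure modes reported in the comments above: a key that is not exactly 32 characters, and a key that picked up a trailing EOL. It assumes the 32-character key is hex-decoded into the 16-byte AES-128-GCM key the error message refers to; `diagnose_master_key`, `cipher_error_for` and the sample values are constructed for illustration.

```ruby
require "openssl"

EXPECTED_HEX_CHARS = 32 # assumption: 32 hex characters decode to the 16-byte key

# Lists what is wrong with a candidate master key without echoing the key itself.
# An empty list means the value has the expected shape.
def diagnose_master_key(raw)
  problems = []
  if (tail = raw[/\s+\z/])
    problems << "trailing whitespace/EOL #{tail.inspect}"
  end
  problems << "leading whitespace" if raw.match?(/\A\s/)
  key = raw.strip
  unless key.length == EXPECTED_HEX_CHARS
    problems << "#{key.length} characters after stripping, expected #{EXPECTED_HEX_CHARS}"
  end
  problems << "non-hex characters present" unless key.match?(/\A\h*\z/)
  problems
end

# Hex-decodes the value and hands it to AES-128-GCM as the cipher key.
# Returns nil when OpenSSL accepts it, otherwise the error message.
def cipher_error_for(raw)
  cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
  cipher.key = [raw].pack("H*")
  nil
rescue ArgumentError => e
  e.message
end

# Constructed sample values, not real keys.
GOOD_KEY = "0123456789abcdef0123456789abcdef"
SAMPLES = {
  "well-formed"         => GOOD_KEY,
  "trailing EOL"        => GOOD_KEY + "\n",
  "collapsed to 1 char" => "x",
  "too long"            => GOOD_KEY * 2,
}

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |label, value|
    puts "#{label}: #{diagnose_master_key(value).inspect} -> #{cipher_error_for(value).inspect}"
  end
end
```

Running the same check against the value the container or CI job actually receives shows whether the key changed in transit before Rails ever tries to decrypt anything.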
The damage that master.key caused in every deployment is more than the whole productivity you gain building apps on Rails :/ :/ |
Thank you for that hint. I was scratching my head for like an hour. I edited my K8 secret, but the value had an EOL character in it. Then I generated correct base64 encoded secret with |
✅ Solved it with the following steps:
|
I'm getting this error as well with Rails 7.0.7.2, Ruby 2.7.6. I just tried the solution @m-faseeh-qbatch proposed. It gave me the same error. To be clear, the error I'm getting is for 32 characters.
|
Getting the same error as well. Rails 7.0.7 and Ruby 3.2.2 |
If someone is able to provide a reproduction script that might identify a bug that would be greatly appreciated, otherwise this ticket just becomes a "me too" thread for anyone who had trouble deploying their application's secrets. We try to reserve the issue tracker for bugs, please use discuss for support. |
I just set |
Steps to reproduce
RAILS_MASTER_KEY to the figaro-generated application.yml file, with the result of the "rails secret" command
bundle exec rails s
Here is the whole Dockerfile
Expected behavior
Everything should work smoothly
Actual behavior
I've seen on some other issues that I somehow needed to delete "master.key" and "credential.yml.enc", and that running rails credentials:edit should create them back. If I keep the original files without changing or deleting them, I get the following error:
If I delete them, I'll get an error saying that the "rails_secret_key" hasn't been defined (I can't retrieve the exact message)
If I run the command rails credentials:edit, I'll get the error (While I've seen a lot of people running this command without trouble)
And, finally, if I run the command EDITOR=nano rails credentials:edit, I get the following error:
So I'm stuck, I've tried a lot of solutions, and even running the commands outside the Docker context won't work.
System configuration
Rails version: Rails 5.2.0
Ruby version: Ruby 2.4.3 (No problem if I have to update this one)
What should I do? Thank you in advance
P.S. I have absolutely no problem whatsoever when running in development mode