Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

encrypt-file cannot be used for multiple files #239

Closed
BanzaiMan opened this issue Oct 20, 2014 · 9 comments
Closed

encrypt-file cannot be used for multiple files #239

BanzaiMan opened this issue Oct 20, 2014 · 9 comments

Comments

@BanzaiMan
Copy link
Contributor

@BanzaiMan BanzaiMan commented Oct 20, 2014

It seems impossible to use encrypt-file on multiple files.

One can run the command multiple times on different files, but the later invocation overwrites the secure environment variables, invalidating the earlier encryptions.

I suspect -K and -iv flags are meant to overcome this, but it fails as follows:

$ travis encrypt-file --skip-version-check -K 7b758bbf041361268b192d816d60ec84907106015402f31fdc5ae165fdce0979 -iv 7aaf728695ac967003d5345d9be63924 foo1                                                        
travis: version unknown
@rkh
Copy link
Contributor

@rkh rkh commented Oct 28, 2014

I don't know where the "version unknown" is coming from. -K and -iv should not be used in the normal workflow, even for multiple files.

Each file should have its own set of variables (that's why there's a hash in the var name). Do you have an example for this failing?

@mfornasa
Copy link

@mfornasa mfornasa commented Oct 29, 2014

+1

1 similar comment
@chris-redekop
Copy link

@chris-redekop chris-redekop commented Nov 15, 2014

+1

@rayshan
Copy link

@rayshan rayshan commented Nov 17, 2014

+1

Here's an example of encrypting multiple files failing:
https://travis-ci.org/rayshan/ga-extractor/builds/41199310

Note that I ran encrypt-file multiple times, every time seem to generate a new key / iv pair seen from the -p flag. On Travis CI only 1 pair of key / iv is saved.

@grahamc
Copy link

@grahamc grahamc commented Nov 25, 2014

+1

1 similar comment
@pirog
Copy link

@pirog pirog commented Dec 3, 2014

+1

@travis-ci travis-ci locked and limited conversation to collaborators Dec 4, 2014
@BanzaiMan
Copy link
Contributor Author

@BanzaiMan BanzaiMan commented Jan 8, 2015

I don't think we can pull the decrypted key and iv values once they are uploaded.

Workaround

Create an archive of sensitive files, and encrypt this archive. In your before_install section, you'd decrypt it, and expand the archive.

$ tar cvf secrets.tar foo bar
$ travis encrypt-file secrets.tar
$ vi .travis.yml
$ git add secrets.tar.enc .travis.yml
$ git commit -m 'use secret archive'
$ git push
before_install:
  - openssl aes-256-cbc -K $encrypted_5880cf525281_key -iv $encrypted_5880cf525281_iv -in secrets.tar.enc -out secrets.tar -d
  - tar xvf secrets.tar

The management might be a little cumbersome still.

@BanzaiMan
Copy link
Contributor Author

@BanzaiMan BanzaiMan commented Jan 8, 2015

@BanzaiMan BanzaiMan closed this Jan 8, 2015
@svenfuchs
Copy link
Contributor

@svenfuchs svenfuchs commented Sep 12, 2019

For reference, this should be fixed in #678

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
8 participants