age encryption: sort keys for key meta lock file

.pre-commit-config.yaml

@@ -5,6 +5,7 @@ repos:
     rev: v4.4.0
     hooks:
     -   id: trailing-whitespace
+        exclude: ^(.*\.age|.*\.gpg)
     -   id: end-of-file-fixer
         # These are non-anchored regular rexpressions
         exclude: ^(.*/encrypted.cfg|.*/secrets.cfg|.*/secret-foobar.yaml|.*\.age|.*\.gpg)

CHANGES.md

@@ -4,7 +4,8 @@
 ## 2.4.2 (unreleased)
 ---------------------
 
-- Nothing changed yet.
+- Age encryption: Sort keys in the key lockfile to avoid unnecessary changes
+  in the lockfile. (#445)
 
 
 ## 2.4.1 (2024-01-30)

examples/tutorial-secrets/environments/age/age_keys.txt

@@ -10,16 +10,14 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPYrVHEfF/DJzGyabfH/Bm9aJnKiTU827z5FPCQ7+utj
 # ssh key file from https://github.com/zagy.keys
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/V2m6ZLeYirvLbc5qGYbtBlRGLVbTUimUXIvfVdpvP
 # ssh key file from https://github.com/frlan.keys
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACtwZOhqKCRHvdk8szRkjr79tTOjw2mIwwzz7mTDoexNUHWjDBqSXIXQbTEaBr9MWcCvVvzqB6Mk/IHlKXy5C2Qc0ycH7oMvcG/jg766jNS396J2j1OLEc3UM53YDQ/GrJWBWAOceb5o3rc/qz6+rl7Oqrnq+273iM8EmZF63esU5uY53SrL+3Hm1lgbnpO8DAA5HInindUyJMpnj/W640D+60qY76QoGMwnhU9aWWdgp2EkFEyYPbvMZYZnC18iiSk9qIAOkhNX1yXvhLJfXLX6eSz7YTTxAl7xelp0Ysuuzy2uejVYNEl1S14a8+aM04dN4gFh8K+lI9U8DdFuLENvtnyQ+3+s0P6aV6dRHjQAwF7q9kIOUZ2IVO9bBXoVimqQT8hL0/qMPaF4/Bmc8ffcmXEJkN7RhGUW8Xay4SPkbES73Lupc+WPSDOlAdRbEMI6gIHmXgYwuAlk8lT+CuBB4ljjiZUMwBfS3I8gCmfNHZN+Ip9fdO5QSiZoaflZ51P8wNgcMXID7/1aZpREOQnDqQpqzUoY82lZ3GMfWaZS8f8CGr9tayXz/vK3/W0TIirE6Gnq1ccUAzYcPXFhaWJtpudLzCkwCeVLqrQB8MGoaDEXVKjYMuSzMy70xlUGmI8ryJhXqMNHJjpfjgsGzlzzBZEZMwrO6SgDpX5BtzBDJC4gJw+QRBcomD2JT1VE/QCO9MOKgWuuhkA7DJ3Raq+b1e7enoXqyvrUB/8pO79MfDDJmgu2IcHswhx6Cp6mxsTTORi74x3IE7fz9ctZUJjQCeKqa9hYf7YF01nOzlRxWU7MaPjIrf4vdYaStZtSwVg2g9L2/TqQr9RUsPcDp9MACM8KEn4mz0uHAXxNsw0WwyqzM7MryL7U7mYLLmykGsgqd2tFlQQ8WmX9CgQbVOjf+imEXR6fwh
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFFa6yqU0JuPZ3mtN1EVDUvaf9/IYBQQC2GJFuX5+ucO
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACtwZOhqKCRHvdk8szRkjr79tTOjw2mIwwzz7mTDoexNUHWjDBqSXIXQbTEaBr9MWcCvVvzqB6Mk/IHlKXy5C2Qc0ycH7oMvcG/jg766jNS396J2j1OLEc3UM53YDQ/GrJWBWAOceb5o3rc/qz6+rl7Oqrnq+273iM8EmZF63esU5uY53SrL+3Hm1lgbnpO8DAA5HInindUyJMpnj/W640D+60qY76QoGMwnhU9aWWdgp2EkFEyYPbvMZYZnC18iiSk9qIAOkhNX1yXvhLJfXLX6eSz7YTTxAl7xelp0Ysuuzy2uejVYNEl1S14a8+aM04dN4gFh8K+lI9U8DdFuLENvtnyQ+3+s0P6aV6dRHjQAwF7q9kIOUZ2IVO9bBXoVimqQT8hL0/qMPaF4/Bmc8ffcmXEJkN7RhGUW8Xay4SPkbES73Lupc+WPSDOlAdRbEMI6gIHmXgYwuAlk8lT+CuBB4ljjiZUMwBfS3I8gCmfNHZN+Ip9fdO5QSiZoaflZ51P8wNgcMXID7/1aZpREOQnDqQpqzUoY82lZ3GMfWaZS8f8CGr9tayXz/vK3/W0TIirE6Gnq1ccUAzYcPXFhaWJtpudLzCkwCeVLqrQB8MGoaDEXVKjYMuSzMy70xlUGmI8ryJhXqMNHJjpfjgsGzlzzBZEZMwrO6SgDpX5BtzBDJC4gJw+QRBcomD2JT1VE/QCO9MOKgWuuhkA7DJ3Raq+b1e7enoXqyvrUB/8pO79MfDDJmgu2IcHswhx6Cp6mxsTTORi74x3IE7fz9ctZUJjQCeKqa9hYf7YF01nOzlRxWU7MaPjIrf4vdYaStZtSwVg2g9L2/TqQr9RUsPcDp9MACM8KEn4mz0uHAXxNsw0WwyqzM7MryL7U7mYLLmykGsgqd2tFlQQ8WmX9CgQbVOjf+imEXR6fwh
 # ssh key file from https://github.com/chrschm.keys
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbIH7V91cNn6vBTVWrTkyMP9pmYVF0eJsWWy0lEOWJD
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxEP3GtxYFY5vQkY7qYf7J8BKLg2sTwV4oy97mJb2Qf
 # ssh key file from https://github.com/nichmoe.keys
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN73G31DK8s8C/Z7UNFiGg5+05mYfdexhjFafl7z33yH
 # ssh key file from https://github.com/elikoga.keys
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEO9rt2tmkMNPVhhKNrwSHSrZH632rbqrEzRVfCQO0gn
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhg8pee2fZwv6ADydB9Lxa2xjmJlbwUESFIILyh9PZ+
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEF+8v7VDSypngMnG/wPSQKl8jg3WBnSZpRfiHJh7ce0
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINp4T6ndjaJKZfGnvl+xNoNMsZ7hXmsblRulj8ILLI5e
 # plain ssh public key
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIACZ8++sQADp8fztgumfw2i+WSgzMHB7MgSpkM2y5pHi batou-ci-test-key

examples/tutorial-secrets/environments/age/secret-other.age

@@ -1,39 +1,35 @@
 age-encryption.org/v1
--> ssh-ed25519 1vui/Q wjCSYiXak2v+l5AOyOjoJ9Vh1RentiIvCwZQHzBOz24
-GTi75OAxCDBnz7Mwe8WIFlZRcmE3aGoN56Oy7vb7V+I
--> ssh-ed25519 k6dgSQ eDwbXQB353v1c/KplPH1F3O9CLq4IhnoisbqrCWup30
-e7D+uSAYpL7W3GxxyTf5uoi/Xhbm0TLlWbPJVDdldlU
+-> ssh-ed25519 1vui/Q T5vzMW0UR06VPQjq+Ps0Cn0YGrp4OyJHZPb3d0qMhnI
+nYHq5P19psM6JpD/RrE/dy0Z+kfSYb9O8uNrdoujOfM
+-> ssh-ed25519 k6dgSQ s5uk4xkLAk87kFHryvp3aStMOs9Lz9epePHg/eKaKAs
+3IDrtZwoxKyCx3Mua2YKSplumq+j6yvYyyTSRpGDKJI
+-> ssh-ed25519 u+MCKg LGMJDqY8P5uzVUr8CoTTqzhDkEpNYD4RsL64/6gsXFQ
+1khwJhuciXJqcbUtHqSsngZ+75Z0jE3qXHu3MX4cREE
 -> ssh-rsa tAvqFw
-BR+u2l7zQSJtm0uMvIOXZaeLYR+y5fDF4vQ5D4csVdacN3x2NmgRZY9h1Wj3ROFP
-PPoycZ9zg9plpzS3CgEOkJg6O9n4hQ7xee4warh3/dO/VPWxE5ixenJzBCFKqTiS
-GaUjMu9ZbztjiILiucHO4BCkx1XMkf7ZGxiLVILQja7/g+HmT1OLlHKYbLG1EyUT
-4ULIzl5xWZT2AnKNQ/WazlL/y1RezXI4KKcPINCuoGt2irIfGvkEqAg5XnJDfvVH
-+kbxWYkCX2PrJLND2xGD44MgjRQkox4xb9+/s3I21v6Pnp77TaVAtTMA3ZyD81E+
-DUr9KpoHcGvYzNNvuxEeaIdgs35Z+uSz0t2fG8yiNdzsPczxzPsdjPoTqZfZF5CU
-EwanDWJVH/Z8nTZ55Sdv1MZVj7/uVceO5LFF/VnqvH4nMFM0bYWpebmAA9O+VtSK
-l6rwkU6A0kQTO1ywshdqFk22LlgdQjHMyBLbFbbX+UqSfZMsjI+Gnj5tTuq99NVx
-9uUYqpY7Lcbk9QE411VHMqqsLTpj7SNFGkEUiZA3fb8eHsKPEqcSURSzU4YRdHND
-adjRWkmzck2STnnOrcJRto9bEhWRYpOKJhXzlJXHUA//+hq4HTHEk/Fi38T19uNL
-qk6QWHD79v3NaZAqi1fwGCtjeOUi/KWzXUmMXmxhNZtGW2C1YVKOirVX5caO2m6h
-Mod5yqMqxxAPS1xuyJAErTfgeOVl1V3gZqt7PY4Cd9HJK0nuvc7RTzFoJcxiqe8q
-jicFa1qC/6h/uEE+B53HwNmdDEA/zIqUw4v79N7XdjDt4ToiXDSG/LqnKDQ1tvrI
-0DZYXGs8Ky/wv0ebEqLF9HMz3XF/iAAreEGia4ohRBJcn4V8EUhIGrOWZARqvK6q
-rGqqh+d0P+W2HZ674TQfi1lwQRVy6DI
--> ssh-ed25519 u+MCKg 0zsqCluuEM12Ik9wN/6+ZQio+Ma7lXm3fbMK9Z+xHEI
-htfX6KRo0thKHaJtiur60P3tE5QK1Sw6O8m9HOH6I6k
--> ssh-ed25519 Mu34Yw kO1EWpo8wzAGBjP98OSm0/bZfaVThB3oUvWPyVtKeRY
-dblQxqpelBu39c5/GgzlNPVrgpD7DSL31+xkFpRjiZI
--> ssh-ed25519 uLFU0w sGjjdCBMVlb7fhzUlGTkixuwon7gdrQw8TDofbBkl3s
-9VBAhIR6vNl+0ONY109iHc2oAP3s9EcfcSmOaRhizYo
--> ssh-ed25519 NVBcrQ SwBf4Cm7GJkkB2GhcDxpl4iZXzfw3eVY2HePrqv5ABo
-E6LcReNPbZ43UbC13KYv97cOGWNsACBHdX5ej7xLCFc
--> ssh-ed25519 qJw5Ag 6MzdaN/gJ7G6ZLYV8LBvEIGOhtEJrY6qwDk2TRjG7FI
-RA/dn1xnYJg6qzF9fnBWRBvtg+PpsVGKWAp+UKbOWUc
--> ssh-ed25519 ZeVDmQ 5BEyz0UXnQLRsEKU1u4BPbN1CSGwVF7ijBw1feYWGRE
-eVExjuH/h2JyIyykfk1dmg/Lufzn/lDrIQHC6PVjmhQ
--> ssh-ed25519 yEThaA 6Sp0f6HIrho+aMfOVridz4ftEDCOKAYnxGx+Qw6IOCk
-1Jfu5+IwsvukABQDqe+RMN9ttSv2Bnl8Q6fz4wdYuWM
--> ssh-ed25519 b4mqAQ xSDnPm/gL5WS/IqEmgWamE0QUIWNNnp8eOsQmvDXjFM
-M0yfs3kKEtQAEWIqjukNc8J+vFUpPQtd8M0xkuwck0Y
---- QXJYX4gSbCgK+KfraX1FUml/qGLWfUCiBbImeGzLpiA
-I%×
ý©Ui Û÷x4ôùÃ|P‘à
TŠ+µÞ–+Ë6¾¾˜¤šj™œ‹GÏœ
+A/7c0+YwXn8lZgtyEyCB9sDLJToho8LuDZ7rq8qXg6nc0fpivEHtPdT6jv5KsaQH
+0D+t9StJ4wUOSplZLHDMW2I3Axk/E/tzvOfVvAVHkuws1e1GJOHrJO8e1B4h9pc5
+5ElE/l8AM/5mFVbwekz4xmGbM1I0ziU5LBTBrEj8M6Vkny372I1VERDf3i0T8He7
+EQQu8dW8N80eim1a+3Qtcm0mto7AB8QQnR+L5t36E5SVla4vAL7+wcs5VoXnhSEn
+lus2wEJ2tpwtF+K1Dop9nivbGs9SFKTft1HeCrLgeRLTCzyCKsPaffi5ASlxV1Pb
+ABLTfOm2Y7clRCcCtQcCkUn9u8M5hkH8vSbbS3TOzbbY/1yx2p8BCcTGuiwjTZwY
+HvwDw33C9QASnMwQYW42sfHYpZ4rWok3V4Oabu62tb7mnHoU8f3MSp/8skTcS+97
+7t2Uff/W+vZwEDxTgPOQQmHG8Y9yVfV5Es5Z+nbxCnyd82LC6TuywjcCLbHY1IQU
+AphQGlqlSSp3VQ0GiPXLTsc8eWA6lNeum/1goKWgbl58aWYkuovAGJQVzYnwHckz
+reV7aisNQyUkFJkWRZC1j62JJdJ+yoJo0dGKSf1ijOQOjYZGpWuysQWSrBHwPsvF
+Wsee1WmJmcddHuak/xY/oF7w/CDcAnfTjsr/aQ4l3vaVsWyccsUe/X5jeSWJ/Q4O
+9ohcOotwFjA2u++JC5dDsGemZoLNGukl7K/GhFomtu0ZlLLiLeyDcFBruARp2OV1
+ktXcjBxNV+8oaNasMYvIGudKcWPDpyGxT5ffWk/so7a4scFMFjidtR8q3iC4iH8c
+am3Vc4AvACbdKkR57ttz8buaA1Dzw1GVHM8A4AF/KTTap0opb6N3GKQ3tEJAKGqP
+fM0ZGN+qQ+Aasl6ScHJLdFSohyMlXpA
+-> ssh-ed25519 KK5aEQ nSRSM4iOSbUZE/l8aQbJTuL8F7ia3i68ybN6YaEN8z8
+RGQoLC77zxwmKSWfqSPxlogsnW3QTN4mXRN6HfUxgik
+-> ssh-ed25519 uLFU0w OE4SlcxBkwYt02GfLptUQZg0ATlYp0zIpWAUAQ1ZtlA
+hZvukNfT2ur52oOY/eV2NvDMAKwzT3Z21qkfUJEEu+U
+-> ssh-ed25519 qJw5Ag Thc2IWOAIV/tGMY1PX5uma+/ibI2t/D97YpMfuUi3Ug
+UBEyuShTayzyDqGQq3TNpTwYH/nq4Ctu4EfL9F/QzOg
+-> ssh-ed25519 yEThaA Mf+VUb8hGs7ZPSaFK7+6PTg0YH4r9/kSK10j/qXxoQs
+YASyYnaYzPV0n831oosOdL6d9mNDjs+nr4nkd1FBTOo
+-> ssh-ed25519 b4mqAQ GaI6oI+qYPJn9E9kDL4iqy8aczvM+3CAax/3d14QESY
+36vIAqnItCewfZMOfYEyQvpsJzO5Cb4RnR1BGoLWmv4
+--- /Y1h5aOxrkdn7TCY8nJORvP5wAmpyqhrUn6T6K+XjzM
+ç—SâüQ
•mŠžŽ’R¶šWZŒ´€»~Ÿ1~W‚…èªî;DÂ[®3a3¿qø×

src/batou/secrets/__init__.py

@@ -501,10 +501,16 @@ def process_age_recipients(members, environment_path):
                 print(f"Downloading key file from `{key}`")
             key_file = urllib.request.urlopen(key)
             key_file_content = key_file.read().decode("utf-8")
-            for line in key_file_content.splitlines():
-                if line.startswith("ssh-"):
-                    new_members.append(line)
-                    key_meta_file_content += f"{line}\n"
+            remote_keys = sorted(
+                [
+                    line
+                    for line in key_file_content.splitlines()
+                    if line.startswith("ssh-")
+                ]
+            )
+            for line in remote_keys:
+                new_members.append(line)
+                key_meta_file_content += f"{line}\n"
         else:
             # unknown key type
             print(f"WARNING: Unknown key type for {key}\nWill be ignored!")