diff --git a/README.rst b/README.rst
index 864e87240..295dbc20b 100644
--- a/README.rst
+++ b/README.rst
@@ -673,10 +673,9 @@ Example: place the following in your ``~/.bashrc``
 Specify a different GPG key server
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-By default, ``sops`` uses the key server ``gpg.mozilla.org`` to retrieve the GPG
+By default, ``sops`` uses the key server ``keys.openpgp.org`` to retrieve the GPG
 keys that are not present in the local keyring.
-To use a different GPG key server, set the ``SOPS_GPG_KEYSERVER`` environment
-variable.
+This is no longer configurable. You can learn more about why from this write-up: [SKS Keyserver Network Under Attack](https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f).
 Example: place the following in your ``~/.bashrc``
diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index 6a550d2cd..913f0d337 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -109,7 +109,6 @@ func main() {
 the "add-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" and "rm-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" flags.
 To use a different GPG binary than the one in your PATH, set SOPS_GPG_EXEC.
-To use a GPG key server other than gpg.mozilla.org, set SOPS_GPG_KEYSERVER.
 To select a different editor than the default (vim), set EDITOR.
@@ -185,9 +184,9 @@ func main() {
 Usage: "the user to run the command as",
 },
 cli.StringFlag{
- Name: "input-type",
- Usage: "currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's extension to determine the type",
- },
+ Name: "input-type",
+ Usage: "currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's extension to determine the type",
+ },
 cli.StringFlag{
 Name: "output-type",
 Usage: "currently json, yaml, dotenv and binary are supported. If not set, sops will use the input file's extension to determine the output format",
diff --git a/pgp/keysource.go b/pgp/keysource.go
index 5f111df2c..fd092339c 100644
--- a/pgp/keysource.go
+++ b/pgp/keysource.go
@@ -86,8 +86,10 @@ func (key *MasterKey) encryptWithGPGBinary(dataKey []byte) error {
 return nil
 }
-func getKeyFromKeyServer(keyserver string, fingerprint string) (openpgp.Entity, error) {
- url := fmt.Sprintf("https://%s/pks/lookup?op=get&options=mr&search=0x%s", keyserver, fingerprint)
+func getKeyFromKeyServer(fingerprint string) (openpgp.Entity, error) {
+ log.Warn("Deprecation Warning: GPG key fetching from a keyserver witihin sops will be removed in a future version of sops. See https://github.com/mozilla/sops/issues/727 for more information.")
+
+ url := fmt.Sprintf("https://keys.openpgp.org/vks/v1/by-fingerprint/%s", fingerprint)
 resp, err := http.Get(url)
 if err != nil {
 return openpgp.Entity{}, fmt.Errorf("error getting key from keyserver: %s", err)
@@ -103,14 +105,6 @@ func getKeyFromKeyServer(keyserver string, fingerprint string) (openpgp.Entity,
 return *ents[0], nil
 }
-func gpgKeyServer() string {
- keyServer := "gpg.mozilla.org"
- if envKeyServer := os.Getenv("SOPS_GPG_KEYSERVER"); envKeyServer != "" {
- keyServer = envKeyServer
- }
- return keyServer
- }
-
 func (key *MasterKey) getPubKey() (openpgp.Entity, error) {
 ring, err := key.pubRing()
 if err == nil {
@@ -120,8 +114,7 @@ func (key *MasterKey) getPubKey() (openpgp.Entity, error) {
 return entity, nil
 }
 }
- keyServer := gpgKeyServer()
- entity, err := getKeyFromKeyServer(keyServer, key.Fingerprint)
+ entity, err := getKeyFromKeyServer(key.Fingerprint)
 if err != nil {
 return openpgp.Entity{}, fmt.Errorf("key with fingerprint %s is not available "+
diff --git a/pgp/keysource_test.go b/pgp/keysource_test.go
index 77e974bac..ff9abb7fd 100644
--- a/pgp/keysource_test.go
+++ b/pgp/keysource_test.go
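Review bot: The fingerprint is interpolated unescaped into the request path on the new `url := fmt.Sprintf(...)` line, and the local variable `url` shadows the `net/url` package that would escape it; since the value arrives via `key.Fingerprint` from getPubKey (presumably read from file metadata rather than the local keyring), a string containing `/` or `?` changes which path is requested. Renaming the local and escaping the segment is two lines, `keyURL := "https://keys.openpgp.org/vks/v1/by-fingerprint/" + url.PathEscape(fingerprint)` and `resp, err := http.Get(keyURL)`, which needs `net/url` imported; rejecting anything that is not 40 hex characters before building the request would be stricter still. `http.Get` on the following line goes through `http.DefaultClient`, which has no timeout, so an unresponsive keyserver blocks the caller indefinitely where an `http.Client{Timeout: ...}` would bound it. The warning string also has a typo: `witihin` should be `within`. The remainder of the function, where the response body is parsed, lies outside this hunk.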
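Review bot: The entity returned by `getKeyFromKeyServer(key.Fingerprint)` on the new line is used as-is, with nothing comparing its primary-key fingerprint against `key.Fingerprint`, so the caller accepts whatever the keyserver serves for that path; the `return *ents[0], nil` in the previous hunk likewise takes the first entity unchecked. A guard after the error check along the lines of `if !strings.EqualFold(hex.EncodeToString(entity.PrimaryKey.Fingerprint[:]), key.Fingerprint) { return openpgp.Entity{}, fmt.Errorf("keyserver returned a key that does not match fingerprint %s", key.Fingerprint) }` would make the fetch fail closed, at the cost of importing `encoding/hex` and `strings`. The exact field name depends on which openpgp package the file imports, which is not visible here. getPubKey starts before this hunk and its error path continues past it.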
@@ -45,6 +45,6 @@ func TestPGPKeySourceFromString(t *testing.T) {
 func TestRetrievePGPKey(t *testing.T) {
 fingerprint := "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
- _, err := getKeyFromKeyServer("gpg.mozilla.org", fingerprint)
+ _, err := getKeyFromKeyServer(fingerprint)
 assert.NoError(t, err)
 }
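Review bot: `TestRetrievePGPKey` makes a live HTTPS request to keys.openpgp.org through the new `getKeyFromKeyServer(fingerprint)` call, so it fails on offline or sandboxed CI and its outcome depends on that particular key still being published there. Adding `if testing.Short() { t.Skip("needs network access to keys.openpgp.org") }` as the first statement keeps `go test -short` hermetic; a longer-term fix is an `httptest.Server` stub, which would require the base URL to be injectable rather than hard-coded in getKeyFromKeyServer. The test function is fully contained in the hunk.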