xaked/blackbox
1
0
Fork 0
mirror of https://github.com/StackExchange/blackbox.git synced 2025-12-16 11:33:01 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: xaked:master
Branches Tags
xaked:master xaked:tlim_stop xaked:tlim_noop xaked:tlim_quoted
xaked:production xaked:stable xaked:v1.20220610 xaked:v1.20200429 xaked:v1.20181219 xaked:v1.20180618 xaked:v1.20180615 xaked:v1.20170611 xaked:v1.20170309 xaked:v1.20160122 xaked:v1.20151111 xaked:v1.20150730 xaked:v1.20150609 xaked:v1.20150304 xaked:v1.20150318 xaked:v1.20150222 xaked:v1.20150203 xaked:v1.20150216 xaked:v1.20151110 xaked:release
..
compare: xaked:tlim_noop
Branches Tags
xaked:master xaked:tlim_stop xaked:tlim_noop xaked:tlim_quoted
xaked:production xaked:stable xaked:v1.20220610 xaked:v1.20200429 xaked:v1.20181219 xaked:v1.20180618 xaked:v1.20180615 xaked:v1.20170611 xaked:v1.20170309 xaked:v1.20160122 xaked:v1.20151111 xaked:v1.20150730 xaked:v1.20150609 xaked:v1.20150304 xaked:v1.20150318 xaked:v1.20150222 xaked:v1.20150203 xaked:v1.20150216 xaked:v1.20151110 xaked:release

1 Commits
master ... tlim_noop

Author SHA1 Message Date
Tom Limoncelli
6711d715fe Empty 2023-11-14 14:29:35 -05:00
7 changed files with 65 additions and 81 deletions
Expand all files Collapse all files

112
.circleci/config.yml
View File

@@ -1,56 +1,56 @@
#version: 2
#
#workflows:
# version: 2
# build_and_test:
# jobs:
# - debian
# - ubuntu
#
#jobs:
#
# debian:
# docker:
# - image: debian:9.1
# steps:
# - checkout
# - run:
# name: 'Installing'
# command: |
# apt-get update -y
# apt-get install -y build-essential expect git gnupg2 pinentry-tty procps rpm ruby-dev libffi-dev
# gem install fpm
# - run:
# name: 'Cleaning'
# command: |
# rm -rf ~/.gpnupg
# make clean
# - run:
# name: 'Testing'
# command: |
# GPG=gpg2 make test
# make packages-deb
# make packages-rpm
#
# ubuntu:
# docker:
# - image: ubuntu:16.04
# steps:
# - checkout
# - run:
# name: 'Installing'
# command: |
# apt-get update -y
# apt-get install -y build-essential expect git gnupg2 pinentry-tty procps rpm ruby-dev libffi-dev
# gem install fpm
# - run:
# name: 'Cleaning'
# command: |
# rm -rf ~/.gpnupg
# make clean
# - run:
# name: 'Testing'
# command: |
# GPG=gpg2 make test
# make packages-deb
# make packages-rpm
version: 2
workflows:
version: 2
build_and_test:
jobs:
- debian
- ubuntu
jobs:
debian:
docker:
- image: debian:9.1
steps:
- checkout
- run:
name: 'Installing'
command: |
apt-get update -y
apt-get install -y build-essential expect git gnupg2 pinentry-tty procps rpm ruby-dev libffi-dev
gem install fpm
- run:
name: 'Cleaning'
command: |
rm -rf ~/.gpnupg
make clean
- run:
name: 'Testing'
command: |
GPG=gpg2 make test
make packages-deb
make packages-rpm
ubuntu:
docker:
- image: ubuntu:16.04
steps:
- checkout
- run:
name: 'Installing'
command: |
apt-get update -y
apt-get install -y build-essential expect git gnupg2 pinentry-tty procps rpm ruby-dev libffi-dev
gem install fpm
- run:
name: 'Cleaning'
command: |
rm -rf ~/.gpnupg
make clean
- run:
name: 'Testing'
command: |
GPG=gpg2 make test
make packages-deb
make packages-rpm

20
README.md
View File

@@ -1,12 +1,6 @@
BlackBox [![CircleCI](https://circleci.com/gh/StackExchange/blackbox.svg?style=shield)](https://circleci.com/gh/StackExchange/workflows/blackbox) [![Build Status](https://github.com/StackExchange/blackbox/workflows/build/badge.svg)](https://github.com/StackExchange/blackbox/actions?query=workflow%3Abuild+branch%3Amaster)
========
THIS PROJECT IS ABANDONED. DO NOT USE. DO NOT SUBMIT BUG REPORTS OR PRs.
There are plenty of other, better, projects. A partial list is listed under "Alternatives" below.
========
Safely store secrets in a VCS repo (i.e. Git, Mercurial, Subversion or Perforce). These commands make it easy for you to Gnu Privacy Guard (GPG) encrypt specific files in a repo so they are "encrypted at rest" in your repository. However, the scripts make it easy to decrypt them when you need to view or edit them, and decrypt them for use in production. Originally written for Puppet, BlackBox now works with any Git or Mercurial repository.
@@ -42,7 +36,6 @@ Table of Contents
- User Management
- [How to indoctrinate a new user into the system?](#how-to-indoctrinate-a-new-user-into-the-system)
- [How to remove a user from the system?](#how-to-remove-a-user-from-the-system)
- [Note to the Web Of Trust](#note-to-the-web-of-trust)
- Repo Management
- [Enabling BlackBox For a Repo](#enabling-blackbox-for-a-repo)
- [Set up automated users or “role accounts”](#set-up-automated-users-or-role-accounts)
@@ -489,19 +482,6 @@ The key ring only has public keys. There are no secret keys to delete.
Remember that this person did have access to all the secrets at one time. They could have made a copy. Therefore, to be completely secure, you should change all passwords, generate new SSL keys, and so on just like when anyone that had privileged access leaves an organization.
Note to the Web Of Trust
========================
Validating the trustworthiness of keys is a task that can't be accomplished by Blackbox; this is a completely external topic that has to be dealt with manually (the same way as generating/managing your key is, for example) or by a dedicated mechanism (a company CA with corresponding workflows e.g.). Aside from the "common" benefits of a Web Of Trust (see [here](https://www.gnupg.org/gph/en/manual/x334.html) or [here](https://www.gnupg.org/gph/en/manual/x547.html) e.g.), it prevents several errors as well.
Historically Blackbox was using and enforcing a "trust every key" model but this has changed! Now the decision of whether and how to use the PGP/GPG trust models is left up to the user by configuration (or by the PGP/GPG defaults).
When updating Blackbox people might run into functional problems if they haven't yet dealt with the trustability of the keys they're using. It's the right time to do so and built up your Web Of Trust now!
If you have an external workflow in place that ensures the integrity of the keys Blackbox uses you might want to disable the PGP/GPG trust models and rely on this workflow.
This can be achieved by declaring "trust model always", either by passing the command line parameter `--trust-model=always` to your PGP/GPG binary when using Blackbox (by defining an alias or using the environment variable (e.g. `GPG="gpg2 --trust-model=always"`) or a combination of both) or by setting `trust-model always` in your `gpg.conf` (note that this disables the Web Of Trust everywhere, not just for Blackbox).
WARNING: It is strongly disadvised to not use any key validation at all! This opens up various ways to bypass the confidentiality of your encrypted secrets!
Where is the configuration stored? .blackbox vs. keyrings/live
==============================================================

2
bin/_blackbox_common.sh
View File

@@ -253,7 +253,7 @@ function encrypt_file() {
encrypted="$2"
echo "========== Encrypting: $unencrypted" >&2
$GPG --use-agent --yes --encrypt -o "$encrypted" $(awk '{ print "-r" $1 }' < "$BB_ADMINS") "$unencrypted" >&2
$GPG --use-agent --yes --trust-model=always --encrypt -o "$encrypted" $(awk '{ print "-r" $1 }' < "$BB_ADMINS") "$unencrypted" >&2
echo '========== Encrypting: DONE' >&2
}

9
integrationTest/ithelpers.go
View File

@@ -421,8 +421,13 @@ Expire-Date: 0
func hasQuick(t *testing.T) bool {
testing.Init()
fmt.Println("========== Do we run gpg2?")
err := bbutil.RunBash("gpg2", "--version")
fmt.Println("========== Do we have --quick-generate-key?")
err := bbutil.RunBash("gpg2",
"--dry-run",
"--quick-generate-key",
"--batch",
"--passphrase", "",
"foo", "rsa", "encr")
fmt.Println("========== Done")
if err == nil {
return true

1
pkg/bbutil/umask_posix.go
View File

@@ -1,4 +1,3 @@
//go:build !windows
// +build !windows
package bbutil

1
pkg/bbutil/umask_windows.go
View File

@@ -1,4 +1,3 @@
//go:build windows
// +build windows
package bbutil

1
pkg/crypters/gnupg/gnupg.go
View File

@@ -106,6 +106,7 @@ func (crypt CrypterHandle) Encrypt(filename string, umask int, receivers []strin
a := []string{
"--use-agent",
"--yes",
"--trust-model=always",
"--encrypt",
"-o", encrypted,
}