Multiple URLs with the same identities cause duplicated recipients in age encrypted secrets
Consider a secret config like this:

```ini
[batou]
secret_provider = age
members =
    https://my.flyingcircus.io/rg/2342/sshkeys/login/blub/keys
    https://my.flyingcircus.io/rg/2343/sshkeys/login/blub/keys
```
Now, if I'm allowed to log into both RGs, there are two recipients with the same ssh key. My expectation would be that for each user, only one recipient is added to age_keys.txt.
It's not a big deal in practice, but still a little odd.
age_keys.txt is there to give batou the ability to notify the user if the web-fetched key files change, as well as providing a plain-text-readable file with the recipients for the repository.
Since we are fetching the public keys from the internet at encryption time, we need to allow the user to notice changes in the public-key sources.
I'm not sure how to de-duplicate public keys while also making sure that both properties are preserved.
So, perhaps I'm missing some context or not seeing a case you have in mind, but: what's wrong with only notifying if there's an actual change? I.e. only if one key was actually added or removed rather than duplicated or deduplicated?
If a member was added to or removed from an RG (I've only used it with the keys feature of my.flyingcircus.io so far), it doesn't seem too interesting to me unless I now encrypt the secrets for someone new or someone loses access to the secrets from now on.
Just noticed that the https://my.flyingcircus.io/rg/2342/sshkeys/type/X/keys URLs don't have a stable order for their keys which means that batou warns me every time I edit an age encrypted secrets file.
> Just noticed that the https://my.flyingcircus.io/rg/2342/sshkeys/type/X/keys URLs don't have a stable order for their keys which means that batou warns me every time I edit an age encrypted secrets file.

Looking into this since this obviously interferes with the use case of having the keys in a lockfile.
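The two problems raised in this thread (the same key showing up under several member URLs, and the key order changing between fetches) have one common fix: key the lockfile by the key material itself and compare sets rather than lines. The following is an added example, not batou's own code; the URLs and SSH keys are constructed placeholders, and the `recipient_id`, `collect_recipients`, `render_lockfile` and `membership_change` helpers are hypothetical names chosen for this illustration. It treats two lines with identical type and base64 blob as one recipient even if their comments differ, which is an assumption of this example, not something batou does.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

KeyId = Tuple[str, str]  # (key type, base64 blob)

# Constructed sample fetch results standing in for the web-fetched key files.
# The same key appears under two RG URLs, as in the issue. Placeholder data only.
FETCH_RUN_1: Dict[str, List[str]] = {
    "https://keys.example/rg/2342/sshkeys/login/blub/keys": [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLUB blub@laptop",
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALICE alice@work",
    ],
    "https://keys.example/rg/2343/sshkeys/login/blub/keys": [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLUB blub@laptop",
    ],
}
# Same members, but the service returned every list in the opposite order.
FETCH_RUN_2 = {url: list(reversed(keys)) for url, keys in FETCH_RUN_1.items()}
# alice's key was removed from RG 2342: a real membership change.
FETCH_RUN_3 = {
    "https://keys.example/rg/2342/sshkeys/login/blub/keys": [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLUB blub@laptop",
    ],
    "https://keys.example/rg/2343/sshkeys/login/blub/keys": [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLUB blub@laptop",
    ],
}

_KEY_RE = re.compile(
    r"^(?P<type>ssh-[a-z0-9-]+|ecdsa-sha2-[a-z0-9-]+)\s+(?P<b64>[A-Za-z0-9+/=]+)"
)


def recipient_id(line: str) -> Optional[KeyId]:
    """Identify an SSH public key line by its type and base64 blob, ignoring
    the trailing comment. Returns None for blank lines, comments, or junk."""
    m = _KEY_RE.match(line.strip())
    return (m.group("type"), m.group("b64")) if m else None


def collect_recipients(fetched: Dict[str, Iterable[str]]) -> Dict[KeyId, List[str]]:
    """Map each unique key to the sorted list of source URLs that served it.
    Iterating URLs in sorted order makes the result independent of fetch order."""
    sources: Dict[KeyId, List[str]] = {}
    for url in sorted(fetched):
        for line in fetched[url]:
            rid = recipient_id(line)
            if rid is None:
                continue
            urls = sources.setdefault(rid, [])
            if url not in urls:
                urls.append(url)
    return sources


def render_lockfile(sources: Dict[KeyId, List[str]]) -> str:
    """Render age_keys.txt-style text: one key line per unique recipient,
    preceded by a '#' comment naming its sources, sorted for a stable diff."""
    lines: List[str] = []
    for rid in sorted(sources):
        lines.append("# from: " + ", ".join(sources[rid]))
        lines.append(f"{rid[0]} {rid[1]}")
    return "\n".join(lines) + "\n"


def parse_lockfile(text: str) -> Set[KeyId]:
    """Read the recipient set back out of lockfile text ('#' lines are skipped)."""
    return {rid for rid in map(recipient_id, text.splitlines()) if rid is not None}


def membership_change(old_lockfile: str, fetched: Dict[str, Iterable[str]]) -> Tuple[Set[KeyId], Set[KeyId]]:
    """Compare the stored recipient set with a fresh fetch and return
    (added, removed). Duplicates and reordering yield two empty sets, so a
    warning is only raised when someone actually gains or loses access."""
    old = parse_lockfile(old_lockfile)
    new = set(collect_recipients(fetched))
    return new - old, old - new


if __name__ == "__main__":
    lock = render_lockfile(collect_recipients(FETCH_RUN_1))
    print(lock)
    print("run 2 (reordered, duplicate):", membership_change(lock, FETCH_RUN_2))
    print("run 3 (alice removed):", membership_change(lock, FETCH_RUN_3))
```

With this shape, the lockfile still documents where each recipient came from (so the file stays human-readable), and the warning fires only when the set of recipients changes.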