sops
Decryption fails if file is not in the creation_rules
When decrypting a file with `sops -d file.yaml`, sops fails with `error loading config: no matching creation rules found` even if the file contains the correct sops metadata. If I add this file to one `creation_rules` or remove the `.sops.yaml` file this is working as intended.
I was expecting sops not to complain on decryption phase since everything that it needs is present in the metadata. Moreover, the key is named `creation_rules`. It's confusing that you need a creation rule to decrypt an existing file.
I was trying to do `sops -d /nix/store/...` while in `~/src/NIX/own/` and couldn't understand why I was getting this error. I later found out I had a stray `~/src/NIX/.sops.yaml`. Deleting that fixed the problem.
I suppose the sticking point is:
- Without `--config`, sops searches upward from `$PWD` for a config file.
- When a config is found, and it doesn't refer to the target file, it probably makes sense to bail, although I agree with OP.
I will say that, in my case, it would have been helpful if `sops --verbose` told me the location of the config file it found.
SOPS shouldn't use the config file on decryption. It currently tries to load it since the code is somewhat a mess. I'd like to fix this, but I don't want to create yet another conflicting PR to #1391, so I'll wait until that one actually receives some feedback.
Since #1391 is now merged, I created a PR to fix this: #1434.
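
A helper for the diagnosis described in this thread, added here as an example (it is not part of the original issue or of sops itself): it walks upward from a directory and prints the first `.sops.yaml` it meets, which per the comments above is the config sops would pick up when `--config` is not given. The function name `find_sops_config` is hypothetical, and the search order is assumed from the thread's description.

```shell
#!/bin/sh
# Added example: locate the .sops.yaml that an upward search from a
# directory would hit first. Assumptions: the config file is named
# .sops.yaml and the search starts at the working directory, as the
# thread describes.

find_sops_config() {
    # $1: directory to start from (defaults to the current directory).
    # Returns 0 and prints the path if a config is found, 1 if none
    # exists up to /, 2 if the start directory cannot be entered.
    dir=$(cd "${1:-.}" 2>/dev/null && pwd -P) || return 2
    while :; do
        # ${dir%/} avoids a doubled slash when dir is "/".
        if [ -f "${dir%/}/.sops.yaml" ]; then
            printf '%s\n' "${dir%/}/.sops.yaml"
            return 0
        fi
        [ "$dir" = "/" ] && return 1
        dir=$(dirname "$dir")
    done
}

# Typical use before decrypting, run from the directory sops is run in:
#   find_sops_config || echo "no .sops.yaml above $PWD"
```

A path printed from a parent directory you did not expect is the stray-config situation reported above.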