git-secret: abort: cannot find decrypted version of file:

Open DragosRomaniuc opened this issue 2 years ago • 5 comments

What are the steps to reproduce this issue?

  1. In github actions
  2.
       sudo sh -c "echo 'deb https://gitsecret.jfrog.io/artifactory/git-secret-deb git-secret main' >> /etc/apt/sources.list"
       wget -qO - 'https://gitsecret.jfrog.io/artifactory/api/gpg/key/public' | sudo apt-key add -
       sudo apt-get update && sudo apt-get install -y git-secret

       # Testing, that it worked!
       git secret --version
       git secret reveal


What happens?

The files are not revealed.

What were you expecting to happen?

Reveal the file.

Any logs, error output, etc?

Unpacking git-secret (0.4.0) ...
Setting up git-secret (0.4.0) ...
Processing triggers for man-db (2.9.1-1) ...
Version 0.4.0
git-secret: abort: cannot find decrypted version of file: projects/api/.env/staging
Error: Process completed with exit code 2.

Any other comments?

It's working on local.

What versions of software are you using?

ubuntu-latest github actions

DragosRomaniuc • May 27 '22 13:05

Thank you for this bug report. Can you please try with the current master branch, and use -v with every git-secret command to enable verbose mode? This should provide info about what's going on.

joshrabinowitz • May 27 '22 13:05

@joshrabinowitz I did; git secret reveal -v outputs the same log.

git-secret: abort: cannot find decrypted version of file: projects/api/.env/staging
Error: Process completed with exit code 2.

DragosRomaniuc • May 27 '22 14:05

Thanks again for following up.

According to the best docs I could find on the subject of gnupg exit codes (https://lists.gnupg.org/pipermail/gnupg-devel/2005-December/022559.html), paraphrased:

  • Exit code 0 means 'success' (although we've seen versions of gnupg where you can get a 0 exit code but the expected files are not decrypted)
  • Exit code 1 means 'any error due to the actual data processing'
  • Exit code 2 means 'could not correctly interpret the command line, or any other system error like missing files or out of memory'

So something is going wrong with gnupg decrypting your files. Maybe the file to decrypt isn't actually present, or there's a newline in your secret key env var, or you're hitting #760.

There is some improved error messaging around this in the latest master branch, and I'd also expect to see some output from gnupg in your reveal -v step; I'd recommend trying with the latest master branch and adding debug/sanity checking code in your github action. Also please let us know what version(s) of gnupg you're using on the systems you use git-secret on.

Edit: looking at your example more closely, it looks like you're not providing a private key to use for git-secret to decrypt the secrets with. Make sure you check the docs at https://git-secret.io/ : Using git-secret for Continuous Integration / Continuous Deployment (CI/CD)

joshrabinowitz • May 27 '22 16:05
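
The "debug/sanity checking code" suggested in the reply above could look like the following for the causes it names: no private key supplied, a newline problem in the key variable, or a missing encrypted file. This is an added example, not code from git-secret or from anyone in this thread; the variable name GPG_PRIVATE_KEY and the file name preflight.sh are assumptions, and `.secret` is git-secret's default extension for encrypted files.

```shell
#!/bin/sh
# Pre-flight checks for a CI step, to run before `git secret reveal`.
# Assumed names (not from the thread): GPG_PRIVATE_KEY, preflight.sh.

ARMOR_BEGIN="-----BEGIN PGP PRIVATE KEY BLOCK-----"
ARMOR_END="-----END PGP PRIVATE KEY BLOCK-----"

# check_key KEY: 0 if KEY looks like a complete ASCII-armored private key.
check_key() {
    key=$(printf '%s' "$1")   # command substitution drops trailing newlines
    [ -n "$key" ] || { echo "private key variable is empty or unset" >&2; return 1; }
    case $key in
        *"$ARMOR_BEGIN"*) ;;
        *) echo "value is not an armored private key" >&2; return 2 ;;
    esac
    first=$(printf '%s\n' "$key" | head -n 1)
    last=$(printf '%s\n' "$key" | tail -n 1)
    lines=$(( $(printf '%s\n' "$key" | wc -l) ))
    if [ "$first" != "$ARMOR_BEGIN" ] || [ "$last" != "$ARMOR_END" ] ||
       [ "$lines" -lt 3 ]; then
        echo "armor lines damaged: newlines lost or key truncated" >&2
        return 3
    fi
    return 0
}

# check_encrypted PATH...: 0 if every PATH has a non-empty PATH.secret file.
check_encrypted() {
    for f in "$@"; do
        [ -s "$f.secret" ] || { echo "missing or empty: $f.secret" >&2; return 4; }
    done
    return 0
}

# has_secret_key: 0 if the gpg keyring holds a secret key (call after import).
has_secret_key() {
    gpg --batch --list-secret-keys --with-colons 2>/dev/null | grep -q '^sec:'
}

# preflight KEY PATH...: static checks; the first failure sets the exit status.
preflight() {
    key_value=$1; shift
    check_key "$key_value" || return $?
    check_encrypted "$@" || return $?
}

# Usage in a workflow step, from the top-level directory of the repo:
#   . ./preflight.sh && preflight "$GPG_PRIVATE_KEY" projects/api/.env/staging
```

The distinct return codes (1 to 4) show in the job log which precondition failed before gnupg is ever invoked.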

Not sure if related, but I did see some problems with git-secret 0.5.0 when I tried to reveal secrets which were not added at the top-level of the repo. It seems to want to reveal a file in the path/repo/repo instead of path/repo.

mihaigalos • Mar 14 '23 21:03

@mihaigalos you may be running into #925. git-secret expects to be used from the top-level directory of a repo; then revealing a secret like subdir/config.txt.secret should work (we have tests for that functionality).

joshrabinowitz • Mar 15 '23 15:03