share-secrets-safely / cli
share secrets within teams to avoid plain-text secrets from day one
Home Page: https://share-secrets-safely.github.io/cli
License: GNU Lesser General Public License v2.1
Hi,
I have been using this in my project. It is very useful for storing our passwords. Thanks.
However when I check the version it comes with a newline.
shakir$./sy --version
sy 4.0.0
shakir$
Can you please fix this?
If no TTY is attached, it will always try to read from stdin. However, this seems to block forever in certain situations, without indicating EOF or something similar.
Maybe there is a way to detect that, or to work around it without forcefully providing something like echo '{}' | sy process ...
Hi,
just installed rustup and cargo to install sheesy-cli.
After executing cargo install sheesy-cli, I get a bunch of lines like Compiling ... which looks good.
Until:
Compiling libgpg-error-sys v0.3.1
Compiling gpgme-sys v0.7.0
Compiling gpgme v0.7.1
error: failed to run custom build command for `gpgme-sys v0.7.0`
process didn't exit successfully: `/var/folders/rg/jmhmvgl57rj4n1xmgyb2lt7m0000gn/T/cargo-install.MCN5Z2Gid1rP/release/build/gpgme-sys-69e4934ff7b01c8d/build-script-build` (exit code: 1)
--- stdout
cargo:rerun-if-env-changed=GPGME_LIB_DIR
cargo:rerun-if-env-changed=GPGME_LIBS
cargo:rerun-if-env-changed=GPGME_CONFIG
--- stderr
running: "git" "apply" "../gpgme-remove-doc.patch"
error: patch failed: Makefile.am:33
error: Makefile.am: patch does not apply
error: patch failed: configure.ac:883
error: configure.ac: patch does not apply
command did not execute successfully, got: exit code: 1
running: "sh" "-c" "gpgme-config --version"
sh: gpgme-config: command not found
command did not execute successfully, got: exit code: 127
warning: build failed, waiting for other jobs to finish...
I'm running OSX El Capitan Version 10.11.6 (15G1510) if that helps somehow.
Do you have any idea if I can fix it myself?
Thanks in advance.
While the sheesy documentation is pretty fantastic already, I felt there was a little to be desired as far as the various vault pages, in particular vault partitions.
I was looking for basically group-like support -- being able to share a secret with a group of users but not necessarily a different group, more concretely to be able to differentiate secrets for staging/production. When looking at the vault partitions add documentation it was unfortunately a little unclear
Since what I was looking for is likely a very common use case, it might be nice to explain it directly, either on the add page itself or in a separate "recipes" or "use case examples" or something section.
Hi there,
I am a very happy user of sy, and in my company we have set up a vault a long time ago. Now I would love to add partitions to it, but unfortunately I created it as a single-partition at the beginning, so if I try to add a partition named devs I get the following error:
error: Partition at './devs' is contained in another partitions resources directory at './.'
Is there a way, even manually, to migrate a single partition vault into a multi partition one?
I am using sy version 4.0.10.
After running the command from the subject on linux (ubuntu) we saw this message.
Imported recipient key at path '.gpg-keys/60D52894609DDDFC794BCAC62DDE29BE8568696B'
error: The GNU Privacy Guard (GPG) does not supported the attempted operation.
GPG v2 is known to work, and you can install it here:
https://www.gnupg.org for more information.
Caused by:
2: Could not sign key of recipient 60D52894609DDDFC794BCAC62DDE29BE8568696B with signing key <user redacted>
1: Not supported (gpg error 60)
I like the GPG key based ACL of this tool and can see how it prevents leaks.
But I fail to imagine the real-world usage in a team of developers and I cannot find one in the documentation.
Is it something like:
secrets directory into software's source code directory on its computer, cd into it and run sy vault init to initialize the sheesy vault "secrets".
git add . ; git commit -m "Created a secrets sheesy vault" to commit the vault creation.
echo s3cre7 | sy vault add :mysql-password.
git add . ; git commit -m "Added MySQL password to the secrets vault"; git push origin for the changes the sy vault add command did on the sheesy vault ("secrets") are saved to the git repository.
cd secrets ; sy vault recipient init to add its GPG key to possible recipients and git add . ; git commit -m "Adding Bob's key to the secrets vault" ; git push origin to persist the changes to the git repository.
cd secrets ; sy vault recipient add 7DF95D5E and git add . ; git commit -m "Granting Bob's key access to secrets sheesy vault" ; git push origin and tells Bob that she granted him access to the "secrets" vault.
cd secrets and finally read the MySQL with sy vault show mysql-password.
sy vault) but can never read them.
Notes:
git fetch and git merge commands.
It would be nice if the documentation would how sheesy differentiates itself from a git-crypt.
So far as I can see currently:
git
Maybe it doesn't make sense to compare sheesy to a tool like git-crypt in the first place, since the scopes are somewhat different, if so I apologize! I think that sheesy could be super useful for storing secrets right in git repos so that's one way I really want to use it.
P.S. I just saw the talk @ RustCologne -- cool project!
As of now, we depend on GPG for asymmetric cryptography. However, depending on GPGME seems to be an issue if Windows support is desired.
An alternative seems to be Sequoia, which has Windows support on their roadmap for 2019. To get started, it should already be possible to add symmetric (i.e. password based) cryptography to sheesy, serving as quick-start alternative to the key-based cryptography and thus somewhat competing with keypass and its command-line tools.
nettle.
Related to #12.
Just to make the project even more appealing.
They need the 'cli' repository named as last argument.
Thanks a lot
Since both rust and gpg run on Windows, what obstacles are there to sy running on Windows, too?
Install Sheesy on OSX with a recent version of Homebrew:
brew tap share-secrets-safely/cli
brew install sheesy
Then run any command, for example sy --version.
The command runs without issues.
The command fails with:
dyld[2780]: Library not loaded: /usr/local/opt/libassuan/lib/libassuan.0.dylib
Referenced from: <E27503E4-8399-3EE0-8726-E6E09272A3EC> /opt/homebrew/Cellar/sheesy/4.0.10/bin/sy
Reason: tried: '/usr/local/opt/libassuan/lib/libassuan.0.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/usr/local/opt/libassuan/lib/libassuan.0.dylib' (no such file), '/usr/local/opt/libassuan/lib/libassuan.0.dylib' (no such file), '/usr/local/lib/libassuan.0.dylib' (no such file), '/usr/lib/libassuan.0.dylib' (no such file, not in dyld cache)
zsh: abort sy vault list
Note that libassuan is correctly installed on the system (with Homebrew).
The command sy --version crashes, but the installed sy version is 4.0.10.
I am on MacOS Ventura 13.1 on Apple Silicon M1 Max.
The Homebrew version is:
$ brew --version
Homebrew 3.6.20
Homebrew/homebrew-core (git revision 9b06fea8797; last commit 2023-01-17)
Homebrew on Apple Silicon uses /opt/homebrew as prefix instead of /usr/local (as indicated by the output of brew --prefix and as discussed here), therefore libassuan is located in /opt/homebrew/lib/libassuan.0.dylib. Currently, sy tries to load it from /usr/local and /usr/lib.
Explicitly setting DYLD_LIBRARY_PATH=/opt/homebrew/lib sy --version finds the library, but fails with:
dyld[9043]: Library not loaded: /usr/local/opt/libassuan/lib/libassuan.0.dylib
Referenced from: <E27503E4-8399-3EE0-8726-E6E09272A3EC> /opt/homebrew/Cellar/sheesy/4.0.10/bin/sy
Reason: tried: '/opt/homebrew/lib/libassuan.0.dylib' (mach-o file, but is an incompatible architecture (have 'arm64', need 'x86_64')), '/usr/local/opt/libassuan/lib/libassuan.0.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/usr/local/opt/libassuan/lib/libassuan.0.dylib' (no such file), '/usr/local/opt/libassuan/lib/libassuan.0.dylib' (no such file), '/usr/local/lib/libassuan.0.dylib' (no such file), '/usr/lib/libassuan.0.dylib' (no such file, not in dyld cache)
This seems to indicate that the wrong architecture is used when downloading the pre-built sy binary, I suspect because -x86_64 is hardcoded here, and the releases do not include an arm64 version.
Cloning the repo and building it with Cargo produces a working sy binary, so it looks like it is really just an issue with a missing pre-built binary for Apple Silicon.
check it - in pass there is no such thing.