sops truncates the file to zero after a failed key rotation

[cohadar]

Sops version: 3.7.1 (Installed from deb package)

How to reproduce:

1. create example.yaml using one KMS and one PGP key
2. turn off your aws profile / credentials
3. try to rotate the file in place: sops -r -i example.yaml

What happens:

1. example.yaml file gets truncated to zero bytes!
2. sops prints no error messages
3. sops returns exit code zero as if everything was ok

What I would like to happen:

1. sops detects that not all master keys are available
2. sops prints error message: you cannot rotate because you are missing key X
3. sops exits with non-zero code.

[cohadar]

4. sops should not delete data in my files when error happens during rotation

[renannprado]

I've just faced some issue. The worse thing is that it also prints no error, so I have no clue what's wrong.

Edit:

In my case, I was using KMS and PGP (as a backup) and while using the rotate feature, I missed the PGP key and that's why it happened.

[james-callahan]

This is still an issue with sops 3.8.0

[felixfontein]

Simple reproducer:

1. Check out sops repository.
2. Run sops -r -i stores/ini/test_resources/example.json in it.

The cause is that the error handling in https://github.com/getsops/sops/blob/main/cmd/sops/main.go#L713-L969 is pretty much messed up. The correct error is put into err here: https://github.com/getsops/sops/blob/main/cmd/sops/main.go#L897 - but that err is apparently a different err than the one that is checked here: https://github.com/getsops/sops/blob/main/cmd/sops/main.go#L967 (that one is still nil).

From how I understand Go the assignment in https://github.com/getsops/sops/blob/main/cmd/sops/main.go#L843 creates a new err in the local scope which shadows the err from the outer scope. Since this happens pretty extensively in the function, my bet is that there are several similar bugs in there.

I'm somewhat surprised that make staticcheck isn't flagging this, as obviously err is ignored here.

[felixfontein]

When removing bin/staticcheck and re-running make staticcheck it now found the problem. I guess I had an older version installed...

[felixfontein]

Fixed by #1317.