Installation
To install sops
, download one of the pre-built binaries provided for your platform from the artifacts attached to this release.
For instance, if you are using Linux on an AMD64 architecture:
# Download the binary
curl -LO https://github.com/getsops/sops/releases/download/v3.9.0/sops-v3.9.0.linux.amd64
# Move the binary in to your PATH
mv sops-v3.9.0.linux.amd64 /usr/local/bin/sops
# Make the binary executable
chmod +x /usr/local/bin/sops
Verify checksums file signature
The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:
# Download the checksums file, certificate and signature
curl -LO https://github.com/getsops/sops/releases/download/v3.9.0/sops-v3.9.0.checksums.txt
curl -LO https://github.com/getsops/sops/releases/download/v3.9.0/sops-v3.9.0.checksums.pem
curl -LO https://github.com/getsops/sops/releases/download/v3.9.0/sops-v3.9.0.checksums.sig
# Verify the checksums file
cosign verify-blob sops-v3.9.0.checksums.txt \
--certificate sops-v3.9.0.checksums.pem \
--signature sops-v3.9.0.checksums.sig \
--certificate-identity-regexp=https://github.com/getsops \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
Verify binary integrity
To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature:
# Verify the binary using the checksums file
sha256sum -c sops-v3.9.0.checksums.txt --ignore-missing
Verify artifact provenance
The SLSA provenance of the binaries, packages, and SBOMs can be found within the artifacts associated with this release. It is presented through an in-toto link metadata file named sops-v3.9.0.intoto.jsonl
. To verify the provenance of an artifact, you can utilize the slsa-verifier
tool:
# Download the metadata file
curl -LO https://github.com/getsops/sops/releases/download/v3.9.0/sops-v3.9.0.intoto.jsonl
# Verify the provenance of the artifact
slsa-verifier verify-artifact <artifact> \
--provenance-path sops-v3.9.0.intoto.jsonl \
--source-uri github.com/getsops/sops \
--source-tag v3.9.0
Container Images
The sops
binaries are also available as container images, based on Debian (slim) and Alpine Linux. The Debian-based container images include any dependencies which may be required to make use of certain key services, such as GnuPG, AWS KMS, Azure Key Vault, and Google Cloud KMS. The Alpine-based container images are smaller in size, but do not include these dependencies.
These container images are available for the following architectures: linux/amd64
and linux/arm64
.
GitHub Container Registry
ghcr.io/getsops/sops:v3.9.0
ghcr.io/getsops/sops:v3.9.0-alpine
Quay.io
quay.io/getsops/sops:v3.9.0
quay.io/getsops/sops:v3.9.0-alpine
Verify container image signature
The container images are signed using Cosign with GitHub OIDC. To validate the signature of an image, run the following command:
cosign verify ghcr.io/getsops/sops:v3.9.0 \
--certificate-identity-regexp=https://github.com/getsops \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-o text
Verify container image provenance
The container images include SLSA provenance attestations. For more information around the verification of this, please refer to the slsa-verifier
documentation.
Software Bill of Materials
The Software Bill of Materials (SBOM) for each binary is accessible within the artifacts enclosed with this release. It is presented as an SPDX JSON file, formatted as <binary>.spdx.sbom.json
.
What's Changed
- Respect aws_profile from Keygroup Config by @Kouzukii in #1049
- build(deps): Bump the go group with 6 updates by @dependabot in #1327
- build(deps): Bump the go group with 3 updates by @dependabot in #1328
- build(deps): Bump the go group with 1 update by @dependabot in #1330
- build(deps): Bump github.com/docker/docker from 20.10.24+incompatible to 24.0.7+incompatible by @dependabot in #1336
- build(deps): Bump the go group with 3 updates by @dependabot in #1334
- Improve README.rst by @Ph0tonic in #1339
- Fix typos by @felixfontein in #1337
- build(deps): Bump the go group with 7 updates by @dependabot in #1344
- Add --mac-only-encrypted to compute MAC only over values which end up encrypted by @mitar in #973
- build(deps): Bump the ci group with 1 update by @dependabot in #1347
- build(deps): Bump the go group with 7 updates by @dependabot in #1348
- README: Correctly tag code as yaml-stream by @felixfontein in #1350
- build(deps): Bump the go group with 5 updates by @dependabot in #1354
- use getUserConfigDir also in tests by @bkreitch in #1346
- Overwrite home dir in vault test by @bkreitch in #1349
- Allow configuration of indentation for YAML and JSON stores by @Ph0tonic in #1273
- build(deps): Bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 by @dependabot in #1357
- build(deps): Bump the go group with 4 updates by @dependabot in #1360
- build(deps): Bump the ci group with 1 update by @dependabot in #1359
- Fix TestGnuPGHome_Validate by @stormentt in #1370
- build(deps): Bump the go group with 6 updates by @dependabot in #1373
- build(deps): Bump the ci group with 2 updates by @dependabot in #1376
- Docs: indent is used both for encryption and decryption by @felixfontein in #1372
- fix a bug where not having a config results in a panic by @stormentt in #1371
- Polish the 'sops help' output a bit by @felixfontein in #1341
- introduce a --pristine flag to sops exec-env by @e-nikolov in #912
- Allow to pass multiple paths to 'updatekeys' by @sj14 in #1274
- Warn/fail if the wrong number of arguments is provided by @felixfontein in #1342
- Allow to override fileName with different value by @felixfontein in #1332
- Sort masterkeys according to decryption-order by @bkreitch in #1345
- build(deps): Bump the ci group with 4 updates by @dependabot in #1382
- build(deps): Bump the go group with 5 updates by @dependabot in #1381
- Deprecate the --background option to exec-env and exec-file by @felixfontein in #1379
- build(deps): Bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @dependabot in #1383
- build(deps): Bump the ci group with 1 update by @dependabot in #1386
- build(deps): Bump the go group with 5 updates by @dependabot in #1385
- Consolidate Flatten/Unflatten pre/post processing by @lancerushing in #1356
- INI, DotEnv stores: shamir_threshold is an integer by @felixfontein in #1394
- Improve integration tests: reformat test code, make sure exit codes are always checked by @felixfontein in #1390
- Make check whether file contains invalid keys for encryption dependent on output store by @felixfontein in #1393
- Create a constant for the 'sops' metadata key by @felixfontein in #1398
- build(deps): Bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 by @dependabot in #1408
- build(deps): Bump the ci group with 4 updates by @dependabot in #1425
- build(deps): Bump github.com/opencontainers/runc from 1.1.5 to 1.1.12 by @dependabot in #1428
- build(deps): Bump the go group with 10 updates by @dependabot in #1429
- build(deps): Bump the ci group with 4 updates by @dependabot in #1432
- Warn if more than one command is used by @felixfontein in #1388
- Move extraction of encryption and rotation options to separate functions by @felixfontein in #1389
- Add separate subcommands for encryption, decryption, rotating, editing, and setting values by @felixfontein in #1391
- Add basic tests for exec-env and exec-file by @felixfontein in #1396
- build with go 1.21 and update dependencies by @b-dean in #1427
- build(deps): Bump the go group with 4 updates by @dependabot in #1439
- sops: fix typo in interface name by @duthils in #1477
- Fix function name in comment by @pullmerge in #1484
- build(deps): Bump the ci group across 1 directory with 9 updates by @dependabot in #1498
- build(deps): Bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 by @dependabot in #1454
- build(deps): Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @dependabot in #1460
- build(deps): Bump github.com/docker/docker from 24.0.7+incompatible to 24.0.9+incompatible by @dependabot in #1466
- build(deps): Bump golang.org/x/net from 0.21.0 to 0.23.0 by @dependabot in #1489
- build(deps): Bump actions/setup-go from 5.0.0 to 5.0.1 in the ci group by @dependabot in #1503
- build(deps): Bump the ci group with 2 updates by @dependabot in #1508
- LoadCreationRuleForFile: correctly handle nil without error in callers by @felixfontein in #1506
- build(deps): Bump the ci group with 2 updates by @dependabot in #1510
- build(deps): Bump the ci group with 2 updates by @dependabot in #1516
- Fix CVE-2024-2660 by @TheoBrigitte in #1519
- build(deps): Bump the ci group with 2 updates by @dependabot in #1521
- fix(Makefile): set locale to make tests pass by @jonasbadstuebner in #1492
- build(deps): Bump the ci group with 2 updates by @dependabot in #1524
- Adjust Makefile to new goreleaser 6.0.0 release by @felixfontein in #1526
- build(deps): Bump the go group across 1 directory with 23 updates by @dependabot in #1525
- update documentation for age by @tomaszduda23 in #1399
- exec-file: if
--filename
is used, use the provided filename without random suffix by @felixfontein in #1474 - build(deps): Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2 to 1.6.0 by @dependabot in #1528
- Do not use DotEnv store for exec-env, but specialized environment serializing code by @felixfontein in #1436
- build(deps): Bump the ci group with 2 updates by @dependabot in #1534
- Decryption: do not fail if no matching creation_rule is present in config file by @felixfontein in #1434
- add filestatus command by @endorama in #545
- build(deps): Bump the go group across 1 directory with 16 updates by @dependabot in #1540
- build(deps): Bump the go group across 1 directory with 4 updates by @dependabot in #1543
- add command unset by @duthils in #1475
- Update sops.go comment by @rjeczkow in #1544
- Support using comments to select parts to encrypt by @felixfontein in #1392
- Feature:
merge
key for key groups and make keys unique by @jonasbadstuebner in #1493 - Update all go deps by @felixfontein in #1545
- Release 3.9.0 by @felixfontein in #1546
New Contributors
- @Kouzukii made their first contribution in #1049
- @Ph0tonic made their first contribution in #1339
- @bkreitch made their first contribution in #1346
- @stormentt made their first contribution in #1370
- @e-nikolov made their first contribution in #912
- @sj14 made their first contribution in #1274
- @lancerushing made their first contribution in #1356
- @b-dean made their first contribution in #1427
- @duthils made their first contribution in #1477
- @pullmerge made their first contribution in #1484
- @TheoBrigitte made their first contribution in #1519
- @jonasbadstuebner made their first contribution in #1492
- @tomaszduda23 made their first contribution in #1399
- @endorama made their first contribution in #545
- @rjeczkow made their first contribution in #1544
Full Changelog: v3.8.1...v3.9.0