Travis decrypting encrypted files with openssl fails - encryption

I have a project that requires some sensitive data. I have followed the steps specified at https://docs.travis-ci.com/user/encrypting-files/. However, some of the builds fail, and some others work just fine.
When a build succeeds I see this log:
Setting environment variables from repository settings
$ export encrypted_2c77c0ced414c_key=[secure]
$ export encrypted_2c77c0ced414c_iv=[secure]
$ export encrypted_c066d37aa1a1_key=[secure]
$ export encrypted_c066d37aa1a1_iv=[secure]
I don't see these environment variables when builds fail. I get this error instead:
The command "openssl aes-256-cbc -K $encrypted_2c77c0ced414c_key -iv $encrypted_c066d37aa1a1_key -in seeds.json.enc -out tests/data/seeds.json -d" failed and exited with 1 during .
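An added example, not code from the question or from the Travis docs, that wraps the documented decrypt command in the checks that explain both shapes seen on this page: the `encrypted_<id>_key` / `encrypted_<id>_iv` variables being absent from the environment (Travis documents that encrypted variables are not exposed to pull-request builds from forks, and sets `TRAVIS_SECURE_ENV_VARS` to say so), and a `_key` value landing in the `-iv` slot of a different secret id, as in the failing command quoted above. The secret id 2c77c0ced414c is the one from the question; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the question's .travis.yml): guard the Travis decrypt step.
# Travis emits one 64-hex-char key and one 32-hex-char IV per encrypted file, so
# the two checks below catch a missing variable and a key/iv mix-up before openssl
# is run with empty or wrong -K/-iv arguments and exits 1.

# secret_var <id> <key|iv>: print the value of encrypted_<id>_key or encrypted_<id>_iv,
# or nothing if it is unset.  <id> is validated first because it goes through eval.
secret_var() {
  case "$1" in ""|*[!0-9a-zA-Z_]*) return 1 ;; esac
  case "$2" in key|iv) ;; *) return 1 ;; esac
  eval "printf '%s' \"\${encrypted_${1}_${2}:-}\""
}

# is_hex <value> <length>: 0 if <value> is exactly <length> hexadecimal characters.
is_hex() {
  case "$1" in ""|*[!0-9a-fA-F]*) return 1 ;; esac
  [ "${#1}" -eq "$2" ]
}

# check_secret <id>: 0 if both halves of the secret are present and well-formed,
# otherwise 1 with the reason on stderr.
check_secret() {
  key=$(secret_var "$1" key) || { echo "check_secret: bad secret id '$1'" >&2; return 1; }
  iv=$(secret_var "$1" iv)
  if [ -z "$key" ] || [ -z "$iv" ]; then
    echo "secret $1: encrypted_${1}_key / encrypted_${1}_iv are not in the environment" >&2
    echo "  (pull request from a fork, or the variables were never added to this build)" >&2
    return 1
  fi
  is_hex "$key" 64 || { echo "secret $1: key is not 64 hex chars" >&2; return 1; }
  is_hex "$iv" 32  || { echo "secret $1: iv is not 32 hex chars (a _key value passed as iv?)" >&2; return 1; }
}

# decrypt_secret <id> <in.enc> <out>: the command from the Travis docs, with the key
# and iv taken from the SAME secret id.
decrypt_secret() {
  check_secret "$1" || return 1
  openssl aes-256-cbc -K "$(secret_var "$1" key)" -iv "$(secret_var "$1" iv)" \
    -in "$2" -out "$3" -d
}

# In .travis.yml, skip the step where the secrets cannot exist instead of failing:
#   if [ "${TRAVIS_SECURE_ENV_VARS:-false}" = true ]; then
#     decrypt_secret 2c77c0ced414c seeds.json.enc tests/data/seeds.json
#   fi
```

The length check is deliberately strict: a 256-bit key is 64 hex characters and a 128-bit AES-CBC IV is 32, so the `-iv $encrypted_..._key` slip from the question is rejected with a message instead of a bare exit code 1.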

Related

Conclave does not start in release mode after passing -PenclaveMode=release

I am trying to start Conclave in release mode. I followed the instructions below:
// Firstly, built the signing material:
./gradlew prepareForSigning -PenclaveMode=release
// Generated a signature from the signing material. The password for the sample external key is '12345'
openssl dgst -sha256 -out signing/signature.bin -sign signing/external_signing_private.pem -keyform PEM enclave/build/enclave/Release/signing_material.bin
// Finally built the signed enclave:
./gradlew build -PenclaveMode="release" -x test
./gradlew host:installDist
cd host/build/install
./host/bin/host
After invoking a request from the client, the attestation still prints:
Mode: SIMULATION
Is there any flag/step being missed?
You need to include -PenclaveMode=release when building the host:installDist target, otherwise it will build the default Simulation version and package that, even if you previously built the release enclave.
Just run this command and it will use the release enclave instead:
./gradlew host:installDist -PenclaveMode=release

GitLab job fails due to "bad decrypt" OpenSSL error, but the command executes just fine locally?

In a pipeline with a stage that executes a script that is supposed to decrypt a key file, the GitLab Runner fails:
$ scripts/decrypt.sh $LWCMAP_SERVER_KEY
bad decrypt
139810674749504:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:536:
ERROR: Job failed: exit code 1
The $LWCMAP_SERVER_KEY contains a passphrase that is used to decrypt the key inside a folder, using the following command in the .gitlab-ci.yml:
- scripts/decrypt.sh $LWCMAP_SERVER_KEY
And the content of the shell script is just the OpenSSL command to decrypt the file:
openssl aes-256-cbc -k "$1" -in assets/server.key.enc -out assets/decripted_server.key -d
I wonder why the job fails with "bad decrypt" since the exact same command executes just fine locally. I even calculated the md5 of both the file and the key used on decryption, and they are the exact same on the runner and locally (which means it is not corrupted data).
Any ideas?
Edit:
Locally openssl version outputs "LibreSSL 2.8.3", and on the server, I upgraded it to the same version. On the Runner's container though, the output is "OpenSSL 1.1.0j 20 Nov 2018".
So I think I figured out why, and what to do to fix it.
It does seem like LibreSSL 2.8.x is incompatible with OpenSSL 1.1.x.
This means that files encrypted with one TLS implementation cannot be decrypted with the other.
What I did instead, was to ssh into the Ubuntu VM then run the encryption there. Since the CI is going to be run with any of our Ubuntu VMs and will be deployed on similar machines using similar TLS implementations, I do not anticipate any further problems with key file encryption/decryption.
This means that I would be unable to test decrypt on my local machine though, but I'm sure I can live with that :-)
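An added example, not the poster's scripts/decrypt.sh, that shows the setting the two machines disagree on and pins it. With -k or -pass, `openssl enc` derives the AES key and IV from the passphrase and the salt using a digest; OpenSSL 1.1.0 changed the default digest for that derivation from MD5 to SHA-256, and LibreSSL's default has not tracked OpenSSL's in every release (the 2.8.3 versus 1.1.0j pair on this page is one such mismatch). A file encrypted under one digest and decrypted under another fails with exactly the "EVP_DecryptFinal_ex:bad decrypt" shown in the question. Passing -md on both ends removes the dependence on whichever build happens to run, so the file can again be test-decrypted locally. FILE_PASSPHRASE, KDF_MD and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not the original scripts/decrypt.sh): passphrase-based encrypt/decrypt
# with the key-derivation digest pinned, so OpenSSL 1.0.x, 1.1.x, 3.x and LibreSSL all
# derive the same key from the same passphrase and salt.
#
# The passphrase is taken from an environment variable (-pass env:) rather than from
# argv, so it does not show up in `ps` output or in the job's `set -x` trace.

KDF_MD="${KDF_MD:-sha256}"   # the same value must be used when encrypting and decrypting

# enc_file <in> <out>: encrypt <in> to <out> with the passphrase in $FILE_PASSPHRASE.
enc_file() {
  [ -n "${FILE_PASSPHRASE:-}" ] || { echo "FILE_PASSPHRASE is not set" >&2; return 2; }
  openssl aes-256-cbc -salt -md "$KDF_MD" -pass env:FILE_PASSPHRASE -in "$1" -out "$2"
}

# dec_file <in> <out>: the decrypt step for the CI job.  Exits non-zero on "bad decrypt".
dec_file() {
  [ -n "${FILE_PASSPHRASE:-}" ] || { echo "FILE_PASSPHRASE is not set" >&2; return 2; }
  openssl aes-256-cbc -d -md "$KDF_MD" -pass env:FILE_PASSPHRASE -in "$1" -out "$2"
}

# default_kdf_md <"openssl version" banner>: the digest `openssl enc` uses when -md is
# omitted, for the builds this is certain about.  Anything else (LibreSSL included)
# prints "unknown" and returns 1, meaning: do not rely on the default, pin -md.
default_kdf_md() {
  case "$1" in
    "OpenSSL 0."*|"OpenSSL 1.0."*) echo md5 ;;
    "OpenSSL 1.1."*|"OpenSSL 3."*) echo sha256 ;;
    *) echo unknown; return 1 ;;
  esac
}

# In .gitlab-ci.yml, with FILE_PASSPHRASE defined as a masked CI variable:
#   script:
#     - . scripts/decrypt.sh && dec_file assets/server.key.enc assets/server.key
```

Where both ends are OpenSSL 1.1.1 or later, add `-pbkdf2` (with `-iter`) on both sides as well: the single-pass derivation that `-md` selects is cheap to brute-force against a weak passphrase, and pinning the digest only fixes portability, not that.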

.crt to .p12 file conversion gives "unable to load certificates" error

I have a name.crt file. I convert it using the following command:
openssl pkcs12 -export -in name.crt -inkey name.key -out name.p12 -name "name"
I get the following error
unable to load certificates
but the name.p12 file gets generated, which I am not able to use as it shows EOF when used with RestTemplate.
I tried the process by removing ^M from name.crt file which again shows
unable to load certificates
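An added example, not from the question, that diagnoses the input before exporting. `openssl pkcs12 -export` reports "unable to load certificates" when the file given to -in cannot be parsed as one or more PEM certificates, most often because the .crt is DER-encoded (binary, with no BEGIN CERTIFICATE line) or is not a certificate at all; CR characters from Windows line endings are normally tolerated by the PEM reader, which is consistent with removing ^M not helping above. Any .p12 left behind after that error is not a usable keystore. The helper below converts DER to PEM, checks that the key and certificate belong together (a mismatch is the other common way the export fails), and reads the export password from P12_PASSWORD instead of prompting. The function names and that variable are this example's own.

```shell
#!/bin/sh
# Added example (not the original command): normalise a certificate to PEM, verify the
# key/certificate pair, then run the same pkcs12 -export as in the question.

# cert_form <file>: print "pem" or "der" according to which encoding `openssl x509`
# can parse, or "unknown" (exit 1) for anything that is not an X.509 certificate.
# The PEM marker is checked first because newer openssl builds auto-detect DER input
# regardless of -inform.
cert_form() {
  if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
    openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1 && { echo pem; return 0; }
  elif openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1; then
    echo der; return 0
  fi
  echo unknown; return 1
}

# key_matches_cert <key.pem> <cert.pem>: 0 if the certificate carries the key's public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# to_p12 <key> <crt> <out.p12> <friendly-name>: convert DER to PEM if needed, drop CR
# characters, check the pair, then export.  The export password is read from the
# environment (P12_PASSWORD) so that nothing is prompted for in a script.
to_p12() {
  key=$1 crt=$2 out=$3 name=$4
  [ -n "${P12_PASSWORD:-}" ] || { echo "P12_PASSWORD is not set" >&2; return 2; }
  tmp=$(mktemp)
  case "$(cert_form "$crt")" in
    pem) tr -d '\r' < "$crt" > "$tmp" ;;
    der) openssl x509 -in "$crt" -inform DER -out "$tmp" ;;
    *)   echo "$crt: not an X.509 certificate in PEM or DER form" >&2; rm -f "$tmp"; return 1 ;;
  esac
  if ! key_matches_cert "$key" "$tmp"; then
    echo "$key does not match the public key in $crt" >&2; rm -f "$tmp"; return 1
  fi
  openssl pkcs12 -export -in "$tmp" -inkey "$key" -name "$name" -out "$out" \
    -passout env:P12_PASSWORD
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Example invocation (the file names are the ones from the question):
#   P12_PASSWORD=changeit to_p12 name.key name.crt name.p12 name
```

If `cert_form name.crt` prints `unknown`, look at the first line of the file: a `BEGIN CERTIFICATE REQUEST` or `BEGIN ... PRIVATE KEY` header means the wrong file was downloaded or named .crt, and no conversion will fix that.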

GnuPG Automating Sign+Encrypt - passphrase-fd 0 issues on Windows

I am currently writing a batch script to automate signing and encrypting files, on GnuPG version 2.0.30.
Can someone explain why the following will not work on my Windows machine:
echo "passphrase"| gpg2 --batch --yes --always-trust --passphrase-fd 0 -es -r "Public key for encryption" "Path of file to encrypt"
To my knowledge, this should be piping the output of echo (my passphrase) as the input of --passphrase-fd 0 (0 operating on STDIN handle of course). I can't seem to get this to work, and wasn't sure if it was my code, or if it's just an issue running this on Windows.
Whenever I execute this command, I get
"no default secret key: Bad passphrase"
"sign+encrypt failed: Bad passphrase"
As a workaround, I was able to use the redirection operator < and passed the filepath to my passphrase, still using the STDIN handle (0):
gpg2 --batch --yes --always-trust --passphrase-fd 0 -es -r "Public key for encryption" "Path of file to encrypt" < "Filepath to passphrase"
I realize it's bad practice to store a passphrase in a local file, and may consider removing the signature altogether, but for my own sake, I want to better understand why this won't work using piping (on Windows).
Thanks!

GPG failing when run by application

If I run gpg to sign and encrypt a file from the command line, it works. I have an application that tries the same and I get the following error. The application has worked signing and encrypting before, so I do not think that it is a permission issue. Any ideas?
Running on Windows, GnuPG 1.4.2.2.
gpg: keyblock resource C:/Program Files/GNU/GnuPG" --output D:/WEA/ACH/milw472b.gpg --yes --batch --armor --recipient JPMC_ECS_PROD_2015 --default-key wea#weatrust.com --passphrase-fd 0 --no-verbose --sign --encrypt D:/WEA/ACH/ACH \secring.gpg': file open error
gpg: keyblock resourceC:/Program Files/GNU/GnuPG" --output D:/WEA/ACH/milw472b.gpg --yes --batch --armor --recipient JPMC_ECS_PROD_2015 --default-key wea#weatrust.com --passphrase-fd 0 --no-verbose --sign --encrypt D:/WEA/ACH/ACH \pubring.gpg': file open error
gpg: no valid OpenPGP data found.
gpg: processing message failed: eof
Why is your program including the paths to the public and secret keyrings? GPG should find them in the home directory, if you're using a different location for those files then you either need to specify the new home directory (with the --homedir flag) or prepend the two keyring files with the relevant flags (--keyring and --secret-keyring).
As it is, that command appears to be trying to encrypt your public and secret keyrings to the "JPMC_ECS_PROD_2015" recipient. If "JPMC_ECS_PROD_2015" is not a group name (specified in the gpg.conf file) or specified elsewhere in the code for your program, then that will generate errors relating to an invalid recipient (or recipient format).
