From 452ade3d77eaf269ee92ff7c201f8e73cae2b224 Mon Sep 17 00:00:00 2001
From: Michael Kriese <michael.kriese@visualon.de>
Date: Mon, 22 Apr 2024 13:57:19 +0200
Subject: [PATCH] feat(config/encrypt): replace pgp library (#28312)
---
docs/usage/self-hosted-experimental.md | 4 +
lib/config/decrypt.ts | 6 +-
lib/config/decrypt/kbpgp.spec.ts | 132 +++++++++++++++++++++++++
lib/config/decrypt/kbpgp.ts | 88 +++++++++++++++++
lib/config/decrypt/openpgp.spec.ts | 4 +
package.json | 1 +
pnpm-lock.yaml | 120 +++++++++++++++++++++-
7 files changed, 353 insertions(+), 2 deletions(-)
create mode 100644 lib/config/decrypt/kbpgp.spec.ts
create mode 100644 lib/config/decrypt/kbpgp.ts
diff --git a/docs/usage/self-hosted-experimental.md b/docs/usage/self-hosted-experimental.md
index 04124a9ba7..de05425368 100644
--- a/docs/usage/self-hosted-experimental.md
+++ b/docs/usage/self-hosted-experimental.md
@@ -185,6 +185,10 @@ Don't combine with `redisUrl`, Redis would be preferred over SQlite.
Suppress the pre-commit support warning in PR bodies.
+## `RENOVATE_X_USE_OPENPGP`
+
+Use `openpgp` instead of `kbpgp` for `PGP` decryption.
+
## `RENOVATE_X_YARN_PROXY`
Configure global Yarn proxy settings if HTTP proxy environment variables are detected.
diff --git a/lib/config/decrypt.ts b/lib/config/decrypt.ts
index 127301308e..1895b6dc8f 100644
--- a/lib/config/decrypt.ts
+++ b/lib/config/decrypt.ts
@@ -4,6 +4,7 @@ import { maskToken } from '../util/mask';
import { regEx } from '../util/regex';
import { addSecretForSanitizing } from '../util/sanitize';
import { ensureTrailingSlash } from '../util/url';
+import { tryDecryptKbPgp } from './decrypt/kbpgp';
import {
tryDecryptPublicKeyDefault,
tryDecryptPublicKeyPKCS1,
@@ -21,7 +22,10 @@ export async function tryDecrypt(
): Promise<string | null> {
let decryptedStr: string | null = null;
if (privateKey?.startsWith('-----BEGIN PGP PRIVATE KEY BLOCK-----')) {
- const decryptedObjStr = await tryDecryptOpenPgp(privateKey, encryptedStr);
+ const decryptedObjStr =
+ process.env.RENOVATE_X_USE_OPENPGP === 'true'
+ ? await tryDecryptOpenPgp(privateKey, encryptedStr)
+ : await tryDecryptKbPgp(privateKey, encryptedStr);
if (decryptedObjStr) {
decryptedStr = validateDecryptedValue(decryptedObjStr, repository);
}
diff --git a/lib/config/decrypt/kbpgp.spec.ts b/lib/config/decrypt/kbpgp.spec.ts
new file mode 100644
index 0000000000..008ba46fa2
--- /dev/null
+++ b/lib/config/decrypt/kbpgp.spec.ts
@@ -0,0 +1,132 @@
+import { Fixtures } from '../../../test/fixtures';
+import { CONFIG_VALIDATION } from '../../constants/error-messages';
+import { decryptConfig } from '../decrypt';
+import { GlobalConfig } from '../global';
+import type { RenovateConfig } from '../types';
+import { tryDecryptKbPgp } from './kbpgp';
+
+const privateKey = Fixtures.get('private-pgp.pem', '..');
+const repository = 'abc/def';
+
+describe('config/decrypt/kbpgp', () => {
+ describe('decryptConfig()', () => {
+ let config: RenovateConfig;
+
+ beforeEach(() => {
+ config = {};
+ GlobalConfig.reset();
+ });
+
+ it('returns null for invalid key', async () => {
+ expect(
+ await tryDecryptKbPgp(
+ 'invalid-key',
+ 'wcFMAw+4H7SgaqGOAQ/+Lz6RlbEymbnmMhrktuaGiDPWRNPEQFuMRwwYM6/B/r0JMZa9tskAA5RpyYKxGmJJeuRtlA8GkTw02GoZomlJf/KXJZ95FwSbkXMSRJRD8LJ2402Hw2TaOTaSvfamESnm8zhNo8cok627nkKQkyrpk64heVlU5LIbO2+UgYgbiSQjuXZiW+QuJ1hVRjx011FQgEYc59+22yuKYqd8rrni7TrVqhGRlHCAqvNAGjBI4H7uTFh0sP4auunT/JjxTeTkJoNu8KgS/LdrvISpO67TkQziZo9XD5FOzSN7N3e4f8vO4N4fpjgkIDH/9wyEYe0zYz34xMAFlnhZzqrHycRqzBJuMxGqlFQcKWp9IisLMoVJhLrnvbDLuwwcjeqYkhvODjSs7UDKwTE4X4WmvZr0x4kOclOeAAz/pM6oNVnjgWJd9SnYtoa67bZVkne0k6mYjVhosie8v8icijmJ4OyLZUGWnjZCRd/TPkzQUw+B0yvsop9FYGidhCI+4MVx6W5w7SRtCctxVfCjLpmU4kWaBUUJ5YIQ5xm55yxEYuAsQkxOAYDCMFlV8ntWStYwIG1FsBgJX6VPevXuPPMjWiPNedIpJwBH2PLB4blxMfzDYuCeaIqU4daDaEWxxpuFTTK9fLdJKuipwFG6rwE3OuijeSN+2SLszi834DXtUjQdikHSTQG392+oTmZCFPeffLk/OiV2VpdXF3gGL7sr5M9hOWIZ783q0vW1l6nAElZ7UA//kW+L6QRxbnBVTJK5eCmMY6RJmL76zjqC1jQ0FC10',
+ ),
+ ).toBeNull();
+ });
+
+ it('rejects invalid PGP message', async () => {
+ GlobalConfig.set({ privateKey });
+ config.encrypted = {
+ token:
+ 'long-but-wrong-wcFMAw+4H7SgaqGOAQ//ZNPgHJ4RQBdfFoDX8Ywe9UxqMlc8k6VasCszQ2JULh/BpEdKdgRUGNaKaeZ+oBKYDBmDwAD5V5FEMlsg+KO2gykp/p2BAwvKGtYK0MtxLh4h9yJbN7TrVnGO3/cC+Inp8exQt0gD6f1Qo/9yQ9NE4/BIbaSs2b2DgeIK7Ed8N675AuSo73UOa6o7t+9pKeAAK5TQwgSvolihbUs8zjnScrLZD+nhvL3y5gpAqK9y//a+bTu6xPA1jdLjsswoCUq/lfVeVsB2GWV2h6eex/0fRKgN7xxNgdMn0a7msrvumhTawP8mPisPY2AAsHRIgQ9vdU5HbOPdGoIwI9n9rMdIRn9Dy7/gcX9Ic+RP2WwS/KnPHLu/CveY4W5bYqYoikWtJs9HsBCyWFiHIRrJF+FnXwtKdoptRfxTfJIkBoLrV6fDIyKo79iL+xxzgrzWs77KEJUJfexZBEGBCnrV2o7mo3SU197S0qx7HNvqrmeCj8CLxq8opXC71TNa+XE6BQUVyhMFxtW9LNxZUHRiNzrTSikArT4hzjyr3f9cb0kZVcs6XJQsm1EskU3WXo7ETD7nsukS9GfbwMn7tfYidB/yHSHl09ih871BcgByDmEKKdmamcNilW2bmTAqB5JmtaYT5/H8jRQWo/VGrEqlmiA4KmwSv7SZPlDnaDFrmzmMZZDSRgHe5KWl283XLmSeE8J0NPqwFH3PeOv4fIbOjJrnbnFBwSAsgsMe2K4OyFDh2COfrho7s8EP1Kl5lBkYJ+VRreGRerdSu24',
+ };
+ await expect(decryptConfig(config, repository)).rejects.toThrow(
+ CONFIG_VALIDATION,
+ );
+ config.encrypted = {
+ // Missing value
+ token:
+ 'wcFMAw+4H7SgaqGOAQ//ZNPgHJ4RQBdfFoDX8Ywe9UxqMlc8k6VasCszQ2JULh/BpEdKdgRUGNaKaeZ+oBKYDBmDwAD5V5FEMlsg+KO2gykp/p2BAwvKGtYK0MtxLh4h9yJbN7TrVnGO3/cC+Inp8exQt0gD6f1Qo/9yQ9NE4/BIbaSs2b2DgeIK7Ed8N675AuSo73UOa6o7t+9pKeAAK5TQwgSvolihbUs8zjnScrLZD+nhvL3y5gpAqK9y//a+bTu6xPA1jdLjsswoCUq/lfVeVsB2GWV2h6eex/0fRKgN7xxNgdMn0a7msrvumhTawP8mPisPY2AAsHRIgQ9vdU5HbOPdGoIwI9n9rMdIRn9Dy7/gcX9Ic+RP2WwS/KnPHLu/CveY4W5bYqYoikWtJs9HsBCyWFiHIRrJF+FnXwtKdoptRfxTfJIkBoLrV6fDIyKo79iL+xxzgrzWs77KEJUJfexZBEGBCnrV2o7mo3SU197S0qx7HNvqrmeCj8CLxq8opXC71TNa+XE6BQUVyhMFxtW9LNxZUHRiNzrTSikArT4hzjyr3f9cb0kZVcs6XJQsm1EskU3WXo7ETD7nsukS9GfbwMn7tfYidB/yHSHl09ih871BcgByDmEKKdmamcNilW2bmTAqB5JmtaYT5/H8jRQWo/VGrEqlmiA4KmwSv7SZPlDnaDFrmzmMZZDSRgHe5KWl283XLmSeE8J0NPqwFH3PeOv4fIbOjJrnbnFBwSAsgsMe2K4OyFDh2COfrho7s8EP1Kl5lBkYJ+VRreGRerdSu24',
+ };
+ await expect(decryptConfig(config, repository)).rejects.toThrow(
+ CONFIG_VALIDATION,
+ );
+ config.encrypted = {
+ // Missing org scope
+ token:
+ 'wcFMAw+4H7SgaqGOAQ//W38A3PmaZnE9XTCHGDQFD52Kz78UYnaiYeAT13cEqYWTwEvQ57B7D7I6i4jCLe7KwkUCS90kyoqd7twD75W/sO70MyIveKnMlqqnpkagQkFgmzMaXXNHaJXEkjzsflTELZu6UsUs/kZYmab7r14YLl9HbH/pqN9exil/9s3ym9URCPOyw/l04KWntdMAy0D+c5M4mE+obv6fz6nDb8tkdeT5Rt2uU+qw3gH1OsB2yu+zTWpI/xTGwDt5nB5txnNTsVrQ/ZK85MSktacGVcYuU9hsEDmSrShmtqlg6Myq+Hjb7cYAp2g4n13C/I3gGGaczl0PZaHD7ALMjI7p6O1q+Ix7vMxipiKMVjS3omJoqBCz3FKc6DVhyX4tfhxgLxFo0DpixNwGbBRbMBO8qZfUk7bicAl/oCRc2Ijmay5DDYuvtkw3G3Ou+sZTe6DNpWUFy6VA4ai7hhcLvcAuiYmLdwPISRR/X4ePa8ZrmSVPyVOvbmmwLhcDYSDlC9Mw4++7ELomlve5kvjVSHvPv9BPVb5sJF7gX4vOT4FrcKalQRPmhNCZrE8tY2lvlrXwV2EEhya8EYv4QTd3JUYEYW5FXiJrORK5KDTnISw+U02nFZjFlnoz9+R6h+aIT1crS3/+YjCHE/EIKvSftOnieYb02Gk7M9nqU19EYL9ApYw4+IjSRgFM3DShIrvuDwDkAwUfaq8mKtr9Vjg/r+yox//GKS3u3r4I3+dfCljA3OwskTPfbSD+huBk4mylIvaL5v8Fngxo979wiLw',
+ };
+ await expect(decryptConfig(config, repository)).rejects.toThrow(
+ CONFIG_VALIDATION,
+ );
+ config.encrypted = {
+ // Impossible to parse
+ token:
+ 'wcFMAw+4H7SgaqGOAQ//Wa/gHgQdH7tj3LQdW6rWKjzmkYVKZW9EbexJExu4WLaMgEKodlRMilcqCKfQZpjzoiC31J8Ly/x6Soury+lQnLVbtIQ4KWa/uCIz4lXCpPpGNgN2jPfOmdwWBMOcXIT+BgAMxRu3rAmvTtunrkACJ3J92eYNwJhTzp2Azn9LpT7kHnZ64z2SPhbdUgMMhCBwBG5BPArPzF5fdaqa8uUSbKhY0GMiqPXq6Zeq+EBNoPc/RJp2urpYTknO+nRb39avKjihd9MCZ/1d3QYymbRj7SZC3LJhenVF0hil3Uk8TBASnGQiDmBcIXQFhJ0cxavXqKjx+AEALq+kTdwGu5vuE2+2B820/o3lAXR9OnJHr8GodJ2ZBpzOaPrQe5zvxL0gLEeUUPatSOwuLhdo/6+bRCl2wNz23jIjDEFFTmsLqfEHcdVYVTH2QqvLjnUYcCRRuM32vS4rCMOEe0l6p0CV2rk22UZDIPcxqXjKucxse2Sow8ATWiPoIw7zWj7XBLqUKHFnMpPV2dCIKFKBsOKYgLjF4BvKzZJyhmVEPgMcKQLYqeT/2uWDR77NSWH0Cyiwk9M3KbOIMmV3pWh9PiXk6CvumECELbJHYH0Mc+P//BnbDq2Ie9dHdmKhFgRyHU7gWvkPhic9BX36xyldPcnhTgr1XWRoVe0ETGLDPCcqrQ/SUQGrLiujSOgxGu2K/6LDJhi4IKz1/nf7FUSj5eTIDqQiSPP5pXDjlH7oYxXXrHI/aYOCZ5sBx7mOzlEcENIrYblCHO/CYMTWdCJ4Wrftqk7K/A=',
+ };
+ await expect(decryptConfig(config, repository)).rejects.toThrow(
+ CONFIG_VALIDATION,
+ );
+ config.encrypted = {
+ token: 'too-short',
+ };
+ await expect(decryptConfig(config, repository)).rejects.toThrow(
+ CONFIG_VALIDATION,
+ );
+ });
+
+ it('handles PGP org constraint', async () => {
+ GlobalConfig.set({ privateKey });
+ config.encrypted = {
+ token:
+ 'wcFMAw+4H7SgaqGOAQ/+Lz6RlbEymbnmMhrktuaGiDPWRNPEQFuMRwwYM6/B/r0JMZa9tskAA5RpyYKxGmJJeuRtlA8GkTw02GoZomlJf/KXJZ95FwSbkXMSRJRD8LJ2402Hw2TaOTaSvfamESnm8zhNo8cok627nkKQkyrpk64heVlU5LIbO2+UgYgbiSQjuXZiW+QuJ1hVRjx011FQgEYc59+22yuKYqd8rrni7TrVqhGRlHCAqvNAGjBI4H7uTFh0sP4auunT/JjxTeTkJoNu8KgS/LdrvISpO67TkQziZo9XD5FOzSN7N3e4f8vO4N4fpjgkIDH/9wyEYe0zYz34xMAFlnhZzqrHycRqzBJuMxGqlFQcKWp9IisLMoVJhLrnvbDLuwwcjeqYkhvODjSs7UDKwTE4X4WmvZr0x4kOclOeAAz/pM6oNVnjgWJd9SnYtoa67bZVkne0k6mYjVhosie8v8icijmJ4OyLZUGWnjZCRd/TPkzQUw+B0yvsop9FYGidhCI+4MVx6W5w7SRtCctxVfCjLpmU4kWaBUUJ5YIQ5xm55yxEYuAsQkxOAYDCMFlV8ntWStYwIG1FsBgJX6VPevXuPPMjWiPNedIpJwBH2PLB4blxMfzDYuCeaIqU4daDaEWxxpuFTTK9fLdJKuipwFG6rwE3OuijeSN+2SLszi834DXtUjQdikHSTQG392+oTmZCFPeffLk/OiV2VpdXF3gGL7sr5M9hOWIZ783q0vW1l6nAElZ7UA//kW+L6QRxbnBVTJK5eCmMY6RJmL76zjqC1jQ0FC10',
+ };
+ const res = await decryptConfig(config, repository);
+ expect(res.encrypted).toBeUndefined();
+ expect(res.token).toBe('123');
+ await expect(decryptConfig(config, 'wrong/org')).rejects.toThrow(
+ CONFIG_VALIDATION,
+ );
+ });
+
+ it('handles PGP multi-org constraint', async () => {
+ GlobalConfig.set({ privateKey });
+ config.encrypted = {
+ token:
+ 'wcFMAw+4H7SgaqGOAQ//Yk4RTQoLEhO0TKxN2IUBrCi88ts+CG1SXKeL06sJ2qikN/3n2JYAGGKgkHRICfu5dOnsjyFdLJ1XWUrbsM3XgVWikMbrmzD1Xe7N5DsoZXlt4Wa9pZ+IkZuE6XcKKu9whIJ22ciEwCzFwDmk/CBshdCCVVQ3IYuM6uibEHn/AHQ8K15XhraiSzF6DbJpevs5Cy7b5YHFyE936H25CVnouUQnMPsirpQq3pYeMq/oOtV/m4mfRUUQ7MUxvtrwE4lq4hLjFu5n9rwlcqaFPl7I7BEM++1c9LFpYsP5mTS7hHCZ9wXBqER8fa3fKYx0bK1ihCpjP4zUkR7P/uhWDArXamv7gHX2Kj/Qsbegn7KjTdZlggAmaJl/CuSgCbhySy+E55g3Z1QFajiLRpQ5+RsWFDbbI08YEgzyQ0yNCaRvrkgo7kZ1D95rEGRfY96duOQbjzOEqtvYmFChdemZ2+f9Kh/JH1+X9ynxY/zYe/0p/U7WD3QNTYN18loc4aXiB1adXD5Ka2QfNroLudQBmLaJpJB6wASFfuxddsD5yRnO32NSdRaqIWC1x6ti3ZYJZ2RsNwJExPDzjpQTuMOH2jtpu3q7NHmW3snRKy2YAL2UjI0YdeKIlhc/qLCJt9MRcOxWYvujTMD/yGprhG44qf0jjMkJBu7NjuVIMONujabl9b7SUQGfO/t+3rMuC68bQdCGLlO8gf3hvtD99utzXphi6idjC0HKSW/9KzuMkm+syGmIAYq/0L3EFvpZ38uq7z8KzwFFQHI3sBA34bNEr5zpU5OMWg',
+ };
+ let res = await decryptConfig(config, repository);
+ expect(res.encrypted).toBeUndefined();
+ expect(res.token).toBe('123');
+ res = await decryptConfig(config, 'def/ghi');
+ expect(res.encrypted).toBeUndefined();
+ expect(res.token).toBe('123');
+ await expect(decryptConfig(config, 'wrong/org')).rejects.toThrow(
+ CONFIG_VALIDATION,
+ );
+ });
+
+ it('handles PGP org/repo constraint', async () => {
+ GlobalConfig.set({ privateKey });
+ config.encrypted = {
+ token:
+ 'wcFMAw+4H7SgaqGOAQ//Wp7N0PaDZp0uOdwsc1CuqAq0UPcq+IQdHyKpJs3tHiCecXBHogy4P+rY9nGaUrVneCr4HexuKGuyJf1yl0ZqFffAUac5PjF8eDvjukQGOUq4aBlOogJCEefnuuVxVJx+NRR5iF1P6v57bmI1c+zoqZI/EQB30KU6O1BsdGPLUA/+R3dwCZd5Mbd36s34eYBasqcY9/QbqFcpElXMEPMse3kMCsVXPbZ+UMjtPJiBPUmtJq+ifnu1LzDrfshusSQMwgd/QNk7nEsijiYKllkWhHTP6g7zigvJ46x0h6AYS108YiuK3B9XUhXN9m05Ac6KTEEUdRI3E/dK2dQuRkLjXC8wceQm4A19Gm0uHoMIJYOCbiVoBCH6ayvKbZWZV5lZ4D1JbDNGmKeIj6OX9XWEMKiwTx0Xe89V7BdJzwIGrL0TCLtXuYWZ/R2k+UuBqtgzr44BsBqMpKUA0pcGBoqsEou1M05Ae9fJMF6ADezF5UQZPxT1hrMldiTp3p9iHGfWN2tKHeoW/8CqlIqg9JEkTc+Pl/L9E6ndy5Zjf097PvcmSGhxUQBE7XlrZoIlGhiEU/1HPMen0UUIs0LUu1ywpjCex2yTWnU2YmEwy0MQI1sekSr96QFxDDz9JcynYOYbqR/X9pdxEWyzQ+NJ3n6K97nE1Dj9Sgwu7mFGiUdNkf/SUAF0eZi/eXg71qumpMGBd4eWPtgkeMPLHjvMSYw9vBUfcoKFz6RJ4woG0dw5HOFkPnIjXKWllnl/o01EoBp/o8uswsIS9Nb8i+bp27U6tAHE',
+ };
+ const res = await decryptConfig(config, repository);
+ expect(res.encrypted).toBeUndefined();
+ expect(res.token).toBe('123');
+ await expect(decryptConfig(config, 'abc/defg')).rejects.toThrow(
+ CONFIG_VALIDATION,
+ );
+ });
+
+ it('handles PGP multi-org/repo constraint', async () => {
+ GlobalConfig.set({ privateKey });
+ config.encrypted = {
+ token:
+ 'wcFMAw+4H7SgaqGOARAAibXL3zr0KZawiND868UGdPpGRo1aVZfn0NUBHpm8mXfgB1rBHaLsP7qa8vxDHpwH9DRD1IyB4vvPUwtu7wmuv1Vtr596tD40CCcCZYB5JjZLWRF0O0xaZFCOi7Z9SqqdaOQoMScyvPO+3/lJkS7zmLllJFH0mQoX5Cr+owUAMSWqbeCQ9r/KAXpnhmpraDjTav48WulcdTMc8iQ/DHimcdzHErLOAjtiQi4OUe1GnDCcN76KQ+c+ZHySnkXrYi/DhOOu9qB4glJ5n68NueFja+8iR39z/wqCI6V6TIUiOyjFN86iVyNPQ4Otem3KuNwrnwSABLDqP491eUNjT8DUDffsyhNC9lnjQLmtViK0EN2yLVpMdHq9cq8lszBChB7gobD9rm8nUHnTuLf6yJvZOj6toD5Yqj8Ibj58wN90Q8CUsBp9/qp0J+hBVUPOx4sT6kM2p6YarlgX3mrIW5c1U+q1eDbCddLjHiU5cW7ja7o+cqlA6mbDRu3HthjBweiXTicXZcRu1o/wy/+laQQ95x5FzAXDnOwQUHBmpTDI3tUJvQ+oy8XyBBbyC0LsBye2c2SLkPJ4Ai3IMR+Mh8puSzVywTbneiAQNBzJHlj5l85nCF2tUjvNo3dWC+9mU5sfXg11iEC6LRbg+icjpqRtTjmQURtciKDUbibWacwU5T/SVAGPXnW7adBOS0PZPIZQcSwjchOdOl0IjzBy6ofu7ODdn2CXZXi8zbevTICXsHvjnW4MAj5oXrStxK3LkWyM3YBOLe7sOfWvWz7n9TM3dHg032navQ',
+ };
+ let res = await decryptConfig(config, repository);
+ expect(res.encrypted).toBeUndefined();
+ expect(res.token).toBe('123');
+ res = await decryptConfig(config, 'def/def');
+ expect(res.encrypted).toBeUndefined();
+ expect(res.token).toBe('123');
+ await expect(decryptConfig(config, 'abc/defg')).rejects.toThrow(
+ CONFIG_VALIDATION,
+ );
+ });
+ });
+});
diff --git a/lib/config/decrypt/kbpgp.ts b/lib/config/decrypt/kbpgp.ts
new file mode 100644
index 0000000000..ccff067c73
--- /dev/null
+++ b/lib/config/decrypt/kbpgp.ts
@@ -0,0 +1,88 @@
+import kbpgp from 'kbpgp';
+import { logger } from '../../logger';
+import { regEx } from '../../util/regex';
+
+declare module 'kbpgp' {
+ export class KeyManager {
+ static import_from_armored_pgp(
+ opts: { armored: string },
+ cb: (err: Error, pk: KeyManager) => void,
+ ): void;
+ }
+
+ // eslint-disable-next-line @typescript-eslint/no-namespace
+ export namespace keyring {
+ export class KeyRing {
+ add_key_manager(pk: KeyManager): void;
+ }
+ }
+
+ export class Literal {
+ toString(): string;
+ }
+
+ export function unbox(
+ opts: { keyfetch: keyring.KeyRing; armored: string },
+ cb: (err: Error, literals: Literal[]) => void,
+ ): void;
+}
+
+export async function tryDecryptKbPgp(
+ privateKey: string,
+ encryptedStr: string,
+): Promise<string | null> {
+ if (encryptedStr.length < 500) {
+ // optimization during transition of public key -> pgp
+ return null;
+ }
+ try {
+ const pk = await new Promise<kbpgp.KeyManager>((resolve, reject) => {
+ kbpgp.KeyManager.import_from_armored_pgp(
+ {
+ armored: privateKey.replace(regEx(/\n[ \t]+/g), '\n'),
+ },
+ (err: Error, pk) => {
+ if (err) {
+ reject(err);
+ } else {
+ resolve(pk);
+ }
+ },
+ );
+ });
+
+ const ring = new kbpgp.keyring.KeyRing();
+ ring.add_key_manager(pk);
+
+ const startBlock = '-----BEGIN PGP MESSAGE-----\n\n';
+ const endBlock = '\n-----END PGP MESSAGE-----';
+ let armoredMessage = encryptedStr.trim();
+ if (!armoredMessage.startsWith(startBlock)) {
+ armoredMessage = `${startBlock}${armoredMessage}`;
+ }
+ if (!armoredMessage.endsWith(endBlock)) {
+ armoredMessage = `${armoredMessage}${endBlock}`;
+ }
+
+ const data = await new Promise<kbpgp.Literal>((resolve, reject) => {
+ kbpgp.unbox(
+ {
+ keyfetch: ring,
+ armored: armoredMessage,
+ },
+ (err: Error, literals: any) => {
+ if (err) {
+ reject(err);
+ } else {
+ resolve(literals[0].toString());
+ }
+ },
+ );
+ });
+ logger.debug('Decrypted config using kppgp');
+ return data as string;
+ } catch (err) {
+ logger.debug({ err }, 'Could not decrypt using kppgp');
+ return null;
+ }
+}
diff --git a/lib/config/decrypt/openpgp.spec.ts b/lib/config/decrypt/openpgp.spec.ts
index e4c3703e5e..272b758df0 100644
--- a/lib/config/decrypt/openpgp.spec.ts
+++ b/lib/config/decrypt/openpgp.spec.ts
@@ -11,6 +11,10 @@ describe('config/decrypt/openpgp', () => {
describe('decryptConfig()', () => {
let config: RenovateConfig;
+ beforeAll(() => {
+ process.env.RENOVATE_X_USE_OPENPGP = 'true';
+ });
+
beforeEach(() => {
jest.resetModules();
config = {};
diff --git a/package.json b/package.json
index c222a85492..d12ea0597f 100644
--- a/package.json
+++ b/package.json
@@ -212,6 +212,7 @@
"json-stringify-pretty-compact": "3.0.0",
"json5": "2.2.3",
"jsonata": "2.0.4",
+ "kbpgp": "2.1.15",
"klona": "2.0.6",
"lru-cache": "10.2.0",
"luxon": "3.4.4",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 644ab5b3b1..0ce272cd23 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -224,6 +224,9 @@ importers:
jsonata:
specifier: 2.0.4
version: 2.0.4
+ kbpgp:
+ specifier: 2.1.15
+ version: 2.1.15
klona:
specifier: 2.0.6
version: 2.0.6
@@ -4675,6 +4678,10 @@ packages:
dev: false
optional: true
+ /bn@1.0.5:
+ resolution: {integrity: sha512-7TvGbqbZb6lDzsBtNz1VkdXXV0BVmZKPPViPmo2IpvwaryF7P+QKYKACyVkwo2mZPr2CpFiz7EtgPEcc3o/JFQ==}
+ dev: false
+
/boolbase@1.0.0:
resolution: {integrity: sha512-JZOSA7Mo9sNGB8+UjSgzdLtokWAky1zbztM3WRLCbZ70/3cTANmQmOdR7y2g+J0e2WXywy1yS468tY+IruqEww==}
dev: false
@@ -4767,6 +4774,10 @@ packages:
safe-json-stringify: 1.2.0
dev: false
+ /bzip-deflate@1.0.0:
+ resolution: {integrity: sha512-9RMnpiJqMYMJcLdr4pxwowZ8Zh3P+tVswE/bnX6tZ14UGKNcdV5WVK2P+lGp2As+RCjl+i3SFJ117HyCaaHNDA==}
+ dev: false
+
/cacache@18.0.2:
resolution: {integrity: sha512-r3NU8h/P+4lVUHfeRw1dtgQYar3DZMm4/cm2bZgOvrFC/su7budSOeqh52VJIC4U4iG1WWwV6vRW0znqBvxNuw==}
engines: {node: ^16.14.0 || >=18.0.0}
@@ -5273,6 +5284,18 @@ packages:
optional: true
dev: true
+ /deep-equal@1.1.2:
+ resolution: {integrity: sha512-5tdhKF6DbU7iIzrIOa1AOUt39ZRm13cmL1cGEh//aqR8x9+tNfbywRf0n5FD/18OKMdo7DNEtrX2t22ZAkI+eg==}
+ engines: {node: '>= 0.4'}
+ dependencies:
+ is-arguments: 1.1.1
+ is-date-object: 1.0.5
+ is-regex: 1.1.4
+ object-is: 1.1.6
+ object-keys: 1.1.1
+ regexp.prototype.flags: 1.5.2
+ dev: false
+
/deep-extend@0.6.0:
resolution: {integrity: sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==}
engines: {node: '>=4.0.0'}
@@ -6720,6 +6743,20 @@ packages:
hasBin: true
dev: true
+ /iced-error@0.0.13:
+ resolution: {integrity: sha512-yEEaG8QfyyRL0SsbNNDw3rVgTyqwHFMCuV6jDvD43f/2shmdaFXkqvFLGhDlsYNSolzYHwVLM/CrXt9GygYopA==}
+ dev: false
+
+ /iced-lock@1.1.0:
+ resolution: {integrity: sha512-J9UMVitgTMYrkUil5EB9/Q4BPWiMpFH156yjDlmMoMRKs3s3PnXj/6G0UlzIOGnNi5JVNk/zVYLXVnuo+1QnqQ==}
+ dependencies:
+ iced-runtime: 1.0.4
+ dev: false
+
+ /iced-runtime@1.0.4:
+ resolution: {integrity: sha512-rgiJXNF6ZgF2Clh/TKUlBDW3q51YPDJUXmxGQXx1b8tbZpVpTn+1RX9q1sjNkujXIIaVxZByQzPHHORg7KV51g==}
+ dev: false
+
/iconv-lite@0.6.3:
resolution: {integrity: sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==}
engines: {node: '>=0.10.0'}
@@ -7756,6 +7793,38 @@ packages:
safe-buffer: 5.2.1
dev: false
+ /kbpgp@2.1.15:
+ resolution: {integrity: sha512-iFdQT+m2Mi2DB14kEFydF2joNe9x3E2VZCGZUt7UXsiZnQx5TtSl4KofP7EPtjHvf7weCxNKlEPSYiiCNMZ2jA==}
+ dependencies:
+ bn: 1.0.5
+ bzip-deflate: 1.0.0
+ deep-equal: 1.1.2
+ iced-error: 0.0.13
+ iced-lock: 1.1.0
+ iced-runtime: 1.0.4
+ keybase-ecurve: 1.0.1
+ keybase-nacl: 1.1.4
+ minimist: 1.2.8
+ pgp-utils: 0.0.35
+ purepack: 1.0.6
+ triplesec: 4.0.3
+ tweetnacl: 0.13.3
+ dev: false
+
+ /keybase-ecurve@1.0.1:
+ resolution: {integrity: sha512-2GlVxDsNF+52LtYjgFsjoKuN7MQQgiVeR4HRdJxLuN8fm4mf4stGKPUjDJjky15c/98UsZseLjp7Ih5X0Sy1jQ==}
+ dependencies:
+ bn: 1.0.5
+ dev: false
+
+ /keybase-nacl@1.1.4:
+ resolution: {integrity: sha512-7TFyWLq42CQs7JES9arR+Vnv/eMk5D6JT1Y8samrEA5ff3FOmaiRcXIVrwJQd3KJduxmSjgAjdkXlQK7Q437xQ==}
+ dependencies:
+ iced-runtime: 1.0.4
+ tweetnacl: 0.13.3
+ uint64be: 1.0.1
+ dev: false
+
/keyv@4.5.4:
resolution: {integrity: sha512-oxVHkHR/EJf2CNXnWxRLW6mg7JyCCUcG0DtEGmL2ctUo1PNTin1PUil+r/+4r5MpVgC/fn1kjsx7mjSujKqIpw==}
dependencies:
@@ -8354,6 +8423,12 @@ packages:
resolution: {integrity: sha512-iSAJLHYKnX41mKcJKjqvnAN9sf0LMDTXDEvFv+ffuRR9a1MIuXLjMNL6EsnDHSkKLTWNqQQ5uo61P4EbU4NU+Q==}
dev: false
+ /more-entropy@0.0.7:
+ resolution: {integrity: sha512-e0TxQtU1F6/ZA8WnEA2JLQwwDqBTtZFLJSW7rWgUsQou35wx1IOL0g2O7q7oGoMgIJto+jHMnNGHLfSiylHRrw==}
+ dependencies:
+ iced-runtime: 1.0.4
+ dev: false
+
/ms@2.1.2:
resolution: {integrity: sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==}
@@ -8715,6 +8790,14 @@ packages:
/object-inspect@1.13.1:
resolution: {integrity: sha512-5qoj1RUiKOMsCCNLV1CBiPYE10sziTsnmNxkAI/rZhiD63CF7IqdFGC/XzjWjpSgLf0LxXX3bDFIh0E18f6UhQ==}
+ /object-is@1.1.6:
+ resolution: {integrity: sha512-F8cZ+KfGlSGi09lJT7/Nd6KJZ9ygtvYC0/UYYLI9nmQKLMnydpB9yvbv9K1uSkEu7FU9vYPmVwLg328tX+ot3Q==}
+ engines: {node: '>= 0.4'}
+ dependencies:
+ call-bind: 1.0.7
+ define-properties: 1.2.1
+ dev: false
+
/object-keys@1.1.1:
resolution: {integrity: sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA==}
engines: {node: '>= 0.4'}
@@ -9055,6 +9138,13 @@ packages:
resolution: {integrity: sha512-F3asv42UuXchdzt+xXqfW1OGlVBe+mxa2mqI0pg5yAHZPvFmY3Y6drSf/GQ1A86WgWEN9Kzh/WrgKa6iGcHXLg==}
dev: false
+ /pgp-utils@0.0.35:
+ resolution: {integrity: sha512-gCT6EbSTgljgycVa5qGpfRITaLOLbIKsEVRTdsNRgmLMAJpuJNNdrTn/95r8IWo9rFLlccfmGMJXkG9nVDwmrA==}
+ dependencies:
+ iced-error: 0.0.13
+ iced-runtime: 1.0.4
+ dev: false
+
/picocolors@1.0.0:
resolution: {integrity: sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ==}
@@ -9153,6 +9243,11 @@ packages:
fromentries: 1.3.2
dev: true
+ /progress@1.1.8:
+ resolution: {integrity: sha512-UdA8mJ4weIkUBO224tIarHzuHs4HuYiJvsuGT7j/SPQiUJVjYvNDBIPa0hAorduOfjGohB/qHWRa/lrrWX/mXw==}
+ engines: {node: '>=0.4.0'}
+ dev: false
+
/promise-retry@2.0.1:
resolution: {integrity: sha512-y+WKFlBR8BGXnsNlIHFGPZmyDf3DFMoLhaflAnyZgV6rG6xu+JwesTo2Q9R6XwYmtmwAFCkAk3e35jEdoeh/3g==}
engines: {node: '>=10'}
@@ -9205,6 +9300,11 @@ packages:
resolution: {integrity: sha512-bVWawvoZoBYpp6yIoQtQXHZjmz35RSVHnUOTefl8Vcjr8snTPY1wnpSPMWekcFwbxI6gtmT7rSYPFvz71ldiOA==}
dev: true
+ /purepack@1.0.6:
+ resolution: {integrity: sha512-L/e3qq/3m/TrYtINo2aBB98oz6w8VHGyFy+arSKwPMZDUNNw2OaQxYnZO6UIZZw2OnRl2qkxGmuSOEfsuHXJdA==}
+ engines: {node: '>=0.10.0'}
+ dev: false
+
/qs@6.12.1:
resolution: {integrity: sha512-zWmv4RSuB9r2mYQw3zxQuHWeU+42aKi1wWig/j4ele4ygELZ7PEO6MM7rim9oAQH2A5MWfsAVf/jPvTPgCbvUQ==}
engines: {node: '>=0.6'}
@@ -10224,6 +10324,17 @@ packages:
engines: {node: '>=8'}
dev: false
+ /triplesec@4.0.3:
+ resolution: {integrity: sha512-fug70e1nJoCMxsXQJlETisAALohm84vl++IiTTHEqM7Lgqwz62jrlwqOC/gJEAJjO/ByN127sEcioB56HW3wIw==}
+ dependencies:
+ iced-error: 0.0.13
+ iced-lock: 1.1.0
+ iced-runtime: 1.0.4
+ more-entropy: 0.0.7
+ progress: 1.1.8
+ uglify-js: 3.17.4
+ dev: false
+
/trough@1.0.5:
resolution: {integrity: sha512-rvuRbTarPXmMb79SmzEp8aqXNKcK+y0XaB298IXueQ8I2PsrATcPBCSPyK/dDNa2iWOhKlfNnOjdAOTBU/nkFA==}
@@ -10349,6 +10460,10 @@ packages:
resolution: {integrity: sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==}
engines: {node: '>=0.6.11 <=0.7.0 || >=0.7.3'}
+ /tweetnacl@0.13.3:
+ resolution: {integrity: sha512-iNWodk4oBsZ03Qfw/Yvv0KB90uYrJqvL4Je7Gy4C5t/GS3sCXPRmIT1lxmId4RzvUp0XG62bcxJ2CBu/3L5DSg==}
+ dev: false
+
/typanion@3.14.0:
resolution: {integrity: sha512-ZW/lVMRabETuYCd9O9ZvMhAh8GslSqaUjxmK/JLPCh6l73CvLBiuXswj/+7LdnWOgYsQ130FqLzFz5aGT4I3Ug==}
dev: false
@@ -10492,7 +10607,10 @@ packages:
engines: {node: '>=0.8.0'}
hasBin: true
requiresBuild: true
- optional: true
+
+ /uint64be@1.0.1:
+ resolution: {integrity: sha512-w+VZSp8hSZ/xWZfZNMppWNF6iqY+dcMYtG5CpwRDgxi94HIE6ematSdkzHGzVC4SDEaTsG65zrajN+oKoWG6ew==}
+ dev: false
/unbox-primitive@1.0.2:
resolution: {integrity: sha512-61pPlCD9h51VoreyJ0BReideM3MDKMKnh6+V9L08331ipq6Q8OFXZYiqP6n/tbHx4s5I9uRhcye6BrbkizkBDw==}
--
GitLab