chore(deps): update dependency mozilla/sops to v3.9.0

This MR contains the following updates:

Package	Update	Change	OpenSSF
mozilla/sops	minor	v3.8.1 -> v3.9.0

---

Release Notes

mozilla/sops (mozilla/sops)

v3.9.0

Compare Source

Installation

To install sops, download one of the pre-built binaries provided for your platform from the artifacts attached to this release.

For instance, if you are using Linux on an AMD64 architecture:

### Download the binary
curl -LO https://github.com/getsops/sops/releases/download/v3.9.0/sops-v3.9.0.linux.amd64

### Move the binary in to your PATH
mv sops-v3.9.0.linux.amd64 /usr/local/bin/sops

### Make the binary executable
chmod +x /usr/local/bin/sops

Verify checksums file signature

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

### Download the checksums file, certificate and signature
curl -LO https://github.com/getsops/sops/releases/download/v3.9.0/sops-v3.9.0.checksums.txt
curl -LO https://github.com/getsops/sops/releases/download/v3.9.0/sops-v3.9.0.checksums.pem
curl -LO https://github.com/getsops/sops/releases/download/v3.9.0/sops-v3.9.0.checksums.sig

### Verify the checksums file
cosign verify-blob sops-v3.9.0.checksums.txt \
  --certificate sops-v3.9.0.checksums.pem \
  --signature sops-v3.9.0.checksums.sig \
  --certificate-identity-regexp=https://github.com/getsops \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature:

### Verify the binary using the checksums file
sha256sum -c sops-v3.9.0.checksums.txt --ignore-missing

Verify artifact provenance

The SLSA provenance of the binaries, packages, and SBOMs can be found within the artifacts associated with this release. It is presented through an in-toto link metadata file named sops-v3.9.0.intoto.jsonl. To verify the provenance of an artifact, you can utilize the slsa-verifier tool:

### Download the metadata file
curl -LO  https://github.com/getsops/sops/releases/download/v3.9.0/sops-v3.9.0.intoto.jsonl

### Verify the provenance of the artifact
slsa-verifier verify-artifact <artifact> \
  --provenance-path sops-v3.9.0.intoto.jsonl \
  --source-uri github.com/getsops/sops \
  --source-tag v3.9.0

Container Images

The sops binaries are also available as container images, based on Debian (slim) and Alpine Linux. The Debian-based container images include any dependencies which may be required to make use of certain key services, such as GnuPG, AWS KMS, Azure Key Vault, and Google Cloud KMS. The Alpine-based container images are smaller in size, but do not include these dependencies.

These container images are available for the following architectures: linux/amd64 and linux/arm64.

GitHub Container Registry

• ghcr.io/getsops/sops:v3.9.0
• ghcr.io/getsops/sops:v3.9.0-alpine

Quay.io

• quay.io/getsops/sops:v3.9.0
• quay.io/getsops/sops:v3.9.0-alpine

Verify container image signature

The container images are signed using Cosign with GitHub OIDC. To validate the signature of an image, run the following command:

cosign verify ghcr.io/getsops/sops:v3.9.0 \
  --certificate-identity-regexp=https://github.com/getsops \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  -o text

Verify container image provenance

The container images include SLSA provenance attestations. For more information around the verification of this, please refer to the slsa-verifier documentation.

Software Bill of Materials

The Software Bill of Materials (SBOM) for each binary is accessible within the artifacts enclosed with this release. It is presented as an SPDX JSON file, formatted as <binary>.spdx.sbom.json.

What's Changed

• Respect aws_profile from Keygroup Config by @​Kouzukii in https://github.com/getsops/sops/pull/1049
• build(deps): Bump the go group with 6 updates by @​dependabot in https://github.com/getsops/sops/pull/1327
• build(deps): Bump the go group with 3 updates by @​dependabot in https://github.com/getsops/sops/pull/1328
• build(deps): Bump the go group with 1 update by @​dependabot in https://github.com/getsops/sops/pull/1330
• build(deps): Bump github.com/docker/docker from 20.10.24+incompatible to 24.0.7+incompatible by @​dependabot in https://github.com/getsops/sops/pull/1336
• build(deps): Bump the go group with 3 updates by @​dependabot in https://github.com/getsops/sops/pull/1334
• Improve README.rst by @​Ph0tonic in https://github.com/getsops/sops/pull/1339
• Fix typos by @​felixfontein in https://github.com/getsops/sops/pull/1337
• build(deps): Bump the go group with 7 updates by @​dependabot in https://github.com/getsops/sops/pull/1344
• Add --mac-only-encrypted to compute MAC only over values which end up encrypted by @​mitar in https://github.com/getsops/sops/pull/973
• build(deps): Bump the ci group with 1 update by @​dependabot in https://github.com/getsops/sops/pull/1347
• build(deps): Bump the go group with 7 updates by @​dependabot in https://github.com/getsops/sops/pull/1348
• README: Correctly tag code as yaml-stream by @​felixfontein in https://github.com/getsops/sops/pull/1350
• build(deps): Bump the go group with 5 updates by @​dependabot in https://github.com/getsops/sops/pull/1354
• use getUserConfigDir also in tests by @​bkreitch in https://github.com/getsops/sops/pull/1346
• Overwrite home dir in vault test by @​bkreitch in https://github.com/getsops/sops/pull/1349
• Allow configuration of indentation for YAML and JSON stores by @​Ph0tonic in https://github.com/getsops/sops/pull/1273
• build(deps): Bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 by @​dependabot in https://github.com/getsops/sops/pull/1357
• build(deps): Bump the go group with 4 updates by @​dependabot in https://github.com/getsops/sops/pull/1360
• build(deps): Bump the ci group with 1 update by @​dependabot in https://github.com/getsops/sops/pull/1359
• Fix TestGnuPGHome_Validate by @​stormentt in https://github.com/getsops/sops/pull/1370
• build(deps): Bump the go group with 6 updates by @​dependabot in https://github.com/getsops/sops/pull/1373
• build(deps): Bump the ci group with 2 updates by @​dependabot in https://github.com/getsops/sops/pull/1376
• Docs: indent is used both for encryption and decryption by @​felixfontein in https://github.com/getsops/sops/pull/1372
• fix a bug where not having a config results in a panic by @​stormentt in https://github.com/getsops/sops/pull/1371
• Polish the 'sops help' output a bit by @​felixfontein in https://github.com/getsops/sops/pull/1341
• introduce a --pristine flag to sops exec-env by @​e-nikolov in https://github.com/getsops/sops/pull/912
• Allow to pass multiple paths to 'updatekeys' by @​sj14 in https://github.com/getsops/sops/pull/1274
• Warn/fail if the wrong number of arguments is provided by @​felixfontein in https://github.com/getsops/sops/pull/1342
• Allow to override fileName with different value by @​felixfontein in https://github.com/getsops/sops/pull/1332
• Sort masterkeys according to decryption-order by @​bkreitch in https://github.com/getsops/sops/pull/1345
• build(deps): Bump the ci group with 4 updates by @​dependabot in https://github.com/getsops/sops/pull/1382
• build(deps): Bump the go group with 5 updates by @​dependabot in https://github.com/getsops/sops/pull/1381
• Deprecate the --background option to exec-env and exec-file by @​felixfontein in https://github.com/getsops/sops/pull/1379
• build(deps): Bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @​dependabot in https://github.com/getsops/sops/pull/1383
• build(deps): Bump the ci group with 1 update by @​dependabot in https://github.com/getsops/sops/pull/1386
• build(deps): Bump the go group with 5 updates by @​dependabot in https://github.com/getsops/sops/pull/1385
• Consolidate Flatten/Unflatten pre/post processing by @​lancerushing in https://github.com/getsops/sops/pull/1356
• INI, DotEnv stores: shamir_threshold is an integer by @​felixfontein in https://github.com/getsops/sops/pull/1394
• Improve integration tests: reformat test code, make sure exit codes are always checked by @​felixfontein in https://github.com/getsops/sops/pull/1390
• Make check whether file contains invalid keys for encryption dependent on output store by @​felixfontein in https://github.com/getsops/sops/pull/1393
• Create a constant for the 'sops' metadata key by @​felixfontein in https://github.com/getsops/sops/pull/1398
• build(deps): Bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 by @​dependabot in https://github.com/getsops/sops/pull/1408
• build(deps): Bump the ci group with 4 updates by @​dependabot in https://github.com/getsops/sops/pull/1425
• build(deps): Bump github.com/opencontainers/runc from 1.1.5 to 1.1.12 by @​dependabot in https://github.com/getsops/sops/pull/1428
• build(deps): Bump the go group with 10 updates by @​dependabot in https://github.com/getsops/sops/pull/1429
• build(deps): Bump the ci group with 4 updates by @​dependabot in https://github.com/getsops/sops/pull/1432
• Warn if more than one command is used by @​felixfontein in https://github.com/getsops/sops/pull/1388
• Move extraction of encryption and rotation options to separate functions by @​felixfontein in https://github.com/getsops/sops/pull/1389
• Add separate subcommands for encryption, decryption, rotating, editing, and setting values by @​felixfontein in https://github.com/getsops/sops/pull/1391
• Add basic tests for exec-env and exec-file by @​felixfontein in https://github.com/getsops/sops/pull/1396
• build with go 1.21 and update dependencies by @​b-dean in https://github.com/getsops/sops/pull/1427
• build(deps): Bump the go group with 4 updates by @​dependabot in https://github.com/getsops/sops/pull/1439
• sops: fix typo in interface name by @​duthils in https://github.com/getsops/sops/pull/1477
• Fix function name in comment by @​pullmerge in https://github.com/getsops/sops/pull/1484
• build(deps): Bump the ci group across 1 directory with 9 updates by @​dependabot in https://github.com/getsops/sops/pull/1498
• build(deps): Bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 by @​dependabot in https://github.com/getsops/sops/pull/1454
• build(deps): Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @​dependabot in https://github.com/getsops/sops/pull/1460
• build(deps): Bump github.com/docker/docker from 24.0.7+incompatible to 24.0.9+incompatible by @​dependabot in https://github.com/getsops/sops/pull/1466
• build(deps): Bump golang.org/x/net from 0.21.0 to 0.23.0 by @​dependabot in https://github.com/getsops/sops/pull/1489
• build(deps): Bump actions/setup-go from 5.0.0 to 5.0.1 in the ci group by @​dependabot in https://github.com/getsops/sops/pull/1503
• build(deps): Bump the ci group with 2 updates by @​dependabot in https://github.com/getsops/sops/pull/1508
• LoadCreationRuleForFile: correctly handle nil without error in callers by @​felixfontein in https://github.com/getsops/sops/pull/1506
• build(deps): Bump the ci group with 2 updates by @​dependabot in https://github.com/getsops/sops/pull/1510
• build(deps): Bump the ci group with 2 updates by @​dependabot in https://github.com/getsops/sops/pull/1516
• Fix CVE-2024-2660 by @​TheoBrigitte in https://github.com/getsops/sops/pull/1519
• build(deps): Bump the ci group with 2 updates by @​dependabot in https://github.com/getsops/sops/pull/1521
• fix(Makefile): set locale to make tests pass by @​jonasbadstuebner in https://github.com/getsops/sops/pull/1492
• build(deps): Bump the ci group with 2 updates by @​dependabot in https://github.com/getsops/sops/pull/1524
• Adjust Makefile to new goreleaser 6.0.0 release by @​felixfontein in https://github.com/getsops/sops/pull/1526
• build(deps): Bump the go group across 1 directory with 23 updates by @​dependabot in https://github.com/getsops/sops/pull/1525
• update documentation for age by @​tomaszduda23 in https://github.com/getsops/sops/pull/1399
• exec-file: if --filename is used, use the provided filename without random suffix by @​felixfontein in https://github.com/getsops/sops/pull/1474
• build(deps): Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2 to 1.6.0 by @​dependabot in https://github.com/getsops/sops/pull/1528
• Do not use DotEnv store for exec-env, but specialized environment serializing code by @​felixfontein in https://github.com/getsops/sops/pull/1436
• build(deps): Bump the ci group with 2 updates by @​dependabot in https://github.com/getsops/sops/pull/1534
• Decryption: do not fail if no matching creation_rule is present in config file by @​felixfontein in https://github.com/getsops/sops/pull/1434
• add filestatus command by @​endorama in https://github.com/getsops/sops/pull/545
• build(deps): Bump the go group across 1 directory with 16 updates by @​dependabot in https://github.com/getsops/sops/pull/1540
• build(deps): Bump the go group across 1 directory with 4 updates by @​dependabot in https://github.com/getsops/sops/pull/1543
• add command unset by @​duthils in https://github.com/getsops/sops/pull/1475
• Update sops.go comment by @​rjeczkow in https://github.com/getsops/sops/pull/1544
• Support using comments to select parts to encrypt by @​felixfontein in https://github.com/getsops/sops/pull/1392
• Feature: merge key for key groups and make keys unique by @​jonasbadstuebner in https://github.com/getsops/sops/pull/1493
• Update all go deps by @​felixfontein in https://github.com/getsops/sops/pull/1545
• Release 3.9.0 by @​felixfontein in https://github.com/getsops/sops/pull/1546

New Contributors

• @​Kouzukii made their first contribution in https://github.com/getsops/sops/pull/1049
• @​Ph0tonic made their first contribution in https://github.com/getsops/sops/pull/1339
• @​bkreitch made their first contribution in https://github.com/getsops/sops/pull/1346
• @​stormentt made their first contribution in https://github.com/getsops/sops/pull/1370
• @​e-nikolov made their first contribution in https://github.com/getsops/sops/pull/912
• @​sj14 made their first contribution in https://github.com/getsops/sops/pull/1274
• @​lancerushing made their first contribution in https://github.com/getsops/sops/pull/1356
• @​b-dean made their first contribution in https://github.com/getsops/sops/pull/1427
• @​duthils made their first contribution in https://github.com/getsops/sops/pull/1477
• @​pullmerge made their first contribution in https://github.com/getsops/sops/pull/1484
• @​TheoBrigitte made their first contribution in https://github.com/getsops/sops/pull/1519
• @​jonasbadstuebner made their first contribution in https://github.com/getsops/sops/pull/1492
• @​tomaszduda23 made their first contribution in https://github.com/getsops/sops/pull/1399
• @​endorama made their first contribution in https://github.com/getsops/sops/pull/545
• @​rjeczkow made their first contribution in https://github.com/getsops/sops/pull/1544

Full Changelog: https://github.com/getsops/sops/compare/v3.8.1...v3.9.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

---

• If you want to rebase/retry this MR, check this box

---

This MR has been generated by Renovate Bot. The local configuration can be found in the SI Renovate Bot repository.