mirror of
https://github.com/fluxcd/flux2.git
synced 2026-07-02 20:05:07 +00:00
Return error for public-only GPG signing keyring
`SelectOpenPGPSigningEntity` selects `keyRing[0]` when no key id is supplied and then calls `entity.PrivateKey.Decrypt` directly. For a keyring that contains only public keys — e.g. an armor-exported public key file — `PrivateKey` is `nil` and the call panics with a nil pointer dereference rather than surfacing an actionable error. The keyed branch already guards against this; the default branch did not.

Guard the default branch with the same nil check and return an error pointing at `gpg --export-secret-keys` or `--gpg-key-id` so the user knows how to recover.

Cover the public-only-keyring case in `TestSelectOpenPGPSigningEntity` so a future regression cannot re-introduce the panic.

Assisted-by: claude/opus-4.7
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This commit is contained in:
parent
4f45409697
commit
2ca3468423
2 changed files with 33 additions and 0 deletions
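The commit message points users at `gpg --export-secret-keys` when the keyring they handed over holds only public keys. The following is an added example, not code from flux2 or from the commit author, that makes the same distinction up front from the packet listing `gpg --list-packets` prints: a `gpg --export` file contains only "public key packet" entries, while a `gpg --export-secret-keys` file contains "secret key packet" entries, which is exactly what leaves `PrivateKey` nil in the keyring the commit describes. The function names `classify_packets` and `check_signing_keyring`, and the two sample listings (hand-written in the `--list-packets` format, not produced by gpg), are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of flux2: decide whether a GPG keyring export can sign
# before handing it to a signer. `gpg --list-packets` prints one ":<type> packet:"
# line per OpenPGP packet. A file from `gpg --export` has only
# ":public key packet:" / ":public sub key packet:" lines; one from
# `gpg --export-secret-keys` carries ":secret key packet:" / ":secret sub key packet:".
# Function names and the sample listings below are this example's own.

# classify_packets reads a `gpg --list-packets` listing on stdin and prints a
# verdict (secret | public-only | not-a-keyring) followed by the packet counts.
classify_packets() {
  awk '
    /^:secret key packet:/     { secret++ }
    /^:secret sub key packet:/ { ssub++ }
    /^:public key packet:/     { public++ }
    /^:public sub key packet:/ { psub++ }
    END {
      verdict = (secret + public == 0) ? "not-a-keyring" : (secret == 0) ? "public-only" : "secret"
      printf "%s public=%d secret=%d public-subkeys=%d secret-subkeys=%d\n", verdict, public, secret, psub, ssub
    }'
}

# check_signing_keyring runs the check on a file (armored or binary; gpg
# dearmors it itself) and reports the same remedy the flux2 fix gives.
# Returns 1 when the file cannot be used for signing.
check_signing_keyring() {
  verdict=$(gpg --list-packets "$1" 2>/dev/null | classify_packets)
  echo "$1: $verdict"
  case $verdict in
    secret*)
      return 0 ;;
    public-only*)
      echo "error: keyring does not contain a private key; export the secret key" \
           "with 'gpg --export-secret-keys' or specify --gpg-key-id" >&2
      return 1 ;;
    *)
      echo "error: $1 is not an OpenPGP keyring" >&2
      return 1 ;;
  esac
}

# Constructed listings in gpg --list-packets format (hand-written, not gpg
# output; the key id and timestamp are filler) so classify_packets can be
# exercised without gpg installed.
PUBLIC_ONLY_LISTING=':public key packet:
	version 4, algo 1, created 1700000000, expires 0
:user ID packet: "alice <alice@example.com>"
:signature packet: algo 1, keyid 0123456789ABCDEF
:public sub key packet:
	version 4, algo 1, created 1700000000, expires 0'

SECRET_LISTING=':secret key packet:
	version 4, algo 1, created 1700000000, expires 0
:user ID packet: "alice <alice@example.com>"
:signature packet: algo 1, keyid 0123456789ABCDEF
:secret sub key packet:
	version 4, algo 1, created 1700000000, expires 0'

# Usage: ./check-keyring.sh <exported-keyring-file>
if [ $# -gt 0 ]; then
  check_signing_keyring "$1"
fi
```

Run `./check-keyring.sh key.asc` on the file you intend to pass to flux; a `public-only` verdict is the condition that previously produced the nil pointer panic, and the remedy printed is the one the fixed code now returns. The listing parser is kept separate from the gpg invocation so it can be tested on the constructed listings above without gpg present.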
@ -574,6 +574,10 @@ func SelectOpenPGPSigningEntity(keyRing openpgp.EntityList, passphrase, keyID st
}
} else {
entity = keyRing[0]
if entity.PrivateKey == nil {
return nil, fmt.Errorf("keyring does not contain a private key; " +
"export the secret key with 'gpg --export-secret-keys' or specify --gpg-key-id")
}
}
err := entity.PrivateKey.Decrypt([]byte(passphrase))
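Review bot: the new guard only inspects `keyRing[0]`, so a mixed keyring whose secret key sits at a later index is rejected even though a usable signing key is present; consider having the default branch pick the first entity with a non-nil `PrivateKey` and return this error only when none qualifies. Separately, `entity = keyRing[0]` still panics on an empty keyring unless a length check exists above this hunk (not visible here); if not, reject `len(keyRing) == 0` with an equally actionable error before indexing. Minor: the new `fmt.Errorf` has no format verbs and wraps nothing, so `errors.New` is the idiomatic choice.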