Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

age-plugin-tpm: 0.2.0 -> 0.3.0 #382630

Merged
merged 2 commits into from
Feb 18, 2025
Merged

age-plugin-tpm: 0.2.0 -> 0.3.0 #382630

merged 2 commits into from
Feb 18, 2025

Conversation

josh
Copy link
Contributor

@josh josh commented Feb 16, 2025
edited
Loading

Upgrades age-plugin-tpm to 0.3.0.

What's really neat about this new version is it adds support for encrypting secrets on machines without a TPM—or even non-Linux. So you can encrypt secrets locally on a MacBook Pro and decrypt them only on your Linux server with that TPM. So I relaxed the Linux only platform requirement.

Other side note, it appears the test suite needs an age binary in the PATH, so I added that as a nativeCheckInputs dependency.

If maintainers think it would be useful, should I add a trivial passthru.test.encrypt?

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@josh josh mentioned this pull request Feb 16, 2025
Closed
@nix-owners nix-owners bot requested review from Kranzes and stigtsp February 16, 2025 18:08
@stigtsp
Copy link
Member

stigtsp commented Feb 17, 2025

Cc @Foxboron

@Foxboron
Copy link

@stigtsp LGTM :)

@josh josh force-pushed the age-plugin-tpm-0.3.0 branch from 5fee367 to 8d00765 Compare February 17, 2025 17:27
@stigtsp
Copy link
Member

stigtsp commented Feb 17, 2025

If maintainers think it would be useful, should I add a trivial passthru.test.encrypt?

Some NixOS tests could be nice, we also have virtual TPM support for them if you'd like to test decrypt as well.

@josh
Copy link
Contributor Author

josh commented Feb 17, 2025

Some NixOS tests could be nice, we also have virtual TPM support for them if you'd like to test decrypt as well.

Oh nice. I'll give that a shot.

@josh josh force-pushed the age-plugin-tpm-0.3.0 branch from 8d00765 to 6e9723c Compare February 17, 2025 19:08
@github-actions github-actions bot added the 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS label Feb 17, 2025
@josh
Copy link
Contributor Author

josh commented Feb 17, 2025

First time writing a nixpkgs nixosTest, this stuff is pretty cool.

Alright, so now we've got two smoke tests.

  1. Platform native encrypt test, should run anywhere regardless of tpm
  2. nixos vm test with virtualisation.tpm.enable, actually tests the full decryption path

@josh josh force-pushed the age-plugin-tpm-0.3.0 branch 2 times, most recently from 3b9258d to 7e59a88 Compare February 17, 2025 19:15
Kranzes
Kranzes reviewed Feb 18, 2025
View reviewed changes
@josh josh force-pushed the age-plugin-tpm-0.3.0 branch from 7e59a88 to 8cf3dca Compare February 18, 2025 17:57
@github-actions github-actions bot added the 8.has: maintainer-list (update) This PR changes `maintainers/maintainer-list.nix` label Feb 18, 2025
@josh josh force-pushed the age-plugin-tpm-0.3.0 branch from 8cf3dca to 2661ba9 Compare February 18, 2025 18:03
@josh
Copy link
Contributor Author

josh commented Feb 18, 2025

Pushed changes applying feedback. Thanks all!

@josh josh force-pushed the age-plugin-tpm-0.3.0 branch from 2661ba9 to 69ca233 Compare February 18, 2025 18:17
@josh josh force-pushed the age-plugin-tpm-0.3.0 branch from 69ca233 to b9ae163 Compare February 18, 2025 18:18
@SuperSandro2000 SuperSandro2000 merged commit 1e029d3 into NixOS:master Feb 18, 2025
28 of 31 checks passed
@josh josh deleted the age-plugin-tpm-0.3.0 branch February 18, 2025 20:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Foxboron Foxboron Foxboron left review comments

@SuperSandro2000 SuperSandro2000 SuperSandro2000 left review comments

@Kranzes Kranzes Kranzes left review comments

@stigtsp stigtsp Awaiting requested review from stigtsp

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: maintainer-list (update) This PR changes `maintainers/maintainer-list.nix` 10.rebuild-darwin: 1-10 10.rebuild-darwin: 1 10.rebuild-linux: 1-10 10.rebuild-linux: 1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@josh @stigtsp @Foxboron @SuperSandro2000 @Kranzes