Update SOPS to v3.9.0

[aivanov-citc]

Please, update sops to v3.9.0

We're really looking forward to this feature:

• Add --mac-only-encrypted to compute MAC only over values which end up encrypted

[julienkosinski]

Hi @stefanprodan. This new version fix lots of CVEs. In my opinion, this should be a priority...
getsops/sops#1453 (comment)

[stefanprodan]

@aivanov-citc did you tried the latest SOPS CLI and it didn't work with Flux?

@julienkosinski what makes you think we use the SOPS binary?

[aivanov-citc]

@stefanprodan yes of course I tried. When encoding a file, sops adds a parameter to the file, I think it is based on this parameter and it is understood that the file is encrypted with this option

sops:
    ...
    mac: ENC[...]
    pgp:
    mac_only_encrypted: true
    version: 3.9.0

when decoding with version 3.8.1 (flux) encoded with version 3.9.0, an error occurs

MAC mismatch.

[stefanprodan]

So MAC mismatch is an error returned by kustomize-controller?

[aivanov-citc]

@stefanprodan hmm... very strange, but it works in kustomize-controller.
The question with "mac_only_encrypted" is closed

[stefanprodan]

It's not strange, we had support for partially encrypted files since years ago.

[julienkosinski]

@stefanprodan I know it's used as a dependency. I admit I have not checked if CVEs still applies, and in what cases and extents, in this very case. Thank you for making me aware of the difference, and sorry for tagging you if it wasn't necessary... :)