Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package kubeseal for openSUSE:Factory checked in at 2022-04-26 20:16:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kubeseal (Old) and /work/SRC/openSUSE:Factory/.kubeseal.new.1538 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kubeseal" Tue Apr 26 20:16:04 2022 rev:3 rq:972903 version:0.17.5 Changes: -------- --- /work/SRC/openSUSE:Factory/kubeseal/kubeseal.changes 2022-04-01 21:37:11.780779520 +0200 +++ /work/SRC/openSUSE:Factory/.kubeseal.new.1538/kubeseal.changes 2022-04-26 20:17:56.692773486 +0200 @@ -1,0 +2,20 @@ +Tue Apr 26 06:21:45 UTC 2022 - ka...@b1-systems.de + +- Update to version 0.17.5: + * Bump goreleaser to v1.7.0 + * Update v0.17.5 release notes (#824) + * Publish sealed-secret-controller in Dockerhub (#823) + * Enable goimports in golangci-lint (#816) + * Added a nosec comment to a deferred f.close call (#793) + * Format code with goimports (#815) + * Add a nosec directory to allow http.Dir("/") (#812) + * Include cosign public key (#814) + * Adding post-quantum analysis and recommendations (#801) + * Updated the distroless image verification to use a local key (#813) + * Add cosign verification for distroless image (#796) + * Crypto doc rewrite (#794) + * Chart: bump image version (#807) + * Update VIB pipeline (#809) + * Run CI with the last two Go releases (#805) + +------------------------------------------------------------------- Old: ---- sealed-secrets-0.17.4.tar.gz New: ---- sealed-secrets-0.17.5.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kubeseal.spec ++++++ --- /var/tmp/diff_new_pack.VIjgrd/_old 2022-04-26 20:17:57.420774367 +0200 +++ /var/tmp/diff_new_pack.VIjgrd/_new 2022-04-26 20:17:57.428774377 +0200 @@ -21,7 +21,7 @@ %define archive_name sealed-secrets Name: kubeseal -Version: 0.17.4 +Version: 0.17.5 Release: 0 Summary: CLI for encrypting secrets to SealedSecrets License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.VIjgrd/_old 2022-04-26 20:17:57.456774411 +0200 +++ /var/tmp/diff_new_pack.VIjgrd/_new 2022-04-26 20:17:57.460774416 +0200 
@@ -3,7 +3,7 @@ <param name="url">https://github.com/bitnami-labs/sealed-secrets</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.17.4</param> + <param name="revision">v0.17.5</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> @@ -16,7 +16,7 @@ <param name="compression">gz</param> </service> <service name="go_modules" mode="disabled"> - <param name="archive">sealed-secrets-0.17.4.tar.gz</param> + <param name="archive">sealed-secrets-0.17.5.tar.gz</param> </service> </services> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.VIjgrd/_old 2022-04-26 20:17:57.476774435 +0200 +++ /var/tmp/diff_new_pack.VIjgrd/_new 2022-04-26 20:17:57.480774440 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/bitnami-labs/sealed-secrets</param> - <param name="changesrevision">2a003fb95bf4265a5568d90882ac77e108a5e0c1</param></service></servicedata> + <param name="changesrevision">e3ec8c0bd83b708b524f74dbea30c94c3a6c59e2</param></service></servicedata> (No newline at EOF) ++++++ sealed-secrets-0.17.4.tar.gz -> sealed-secrets-0.17.5.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/.github/workflows/ci.yml new/sealed-secrets-0.17.5/.github/workflows/ci.yml --- old/sealed-secrets-0.17.4/.github/workflows/ci.yml 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/.github/workflows/ci.yml 2022-04-20 17:20:34.000000000 +0200 @@ -7,7 +7,7 @@ branches: [ main ] env: - CONTROLLER_IMAGE: quay.io/bitnami/sealed-secrets-controller:latest + CONTROLLER_IMAGE: docker.io/bitnami/sealed-secrets-controller:latest jobs: linter: @@ -15,7 +15,7 @@ runs-on: ubuntu-latest strategy: matrix: - go: ["1.17.8"] + go: ["1.17.8", "1.18.0"] os: [ubuntu-latest] golangci-lint: ["1.44.2"] steps: 
@@ -40,7 +40,7 @@ runs-on: ${{ matrix.os }} strategy: matrix: - go: ["1.17.8"] + go: ["1.17.8", "1.18.0"] os: [macos-latest, windows-latest, ubuntu-latest] steps: @@ -64,6 +64,18 @@ - name: Check out code uses: actions/checkout@v2 + - name: Install Cosign + uses: sigstore/cosign-installer@v2.1.0 + + - name: Distroless verify + run: | + cosign verify --key /dev/stdin "$(grep FROM Dockerfile | awk '{print $2}')" <<EOF + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZzVzkb8A+DbgDpaJId/bOmV8n7Q + OqxYbK0Iro6GzSmOzxkn+N2AKawLyXi84WSwJQBK//psATakCgAQKkNTAA== + -----END PUBLIC KEY----- + EOF + - name: Setup kubecfg run: | mkdir -p ~/bin diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/.github/workflows/cosign.pub new/sealed-secrets-0.17.5/.github/workflows/cosign.pub --- old/sealed-secrets-0.17.4/.github/workflows/cosign.pub 1970-01-01 01:00:00.000000000 +0100 +++ new/sealed-secrets-0.17.5/.github/workflows/cosign.pub 2022-04-20 17:20:34.000000000 +0200 @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEseWNtEaI73oDVgjfLzU4eQYHE11i +MzRSNs1TA+cTT/Lw70ckfCC/vHnOXKACF2dnhsZsNNj647p9mAiYNVl9ug== +-----END PUBLIC KEY----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/.github/workflows/release.yaml new/sealed-secrets-0.17.5/.github/workflows/release.yaml --- old/sealed-secrets-0.17.4/.github/workflows/release.yaml 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/.github/workflows/release.yaml 2022-04-20 17:20:34.000000000 +0200 @@ -10,7 +10,7 @@ build: runs-on: ubuntu-latest env: - image_name: quay.io/bitnami/sealed-secrets-controller + image_name: docker.io/bitnami/sealed-secrets-controller steps: # Checkout and set env - name: Checkout 
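Review bot: The public key pasted into the new `Distroless verify` step is undocumented — nothing says whose key it is or that it intentionally differs from the project's own `.github/workflows/cosign.pub` added in this same change, so a later maintainer could easily "correct" one to match the other. Add a comment above the step such as `# Verifies the distroless base image against the distroless project's published cosign key (not this project's release key in cosign.pub).` The image reference comes from `grep FROM Dockerfile | awk '{print $2}'`; if the Dockerfile pins by tag rather than digest, the check only proves the tag was signed at verification time and the later build may still pull a different image, and a multi-stage Dockerfile would hand every `FROM` argument to cosign — the Dockerfile is not in the diff, so this is worth confirming. Also `sigstore/cosign-installer@v2.1.0` (like `actions/checkout@v2` in the context) is pinned to a mutable tag; pinning to a commit SHA would make the verifier itself tamper-evident.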
@@ -49,18 +49,17 @@ uses: goreleaser/goreleaser-action@v2 if: success() && startsWith(github.ref, 'refs/tags/') with: - version: latest + version: v1.7.0 args: release --rm-dist env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Build & Publish multi-arch image - - name: Login to Quay + - name: Login to Docker Hub uses: docker/login-action@v1 with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_ROBOT_TOKEN }} + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Build and push id: docker_build uses: docker/build-push-action@v2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/.goreleaser.yml new/sealed-secrets-0.17.5/.goreleaser.yml --- old/sealed-secrets-0.17.4/.goreleaser.yml 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/.goreleaser.yml 2022-04-20 17:20:34.000000000 +0200 @@ -55,3 +55,4 @@ extra_files: - glob: ./controller.yaml - glob: ./controller-norbac.yaml + - glob: ./.github/workflows/cosign.pub diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/.vib/vib-pipeline.json new/sealed-secrets-0.17.5/.vib/vib-pipeline.json --- old/sealed-secrets-0.17.4/.vib/vib-pipeline.json 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/.vib/vib-pipeline.json 2022-04-20 17:20:34.000000000 +0200 @@ -12,10 +12,7 @@ "action_id": "helm-package" }, { - "action_id": "linter-packaging", - "params": { - "kind": "HELM" - } + "action_id": "helm-lint" } ] }, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/Makefile new/sealed-secrets-0.17.5/Makefile --- old/sealed-secrets-0.17.4/Makefile 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/Makefile 2022-04-20 17:20:34.000000000 +0200 
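Review bot: The new `Login to Docker Hub` step authenticates with `secrets.DOCKERHUB_PASSWORD`, and that name suggests an account password rather than a scoped access token; if so, a leak of this CI secret yields full control of the publishing account instead of push rights to one repository. Prefer a Docker Hub access token limited to write access on `bitnami/sealed-secrets-controller` and name the secret accordingly, e.g. `password: ${{ secrets.DOCKERHUB_TOKEN }}`. The `version: v1.7.0` pin for goreleaser is welcome, but `docker/login-action@v1` and `goreleaser/goreleaser-action@v2` stay on mutable major tags; a commit SHA pin is stronger for a release job that holds registry credentials. Which kind of credential is actually stored cannot be told from the diff.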
@@ -10,7 +10,7 @@ DOCKER = docker GINKGO = ginkgo -p -CONTROLLER_IMAGE = quay.io/bitnami/sealed-secrets-controller:latest +CONTROLLER_IMAGE = docker.io/bitnami/sealed-secrets-controller:latest INSECURE_REGISTRY = false # useful for local registry IMAGE_PULL_POLICY = Always KUBECONFIG ?= $(HOME)/.kube/config @@ -112,7 +112,7 @@ $(GOFMT) -s -w $(GO_FILES) lint: - $(GOLANGCILINT) run --timeout=5m + $(GOLANGCILINT) run --enable goimports --timeout=5m lint-gosec: $(GOSEC) -r --severity medium diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/RELEASE-NOTES.md new/sealed-secrets-0.17.5/RELEASE-NOTES.md --- old/sealed-secrets-0.17.4/RELEASE-NOTES.md 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/RELEASE-NOTES.md 2022-04-20 17:20:34.000000000 +0200 @@ -4,6 +4,13 @@ [](https://github.com/bitnami-labs/sealed-secrets/releases/latest) +## v0.17.5 + +### Changelog + +- Switch to dockerhub([#823](https://github.com/bitnami-labs/sealed-secrets/pull/823)) +- Sign the release using cosign ([#814](https://github.com/bitnami-labs/sealed-secrets/pull/814)) + ## v0.17.4 ### Changelog diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/cmd/controller/server_test.go new/sealed-secrets-0.17.5/cmd/controller/server_test.go --- old/sealed-secrets-0.17.4/cmd/controller/server_test.go 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/cmd/controller/server_test.go 2022-04-20 17:20:34.000000000 +0200 
@@ -31,11 +31,11 @@ c.cert = cert } -func shutdownServer(server *http.Server, t *testing.T) (){ - err := server.Shutdown(context.Background()) - if err != nil { - t.Fatal(err) - } +func shutdownServer(server *http.Server, t *testing.T) { + err := server.Shutdown(context.Background()) + if err != nil { + t.Fatal(err) + } } func TestHttpCert(t *testing.T) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/cmd/controller/signal_notwin.go new/sealed-secrets-0.17.5/cmd/controller/signal_notwin.go --- old/sealed-secrets-0.17.4/cmd/controller/signal_notwin.go 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/cmd/controller/signal_notwin.go 2022-04-20 17:20:34.000000000 +0200 @@ -1,3 +1,4 @@ +//go:build !windows // +build !windows package main diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/cmd/kubeseal/main.go new/sealed-secrets-0.17.5/cmd/kubeseal/main.go --- old/sealed-secrets-0.17.4/cmd/kubeseal/main.go 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/cmd/kubeseal/main.go 2022-04-20 17:20:34.000000000 +0200 @@ -204,6 +204,7 @@ // and escape the filename properly. t := &http.Transport{} + // #nosec: G111 -- we want to allow all files to be opened t.RegisterProtocol("file", http.NewFileTransport(http.Dir("/"))) c := &http.Client{Transport: t} @@ -625,6 +626,7 @@ if err != nil { return nil } + // #nosec: G307 -- this deferred close is fine because it is not on a writable file defer f.Close() input = f diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/contrib/prometheus-mixin/README.md new/sealed-secrets-0.17.5/contrib/prometheus-mixin/README.md --- old/sealed-secrets-0.17.4/contrib/prometheus-mixin/README.md 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/contrib/prometheus-mixin/README.md 2022-04-20 17:20:34.000000000 +0200 
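Review bot: The `#nosec: G111` comment added above `http.Dir("/")` in cmd/kubeseal/main.go records only that all files should be openable, not why that is acceptable, which is what the next reader of a suppressed directory-traversal finding needs; the enclosing function starts and ends outside the hunk. Suggest `// #nosec: G111 -- kubeseal is a CLI running as its own user; the file transport only serves paths that user supplies (e.g. --cert file:///...), so there is no untrusted caller to traverse against`. The `G307` comment in the second hunk gives the right kind of rationale, so the two annotations would then read consistently. Confirm that the `#nosec: G111` spelling with a colon is what the project's gosec version parses, otherwise `make lint-gosec` will keep reporting the finding.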
@@ -65,7 +65,7 @@ Compile jsonnet to yaml: ``` $ make controller-podmonitor.yaml -kubecfg show -V CONTROLLER_IMAGE=quay.io/bitnami/sealed-secrets-controller:latest -V IMAGE_PULL_POLICY=Always -o yaml controller-podmonitor.jsonnet > controller-podmonitor.yaml.tmp +kubecfg show -V CONTROLLER_IMAGE=docker.io/bitnami/sealed-secrets-controller:latest -V IMAGE_PULL_POLICY=Always -o yaml controller-podmonitor.jsonnet > controller-podmonitor.yaml.tmp mv controller-podmonitor.yaml.tmp controller-podmonitor.yaml ``` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/docs/developer/crypto.md new/sealed-secrets-0.17.5/docs/developer/crypto.md --- old/sealed-secrets-0.17.4/docs/developer/crypto.md 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/docs/developer/crypto.md 2022-04-20 17:20:34.000000000 +0200 
@@ -1,9 +1,188 @@ -# Crypto details +# Cryptographic documentation -The controller looks for a cluster-wide private/public key pair on startup, and generates a new 4096 bit (by default) RSA key pair if not found. The key is persisted in a regular Secret in the same namespace as the controller. The public key portion of this (in the form of a self-signed certificate) should be made publicly available to anyone wanting to use SealedSecrets with this cluster. The certificate is printed to the controller log at startup, and available via an HTTP GET to /v1/cert.pem on the controller. +## Protocols and cryptographic tools used -During encryption, each value in the original Secret is symmetrically encrypted using AES-GCM (AES-256) with a randomly-generated single-use 32 byte session key. The session key is then asymmetrically encrypted with the controller's public key using RSA-OAEP (using SHA256), and the original Secret's namespace/name as the OAEP input parameter (aka label). The final output is: 2 byte encrypted session key length || encrypted session key || encrypted Secret. +Sealed-secrets uses the following protocols for the secret management: -Note that during decryption by the controller, the SealedSecret's namespace/name is used as the OAEP input parameter, ensuring that the SealedSecret and Secret are tied to the same namespace and name. +- **AES-256-GCM** with a randomly generated single-use 32 bytes session key. Since the key is single-use, we do not use any nonce. The key is used to encrypt the secret, ensuring its confidentiality and integrity. +- **RSA-OAEP**, with **SHA-256**. It is used to assure the confidentiality of the AES-256-GCM session key, following the *key encapsulation mechanism*. +- **X509** certificates are used to manage RSA public keys. This public key contained in the certificate can be used to encrypt AES-256-GCM session key. 
+ +Certificates generated by the sealed secrets controller are renewed every 30 days and have a 10 years validity span. + +## Entropy considerations + +The golang API used for the entropy is `crypto/rand`. The following description can be found about the entropy generator used regarding the host system: + +``` +// On Linux, FreeBSD, Dragonfly and Solaris, Reader uses getrandom(2) if +// available, /dev/urandom otherwise. +// On OpenBSD and macOS, Reader uses getentropy(2). +// On other Unix-like systems, Reader reads from /dev/urandom. +// On Windows systems, Reader uses the RtlGenRandom API. +// On Wasm, Reader uses the Web Crypto API. +``` + +Those cryptographic APIs are known to provide a good cryptographic entropy, and are not vulnerable to cryptographic attacks unless the seed is known. + +For further information about those APIs: + +- [Linux/FreeBSD/Dragonfly/Solaris](https://linux.die.net/man/4/urandom) +- [OpenBSD/macOS](https://www.freebsd.org/cgi/man.cgi?query=getentropy&sektion=3&format=html) +- [Windows](https://download.microsoft.com/download/1/c/9/1c9813b8-089c-4fef-b2ad-ad80e79403ba/Whitepaper%20-%20The%20Windows%2010%20random%20number%20generation%20infrastructure.pdf) +- [WASM](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues) + +## Functioning + +### Public/private key pair management + +The controller looks for a cluster-wide private/public key pair on startup. If no key pair is found and none is provided manually, the controller generates a new 4096 bit (by default) RSA key pair. In both cases, the key pair is persisted in a regular Secret in the same namespace as the controller. + +The public key (in the form of a self-signed certificate if it was generated by the controller) should be made publicly available to anyone wanting to use SealedSecrets with this cluster. 
+ +Note that it is possible to use your own X509 certificate with the command bellow: + +``` +kubeseal --cert [https:/]/path/to/your-cert.pem +``` + +The certificate is printed to the controller log at startup and is also available via an HTTP GET request to `/v1/cert.pem` on the controller. + +### Secret encryption + +The secret is encrypted by AES-256-GCM with a randomly-generated single-use 32 byte session key. + +The result of this operation will be called `AES encrypted data` in the next diagram, and the present step is the `1.`. + +### Session key encryption + +The session key used by AES-256-GCM to encrypt the Secret is encapsulated with the controller's public key using RSA-OAEP with SHA256. + +The OAEP input content, called `label` in the next diagram, differs depending on the sealed secret controller scope configuration. This algorithm is only used to encrypt the AES session key. + +- Default scope configuration : `label` is equal to the concatenation of the Secret's namespace and the Secret's name. +- Namespace-wide scope configuration : `label` is equal to the Secret's namespace. +- Cluster-wide scope configuration : `label` is empty. + +The result of the RSA-OAEP encryption is called `RSA encrypted data` in the next diagram, and the present step is the `2.`. + +### Sealed Secret storage + +The final Sealed Secret data format is the following (where `||` is the concatenation operator): `size of AES encrypted key (2 bytes) || RSA encrypted data || AES encrypted data` + +### Diagram to summarize + +``` + Secret + | + ??? + K_s?????????????????????????????????????????? + ??? ??? + K_pub??????????????????????????? ??? + ??? ??? 1. + label??????????????????????????? 2. ??? + ??? ??? + ????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? +Sealed Secret data = ???size of AES encrypted ??? RSA encrypted ??? AES encrypted??? + ???key (2 bytes) ??? 
data ??? data ??? + ????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? + +K_s = 256 bits single-use session key, used by AES-GCM +K_pub = Public key from the self-signed certificate, used by RSA-OAEP +label = Additional input for RSA-OAEP encryption. + Content differs depending on the scope configuration: + * Default config : label = Secret's namespace || Secret's name + * Namespace-wide : label = Secret's namespace + * Cluster-wide : label is empty +``` + +### Decryption process + +The decryption is simply the inversion of the encryption. + +`Size of AES encrypted key` is read and used to separate `RSA encrypted data` and `AES encrypted data` properly. + +Then the private key associated with the public key (see Session key encryption) is used with the `label` to decrypt the `RSA encrypted data`, effectively retrieving the AES session key. + +To end this process, the `AES encrypted data` is decrypted using the AES session key, therefore unsealing the original Secret. + +# Post-quantum cryptography considerations + +## Entropy source + +### Analysis + +Even if QRNG (Quantum Random Number Generator) are considered better than PRNG (Pseudo Random Number Generator) in a quantum cryptography context as well as in a non-quantum context, QRNG relies on a quantum mechanical phenomenon. It requires a physical device, therefore QRNG usage is out of Sealed Secrets scope, which will stay on the `crypto/rand` usage. + +### Associated documentation + +[Combining a quantum random number generator and quantum-resistant algorithms into the GnuGPG open-source software](https://doi.org/10.1515/aot-2020-0021) + +## AES-256-GCM + +### Analysis + +AES-256-GCM is quantum resistant. +Grover algorithm can reduce the bruteforce of the key from 2???????? to 2??????? which is still considered very secure. 
+Nevertheless, since AES uses unchangeable 128 bits blocks, Grover algorithm can in some cases decrease the complexity of the bruteforce to 2??????. + +### Recommendations + +AES-256-GCM quantum security is not a concern. +Cases with a bruteforce complexity of 2?????? are unlikely for Sealed Secret considering how AES is used in the project. +Even assuming that 2?????? bruteforce is likely, it can still be considered secure today (but not in the long run). +A recommendation is to look for a AES replacement that provide 128 bits post-quantum cryptographic security in any cases, such as ChaCha20-Poly1305. Applying this recommendation is considered low priority. + +### Associated documentation + +[Quantum Security Analysis of AES](https://eprint.iacr.org/2019/272.pdf) + +[Critics on AES-256-GCM](https://soatok.blog/2020/05/13/why-aes-gcm-sucks/) + +[Security Analysis of ChaCha20-Poly1305 AEAD](https://www.cryptrec.go.jp/exreport/cryptrec-ex-2601-2016.pdf) + + +## SHA-256 + +### Analysis + +SHA-256 is quantum resistant. +Grover Algorithm can reduce the bruteforce from 2???????? to 2??????? which is considered very secure. +It is computationally cheaper to use a non-quantum algorithm to generate a collision than to employ a quantum computer. + +### Recommendations + +No recommendations about SHA-256. + +### Associated documentation +[Cost analysis of hash collisions: Will quantum computers make SHARCS obsolete?](https://cr.yp.to/hash/collisioncost-20090823.pdf) + +## RSA-OAEP + +### Analysis + +RSA-OAEP, as any RSA algorithm, **is not quantum resistant**. +Shor algorithm can be used to solve in a reasonable time 3 mathematical problems on which RSA cryptography is based on: integer factorization problem, the discrete logarithm problem and the elliptic-curve discrete logarithm problem. Therefore, RSA-OAEP is easily breakable for an attacker with quantum capability. + +### Recommendations + +Replace RSA. 
This recommendation must be the highest priority regarding the post-quantum security of Sealed Secrets. +There are three serious candidates to use instead of RSA: LMS and XMSS, which are Lattice-based, and McEliece with random Goppa codes, which is code-based and relies on SDP (Syndrome Decoding Problem). +Those three algorithms are serious candidates for RSA replacement and the choice must be done carefully, without forgetting to study other algorithms such as NTRU. + +### Associated documentation + +[LMS](https://datatracker.ietf.org/doc/html/rfc8554) + +[XMSS](https://datatracker.ietf.org/doc/html/rfc8391) + +[Lattice-based cryptography](https://en.wikipedia.org/wiki/Lattice-based_cryptography) + +[McEliece](https://ipnpr.jpl.nasa.gov/progress_report2/42-44/44N.PDF) + +[Syndrome Decoding Problem](https://en.wikipedia.org/wiki/Decoding_methods#Syndrome_decoding) + +[NIST on post-quantum algorithms](https://csrc.nist.gov/Projects/post-quantum-cryptography/round-3-submissions) + +[Quantum-Resistant Cryptography](https://arxiv.org/ftp/arxiv/papers/2112/2112.00399.pdf) -When using the namespace-wide scope, the OAEP input (aka label) only contains the namespace and in cluster-wide scope the label is an empty string. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/helm/sealed-secrets/Chart.yaml new/sealed-secrets-0.17.5/helm/sealed-secrets/Chart.yaml --- old/sealed-secrets-0.17.4/helm/sealed-secrets/Chart.yaml 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/helm/sealed-secrets/Chart.yaml 2022-04-20 17:20:34.000000000 +0200 @@ -1,7 +1,7 @@ annotations: category: DeveloperTools apiVersion: v2 -appVersion: v0.17.3 +appVersion: v0.17.4 description: Helm chart for the sealed-secrets controller. home: https://github.com/bitnami-labs/sealed-secrets icon: https://bitnami.com/assets/stacks/sealed-secrets/img/sealed-secrets-stack-220x234.png 
@@ -16,4 +16,4 @@ email: mmikuli...@gmail.com name: sealed-secrets type: application -version: 2.1.4 +version: 2.1.5 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/helm/sealed-secrets/README.md new/sealed-secrets-0.17.5/helm/sealed-secrets/README.md --- old/sealed-secrets-0.17.4/helm/sealed-secrets/README.md 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/helm/sealed-secrets/README.md 2022-04-20 17:20:34.000000000 +0200 @@ -85,7 +85,7 @@ | ------------------------------------------------- | ------------------------------------------------------------------------------------ | ----------------------------------- | | `image.registry` | Sealed Secrets image registry | `quay.io` | | `image.repository` | Sealed Secrets image repository | `bitnami/sealed-secrets-controller` | -| `image.tag` | Sealed Secrets image tag (immutable tags are recommended) | `v0.17.3` | +| `image.tag` | Sealed Secrets image tag (immutable tags are recommended) | `v0.17.4` | | `image.pullPolicy` | Sealed Secrets image pull policy | `IfNotPresent` | | `image.pullSecrets` | Sealed Secrets image pull secrets | `[]` | | `createController` | Specifies whether the Sealed Secrets controller should be created | `true` | diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/helm/sealed-secrets/values.yaml new/sealed-secrets-0.17.5/helm/sealed-secrets/values.yaml --- old/sealed-secrets-0.17.4/helm/sealed-secrets/values.yaml 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/helm/sealed-secrets/values.yaml 2022-04-20 17:20:34.000000000 +0200 
@@ -29,7 +29,7 @@ image: registry: quay.io repository: bitnami/sealed-secrets-controller - tag: v0.17.3 + tag: v0.17.4 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/integration/controller_test.go new/sealed-secrets-0.17.5/integration/controller_test.go --- old/sealed-secrets-0.17.4/integration/controller_test.go 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/integration/controller_test.go 2022-04-20 17:20:34.000000000 +0200 @@ -1,3 +1,4 @@ +//go:build integration // +build integration package integration diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/integration/integration_suite_test.go new/sealed-secrets-0.17.5/integration/integration_suite_test.go --- old/sealed-secrets-0.17.4/integration/integration_suite_test.go 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/integration/integration_suite_test.go 2022-04-20 17:20:34.000000000 +0200 @@ -1,3 +1,4 @@ +//go:build integration // +build integration package integration diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/integration/kubeseal_test.go new/sealed-secrets-0.17.5/integration/kubeseal_test.go --- old/sealed-secrets-0.17.4/integration/kubeseal_test.go 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/integration/kubeseal_test.go 2022-04-20 17:20:34.000000000 +0200 
@@ -1,3 +1,4 @@ +//go:build integration // +build integration package integration diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/pkg/apis/sealed-secrets/v1alpha1/register.go new/sealed-secrets-0.17.5/pkg/apis/sealed-secrets/v1alpha1/register.go --- old/sealed-secrets-0.17.4/pkg/apis/sealed-secrets/v1alpha1/register.go 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/pkg/apis/sealed-secrets/v1alpha1/register.go 2022-04-20 17:20:34.000000000 +0200 @@ -4,8 +4,8 @@ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/client-go/kubernetes/scheme" utilruntime "k8s.io/apimachinery/pkg/util/runtime" + "k8s.io/client-go/kubernetes/scheme" ) // GroupName is the group name used in this package diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/pkg/apis/sealed-secrets/v1alpha1/sealedsecret_test.go new/sealed-secrets-0.17.5/pkg/apis/sealed-secrets/v1alpha1/sealedsecret_test.go --- old/sealed-secrets-0.17.4/pkg/apis/sealed-secrets/v1alpha1/sealedsecret_test.go 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/pkg/apis/sealed-secrets/v1alpha1/sealedsecret_test.go 2022-04-20 17:20:34.000000000 +0200 
@@ -10,12 +10,12 @@ "strings" "testing" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" "github.com/bitnami-labs/sealed-secrets/pkg/crypto" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/serializer" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/client-go/kubernetes/scheme" // Install standard API types diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/pkg/apis/sealed-secrets/v1alpha1/zz_generated.deepcopy.go new/sealed-secrets-0.17.5/pkg/apis/sealed-secrets/v1alpha1/zz_generated.deepcopy.go --- old/sealed-secrets-0.17.4/pkg/apis/sealed-secrets/v1alpha1/zz_generated.deepcopy.go 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/pkg/apis/sealed-secrets/v1alpha1/zz_generated.deepcopy.go 2022-04-20 17:20:34.000000000 +0200 @@ -1,3 +1,4 @@ +//go:build !ignore_autogenerated // +build !ignore_autogenerated // Code generated by deepcopy-gen. DO NOT EDIT. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/pkg/client/clientset/versioned/typed/sealed-secrets/v1alpha1/sealedsecret.go new/sealed-secrets-0.17.5/pkg/client/clientset/versioned/typed/sealed-secrets/v1alpha1/sealedsecret.go --- old/sealed-secrets-0.17.4/pkg/client/clientset/versioned/typed/sealed-secrets/v1alpha1/sealedsecret.go 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/pkg/client/clientset/versioned/typed/sealed-secrets/v1alpha1/sealedsecret.go 2022-04-20 17:20:34.000000000 +0200 
@@ -3,8 +3,8 @@ package v1alpha1 import ( - "time" "context" + "time" v1alpha1 "github.com/bitnami-labs/sealed-secrets/pkg/apis/sealed-secrets/v1alpha1" scheme "github.com/bitnami-labs/sealed-secrets/pkg/client/clientset/versioned/scheme" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/pkg/multidocyaml/multidocyaml.go new/sealed-secrets-0.17.5/pkg/multidocyaml/multidocyaml.go --- old/sealed-secrets-0.17.4/pkg/multidocyaml/multidocyaml.go 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/pkg/multidocyaml/multidocyaml.go 2022-04-20 17:20:34.000000000 +0200 @@ -20,4 +20,4 @@ return fmt.Errorf("Multistream YAML not supported yet (see https://github.com/bitnami-labs/sealed-secrets/issues/114)") } return nil -} \ No newline at end of file +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/pkg/multidocyaml/multidocyaml_test.go new/sealed-secrets-0.17.5/pkg/multidocyaml/multidocyaml_test.go --- old/sealed-secrets-0.17.4/pkg/multidocyaml/multidocyaml_test.go 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/pkg/multidocyaml/multidocyaml_test.go 2022-04-20 17:20:34.000000000 +0200 @@ -20,4 +20,4 @@ t.Errorf("got: %v, want: %v (src: %q)", got, want, tc.src) } } -} \ No newline at end of file +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sealed-secrets-0.17.4/tools.go new/sealed-secrets-0.17.5/tools.go --- old/sealed-secrets-0.17.4/tools.go 2022-03-31 15:37:29.000000000 +0200 +++ new/sealed-secrets-0.17.5/tools.go 2022-04-20 17:20:34.000000000 +0200 
@@ -2,6 +2,7 @@ // code generation tools. // The build tag below ensures this dep is not pulled during normal builds. +//go:build tools // +build tools package sealedsecrets ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/kubeseal/vendor.tar.gz /work/SRC/openSUSE:Factory/.kubeseal.new.1538/vendor.tar.gz differ: char 5, line 1