71cc398197
Provide a transit-style Vault/OpenBao secrets engine whose key material is OpenPGP, so services can sign/verify/encrypt/decrypt with GPG keys that never leave the barrier — and so tools like pass can encrypt to an exported public key while delegating decryption back to Vault. - Add versioned key management (keys/<name> CRUD+list, config, rotate, import) with private material seal-wrapped under key/ and per-key locking. - Add sign/verify (detached OpenPGP) and encrypt/decrypt paths; decrypt auto-detects armored vs raw-binary ciphertext (what pass/gpg write). - Add export/<public-key|private-key>/<name>; public always exportable, private only when the key is marked exportable. - Use ProtonMail go-crypto for OpenPGP; support rsa-2048/3072/4096 and ed25519. - Clone the sibling plugin's build/packaging/CI: dual-target RPMs (vault + openbao plugin dirs), Woodpecker PR/release pipelines, and a Vault+OpenBao e2e harness. Unit tests include real gpg and pass interop.
36 lines
827 B
YAML
36 lines
827 B
YAML
---
|
|
# nfpm config for the vault-plugin-secrets-gpg RPM. Rendered through
|
|
# envsubst (see scripts/build-rpm.sh) then fed to `nfpm pkg`. Built once per
|
|
# target server (Vault, OpenBao); PACKAGE_NAME and PACKAGE_PLUGIN_DIR vary.
|
|
|
|
name: ${PACKAGE_NAME}
|
|
version: ${PACKAGE_VERSION}
|
|
release: ${PACKAGE_RELEASE}
|
|
arch: ${PACKAGE_ARCH}
|
|
platform: ${PACKAGE_PLATFORM}
|
|
section: default
|
|
priority: extra
|
|
description: "${PACKAGE_DESCRIPTION}"
|
|
|
|
maintainer: ${PACKAGE_MAINTAINER}
|
|
homepage: ${PACKAGE_HOMEPAGE}
|
|
license: ${PACKAGE_LICENSE}
|
|
|
|
disable_globbing: false
|
|
|
|
replaces:
|
|
- ${PACKAGE_NAME}
|
|
provides:
|
|
- ${PACKAGE_NAME}
|
|
|
|
contents:
|
|
- src: dist/vault-plugin-secrets-gpg
|
|
dst: ${PACKAGE_PLUGIN_DIR}/vault-plugin-secrets-gpg
|
|
file_info:
|
|
mode: 0755
|
|
owner: root
|
|
group: root
|
|
|
|
scripts:
|
|
preinstall: ${PACKAGE_PREINSTALL}
|