v3.7.3 #1056
Upgrade all dependencies
Previous setup relied implicitly on the correct file to be there. Introduction of arm64 builds broke that implicit assumption.
Explicitly build linux amd64 binary
Remove duplicated stage from Dockerfile.alpine
…ipients

I encountered an issue when I tried to specify multiple age recipients in the .sops.yaml config file of my repository. I tried running `sops --age 'agePubKey1,agePubKey2' -e -i values.secret.yaml`, which produced an appropriate file with two entries in the `/sops/age/-` part of the encrypted yaml file.

However, I then continued to set multiple recipients in my .sops.yaml file to simplify handling:

```yaml
creation_rules:
  - encrypted_regex: '^(data|stringData|spec)$'
    age: 'agePubKey1,agePubKey2'
```

However, this resulted in encryption only being done for the first specified agePubKey, not the second or third one. After digging a bit through the code, I think this should fix it. I verified the fix locally on my machine and got it working. Also adding some unit tests and extending the repository examples so they can be decrypted using the age keys provided in `age/keys.txt`

Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>

In [this](#966 (comment)) comment it was proposed to make `masterKeyFromRecipient` private to avoid reintroducing this bug in the future. Since I agree with the idea, this change will make the method private and update all unit-tests to use the `MasterKeysFromRecipients` method instead. Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
Adding tests to verify we do not break the usage of a single AGE key Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
[Fix] sops multi recipient for age encryption
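A defender-side check for the failure described in the commit message above, as an added example that is not code from this pull request or from SOPS: it compares the comma-separated `age` value of a creation rule with the `recipient` entries under `sops`/`age` in an encrypted YAML file and reports keys the file was not encrypted to. The function names, the line-scan parsing and the sample document are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// splitRecipients splits the comma-separated `age` value of a creation rule.
func splitRecipients(value string) []string {
	return strings.FieldsFunc(value, func(c rune) bool { return c == ',' || c == ' ' })
}

// fileRecipients collects `recipient:` values found under the top-level
// `sops:` key of an encrypted YAML document, using a plain line scan.
func fileRecipients(doc string) map[string]bool {
	found, inSops := map[string]bool{}, false
	for _, line := range strings.Split(doc, "\n") {
		if line != "" && line[0] != ' ' && line[0] != '\t' {
			inSops = strings.TrimSpace(line) == "sops:" // a new top-level key starts
			continue
		}
		t := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(line), "-"))
		if inSops && strings.HasPrefix(t, "recipient:") {
			v := strings.TrimSpace(strings.TrimPrefix(t, "recipient:"))
			found[strings.Trim(v, `'"`)] = true
		}
	}
	return found
}

// missingRecipients lists configured recipients the file is not encrypted to.
func missingRecipients(configured, doc string) []string {
	have, missing := fileRecipients(doc), []string{}
	for _, r := range splitRecipients(configured) {
		if !have[r] {
			missing = append(missing, r)
		}
	}
	return missing
}

// Constructed sample: metadata holding only the first key, as the bug produced.
const sampleDoc = "data: ENC[placeholder]\nsops:\n    age:\n        - recipient: agePubKey1\n          enc: placeholder\n"

func main() {
	// Placeholder key names taken from the commit message above.
	fmt.Println(missingRecipients("agePubKey1,agePubKey2", sampleDoc))
}
```

A non-empty result means someone expected to be able to decrypt the file cannot, which is the condition to alert on in CI after re-encrypting with a fixed version.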
Allow empty maps for yaml (#907)
Build alpine container in CI (#870)
Use latest dockerd in CI to allow build alpine image (#870)
This allows for easier injection of your own (local) key service server implementation, in situations where e.g. you do not want to rely on environment variables or other runtime defaults. It is not of impact to end-users, but improves the experience of developers making use of SOPS as an SDK to e.g. provide decryption services to users. As they will now in many cases end up copying this bit of code to make this precise change. Signed-off-by: Hidde Beydals <hello@hidde.co>
Originally fixed by @SinisterMinister Fixes #741
Limit role session name length to 64 characters.
keyservice: accept KeyServiceServer in LocalClient
Version past CVE-2022-27191. Signed-off-by: Hidde Beydals <hello@hidde.co>
Latest API clients are (most) often greatest. Signed-off-by: Hidde Beydals <hello@hidde.co>
Signed-off-by: Hidde Beydals <hello@hidde.co>
Signed-off-by: Hidde Beydals <hello@hidde.co>
As `golang.org/x/crypto/openpgp` has been deprecated (see golang/go#44226 for details). Signed-off-by: Hidde Beydals <hello@hidde.co>
Solve CVE-2022-27191 and replace x/crypto/openpgp
Support for GCP Service Account as JSON or Path in Default Application Credentials
prep for v3.7.3
No description provided.