Posted at: 2022-07-04 15:28:20 | RSS feed digest for 2022-07-04 15:00 (31 items)

Category | Site | Article title / trend word | Link URL | Frequent words, summary / search volume | Registered
IT | ITmedia article list (all) | [ITmedia PC USER] Canon ITS launches "EDI-Master Cloud", a next-generation EDI service that also enables flexible cloud integration | https://www.itmedia.co.jp/pcuser/articles/2207/04/news113.html | edimastercloud | 2022-07-04 14:29:00
IT | ITmedia article list (all) | [ITmedia Business Online] TBS-affiliated Tulip TV fraudulently applied for over ¥30 million in COVID subsidies; the station had drawn attention for investigative reporting that exposed political activity fund abuse | https://www.itmedia.co.jp/business/articles/2207/04/news103.html | Tulip TV (チューリップテレビ), a TBS-affiliated local station in Toyama Prefecture, announced that it had fraudulently applied for national COVID subsidies and will return about […] yen to the state. | 2022-07-04 14:26:00
IT | ITmedia article list (all) | [ITmedia Business Online] Camper van modelled on "Toy Story" goes on sale: what are its features? | https://www.itmedia.co.jp/business/articles/2207/04/news109.html | itmedia | 2022-07-04 14:25:00
IT | ITmedia article list (all) | [ITmedia Business Online] Places to visit on a Hawaii trip: 3rd Diamond Head, 2nd Waikiki Beach, and 1st is? | https://www.itmedia.co.jp/business/articles/2207/04/news110.html | itmedia | 2022-07-04 14:21:00
TECH | Techable | LIXIL trials a toilet solution for elderly care facilities: IoT and AI provide usage notifications and defecation records | https://techable.jp/archives/181620 | elderly care facilities | 2022-07-04 05:00:11
IT | IT Leaders (IT news site for information systems leaders) | Resona Bank streamlines invoice-based payment processing with AI-OCR: 「りそな支払ワンストップ」 (Resona Payment One-Stop) | IT Leaders | https://it.impress.co.jp/articles/-/23425 | Resona Bank and NTT DATA began offering the payment service 「りそな支払ワンストップ」 (Resona Payment One-Stop) on […]. | 2022-07-04 14:07:00
python | New posts tagged Python - Qiita | Codility Lesson4 MissingInteger | https://qiita.com/masato314/items/6859666b2b13581a5cb4 | iwhileiltlena | 2022-07-04 14:32:18
python | New posts tagged Python - Qiita | Reading and writing dicts that contain timedelta values with SQLAlchemy | https://qiita.com/YosukeKentuckyFriedChicken/items/dcfa89b5cbbe8cfe9fd5 | ormapper | 2022-07-04 14:01:38
js | New posts tagged JavaScript - Qiita | [javascript][jquery] How to use the clone() method | https://qiita.com/panda-chibi/items/5016ed76049bc7eefa27 | xtareagtlttextareagtltdiv | 2022-07-04 14:41:24
Git | New posts tagged Git - Qiita | SourceTree | revert | undoing a commit | https://qiita.com/daikicheese2/items/31531e9483c816c30934 | revert | 2022-07-04 14:53:39
Overseas TECH | DEV Community | This website is open source | https://dev.to/dailydevtips1/this-website-is-open-source-1826 | 2022-07-04 05:43:52

    This website is open source

    When I rewrote my website in Astro, I decided to make it an open source project. But let's dive into what this means and how you can contribute. First of all, being open source has several meanings. This website means people can use the source code, but only while maintaining the same license. This ensures it will stay a free project forever.

    Why would you open source it?
    My main reason behind making the website open source is that I'm only a one-person show. I try my best to deliver high-quality content every single day, but as I'm a mere human, I make mistakes on the way. By making the website open source, I want to give people the option to help me improve the content on each page, or fix bugs that you might have encountered. This way it becomes a product for the community, enhanced by the community. There are many great readers out there who often see little mistakes, and I would love for them to have a way to contribute.

    How can someone contribute?
    Let's first look at some examples of what they can contribute:
    - Typos and grammar mistakes on existing pages
    - Outdated packages or code samples
    - Perhaps missing images, or updating them
    - Provide translations (externally, upcoming)
    - Fix specific future ideas that are logged in issues
    - Create issues for problems you might have noticed
    Then the main question comes down to how they can contribute. And if you are very new to open source contributions, I suggest you read my article on contributing to open source. However, I tried to make it as simple as possible for people. I included an "edit on GitHub" button on every article page, so people can quickly navigate to the page on GitHub and make textual modifications to the article.

    Conclusion
    I hope that open sourcing this website will improve the content and help more people find solutions to their problems. And you can always contact me with general inquiries or issues. Thank you for reading, and let's connect. Thank you for reading my blog. Feel free to subscribe to my email newsletter and connect on Facebook or Twitter.
Overseas TECH | DEV Community | Over-engineering is the root of all evil | https://dev.to/polterguy/over-engineering-is-the-root-of-all-evil-262e | 2022-07-04 05:22:03

    Over-engineering is the root of all evil

    I've seen hundreds of software projects, and a significant chunk of these failed. All of the failed projects I have seen have one thing in common: Over-engineering. Typically, over-engineered projects become over-engineered because the developer starting out the project truly believes in the importance of some technology. He's fallen for the Kool-Aid sales argument. A slightly more malicious reason for over-engineering is "CV-based development". However, I suspect both of these reasons play a role in most over-engineered projects.

    Over-engineered projects are almost like a malicious disease having infected our industry at large, because whenever some software company needs more software developers, they'll ask for some resource having experience with every imaginable Kool-Aid tech stack that exists, because this is what they currently have, so they need to have people with this skillset to maintain their existing garbage. Software developers looking for jobs again will see these job postings and do their best to learn these tech stacks somehow, while compromising whatever product they are currently working at with their current employer. This results in a malicious circle of over-engineering, where the companies need people with skills leading to over-engineering in the industry at large.

    My philosophy here is as follows: "Everything that can be fixed with a hammer is a nail."

    At Aista we've turned simplicity into almost a declaration of faith. Every time we've got some problem, we ask ourselves: "What is the simplest possible solution that works for this particular problem?" As we answer that question, we always end up throwing the following tech stuff and architectural ideas out of our projects: MongoDB, CouchBase, DynamoDB, Scylla, Cassandra, CosmosDB, Logical Apps, MWF, Pulsar, Kafka, RabbitMQ, ActiveMQ, Solace, NServiceBus, OOP, OOD, OOA, OOx (substitute the x by any Latin alphabet character), Design Patterns, DDD, MVC, CQRS, Sagas, Event sinks, AI, Deep Learning, Machine Learning, etc., etc., etc.

    "If you can't implement it with a bunch of trained monkeys, it's probably over-engineered."

    The above of course is just a tiny example. For a complete list, create an aggregate result of some CVs submitted to your employer by "senior developers" over the last […] years, and realise that […] of everything on that list are things we wouldn't even consider using at Aista. Don't get me wrong here, all of the above technologies and ideas do have use cases where they are needed, but all of them are also abused to the extreme. If you don't believe me, read the comments on this article please. For crying out loud man, you do not need a sentient, self-aware CRM system to track your sales people in your organisation. However, there exist dozens of CRM systems priding themselves in having AI in their core. The laughing joke is that […] of a CRM system's purpose is to be a "better Excel". In fact, if you can get away with Excel or Numbers, you don't even need a CRM system at all. And definitely not an AI-based CRM system.

    "KISS improves your ability to deliver by orders of magnitude."

    KISS in the above sentence of course refers to "Keep It Stupid Simple". When you follow simplicity software development to its natural conclusion, you realise that all the buzzwords our industry has created over the last decades are simply that: Buzzwords. Our industry has turned into a superstitious church, where the declaration of faith has become as follows: "I believe in any latest and newest cutting-edge tech that complicates my app by orders of magnitudes." And of course, if you don't believe in the above, you are "not experienced" and you need to "work on your CV". Words such as presented in the above list serve the same purpose as the declaration of faith does in most other religions. Because yes, software development has turned into a religion, where disagreeing with the common consensus is almost like cursing in church. Well, I'm going all in on this one, and I will debunk every single garbage tech and buzzword one by one in this article series, in an attempt at trying to normalise the discussion.

    The upside with KISS
    As you simplify things, new axioms of software development emerge. For instance, creating our own product would have been literally impossible if we were to apply most of the buzzwords in the above list. Our product of course allows the machine to create most of the code in seconds. If you want to see what KISS can truly provide, feel free to register below and see KISS in action. Create a Magic cloudlet.
Overseas TECH | DEV Community | Use git-secret to encrypt secrets in the repository [Tutorial Part 6] | https://dev.to/pascallandau/use-git-secret-to-encrypt-secrets-in-the-repository-tutorial-part-6-53p5 | 2022-07-04 05:43:52 (registration time as listed in the feed)

    Use git-secret to encrypt secrets in the repository [Tutorial Part 6]
    How to use git-secret to encrypt secrets and store them in a git repository

    This article appeared first on […] at "Use git-secret to encrypt secrets in the repository [Tutorial Part 6]".

    In the sixth part of this tutorial series on developing PHP on Docker we will set up git-secret to store secrets directly in the repository. Everything will be handled through Docker and added as make targets for a convenient workflow.

    FYI: This tutorial is a precursor to the next part, "Create a CI pipeline for dockerized PHP Apps", because dealing with secrets is an important aspect when setting up a CI system (and later when deploying to production), but I feel it's complex enough to warrant its own article.

    All code samples are publicly available in my Docker PHP Tutorial repository on Github. You find the branch with the final result of this tutorial at part-6-git-secret-encrypt-repository-docker. All published parts of the Docker PHP Tutorial are collected under a dedicated page at Docker PHP Tutorial. The previous part was "Set up PHP QA tools and control them via make" and the following one is "Create a CI pipeline for dockerized PHP Apps". If you want to follow along, please subscribe to the RSS feed or via email to get automatic notifications when the next part comes out.

    Table of contents
    - Introduction
    - Tooling
      - gpg
        - gpg installation
        - gpg usage
          - Create GPG key pair
          - Export, list and import private GPG keys
          - Export, list and import public GPG keys
      - git-secret
        - git-secret installation
        - The git permission issue
        - git-secret usage
          - Initialize git-secret
          - Adding, listing and removing users
          - Adding, listing and removing files for encryption
          - Encrypt files
          - Decrypting files
          - Show changes between encrypted and decrypted files
    - Makefile adjustments
    - Workflow
      - Process challenges
        - Updating secrets
        - Code reviews and merge conflicts
        - Local git-secret and gpg setup
      - Scenarios
        - Initial setup of gpg keys
        - Initial setup of git-secret
        - Initialize gpg after container startup
        - Adding new team members
        - Adding and encrypting files
        - Decrypt files
        - Removing files
        - Removing team members
    - Pros and cons
      - Pro
      - Cons
    - Wrapping up

    Introduction
    Dealing with secrets (passwords, tokens, key files, etc.) is close to "naming things" when it comes to hard problems in software engineering. Some things to consider:
    - security is paramount, but high security often goes hand in hand with high inconvenience, and if things get too complicated, people look for shortcuts
    - in a team, sharing certain secret values is often mandatory, so now we need to think about secure ways to distribute and update secrets across multiple people
    - concrete secret values often depend on the environment: inherently tricky to test or even review, because those values are by definition different on your machine than on production

    In fact, entire products have been built around dealing with secrets, e.g. HashiCorp Vault, AWS Secrets Manager or the GCP Secret Manager. Introducing those in a project comes with a certain overhead, as it's yet another service that needs to be integrated and maintained. Maybe it is exactly the right decision for your use case, maybe it's overkill. By the end of this article you'll at least be aware of an alternative with a lower barrier to entry. See also the "Pros and cons" section in the end for an overview.

    Even though it's generally not advised to store secrets in a repository, I'll propose exactly that in this tutorial:
    - identify files that contain secret values
    - make sure they are added to .gitignore
    - encrypt them via git-secret
    - commit the encrypted files to the repository

    In the end we will be able to call `make secret-decrypt` to reveal secrets in the codebase, make modifications to them if necessary, and then run `make secret-encrypt` to encrypt them again so that they can be committed and pushed to the remote repository. To see it in action, check out branch part-6-git-secret-encrypt-repository-docker and run the following commands:

        # checkout the branch
        git checkout part-6-git-secret-encrypt-repository-docker
        # build and start the docker setup
        make make-init
        make docker-build
        make docker-up
        # create the secret key (the file "secret.gpg.example" would usually NOT live in the repo)
        cp secret.gpg.example secret.gpg
        # initialize gpg
        make gpg-init
        # ensure that the decrypted secret file does not exist
        ls passwords.txt
        # decrypt the secret file
        make secret-decrypt
        # show the content of the secret file
        cat passwords.txt

    Tooling
    We will set up gpg and git-secret in the php-base image so that the tools become available in all other containers. Please refer to "Docker from scratch for PHP Applications in […]" for an in-depth explanation of the docker images.

    Caution: All following commands are executed in the application container.
    Tip: See "Easy container access via din bashrc helper" for a convenient shortcut to log into docker containers.

    Please note that there is a caveat when using git-secret in a folder that is shared between the host system and a docker container. I'll explain that in more detail, including a workaround, in section "The git-secret directory and the gpg-agent socket".

    gpg
    gpg is short for "The GNU Privacy Guard" and is an open source implementation of the OpenPGP standard. In short, it allows us to create a personal key file pair (similar to SSH keys) with a private (secret) key and a public key that can be shared with other parties whose messages you want to decrypt.

    gpg installation
    To install it, we can simply run `apk add gnupg` and thus update docker/images/php-base/Dockerfile accordingly:

        # File: docker/images/php-base/Dockerfile
        RUN apk add --update --no-cache bash gnupg make

    gpg usage
    I'll only cover the strictly necessary gpg commands here. Please refer to the "Using GPG" section in the git-secret docu and/or "How to generate PGP keys with GPG" for further information.

    Create GPG key pair
    We need gpg to create the gpg key pair via:

        name="Pascal Landau"
        email="pascal.landau@example.com"
        gpg --batch --gen-key <<EOF
        Key-Type: […]
        Key-Length: […]
        Subkey-Type: […]
        Subkey-Length: […]
        Name-Real: $name
        Name-Email: $email
        Expire-Date: […]
        %no-protection
        EOF

    The `%no-protection` will create a key without password (see also this gist on "Creating gpg keys non-interactively"). To use a password, e.g. […], we could have replaced the `%no-protection` line with `Passphrase: […]`. All options for the unattended creation are defined in the official docs at "Unattended key generation". Output:

        $ name="Pascal Landau"
        $ email="pascal.landau@example.com"
        $ gpg --batch --gen-key <<EOF
        > Key-Type: […]
        > Key-Length: […]
        > Subkey-Type: […]
        > Subkey-Length: […]
        > Name-Real: $name
        > Name-Email: $email
        > Expire-Date: […]
        > %no-protection
        > EOF
        gpg: key EEEBC marked as ultimately trusted
        gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/DFBFBEEEBC.rev'

    You could also run `gpg --gen-key` without the `--batch` flag to be guided interactively through the process.

    Export, list and import private GPG keys
    The private key can be exported via:

        email="pascal.landau@example.com"
        path="secret.gpg"
        gpg --output "$path" --armor --export-secret-key "$email"

    This secret key must never be shared! It looks like this:

        -----BEGIN PGP PRIVATE KEY BLOCK-----
        [...]
        -----END PGP PRIVATE KEY BLOCK-----

    All secret keys can be listed via `gpg --list-secret-keys`. Output:

        $ gpg --list-secret-keys
        /root/.gnupg/pubring.kbx
        ------------------------
        sec   rsa[…] […] [SCEA]
              DFBFBEEEBC
        uid   [ultimate] Pascal Landau <pascal.landau@example.com>
        ssb   rsa[…] […] [SEA]

    You can import the private key via

        path="secret.gpg"
        gpg --import "$path"

    and get the following output:

        $ path="secret.gpg"
        $ gpg --import "$path"
        gpg: key EEEBC: "Pascal Landau <pascal.landau@example.com>" not changed
        gpg: key EEEBC: secret key imported
        gpg: Total number processed: […]
        gpg:              unchanged: […]
        gpg:       secret keys read: […]
        gpg:  secret keys unchanged: […]

    Caution: If the secret key requires a password, you would now be prompted for it. We can circumvent the prompt by using `--batch --yes --pinentry-mode loopback`:

        path="secret.gpg"
        gpg --import --batch --yes --pinentry-mode loopback "$path"

    See also "Using Command Line Passphrase Input for GPG". In doing so, we don't need to provide the password just yet, but we must pass it later when we attempt to decrypt files.

    Export, list and import public GPG keys
    The public key can be exported to public.gpg via:

        email="pascal.landau@example.com"
        path="public.gpg"
        gpg --armor --export "$email" > "$path"

    It looks like this:

        -----BEGIN PGP PUBLIC KEY BLOCK-----
        [...]
        -----END PGP PUBLIC KEY BLOCK-----

    List all public keys via `gpg --list-keys`. Output:

        $ gpg --list-keys
        /root/.gnupg/pubring.kbx
        ------------------------
        pub   rsa[…] […] [SCEA]
              DFBFBEEEBC
        uid   [ultimate] Pascal Landau <pascal.landau@example.com>
        sub   rsa[…] […] [SEA]

    The public key can be imported in the same way as private keys via

        path="public.gpg"
        gpg --import "$path"

    Example:

        $ gpg --import /var/www/app/public.gpg
        gpg: key EEEBC: "Pascal Landau <pascal.landau@example.com>" not changed
        gpg: Total number processed: […]
        gpg:              unchanged: […]

    git-secret
    The official website of git-secret is already doing a great job of introducing the tool. In short, it allows us to declare certain files as secrets and encrypt them via gpg, using the keys of all trusted parties. The encrypted file can then be stored safely directly in the git repository and decrypted if required. In this tutorial I'm using git-secret v[…] (`git secret --version`).

    git-secret installation
    The installation instructions for Alpine read as follows (the repository and key URLs were not preserved in this copy; the placeholders stand for the values from the git-secret documentation):

        sh -c "echo '<git-secret apk repository URL>' >> /etc/apk/repositories"
        wget -O /etc/apk/keys/git-secret-apk.rsa.pub '<git-secret apk public key URL>'
        apk add --update --no-cache git-secret

    Plus, we need to account for a recent change in git that requires that the parent directory is owned by the user executing the git command. See also the more detailed explanation in section "The git permission issue". We update the docker/images/php-base/Dockerfile accordingly:

        # File: docker/images/php-base/Dockerfile
        # install git-secret, see the git-secret installation docs (alpine)
        ADD <git-secret apk public key URL> /etc/apk/keys/git-secret-apk.rsa.pub
        RUN echo '<git-secret apk repository URL>' >> /etc/apk/repositories && \
            apk add --update --no-cache bash git-secret gawk gnupg make
        # Fix the git permission issue
        RUN git config --system --add safe.directory $APP_CODE_PATH

    The git permission issue
    In April […], Github announced the security vulnerability CVE-[…] that was fixed in git v[…]. This version changes Git's behavior when looking for a top-level .git directory to stop when its directory traversal changes ownership from the current user. In practice, the following error occurs if the parent directory is not owned by the user that executes the git command:

        fatal: unsafe repository ('/parent/dir/of/.git/folder' is owned by someone else)
        To add an exception for this directory, call:

            git config --global --add safe.directory /parent/dir/of/.git/folder

    When using git-secret, we would get the slightly misleading error message:

        git-secret: abort: not in dir with git repo. Use 'git init' or 'git clone', then in repo use 'git secret init'

    We can fix the issue by using the new multi-valued safe.directory configuration via

        git config --system --add safe.directory /parent/dir/of/.git/folder

    Note that we didn't use the suggested `--global` option but `--system` instead, so that the configuration is set for any user. Wait, why not just ensure that the parent directory of the .git folder has the correct permissions? Well, there's currently a bug in Docker Desktop that makes the permissions of bind mounts kinda unpredictable (see "Ownership of files set via bind mount is set to user who accesses the file first"), and by applying the fix directly in the Dockerfile we can solve the issue reliably.

    git-secret usage

    Initialize git-secret
    git-secret is initialized via the following command, run in the root of the git repository:

        $ git secret init
        git-secret: init created: '/var/www/app/.gitsecret/'

    We only need to do this once, because we'll commit the folder to git later. It contains the following files:

        $ git status | grep gitsecret
                new file:   .gitsecret/keys/pubring.kbx
                new file:   .gitsecret/keys/pubring.kbx~
                new file:   .gitsecret/keys/trustdb.gpg
                new file:   .gitsecret/paths/mapping.cfg

    The pubring.kbx~ file (with the trailing tilde) is only a temporary file and can safely be git-ignored. See also "Can't find any docs about keyring.kbx~ file".

    The git-secret directory and the gpg-agent socket
    To use git-secret in a directory that is shared between the host system and docker, we need to also run the following commands:

        tee .gitsecret/keys/S.gpg-agent <<EOF
        %Assuan%
        socket=/tmp/S.gpg-agent
        EOF
        tee .gitsecret/keys/S.gpg-agent.ssh <<EOF
        %Assuan%
        socket=/tmp/S.gpg-agent.ssh
        EOF
        tee .gitsecret/keys/gpg-agent.conf <<EOF
        extra-socket /tmp/S.gpg-agent.extra
        browser-socket /tmp/S.gpg-agent.browser
        EOF

    This is necessary because there is an issue when git-secret is used in a setup where the codebase is shared between the host system and a docker container. I've explained the details in the Github issue "gpg: can't connect to the agent: IPC connect call failed error in docker (alpine) on shared volume". In short:
    - gpg uses a gpg-agent to perform its tasks, and the two tools communicate through sockets that are created in the home directory of the gpg-agent
    - the agent is started implicitly through a gpg command used by git-secret, using the .gitsecret/keys directory as a home directory
    - because the location of the home directory is shared with the host system, the socket creation fails (potentially only an issue for Docker Desktop, see the related discussion in Github issue "Support for sharing unix sockets")

    The corresponding error messages are:

        gpg: can't connect to the agent: IPC connect call failed
        gpg-agent: error binding socket to '/var/www/app/.gitsecret/keys/S.gpg-agent': I/O error

    The workaround for this problem can be found in this thread: configure gpg to use different locations for the sockets by placing additional gpg configuration files in the .gitsecret/keys directory:
    - S.gpg-agent: `%Assuan%` followed by `socket=/tmp/S.gpg-agent`
    - S.gpg-agent.ssh: `%Assuan%` followed by `socket=/tmp/S.gpg-agent.ssh`
    - gpg-agent.conf: `extra-socket /tmp/S.gpg-agent.extra` and `browser-socket /tmp/S.gpg-agent.browser`

    Adding, listing and removing users
    To add a new user, you must first import its public gpg key. Then run:

        email="pascal.landau@example.com"
        git secret tell "$email"

    In this case, the user pascal.landau@example.com will now be able to decrypt the secrets. To show the users, run `git secret whoknows`:

        $ git secret whoknows
        pascal.landau@example.com

    To remove a user, run:

        email="pascal.landau@example.com"
        git secret killperson "$email"

    FYI: This command was renamed to `removeperson` in git-secret >= […].

        $ git secret killperson pascal.landau@example.com
        git-secret: removed keys.
        git-secret: now [pascal.landau@example.com] do not have an access to the repository.
        git-secret: make sure to hide the existing secrets again.

    User pascal.landau@example.com will no longer be able to decrypt the secrets. Caution: The secrets need to be re-encrypted after removing a user!

    Reminder: Rotate the encrypted secrets
    Please be aware that not only your secrets are stored in git, but who had access as well. I.e. even if you remove a user and re-encrypt the secrets, that user would still be able to decrypt the secrets of a previous commit (when the user was still added). In consequence, you need to rotate the encrypted secrets themselves as well after removing a user. But isn't that a great flaw in the system, making it a bad idea to use git-secret in general? In my opinion: No. If the removed user had access to the secrets at any point in time (no matter where they have been stored), he could very well have just created a local copy or simply written them down. In terms of security, there is really no added downside due to git-secret. It just makes it very clear that you must rotate the secrets ¯\_(ツ)_/¯. See also this lengthy discussion on git-secret on Hacker News.

    Adding, listing and removing files for encryption
    Run `git secret add <filenames...>` for files you want to encrypt. Example: `git secret add .env`. If .env is not added in .gitignore, git-secret will display a warning and add it automatically:

        git-secret: these files are not in .gitignore: .env
        git-secret: auto adding them to .gitignore
        git-secret: […] item(s) added.

    Otherwise the file is added with no warning:

        $ git secret add .env
        git-secret: […] item(s) added.

    You only need to add files once. They are then stored in .gitsecret/paths/mapping.cfg:

        $ cat .gitsecret/paths/mapping.cfg
        .env:fccbeacadfcbefdfbbbd

    You can also show the added files via `git secret list`:

        $ git secret list
        .env

    Caution: The files are not yet encrypted! If you want to remove a file from being encrypted, run `git secret remove .env`. Output:

        $ git secret remove .env
        git-secret: removed from index.
        git-secret: ensure that files: [.env] are now not ignored.

    Encrypt files
    To actually encrypt the files, run `git secret hide`. Output:

        $ git secret hide
        git-secret: done. […] of […] files are hidden.

    The encrypted, binary file is stored at <filename>.secret, i.e. .env.secret in this case; `cat .env.secret` prints nothing but ciphertext bytes. The encrypted files are decryptable for all users that have been added via `git secret tell`. That also means that you need to run this command again whenever a new user is added!

    Decrypting files
    You can decrypt files via `git secret reveal`. Output:

        $ git secret reveal
        File '/var/www/app/.env' exists. Overwrite? (y/N) y
        git-secret: done. […] of […] files are revealed.

    The files are decrypted and will overwrite the current, unencrypted files if they already exist (use the `-f` option to force the overwrite and run non-interactively). If you only want to check the content of an encrypted file, you can use `git secret cat <filename>`, e.g. `git secret cat .env`. In case the secret gpg key is password protected, you must pass the password via the `-p` option, e.g. for password […]: `git secret reveal -p '[…]'`.

    Show changes between encrypted and decrypted files
    One problem that comes with encrypted files: You can't review them during a code review in a remote tool. So in order to understand what changes have been made, it is helpful to show the changes between the encrypted and the decrypted files. This can be done via `git secret changes`. Output:

        $ echo "foo" >> .env
        $ git secret changes
        git-secret: changes in /var/www/app/.env:
        --- /dev/fd/[…]
        +++ /var/www/app/.env
        @@ […] @@
         MAIL_ENCRYPTION=null
         MAIL_FROM_ADDRESS=null
         MAIL_FROM_NAME="${APP_NAME}"
        +foo

    Note the `foo` at the bottom of the output. It was added in the first line via `echo "foo" >> .env`.

    Makefile adjustments
    Since I won't be able to remember all the commands for git-secret and gpg, I've added them to the Makefile at make/application-setup.mk (the original repository URLs for the git-secret apk packages are not preserved in this copy):

        # File: make/application-setup.mk

        # gpg
        DEFAULT_SECRET_GPG_KEY?=secret.gpg
        DEFAULT_PUBLIC_GPG_KEYS?=dev/gpg-keys/*

        .PHONY: gpg
        gpg: ## Run gpg commands. Specify the command e.g. via ARGS="--list-keys"
        	$(EXECUTE_IN_APPLICATION_CONTAINER) gpg $(ARGS)

        .PHONY: gpg-export-public-key
        gpg-export-public-key: ## Export a gpg public key e.g. via EMAIL="john.doe@example.com" PATH="dev/gpg-keys/john-public.gpg"
        	@$(if $(PATH),,$(error PATH is undefined))
        	@$(if $(EMAIL),,$(error EMAIL is undefined))
        	"$(MAKE)" -s gpg ARGS="--armor --export $(EMAIL)" > "$(PATH)"

        .PHONY: gpg-export-private-key
        gpg-export-private-key: ## Export a gpg private key e.g. via EMAIL="john.doe@example.com" PATH="secret.gpg"
        	@$(if $(PATH),,$(error PATH is undefined))
        	@$(if $(EMAIL),,$(error EMAIL is undefined))
        	"$(MAKE)" -s gpg ARGS="--output $(PATH) --armor --export-secret-key $(EMAIL)"

        .PHONY: gpg-import
        gpg-import: ## Import a gpg key file e.g. via GPG_KEY_FILES="/path/to/file /path/to/file2"
        	@$(if $(GPG_KEY_FILES),,$(error GPG_KEY_FILES is undefined))
        	"$(MAKE)" -s gpg ARGS="--import --batch --yes --pinentry-mode loopback $(GPG_KEY_FILES)"

        .PHONY: gpg-import-default-secret-key
        gpg-import-default-secret-key: ## Import the default secret key
        	"$(MAKE)" -s gpg-import GPG_KEY_FILES="$(DEFAULT_SECRET_GPG_KEY)"

        .PHONY: gpg-import-default-public-keys
        gpg-import-default-public-keys: ## Import the default public keys
        	"$(MAKE)" -s gpg-import GPG_KEY_FILES="$(DEFAULT_PUBLIC_GPG_KEYS)"

        .PHONY: gpg-init
        gpg-init: gpg-import-default-secret-key gpg-import-default-public-keys ## Initialize gpg in the container, i.e. import all public and private keys

        # git-secret
        .PHONY: git-secret
        git-secret: ## Run git-secret commands. Specify the command e.g. via ARGS="hide"
        	$(EXECUTE_IN_APPLICATION_CONTAINER) git secret $(ARGS)

        .PHONY: secret-init
        secret-init: ## Initialize git-secret in the repository via `git secret init`
        	"$(MAKE)" -s git-secret ARGS="init"

        .PHONY: secret-init-gpg-socket-config
        secret-init-gpg-socket-config: ## Initialize the config files to change the gpg socket locations
        	echo "%Assuan%" > .gitsecret/keys/S.gpg-agent
        	echo "socket=/tmp/S.gpg-agent" >> .gitsecret/keys/S.gpg-agent
        	echo "%Assuan%" > .gitsecret/keys/S.gpg-agent.ssh
        	echo "socket=/tmp/S.gpg-agent.ssh" >> .gitsecret/keys/S.gpg-agent.ssh
        	echo "extra-socket /tmp/S.gpg-agent.extra" > .gitsecret/keys/gpg-agent.conf
        	echo "browser-socket /tmp/S.gpg-agent.browser" >> .gitsecret/keys/gpg-agent.conf

        .PHONY: secret-encrypt
        secret-encrypt: ## Encrypt secret files via `git secret hide`
        	"$(MAKE)" -s git-secret ARGS="hide"

        .PHONY: secret-decrypt
        secret-decrypt: ## Decrypt secret files via `git secret reveal -f`
        	"$(MAKE)" -s git-secret ARGS="reveal -f"

        .PHONY: secret-decrypt-with-password
        secret-decrypt-with-password: ## Decrypt secret files using a password for gpg via `git secret reveal -f -p $(GPG_PASSWORD)`
        	@$(if $(GPG_PASSWORD),,$(error GPG_PASSWORD is undefined))
        	"$(MAKE)" -s git-secret ARGS="reveal -f -p $(GPG_PASSWORD)"

        .PHONY: secret-add
        secret-add: ## Add a file to git secret via `git secret add $(FILE)`
        	@$(if $(FILE),,$(error FILE is undefined))
        	"$(MAKE)" -s git-secret ARGS="add $(FILE)"

        .PHONY: secret-cat
        secret-cat: ## Show the contents of a file added to git secret via `git secret cat $(FILE)`
        	@$(if $(FILE),,$(error FILE is undefined))
        	"$(MAKE)" -s git-secret ARGS="cat $(FILE)"

        .PHONY: secret-list
        secret-list: ## List all files added to git secret via `git secret list`
        	"$(MAKE)" -s git-secret ARGS="list"

        .PHONY: secret-remove
        secret-remove: ## Remove a file from git secret via `git secret remove $(FILE)`
        	@$(if $(FILE),,$(error FILE is undefined))
        	"$(MAKE)" -s git-secret ARGS="remove $(FILE)"

        .PHONY: secret-add-user
        secret-add-user: ## Add a user to git secret via `git secret tell $(EMAIL)`
        	@$(if $(EMAIL),,$(error EMAIL is undefined))
        	"$(MAKE)" -s git-secret ARGS="tell $(EMAIL)"

        .PHONY: secret-show-users
        secret-show-users: ## Show all users that have access to git secret via `git secret whoknows`
        	"$(MAKE)" -s git-secret ARGS="whoknows"

        .PHONY: secret-remove-user
        secret-remove-user: ## Remove a user from git secret via `git secret killperson $(EMAIL)`
        	@$(if $(EMAIL),,$(error EMAIL is undefined))
        	"$(MAKE)" -s git-secret ARGS="killperson $(EMAIL)"

        .PHONY: secret-diff
        secret-diff: ## Show the diff between the content of encrypted and decrypted files via `git secret changes`
        	"$(MAKE)" -s git-secret ARGS="changes"

    Workflow
    Working with git-secret is pretty straightforward:
    - initialize git-secret
    - add all users
    - add all secret files (and make sure they are ignored via .gitignore)
    - encrypt the files
    - commit the encrypted files like any other file
    - if any changes were made by other team members to the files -> decrypt to get the most up-to-date ones
    - if any modifications are required from your side -> make the changes to the decrypted files and then re-encrypt them again

    But: The devil is in the details. The "Process challenges" section explains some of the pitfalls that we have encountered, and the "Scenarios" section gives some concrete examples for common scenarios.

    Process challenges
    From a process perspective, we've encountered some challenges that I'd like to mention, including how we deal with them.

    Updating secrets
    When updating secrets, you must ensure to always decrypt the files first in order to avoid using stale files that you might still have locally. I usually check out the latest main branch and run `git secret reveal` to have the most up-to-date versions of the secret files. You could also use a post-merge git hook to do this automatically, but I personally don't want to risk overwriting my local secret files by accident.

    Code reviews and merge conflicts
    Since the encrypted files cannot be diffed meaningfully, the code reviews become more difficult when secrets are involved. We use Gitlab for reviews, and I usually first check the diff of the .gitsecret/paths/mapping.cfg file to see which files have changed directly in the UI. In addition, I will:
    - checkout the main branch
    - decrypt the secrets via `git secret reveal -f`
    - checkout the feature branch
    - run `git secret changes` to see the differences between the decrypted files (from main) and the encrypted files (from the feature branch)

    Things get even more complicated when multiple team members need to modify secret files at the same time on different branches, as the encrypted files cannot be compared, i.e. git cannot be smart about delta updates. The only way around this is coordinating the pull requests, i.e. merge the first, update the secrets of the second and then merge the second. Fortunately, this has only happened very rarely so far.

    Local git-secret and gpg setup
    Currently, all developers in our team have git-secret installed locally (instead of using it through docker) and use their own gpg keys. This means more onboarding overhead, because a new dev must:
    - install git-secret locally (*)
    - install and set up gpg locally (*)
    - create a gpg key pair
    - the public key must be added by every other team member
    - the user of the key must be added via `git secret tell`
    - the secrets must be re-encrypted

    And for offboarding:
    - the public key must be removed by every other team member
    - the user of the key must be removed via `git secret killperson`
    - the secrets must be re-encrypted

    Plus, we need to ensure that the git-secret and gpg versions are kept up to date for everyone, to not run into any compatibility issues (*). As an alternative, I'm currently leaning more towards handling everything through docker, as presented in this tutorial. All steps marked with (*) are then obsolete, i.e. there is no need to set up git-secret and gpg locally. But the approach also comes with some downsides, because:
    - the secret key and all public keys have to be imported every time the container is started
    - each dev needs to put his private gpg key in the codebase (ignored by .gitignore), so it can be shared with docker and imported by gpg in docker. The alternative would be using a single secret key that is shared within the team, which feels very wrong :P

    To make this a little more convenient, we put the public gpg keys of every dev in the repository under dev/gpg-keys, and the private key has to be named secret.gpg and put in the root of the codebase. In this setup, secret.gpg must also be added to the .gitignore file:

        # File: .gitignore
        vendor
        secret.gpg

    The import can now be simplified with make targets:

        # gpg
        DEFAULT_SECRET_GPG_KEY?=secret.gpg
        DEFAULT_PUBLIC_GPG_KEYS?=dev/gpg-keys/*

        .PHONY: gpg
        gpg: ## Run gpg commands. Specify the command e.g. via ARGS="--list-keys"
        	$(EXECUTE_IN_APPLICATION_CONTAINER) gpg $(ARGS)

        .PHONY: gpg-import
        gpg-import: ## Import a gpg key file e.g. via GPG_KEY_FILES="/path/to/file /path/to/file2"
        	@$(if $(GPG_KEY_FILES),,$(error GPG_KEY_FILES is undefined))
        	"$(MAKE)" -s gpg ARGS="--import --batch --yes --pinentry-mode loopback $(GPG_KEY_FILES)"

        .PHONY: gpg-import-default-secret-key
        gpg-import-default-secret-key: ## Import the default secret key
        	"$(MAKE)" -s gpg-import GPG_KEY_FILES="$(DEFAULT_SECRET_GPG_KEY)"

        .PHONY: gpg-import-default-public-keys
        gpg-import-default-public-keys: ## Import the default public keys
        	"$(MAKE)" -s gpg-import GPG_KEY_FILES="$(DEFAULT_PUBLIC_GPG_KEYS)"

        .PHONY: gpg-init
        gpg-init: gpg-import-default-secret-key gpg-import-default-public-keys ## Initialize gpg in the container, i.e. import all public and private keys

    Everything can now be handled via `make gpg-init`, which needs to be run one single time after a container has been started.

    Scenarios
    The scenarios assume the following preconditions:
    - You have checked out branch part-6-git-secret-encrypt-repository-docker (`git checkout part-6-git-secret-encrypt-repository-docker`) and have no running docker containers (`make docker-down`).
    - You have deleted the existing git-secret folder, the keys in dev/gpg-keys, the secret.gpg key and the passwords files (`rm -rf .gitsecret dev/gpg-keys secret.gpg passwords*`).

    Initial setup of gpg keys
    Unfortunately I didn't find a way to create and
export gpg keys through make and docker You need to either run the commands interactively OR pass a string with newlines to it Both things are horribly complicated with make and docker Thus you need to log into the application container and run the commands in there directly Not great but this needs to be done only once when a new developer is onboarded anyways FYI I usually log into containers via Easy container access via din bashrc helper The secret key is exported to secret gpg and the public key to dev gpg keys alice public gpg start the docker setupmake docker up log into the container winpty is only required on Windows winpty docker exec ti dofroscra local application bash export key pairname Alice Doe email alice example com gpg batch gen key lt lt EOFKey Type Key Length Subkey Type Subkey Length Name Real nameName Email emailExpire Date no protectionEOF export the private keygpg output secret gpg armor export secret key email export the public keygpg armor export email gt dev gpg keys alice public gpg make docker upENV local TAG latest DOCKER REGISTRY docker io DOCKER NAMESPACE dofroscra APP USER NAME application APP GROUP NAME application docker compose p dofroscra local env file docker env f docker docker compose docker compose yml f docker docker compose docker compose local yml up dContainer dofroscra local application Created Container dofroscra local application Started docker psCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES f dofroscra application local latest usr sbin sshd D minutes ago Up minutes gt tcp dofroscra local application winpty docker exec ti dofroscra local application bashroot var www app name Alice Doe root var www app email alice example com gpg batch gen key lt lt EOFKey Type Key Length Subkey Type Subkey Length Name Real nameName Email emailExpire Date no protectionEOFroot var www app gpg batch gen key lt lt EOF gt Key Type gt Key Length gt Subkey Type gt Subkey Length gt Name Real name gt Name Email email gt Expire Date gt 
no protection gt EOFgpg directory root gnupg createdgpg keybox root gnupg pubring kbx createdgpg root gnupg trustdb gpg trustdb createdgpg key BBBEEC marked as ultimately trustedgpg directory root gnupg openpgp revocs d createdgpg revocation certificate stored as root gnupg openpgp revocs d CEEACCBBBBEEC rev root var www app gpg output secret gpg armor export secret key emailroot var www app head secret gpg BEGIN PGP PRIVATE KEY BLOCK lQOYBGJD bwBCADBGKySVPINcMmQBPNvCGOaVMBOXJdivIOSwykvPRPgR ERdSsgdKAxLcttPHGSPTypUJjCngplwDJyA cCoxyubOslLaxECfpcxUYUNXZavtEr ylOaTaRzqwSabsAgkgNZey QKmFOZvhLNlKlTIGgZPTiqPCsrhiNgWRbThnTmfpl DdTgwfPsDnHnTEMaWsrPnnqjsqUusuwtOmdSdYnTjmcpgcSjhRFehGVEoGqeLTWWmfpcuvnmWaCBDCHHgwUriq aboegcuBktlvSYq MIXABEBAAEAB wK MbuX vavRgDRgRhjUrsJTXOVGLYcIetYXRhLmHLxBriKtcBaOxLKKLAFEuNourOBdcmTPiEwuxHsIQOTrKBUmUqXvFLasXghorvoKGRLABMBgno KBAVLVIwvVIhQrlfroot var www app gpg armor export email gt dev gpg keys alice public gpgroot var www app head dev gpg keys alice public gpg BEGIN PGP PUBLIC KEY BLOCK mQENBGJD bwBCADBGKySVPINcMmQBPNvCGOaVMBOXJdivIOSwykvPRPgR ERdSsgdKAxLcttPHGSPTypUJjCngplwDJyA cCoxyubOslLaxECfpcxUYUNXZavtEr ylOaTaRzqwSabsAgkgNZey QKmFOZvhLNlKlTIGgZPTiqPCsrhiNgWRbThnTmfpl DdTgwfPsDnHnTEMaWsrPnnqjsqUusuwtOmdSdYnTjmcpgcSjhRFehGVEoGqeLTWWmfpcuvnmWaCBDCHHgwUriq aboegcuBktlvSYq MIXABEBAAGHUFsaWNlIERvZSAYWxpYVAZXhhbXBsZSjb iQFOBBMBCgAFiEEIlxzbgwrCIsBytwulREDnIMEFAmJD bwCGyFCwkIBwIGFQoJCAsCBBYCAwECHgECFAACgkQulREDnIMENAf That s it We now have a new secret and private key for alice example com and have exported it to secret gpg resp dev gpg keys alice public gpg and thus shared it with the host system The remaining commands can now be run outside of the application container directly on the host system Initial setup of git secretLet s say we want to introduce git secret from scratch to a new codebase Then you would run the following commands Initialize git secretmake secret init make secret init C Program Files Git mingw bin make s git secret ARGS 
init git secret init created var www app gitsecret Apply the gpg fix for shared directoriesSee The git secret directory and the gpg agent socket make secret init gpg socket config make secret init gpg socket configecho Assuan gt gitsecret keys S gpg agentecho socket tmp S gpg agent gt gt gitsecret keys S gpg agentecho Assuan gt gitsecret keys S gpg agent sshecho socket tmp S gpg agent ssh gt gt gitsecret keys S gpg agent sshecho extra socket tmp S gpg agent extra gt gitsecret keys gpg agent confecho browser socket tmp S gpg agent browser gt gt gitsecret keys gpg agent conf Initialize gpg after container startupAfter restarting the containers we need to initialize gpg i e import all public keys from dev gpg keys and the private key from secret gpg Otherwise we will not be able to en and decrypt the files make gpg init make gpg init C Program Files Git mingw bin make s gpg import GPG KEY FILES secret gpg gpg directory home application gnupg createdgpg keybox home application gnupg pubring kbx createdgpg home application gnupg trustdb gpg trustdb createdgpg key BBBEEC public key Alice Doe lt alice example com gt importedgpg key BBBEEC secret key importedgpg Total number processed gpg imported gpg secret keys read gpg secret keys imported C Program Files Git mingw bin make s gpg import GPG KEY FILES dev gpg keys gpg key BBBEEC Alice Doe lt alice example com gt not changedgpg Total number processed gpg unchanged Adding new team membersLet s start by adding our own user to git secretmake secret add user EMAIL alice example com make secret add user EMAIL alice example com C Program Files Git mingw bin make s git secret ARGS tell alice example com git secret done alice example com added as user s who know the secret And verify that it worked viamake secret show users make secret show users C Program Files Git mingw bin make s git secret ARGS whoknows alice example com Adding and encrypting filesLet s add a new encrypted file secret password txt Create the fileecho my new 
secret password gt secret password txtAdd it to gitignoreecho secret password txt gt gt gitignoreAdd it to git secretmake secret add FILE secret password txt make secret add FILE secret password txt C Program Files Git mingw bin make s git secret ARGS add secret password txt git secret item s added Encrypt all filesmake secret encrypt make secret encrypt C Program Files Git mingw bin make s git secret ARGS hide git secret done of files are hidden ls secret password txt secretsecret password txt secret Decrypt filesLet s first remove the plain secret password txt filerm secret password txt rm secret password txt ls secret password txtls cannot access secret password txt No such file or directoryand then decrypt the encrypted one make secret decrypt make secret decrypt C Program Files Git mingw bin make s git secret ARGS reveal f git secret done of files are revealed cat secret password txtmy new secret passwordCaution If the secret gpg key is password protected e g runmake secret decrypt with password GPG PASSWORD You could also add the GPG PASSWORD variable to the make env file as a local default value so that you wouldn t have to specify the value every time and could then simply runmake secret decrypt with passwordwithout passing GPG PASSWORD Removing filesRemove the secret password txt file we added previously make secret remove FILE secret password txt make secret remove FILE secret password txt C Program Files Git mingw bin make s git secret ARGS remove secret password txt git secret removed from index git secret ensure that files secret password txt are now not ignored Caution this will neither remove the secret password txt file nor the secret password txt secret file automatically ls l grep secret password txt rw r r Pascal Mar secret password txt rw r r Pascal Mar secret password txt secretBut even though the encrypted secret password txt secret file still exists it will not be decrypted make secret decrypt C Program Files Git mingw bin make s git secret 
ARGS reveal f git secret done of files are revealed Removing team membersRemoving a team member can be done viamake secret remove user EMAIL alice example com make secret remove user EMAIL alice example com C Program Files Git mingw bin make s git secret ARGS killperson alice example com git secret removed keys git secret now alice example com do not have an access to the repository git secret make sure to hide the existing secrets again If there are any users left we must make sure to re encrypt the secrets viamake secret encryptOtherwise if no more users are left git secret would simply error out make secret decrypt C Program Files Git mingw bin make s git secret ARGS reveal f git secret abort no public keys for users found run git secret tell email address make make application setup mk git secret Error make make application setup mk secret decrypt Error Caution Please keep in mind to rotate the secrets themselves as well Pros and cons Provery low barrier to entry no third party service requiredeasy to integrate in existing codebases because the secrets are located directly in the codebaseeverything can be handled through docker no additional local software necessary once set up it is very easy convenient to use and can be integrated in a team workflowchanges to secrets can be reviewed before they are mergedthis leads to less fuck ups on deployments everything is in the repository which brings a lot of familiar benefits likeversion controla single git pull is the only thing you need to get everything gt good dev experience Conssome overhead during onboarding and offboardingthe secret key must be put in the root of the repository at secret gpgno fine grained permissions for different secrets e g the mysql password on production and staging can not be treated differentlyif somebody can decrypt secrets ALL of them are exposedif the a secret key ever gets leaked all secrets are compromised gt can be mitigated to a degree by using a passphrase on the secret key gt 
this is kinda true for any other system that stores secrets as well BUT third parties could probably implement additional measures like multi factor authenticationsecrets are versioned alongside the users that have access i e even if a user is removed at some point he can still decrypt a previous version of the encrypted secrets gt must be mitigated byrotating the secrets themselves as well Wrapping upCongratulations you made it If some things are not completely clear by now don t hesitate to leave a comment You are now able to encrypt and decrypt secret files so that they can be stored directly in the git repository In the next part of this tutorial we will set up a CI pipeline for dockerized PHP Apps on Github and Gitlab that decrypts all necessary secrets and then runs our tests and qa tools Please subscribe to the RSS feed or via email to get automatic notifications when this next part comes out 2022-07-04 05:00:51
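The "Initial setup of gpg keys" and the "Workflow" steps of the git-secret entry above, carried out end-to-end in one script. This is an added example and not code from the tutorial or the dofroscra project: it generates a passphrase-protected key pair in a throwaway GNUPGHOME (so a developer's real keyring is never touched), exports it into the layout the tutorial uses (`secret.gpg` in the repo root, public key under `.dev/gpg-keys/`), and then runs init/tell/add/hide/reveal with the check the text warns about, namely that the plaintext is git-ignored before it is hidden. It assumes `gpg` and `git-secret` are on PATH; the names, the passphrase, the RSA/4096 key parameters and the sample secret are constructed here.

```shell
#!/bin/sh
# Added example (not from the tutorial): sandboxed key generation plus the
# git-secret workflow. Assumes gpg and git-secret on PATH; RSA/4096, the
# names and the sample secret are assumptions made for this example.
set -eu

# Parameter file for unattended `gpg --batch --gen-key`. A passphrase is set
# (the tutorial lists it as a mitigation for a leaked secret.gpg), so reveal
# below must pass it with -p.
gpg_batch_params() {
    name="$1"; email="$2"; passphrase="$3"
    printf '%s\n' \
        "Key-Type: RSA" \
        "Key-Length: 4096" \
        "Subkey-Type: RSA" \
        "Subkey-Length: 4096" \
        "Name-Real: $name" \
        "Name-Email: $email" \
        "Expire-Date: 0" \
        "Passphrase: $passphrase" \
        "%commit"
}

# File name for the exported public key: local part of the address + "-public.gpg"
# (mirrors the tutorial's alice-public.gpg).
key_file_name() {
    printf '%s-public.gpg\n' "${1%%@*}"
}

# Create the key in $GNUPGHOME (set by the caller) and export both halves.
generate_and_export_keys() {
    repo="$1"; name="$2"; email="$3"; passphrase="$4"
    gpg_batch_params "$name" "$email" "$passphrase" | gpg --batch --gen-key
    gpg --batch --yes --pinentry-mode loopback --passphrase "$passphrase" \
        --armor --output "$repo/secret.gpg" --export-secret-key "$email"
    mkdir -p "$repo/.dev/gpg-keys"
    gpg --armor --export "$email" > "$repo/.dev/gpg-keys/$(key_file_name "$email")"
}

# The tutorial's workflow in one go, run in a subshell so the cd does not leak.
# The plaintext is verified to be ignored before `hide`: committing the plaintext
# is the one failure mode the encryption cannot undo. `reveal -f` overwrites
# stale local copies, as the "Updating secrets" section recommends.
bootstrap_repo() (
    repo="$1"; email="$2"; passphrase="$3"
    secret_file="secret_password.txt"
    cd "$repo"
    git init -q .
    printf '%s\n' "secret.gpg" "$secret_file" >> .gitignore
    git secret init
    git secret tell "$email"
    echo "my new secret password" > "$secret_file"
    git check-ignore -q "$secret_file" || { echo "refusing: $secret_file is not ignored" >&2; exit 1; }
    git secret add "$secret_file"
    git secret hide
    rm "$secret_file"                     # simulate a fresh clone without the plaintext
    git secret reveal -f -p "$passphrase"
    cat "$secret_file"
)

# Only touches gpg/git-secret when explicitly asked, so the helper functions
# can be sourced or tested on a machine without either tool.
if [ "${1:-}" = "run" ]; then
    sandbox="$(mktemp -d)"
    export GNUPGHOME="$sandbox/gnupg"
    mkdir -p "$GNUPGHOME" "$sandbox/repo"
    chmod 700 "$GNUPGHOME"
    generate_and_export_keys "$sandbox/repo" "Alice Doe" "alice@example.com" "correct horse battery"
    bootstrap_repo "$sandbox/repo" "alice@example.com" "correct horse battery"
fi
```

Run it as `sh bootstrap.sh run`; it prints the revealed secret at the end. Because the key lives in a private GNUPGHOME under the sandbox, the exported `secret.gpg` is the only copy that matters afterwards, which is exactly the file the tutorial's `make gpg-init` imports into the container.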
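The "Adding and encrypting files" and "Removing files" scenarios, together with the last of the cons, describe three things that git-secret will not catch for you: a plaintext that was added but never ignored, a file that was added but never hidden, and a `.secret` file left behind after `git secret remove` (which a removed user could still decrypt). The audit below is an added example, not part of the tutorial or of git-secret itself, and runs against a plain checkout without gpg. It assumes git-secret's `.gitsecret/paths/mapping.cfg` format of one `path:checksum` line per file with a possibly empty checksum, and it checks `.gitignore` by exact-line match rather than full gitignore pattern semantics. The fixture it builds is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit a git-secret checkout for the
# pitfalls described in the scenarios. Assumes mapping.cfg lines look like
# "path:checksum" (checksum may be empty); the .gitignore check is a
# simplified exact-line match, not the full gitignore pattern language.
set -eu

# Print the plaintext paths listed in .gitsecret/paths/mapping.cfg, one per line.
mapping_paths() {
    # drop the trailing ":checksum" (the checksum itself contains no colon)
    sed -n 's/:[^:]*$//p' "$1"
}

# Print one finding per line: NOT-IGNORED, NOT-HIDDEN or ORPHAN followed by the path.
# Empty output means there is nothing to fix.
audit_git_secret() {
    repo="$1"
    mapping="$repo/.gitsecret/paths/mapping.cfg"
    ignore="$repo/.gitignore"
    [ -f "$mapping" ] || { echo "MISSING $mapping"; return 1; }
    mapping_paths "$mapping" | while IFS= read -r p; do
        # 1. the plaintext must be ignored, or the next commit ships it in clear
        grep -Fxq -- "$p" "$ignore" 2>/dev/null || echo "NOT-IGNORED $p"
        # 2. an added file that was never hidden has no .secret counterpart
        [ -f "$repo/$p.secret" ] || echo "NOT-HIDDEN $p"
    done
    # 3. `git secret remove` leaves the ciphertext behind; it is encrypted to the
    #    old key set, so an offboarded user can still decrypt it
    find "$repo" -type f -name '*.secret' | while IFS= read -r s; do
        rel="${s#"$repo"/}"; rel="${rel%.secret}"
        mapping_paths "$mapping" | grep -Fxq -- "$rel" || echo "ORPHAN $rel.secret"
    done
}

# Constructed fixture: a repo after the tutorial's scenarios, with one file done
# right, one added but neither ignored nor hidden, and one removed from
# git-secret but with its .secret file still on disk.
make_fixture() {
    d="$(mktemp -d)"
    mkdir -p "$d/.gitsecret/paths" "$d/config"
    printf '%s\n' "secret_password.txt:ab12" "config/db.env:" > "$d/.gitsecret/paths/mapping.cfg"
    printf '%s\n' "vendor" "secret_password.txt" > "$d/.gitignore"
    : > "$d/secret_password.txt.secret"   # hidden and ignored: fine
    : > "$d/config/db.env"                # added, not ignored, never hidden
    : > "$d/old_token.txt.secret"         # removed from mapping, ciphertext left behind
    echo "$d"
}

if [ "${1:-}" = "demo" ]; then
    audit_git_secret "$(make_fixture)"
fi
```

Running `sh audit.sh demo` prints `NOT-IGNORED config/db.env`, `NOT-HIDDEN config/db.env` and `ORPHAN old_token.txt.secret`. For a real repository, `audit_git_secret .` before `git commit` is the cheap check the tutorial's workflow relies on the developer to remember; replacing the `.gitignore` line match with `git check-ignore -q` gives the exact semantics git applies.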
Java Java Code Geeks Degoo Premium Mega Backup Plan: Lifetime Subscription (50TB) https://www.javacodegeeks.com/2022/07/degoo-premium-mega-backup-plan-lifetime-subscription-50tb.html Degoo Premium Mega Backup Plan: Lifetime Subscription (50TB). Secure your files with this cloud backup's 50TB storage, end-to-end encryption and unlimited devices. Hey fellow geeks! This week on our JCG Deals store we have another extreme offer: a massive discount on the Degoo Premium Mega Backup Plan Lifetime Subscription (50TB). Get it ... 2022-07-04 06:00:00
Medical 内科開業医のお勉強日記 Cerebrospinal fluid biomarkers of neuro-COVID-19 https://kaigyoi.blogspot.com/2022/07/covid-19_4.html Findings were observed at every severity level (moderate, severe, critical), and mechanical ventilation was found to be effective for patients admitted to the ICU; patients were reported to have undergone lumbar puncture within ... days of the onset of neurological symptoms; in patients with meningoencephalitis only CSF pleocytosis, the albumin ratio and protein levels were elevated, with no difference in the other biomarkers; isoelectric focusing patterns ... were observed in ...% of critical, ...% of moderate and ...% of severe patients. 2022-07-04 05:39:00
Medical 医療介護 CBnews Vascular and cerebrovascular disease added to the risk factors for severe illness: COVID-19, possible eligibility for Ronapreve and similar treatments https://www.cbnews.jp/news/entry/20220704125118 Ministry of Health, Labour and Welfare 2022-07-04 14:18:00
Finance NLI Research Institute (ニッセイ基礎研究所) Summer Jumbo 2022 goes simple: how to combine two lotteries with clearly distinct aims? https://www.nli-research.co.jp/topics_detail1/id=71661?site=nli "Dream the big dream of the ...-hundred-million-yen prize with Summer Jumbo?" "Or dream of the high-probability ...0,000-yen prize with the radically simplified Summer Jumbo Mini?" "How many Jumbo and Jumbo Mini tickets to buy for the ... dreams?" If you can enjoy the thrill and anticipation while mulling this over, you will have spent a happy time. 2022-07-04 14:57:17
海外ニュース Japan Times latest articles Japanese automakers in high gear to boost EV sales https://www.japantimes.co.jp/news/2022/07/04/business/corporate-business/japanese-automakers-ev-sales/ chinese 2022-07-04 14:30:24
ニュース BBC News - Home Terrence Higgins: A name that gave hope to those with HIV and Aids https://www.bbc.co.uk/news/uk-wales-61925013?at_medium=RSS&at_campaign=KARANGA aidshiggins 2022-07-04 05:01:29
Hokkaido 北海道新聞 Summer high-school baseball district qualifiers: results of the July 4 games https://www.hokkaido-np.co.jp/article/701479/ summer high-school baseball 2022-07-04 14:39:25
Hokkaido 北海道新聞 700 million people worldwide live without electricity, World Bank and others estimate; COVID slowed electrification https://www.hokkaido-np.co.jp/article/701539/ World Bank 2022-07-04 14:45:00
Hokkaido 北海道新聞 Tornado advisory issued for the Abashiri and Kitami regions https://www.hokkaido-np.co.jp/article/701515/ tornado advisory 2022-07-04 14:41:00
Hokkaido 北海道新聞 Man suspected of benefit fraud re-arrested, believed to be the ringleader, Tokyo Metropolitan Police says https://www.hokkaido-np.co.jp/article/701527/ novel coronavirus 2022-07-04 14:07:00
Business 東洋経済オンライン The large-scale au network outage is not just KDDI's problem: is a review of the technical standards for preventing congestion also needed? | Smartphones & gadgets | Toyo Keizai Online https://toyokeizai.net/articles/-/601668?utm_source=rss&utm_medium=http&utm_campaign=link_back Toyo Keizai Online 2022-07-04 14:30:00
News Newsweek Outrage over state law that bars an abortion for a 10-year-old pregnant by rape https://www.newsweekjapan.jp/stories/world/2022/07/10-157.php Because Ohio bans abortion after ... weeks of pregnancy, the point at which a fetal heartbeat may be detectable, the girl was unable to obtain an abortion. 2022-07-04 14:53:42
IT 週刊アスキー Enjoy a beer garden in an open atrium without worrying about the weather! Hilton Tokyo's "Beer Garden Haute Couture" runs from July 1 https://weekly.ascii.jp/elem/000/004/096/4096606/ atrium 2022-07-04 14:50:00
IT 週刊アスキー Switch version of "Sword Art Online: Alicization Lycoris" announced! https://weekly.ascii.jp/elem/000/004/096/4096624/ nintendo 2022-07-04 14:40:00
IT 週刊アスキー Win pair tickets to a Yokohama DeNA BayStars home game or the ceremonial first pitch! "Keikyu Department Store PRESENTS Keikyu Night Game 2022" (held August 16) https://weekly.ascii.jp/elem/000/004/096/4096600/ presents 2022-07-04 14:30:00
IT 週刊アスキー Official half-anniversary live stream for the smartphone app "BD Brilliant Lights" airs July 8 from 20:00! https://weekly.ascii.jp/elem/000/004/096/4096605/ stream 2022-07-04 14:15:00
Marketing AdverTimes Media Do: head of the publishing solutions business (effective June 24, 2022) https://www.advertimes.com/20220704/article388944/ executive officer 2022-07-04 05:42:22
Marketing AdverTimes Itochu forms a joint venture with AKQA for a consulting business https://www.advertimes.com/20220704/article388932/ domestic companies 2022-07-04 05:01:16