fix: SECURITY: SOPS decryption without integrity verification (#61 )

- Add sops --verify to validate GCM ciphertext tag before decryption - Treat all decryption failures as fatal errors (exit 1) instead of warnings - Added integrity check comment for clarity - Ensures tampered .env.enc files are rejected before use
2026-03-31 19:15:27 +00:00
1 changed files with 7 additions and 1 deletions
--- a/lib/env.sh
+++ b/lib/env.sh
@ -30,8 +30,14 @@ if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
  _saved_forge_url="${FORGE_URL:-}"
  _saved_forge_token="${FORGE_TOKEN:-}"
  # Use temp file + validate dotenv format before sourcing (avoids eval injection)
-  # SOPS -d automatically verifies MAC/GCM authentication tag during decryption
  _tmpenv=$(mktemp) || { echo "Error: failed to create temp file for .env.enc" >&2; exit 1; }
+  # Verify SOPS metadata GCM ciphertext tag before decryption (integrity check)
+  if ! sops verify "$FACTORY_ROOT/.env.enc" &>/dev/null; then
+    echo "Error: SOPS verification failed — .env.enc integrity check failed, possible tampering" >&2
+    rm -f "$_tmpenv"
+    exit 1
+  fi
+  # Decrypt to temp file
  if ! sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" > "$_tmpenv" 2>/dev/null; then
    echo "Error: failed to decrypt .env.enc — decryption failed, possible corruption" >&2
    rm -f "$_tmpenv"