sops: don't leak secret key in debug logs

2025-10-07 11:30:54 +02:00
parent 060b22cf21
commit 10ed2cc7f7
2 changed files with 10 additions and 2 deletions
--- a/pkgs/clan-cli/clan_cli/secrets/sops.py
+++ b/pkgs/clan-cli/clan_cli/secrets/sops.py
@@ -355,7 +355,10 @@ def get_public_age_key_from_private_key(privkey: str) -> str:
    cmd = nix_shell(["age"], ["age-keygen", "-y"])

    error_msg = "Failed to get public key for age private key. Is the key malformed?"
-    res = run(cmd, RunOpts(input=privkey.encode(), error_msg=error_msg))
+    res = run(
+        cmd,
+        RunOpts(input=privkey.encode(), error_msg=error_msg, sensitive_input=True),
+    )
    return res.stdout.rstrip(os.linesep).rstrip()