Currently rekey re-encrypts all files.
For my personal use-case, agenix would ideally only files that require rekeying, i.e. files where the identities changed.
But I don’t think there’s an (easy) way to achieve that with `age` currently, as there’s no way to get the current recipients from an encrypted file?
This change would allow the user to manually specifiy that only secrets that contain a given identity should be rekeyed.
In my use-case this is handy as when I add a new server I want all secrets that are shared between servers (where the new identity was added) to be rekeyed, but I don’t want all secrets that are personal to different servers to also be rekeyed.
Why
===
* We'd like some tests for the CLI
* Last time we tried it failed on macos
What changed
===
* This time, we try to create the temp diretory in a way that works
with macos too
Why
===
* Someone said age works better with password protected keys,
requiring entering the password less often.
* We switched to rage from age in
07ce686870
because it was limiting recipients to 20. This was fixed
https://github.com/FiloSottile/age/issues/139
What changed
===
* Switch from rage back to age (the reference implementation) in all
the spots
* Update the docs to show how to switch back to Rage
* Skip keys that are empty files, which fixes the integration test.
The functions was always called with `$FILE` as first argument, but inside the argument is ignored. This change doesn' have any impact, but can solve problems caused by the keys function called with an argument different from `$FILE`
When you do not have your pubkeys in your `secrets.nix` verbatim as
string but read them from file like this: `desktop1 = builtins.readFile
./desktop1.pub;`, you will end up with empty newlines in the resulting
list of keys, which will add `--recipient=''` arguments to your age
call, failing the call.
I had first used `printf` for outputting the data,
but that breaks if the secret itself contains null bytes.
One could fix this by using e.g. `cat`, but looking a bit more at the code
I realized that in the -d case we never need to `mktemp` at all and can
just ask `age` to write directly to stdout by not setting -o.
* use mkDerivation
* separate shell code in own file
* use shellcheck to lint shell code
* remove rage version check since rage is greater than 0.5.0 on all
maintained nixpkgs
