Travis decrypt failing between different branches

Hello,

We have a strange issue with our builds happening at the moment. I will try to explain the issue, as the only output from the build is "decrypt failed".

Currently I am in the process of migrating an application to a new version. The sole purpose of my branch is to do this upgrade. This involves changing some of our secret .env file values, specifically the key name.

I then encrypt this file and commit the sec file which is then decrypted on build and applied to the build.

My build will then pass and no issues are raised. Someone else on my team working on a different branch will then submit a change and the decrypt command will then fail. They have not touched the .env files and have not submitted a change to the sec file. They then have to re-encrypt the files and submit them, which then fails my build when I push again. And so on.

Not sure if I have explained this well, but if anyone has any insight into what might be going on in the background of encrypt and decrypt, it would be appreciated.

Hey @tom-millard-dv,

I’ll be glad to help. The information is a bit vague without seeing the build instructions in your .travis.yml file or even knowing if you’re using macOS, Linux, etc., which is a bit limiting. So there’s a couple of things here:

  1. Your openssl invocation could be wrong.

  2. If you’re not using our encryption method, you can run openssl enc to both encrypt and decrypt the file/files in question. If you are not using our encryption method, though, I can’t tell what might go wrong.

The travis encrypt-file command will encrypt a file for you using a symmetric encryption (AES-256), and it will store the secret in a secure variable. It will output the command you can use in your build script to decrypt the file.

Try adding the following to your build script (the before_install stage in your .travis.yml, for instance), and make sure it’s at the head of the before_install hook in your build instructions:

before_install:
  - openssl aes-256-cbc -K $encrypted_5880cf525281_key -iv $encrypted_5880cf525281_iv -in secrets.tar.enc -out secrets.tar -d
  - tar xvf secrets.tar

Then add the decryption step to your .travis.yml, adjusting $*_key and $*_iv according to your needs.

I’d also suggest you read more on decrypting/encrypting.

If this isn’t helpful, please respond back and I’ll continue helping you until we can get a solution in place.

Montana Mendy
Travis CI Staff

Thanks @Montana for the information.

The way you explained it is exactly how we are currently working.

We use travis encrypt-file locally. We then upload the new *.enc file. We only do this if we need to change the env.

We take what travis encrypt-file gives us as the keys. All seems fine here as it’s been working like this for years.

# Pick the key/iv pair and the encrypted file for this branch
if [[ "${TRAVIS_BRANCH}" == "master" ]]; then
    encryption_key=$some_key
    encryption_iv=$some_iv
    secret_file=.env.sec.master
else
    encryption_key=$some_key
    encryption_iv=$some_iv
    secret_file=.env.sec.dev
fi

# Decrypt the committed .enc file into the .env.sec the build reads
openssl aes-256-cbc -K "${encryption_key}" -iv "${encryption_iv}" -in "${secret_file}".enc -out .env.sec -d

Issues started happening when I changed the env file, re-encrypted it, then pushed it. A colleague then pushed his branch and the decryption then failed. They had not changed the env file (on their branch) and I would expect the build to pass.

In order for them to fix the issue they would need to re-encrypt the .env.sec.master and .env.sec.dev which they never changed.

The repository is private, so I’m not sure how I go about sending over the details of the build.

Thank you for your help.

Hey no problem @tom-millard-dv. Sorry this is an issue right now but we’ll get it sorted!

I’m thinking one reason is because when re-encrypting, it overwrites the key / iv variables with subsequent calls from the same working folder.

The idea I have is as stands, essentially this is what the Travis CLI does on its own (the example I’m about to use). Using this method also allows you to reuse the same key / iv to encrypt multiple files.

So as you would, use openssl to create key & iv values:

openssl enc -aes-256-cbc -k secret -P -md sha1

Then just use cp or something to copy the key & iv variables. Then run the following:

travis env set YOUR_KEY key_value_in_hex -p
travis env set YOUR_IV iv_value_in_hex -p
openssl aes-256-cbc -K key_value_in_hex -iv iv_value_in_hex -in file_to_enc.data -out file_to_enc.data.enc
openssl aes-256-cbc -K key_value_in_hex -iv iv_value_in_hex -in file2_to_enc.data -out file2_to_enc.data.enc

Then bring up your .travis.yml file again, and inside the .travis.yml file manually add the lines to the before_install: script hook:

- openssl aes-256-cbc -K $YOUR_KEY -iv $YOUR_IV -in file_to_enc.data.enc -out file_to_enc.data -d
- openssl aes-256-cbc -K $YOUR_KEY -iv $YOUR_IV -in file2_to_enc.data.enc -out file2_to_enc.data -d

My second suggestion is that you should ensure the openssl versions (used to encrypt/decrypt) are compatible. For example, the hash used in openssl changed at version 1.1.0 from MD5 to SHA256.

This will ultimately produce a different key from the same password. So if there are various versions of openssl being used, that could be another conflict; streamlining the openssl version could be the culprit here as well.

Montana Mendy
Travis CI Staff
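
An added example (not from this thread, and not Travis CI's own tooling) that reproduces the two failure modes described in the reply above with plain openssl: re-running encrypt-file rotates the key/iv stored under the same variable names, and a password-derived key differs between MD5 and SHA-256 digests. File names, the sample .env contents and the salt are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce both failure modes with openssl only.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'API_KEY=constructed-sample-value\n' > "$WORK/.env.sec"   # stand-in for the real secret file

# travis encrypt-file generates a random 32-byte key and 16-byte IV (hex) and stores them
# as $encrypted_<id>_key / $encrypted_<id>_iv in the repository settings.
encrypt_with() {  # key iv plaintext ciphertext
  openssl enc -aes-256-cbc -K "$1" -iv "$2" -in "$3" -out "$4"
}
decrypt_with() {  # key iv ciphertext plaintext; non-zero on "bad decrypt"
  openssl enc -aes-256-cbc -d -K "$1" -iv "$2" -in "$3" -out "$4" 2>/dev/null
}

# Failure mode 1: a second encrypt-file run overwrites the key/iv variables, so an .enc
# committed earlier on another branch no longer decrypts although that branch never changed it.
rotation_breaks_old_file() {
  KEY1=$(openssl rand -hex 32); IV1=$(openssl rand -hex 16)   # colleague's encrypt run
  encrypt_with "$KEY1" "$IV1" "$WORK/.env.sec" "$WORK/.env.sec.dev.enc"
  KEY2=$(openssl rand -hex 32); IV2=$(openssl rand -hex 16)   # my re-encrypt replaces the variables
  # The build now decrypts the old .enc with the new key: it must NOT recover the file.
  if decrypt_with "$KEY2" "$IV2" "$WORK/.env.sec.dev.enc" "$WORK/out" \
     && cmp -s "$WORK/out" "$WORK/.env.sec"; then
    return 1
  fi
  # The original key still works, which is why re-encrypting "fixes" it for one side only.
  decrypt_with "$KEY1" "$IV1" "$WORK/.env.sec.dev.enc" "$WORK/out" \
    && cmp -s "$WORK/out" "$WORK/.env.sec"
}

# Failure mode 2: with a password (-k) instead of -K/-iv, openssl derives the key from the
# password with a digest; the default moved from MD5 to SHA-256 in 1.1.0, so the same
# password and salt yield different keys on different versions.
kdf_digest_changes_key() {
  SALT=0011223344556677   # constructed salt so both derivations are comparable
  k_md5=$(openssl enc -aes-256-cbc -k secret -P -md md5 -S "$SALT" | awk -F= '/^key/{print $2}')
  k_sha=$(openssl enc -aes-256-cbc -k secret -P -md sha256 -S "$SALT" | awk -F= '/^key/{print $2}')
  [ -n "$k_md5" ] && [ -n "$k_sha" ] && [ "$k_md5" != "$k_sha" ]
}

main() { rotation_breaks_old_file && kdf_digest_changes_key && echo "both failure modes reproduced"; }
main
```

Pinning the key/iv explicitly with -K/-iv, as the reply suggests, sidesteps the digest problem entirely; the rotation problem only goes away if every branch that carries an .enc is re-encrypted with the same pair.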

Will see what we can do.

From what I can tell we are all using the same version of openssl. We even have a docker container for just this job.

The reason I find it a bit strange is that we all produce the same key and iv when we encrypt. If someone is working on another branch and never touches the sec environment, and I choose to change them on my branch, their build will fail. The branches are separate and neither has been merged to master, so they should have no knowledge of each other.