{"id":13595414,"url":"https://github.com/share-secrets-safely/cli","last_synced_at":"2025-04-09T13:31:58.528Z","repository":{"id":37692834,"uuid":"114230852","full_name":"share-secrets-safely/cli","owner":"share-secrets-safely","description":"share secrets within teams to avoid plain-text secrets from day one","archived":false,"fork":false,"pushed_at":"2021-04-01T10:41:29.000Z","size":1910,"stargazers_count":172,"open_issues_count":7,"forks_count":6,"subscribers_count":7,"default_branch":"main","last_synced_at":"2024-05-19T08:43:54.651Z","etag":null,"topics":["cli","gnupg","gpg","pgp","shared-secrets","team","vault"],"latest_commit_sha":null,"homepage":"https://share-secrets-safely.github.io/cli","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-2.1","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/share-secrets-safely.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-12-14T09:35:13.000Z","updated_at":"2024-03-24T14:55:09.000Z","dependencies_parsed_at":"2022-09-15T11:21:45.718Z","dependency_job_id":null,"html_url":"https://github.com/share-secrets-safely/cli","commit_stats":null,"previous_names":["byron/share-secrets-safely"],"tags_count":19,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/share-secrets-safely%2Fcli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/share-secrets-safely%2Fcli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/share-secrets-safely%2Fcli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/share-secrets-safely%2Fcli/manifests","owner_url
":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/share-secrets-safely","download_url":"https://codeload.github.com/share-secrets-safely/cli/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":213549713,"owners_count":15604012,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","gnupg","gpg","pgp","shared-secrets","team","vault"],"created_at":"2024-08-01T16:01:49.596Z","updated_at":"2024-11-06T18:30:32.987Z","avatar_url":"https://github.com/share-secrets-safely.png","language":"Rust","funding_links":[],"categories":["Rust"],"sub_categories":[],"readme":"[![https://crates.io](https://img.shields.io/crates/v/sheesy-cli.svg)](https://crates.io/crates/sheesy-cli)\n[![ci](https://github.com/share-secrets-safely/cli/workflows/ci/badge.svg)](https://github.com/share-secrets-safely/cli/actions?query=workflow%3Aci)\n\n**sh**are-s**e**cr**e**ts-**s**afel**y** (_sheesy_) is a solution for managing\nshared secrets in teams and build pipelines.\n\nLike [`pass`][pass], `sy` allows you to set up a vault to store secrets and share\nthem with your team members and tooling.\nHowever, it wants to be a one-stop shop in a single binary without any dependencies except\nfor a `gpg` installation,\nhelping users to work with the `gpg` toolchain and work around its peculiarities.\n\n[![asciicast](https://asciinema.org/a/164964.png)](https://asciinema.org/a/164964?t=14)\n\n[pass]: https://www.passwordstore.org/\n\n## Installation\n\nPlease read the [installation notes here][installation].\n\n[installation]: 
https://share-secrets-safely.github.io/cli/installation.html\n\n## Getting Started\n\nThe first steps, showing how to use the vault with a complete example and detailed\nexplanations, can be found [in the book][first-steps].\n\n[first-steps]: https://share-secrets-safely.github.io/cli/vault/first-steps.html\n\n## Project Goals\n\n * **a great user experience**\n   * The user experience comes first when designing the tool, making it easy for newcomers while providing experts with all the knobs to tune\n   * deploy as a *single binary*, without dynamically linked dependencies\n * **proven cryptography**\n   * Don't reinvent the wheel, use *gpg* for crypto. It's OK to require `gpg` to be installed\n     on the host\n   * Thanks to *GPG*, each user is identified separately through their public key\n * **automation and scripting are easy**\n   * storing structured secrets is as easy as making them available in shell scripts\n   * common operations like substituting secrets into a file are natively supported\n   * proper program exit codes make error handling easy\n * **user management**\n   * support small and large teams, as well as multiple teams, with ease\n   * make use of gpg's *web of trust* to allow inheriting trust even across team boundaries, and incentivize thorough checking of keys\n * **basic access control**\n   * partition your secrets and define who can access them\n * **support old wheels - pass compatibility**\n   * something `pass` does really well is to set up a vault with minimal infrastructure and configuration.\n     We use said infrastructure and don't reinvent the wheel.\n   * This makes us **compatible with pass**, allowing you to use `pass` on a `sheesy` vault with default configuration.  
\n\n\n## Non-Goals\n\n * **replicate `pass` or `gpg` functionality directly**\n   * having seen what `pass` actually is and how difficult it can be to use, especially in conjunction with `gpg`, this project will not even look at the provided functionality but be driven by its project goals instead.\n * **become something like HashiCorp Vault**\n   * this solution is strictly file based and *offline*, so it can still be used without any additional setup.\n\n## Why would I use `sheesy` over...\n\nYou will find various and probably biased and opinionated comparisons [in our book][compare].\nHowever, it's a fun read, and please feel free to make PRs for corrections.\n\n[compare]: https://share-secrets-safely.github.io/cli/compare.html\n\n## Caveats\n\n * Many crypto operations store decrypted data in a temporary file. These touch\n   disk and currently might be picked up by attackers. A fix could be 'tempfile',\n   which allows using a secure temporary file - however, it might make getting\n   MUSL builds impossible. Static builds should still be alright.\n * GPG2 is required to use the 'sign-key' operation. The latter is required when\n   trying to add new unverified recipients via `vault recipients add \u003cfingerprint\u003e`.\n\n## Roadmap to Future\n\nAs you can see from the version numbers, this project dispenses major versions generously.\nThis is mainly because, for the sake of simplicity, there is only a single version number\nfor the *CLI* as well as all used libraries.\n\nEffectively, you can expect that the *CLI* will change rarely, and if it does, only to improve\nthe user experience. 
The more tests we write, the more certain shortcomings become\nevident.\n\nThe *vault library* and its types will change much more often, but we would expect it\nto settle from 5.0.\n\n### Roadmap to 4.1\n\nThis should be the first release that can be publicised, as it should include all the\nmaterial people might need to get started using _sheesy_ comfortably.\n\n * [ ] Documentation for\n   * [ ] vault init\n   * [ ] ...\n \n### Roadmap to 5.0\n\nThe GPGME dependency is also the major usability flaw, as it ultimately inherits\nthe quirks of GPG itself.\n[SEQUOIA](https://gitlab.com/sequoia-pgp/sequoia) is a pure-Rust implementation of the\nPGP protocol, which would greatly help make *sheesy* even more usable.\n\n  * [ ] Use SEQUOIA instead of GPGME\n  * [ ] Provide a Windows binary\n\n### Roadmap to 6.0\n \n#### Add the `pass` subcommand\n\n`sy` aims to be as usable as possible, and breaks compatibility where needed to\nachieve that. However, to allow people to leverage its improved portability\nthanks to it being self-contained, it should be possible to let it act as a\nstand-in for pass.\n\nEven though its output won't be matched, its input will be matched perfectly, as\nwell as its behaviour.\n\n  * [ ] init\n   \nAnd last but not least, there should be some sort of documentation, highlighting similarities\nand differences.\n\n * [ ] documentation\n \n#### Some usability improvements\n\n * [ ] Ensure that the error messages provided when we can't find a partition are\n    better and specific to the use case.\n * [ ] Tree mode for lists of\n   * [ ] recipients\n   * [ ] resources\n\n## Development Practices\n\n * **test-first development**\n   * protect against regressions and make implementing features easy\n   * use docker to test more elaborate user interactions\n   * keep it practical, knowing that the Rust compiler already has your back\n     for the mundane things, like unhappy code paths.\n * **safety first**\n   * handle all errors, never 
unwrap\n   * provide an error chain and make it easy to understand what went wrong.\n * **strive for an MVP and version 1.0 fast...**\n   * ...even if that includes only the most common use cases.\n * **Prefer to increment the major version rapidly...**\n   * ...instead of keeping major version zero for longer than needed.\n\n## Maintenance Guide\n\n### Making a release\n\nAs a prerequisite, you should be sure the build is green.\n\n * run `clippy` and fix all warnings with `cargo clippy --all-features --bin=sy`\n * change the version in the `VERSION` file\n * update the release notes in the `release.md` file.\n   * Just prefix it with a description of new features and fixes\n * run `make tag-release`\n   * requires push permissions to this repository\n   * requires maintainer or owner privileges on crates.io for all deployed crates\n\n### Making a deployment\n\nAs a prerequisite, you must have made a release and your worktree must be clean,\nwith the HEAD at a commit.\n\nFor safety, tests will run once more, as CI doesn't prevent you from publishing\nred builds just yet.\n\n  * run `make deployment`.\n  * copy all text from the `release.md` file into the release text on GitHub.\n  * drag \u0026 drop all _tar.gz_ files into the release and publish it.\n  * in `doc/src/installation.md`, update the URL to use the latest published version\n  * run `make update-homebrew` - it will push for you\n  * run `make update-getting-started` - it will push for you\n\n### Making a new Asciinema recording\n\nEven though the documentation is currently updated with every push to master (to allow\nfixing the existing docs easily), the *eye-candy* on the front page needs to be regenerated\ntoo.\n\nAs a prerequisite, you will need an installed binary of [`asciinema`][asciinema].\nPlease make sure your player is already linked to your account via `asciinema auth`.\n\n * Set your terminal to a size of 120x20\n   * You see these units when resizing an iTerm2/3 terminal window\n * run 
`make asciinema-no-upload` and verify it contains what you expect with\n   `asciicast play getting-started.cast`\n * Possibly upload the recording with `make asciinema-upload`\n   * Enter the given URL and configure the asciicast to your liking, add backlinks\n     to the description, and make it nice.\n\n[asciinema]: https://asciinema.org\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshare-secrets-safely%2Fcli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshare-secrets-safely%2Fcli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshare-secrets-safely%2Fcli/lists"}