[consfigurator] binary (non utf8) secrets
David Bremner
david at tethera.net
Sat Apr 12 11:32:19 BST 2025
My secret store is a single gpg encrypted file (using
consfigurator.data.pgp).
I need to deploy some binary secrets (keys for "MUNGE"), and it isn't
clear to me how best to do this with consfigurator. I tried the
following to save it into the secret store.

    (defun set-data (path data &key (id1 "_secrets"))
      (consfigurator.data.pgp:set-data +secret-file+ id1 path data))

    (defun save-binary-file (path source)
      (set-data path (read-file-into-byte-vector source)))

When I try to deploy

    (file:secret-uploaded "_secrets" "testbin" "/etc/testbin")

I get a traceback
0: (UIOP/UTILITY:PARAMETER-ERROR "Invalid ~S source ~S" UIOP/RUN-PROGRAM:VOMIT-OUTPUT-STREAM #(120 125 200 167 133 188 ...))
1: ((LABELS UIOP/RUN-PROGRAM::ACTIVITY :IN UIOP/RUN-PROGRAM::%CALL-WITH-PROGRAM-IO) #<SB-SYS:FD-STREAM for "file /tmp/tmpUX5S4ADN.tmp" {1005993303}>)
2: (UIOP/STREAM:CALL-WITH-OUTPUT-FILE #P"/tmp/tmpUX5S4ADN.tmp" #<FUNCTION (LAMBDA (UIOP/RUN-PROGRAM::S) :IN UIOP/RUN-PROGRAM::%CALL-WITH-PROGRAM-IO) {10059931DB}> :ELEMENT-TYPE :DEFAULT :EXTERNAL-FORMAT ..
3: ((FLET "BEFORE77" :IN UIOP/RUN-PROGRAM::%CALL-WITH-PROGRAM-IO) #P"/tmp/tmpUX5S4ADN.tmp")
4: (UIOP/STREAM:CALL-WITH-TEMPORARY-FILE #<FUNCTION (FLET "BEFORE77" :IN UIOP/RUN-PROGRAM::%CALL-WITH-PROGRAM-IO) {7F39CF47C0DB}> :WANT-STREAM-P NIL :WANT-PATHNAME-P T :DIRECTION :IO :KEEP NIL :AFTER NIL..
5: (UIOP/RUN-PROGRAM::%CALL-WITH-PROGRAM-IO UIOP/RUN-PROGRAM:VOMIT-OUTPUT-STREAM #<SWANK/GRAY::SLIME-INPUT-STREAM {100405EE03}> T #<FUNCTION (LAMBDA (UIOP/RUN-PROGRAM::REDUCED-INPUT UIOP/RUN-PROGRAM::INP..
6: (UIOP/RUN-PROGRAM::%USE-LAUNCH-PROGRAM ("sh" "-c" "HOME=/home/bremner; export HOME; cd /home/bremner/; ssh root at minkowski.local \"sh -c \\\"set -e; tmpf=\\\\\\$(umask 077; exec 3>&1; if err=\\\\\\$(if..
As a workaround, I currently store the base64 encoded secret, and run

    (cmd:single "base64plain" "-D" "-o" path base64)

on the target host.
Have I missed a better solution?
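
The decode-on-target step of the workaround described in the message above, as an added shell example that is not part of the original post and not consfigurator code. It assumes a POSIX shell with coreutils-style base64, sha256sum and mktemp on the target; the function names, the checksum argument and the sample key bytes are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX shell with
# coreutils-style base64, sha256sum and mktemp on the target host.

# install_b64_secret DEST SHA256 < base64-text
# The base64 text arrives on stdin, not as an argument, so the secret never
# shows up in the process list. Returns 0 on success, 2 if the input is not
# valid base64, 3 if the decoded bytes do not hash to SHA256.
install_b64_secret() {
    dest=$1 want=$2
    # Temp file lives next to DEST so the final mv is an atomic rename.
    # mktemp creates it 0600; the umask 077 is belt and braces.
    tmp=$(umask 077; mktemp "$(dirname -- "$dest")/.secret.XXXXXX") || return 1
    if ! base64 -d > "$tmp" 2>/dev/null; then
        rm -f -- "$tmp"; return 2
    fi
    got=$(sha256sum < "$tmp" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
        rm -f -- "$tmp"; return 3
    fi
    mv -f -- "$tmp" "$dest"
}

# roundtrip_demo: constructed 6-byte key containing NUL, 0xff and a newline,
# i.e. bytes that cannot be carried as a UTF-8 string. Encodes it, installs
# it through install_b64_secret and checks the result is byte-identical.
roundtrip_demo() {
    work=$(mktemp -d) || return 1
    printf '\000\377\200\012\101\376' > "$work/key.orig"
    b64=$(base64 < "$work/key.orig")
    sum=$(sha256sum < "$work/key.orig" | cut -d' ' -f1)
    printf '%s\n' "$b64" | install_b64_secret "$work/key" "$sum" &&
        cmp -s "$work/key.orig" "$work/key"
    rc=$?
    rm -rf -- "$work"
    return $rc
}
```

The checksum would be recorded when the secret is encoded, so a truncated or re-encoded value is rejected before it replaces an existing key.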