[3006.x] Document gpg_decrypt_must_succeed opt-in and upcoming default flip #69597

Open
dwoz wants to merge 1 commit into saltstack:3006.x from dwoz:dwoz/fix/issue-41846-gpg-decrypt-must-succeed-default

dwoz commented Jun 29, 2026

Contributor

What does this PR do?

Documents the risk of silent GPG decryption failures on 3006.x, how to opt in for fail-loud behavior, and announces the upcoming default flip of gpg_decrypt_must_succeed. Does not change the default on 3006.x (LTS compatibility).

Why

Silent decrypt failures allow the raw GPG-armored ciphertext to pass through pillar rendering unchanged. Consumers such as file.managed's contents_pillar then write the ciphertext to disk in place of the decrypted secret, exposing encrypted-at-rest data. See #41846.

Since 3006.x is an LTS release we cannot flip the default here (same principle as #69443). Instead, this PR:

  • Adds a prominent warning + opt-in recipe to the salt.renderers.gpg module docstring
  • Announces the coming default flip (already shipped upstream on 3007.x+ via PR "[master] gpg_decrypt_must_succeed default from False to True" #64471; a future 3006.x release will follow)
  • Removes the now-stale warn_until("Chlorine", ...) block whose deprecation-target release (Chlorine == 3007) never triggered a flip on 3006.x
  • Pins the current silent-default contract with a unit test so an inadvertent flip is caught

Prior art

What issues does this PR fix or reference?

Refs #41846

Changes

  • salt/renderers/gpg.py: expand module docstring with a warning:: block explaining the risk, the recommended opt-in (gpg_decrypt_must_succeed: True), and the upcoming default change; drop the stale warn_until("Chlorine", ...) fall-through.
  • tests/pytests/unit/renderers/test_gpg.py: add two regression tests — one pinning the silent-default contract on 3006.x, one verifying the opt-in path raises.
  • changelog/41846.deprecated.md.

Recommended user action on 3006.x

# /etc/salt/minion.d/gpg.conf
gpg_decrypt_must_succeed: True

Merge requirements satisfied?

  • Changelog
  • Tests written/updated
  • Docs (module docstring updated)

Commits signed with GPG?

Yes
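
A check for the failure mode described in this PR description, as an added example (not code from the PR or from Salt): it walks an already-rendered pillar dict and reports the key paths whose values still contain a PGP armor header, meaning decryption failed silently. The function name, the sample pillar and its key names are constructed for illustration; how the rendered pillar is exported into a dict is left to the reader.

```python
import re

# ASCII-armor header that opens an OpenPGP message (RFC 4880, section 6.2).
ARMOR_RE = re.compile(r"-----BEGIN PGP MESSAGE-----")

# Constructed sample of a rendered pillar (not real data). Two values were
# left as armored ciphertext, as happens when decryption fails silently.
SAMPLE_PILLAR = {
    "db": {
        "user": "app",
        "password": "-----BEGIN PGP MESSAGE-----\n\n(constructed)\n-----END PGP MESSAGE-----",
    },
    "tls": {
        "keys": [
            "decrypted-ok",
            "-----BEGIN PGP MESSAGE-----\n\n(constructed)\n-----END PGP MESSAGE-----",
        ]
    },
    "motd": "hello",
}


def find_undecrypted(data, path=()):
    """Return sorted colon-joined key paths that still hold PGP ciphertext."""
    hits = []
    if isinstance(data, dict):
        for key, value in data.items():
            hits += find_undecrypted(value, path + (str(key),))
    elif isinstance(data, (list, tuple)):
        for index, value in enumerate(data):
            hits += find_undecrypted(value, path + (str(index),))
    elif isinstance(data, bytes):
        # Renderers may hand back bytes; decode leniently before matching.
        hits += find_undecrypted(data.decode("utf-8", "replace"), path)
    elif isinstance(data, str) and ARMOR_RE.search(data):
        # Report only the key path, never the value itself.
        hits.append(":".join(path))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_undecrypted(SAMPLE_PILLAR):
        print(f"undecrypted GPG ciphertext in pillar key: {hit}")
```
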

frebib commented Jun 30, 2026

Contributor

This is a breaking change. Isn't the point of the .x release branches to be stable? Why is salt even still supporting 3 concurrent releases?

3006.x is LTS; we cannot change the default of
gpg_decrypt_must_succeed here. Instead, document the risk of silent
GPG decryption failures (issue saltstack#41846), how to opt in for fail-loud
behavior, and announce the upcoming default flip.

Silent decrypt failures allow the raw GPG-armored ciphertext to pass
through pillar rendering unchanged; consumers such as file.managed's
contents_pillar then write the ciphertext to disk in place of the
decrypted secret, exposing encrypted-at-rest data. Users should set
"gpg_decrypt_must_succeed: True" in their minion or master config
now to get a SaltRenderError on failure instead of silent corruption.

The default was flipped to True in Potassium (3009.0) and will flip
in a future 3006.x release.

Also drops the now-stale warn_until("Chlorine") block in the gpg
renderer -- the deprecation notice pointed at a Chlorine (3007)
default flip that never happened on 3006.x, and the docstring
warning is a more accurate replacement.

Adds two unit tests pinning the 3006.x contract:
 - default config returns ciphertext silently on decrypt failure
   (guards against an inadvertent flip)
 - explicit gpg_decrypt_must_succeed: True raises SaltRenderError

Refs saltstack#41846
dwoz force-pushed the dwoz/fix/issue-41846-gpg-decrypt-must-succeed-default branch from 1be5ff7 to f1809ce, July 1, 2026 02:19
dwoz changed the title from "[3006.x] Default gpg_decrypt_must_succeed to True" to "[3006.x] Document gpg_decrypt_must_succeed opt-in and upcoming default flip", Jul 1, 2026