Derive build_secret key_id instead of accepting user input

alexellis · alexellis · commit e263d1dcd29d · 2026-03-24T10:30:53.000Z
Signed-off-by: Alex Ellis (OpenFaaS Ltd) &lt;alexellis2@gmail.com&gt;
diff --git a/builder/build.go b/builder/build.go
@@ -67,7 +67,7 @@ func getTemplate(lang string) (string, *stack.LanguageTemplate, error) {
 
 // BuildImage construct Docker image from function parameters
 // TODO: refactor signature to a struct to simplify the length of the method header
-func BuildImage(image string, handler string, functionName string, language string, nocache bool, squash bool, shrinkwrap bool, buildArgMap map[string]string, buildOptions []string, tagFormat schema.BuildFormat, buildLabelMap map[string]string, quietBuild bool, copyExtraPaths []string, buildSecrets map[string]string, remoteBuilder, payloadSecretPath, builderPublicKeyPath, builderKeyID string, forcePull bool) error {
+func BuildImage(image string, handler string, functionName string, language string, nocache bool, squash bool, shrinkwrap bool, buildArgMap map[string]string, buildOptions []string, tagFormat schema.BuildFormat, buildLabelMap map[string]string, quietBuild bool, copyExtraPaths []string, buildSecrets map[string]string, remoteBuilder, payloadSecretPath, builderPublicKeyPath string, forcePull bool) error {
 
 	_, langTemplate, err := getTemplate(language)
 	if err != nil {
@@ -138,7 +138,7 @@ func BuildImage(image string, handler string, functionName string, language stri
 			Scheme: u.Scheme,
 			Host:   u.Host,
 		}
-		if err := runRemoteBuild(builderURL, tarPath, payloadSecretPath, builderPublicKeyPath, builderKeyID, buildSecrets, quietBuild, functionName, imageName); err != nil {
+		if err := runRemoteBuild(builderURL, tarPath, payloadSecretPath, builderPublicKeyPath, buildSecrets, quietBuild, functionName, imageName); err != nil {
 			return fmt.Errorf("failed to invoke builder: %w", err)
 		}
 
diff --git a/builder/publish.go b/builder/publish.go
@@ -20,7 +20,7 @@ import (
 // PublishImage will publish images as multi-arch
 // TODO: refactor signature to a struct to simplify the length of the method header
 func PublishImage(image string, handler string, functionName string, language string, nocache bool, squash bool, shrinkwrap bool, buildArgMap map[string]string,
-	buildOptions []string, tagMode schema.BuildFormat, buildLabelMap map[string]string, quietBuild bool, copyExtraPaths []string, buildSecrets map[string]string, platforms string, extraTags []string, remoteBuilder, payloadSecretPath, builderPublicKeyPath, builderKeyID string, forcePull bool) error {
+	buildOptions []string, tagMode schema.BuildFormat, buildLabelMap map[string]string, quietBuild bool, copyExtraPaths []string, buildSecrets map[string]string, platforms string, extraTags []string, remoteBuilder, payloadSecretPath, builderPublicKeyPath string, forcePull bool) error {
 
 	if stack.IsValidTemplate(language) {
 		pathToTemplateYAML := fmt.Sprintf("./template/%s/template.yml", language)
@@ -98,7 +98,7 @@ func PublishImage(image string, handler string, functionName string, language st
 				Scheme: u.Scheme,
 				Host:   u.Host,
 			}
-			if err := runRemoteBuild(builderURL, tarPath, payloadSecretPath, builderPublicKeyPath, builderKeyID, buildSecrets, quietBuild, functionName, imageName); err != nil {
+			if err := runRemoteBuild(builderURL, tarPath, payloadSecretPath, builderPublicKeyPath, buildSecrets, quietBuild, functionName, imageName); err != nil {
 				return fmt.Errorf("failed to invoke builder: %w", err)
 			}
 
diff --git a/builder/remote_builder.go b/builder/remote_builder.go
@@ -22,7 +22,7 @@ type remoteBuilderPublicKeyResponse struct {
 	PublicKey string `json:"public_key"`
 }
 
-func runRemoteBuild(builderURL *url.URL, tarPath, payloadSecretPath, builderPublicKeyPath, builderKeyID string, buildSecrets map[string]string, quietBuild bool, functionName, imageName string) error {
+func runRemoteBuild(builderURL *url.URL, tarPath, payloadSecretPath, builderPublicKeyPath string, buildSecrets map[string]string, quietBuild bool, functionName, imageName string) error {
 	payloadSecret, err := os.ReadFile(payloadSecretPath)
 	if err != nil {
 		return fmt.Errorf("failed to read payload secret: %w", err)
@@ -34,11 +34,11 @@ func runRemoteBuild(builderURL *url.URL, tarPath, payloadSecretPath, builderPubl
 	}
 
 	if len(buildSecrets) > 0 {
-		publicKey, err := resolveRemoteBuilderPublicKey(builderURL, builderPublicKeyPath, builderKeyID)
+		publicKey, err := resolveRemoteBuilderPublicKey(builderURL, builderPublicKeyPath)
 		if err != nil {
 			return err
 		}
-		opts = append(opts, sdkbuilder.WithBuildSecretsKey(publicKey.KeyID, []byte(publicKey.PublicKey)))
+		opts = append(opts, sdkbuilder.WithBuildSecretsKey([]byte(publicKey.PublicKey)))
 	}
 
 	b := sdkbuilder.NewFunctionBuilder(builderURL, http.DefaultClient, opts...)
@@ -57,7 +57,7 @@ func runRemoteBuild(builderURL *url.URL, tarPath, payloadSecretPath, builderPubl
 	return consumeBuildStream(stream, quietBuild, functionName, imageName)
 }
 
-func resolveRemoteBuilderPublicKey(builderURL *url.URL, builderPublicKeyPath, builderKeyID string) (*remoteBuilderPublicKeyResponse, error) {
+func resolveRemoteBuilderPublicKey(builderURL *url.URL, builderPublicKeyPath string) (*remoteBuilderPublicKeyResponse, error) {
 	if builderPublicKeyPath == "" {
 		return fetchRemoteBuilderPublicKey(builderURL)
 	}
@@ -67,20 +67,7 @@ func resolveRemoteBuilderPublicKey(builderURL *url.URL, builderPublicKeyPath, bu
 		return nil, err
 	}
 
-	publicKey, err := parseRemoteBuilderPublicKey(publicKeyData)
-	if err != nil {
-		return nil, err
-	}
-
-	if builderKeyID != "" {
-		publicKey.KeyID = builderKeyID
-	}
-
-	if publicKey.KeyID == "" {
-		return nil, fmt.Errorf("builder key id is required when using a pinned builder public key")
-	}
-
-	return publicKey, nil
+	return parseRemoteBuilderPublicKey(publicKeyData)
 }
 
 func readBuilderPublicKeyInput(value string) ([]byte, error) {
@@ -134,7 +121,7 @@ func fetchRemoteBuilderPublicKey(builderURL *url.URL) (*remoteBuilderPublicKeyRe
 		algorithm = naclBoxAlgorithm
 	}
 	if algorithm != naclBoxAlgorithm {
-		return nil, fmt.Errorf("unsupported encrypted build secrets algorithm: %s", publicKey.Algorithm)
+		return nil, fmt.Errorf("unsupported build secrets algorithm: %s", publicKey.Algorithm)
 	}
 	if publicKey.PublicKey == "" {
 		return nil, fmt.Errorf("builder public key response did not include a public key")
@@ -160,7 +147,7 @@ func parseRemoteBuilderPublicKey(data []byte) (*remoteBuilderPublicKeyResponse,
 			algorithm = naclBoxAlgorithm
 		}
 		if algorithm != naclBoxAlgorithm {
-			return nil, fmt.Errorf("unsupported encrypted build secrets algorithm: %s", publicKey.Algorithm)
+			return nil, fmt.Errorf("unsupported build secrets algorithm: %s", publicKey.Algorithm)
 		}
 		if publicKey.PublicKey == "" {
 			return nil, fmt.Errorf("builder public key JSON did not include a public key")
diff --git a/builder/remote_builder_test.go b/builder/remote_builder_test.go
@@ -108,7 +108,7 @@ func TestRunRemoteBuildWithSecrets(t *testing.T) {
 		t.Fatalf("url.Parse returned error: %v", err)
 	}
 
-	if err := runRemoteBuild(builderURL, tarPath, payloadSecretPath, "", "", map[string]string{
+	if err := runRemoteBuild(builderURL, tarPath, payloadSecretPath, "", map[string]string{
 		"pip_token": "s3cr3t",
 	}, true, "fn", "ttl.sh/test:latest"); err != nil {
 		t.Fatalf("runRemoteBuild returned error: %v", err)
@@ -159,7 +159,7 @@ func TestRunRemoteBuildWithPinnedPublicKey(t *testing.T) {
 		t.Fatalf("url.Parse returned error: %v", err)
 	}
 
-	if err := runRemoteBuild(builderURL, tarPath, payloadSecretPath, publicKeyPath, "", map[string]string{
+	if err := runRemoteBuild(builderURL, tarPath, payloadSecretPath, publicKeyPath, map[string]string{
 		"pip_token": "s3cr3t",
 	}, true, "fn", "ttl.sh/test:latest"); err != nil {
 		t.Fatalf("runRemoteBuild returned error: %v", err)
@@ -197,7 +197,7 @@ func TestRunRemoteBuildWithLiteralPublicKey(t *testing.T) {
 		t.Fatalf("url.Parse returned error: %v", err)
 	}
 
-	if err := runRemoteBuild(builderURL, tarPath, payloadSecretPath, string(pub), "builder-key-1", map[string]string{
+	if err := runRemoteBuild(builderURL, tarPath, payloadSecretPath, string(pub), map[string]string{
 		"pip_token": "s3cr3t",
 	}, true, "fn", "ttl.sh/test:latest"); err != nil {
 		t.Fatalf("runRemoteBuild returned error: %v", err)
diff --git a/commands/build.go b/commands/build.go
@@ -236,7 +236,6 @@ func runBuild(cmd *cobra.Command, args []string) error {
 			remoteBuilder,
 			payloadSecretPath,
 			builderPublicKeyPath,
-			builderKeyID,
 			forcePull,
 		); err != nil {
 			return err
@@ -296,7 +295,6 @@ func build(services *stack.Services, queueDepth int, shrinkwrap, quietBuild bool
 						remoteBuilder,
 						payloadSecretPath,
 						builderPublicKeyPath,
-						builderKeyID,
 						forcePull,
 					)
 
diff --git a/commands/priority.go b/commands/priority.go
@@ -14,7 +14,6 @@ const (
 	remoteBuilderEnvironment    = "OPENFAAS_REMOTE_BUILDER"
 	payloadSecretEnvironment    = "OPENFAAS_PAYLOAD_SECRET"
 	builderPublicKeyEnvironment = "OPENFAAS_BUILDER_PUBLIC_KEY"
-	builderKeyIDEnvironment     = "OPENFAAS_BUILDER_KEY_ID"
 	templateURLEnvironment      = "OPENFAAS_TEMPLATE_URL"
 	templateStoreURLEnvironment = "OPENFAAS_TEMPLATE_STORE_URL"
 	defaultFunctionNamespace    = ""
@@ -91,5 +90,4 @@ func applyRemoteBuilderEnvironment() {
 	remoteBuilder = getStringValue(remoteBuilder, os.Getenv(remoteBuilderEnvironment))
 	payloadSecretPath = getStringValue(payloadSecretPath, os.Getenv(payloadSecretEnvironment))
 	builderPublicKeyPath = getStringValue(builderPublicKeyPath, os.Getenv(builderPublicKeyEnvironment))
-	builderKeyID = getStringValue(builderKeyID, os.Getenv(builderKeyIDEnvironment))
 }
diff --git a/commands/priority_test.go b/commands/priority_test.go
@@ -6,12 +6,10 @@ func TestApplyRemoteBuilderEnvironmentUsesEnvFallbacks(t *testing.T) {
 	t.Setenv(remoteBuilderEnvironment, "http://builder.example.com")
 	t.Setenv(payloadSecretEnvironment, "/var/run/secrets/payload-secret")
 	t.Setenv(builderPublicKeyEnvironment, "/var/run/secrets/builder-public-key")
-	t.Setenv(builderKeyIDEnvironment, "builder-key-1")
 
 	remoteBuilder = ""
 	payloadSecretPath = ""
 	builderPublicKeyPath = ""
-	builderKeyID = ""
 
 	applyRemoteBuilderEnvironment()
 
@@ -24,21 +22,16 @@ func TestApplyRemoteBuilderEnvironmentUsesEnvFallbacks(t *testing.T) {
 	if builderPublicKeyPath != "/var/run/secrets/builder-public-key" {
 		t.Fatalf("want builderPublicKeyPath from env, got %q", builderPublicKeyPath)
 	}
-	if builderKeyID != "builder-key-1" {
-		t.Fatalf("want builderKeyID from env, got %q", builderKeyID)
-	}
 }
 
 func TestApplyRemoteBuilderEnvironmentPreservesFlags(t *testing.T) {
 	t.Setenv(remoteBuilderEnvironment, "http://builder.example.com")
 	t.Setenv(payloadSecretEnvironment, "/var/run/secrets/payload-secret")
 	t.Setenv(builderPublicKeyEnvironment, "/var/run/secrets/builder-public-key")
-	t.Setenv(builderKeyIDEnvironment, "builder-key-1")
 
 	remoteBuilder = "http://flag-builder.example.com"
 	payloadSecretPath = "/tmp/payload-secret"
 	builderPublicKeyPath = "/tmp/public-key"
-	builderKeyID = "flag-key-id"
 
 	applyRemoteBuilderEnvironment()
 
@@ -51,7 +44,4 @@ func TestApplyRemoteBuilderEnvironmentPreservesFlags(t *testing.T) {
 	if builderPublicKeyPath != "/tmp/public-key" {
 		t.Fatalf("want builderPublicKeyPath flag value, got %q", builderPublicKeyPath)
 	}
-	if builderKeyID != "flag-key-id" {
-		t.Fatalf("want builderKeyID flag value, got %q", builderKeyID)
-	}
 }
diff --git a/commands/publish.go b/commands/publish.go
@@ -56,8 +56,7 @@ func init() {
 	publishCmd.Flags().BoolVar(&resetQemu, "reset-qemu", false, "Runs \"docker run multiarch/qemu-user-static --reset -p yes\" to enable multi-arch builds. Compatible with AMD64 machines only.")
 	publishCmd.Flags().StringVar(&remoteBuilder, "remote-builder", "", "URL to the builder")
 	publishCmd.Flags().StringVar(&payloadSecretPath, "payload-secret", "", "Path to the payload secret file")
-	publishCmd.Flags().StringVar(&builderPublicKeyPath, "builder-public-key", "", "Builder public key as a literal value, or a path to a file containing raw base64 or the JSON response from /public-key")
-	publishCmd.Flags().StringVar(&builderKeyID, "builder-key-id", "", "Key ID for the pinned builder public key when using a raw base64 key file")
+	publishCmd.Flags().StringVar(&builderPublicKeyPath, "builder-public-key", "", "Builder public key as a literal value, or a path to a file containing raw base64 or the JSON response from /publickey")
 	publishCmd.Flags().BoolVar(&forcePull, "pull", false, "Force a re-pull of base images in template during build, useful for publishing images")
 
 	publishCmd.Flags().BoolVar(&pullDebug, "debug", false, "Enable debug output when pulling templates")
@@ -291,7 +290,6 @@ func publish(services *stack.Services, queueDepth int, shrinkwrap, quietBuild, m
 						remoteBuilder,
 						payloadSecretPath,
 						builderPublicKeyPath,
-						builderKeyID,
 						forcePull,
 					)
 
diff --git a/commands/secret_keygen.go b/commands/secret_keygen.go
@@ -54,8 +54,14 @@ func runSecretKeygen(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("writing public key: %w", err)
 	}
 
+	keyID, err := seal.DeriveKeyID(pub)
+	if err != nil {
+		return fmt.Errorf("deriving key ID: %w", err)
+	}
+
 	fmt.Printf("Wrote private key: %s\n", privPath)
 	fmt.Printf("Wrote public key:  %s\n", pubPath)
+	fmt.Printf("Key ID:            %s\n", keyID)
 
 	return nil
 }
diff --git a/commands/secret_seal.go b/commands/secret_seal.go
@@ -10,7 +10,6 @@ import (
 )
 
 var (
-	sealKeyID       string
 	sealOutput      string
 	sealFromLiteral []string
 	sealFromFile    []string
@@ -30,9 +29,8 @@ var secretSealCmd = &cobra.Command{
     --from-file ca.crt=./certs/ca.crt \
     --from-literal api_key=sk-1234
 
-  # Specify key ID and output path
+  # Specify output path
   faas-cli secret seal key.pub \
-    --key-id builder-key-1 \
     --from-literal token=s3cr3t \
     -o ./build/com.openfaas.secrets
 `,
@@ -42,7 +40,6 @@ var secretSealCmd = &cobra.Command{
 }
 
 func init() {
-	secretSealCmd.Flags().StringVar(&sealKeyID, "key-id", "", "Key ID for rotation tracking (optional)")
 	secretSealCmd.Flags().StringVarP(&sealOutput, "output", "o", "com.openfaas.secrets", "Output file path")
 	secretSealCmd.Flags().StringArrayVar(&sealFromLiteral, "from-literal", nil, "Literal secret in key=value format (can be repeated)")
 	secretSealCmd.Flags().StringArrayVar(&sealFromFile, "from-file", nil, "Secret from file in key=path format (can be repeated)")
@@ -86,7 +83,7 @@ func runSecretSeal(cmd *cobra.Command, args []string) error {
 		values[k] = data
 	}
 
-	sealed, err := seal.Seal(pubKey, values, sealKeyID)
+	sealed, err := seal.Seal(pubKey, values)
 	if err != nil {
 		return fmt.Errorf("sealing secrets: %w", err)
 	}
@@ -95,7 +92,8 @@ func runSecretSeal(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("writing sealed file: %w", err)
 	}
 
-	fmt.Printf("Sealed %d secret(s) to %s\n", len(values), sealOutput)
+	keyID, _ := seal.DeriveKeyID(pubKey)
+	fmt.Printf("Sealed %d secret(s) to %s (key ID: %s)\n", len(values), sealOutput, keyID)
 
 	return nil
 }
diff --git a/commands/secret_seal_test.go b/commands/secret_seal_test.go
@@ -23,7 +23,6 @@ func TestSecretSealFromLiteral(t *testing.T) {
 
 	outPath := filepath.Join(dir, "com.openfaas.secrets")
 
-	sealKeyID = "test-key"
 	sealOutput = outPath
 	sealFromLiteral = []string{"pip_token=s3cr3t", "npm_token=tok123"}
 	sealFromFile = nil
@@ -72,7 +71,6 @@ func TestSecretSealFromFile(t *testing.T) {
 
 	outPath := filepath.Join(dir, "com.openfaas.secrets")
 
-	sealKeyID = ""
 	sealOutput = outPath
 	sealFromLiteral = []string{"token=abc"}
 	sealFromFile = []string{"ca.crt=" + certPath}
diff --git a/commands/secret_unseal_test.go b/commands/secret_unseal_test.go
@@ -24,7 +24,7 @@ func TestSecretUnsealAll(t *testing.T) {
 	sealed, err := seal.Seal(pub, map[string][]byte{
 		"token": []byte("s3cr3t"),
 		"url":   []byte("https://example.com"),
-	}, "test")
+	})
 	if err != nil {
 		t.Fatalf("Seal: %v", err)
 	}
@@ -57,7 +57,7 @@ func TestSecretUnsealSingleKey(t *testing.T) {
 
 	sealed, err := seal.Seal(pub, map[string][]byte{
 		"token": []byte("s3cr3t"),
-	}, "")
+	})
 	if err != nil {
 		t.Fatalf("Seal: %v", err)
 	}
@@ -88,7 +88,7 @@ func TestSecretUnsealMissingKey(t *testing.T) {
 		t.Fatalf("WriteFile: %v", err)
 	}
 
-	sealed, err := seal.Seal(pub, map[string][]byte{"a": []byte("b")}, "")
+	sealed, err := seal.Seal(pub, map[string][]byte{"a": []byte("b")})
 	if err != nil {
 		t.Fatalf("Seal: %v", err)
 	}
diff --git a/commands/up.go b/commands/up.go
@@ -32,8 +32,7 @@ func init() {
 	upFlagset.BoolVar(&skipDeploy, "skip-deploy", false, "Skip function deployment")
 	upFlagset.StringVar(&remoteBuilder, "remote-builder", "", "URL to the builder")
 	upFlagset.StringVar(&payloadSecretPath, "payload-secret", "", "Path to the payload secret file")
-	upFlagset.StringVar(&builderPublicKeyPath, "builder-public-key", "", "Builder public key as a literal value, or a path to a file containing raw base64 or the JSON response from /public-key")
-	upFlagset.StringVar(&builderKeyID, "builder-key-id", "", "Key ID for the pinned builder public key when using a raw base64 key file")
+	upFlagset.StringVar(&builderPublicKeyPath, "builder-public-key", "", "Builder public key as a literal value, or a path to a file containing raw base64 or the JSON response from /publickey")
 
 	upFlagset.BoolVar(&watch, "watch", false, "Watch for changes in files and re-deploy")
 	upCmd.Flags().AddFlagSet(upFlagset)
diff --git a/go.mod b/go.mod
@@ -18,7 +18,7 @@ require (
 	github.com/morikuni/aec v1.0.0
 	github.com/openfaas/faas-provider v0.25.10
 	github.com/openfaas/faas/gateway v0.0.0-20250422101858-7803ea1861f2
-	github.com/openfaas/go-sdk v0.2.21
+	github.com/openfaas/go-sdk v0.2.22
 	github.com/pkg/errors v0.9.1
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/pflag v1.0.7
@@ -29,8 +29,6 @@ require (
 require (
 	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/VividCortex/ewma v1.2.0 // indirect
-	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cheggaaa/pb/v3 v3.1.7 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.17.0 // indirect
 	github.com/docker/cli v28.3.3+incompatible // indirect
@@ -40,31 +38,24 @@ require (
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
-	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
-	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/olekukonko/cat v0.0.0-20250817074551-3280053e4e00 // indirect
 	github.com/olekukonko/errors v1.1.0 // indirect
 	github.com/olekukonko/ll v0.1.0 // indirect
 	github.com/olekukonko/tablewriter v1.0.9 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/prometheus/client_golang v1.20.5 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/vbatts/tar-split v0.12.1 // indirect
 	golang.org/x/crypto v0.41.0 // indirect
 	golang.org/x/net v0.42.0 // indirect
 	golang.org/x/sys v0.35.0 // indirect
-	google.golang.org/protobuf v1.36.4 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
diff --git a/go.sum b/go.sum
diff --git a/vendor/github.com/openfaas/go-sdk/builder/build_secrets.go b/vendor/github.com/openfaas/go-sdk/builder/build_secrets.go
diff --git a/vendor/github.com/openfaas/go-sdk/seal/seal.go b/vendor/github.com/openfaas/go-sdk/seal/seal.go
diff --git a/vendor/modules.txt b/vendor/modules.txt

Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,7 @@ func getTemplate(lang string) (string, *stack.LanguageTemplate, error) {`
`67`	`67`
`68`	`68`	`// BuildImage construct Docker image from function parameters`
`69`	`69`	`// TODO: refactor signature to a struct to simplify the length of the method header`
`70`		`-func BuildImage(image string, handler string, functionName string, language string, nocache bool, squash bool, shrinkwrap bool, buildArgMap map[string]string, buildOptions []string, tagFormat schema.BuildFormat, buildLabelMap map[string]string, quietBuild bool, copyExtraPaths []string, buildSecrets map[string]string, remoteBuilder, payloadSecretPath, builderPublicKeyPath, builderKeyID string, forcePull bool) error {`
	`70`	`+func BuildImage(image string, handler string, functionName string, language string, nocache bool, squash bool, shrinkwrap bool, buildArgMap map[string]string, buildOptions []string, tagFormat schema.BuildFormat, buildLabelMap map[string]string, quietBuild bool, copyExtraPaths []string, buildSecrets map[string]string, remoteBuilder, payloadSecretPath, builderPublicKeyPath string, forcePull bool) error {`
`71`	`71`
`72`	`72`	`_, langTemplate, err := getTemplate(language)`
`73`	`73`	`if err != nil {`
`@@ -138,7 +138,7 @@ func BuildImage(image string, handler string, functionName string, language stri`
`138`	`138`	`Scheme: u.Scheme,`
`139`	`139`	`Host: u.Host,`
`140`	`140`	`}`
`141`		`- if err := runRemoteBuild(builderURL, tarPath, payloadSecretPath, builderPublicKeyPath, builderKeyID, buildSecrets, quietBuild, functionName, imageName); err != nil {`
	`141`	`+ if err := runRemoteBuild(builderURL, tarPath, payloadSecretPath, builderPublicKeyPath, buildSecrets, quietBuild, functionName, imageName); err != nil {`
`142`	`142`	`return fmt.Errorf("failed to invoke builder: %w", err)`
`143`	`143`	`}`
`144`	`144`
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ type remoteBuilderPublicKeyResponse struct {`
`22`	`22`	PublicKey string `json:"public_key"`
`23`	`23`	`}`
`24`	`24`
`25`		`-func runRemoteBuild(builderURL *url.URL, tarPath, payloadSecretPath, builderPublicKeyPath, builderKeyID string, buildSecrets map[string]string, quietBuild bool, functionName, imageName string) error {`
	`25`	`+func runRemoteBuild(builderURL *url.URL, tarPath, payloadSecretPath, builderPublicKeyPath string, buildSecrets map[string]string, quietBuild bool, functionName, imageName string) error {`
`26`	`26`	`payloadSecret, err := os.ReadFile(payloadSecretPath)`
`27`	`27`	`if err != nil {`
`28`	`28`	`return fmt.Errorf("failed to read payload secret: %w", err)`
`@@ -34,11 +34,11 @@ func runRemoteBuild(builderURL *url.URL, tarPath, payloadSecretPath, builderPubl`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`if len(buildSecrets) > 0 {`
`37`		`- publicKey, err := resolveRemoteBuilderPublicKey(builderURL, builderPublicKeyPath, builderKeyID)`
	`37`	`+ publicKey, err := resolveRemoteBuilderPublicKey(builderURL, builderPublicKeyPath)`
`38`	`38`	`if err != nil {`
`39`	`39`	`return err`
`40`	`40`	`}`
`41`		`- opts = append(opts, sdkbuilder.WithBuildSecretsKey(publicKey.KeyID, []byte(publicKey.PublicKey)))`
	`41`	`+ opts = append(opts, sdkbuilder.WithBuildSecretsKey([]byte(publicKey.PublicKey)))`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`b := sdkbuilder.NewFunctionBuilder(builderURL, http.DefaultClient, opts...)`
`@@ -57,7 +57,7 @@ func runRemoteBuild(builderURL *url.URL, tarPath, payloadSecretPath, builderPubl`
`57`	`57`	`return consumeBuildStream(stream, quietBuild, functionName, imageName)`
`58`	`58`	`}`
`59`	`59`
`60`		`-func resolveRemoteBuilderPublicKey(builderURL url.URL, builderPublicKeyPath, builderKeyID string) (remoteBuilderPublicKeyResponse, error) {`
	`60`	`+func resolveRemoteBuilderPublicKey(builderURL url.URL, builderPublicKeyPath string) (remoteBuilderPublicKeyResponse, error) {`
`61`	`61`	`if builderPublicKeyPath == "" {`
`62`	`62`	`return fetchRemoteBuilderPublicKey(builderURL)`
`63`	`63`	`}`
`@@ -67,20 +67,7 @@ func resolveRemoteBuilderPublicKey(builderURL *url.URL, builderPublicKeyPath, bu`
`67`	`67`	`return nil, err`
`68`	`68`	`}`
`69`	`69`
`70`		`- publicKey, err := parseRemoteBuilderPublicKey(publicKeyData)`
`71`		`- if err != nil {`
`72`		`- return nil, err`
`73`		`- }`
`74`		`-`
`75`		`- if builderKeyID != "" {`
`76`		`- publicKey.KeyID = builderKeyID`
`77`		`- }`
`78`		`-`
`79`		`- if publicKey.KeyID == "" {`
`80`		`- return nil, fmt.Errorf("builder key id is required when using a pinned builder public key")`
`81`		`- }`
`82`		`-`
`83`		`- return publicKey, nil`
	`70`	`+ return parseRemoteBuilderPublicKey(publicKeyData)`
`84`	`71`	`}`
`85`	`72`
`86`	`73`	`func readBuilderPublicKeyInput(value string) ([]byte, error) {`
`@@ -134,7 +121,7 @@ func fetchRemoteBuilderPublicKey(builderURL url.URL) (remoteBuilderPublicKeyRe`
`134`	`121`	`algorithm = naclBoxAlgorithm`
`135`	`122`	`}`
`136`	`123`	`if algorithm != naclBoxAlgorithm {`
`137`		`- return nil, fmt.Errorf("unsupported encrypted build secrets algorithm: %s", publicKey.Algorithm)`
	`124`	`+ return nil, fmt.Errorf("unsupported build secrets algorithm: %s", publicKey.Algorithm)`
`138`	`125`	`}`
`139`	`126`	`if publicKey.PublicKey == "" {`
`140`	`127`	`return nil, fmt.Errorf("builder public key response did not include a public key")`
`@@ -160,7 +147,7 @@ func parseRemoteBuilderPublicKey(data []byte) (*remoteBuilderPublicKeyResponse,`
`160`	`147`	`algorithm = naclBoxAlgorithm`
`161`	`148`	`}`
`162`	`149`	`if algorithm != naclBoxAlgorithm {`
`163`		`- return nil, fmt.Errorf("unsupported encrypted build secrets algorithm: %s", publicKey.Algorithm)`
	`150`	`+ return nil, fmt.Errorf("unsupported build secrets algorithm: %s", publicKey.Algorithm)`
`164`	`151`	`}`
`165`	`152`	`if publicKey.PublicKey == "" {`
`166`	`153`	`return nil, fmt.Errorf("builder public key JSON did not include a public key")`
Original file line number	Diff line number	Diff line change
`@@ -54,8 +54,14 @@ func runSecretKeygen(cmd *cobra.Command, args []string) error {`
`54`	`54`	`return fmt.Errorf("writing public key: %w", err)`
`55`	`55`	`}`
`56`	`56`
	`57`	`+ keyID, err := seal.DeriveKeyID(pub)`
	`58`	`+ if err != nil {`
	`59`	`+ return fmt.Errorf("deriving key ID: %w", err)`
	`60`	`+ }`
	`61`	`+`
`57`	`62`	`fmt.Printf("Wrote private key: %s\n", privPath)`
`58`	`63`	`fmt.Printf("Wrote public key: %s\n", pubPath)`
	`64`	`+ fmt.Printf("Key ID: %s\n", keyID)`
`59`	`65`
`60`	`66`	`return nil`
`61`	`67`	`}`