v0.5.0

rskey is a command-line tool (and bundled Go package) that generates secret keys interoperable with the format used by RStudio's Workbench, Connect, and Package Manager products.

Changes since v0.3.0

• The rskey encrypt and decrypt commands now have a --mode=workbench flag that can handle the format used by RStudio Workbench, which differs from the one used by Connect and Package Manager.

• A new workbench package implements the encryption format used by RStudio Workbench.

• The rskey encrypt command now has a --mode=fips flag that uses AES-256-GCM for encryption, which is intended for use by organisations subject to FIPS-140. Secrets encrypted this way are only supported by RStudio Connect version 2022.03.0 and later.

• The crypt package now supports using AES-256-GCM for encryption via the new EncryptFIPS() method, which is intended for use by organisations subject to FIPS-140. The existing Decrypt() methods transparently support decrypting secrets encrypted with either algorithm.

• Releases are now automated through GitHub Actions and signed with cosign from the Sigstore project.

Binary signatures

Binary releases are signed with Sigstore. You can verify these signatures with their cosign tool, for example:

$ COSIGN_EXPERIMENTAL=1 cosign verify-blob \
  --signature rskey_0.5.0_linux_amd64.tar.gz.sig \
  rskey_0.5.0_linux_amd64.tar.gz

We use Cosign's "keyless" mode, which uses the OpenID Connect tokens issued by GitHub for this repository and ephemeral certificates instead of private keys. This feature currently requires setting COSIGN_EXPERIMENTAL=1.