fix: suppress gosec G204 for validated GPG key ID inputs

test: add test for getLongTermPrivateKey derivation index
Verifies that getLongTermPrivateKey reads the derivation index from vault metadata instead of using hardcoded index 0. Test creates a mock vault with DerivationIndex=5 and confirms the derived key matches index 5.
2026-02-19 23:43:13 -08:00 · 2026-02-19 23:43:13 -08:00 · 2026-02-19 23:43:13 -08:00
1 changed files with 6 additions and 2 deletions
--- a/internal/secret/pgpunlocker.go
+++ b/internal/secret/pgpunlocker.go
@ -320,7 +320,9 @@ func ResolveGPGKeyFingerprint(keyID string) (string, error) {
 	}

 	// Use GPG to get the full fingerprint for the key
-	cmd := exec.Command("gpg", "--list-keys", "--with-colons", "--fingerprint", keyID)
+	cmd := exec.Command( // #nosec G204 -- keyID validated
+		"gpg", "--list-keys", "--with-colons", "--fingerprint", keyID,
+	)
 	output, err := cmd.Output()
 	if err != nil {
 		return "", fmt.Errorf("failed to resolve GPG key fingerprint: %w", err)
@ -359,7 +361,9 @@ func gpgEncryptDefault(data *memguard.LockedBuffer, keyID string) ([]byte, error
 		return nil, fmt.Errorf("invalid GPG key ID: %w", err)
 	}

-	cmd := exec.Command("gpg", "--trust-model", "always", "--armor", "--encrypt", "-r", keyID)
+	cmd := exec.Command( // #nosec G204 -- keyID validated
+		"gpg", "--trust-model", "always", "--armor", "--encrypt", "-r", keyID,
+	)
 	cmd.Stdin = strings.NewReader(data.String())

 	output, err := cmd.Output()