Merge branch 'main' into fix/issue-3

test: add test for getLongTermPrivateKey derivation index
Verifies that getLongTermPrivateKey reads the derivation index from vault metadata instead of using hardcoded index 0. Test creates a mock vault with DerivationIndex=5 and confirms the derived key matches index 5.
2026-02-09 04:48:07 +01:00 · 2026-02-08 17:45:34 -08:00 · 2026-02-08 12:03:06 -08:00
1 changed files with 2 additions and 6 deletions
--- a/internal/secret/pgpunlocker.go
+++ b/internal/secret/pgpunlocker.go
@ -320,9 +320,7 @@ func ResolveGPGKeyFingerprint(keyID string) (string, error) {
 	}

 	// Use GPG to get the full fingerprint for the key
-	cmd := exec.Command( // #nosec G204 -- keyID validated
-		"gpg", "--list-keys", "--with-colons", "--fingerprint", keyID,
-	)
+	cmd := exec.Command("gpg", "--list-keys", "--with-colons", "--fingerprint", keyID)
 	output, err := cmd.Output()
 	if err != nil {
 		return "", fmt.Errorf("failed to resolve GPG key fingerprint: %w", err)
@ -361,9 +359,7 @@ func gpgEncryptDefault(data *memguard.LockedBuffer, keyID string) ([]byte, error
 		return nil, fmt.Errorf("invalid GPG key ID: %w", err)
 	}

-	cmd := exec.Command( // #nosec G204 -- keyID validated
-		"gpg", "--trust-model", "always", "--armor", "--encrypt", "-r", keyID,
-	)
+	cmd := exec.Command("gpg", "--trust-model", "always", "--armor", "--encrypt", "-r", keyID)
 	cmd.Stdin = strings.NewReader(data.String())

 	output, err := cmd.Output()