
Subsequent "eyaml encrypt -s test" calls return different signatures #324

Closed
christian-2 opened this issue Aug 20, 2021 · 2 comments

Comments

@christian-2

I have a tool that operates on a Hiera file. For instance, it checks whether contained certificates are still valid and inserts renewed ones when necessary. When switching to hiera-eyaml it would seem necessary to decrypt/encrypt the Hiera file before/after the tool does its job. Since the Hiera file lives in Git, its YAML fields (also encrypted ones) should remain unmodified if they were not touched by the tool.

I have noticed that eyaml encrypt -s test returns a new signature value each time around, even when keys remain unchanged. This is presumably due to "salt" that is being added. At first sight, this prevents the use of my tool in simple combination with hiera-eyaml, when it serves for encrypting certificate keys.

Is it possible to re-obtain the same signature value each time around, or what would you suggest for dealing with a situation like this?

@christian-2 christian-2 changed the title Subsequent "eyam crypt -s test" return different signatures Subsequent "eyam encrypt -s test" calls return different signatures Aug 20, 2021
@christian-2 christian-2 changed the title Subsequent "eyam encrypt -s test" calls return different signatures Subsequent "eyaml encrypt -s test" calls return different signatures Aug 20, 2021
@kenyon
Member

kenyon commented Aug 20, 2021

Probably you should decrypt the encrypted values for your checks. I'm thinking that changing the encryption behavior would be bad crypto practice.

@christian-2
Author

I have now refactored my code such that there is no longer a simple eyaml decrypt/encrypt bracket around my tool, but that the closing bracket is smart about which keys actually changed opposite the opening bracket. With that, it can avoid repeat encryptions (that lead to unwanted new "salt", etc.)
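The "smart closing bracket" described in the last comment (decrypt everything for the tool, then re-encrypt only keys whose plaintext actually changed), as an added Ruby example that is not part of this issue or of hiera-eyaml. `encrypt`/`decrypt` are a hypothetical stand-in using AES-256-GCM with a random IV, not hiera-eyaml's PKCS7 encoding, and `SAMPLE_HIERA` is constructed sample data.

```ruby
require 'openssl'
require 'yaml'
require 'base64'

# Hypothetical stand-in for `eyaml encrypt`/`eyaml decrypt` (not hiera-eyaml's PKCS7
# format): AES-256-GCM with a fresh random IV, so the same plaintext encrypts differently each time.
KEY = OpenSSL::Random.random_bytes(32)

def encrypt(plain)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = KEY
  iv = c.random_iv                     # 12 fresh random bytes: the per-call "salt"
  c.auth_data = ''
  ct = c.update(plain) + c.final
  "ENC[#{Base64.strict_encode64(iv + ct + c.auth_tag)}]"
end

def decrypt(enc)
  raw = Base64.strict_decode64(enc[/\AENC\[(.*)\]\z/m, 1])
  iv, ct, tag = raw[0, 12], raw[12...-16], raw[-16, 16]
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = KEY
  c.iv = iv
  c.auth_tag = tag                     # wrong key or tampered value raises CipherError
  c.auth_data = ''
  c.update(ct) + c.final
end

def encrypted?(v); v.is_a?(String) && v.start_with?('ENC['); end
# Opening bracket: give the tool a fully decrypted view of the Hiera data.
def open_bracket(yaml_text)
  YAML.safe_load(yaml_text).transform_values { |v| encrypted?(v) ? decrypt(v) : v }
end

# Closing bracket: re-encrypt only keys whose plaintext actually changed; unchanged
# keys keep their original ciphertext, so the Git diff shows only real edits.
def close_bracket(original_yaml, edited)
  orig = YAML.safe_load(original_yaml)
  edited.each_with_object({}) do |(k, new_plain), out|
    old = orig[k]
    out[k] = if encrypted?(old)
               decrypt(old) == new_plain ? old : encrypt(new_plain)
             else
               new_plain                # plaintext keys pass through as-is
             end
  end
end

# Constructed sample Hiera data: one plaintext key and one encrypted key.
SAMPLE_HIERA = "hostname: web01\ncert_key: #{encrypt('old-private-key')}\n"
```

Running `close_bracket(SAMPLE_HIERA, open_bracket(SAMPLE_HIERA))` returns the original `ENC[...]` string byte-for-byte; only a changed `cert_key` gets a fresh ciphertext.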
