When sops is used to encrypt a .yaml file, the output is a .yaml file. When sops is used to encrypt any other file, the output is a .jsonfile.

My colleagues were writing a check in Python to validate that all files that by a naming convention were supposed to be encrypted, was actually encrypted properly. To do that, we looked to parse them and look for a sops key as a basic check. Since all sops encrypted files are YAML or JSON, we figured we could use a YAML parser and it would work. But, it didn't. We had to use a YAML parser for the .yaml files and a JSON parser for the .json files.

It turns out that while almost any JSON is valid YAML, JSON with tabs isn't valid YAML. The sops generated .json files included tabs instead of spaces!

Questions

The main question

Should sops keep emitting tabs in its emitted .json files, or could it switch to emitting spaces, and by doing so emit .json files that are both JSON and YAML parser compatible?

Related code

From code inspection, this seemed relevant to understand how files are written.

https://github.com/mozilla/sops/blob/66043e71a81787d6513bc2e5505a29aac67dc6f1/stores/json/store.go#L281-L300

Related issues

• sops creates yaml file with tab indentation #434