Oh no It hit me again. After changing the configuration in .sops.yaml I usually run sops -i -d; sops -i -e on the encrypted files to apply the changes. (Maybe there is a better way to do this ?)

But if I run sops -i -e twice on a file, then the file can not be encrypted afterwards and sops returns the error MAC mismatch. File has .... Any succeeding sops -i -e call on a file should abort if the file is already encrypted.