Description
(I mentioned this to a maintainer at Kubecon EU 2025, I thought I'd file an issue too).
SOPS is great in that the structure of a file is kept after encryption. It makes it easy for a user to see what the outputted file will be without having to decrypt it.
The problem with this is that if someone wants to delete a line, they assume they can do so without using sops to decrypt/encrypt the file. Editing a file without using sops results in the file being invalid.
It would be nice if sops provided a way to checksum/validate the content of a file without the need for a decryption key.
Maybe sops can store a hash of the encrypted portion of the file in the sops portion, and a new "validate" option could be added to the CLI, allowing for ensuring the file is valid without the decryption key.
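As an added illustration of the proposal (not code from the sops project), the Python sketch below shows what a key-less check could look like: every leaf outside the `sops` block must have the `ENC[...]` shape that sops writes, and a hypothetical `content_hash` stored in the metadata must match a digest of the encrypted leaves, which catches a deleted or hand-edited line. The `ENC[AES256_GCM,...]` format is sops' real format; the `content_hash` field, the sample document and its placeholder base64 are constructed here and do not exist in sops.

```python
import hashlib
import json
import re

# Real shape of a value written by sops: ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]*,iv:[A-Za-z0-9+/=]+,"
                    r"tag:[A-Za-z0-9+/=]+,type:(str|int|float|bool|comment)\]$")

# Constructed sample shaped like a sops-encrypted JSON file; the base64 parts are placeholders.
SAMPLE_JSON = """{
  "db_password": "ENC[AES256_GCM,data:QUJD,iv:SVZJVg==,tag:VEFH,type:str]",
  "api_key": "ENC[AES256_GCM,data:REVG,iv:SVZJVg==,tag:VEFH,type:str]",
  "sops": {"mac": "ENC[AES256_GCM,data:TUFD,iv:SVZJVg==,tag:VEFH,type:str]"}
}"""

def load(text):
    return json.loads(text)

def encrypted_leaves(node, path=()):
    """Yield (path, value) for every scalar outside the top-level 'sops' block."""
    if isinstance(node, dict):
        for key, value in node.items():
            if path == () and key == "sops":
                continue
            yield from encrypted_leaves(value, path + (str(key),))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from encrypted_leaves(value, path + (str(i),))
    else:
        yield path, node

def content_hash(doc):
    """SHA-256 over the encrypted leaves, sorted by path so key order does not matter."""
    digest = hashlib.sha256()
    for path, value in sorted(encrypted_leaves(doc), key=lambda pv: pv[0]):
        digest.update(f"{'/'.join(path)}={value}\n".encode())
    return digest.hexdigest()

def validate(doc):
    """Return the problems found without any decryption key; [] means the file looks intact."""
    meta = doc.get("sops")
    if not isinstance(meta, dict) or "mac" not in meta:
        return ["missing sops metadata block or mac"]
    problems = [f"{'/'.join(path)}: not a SOPS-encrypted value"
                for path, value in encrypted_leaves(doc)
                if not (isinstance(value, str) and ENC_RE.match(value))]
    expected = meta.get("content_hash")  # hypothetical field; real sops does not write one
    if expected is not None and content_hash(doc) != expected:
        problems.append("content_hash mismatch: encrypted content was edited outside sops")
    return problems
```

Keys covered by an `unencrypted_suffix` or similar rule would legitimately hold plaintext and need to be exempted in a real implementation; the sketch treats every leaf as encrypted.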
Activity
tj-smith47 commented on Apr 8, 2025
I came here to submit a feature request for a `sops check <file>` (not picky on the subcmd name) command that would exit 0 / 1 (maybe quietly with a `-q` flag) depending on whether the file was encrypted. I planned to use it in a git hook to validate sops files pre-commit. It sounds appropriate that this could be the same command? First checks if encrypted at all, then validates the content? @adrianmoisey if you disagree, lmk and I can move this to a dedicated issue.
felixfontein commented on Apr 8, 2025
@tj-smith47 did you see `sops filestatus`? It provides a simple check whether a file is encrypted with SOPS without having to decrypt. (There's no checksum/signature involved; and there could be false positives since you could fake it by providing the indications that the subcommand checks for; so it might not be perfect depending on your needs, though for what you mentioned it should be fine.)
tj-smith47 commented on Apr 8, 2025
I had not, thanks for the pointer @felixfontein! In that case, please ignore my comment in favor of @adrianmoisey's OP.