SOPS v3.13.0 released on 08-05-2026
SOPS v3.13.0 is out now. Security-conscious operators and CI pipelines benefit from clearer installation and verification workflows so downloaded binaries and container images can be validated before use.
Visit the GitHub release for downloads, signed checksums, SLSA provenance and SBOMs, plus container images on ghcr.io and quay.io and step-by-step verification examples.
What’s in this release
- Installation and verification: signed checksums validated with cosign (GitHub OIDC constraints), binary integrity checks via sha256sum -c, and provenance verification using the included sops-v3.13.0.intoto.jsonl with slsa-verifier.
- Container images and signatures: Debian and Alpine images for linux/amd64 and linux/arm64 available at ghcr.io/getsops/sops:v3.13.0 (and -alpine) and quay.io/getsops/sops:v3.13.0 (and -alpine); images are signed with cosign and include SLSA provenance attestations.
- Notable user-facing changes and fixes: YAML inline comments are preserved through encrypt/edit roundtrips; new SOPS_GCP_KMS_ENDPOINT and SOPS_GCP_KMS_UNIVERSE_DOMAIN environment variables; support for space-separated keys in SOPS_AGE_KEY; clearer error for top-level arrays; prefixed/truncated key hash for GPG agent cache keys; sops exec-file fixes (correct GID, improved filename handling) and passing global –indent to stores.
Upgrade notes
- Deprecated/compatibility: support for Go 1.24 has been dropped. If you build from source, ensure your Go toolchain is newer; check the changelog for the exact required minimum.
- Rollback: if you need to revert, the previous release is v3.12.2 — see the full changelog and compare view at https://github.com/getsops/sops/compare/v3.12.2…v3.13.0.
Share your experience verifying binaries or running the container images on the project’s GitHub — issue reports and feedback are welcome.
