git-secret
git-secret copied to clipboard
sobolevn
fix `tell` when used with email address starting with digit
What are the steps to reproduce this issue?
- Create a GPG key with an email starting with a digit:
[email protected] - Add said GPG key to your git secret:
git secret tell '[email protected]' - Observe the error:
gpg: key "[email protected]" not found: Invalid user ID gpg: WARNING: nothing exported
What happens?
When git secret tell calls gpg --export -a "$email", the command fails, even though the email exists.
What were you expecting to happen?
The email should be correctly added with the message:
git-secret: done. [email protected] added as user(s) who know the secret.
Any logs, error output, etc?
gpg: key "[email protected]" not found: Invalid user ID
gpg: WARNING: nothing exported
Trying to call git secret tell <[email protected]> results on the following error:
git-secret: abort: email not found in gpg keyring: <[email protected]>
Any other comments?
When calling gpg --export --armor with an email address, it should always be included in angle brackets to make it explicit that it is an email address. For example:
$ gpg --export --armor '[email protected]'
gpg: key "[email protected]" not found: Invalid user ID
gpg: WARNING: nothing exported
$ gpg --export --armor '<[email protected]>'
-----BEGIN PGP PUBLIC KEY BLOCK-----
# ...
-----END PGP PUBLIC KEY BLOCK-----
What versions of software are you using?
Operating system: Linux boyne 5.9.3-1-MANJARO #1 SMP PREEMPT Sun Nov 1 14:25:36 UTC 2020 x86_64 GNU/Linux
git-secret path: /usr/bin/git-secret
git-secret version: 0.3.2
git version: git version 2.29.2
Shell type and version: zsh 5.8 (x86_64-pc-linux-gnu)
gpg version:
gpg (GnuPG) 2.2.23
libgcrypt 1.8.7
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: [redacted]
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
There seems to be a few other places where emails starting with digits are a problem.
Specifically, I tried to bypass the git secret tell issue by adding a second uid to the key with an email not starting with a digit.
Adding the key using that email worked as expected. However when trying to hide secrets (git secret hide), I get the following error:
$ git secret hide
gpg: error retrieving '[email protected]' via Local: Invalid user ID
gpg: error retrieving '[email protected]' via WKD: No data
gpg: [email protected]: skipped: No data
gpg: /absolute/path/to/password.txt: encryption failed: No data
git-secret: abort: problem encrypting file with gpg: exit code 2: relative/path/to/password.txt
When running git secret whoknows, I see both emails (from both uids) listed.
I tried removing the key from git secret, revoking the uid (revuid) for the email starting with a digit and re-adding the key to git secret, but I still see the revoked key there... When trying to hide the secrets, I keep getting the same error as above.
If I delete the uid (deluid) then it works as expected.
Hello, @0xjac, and thank you for this issue report!
This is a very well phrased and researched issue report, and we really appreciate it.
I've researched this underlying issue (about using <>'s with email addresses) and git-secret is basically blocked by the issues described here and below:
https://github.com/sobolevn/git-secret/issues/268#issuecomment-424759984
We decided the right solution is to "allow use of key ids and fingerprints" (see #268), but this is a pretty major feature addition. If you see a good path to fixing this issue/these issues in git-secret, we are all ears!
A good step towards fixing/understanding this issue more widely would be for us to make a key fixture for an email starting with '0x' (like yours), and adding a test to git-secret that shows this failing as expected. Then if/when we fix, we'll see the test pass.
@joshrabinowitz Thanks for your quick reply. Using key IDs and fingerprints sounds like a great idea but more work. When positing initially, I was hoping for a quick fix (just add a couple brackets in a few places and done). I should have known better... :confused:
Unfortunately, I have no idea how to solve this. On my side, I have switched the email address for another one not starting with a digit. :expressionless: