
Gopass deletes entry in .public-keys that's used in subdirectory's .gpg-id

Open. TheLastProject opened this issue (1 comment)

Summary

To reduce exposure, we want to give some GPG keys only access to certain subdirectories. While gopass recipients doesn't support this, putting the key ID in a .gpg-id file in the directory works. Looking at #1842, this is intended to be supported.

However, just setting up the .gpg-id file isn't enough to let teammates also encrypt. So, I wanted to add the same public key to the .public-keys/. However, gopass explicitly deletes this "extra key", even when explicitly committing it.

Steps To Reproduce

(The name of the key and project have been simplified)

# Create and encrypt the secret
gopass edit test_store/project_123/secret1

# Add the key
echo "0123456789" > ~/.local/share/gopass/stores/test_store/project_123/.gpg-id

# Re-encrypt the secret
gopass fsck --decrypt test_store/project_123

# Sync secrets
gopass sync

# So far so good...

# Attempt to add the public key to .public-keys so others don't have to gpg import it
gpg --armor --export 0123456789 > ~/.local/share/gopass/stores/test_store/.public-keys/0123456789

# Optionally, make an explicit commit by using "git add, git commit, etc." in ~/.local/share/gopass/stores/test_store/

# Try to sync
gopass sync

Expected behavior

The .public-keys entry is retained to simplify encrypting for teammates. Instead, gopass explicitly removes it and even creates a commit to remove it if you explicitly made another commit.

Environment

  • OS: Ubuntu 22.04
  • OS version: Linux sos-ThinkPad-X1-Carbon-6th 5.19.0-35-generic #36~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 17 15:17:25 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
  • gopass Version: gopass 1.15.4 go1.19.5 linux amd64
  • Installation method: gopass repo

Additional context

I might be misunderstanding the purpose of the .public-keys directory, but documentation on the whole concept of limiting the access of a GPG key (a "core" feature of regular pass) is generally very lacking within gopass. If there is a better way to do this, I'm all ears.

TheLastProject, Mar 16 '23
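The report above hinges on a store-consistency rule: every key ID listed in any `.gpg-id` (root or subdirectory) must have an export under `.public-keys/`, or teammates cannot encrypt for it. The check below is an added example written for this issue, not gopass code. It walks a store, collects the recipients from every `.gpg-id`, and reports the ones with no matching file in `.public-keys/`. It assumes the `.gpg-id` format is one key ID per line with blank lines and `#` comments ignored, and that `.public-keys/` entries are named by fingerprint or key ID, so a short ID is matched as a suffix of the longer form (both are assumptions about naming, not gopass's documented contract). The sample store it builds in a temp directory is constructed for the example and mirrors the reproduction steps: a root key that is exported, and a `project_123/.gpg-id` recipient that is not.

```python
"""Find recipients in nested .gpg-id files that have no export in .public-keys/.

Added example for this issue; not part of gopass. Key-ID matching by suffix and
the .gpg-id line format are assumptions, see the lead-in.
"""
import tempfile
from pathlib import Path


def read_gpg_id(path: Path) -> list[str]:
    """Return the key IDs listed in one .gpg-id file.

    Assumption: one ID per line; blank lines and '#' comments are ignored.
    IDs are upper-cased and stripped of a leading 0x so they compare cleanly.
    """
    ids = []
    for line in path.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ids.append(line.upper().removeprefix("0X"))
    return ids


def all_gpg_ids(store: Path) -> dict[str, list[str]]:
    """Map each directory (relative to the store root, '' for root) to its recipients."""
    result = {}
    for gpg_id in store.rglob(".gpg-id"):
        rel = gpg_id.parent.relative_to(store).as_posix()
        result["" if rel == "." else rel] = read_gpg_id(gpg_id)
    return result


def public_key_names(store: Path) -> list[str]:
    """Names of the exported keys under .public-keys/ (upper-cased)."""
    d = store / ".public-keys"
    if not d.is_dir():
        return []
    return [p.name.upper() for p in d.iterdir() if p.is_file()]


def id_matches(key_id: str, name: str) -> bool:
    # A short key ID is the trailing hex of the full fingerprint, so either
    # side may be the shorter one. Assumption about naming; note that short
    # IDs are not unique, so a fingerprint in .gpg-id is the safer choice.
    return name.endswith(key_id) or key_id.endswith(name)


def missing_public_keys(store: Path) -> dict[str, list[str]]:
    """Recipients per directory that have no matching file in .public-keys/."""
    names = public_key_names(store)
    missing = {}
    for rel, ids in all_gpg_ids(store).items():
        gap = [k for k in ids if not any(id_matches(k, n) for n in names)]
        if gap:
            missing[rel] = gap
    return missing


def build_sample_store() -> Path:
    """Constructed store mirroring the report: root key exported, sub-key not."""
    root = Path(tempfile.mkdtemp(prefix="gopass-store-"))
    (root / ".gpg-id").write_text("# root recipients\nAAAA1111AAAA1111\n")
    (root / ".public-keys").mkdir()
    (root / ".public-keys" / "0000AAAA1111AAAA1111").write_text(
        "-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed placeholder)\n"
    )
    proj = root / "project_123"
    proj.mkdir()
    (proj / ".gpg-id").write_text("0123456789\n")  # subdirectory-only recipient
    return root


if __name__ == "__main__":
    store = build_sample_store()
    for rel, ids in missing_public_keys(store).items():
        print(f"{rel or '<root>'}: no .public-keys export for {', '.join(ids)}")
```

Run it before `gopass sync` (or as a pre-commit hook on the store) to catch the situation in the report: the subdirectory recipient `0123456789` is listed in `project_123/.gpg-id` but has no export, so a teammate without that key in their keyring cannot re-encrypt the directory.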

> limiting the access of a GPG key is generally very lacking within gopass.

Yes, this is true. We do have limited support but it's not great. I usually tend to prefer having different mounts over different encryption keys for subdirs. But this is a valid bug and we should fix it.

dominikschulz, Mar 21 '23