-
-
Notifications
You must be signed in to change notification settings - Fork 496
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bug: Password is encrypted with multiple gpg keys. .gpg-id is ignored. #2915
Comments
I'm not sure I follow your report. You are saying that gopass incorrectly used a sub-keyid as a recipient for a secret outside of that folder? Can you please provide more details information and steps to reproduce? |
@dominikschulz recreating from zero on emtpy user
$ cat /home/testuser/.password-store/.gpg-id
$ gpg -d smth1.gpg $ sudo snap install go --classic $ gpg -d smth2.gpg // :thinking: okay one key is used $ ~/go/bin/gopass $ gpg -d api/smth3.gpg // :exclamation: aha. bug is reproduced partially from zero. i expected seeing only mykey2 here, but we see both keys used to encrypt api/smth3.gpg $ gpg -d smth4.gpg // okay, this one still encrypted with mykey1 only, but i had bug before where both mykey1 and mykey2 shown for non root path $ pass insert api/smth5 // as u can see We can note here that those are issues for using
|
Summary
gopass
does not honour .gpg-id, and tries to use multiple gpg keys to sign inserted passwords.The same behavior is not present for
pass
Steps To Reproduce
create gpg key_1 with password
create gpg key_2 without password
pass init repository with key_1
pass init -p sub_folder with key_2
cat ~/.password-store/.gpg-id
shows only key_1cat ~/.password-store/sub_folder/.gpg-id
shows only key_2pass insert personal/example/first
gpg -d personal/example/first.gpg
and then insert wrong passwords. descryption will fail. (Expected)gopass insert personal/example/second
gpg -d personal/example/second.gpg
and then insert wrong passwords. access will be defined for gpg key_1 (Expected), but key_2 will be used as fallback and secret shown anyway (Not expected!)Expected behavior
I expected
gopass
to sign my inserted password in not subfolder, only withkey_1
and fail on inserting wrong passwords for key_1. But it used as fallback my unprotected key_2Environment
pass version: v1.7.4
gopass version: gopass 1.15.13-git+HEAD go1.22.5 linux amd64
os version: VERSION="22.04.3 LTS (Jammy Jellyfish)"
installation method:
go install github.com/gopasspw/gopass@latest
Additional context
At current moment issue is fixable for me if i delete record
and reinsert with
pass insert
again.The text was updated successfully, but these errors were encountered: