
New recipient syncing removes all other public keys #2620

Open
LeadingMoominExpert opened this issue Jul 24, 2023 · 9 comments
Labels: bug Defects

Comments

@LeadingMoominExpert

Summary

I added myself as a new recipient to a store on a new machine. After running gopass clone and sync I'm able to see the stored secrets, but syncing removed all other public keys from the store. Syncing shows the following output:

$ gopass sync --store tuomas
❌ Failed to initialize mount 3 (/home/tuomas/.local/share/gopass/stores/3). Ignoring: failed to init sub store "3" at "/home/tuomas/.local/share/gopass/stores/3": password store 3 is not initialized. Try gopass init --store 3 --path /home/tuomas/.local/share/gopass/stores/3
🚥 Syncing with all remotes ...
[tuomas] 
   gitfs pull and push ... OK (no changes)
❌ Failed to decode public key 0x011B48107A2944E1: public key "0x011B48107A2944E1" not found
❌ failed to export public key for "0x011B48107A2944E1": failed to export public key: key not found
❌ Failed to export missing public keys for "tuomas": some keys failed
✅ All done

Steps To Reproduce

Sync an existing store using a new recipient.

Expected behavior

Syncing would import the existing public keys to the new recipient's machine instead of removing them from the store.

Environment

  • OS: Ubuntu 22.04.2 LTS
  • OS version: Linux mylly 5.17.0-1034-oem #35-Ubuntu SMP PREEMPT Wed Jun 21 14:47:15 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
  • gopass Version: gopass 1.15.5 go1.20.2 linux amd64
  • Installation method: downloaded from gopass repo releases
@AnomalRoil
Member

How did you install that store?

I think you might need to import the old public keys first using:

gpg --import /path/to/your/store/.public-keys/*

@LeadingMoominExpert
Author

I used gopass clone to initiate the new store from git. Having done that the public keys located in /path/to/your/store/.public-keys/* are just my own keys, not the ones already set in the git repository, so importing them really doesn't do anything.

@AnomalRoil
Member

That's surprising.
sync should detect the missing keys and import them.

I could reproduce locally, adding a substore using:

gopass setup --remote git@git.github.com:example/example.git --alias example

seems to work fine, but doing the same thing using gopass clone doesn't:

$ gopass setup --remote git@git.github.com:example/example.git --alias example
🌟 Configuring your password store ...
✅ Configuration written
[example]Configuring git remote ...
[example]Cloning from the git remote ...
[example]✅ Done. Joined Team "example"
[example]⚠ You still need to request access to decrypt secrets!

$ gopass clone git@git.github.com:example/example.git second
[...]
Your password store is ready to use! Have a look around: `gopass list second`

❌ Failed to git commit: exit status 128: error: gpg failed to sign the data
fatal: failed to write commit object
⚠ Please ask the owner of the password store to add one of your keys: 0x1...
⚠ The missing keys were exported to the password store. Run `gopass sync` to push them.

$ gopass sync
🚥 Syncing with all remotes ...
[<root>]
   gitfs pull and push ... Skipped (no remote)
[example]
   gitfs pull and push ... OK (no changes)
Do you want to import the public key "0x..." (Names: [...]) into your keyring? [y/N/q]: y
Imported public key for 0x... into Keyring
[second]
   gitfs pull and push ... OK (no changes)
❌ Failed to decode public key 0x...

@uschtwill

Trying to introduce gopass in my team, and we've run into this repeatedly, specifically gopass clone not using the keys that are there.

@dominikschulz dominikschulz self-assigned this Aug 17, 2023
@dominikschulz dominikschulz added the bug Defects label Aug 17, 2023
@dominikschulz dominikschulz added this to the 1.15.8 milestone Aug 17, 2023
@uschtwill

And now we had the same thing happen as OP. Upon their first sync, a colleague's gopass removed all public keys but their own and immediately pushed that change to the remote. 😔

@dominikschulz
Member

Sorry for that. I hope that I can take a look at this soon.

@dominikschulz
Member

Can anyone that is affected re-run the steps to reproduce with GOPASS_DEBUG_LOG=/tmp/gopass.log and provide (possibly truncated) logs?

I think there might be a mismatch between how recipients are specified in the .gpg-id file and their filenames.
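An added pre-sync check, written for this thread and not part of gopass or of any commenter's code, that covers the two points raised above: the suggestion to import the keys found under `.public-keys/`, and the hypothesis that recipients in `.gpg-id` and the filenames in `.public-keys/` are written in different forms. It lists every recipient in `.gpg-id` that has no matching exported key file, treating a long key ID as matching a full fingerprint whose last 16 hex digits it equals, so a store can be verified before `gopass sync` is allowed to push a cleanup. The layout it assumes is one file per recipient under `.public-keys/`, named by key ID or fingerprint; the sample store it builds is constructed, using the key ID from the report above plus one made-up ID, and contains no real keys.

```shell
#!/bin/sh
# Added example (not gopass's own code): check that every recipient listed in
# a store's .gpg-id has an exported public key file under .public-keys/ before
# running `gopass sync`, and optionally that it is already in the local keyring.
# Usage: . ./check_store_keys.sh; check_store_keys ~/.local/share/gopass/stores/root

# Normalize a recipient identifier: drop a leading 0x, strip spaces, uppercase.
norm_id() {
    printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Return 0 if $1 and $2 name the same key: identical, or the shorter one is a
# suffix of the longer (a 16-hex long key ID is the tail of the 40-hex fingerprint).
same_key() {
    a=$(norm_id "$1"); b=$(norm_id "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 1
    case "$a" in *"$b") return 0 ;; esac
    case "$b" in *"$a") return 0 ;; esac
    return 1
}

# Print each recipient in $1/.gpg-id that has no matching file in $1/.public-keys.
# Returns 0 when all recipients have a key file, 1 when any is missing, 2 on a
# store without a .gpg-id file.
check_store_keys() {
    store=$1
    missing=0
    [ -f "$store/.gpg-id" ] || { echo "no .gpg-id in $store" >&2; return 2; }
    while IFS= read -r rcpt || [ -n "$rcpt" ]; do
        case "$rcpt" in ''|'#'*) continue ;; esac   # skip blanks and comments
        found=0
        for f in "$store"/.public-keys/*; do
            [ -e "$f" ] || break                     # directory empty or absent
            if same_key "$rcpt" "$(basename "$f")"; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "MISSING public key file for recipient $rcpt"
            missing=$((missing + 1))
        fi
    done < "$store/.gpg-id"
    [ "$missing" -eq 0 ]
}

# Optional second check: is each recipient present in the local gpg keyring?
# Only runs where gpg is installed; otherwise it reports that it was skipped.
check_keyring() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found, keyring check skipped"; return 0; }
    while IFS= read -r rcpt || [ -n "$rcpt" ]; do
        case "$rcpt" in ''|'#'*) continue ;; esac
        gpg --batch --list-keys "$rcpt" >/dev/null 2>&1 || echo "NOT IN KEYRING: $rcpt"
    done < "$1/.gpg-id"
}

# Build a constructed sample store in a temp dir (no real keys): two recipients,
# of which only the first has an exported key file, named by a fake fingerprint
# whose tail is the key ID. The second ID is made up. Prints the store path.
make_sample_store() {
    d=$(mktemp -d)
    mkdir -p "$d/.public-keys"
    printf '0x011B48107A2944E1\n0xDEADBEEFCAFEF00D\n' > "$d/.gpg-id"
    : > "$d/.public-keys/0123456789ABCDEF01234567011B48107A2944E1"
    echo "$d"
}
```

Running `check_store_keys` on the sample store reports the second recipient as missing and exits non-zero, which is the condition a wrapper script can use to stop before syncing; the keyring check is kept separate because a missing key file and a key missing from the keyring are different failures, and only the first one is what the store itself can be checked for on any machine.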

dominikschulz added a commit to dominikschulz/gopass that referenced this issue Sep 9, 2023
The cleanup during import is currently buggy on some scenarios
so as a workaround we'll disable auto-cleanup by default and
introduce `recipients.remove-extra-keys` to allow users to turn
it back on.

See gopasspwGH-2620

Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
dominikschulz added a commit that referenced this issue Sep 11, 2023
The cleanup during import is currently buggy on some scenarios
so as a workaround we'll disable auto-cleanup by default and
introduce `recipients.remove-extra-keys` to allow users to turn
it back on.

See GH-2620

Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
@jonmz

jonmz commented Sep 18, 2023

We observed this problem as well, but only with our newest team member. The only difference we came across was that she was the only team member initializing the password store with gopass clone straight from our git repo, while all the other team members had used the original pass earlier and later switched to gopass, resulting in the following difference:

  • the new team member has its root store in ~/.local/share/gopass/stores/root
  • the other team members have their root store in ~/.password-store

We tried simulating this for her by moving her root store into the legacy location and removing all other stuff created by gopass clone:

$ mv ~/.local/share/gopass/stores/root ~/.password-store
$ rm -rf ~/.local/share/gopass ~/.config/gopass

When we tried again, gopass sync worked like a charm and happily imported all team members' public keys into her local keyring.

@dominikschulz
Member

Thank you @jonmz . This is useful feedback. I will try to reproduce this as well.
