In case one key is not okay fsck gives up

[DEvil0000]

Summary

In case one key is not okay fsck gives up (in my case it was not an E type key as recipient)

Steps To Reproduce

• add a key to recipients without E type
• add some others as well
• re-encrypt on add recipient fails
• fsck --decrypt gives up re-encrypting after seeing the "bad" key

Expected behavior

re-encrypt for all vaild keys

Environment

• OS: fedora 38
• OS version: 6.3.13?
• gopass Version: 1.15.4?
• Installation method: package from github releases

[dominikschulz]

I don't think this is what we want. If we silently ignore an invalid key that might cause some users to loose access to their keys.

I'd rather expect the user to remove the invalid key and then re-encrypting again.

Do you think there is anything we can do to make this easier?

[DEvil0000]

If the error would be more clear and point to the key to remove it would already help. Maybe providing the command needed and some human readable explanation why the key is invalid would be nice.
I however think ignoring the key, warn about it and continue with the fsck/re-encrypt is the correct behavior.
I can imagine use cases where keys may not be added or removed by everyone and only some users but fsck should be possible all the time.