Reencryption fails when using age due to concurrent pinentry calls #2668

Open
rad4day opened this issue Sep 14, 2023 · 1 comment

rad4day commented Sep 14, 2023

Summary

When adding a new recipient while using the age backend, the reencryption fails for all but one worker, resulting in only a single file being updated.
This is caused by all workers simultaneously trying to open the pinentry modal, where pinentry refuses operation due to a modal being present.

I confirmed this to be a concurrency issue by running gopass with taskset 1 to limit it to a single core, upon which reencryption worked.

$ gopass recipients add "$(cat ~/.ssh/id_ed25519.pub)"
Starting reencrypt
] 5 / 5 [Goooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooopass] 100.00% ❌ Decryption failed: failed to decrypt /home/rad4day/.config/gopass/age/identities: pinentry error: pinentry error: Operation cancelled <Pinentry>

Worker 0: Failed to get current value for extern/cloudflare/api_token: failed to decrypt
❌ Decryption failed: failed to decrypt /home/rad4day/.config/gopass/age/identities: pinentry error: pinentry error: Operation cancelled <Pinentry>

Worker 2: Failed to get current value for keycloak/grafana/secret: failed to decrypt
❌ Decryption failed: failed to decrypt /home/rad4day/.config/gopass/age/identities: pinentry error: pinentry error: Operation cancelled <Pinentry>

Worker 1: Failed to get current value for extern/cloudflare/account_id: failed to decrypt
❌ Decryption failed: failed to decrypt /home/rad4day/.config/gopass/age/identities: pinentry error: pinentry error: Operation cancelled <Pinentry>

Worker 4: Failed to get current value for keycloak/hedgedoc/secret: failed to decrypt

Steps To Reproduce

  • Have a store with more than 1 secret
  • Use age as backend
  • Add a new key via gopass recipients add
  • Observe gopass failing

Expected behavior

  • Being asked a single time for password, decrypted secret reused for all workers.
  • gopass not exploding.

Environment

  • OS: ArchLinux
  • OS version: Linux - 6.5.2-arch1-1 #1 SMP PREEMPT_DYNAMIC Wed, 06 Sep 2023 21:01:01 +0000 x86_64 GNU/Linux
  • gopass Version: gopass 1.15.8 go1.21.1 linux amd64
  • Installation method: ArchLinux Repository

Additional context

@dominikschulz
Member

This did work for me in the past, but anyway we need to fix this. Thanks for reporting it.

@dominikschulz dominikschulz added the bug Defects label Sep 14, 2023
@dominikschulz dominikschulz added this to the 1.x.x milestone Sep 14, 2023
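
The expected behaviour from the report (one passphrase prompt, result reused by all workers), as an added example that is not part of the thread and not gopass's own code. `modalPrompt` and `reencrypt` are hypothetical names, the prompt is a constructed stand-in for pinentry, and `sync.OnceValues` needs Go 1.21 or later.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// modalPrompt (constructed stand-in for pinentry) refuses a prompt while one is open.
type modalPrompt struct {
	open  atomic.Bool
	calls atomic.Int32
}

func (p *modalPrompt) Ask() (string, error) {
	p.calls.Add(1)
	if !p.open.CompareAndSwap(false, true) {
		return "", fmt.Errorf("pinentry error: Operation cancelled")
	}
	defer p.open.Store(false)
	time.Sleep(10 * time.Millisecond) // the user is typing the passphrase
	return "constructed-passphrase", nil
}

// reencrypt starts n workers that each need the unlocked identities; returns failures.
func reencrypt(n int, unlock func() (string, error)) int {
	var wg sync.WaitGroup
	var failed atomic.Int32
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if _, err := unlock(); err != nil {
				failed.Add(1)
			}
		}()
	}
	wg.Wait()
	return int(failed.Load())
}

func main() {
	racy, shared := &modalPrompt{}, &modalPrompt{}
	fmt.Println("prompt per worker, failed:", reencrypt(5, racy.Ask))
	// sync.OnceValues: the first caller prompts, the others wait and reuse its result.
	failed := reencrypt(5, sync.OnceValues(shared.Ask))
	fmt.Println("shared unlock, failed:", failed, "prompts:", shared.calls.Load())
}
```

A cancelled prompt is cached as well, so all workers fail together instead of opening further modals. The unlocked value stays in memory for the whole run, so the wrapper should not outlive the reencryption.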