age backend stores fail to encrypt using ssh keys

[pmiam]

The documentation at docs/backend/age.md states it should be possible to encrypt secrets for recipients identified by ssh-ed25519 public keys. This does not seem to work with gopass 1.15.13, but I may be doing it wrong.

It does work with age/rage directly.

$ rage -R .ssh/id_25519.pub -o foo/bar.age foo/bar

I have attempted to pass the key directly to:

$ gopass init --crypto age --path foo/bar <key>

I've also run init without the key fingerprint and selected from the list:

🍭 Initializing a new password store ...
🔑 Searching for usable private Keys ...
⚠ Hint: Use 'gopass init <subkey> to use subkeys!'
🎮 Please select a private key for encrypting secrets:
[0] age - age1ktt7fej0l6aaj0nyd67przq69heeucu735yf7d6z9k2lgzq874qs5zzr2q
[...]
[4] age - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFQHP8uEzRIFRBM4y0dvA6bJUzGXNOiTsuD3JiKDp7C
Please enter the number of a key (0-6, [q]uit) (q to abort) [0]: 4

This results in this error with or without a named store mount:

Error: Failed to initialize store: failed to init store "" at "/home/me/foo/bar": failed to initialize new sub store: none of the recipients has a secret key. You will not be able to decrypt the secrets you add

I've also allowed gopass setup --create --crypto age to create the gopass age keyring for me (option zero in the menu) and then use that option to successfully init my store.

Then, I attempted to use gopass recipients add .ssh/me.pub. This simply appends the path .ssh/me.pub to the .age-recipients file. Obviously wrong.

Alternatively gopass recipients add "$( cat .ssh/me.pub ) appends all the words inside the .pub file to the .age-recipients file.

Both of these claim to re-encrypt for each new entry in the recipients file, but the latter shows loading bars along the way.

None of these approaches work, and attempting to decrypt the resulting secrets with

rage -d -i .ssh/me foo/bar/secret.age

returns

Error: No matching keys found

I'm very excited to use gopass with ssh-ed25519 recipients and the store-mounts feature. So, I hope this is user error, otherwise I'm eager to help get it resolved.

[pmiam]

to configure a password store to use ssh public keys is very unintuitive in my opinion.

first, run gopass setup to make a password protected age keypair.
gopass setup --crypto age

Then, new substores can be initialized using this root keypair.
gopass init --crypto age --store mystore

Then, any ssh public keys may be added to a given store
gopass recipients add --store mystore "ssh-ed25519 <KeyFromSome.ssh/key.pub>"

Finally, the root age key can be removed from any store it initialized
gopass recipients remove --store mystore "age1restOfAgePubKeyFrom.age-recipients"

The root key is needed to initialize new stores. It is also needed to successfully remove itself as a recipient, so it is best kept even if unused. I may try contributing to more straightforward initialization, but I understand this is already work in progress.