
bug: Password is encrypted with multiple gpg keys. .gpg-id is ignored. #2915

Open
dd84ai opened this issue Jul 29, 2024 · 2 comments
Labels
can-not-reproduce Bug can't be reproduced

Comments


dd84ai commented Jul 29, 2024

Summary

gopass does not honour .gpg-id, and tries to use multiple gpg keys to sign inserted passwords.
The same behavior is not present for pass.

Steps To Reproduce

create gpg key_1 with password
create gpg key_2 without password

pass init repository with key_1
pass init -p sub_folder with key_2

cat ~/.password-store/.gpg-id shows only key_1
cat ~/.password-store/sub_folder/.gpg-id shows only key_2

pass insert personal/example/first
gpg -d personal/example/first.gpg and then insert wrong passwords. Decryption will fail. (Expected)

gopass insert personal/example/second
gpg -d personal/example/second.gpg and then insert wrong passwords. Access will be denied for gpg key_1 (Expected), but key_2 will be used as a fallback and the secret shown anyway (Not expected!)

Expected behavior

I expected gopass to sign my inserted password outside the subfolder only with key_1, and to fail on inserting wrong passwords for key_1. But it used my unprotected key_2 as a fallback.

Environment

pass version: v1.7.4
gopass version: gopass 1.15.13-git+HEAD go1.22.5 linux amd64
os version: VERSION="22.04.3 LTS (Jammy Jellyfish)"
installation method: go install github.com/gopasspw/gopass@latest

Additional context

At the current moment the issue is fixable for me if I delete the record
and reinsert it with pass insert again.

dd84ai changed the title from "Bug with using multiple gpg keys. .gpg-id is ignored." to "bug: Password is encrypted with multiple gpg keys. .gpg-id is ignored." on Jul 29, 2024
dominikschulz (Member) commented

I'm not sure I follow your report.

You are saying that gopass incorrectly used a sub-keyid as a recipient for a secret outside of that folder?

Can you please provide more detailed information and steps to reproduce?
Please set GOPASS_DEBUG_LOG=/tmp/gopass.log (or similar), GOPASS_HOMEDIR=/tmp/gopass and then execute all the steps necessary from the shell where these variables are set. This should allow you to operate in an isolated password store. Please provide the exact commands used and the log file.

@dominikschulz dominikschulz added the can-not-reproduce Bug can't be reproduced label Jul 30, 2024

dd84ai commented Jul 30, 2024

@dominikschulz recreating from zero on an empty user

  • adduser testuser
  • sudo usermod -a -G sudo testuser
  • su - user
  • apt install screen
  • script /dev/null
  • screen (and press enter); a plain su user does not have the right to use gpg, we use screen to work around this problem
  • gpg --full-generate-key (picking default, default, default, name: mykey1) first key. Optionally make it password-protected for better visibility of the bug, but not necessary
  • pass init mykey1 creates the pass storage
  • gpg --full-generate-key creates the second gpg key, named mykey2
  • pass init --path=api mykey2 creates the subfolder

$ cat /home/testuser/.password-store/.gpg-id
mykey1
$ cat /home/testuser/.password-store/api/.gpg-id
mykey2

  • pass insert smth1
  • cd /home/testuser/.password-store/

$ gpg -d smth1.gpg
gpg: encrypted with 3072-bit RSA key, ID CB6FC1F250432CDC, created 2024-07-30
"mykey1 [email protected]"
123
// All is good, encrypted with one key.

$ sudo snap install go --classic
$ go install github.com/gopasspw/gopass@latest
$ ~/go/bin/gopass
gopass> insert smth2
gopass> quit

$ gpg -d smth2.gpg
gpg: encrypted with 3072-bit RSA key, ID CB6FC1F250432CDC, created 2024-07-30
"mykey1 [email protected]"
123123

// :thinking: okay, one key is used

$ ~/go/bin/gopass
gopass> insert api/smth3
gopass> insert smth4
gopass> quit

$ gpg -d api/smth3.gpg
gpg: encrypted with 3072-bit RSA key, ID CB6FC1F250432CDC, created 2024-07-30
"mykey1 [email protected]"
gpg: encrypted with 3072-bit RSA key, ID 1B8A2CABDBA7ACB1, created 2024-07-30
"mykey2"
123123

// :exclamation: aha. The bug is reproduced partially from zero. I expected to see only mykey2 here, but we see both keys used to encrypt api/smth3.gpg

$ gpg -d smth4.gpg
gpg: encrypted with 3072-bit RSA key, ID CB6FC1F250432CDC, created 2024-07-30
"mykey1 [email protected]"
123123

// okay, this one is still encrypted with mykey1 only, but I had the bug before where both mykey1 and mykey2 were shown for the non-root path
// this time I only caught the case where a record inserted into the subfolder (with gopass) for some reason acquired both the mykey1 and mykey2 keys at the same time, while it should have used mykey2 only

$ pass insert api/smth5
Enter password for api/smth5:
Retype password for api/smth5:
$ gpg -d api/smth5.gpg
gpg: encrypted with 3072-bit RSA key, ID 1B8A2CABDBA7ACB1, created 2024-07-30
"mykey2"
123

// as you can see, pass encrypts only with one key in the subfolder
TLDR: this is an instruction for partial bug reproduction, but my original issue was that a double gpg key was used for non-subfolder inserted keys too. That was the issue.
This reproduction instruction uncovered a similar situation where a double gpg key (instead of one) is used to encrypt stuff for the subfolder.

We can note here that these are issues with using gopass on stuff created by pass, basically.

$ pass version
============================================
= pass: the standard unix password manager =
=                                          =
=                  v1.7.4                  =
=                                          =
=             Jason A. Donenfeld           =
=               [email protected]            =
=                                          =
=      http://www.passwordstore.org/       =
============================================
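The security-relevant point of the report is that an extra recipient is silent: `gopass show` and `pass show` work either way, so only inspecting the OpenPGP packets reveals that a second key (here the unprotected mykey2) can also decrypt api/smth3.gpg. The script below is an added example, not code from gopass or pass: it walks a password store, reads the recipient key IDs of each `*.gpg` file from `gpg --list-packets`, resolves the identifiers in the nearest `.gpg-id` (the same upward lookup pass and gopass use) and reports any file that is readable by a key `.gpg-id` does not list. Function names are the example's own; the assumed GnuPG 2.x output formats are stated in the comments.

```shell
#!/bin/sh
# Added example (not gopass/pass code): audit a password store for secrets
# encrypted to recipients the governing .gpg-id does not list, i.e. the case
# above where api/smth3.gpg was readable by mykey1 although api/.gpg-id names
# only mykey2.
# Assumed GnuPG 2.x formats: `gpg --list-packets` prints one
#   :pubkey enc packet: version 3, algo 1, keyid <16 hex digits>
# line per recipient; `gpg --list-keys --with-colons` carries the long key ID
# in field 5 of each "pub:" record.
set -eu

STORE="${PASSWORD_STORE_DIR:-${HOME:-}/.password-store}"

# The .gpg-id governing a secret: the nearest one walking upward from the
# secret's directory to the store root. Fails if none is found.
nearest_gpg_id() {
  local store="$1" dir
  dir=$(dirname -- "$2")
  while :; do
    if [ -f "$dir/.gpg-id" ]; then
      printf '%s\n' "$dir/.gpg-id"
      return 0
    fi
    case "$dir" in "$store" | / | .) return 1 ;; esac
    dir=$(dirname -- "$dir")
  done
}

# Parse `gpg --list-packets` text on stdin into sorted, unique long key IDs.
recipients_from_packets() {
  sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]\{16\}\).*/\1/p' \
    | tr 'a-f' 'A-F' | sort -u
}

# Recipients a .gpg file is actually encrypted to. The pubkey enc packets are
# printed before gpg tries to decrypt, so the passphrase prompt is cancelled
# (--pinentry-mode cancel) and the failed decryption is irrelevant.
recipients_of_file() {
  gpg --batch --pinentry-mode cancel --list-packets -- "$1" 2>/dev/null \
    | recipients_from_packets
}

# Resolve the identifiers in a .gpg-id file (long key ID, fingerprint, or a
# user ID such as "mykey1") to sorted long key IDs. Hex identifiers are taken
# as-is, so no keyring is needed when .gpg-id already holds key IDs.
expected_recipients() {
  local id
  while read -r id || [ -n "$id" ]; do
    id="${id#0x}"
    case "$id" in '' | '#'*) continue ;; esac
    if printf '%s' "$id" | grep -Eq '^([0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$'; then
      printf '%s\n' "$(printf '%s' "$id" | tail -c 16)"
    else
      gpg --batch --list-keys --with-colons -- "$id" 2>/dev/null \
        | awk -F: '$1 == "pub" { print $5 }'
    fi
  done < "$1" | tr 'a-f' 'A-F' | sort -u
}

# Items of list $1 that are not in list $2 (whitespace-separated key IDs).
set_minus() {
  local x y
  for x in $1; do
    for y in $2; do
      [ "$x" = "$y" ] && continue 2
    done
    printf '%s\n' "$x"
  done
  return 0
}

# Report one secret. EXTRA is the dangerous case (a key outside .gpg-id can
# decrypt it); MISSING means a listed key cannot. Both lists are key IDs, so
# this can be fed parsed output directly, without gpg.
compare_recipients() {
  local file="$1" expected="$2" actual="$3" extra missing
  extra=$(set_minus "$actual" "$expected")
  missing=$(set_minus "$expected" "$actual")
  if [ -n "$extra" ]; then
    printf 'EXTRA %s %s\n' "$file" "$(printf '%s' "$extra" | tr '\n' ' ')"
  elif [ -n "$missing" ]; then
    printf 'MISSING %s %s\n' "$file" "$(printf '%s' "$missing" | tr '\n' ' ')"
  else
    printf 'OK %s\n' "$file"
  fi
}

# Audit one secret, then every *.gpg under a store.
audit_secret() {
  local store="$1" file="$2" gpgid
  if ! gpgid=$(nearest_gpg_id "$store" "$file"); then
    printf 'NO-GPG-ID %s\n' "$file"
    return 0
  fi
  compare_recipients "${file#"$store"/}" \
    "$(expected_recipients "$gpgid")" "$(recipients_of_file "$file")"
}

audit_store() {
  local store="$1" f
  find "$store" -type f -name '*.gpg' | sort | while read -r f; do
    audit_secret "$store" "$f"
  done
}

# Usage: sh audit-gpg-id.sh [store-dir]  (default: $PASSWORD_STORE_DIR)
if [ "$#" -gt 0 ] || [ -d "$STORE" ]; then
  audit_store "${1:-$STORE}"
fi
```

Run against the store from the report and api/smth3.gpg shows up as `EXTRA api/smth3.gpg CB6FC1F250432CDC` while smth1.gpg and api/smth5.gpg report `OK`; the same check after `gopass fsck` or a re-encryption tells you whether the unwanted recipient is really gone. Because `.gpg-id` written by `pass init mykey1` contains the user ID rather than a key ID, the resolution step needs the keyring; the parsing and comparison functions do not.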
