New recipients not syncing public keys

[akadaedalus]

Summary

Add recipients not adding new keys in .public-keys or importing them

Steps To Reproduce

gopass recipients add
gopass sync

second machine:
gopass sync
gopass recipients

output:

Don't really want to paste my recipients list but I get the last line:
└── XXXXXXXXXXXXXXXXXXXXXXXXXXXXX (missing public key)

Expected behavior

Automatic import of new keys

Environment

Observed on two machines:
OS: Gentoo on WSL

$ uname -a
Linux SurfacePro4 5.10.16.3-microsoft-standard-WSL2 #1 SMP Fri Apr 2 22:23:49 UTC 2021 x86_64 Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz GenuineIntel GNU/Linux

$ gopass version
gopass 1.8.6-git+HEAD go1.12.13 linux amd64
- gpg 2.2.19 - git 2.24.1 - fs 0.1.0
Available Crypto Backends: gpgcli, openpgp, plain, xc
Available RCS Backends: gitcli, noop
Available Storage Backends: fs, inmem

OS: Gentoo on desktop

$ uname -a
Linux tobiko 5.10.52-gentoo #1 SMP Tue Aug 17 15:37:44 MDT 2021 x86_64 Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz GenuineIntel GNU/Linux

$ gopass version
gopass 1.12.7 (2021-08-11 20:05:33) go1.16.7 linux amd64
- gpg 2.2.27 - git 2.31.1
Available Crypto Backends: age, gpgcli, plain
Available Storage Backends: fs, gitfs

Both versions installed from source via Gentoo ebuild

Additional context

I have been seeing this since the beginning of the year. My only resolution was to manually add the keys to .public-keys and importing them on the other machines with gpg. I have 11 keys spread across various devices.

[theryaz]

I am having the exact same issue

[dominikschulz]

This should work. Might be a regression :/

[akadaedalus]

I forgot about this issue, really. I have a workaround and I don't add devices that often.

Reproduced it in version 1.13.0 (latest Gentoo version). I can bump it to 1.13.1 if you need me to provide debug data.

[AnomalRoil]

What does gopass config say?

Is autoimport set to true?

And are the key properly located in their .public-key folder in your password store after adding them?

[akadaedalus]

As described before, I had to manually add the key to .public-key to work around the issue. I did not see it in there when I reproduced it yesterday. My config:

apalmer@sake:~$ gopass config
autoclip: false
autoimport: true
cliptimeout: 45
exportkeys: false
nopager: false
notifications: true
parsing: true
path: /home/apalmer/.password-store
safecontent: true

Actually, this cluestick was hidden in the exportkeys config. I changed that to true and synced it. That part worked but it's still not right.

apalmer@sake:~ $ gopass config exportkeys true
exportkeys: true

apalmer@sake:~ $ gopass config                
autoclip: false
autoimport: true
cliptimeout: 45
exportkeys: true
nopager: false
notifications: true
parsing: true
path: /home/apalmer/.password-store
safecontent: true

apalmer@sake:~ $ gopass recipients add        
<snip>
[ 5] 0x9710D274011CA739 - Test Key (Test Key for gopass) <testkey@example.com>
<snip>

Add Recipient - (q to abort) [0]: 5
5
Do you want to add "0x9710D274011CA739 - Test Key (Test Key for gopass) <testkey@example.com>" (key "0x9710D274011CA739") as a recipient to the store ""? [y/N/q]: y
Reencrypting existing secrets. This may take some time ...
Starting reencrypt
] 156 / 156 [Gooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooopass] 100.00% 

Added 1 recipients
You need to run 'gopass sync' to push these changes

apalmer@sake:~ $ ls .password-store/.public-keys/*39
.password-store/.public-keys/0x9710D274011CA739

apalmer@sake:~ $ gopass sync
🚥 Syncing with all remotes ...
[<root>] 
   git pull and push ... OK (no changes)
   importing missing keys ... OK
   exporting missing keys ... nothing to do
   done
✅ All done

But it still didn't import on the other system despite autoimport being set to true. On the other system...

apalmer@tobiko:~ $ gopass sync
🚥 Syncing with all remotes ...
[<root>] 
   git pull and push ... OK (no changes)nothing to do
   done
✅ All done

apalmer@tobiko:~ $ gopass recipients
Hint: run 'gopass sync' to import any missing public keys
gopass
<snip>
├── 0x9710D274011CA739 (missing public key)
<snip>

apalmer@tobiko:~ $ gopass config
autoclip: true
autoimport: true
cliptimeout: 45
exportkeys: false
nopager: false
notifications: true
parsing: true
path: /home/apalmer/.password-store
safecontent: false

apalmer@tobiko:~$ ls .password-store/.public-keys/*39
.password-store/.public-keys/0x9710D274011CA739

[akadaedalus]

I ran one more test, this time setting exportkeys to true on the second server. This time it worked.

apalmer@tobiko:~ $ gopass config exportkeys true
exportkeys: true

apalmer@tobiko:~ $ gopass sync
🚥 Syncing with all remotes ...
[<root>] 
   git pull and push ... OK (no changes)
   importing missing keys ... ❌ [] Failed to get public key for 0x9710D274011CA739: exit status 2: tru::1:1630087464:0:3:1:5
|gpg: error reading key: No public key

[] Imported public key for 0x9710D274011CA739 into Keyring
OK
   exporting missing keys ... nothing to do
   done
✅ All done

apalmer@tobiko:~ $ gopass recipients
Hint: run 'gopass sync' to import any missing public keys
gopass
<snip>
├── 0x9710D274011CA739 - Test Key (Test Key for gopass) <testkey@example.com>
<snip>

I will still call this a bug for several reasons:

• Changing the behavior of the software between versions is nonsensical, especially when I can't always have the same version on each machine. This is not the first time I've had this frustration (the flags to gopass show specifically). exportkeys should have been true by default to emulate behavior of the previous versions.
• I can accept that exportkeys needs to be true for new keys to be placed in .public-keys but I cannot accept that it needs to be set for import on other machines. autoimport needs to control that alone.
• It should probably suppress this error message on auto import. I suspect this is the exportkeys logic importing the key in a roundabout way:

[] Failed to get public key for 0x9710D274011CA739: exit status 2: tru::1:1630087464:0:3:1:5
|gpg: error reading key: No public key

[AnomalRoil]

This is definitively a bug.

We will need to discuss whether it makes sense to really have these two config options and make sure their behaviour is what we expect.

Also, we usually try to have sane default settings and to import the previous config in a compatible way when we add or change the config. It's also a bug that the behaviour changed on your machine by changing the version. Do you know when it changed? With which version?

[akadaedalus]

I don't recall when the behavior changed, unfortunately. If I had to guess via git history it probably worked in September 2019 and failed in December 2020.. The various changes in copying to a clipboard were much more visible and confusing.

Don't get me wrong, I really like this product. I've been using O.G. zx2c4 password-store since 2013 and replaced it with gopass in January 2019. It syncs over quite a few Linux, Windows, and Android devices. Thanks.

[dominikschulz]

You did make some good points in #1980 (comment).

• I'm not sure what behaviour changed how, maybe this was not intentional. But historically we did add features / flags without too much planning and discussion and that led to an overloaded interface w/o clear defintions. We have tried to improve that by documenting the intended CLI behaviour and common use cases that we want to support. But this is probably still incomplete. And the implementation might diverge from the definition. This is a lot of work, any help (like New recipients not syncing public keys #1980 (comment)) is appreciated.
• exportkeys should not be necessary to import keys if autoimport is set to true. This is a bug.
• The error message should be suppressed, this is another bug.

Also I wonder if we (still) need both of exportkeys and autoimport.