AGWA / git-crypt

Transparent file encryption in git
https://www.agwa.name/projects/git-crypt/
GNU General Public License v3.0

git-crypt unlock doesn't recognize my GPG key (workaround described) #188

Open j3pic opened 4 years ago

j3pic commented 4 years ago

My workflow:

  1. I generated a GPG key pair on my laptop (macOS High Sierra) and exported the private key to a second computer.
  2. On the second computer (Ubuntu 18.04), I ran the following commands (git-crypt version 0.6.0 is installed on both machines):

       git-crypt init
       git-crypt add-gpg-user <my-userid>

  3. I created and committed a .gitattributes file.
  4. I created and committed a test file that matched the .gitattributes file.
  5. I pushed the resulting branch to GitHub.
  6. Returning to my laptop, I fetched and checked out the branch, then attempted to run:

       git-crypt unlock

The result:

Error: no GPG secret key available to unlock this repository.
To unlock with a shared symmetric key instead, specify the path to the symmetric key as an argument to 'git-crypt unlock'.

I found the key that was generated by git-crypt add-gpg-user and was able to manually decrypt it with gpg --decrypt < .git-crypt/keys/default/0/FOOBAR.gpg, where FOOBAR.gpg is the name of the file that was generated. This gave me the symmetric key that is supposed to be automatically handled by the tool.

The following workaround is therefore possible:

#!/bin/sh
#
# git-crypt-unlock - Work around a bug in git-crypt.
#
# This will unlock the repo even though git-crypt can't do it. May not be
# as secure as git-crypt's correct implementation would be.

set -u
umask 077

# Decrypt into a private temporary file outside the work tree, and make
# sure it is removed however the script exits, so the plaintext key is
# never left lying around in the repository (or committed by accident).
KEYFILE=$(mktemp "${TMPDIR:-/tmp}/git-crypt-key.XXXXXX") || exit 1
trap 'rm -f "$KEYFILE"' EXIT

# Try each GPG-encrypted copy of the repository key; the first one that
# one of our secret keys can decrypt is handed to git-crypt unlock.
for FILE in .git-crypt/keys/default/*/*.gpg; do
  [ -f "$FILE" ] || continue
  if gpg --decrypt < "$FILE" > "$KEYFILE"; then
    git-crypt unlock "$KEYFILE"
    exit $?
  fi
done

echo "git-crypt-unlock: none of the keys in .git-crypt/keys/default could be decrypted" >&2
exit 1

cklll commented 4 years ago

I had a similar problem: git-crypt didn't try my gpg key to unlock the repo. But the repro is slightly more complicated.

Repro

  1. Have 2 git-crypt environments (prod and staging).
  2. Have 2 gpg key pairs (both yubikey).
  3. Use the gpg keychain app; check that both gpg key entries have sec/pub.
  4. Plug in my staging yubikey key ONLY.

Result

Looks like it ONLY attempts to unlock using my production gpg secret key, as it thinks I have access to its secret key. But what I wanted was to use the staging gpg key to unlock.

Workaround

In the gpg keychain, delete the secret key for the production gpg key pair and ensure it shows pub. Then I can unlock the vault with the staging yubikey/gpg key.
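Both reports above come down to the same question: which of the GPG-encrypted copies of the repository key under .git-crypt/keys can this machine actually decrypt, and is the secret key the keyring claims to have really present or only a stub pointing at a smartcard that may not be plugged in. The script below is an added diagnostic written for this page; it is not code from the issue, from j3pic or cklll, or from the git-crypt project. It lists, for each key file, the recipient key ID and one of ondisk / card:<serial> / stub / absent. It assumes gpg 2.x output formats: `gpg --list-packets` printing ':pubkey enc packet: ... keyid XXXXXXXXXXXXXXXX' lines, and `gpg --with-colons --list-secret-keys` emitting sec/ssb records with the key ID in field 5 and the token serial number (or '#' for a bare stub) in field 15. The packet listing and keyring records embedded in it are constructed samples, not captured from a real machine, so the classification can be exercised without gpg or a repository.

```shell
#!/bin/sh
# git-crypt-keycheck: for each GPG-encrypted copy of the git-crypt repository
# key, print the recipient key ID and whether this machine can use the
# matching secret key. Added diagnostic, not part of git-crypt.
#
# Assumptions (gpg 2.x output formats):
#   gpg --list-packets prints ":pubkey enc packet: version 3, algo 1, keyid <16 hex>"
#   gpg --with-colons --list-secret-keys prints sec/ssb records with the key ID
#   in field 5 and the token serial number (or "#" for a bare stub) in field 15.

# Print the recipient key ID(s) found in `gpg --list-packets` output on stdin.
recipient_keyids() {
  sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]\{16\}\).*/\1/p'
}

# Classify key ID $1 against the `--with-colons` secret-key listing on stdin:
#   ondisk        secret key material is in the keyring
#   card:<serial> only a stub pointing at a smartcard/YubiKey with that serial
#   stub          a stub with no card ("#"), i.e. no usable secret key
#   absent        no sec/ssb record for this key ID at all
secret_key_status() {
  awk -F: -v want="$1" '
    ($1 == "sec" || $1 == "ssb") && toupper($5) == toupper(want) {
      if ($15 == "#") { print "stub" }
      else if ($15 != "") { print "card:" $15 }
      else { print "ondisk" }
      found = 1
      exit
    }
    END { if (!found) print "absent" }'
}

# Constructed sample data (not captured from a real machine): one key file
# encrypted to subkey FEDC..., and a keyring holding one card-backed key,
# one on-disk key and one bare stub.
SAMPLE_PACKETS=':pubkey enc packet: version 3, algo 1, keyid FEDCBA9876543210
:encrypted data packet:
 length: 80'
SAMPLE_SECRETS='sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESC:::D2760001240102010006000000010000::::::0:
ssb:u:4096:1:FEDCBA9876543210:1600000000::::::e:::D2760001240102010006000000010000::::::0:
sec:u:4096:1:1111222233334444:1600000000:::u:::scESC::::::::::0:
ssb:u:4096:1:5555666677778888:1600000000::::::e::::::::::0:
sec:u:4096:1:AAAABBBBCCCCDDDD:1600000000:::u:::scESC:::#::::::0:'

# Classify every recipient in one packet listing ($1) against one
# secret-key listing ($2); prints "<keyid><TAB><status>" per recipient.
classify_listing() {
  for kid in $(printf '%s\n' "$1" | recipient_keyids); do
    printf '%s\t%s\n' "$kid" "$(printf '%s\n' "$2" | secret_key_status "$kid")"
  done
}

# Walk the real key files; only used when run inside a git-crypt repository.
report_repo_keys() {
  secrets=$(gpg --batch --with-colons --list-secret-keys 2>/dev/null)
  for f in .git-crypt/keys/*/*/*.gpg; do
    [ -f "$f" ] || continue
    pkts=$(gpg --batch --list-only --list-packets "$f" 2>/dev/null)
    classify_listing "$pkts" "$secrets" | while IFS= read -r line; do
      printf '%s\t%s\n' "$f" "$line"
    done
  done
}

if [ -d .git-crypt/keys ]; then
  report_repo_keys
else
  classify_listing "$SAMPLE_PACKETS" "$SAMPLE_SECRETS"
fi
```

Run it from the top of the checkout. A row whose status is card:<serial> for a card that is not inserted is the situation cklll describes: the keyring lists a secret key, but nothing on this machine can decrypt with it. A row reading ondisk, or card:<serial> for the card that is plugged in, names the key file worth decrypting by hand and passing to `git-crypt unlock <keyfile>`, as in j3pic's workaround.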