AGWA / git-crypt

Transparent file encryption in git
https://www.agwa.name/projects/git-crypt/
GNU General Public License v3.0

Cannot use git crypt with sudo #242

Closed akademsubotnik closed 2 years ago

akademsubotnik commented 2 years ago

$ sudo git crypt init
... Generating key
$ git crypt add-gpg-user abc@gmx.com
... git-crypt: Error: Unable to open key file - have you unlocked/initialized this repository yet?

$ git crypt init
... Generating key ...
$ sudo git crypt add-gpg-user abc@gmx.com
... gpg: error reading key: No public key
Error: public key for 'abc@gmx.com' not found in your GPG keyring

$ sudo git crypt add-gpg-user abc@gmx.com
(does not work, even if `sudo git crypt init` is run)
... gpg: error reading key: No public key
Error: public key for 'abc@gmx.com' not found in your GPG keyring

alerque commented 2 years ago

This isn't really a problem with git-crypt so much as with gpg. By using sudo you are changing some environment variables and working with the root keychain instead of your own.

You either need to set up GPG stuff under the root user or stop running it under sudo. You can't mix and match and expect a root process to use your user's keyring; that will just get your system all screwed up.

akademsubotnik commented 2 years ago

Is there any downside to adding a gpg key that I created with my user account to my root gpg keychain? I am thinking I can add the gpg key that I created with my user account to my root keychain, then I will have the gpg key I created with my user account in both my user keychain and root keychain.

alerque commented 2 years ago

There are lots of downsides to doing security-sensitive things as the root user instead of in a user account. You greatly increase the vulnerable surface area and the scope of damage that can be done if something goes wrong. However, such discussions are out of scope for this git-crypt issue tracker. If you are already managing your repo as the root user then you've already opened that Pandora's box anyway; adding a user key to the root env isn't making it substantially worse.

Again my main point is this is not a git-crypt issue. If you are having the repo be managed by root of course the GPG key needs to be in the root keyring — git-crypt only cares that the git user has access to the right gpg keys. It is your job to make them match. My suggestion is do both as a user and nothing as root. If you do both as root that will get the job done too and the extra issues that go along with doing stuff as root are on you.
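The keyring mismatch described in the two replies above, as an added example that is not part of the git-crypt project or of this thread. It assumes a POSIX shell, GnuPG 2.x (`gpg` and `gpgconf`) and `sudo` are installed, and a sudoers configuration whose `env_reset` gives root its own `HOME` (so `GNUPGHOME` from the calling user is dropped). The key id `abc@gmx.com` is the one from the question; the function names are my own. The script shows which GnuPG home each side actually uses, whether the key is visible in each, and, if you choose the "do both as root" route, copies only the public key into root's keyring.

```shell
#!/bin/sh
# Added example, not git-crypt code: compare the GnuPG keyring gpg uses for
# the invoking user with the one it uses under sudo, and check a key id in each.

# GnuPG's rule for its home directory: $GNUPGHOME if set, else $HOME/.gnupg.
# Pure function (no gpg call) so the rule can be checked on its own.
gnupg_home_for() {
    home="$1"
    gnupghome="${2:-}"
    if [ -n "$gnupghome" ]; then
        printf '%s\n' "$gnupghome"
    else
        printf '%s/.gnupg\n' "$home"
    fi
}

# Ask gpg itself where its home is. "$@" is a command prefix: empty for the
# current user, "sudo" to see what a root process gets after env_reset.
actual_gnupg_home() {
    "$@" gpgconf --list-dirs homedir 2>/dev/null
}

# Exit 0 if KEYID is in the keyring seen by a "$@"-prefixed gpg, else 1.
key_in_keyring() {
    keyid="$1"
    shift
    "$@" gpg --batch --list-keys "$keyid" >/dev/null 2>&1
}

# Print both views side by side: this is the check to run when
# `sudo git-crypt add-gpg-user` says the key is not in "your" keyring.
report() {
    keyid="$1"
    printf 'user (%s): home=%s key=%s\n' "$(id -un)" \
        "$(actual_gnupg_home)" \
        "$(key_in_keyring "$keyid" && echo present || echo missing)"
    printf 'root (sudo): home=%s key=%s\n' \
        "$(actual_gnupg_home sudo)" \
        "$(key_in_keyring "$keyid" sudo && echo present || echo missing)"
}

# The "do both as root" route from the thread: export the PUBLIC key from the
# user's keyring and import it into root's, so a root-run git-crypt can find
# it. The private key is not exported and stays with the user.
copy_pubkey_to_root() {
    keyid="$1"
    gpg --batch --export --armor "$keyid" | sudo gpg --batch --import
}

# Usage:  sh keyring-check.sh abc@gmx.com          (report only)
#         sh keyring-check.sh --copy abc@gmx.com   (import public key into root's keyring)
# With no arguments the script only defines the functions above.
case "${1:-}" in
    "") ;;
    --copy) copy_pubkey_to_root "$2" ;;
    *) report "$1" ;;
esac
```

When `report` shows the key present for the user and missing for root, you are in exactly the situation the thread describes. The cleaner fix is still the one alerque recommends: run `git-crypt init` and `git-crypt add-gpg-user` as the same unprivileged user that owns the repository, and leave sudo out of it; `copy_pubkey_to_root` is only for the case where the repository is genuinely administered as root.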

akademsubotnik commented 2 years ago

Thanks @alerque