Closed habibalamin closed 1 year ago
Figured it out; git-crypt uses the gpg binary, not gpg2, and my gpg points to the Homebrew one, whereas gpg2 points to the MacGPG2 binary. gpg is around 2.3 or something and gpg2 2.0.something, but I think I got used to specifying gpg2 from back when the gpg shipped by Homebrew was GPG 1.
When I use either version on the command line, they both show all the keys created from either version, but evidently, keys created by gpg2 don't work with gpg (2.3) (and maybe vice versa too, I haven't tested that way around).
The fix in my case is to simply use the gpg command instead of gpg2 when creating my GPG key pair.
Was git-crypt installed via Homebrew too? In that case we should make sure it gets paired with the gpg provided by Homebrew.
Yes, it was.
Unfortunately this project doesn't seem to have any sort of configure tooling, so there isn't a way for the packaging to configure this at build time without just patching the hard coded default value.
That being said, there does seem to be a way to configure which GPG to use at run time, and that is using the git config system:
https://github.com/AGWA/git-crypt/blob/08dbdcfed4fb182c0efaacb32a6c46481ced095b/gpg.cpp#L40
It sounds though like its current defaults are good and your OTHER gpg usage should be what is adapted anyway.
Here's an example shell session. I've broken up the dump so it's easier to see what's going on where, but it's all one session.
Set up git-crypt:
Add encrypted file:
View the key, unencrypted in .git/git-crypt/keys/default, and GPG encrypted, but decryptable to the same value, in git-crypt/keys/default/0/$GPG_PUBKEY_LONG_ID.gpg:
View the encrypted but unlocked file:
Lock the repo and view the locked file:
Try to unlock the repo again:
Manually decrypt the symmetric key encrypted by the asymmetric key and save it to the default location .git/git-crypt/keys/default:
You see the stderr, but that's not a problem, the stdout went to the file. Try unlocking the repo again:
It still fails. Try specifying the symmetric key:
Success! Try viewing the unlocked file:
Success! Lock again and attempt unlock:
Same result. See what's up with the agent since it's giving me weird warnings?:
Okay, let's restart it:
Attempt to unlock the repo again:
Hmm, no more GPG agent warnings, but still failure to unlock the repo. View the file to see it's still locked:
As you can see, all the data is there and I'm using the right key, as I can specify the default symmetric key file to get git-crypt(1) to skip the decryption of the GPG encrypted key files if I manually do that first, but when I try to just say git crypt unlock, it fails to find the GPG secret key, even though I just created it right before testing with this brand new repo.