AGWA / git-crypt

Transparent file encryption in git
https://www.agwa.name/projects/git-crypt/
GNU General Public License v3.0

Can't unlock after lock on fresh repo #272

Closed habibalamin closed 1 year ago

habibalamin commented 1 year ago

Here's an example shell session. I've broken up the dump so it's easier to see what's going on where, but it's all one session.

Set up git-crypt:

$ git init
Initialized empty Git repository in /home/user/code/repo/.git/
$ git crypt init
Generating key...
$ git crypt add-gpg-user $GPG_PUBKEY_SHORT_ID
[master (root-commit) a1b2c3d] Add 1 git-crypt collaborator
 2 files changed, 4 insertions(+)
 create mode 100644 .git-crypt/.gitattributes
 create mode 100644 .git-crypt/keys/default/0/GPG_PUBKEY_LONG_ID.gpg

Add encrypted file:

$ echo 'test.txt filter=git-crypt diff=git-crypt' > .gitattributes
$ git add .gitattributes
$ echo test > test.txt
$ git add test.txt
$ git cm -m test
[master a1b2c3e] test
 2 files changed, 1 insertion(+)
 create mode 100644 .gitattributes
 create mode 100644 test.txt

View the key, unencrypted in .git/git-crypt/keys/default, and GPG encrypted, but decryptable to the same value, in .git-crypt/keys/default/0/$GPG_PUBKEY_LONG_ID.gpg:

$ cat .git-crypt/keys/default/0/$GPG_PUBKEY_LONG_ID.gpg

g 

pg
     £Nc    rYpt 

   3d    k3y
$ cat .git/git-crypt/keys/default
un 3ncReptd k3y
$ gpg2 --decrypt .git-crypt/keys/default/0/4D8D8B36117F0A79F3ED40241E0ABCCCC9D1B382.gpg
un 3ncReptd k3y

View the encrypted but unlocked file:

$ cat test.txt
test

Lock the repo and view the locked file:

$ git crypt lock
$ cat test.txt
GITCRYPTg4rb4G3

Try to unlock the repo again:

$ git crypt unlock
gpg: WARNING: server 'gpg-agent' is older than us (2.0.30 < 2.3.8)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: problem with fast path key listing: IPC parameter error - ignored
Error: no GPG secret key available to unlock this repository.
To unlock with a shared symmetric key instead, specify the path to the symmetric key as an argument to 'git-crypt unlock'.

Manually decrypt the symmetric key encrypted by asymmetric key and save to default location .git/git-crypt/keys/default:

$ gpg2 --decrypt .git-crypt/keys/default/0/$GPG_PUBKEY_LONG_ID.gpg 1>.git/git-crypt/keys/default
gpg: encrypted with 2048-bit RSA key, ID A1B2C3D4, created 1970-01-01
      "GPG Key Full Name (GPG key comment) <gpgkey@email.com>"

You see the stderr, but that's not a problem, the stdout went to the file. Try unlocking the repo again:

$ git crypt unlock
gpg: WARNING: server 'gpg-agent' is older than us (2.0.30 < 2.3.8)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: problem with fast path key listing: IPC parameter error - ignored
Error: no GPG secret key available to unlock this repository.
To unlock with a shared symmetric key instead, specify the path to the symmetric key as an argument to 'git-crypt unlock'.

It still fails. Try specifying the symmetric key:

$ git crypt unlock .git/git-crypt/keys/default

Success! Try viewing the unlocked file:

$ cat test.txt
test

Success! Lock again and attempt unlock:

$ git crypt lock
$ git crypt unlock
gpg: WARNING: server 'gpg-agent' is older than us (2.0.30 < 2.3.8)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: problem with fast path key listing: IPC parameter error - ignored
Error: no GPG secret key available to unlock this repository.
To unlock with a shared symmetric key instead, specify the path to the symmetric key as an argument to 'git-crypt unlock'.

Same result. See what's up with the agent since it's giving me weird warnings?:

$ gpg-agent
gpg-agent[12345]: gpg-agent running and available

Okay, let's restart it:

$ gpgconf --kill gpg-agent
$ gpg-agent
gpg-agent[12349]: no gpg-agent running in this session
$ gpg-agent --daemon
$ gpg-agent
gpg-agent[12351]: gpg-agent running and available

Attempt to unlock the repo again:

$ git crypt unlock
Error: no GPG secret key available to unlock this repository.
To unlock with a shared symmetric key instead, specify the path to the symmetric key as an argument to 'git-crypt unlock'.

Hmm, no more GPG agent warnings, but still failure to unlock the repo. View the file to see it's still locked:

$ cat test.txt
GITCRYPTg4rb4G3

As you can see, all the data is there and I'm using the right key, as I can specify the default symmetric key file to get git-crypt(1) to skip the decryption of the GPG encrypted key files if I manually do that first, but when I try to just say git crypt unlock, it fails to find the GPG secret key, even though I just created it right before testing with this brand new repo.

habibalamin commented 1 year ago

Figured it out; git-crypt uses gpg, not gpg2 binary, and my gpg points to the Homebrew one, whereas gpg2 points to the MacGPG2 binary. gpg is around 2.3 or something and gpg2 2.0.something, but I think I got used to specifying gpg2 from back when gpg shipped by Homebrew was GPG 1.

When I use either version on the command line, they both show all the keys created from either version, but evidently, keys created by gpg2 don't work with gpg (2.3), (and maybe vice versa too, I haven't tested that way around).

The fix in my case is to simply use the gpg command instead of gpg2 when creating my GPG key pair.

alerque commented 1 year ago

Was git-crypt installed via Homebrew too? In that case we should make sure it gets paired with the gpg provided by Homebrew.

habibalamin commented 1 year ago

Yes, it was.

alerque commented 1 year ago

Unfortunately this project doesn't seem to have any sort of configure tooling, so there isn't a way for the packaging to configure this at build time without just patching the hard-coded default value.

That being said there does seem to be a way to configure which GPG to use at run time, and that is using the git config system:

https://github.com/AGWA/git-crypt/blob/08dbdcfed4fb182c0efaacb32a6c46481ced095b/gpg.cpp#L40

It sounds though like its current defaults are good and your OTHER gpg usage should be what is adapted anyway.
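A small diagnostic for the gpg/gpg2 mismatch worked out in this thread, added here as an example and not code from git-crypt itself: it reports which gpg binary git-crypt will invoke and whether that binary holds a secret key for each recipient file under .git-crypt/keys. It assumes, per the gpg.cpp line linked above, that git-crypt honours git's gpg.program setting and otherwise runs gpg from PATH; the function names (check_repo, has_secret_key, and so on) are the example's own.

```shell
#!/bin/sh
# Added example (not part of git-crypt). Reports which gpg binary git-crypt
# will run and whether it has the secret key for each recipient listed as
# .git-crypt/keys/<keyname>/0/<fingerprint>.gpg in the repository.
# Assumption: git-crypt uses git's gpg.program setting, else "gpg" on PATH.

# The gpg binary git-crypt will invoke: gpg.program if set, otherwise "gpg".
resolve_gpg_program() {
    prog=$(git config gpg.program 2>/dev/null || true)
    if [ -n "$prog" ]; then printf '%s\n' "$prog"; else printf 'gpg\n'; fi
}

# Recipient fingerprint encoded in an encrypted key file's name.
keyfile_fingerprint() {
    f=${1##*/}
    printf '%s\n' "${f%.gpg}"
}

# Returns 0 if gpg binary $1 holds a secret key for fingerprint $2.
# In --with-colons output, secret keys appear as "sec:" records.
has_secret_key() {
    "$1" --batch --with-colons --list-secret-keys "$2" 2>/dev/null |
        grep -q '^sec:'
}

# One verdict per encrypted key file in the repo at $1 (default: cwd).
check_repo() {
    repo=${1:-.}
    gpg_bin=$(resolve_gpg_program)
    printf 'git-crypt will invoke: %s (%s)\n' "$gpg_bin" \
        "$(command -v "$gpg_bin" 2>/dev/null || echo 'not on PATH')"
    "$gpg_bin" --version 2>/dev/null | head -n 1
    for kf in "$repo"/.git-crypt/keys/*/0/*.gpg; do
        [ -e "$kf" ] || { echo "no encrypted key files under $repo/.git-crypt"; return 1; }
        fpr=$(keyfile_fingerprint "$kf")
        if has_secret_key "$gpg_bin" "$fpr"; then
            printf 'OK      %s: secret key present in %s\n' "$fpr" "$gpg_bin"
        else
            printf 'MISSING %s: no secret key in %s (held by a different gpg?)\n' "$fpr" "$gpg_bin"
        fi
    done
}

# Usage: sh gpgcheck.sh /path/to/repo   (no argument: only define functions)
[ $# -eq 0 ] || check_repo "$1"
```

A MISSING verdict alongside a key that gpg2 --list-secret-keys does show is exactly the symptom above: the key lives in the keyring of a gpg that git-crypt never runs.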