AGWA / git-crypt

Transparent file encryption in git
https://www.agwa.name/projects/git-crypt/
GNU General Public License v3.0

git-crypt fails to add-gpg-user when gpg.program is set to gpgsm #302

Closed btdonovan closed 5 months ago

btdonovan commented 5 months ago

gpgsm is a part of gnupg that allows gpg operations using x509 certs signed by a certificate authority.

gpgsm commands are fairly similar to gpg commands, with some differences. For example, the gpg_get_uid function in gpg.cpp uses the option --fixed-list-mode, which is not available in gpgsm.

Using git-crypt add-gpg-user <UID> or 0xFPR fails with Error: public key for '<UID> or 0xFPR' not found in your GPG keyring.

I think the problem is that x509 keys in the gpgsm public keyring don't have a pub entry, they have a crt entry that appears to have the same fields. The key bit length is in column 2, the usage is in column 11, etc.

In gpg_lookup_key in gpg.cpp, it appears is_pubkey is set to true only for rows where line.substr(0, 4) == "pub:". Adding an additional else if checking for "crt:" and setting is_pubkey to true should let it use gpgsm, although gpg_get_uid may still be broken because of the --fixed-list-mode argument.

btdonovan commented 5 months ago

--fixed-list-mode is the default in GnuPG 2.0.10 and later, so that is probably why it is not included in gpgsm. The output of --with-colons from gpgsm appears to match what would be generated by --fixed-list-mode. I believe gpg 1 doesn't have gpgsm included, so if the gpg.program option is set to gpgsm you can probably drop the --fixed-list-mode option safely.
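The parsing change proposed in the two comments above, worked through as an added example. This is not git-crypt's code and not the reporter's: it is a small stand-alone C++ parser for GnuPG `--with-colons` listings that treats both `pub:` (gpg, OpenPGP) and `crt:` (gpgsm, X.509) records as primary keys, and reads the user ID from column 9 of the `uid:` record the same way for both tools. The two listings are constructed samples shaped like the output of `gpg --with-colons --fingerprint --list-keys` and `gpgsm --with-colons --list-keys` (column layout per GnuPG's doc/DETAILS, values invented), not captures from a real keyring; `lookup_fingerprints`, `get_uid` and the `accept_x509` switch are names chosen here, not project API.

```cpp
// Added example, not git-crypt's own code: a --with-colons parser that accepts
// "pub:" and "crt:" as primary-key records. Sample listings are constructed.
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Constructed sample in the shape of `gpg --with-colons --fingerprint --list-keys`:
// a primary key, one user ID, and one subkey (whose fpr must not be returned).
const std::string kGpgListing =
    "tru::1:1700000000:0:3:1:5\n"
    "pub:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESC::::::23::0:\n"
    "fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:\n"
    "uid:u::::1600000000::AB97D6E3E5D8789988CA55E5F77E6E4BDE3A1C4E::"
    "John Smith <jsmith@example.com>::::::::::0:\n"
    "sub:u:4096:1:FEDCBA9876543210:1600000000::::::e::::::23:\n"
    "fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:\n";

// Constructed sample in the shape of `gpgsm --with-colons --list-keys`: the
// record type is "crt:" instead of "pub:", there are no "sub:" records, and the
// "fpr:" and "uid:" records keep the same columns (column 11 of crt = usage).
const std::string kGpgsmListing =
    "crt:u:3072:1:0011223344556677:20230101000000:20330101000000:1F2E3D4C::"
    "CN=Jane Doe,O=Example Corp,C=US::escaESCA:::::::::\n"
    "fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:\n"
    "uid:u::::::::CN=Jane Doe,O=Example Corp,C=US::\n"
    "uid:u::::::::<jdoe@example.com>::\n";

// Safe prefix test: compare() with pos 0 never throws on short lines.
static bool starts_with(const std::string& s, const std::string& prefix) {
    return s.compare(0, prefix.size(), prefix) == 0;
}

// Split one colon-separated record into its columns (0-based).
static std::vector<std::string> split(const std::string& line, char sep) {
    std::vector<std::string> fields;
    std::string field;
    std::istringstream in(line);
    while (std::getline(in, field, sep)) fields.push_back(field);
    return fields;
}

// Fingerprints of primary keys only. With accept_x509 == false this behaves
// like a "pub:"-only check and finds nothing in a gpgsm listing, which is the
// "public key ... not found" failure described in the issue.
std::vector<std::string> lookup_fingerprints(const std::string& listing,
                                             bool accept_x509 = true) {
    std::vector<std::string> fingerprints;
    std::istringstream in(listing);
    std::string line;
    bool is_pubkey = false;
    while (std::getline(in, line)) {
        if (starts_with(line, "pub:") || (accept_x509 && starts_with(line, "crt:"))) {
            is_pubkey = true;            // primary OpenPGP key or X.509 certificate
        } else if (starts_with(line, "sub:")) {
            is_pubkey = false;           // subkey: its fpr record is not the primary's
        } else if (is_pubkey && starts_with(line, "fpr:")) {
            std::vector<std::string> fields = split(line, ':');
            if (fields.size() >= 10) fingerprints.push_back(fields[9]);
        }
    }
    return fingerprints;
}

// First user ID: "Name <email>" for OpenPGP, the subject DN for X.509.
// Column 9 of the uid record in both cases, so no --fixed-list-mode is needed.
std::string get_uid(const std::string& listing) {
    std::istringstream in(listing);
    std::string line;
    while (std::getline(in, line)) {
        if (!starts_with(line, "uid:")) continue;
        std::vector<std::string> fields = split(line, ':');
        if (fields.size() >= 10) return fields[9];
    }
    return "";
}

int main() {
    for (const std::string& fpr : lookup_fingerprints(kGpgListing))
        std::cout << "gpg   fpr=" << fpr << " uid=" << get_uid(kGpgListing) << '\n';
    std::cout << "gpgsm, pub: only -> " << lookup_fingerprints(kGpgsmListing, false).size()
              << " keys found\n";
    for (const std::string& fpr : lookup_fingerprints(kGpgsmListing))
        std::cout << "gpgsm fpr=" << fpr << " uid=" << get_uid(kGpgsmListing) << '\n';
    return 0;
}
```

Two caveats when reusing this against real output: GnuPG escapes a literal colon inside a field as `\x3a`, so a DN containing a colon needs unescaping after the split, and gpgsm lists secret certificates under `crs:` rather than `crt:`, which the check above does not cover because the issue only concerns the public listing used by add-gpg-user.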