gopasspw / gopass

The slightly more awesome standard unix password manager for teams
https://www.gopass.pw/
MIT License

How to prolong expired public keys? #1430

Open robaca opened 4 years ago

robaca commented 4 years ago

Summary

Currently when a public key expires, replacing that key in the repository is not a straightforward task. It also seems that updated keys in .gpg-keys are not updated in other team members' keychains automatically on 'gopass sync', so that they still get errors and have to do it manually via a GPG import. For now at least some docs on how to perform such updates "the right way" would be great.

Expected behavior

There should be a command to update a public key in the repository from the local keyring or even better some convenience command that directly allows us to update the expiry date and keep changes in sync with the keyring. I would also expect that if a public key changed, the teammates are informed on the next sync and get supported on importing the new key.

Environment

dominikschulz commented 4 years ago

Yes, that seems like a reasonable request. GPG can be quite annoying in that regard.

resident-uhlig commented 2 years ago

We experience the same issue. Often the result is that previous recipients get deleted by accident and have to ask for access again despite the fact that they had uploaded the renewed public key. Maybe the config option autoimport could also import changed keys automatically?

flixr commented 2 years ago

So how do you actually update a key in the .public-keys dir in the repo? Re-adding the key via gopass recipients add doesn't update it...

dominikschulz commented 2 years ago

Likely a bug ...

flixr commented 2 years ago

Any hints on how to do that manually in the meantime?

Dominik Schulz @.***> wrote on Fri., 26 Aug 2022, 19:16:

Likely a bug ...


dominikschulz commented 2 years ago

Yes, you can export the updated public key into that directory using the correct name and commit the change.

However we won't automatically import/update the key.

danielcb commented 1 month ago

Just for clarification:

Meaning: If a key expires one has to manually update and commit e.g. .public-keys/some.user@example.com and each user of the repository has to gpg --import .public-keys/some.user@example.com?
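The manual procedure described in dominikschulz's reply above and restated in this question, written out as an added example (not gopass's own code or a script from this thread). It assumes the store is a git repository whose recipients' public keys live as ASCII-armored files named `.public-keys/<email>`, as the examples in this thread use; the store path and recipient id are passed as arguments. The maintainer's export-commit step is `refresh_public_key`; the teammate's side after a `gopass sync` (git pull) is `import_team_keys`. The helper `key_is_expired` checks the local keyring so you can tell whether the file in the repo or your keyring is the stale copy.

```shell
#!/bin/sh
# Added example: refresh a renewed public key in a gopass store and re-import
# teammates' keys. Layout assumption: <store>/.public-keys/<email> (from this thread).

# Path of the exported key file for a recipient (store dir, recipient id).
public_key_path() {
  printf '%s/.public-keys/%s\n' "$1" "$2"
}

# Exit 0 if the local keyring reports the primary key for $1 as expired
# (gpg colon output: record "pub", validity field "e" = expired).
key_is_expired() {
  gpg --batch --with-colons --list-keys "$1" 2>/dev/null \
    | awk -F: '$1 == "pub" && $2 == "e" { found = 1 } END { exit !found }'
}

# Maintainer side: export the (renewed) public key from the local keyring into
# the store under its canonical name, then commit it so `gopass sync` ships it.
refresh_public_key() {
  store=$1
  recipient=$2
  out=$(public_key_path "$store" "$recipient")
  mkdir -p "$(dirname "$out")"
  # Export to a temp file first so a failed export never truncates the old key.
  if ! gpg --batch --armor --export "$recipient" > "$out.tmp"; then
    rm -f "$out.tmp"
    return 1
  fi
  if [ ! -s "$out.tmp" ]; then
    rm -f "$out.tmp"
    echo "no public key for $recipient in the local keyring" >&2
    return 1
  fi
  mv "$out.tmp" "$out"
  git -C "$store" add "$out"
  git -C "$store" commit -m "Update public key for $recipient"
}

# Teammate side after `gopass sync`: import every key file the store carries.
# gpg merges a newer self-signature (new expiry) into an already-known key.
import_team_keys() {
  store=$1
  for f in "$store"/.public-keys/*; do
    [ -f "$f" ] || continue
    gpg --batch --import "$f"
  done
}

# Usage: ./refresh-key.sh <store-dir> <recipient-email>   (maintainer)
#        ./refresh-key.sh <store-dir>                     (teammate: import all)
if [ "$#" -ge 2 ]; then
  refresh_public_key "$1" "$2"
elif [ "$#" -eq 1 ]; then
  import_team_keys "$1"
fi
```

Because gopass does not re-import changed keys on sync (per the maintainer's reply), the `import_team_keys` step is what each teammate has to run; after it, `gpg --list-keys <email>` should no longer show the key as expired, and encrypting to that recipient works again without removing and re-adding them.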