gopasspw / gopass

The slightly more awesome standard unix password manager for teams
https://www.gopass.pw/
MIT License

Adding recipient to substore with age+git backend fails at git stage #2526

Open jmpolom opened 1 year ago

jmpolom commented 1 year ago

Summary

Adding a recipient to an age-encrypted gopass substore fails when gopass attempts to add re-encrypted files to the git repo.

Steps To Reproduce

  1. gopass clone --crypto age https://git.repo.com/path/to/pass.git test-pass-sub
  2. gopass ls to verify that substore is mounted at test-pass-sub
  3. Verify current recipients with gopass recipients
  4. Attempt to add new recipient with age key: gopass recipients add --store test-pass-sub age1<...>
  5. Reencryption should succeed but observe failure at the stage when changed items are added to git repo:
    Error: failed to add recipient "age1<...>": failed to add "test-pass-sub/secret.age" to git: exit status 128: fatal: pathspec 'test-pass-sub/secret.age' did not match any files
  6. Examine the state of the git repo with gopass git --store test-pass-sub status and notice many changed files not staged for commit.

To me it appears git is being called from the wrong directory or paths are being specified incorrectly. The issue can be manually corrected by adding the files with git add, committing and pushing; however, this should not be necessary.

Expected behavior

Recipient can successfully be added without git error and manual recovery, as appears to be the case for the "root" store.

Environment

Additional context

None.

poikilotherm commented 6 months ago

I just ran into the same bug using gopass 1.15.12.

dominikschulz commented 6 months ago

I fail to reproduce with 1.15.12, I'm afraid.

@jmpolom The instructions are good but I think I'm missing a few steps before 1. How do you initialize the root and sub stores?

poikilotherm commented 6 months ago

Hey! I started over and created a new reproducer. Here's what I did:

  1. Remove all Gopass from my user: rm -rf ~/.local/share/gopass ~/.config/gopass ~/.cache/gopass
  2. Add new root, but don't give a remote git: gopass-1-new-root
  3. Add a remote as mount. This repo was created fresh and empty on Github by me, so we will need to init the crypto of it, too: gopass-2-clone-remote gopass-3-init-crypto
  4. Now let's do a first sync: gopass-4-sync
  5. All done and well, let's add a test secret (test1234): gopass-5-add-test-secret
  6. Now let's add another recipient using age's sshkey feature: gopass-6-add-sshkey-recipient
  7. That did not work, but the recipient seems to be added anyway? gopass-7-list-recipients
  8. Let's add another secret so we can see if it will be encrypted for both recipients: gopass-8-add-second-secret
  9. Now let's see if we can decrypt it using age and giving the proper identity: gopass-9-cannot-decrypt-w-age

Obviously the secrets were never encrypted for the additional recipient. This can also be seen when looking at the age files in raw mode.

Here's a debug log of the step that failed when we added the recipient: gopass-reproducer-debug-log-add-github.log

Please let me know if I should try something else! Thanks for your help and this great project!
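Added example, not part of the comment above and not gopass code: a way to check from the raw file whether a secret was actually re-encrypted for every recipient, by listing the recipient stanzas in its age header. It assumes the secret is a binary (non-armored) age v1 file; `RecipientStanzas` is a hypothetical helper name and `sampleHeader` is constructed with placeholder values.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Constructed sample: header of an age v1 file with two recipient stanzas.
// The base64 values are placeholders, not real key material.
const sampleHeader = "age-encryption.org/v1\n" +
	"-> X25519 Q09OU1RSVUNURUQtRVBIRU1FUkFMLVNIQVJF\n" +
	"Q09OU1RSVUNURUQtV1JBUFBFRC1GSUxFLUtFWQ\n" +
	"-> ssh-ed25519 QUJDRA Q09OU1RSVUNURUQtRVBIRU1FUkFMLVNIQVJF\n" +
	"Q09OU1RSVUNURUQtV1JBUFBFRC1GSUxFLUtFWQ\n" +
	"--- Q09OU1RSVUNURUQtTUFD\n" +
	"<encrypted payload>"

// RecipientStanzas (hypothetical helper) returns the type of each recipient
// stanza ("X25519", "ssh-ed25519", ...) in the header of a binary age v1 file.
func RecipientStanzas(r io.Reader) ([]string, error) {
	sc := bufio.NewScanner(r)
	if !sc.Scan() || sc.Text() != "age-encryption.org/v1" {
		return nil, errors.New("not a binary age v1 file")
	}
	var types []string
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "---") { // MAC line ends the header
			return types, nil
		}
		if f := strings.Fields(line); len(f) >= 2 && f[0] == "->" {
			types = append(types, f[1])
		}
	}
	return nil, errors.New("header ended without MAC line")
}

func main() {
	types, err := RecipientStanzas(strings.NewReader(sampleHeader))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%d recipient stanzas: %v\n", len(types), types)
}
```

A secret that was written for only the original recipient shows a single stanza; after a successful re-encryption for an added SSH-key recipient, an additional ssh-ed25519 or ssh-rsa stanza should be present.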

AnomalRoil commented 3 days ago

I'll try to reproduce this now that I've touched much of the code handling this in #2960

poikilotherm commented 3 days ago

Thx for getting back to this @AnomalRoil ! Much appreciated!