Open TheLastProject opened 1 year ago
limiting the access of a GPG key is generally very lacking within gopass.
Yes, this is true. We do have limited support but it's not great. I usually tend to prefer having different mounts over different encryption keys for subdirs. But this is a valid bug and we should fix it.
Summary
To reduce exposure, we want to give some GPG keys only access to certain subdirectories. While gopass recipients doesn't support this, putting the key ID in a .gpg-id file in the directory works. Looking at #1842, this is intended to be supported. However, just setting up the .gpg-id file isn't enough to let teammates also encrypt. So, I wanted to add the same public key to the .public-keys/. However, gopass explicitly deletes this "extra key", even when explicitly committing it.
Steps To Reproduce
(The names of the key and project have been simplified)
Expected behavior
The .public-keys entry is retained to simplify encrypting for teammates. Instead, gopass explicitly removes it and even creates a commit to remove it if you explicitly made another commit.
Environment
Linux sos-ThinkPad-X1-Carbon-6th 5.19.0-35-generic #36~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 17 15:17:25 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Additional context
I might be misunderstanding the purpose of the .public-keys directory, but documentation on the whole concept of limiting the access of a GPG key (a "core" feature of regular pass) is generally very lacking within gopass. If there is a better way to do this, I'm all ears.
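The report above relies on two pieces of store layout: a .gpg-id file in a subdirectory narrows the recipient set for that subtree, and .public-keys/ is where exported public keys live so teammates can encrypt for those recipients. The script below is an added example, not gopass's own code: it resolves which .gpg-id governs a directory the pass-style way (nearest .gpg-id walking up to the store root) and reports any recipient whose key is not exported, which is exactly the gap the reporter hit. It assumes one key ID per line in .gpg-id and one file per recipient named .public-keys/<key-id>; the store it builds and the key IDs ALICE-KEY-ID / BOB-KEY-ID are constructed sample data.

```shell
#!/bin/sh
# Added example, not gopass code: resolve which .gpg-id governs a store
# directory (pass-style: the nearest .gpg-id walking up to the store root)
# and report recipients that have no exported key under .public-keys/.
# Assumptions: one recipient ID per line in .gpg-id, and one file per
# recipient named .public-keys/<key-id>; the key IDs below are constructed.

# resolve_gpg_id STORE RELDIR
# Prints the path of the .gpg-id that applies to STORE/RELDIR (RELDIR may
# be empty for the store root). Returns 1 if no .gpg-id is found.
resolve_gpg_id() {
  store=${1%/}
  dir=$store
  [ -n "$2" ] && dir="$store/${2%/}"
  while :; do
    if [ -f "$dir/.gpg-id" ]; then
      printf '%s\n' "$dir/.gpg-id"
      return 0
    fi
    # stop at the store root; never walk above it
    [ "$dir" = "$store" ] && return 1
    dir=$(dirname "$dir")
  done
}

# missing_public_keys STORE RELDIR
# Prints every recipient of the effective .gpg-id that has no
# .public-keys/<key-id> file. Returns 0 if all keys are present,
# 1 if any are missing, 2 if no .gpg-id applies.
missing_public_keys() {
  store=${1%/}
  idfile=$(resolve_gpg_id "$store" "$2") || {
    printf 'no .gpg-id applies to %s\n' "$store/$2" >&2
    return 2
  }
  missing=0
  # read one recipient per line, tolerating a missing final newline
  while IFS= read -r rcpt || [ -n "$rcpt" ]; do
    case "$rcpt" in ''|'#'*) continue ;; esac
    if [ ! -f "$store/.public-keys/$rcpt" ]; then
      printf '%s\n' "$rcpt"
      missing=1
    fi
  done < "$idfile"
  return $missing
}

# make_demo_store
# Builds a constructed store layout in a temp dir and prints its path:
# root recipients = ALICE only; team/ops adds BOB, but only ALICE's
# public key has been exported to .public-keys/.
make_demo_store() {
  root=$(mktemp -d)
  mkdir -p "$root/.public-keys" "$root/team/ops"
  printf 'ALICE-KEY-ID\n' > "$root/.gpg-id"
  printf 'ALICE-KEY-ID\nBOB-KEY-ID\n' > "$root/team/ops/.gpg-id"
  : > "$root/.public-keys/ALICE-KEY-ID"
  printf '%s\n' "$root"
}

demo=$(make_demo_store)
printf 'effective .gpg-id for team/ops: %s\n' "$(resolve_gpg_id "$demo" team/ops)"
printf 'recipients of team/ops without an exported public key:\n'
missing_public_keys "$demo" team/ops || printf '(teammates cannot encrypt for the recipients above)\n'
rm -rf "$demo"
```

Run against a real store by replacing the constructed one with the store root and the subdirectory of interest; a non-zero exit from missing_public_keys is the condition the reporter describes, where the narrowed .gpg-id is in place but a teammate's clone has no key to encrypt with.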