import from gopass to keepassxc fail with expired gpg-keys

[jeremyp3]

I can't export from gopass to import in keepassxc or in a csv file. my gpg key is usable, in any case, it is unlocked when I launch my session and gopass can read it I can't export from gopass to import in keepassxc or in a csv file. my gpg key is usable, in any case, it is unlocked when I start my session and gopass can read it

$ pimport -vvv keepassxc gopass /home/$USER/.local/share/gopass/stores/exploitation/ --out /tmp/test.kdbx . Trying to guess file format. . Importer: gopass, Format: gopass, Version:
. Importing passwords from Gopass to KeepassxcKDBX . Checking for breached passwords . Traceback (most recent call last): File "/tmp/myenv/lib/python3.11/site-packages/pass_import/main.py", line 356, in pass_import with cls_import(conf['in'], settings=settings) as importer: File "/tmp/myenv/lib/python3.11/site-packages/pass_import/core.py", line 115, in enter raise PMError( pass_import.errors.PMError: invalid credentials, password encryption/decryption aborted.

[x] Error: invalid credentials, password encryption/decryption aborted.

I was inspired by #114 to check the commands on my gpg key

am I doing something wrong?

I specify that pimport is launched from a python venv

[roddhjav]

Can you ensure you are trusting all the keys in .gpgid as detailed in https://github.com/roddhjav/pass-import#gpg-keyring

[jeremyp3]

hello,

gpg --list-keys /home/$USER/.gnupg/pubring.kbx

pub rsa3072 2021-07-12 [SC] [expire : 2023-07-12] EADB280xxxxxx uid [ ultime ] xxxxxx xxx@xxx sub rsa3072 2021-07-12 [E] [expire : 2023-07-12]

pub rsa3072 2022-07-27 [SC] [expire : 2024-07-26] F7C090xxxxxxxxx uid [ ultime ] xxxxxxxxxxxxxxxx xxxxxx@xxxx sub rsa3072 2022-07-27 [E] [expire : 2024-07-26]

pub rsa3072 2023-01-23 [SC] [expire : 2029-01-21] FDFA96xxxxxxxx uid [ ultime ] Jeremyp3 xxxx@xxx sub rsa3072 2023-01-23 [E] [expire : 2029-01-21]

pub rsa3072 2023-01-18 [SC] [expire : 2025-01-17] 442F38Dxxxxxxxxxxx uid [ ultime ] xxxxxxxxx xxxxxx@xxxx sub rsa3072 2023-01-18 [E] [expire : 2025-01-17]

pub rsa3072 2023-01-23 [SC] 54998xxxxxxxx uid [ ultime ] xxxxxxxxx xxxxxx@xxxxxx sub rsa3072 2023-01-23 [E]

pub rsa3072 2021-02-17 [SC] [expirée : 2023-02-17] 8D627xxxxxxxxx uid [ expirée ] xxxxxxxx xxxxxx@xxxx

pub rsa4096 2021-08-27 [SC] [expire : 2024-08-26] B284Dxxxxxxxx uid [ ultime ] xxxxxxxxxxx xxxxxx@xxxxxx sub rsa4096 2021-08-27 [E] [expire : 2024-08-26]

pub rsa3072 2021-02-17 [SC] [expirée : 2023-02-17] B326Fxxxxxxxx uid [ expirée ] xxxxxxxxx xxxxx@xxxxx

pub rsa2048 2022-01-25 [SCEA] BB94D1xxxxxxxxx uid [ ultime ] xxxxxxxx xxxxxx@xxxxx sub rsa2048 2022-01-25 [SEA]

I confirm that the expired keys are in ultimate too, but even if I remove them from my keychain I have the same behavior.

There is only one private key, it's the jeremyp3 key

[roddhjav]

Can you ensure the keys id in .gpgid are all here too?

[jeremyp3]

I don't understand your last question

[roddhjav]

Like pass, gopass stores the ID of the key it uses for encryption/decryption in password in a file called .gpgid at the root of the password repository. This is the key from the ID in this file that need to be usable.

[jeremyp3]

Ok.

in the file, there were all the public gpg keys stated above . I removed all the keys, except mine, and the import worked

for information, mine was the last one in the file since I made it recently.

thanks for assistance !

[jeremyp3]

i don't close the issue, because i wonder if it's a bug or not. if it's not a bug, i think it should be specified somewhere, i don't know if the fact that there are several gpg keys in the .gpg-id of gopass is expected

[roddhjav]

Most likely, this is a misconfiguration on your hand. As pass/gopass encrypts the passwords with all the key present in .gpgid you usually only setup pass with keys you control (or fully trust to be able to share your passwords with someone else).

[jeremyp3]

Maybe it's the expired keys that are still in gopass. I'll try removing only the expired keys.

before today, i never touched this part of gopass. as a proof, i didn't have the knowledge of the .gpg-id file :)

i'm closing the issue, but i'll make a return if it can be useful to someone :)

[jeremyp3]

I confirm that it is from the expired keys. I just removed them from the .gpg-id and the import works with the others.

I thought that it would only use my gpg key to decrypt the passwords and that even if the other keys were expired, it would not be a problem.

[roddhjav]

For some context, it works this way because:

1. It is the same test either it reads or writes on the password repo
2. Encrypting password using not trusted or expired key would failed