shyiko / kubesec

Secure Secret management for Kubernetes (with gpg, Google Cloud KMS and AWS KMS backends)
Apache License 2.0
617 stars, 42 forks

Decryption with multiple PGP keys fails #21

Open philicious opened 5 years ago

philicious commented 5 years ago

This is a question for better understanding:

When adding multiple PGP keys to a secret, it seems as if you can only decrypt the secret when also having the pubkey of the person who added your key:

I added a colleague's key; however, he wasn't able to decrypt until he imported my pubkey into his keyring.

This is the debug output:

kubesec patch foobar.yaml --debug
Executing sh -c "/usr/local/MacGPG2/bin/gpg2 --list-secret-keys --with-colons --fingerprint --fingerprint" 
Attempting to decrypt DEK with PGP key _HIS_KEY_ID_ 
Executing sh -c "/usr/local/MacGPG2/bin/gpg2 -d --status-fd 3 -o /var/folders/3s/y699yyld6mj8h32yt68nblt40000gn/T/808465590E /var/folders/3s/y699yyld6mj8h32yt68nblt40000gn/T/808465590" 
gpg: encrypted with 4096-Bit RSA key, ID  _HIS_KEY_ID_ ,..
gpg: Signature made Thu Nov ..
gpg: using RSA key _MY_KEY_ID
gpg: signature verification failed: No public key
Unable to decrypt DEK with PGP key _HIS_KEY_ID_  (Signature is invalid or missing) 
Unable to decrypt Data Encryption Key (DEK) 

This behavior is rather unfavorable as every decrypter needs to retrieve and import all other pubkeys.
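The debug output above shows why the decryption fails even though gpg found the colleague's private key: kubesec runs gpg with `--status-fd 3` and reads the machine-readable status lines, and it only releases the Data Encryption Key when the signature on it verifies. The following is an added example (not kubesec's own code) that parses constructed GnuPG status-fd transcripts and applies that same policy, so the "decrypted fine, but signer's pubkey missing" case in this issue can be seen without running gpg. The key IDs, the `GpgStatus`/`parse_status`/`accept_plaintext` names and the transcripts are all constructed for illustration; the `[GNUPG:]` keywords are the ones GnuPG documents.

```python
"""Interpret GnuPG --status-fd output for a signed-and-encrypted payload.

Added example, not kubesec's code. gpg writes one status line per event to
the descriptor named by --status-fd; a wrapper that wants "decrypt AND verify"
has to combine DECRYPTION_OKAY with the signature outcome. A recipient who
lacks the signer's public key gets ERRSIG/NO_PUBKEY, so the plaintext exists
but the policy rejects it (the "Signature is invalid or missing" case).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class GpgStatus:
    recipients: List[str] = field(default_factory=list)      # key IDs from ENC_TO
    decryption_ok: bool = False                              # DECRYPTION_OKAY seen
    signer: Optional[str] = None                             # key ID from GOODSIG/BADSIG/ERRSIG
    signature: str = "none"                                  # none | good | bad | unverifiable
    missing_pubkeys: List[str] = field(default_factory=list)  # key IDs from NO_PUBKEY


def parse_status(lines: List[str]) -> GpgStatus:
    """Fold gpg status lines into a summary; lines without the [GNUPG:] prefix
    are ordinary stderr chatter and are ignored."""
    st = GpgStatus()
    for raw in lines:
        if not raw.startswith(STATUS_PREFIX):
            continue
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "ENC_TO" and args:
            st.recipients.append(args[0])
        elif keyword == "DECRYPTION_OKAY":
            st.decryption_ok = True
        elif keyword == "DECRYPTION_FAILED":
            st.decryption_ok = False
        elif keyword == "GOODSIG" and args:
            st.signer, st.signature = args[0], "good"
        elif keyword == "BADSIG" and args:
            st.signer, st.signature = args[0], "bad"
        elif keyword == "ERRSIG" and args:
            # ERRSIG <keyid> <pkalgo> <hashalgo> <sig_class> <time> <rc>:
            # gpg could not check the signature at all (rc 9 = no public key).
            st.signer = args[0]
            if st.signature != "bad":
                st.signature = "unverifiable"
        elif keyword == "NO_PUBKEY" and args:
            st.missing_pubkeys.append(args[0])
    return st


def accept_plaintext(st: GpgStatus) -> Tuple[bool, str]:
    """Release the decrypted DEK only if decryption succeeded and the signature
    verified. An unverifiable signature is treated like a missing one."""
    if not st.decryption_ok:
        return False, "decryption failed (no usable private key for %s)" % ", ".join(st.recipients)
    if st.signature == "good":
        return True, "decrypted and signature by %s verified" % st.signer
    if st.signature == "bad":
        return False, "signature by %s is invalid; the ciphertext may have been altered" % st.signer
    if st.signature == "unverifiable":
        missing = st.missing_pubkeys[0] if st.missing_pubkeys else st.signer
        return False, "signature is unverifiable: signer public key %s is not in the keyring" % missing
    return False, "payload is not signed"


# Constructed transcripts with placeholder key IDs (not real keys).
HIS_KEY = "AAAAAAAAAAAAAAAA"   # the colleague's key, which decrypts the DEK
MY_KEY = "BBBBBBBBBBBBBBBB"    # the key that signed when the secret was written

# Case 1: the colleague decrypts before importing the signer's public key.
MISSING_SIGNER = [
    "[GNUPG:] ENC_TO %s 1 0" % HIS_KEY,
    "gpg: encrypted with 4096-bit RSA key, ID %s" % HIS_KEY,   # ignored: not a status line
    "[GNUPG:] BEGIN_DECRYPTION",
    "[GNUPG:] DECRYPTION_OKAY",
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG %s 1 8 00 1542000000 9" % MY_KEY,
    "[GNUPG:] NO_PUBKEY %s" % MY_KEY,
    "[GNUPG:] END_DECRYPTION",
]

# Case 2: the same message after the signer's public key was imported.
SIGNER_KNOWN = [
    "[GNUPG:] ENC_TO %s 1 0" % HIS_KEY,
    "[GNUPG:] BEGIN_DECRYPTION",
    "[GNUPG:] DECRYPTION_OKAY",
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG %s Colleague <colleague@example.invalid>" % MY_KEY,
    "[GNUPG:] END_DECRYPTION",
]

if __name__ == "__main__":
    for name, transcript in (("missing signer key", MISSING_SIGNER), ("signer key imported", SIGNER_KNOWN)):
        ok, why = accept_plaintext(parse_status(transcript))
        print("%-20s accepted=%s  %s" % (name, ok, why))
```

Both transcripts reach `DECRYPTION_OKAY`, so the private key was never the problem; the first is refused purely because the signature cannot be checked. That is the trade-off behind the observation in this issue: verifying the signer protects against a tampered secret, but it means every decrypter must hold every signer's public key.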

tk3fftk commented 5 years ago

I think the file (foobar.yaml) might be signed with another key (the default key). Kubesec cannot set a signing key for encrypting. My workaround is to set the default key via ~/.gnupg/gpg.conf if you have multiple keys.

Ref: https://unix.stackexchange.com/questions/339077/set-default-key-in-gpg-for-signing

davinkevin commented 5 years ago

+1 for this issue, especially if we want to do this operation within our CI pipeline. Is this possible, @shyiko?

Our CI system should know every public key of the team members, which is not very friendly...

@tk3fftk could you clarify your answer? I don't quite get it. I don't see the link between your answer and the original issue.

Neonox31 commented 5 years ago

+1, FYI sops seems to work well for this case.