Adding recipient to substore with age+git backend fails at git stage #2526

Closed
jmpolom opened this issue Jan 24, 2023 · 6 comments

jmpolom commented Jan 24, 2023

Summary

Adding a recipient to an age encrypted gopass substore fails when gopass attempts to add re-encrypted files to the git repo.

Steps To Reproduce

  1. gopass clone --crypto age https://git.repo.com/path/to/pass.git test-pass-sub
  2. gopass ls to verify that substore is mounted at test-pass-sub
  3. Verify current recipients with gopass recipients
  4. Attempt to add new recipient with age key: gopass recipients add --store test-pass-sub age1<...>
  5. Reencryption should succeed but observe failure at the stage when changed items are added to git repo:
    Error: failed to add recipient "age1<...>": failed to add "test-pass-sub/secret.age" to git: exit status 128: fatal: pathspec 'test-pass-sub/secret.age' did not match any files
    
  6. Examine the state of the git repo with gopass git --store test-pass-sub status and notice many changed files not staged for commit.

To me it appears git is being called from the wrong directory or paths are being specified incorrectly. The issue can be manually corrected by adding the files with git add, committing and pushing; however, this should not be necessary.

Expected behavior

Recipient can successfully be added without git error and manual recovery, as appears to be the case for the "root" store.

Environment

  • OS: Fedora 36
  • OS version: Linux hostname 6.1.6-100.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Jan 14 17:00:40 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
  • gopass Version: 1.15.3
  • Installation method: gopass github

Additional context

None.

@dominikschulz dominikschulz added the bug Defects label Jan 25, 2023
@dominikschulz dominikschulz added this to the 1.15.4 milestone Jan 25, 2023
@dominikschulz dominikschulz self-assigned this Jan 29, 2023
@dominikschulz dominikschulz modified the milestones: 1.15.4, 1.15.5 Feb 12, 2023
@poikilotherm

I just ran into the same bug using gopass 1.15.12.

@dominikschulz
Member

I fail to reproduce with 1.15.12, I'm afraid.

@jmpolom The instructions are good but I think I'm missing a few steps before 1. How do you initialize the root and sub stores?

@poikilotherm

poikilotherm commented Mar 24, 2024

Hey! I started over and created a new reproducer. Here's what I did:

  1. Remove all Gopass from my user: rm -rf ~/.local/share/gopass ~/.config/gopass ~/.cache/gopass
  2. Add new root, but don't give a remote git: gopass-1-new-root
  3. Add a remote as mount. This repo was created fresh and empty on GitHub by me, so we will need to init the crypto of it, too: gopass-2-clone-remote gopass-3-init-crypto
  4. Now let's do a first sync: gopass-4-sync
  5. All done and well, let's add a test secret (test1234): gopass-5-add-test-secret
  6. Now let's add another recipient using age's sshkey feature: gopass-6-add-sshkey-recipient
  7. That did not work, but the recipient seems to be added anyway? gopass-7-list-recipients
  8. Let's add another secret so we can see if it will be encrypted for both recipients: gopass-8-add-second-secret
  9. Now let's see if we can decrypt it using age and giving the proper identity: gopass-9-cannot-decrypt-w-age

Obviously the secrets were never encrypted for the additional recipient. This can also be seen when looking at the age files in raw mode.

Here's a debug log of the step that failed when we added the recipient: gopass-reproducer-debug-log-add-github.log

Please let me know if I should try something else! Thanks for your help and this great project!
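Added example, not part of the comment above and not gopass code: a way to check which recipient stanzas a secret was actually encrypted to, by parsing the age v1 header the comment refers to as "raw mode". It assumes the store's .age files use age's binary (non-armored) format; `recipientStanzas` and `sampleHeader` are hypothetical names, and the sample values are constructed.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// Constructed sample header with one X25519 recipient; values are placeholders.
const sampleHeader = "age-encryption.org/v1\n-> X25519 CONSTRUCTEDshare\n" +
	"CONSTRUCTEDwrappedkey\n--- CONSTRUCTEDmac\n<binary payload>"

// recipientStanzas returns the type of each recipient stanza in an age v1
// header. It stops at the "---" MAC line and never reads the payload.
func recipientStanzas(r io.Reader) ([]string, error) {
	br := bufio.NewReader(r)
	first, _ := br.ReadString('\n')
	if strings.TrimRight(first, "\r\n") != "age-encryption.org/v1" {
		return nil, errors.New("not a binary age v1 file")
	}
	var types []string
	for {
		line, err := br.ReadString('\n')
		if strings.HasPrefix(line, "---") {
			return types, nil
		}
		if err != nil {
			return nil, errors.New("truncated header: no '---' MAC line")
		}
		// Stanza lines look like "-> TYPE ARG..."; wrapped-key body lines are skipped.
		if f := strings.Fields(line); len(f) > 1 && f[0] == "->" {
			types = append(types, f[1])
		}
	}
}

func main() {
	// Usage: go run . < path/to/secret.age
	fmt.Println(recipientStanzas(os.Stdin))
}
```

X25519 stanzas carry no recipient identifier, so the stanza count and types are what can be compared against the store's recipient list; a file that was never re-encrypted after adding an SSH key recipient shows no `ssh-ed25519` stanza.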

@AnomalRoil
Member

I'll try to reproduce this now that I've touched much of the code handling this in #2960

@poikilotherm

Thx for getting back to this @AnomalRoil ! Much appreciated!

@AnomalRoil
Member

AnomalRoil commented Oct 14, 2024

This seems to have been fixed on master, most likely thanks to my last PR.

~/c/gopass ❯❯❯ gopass ls

   __     _    _ _      _ _   ___   ___
 /'_ '\ /'_'\ ( '_'\  /'_' )/',__)/',__)
( (_) |( (_) )| (_) )( (_| |\__, \\__, \
'\__  |'\___/'| ,__/''\__,_)(____/(____/
( )_) |       | |
 \___/'       (_)

🌟 Welcome to gopass!
⚠ No existing configuration found.
☝ Please run 'gopass setup'

Error: not initialized
~/c/gopass ❯❯❯ gopass setup --crypto age

   __     _    _ _      _ _   ___   ___
 /'_ '\ /'_'\ ( '_'\  /'_' )/',__)/',__)
( (_) |( (_) )| (_) )( (_| |\__, \\__, \
'\__  |'\___/'| ,__/''\__,_)(____/(____/
( )_) |       | |
 \___/'       (_)

🌟 Welcome to gopass!
🌟 Initializing a new password store ...
🔐 No useable cryptographic keys. Generating new key pair
🧪 Creating cryptographic key pair (age) ...
⚠ Do you want to enter a passphrase? (otherwise we generate one for you) [y/N/q]:
✅ Key pair for age generated
Passphrase: spoiling spinal prolonged cesarean
⚠ You need to remember this very well!
⚠ 🔐 We need to unlock your newly created private key now! Please enter the passphrase you just generated.
✅ Key pair age1f602pk6rmu9gkkm473nhea02zvenufq6rzvuaw477tssq5xrksnsq3gl2k validated
🔐 Cryptographic keys generated
🌟 Configuring your password store ...
Please enter an email address for password store git config []:
❓ Do you want to add a git remote? [y/N/q]: N
✅ Configuration written
~/c/gopass ❯❯❯ gopass mounts
🚥 Syncing with all remotes ...
[<root>]
   gitfs pull and push ... Skipped (no remote)
✅ All done
No mounts
~/c/gopass ❯❯❯ gopass config
core.autopush = true
core.autosync = true
core.cliptimeout = 45
core.exportkeys = true
core.notifications = true
mounts.path = /tmp/gopasstest11/.local/share/gopass/stores/root
pwgen.xkcd-lang = en
recipients.hash = af6f9e4ad5811a1a0dace648fe1ed8d43996509936592b493a1d6b0ee102f8ac
~/c/gopass ❯❯❯ gopass generate test 10
✅ Password for entry "test" generated
Not printing secrets by default. Use 'gopass show test' to display the password.
~/c/gopass ❯❯❯ gopass clone --crypto age git@github.com:poikilotherm/reproducer-gopass.git reproducer

   __     _    _ _      _ _   ___   ___
 /'_ '\ /'_'\ ( '_'\  /'_' )/',__)/',__)
( (_) |( (_) )| (_) )( (_| |\__, \\__, \
'\__  |'\___/'| ,__/''\__,_)(____/(____/
( )_) |       | |
 \___/'       (_)

🌟 Welcome to gopass!
🌟 Cloning an existing password store from "git@github.com:poikilotherm/reproducer-gopass.git" ...
⚠ Cloning gitfs repository "git@github.com:poikilotherm/reproducer-gopass.git" to "/tmp/gopasstest11/.local/share/gopass/stores/reproducer" ...
Git Email not set
⚠ Failed to commit .gitattributes to git
git configured at /tmp/gopasstest11/.local/share/gopass/stores/reproducer
Mounted password store /tmp/gopasstest11/.local/share/gopass/stores/reproducer at mount point `reproducer` ...
⚠ Configuring gitfs repository ...
🎩 Gathering information for the git repository ...
🚶 What is your name? [anomalroil]:
📧 What is your email? []:
Git Email not set
⚠ Failed to commit .gitattributes to git
Your password store is ready to use! Have a look around: `gopass list reproducer`

⚠ Please ask the owner of the password store to add one of your keys: age1f602pk6rmu9gkkm473nhea02zvenufq6rzvuaw477tssq5xrksnsq3gl2k
~/c/gopass ❯❯❯ gopass ls
gopass
├── reproducer (/tmp/gopasstest11/.local/share/gopass/stores/reproducer)
│   └── test/
│       ├── mysecret
│       └── mysecret2
└── test

Feel free to re-open with reproduction instruction if this still doesn't work for you!
