[PATCH] Fix for some flaws when using a key with multiple subkeys

Carl Michael Skog cmskog at gmail.com
Mon Nov 4 17:06:50 CET 2019

When encrypting with a gpg key that has multiple encryption subkeys, ONLY
the newest encryption subkey is used when encrypting.
This leads to potential problems in pass when using such a key.

Consider this scenario:
Let's say we are using a key K with encryption subkey A.
We set up two password stores (S1 and S2) plus a git repository (G) with this
All fine so far.
Let's say now that S1 adds an encryption subkey (B) to K.
S2 is still unchanged.
S1 then adds a new password P, and pushes this to G, which S2 then pulls.
When S2 tries to read password P it will get an error message from gpg:
"gpg: decryption failed: No secret key".
Even more dangerous: if S1 after adding the key does a "pass init" with K,
S2 will not be able to read a single password, if it pulls this change.

Patches 1, 2 and 3 are just some tests exposing the problem.
The actual fix is in patch 4.
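Added example, not part of this patch series and not pass's own code: a small Python diagnostic that walks through the scenario above on constructed gpg output. The key IDs, the `--with-colons` listings for key K and for the secret keyrings of S1 and S2, and the `--list-packets` dump of password P are all placeholders written to match the shape of real gpg output closely enough to parse. It shows which subkey gpg picks on its own (the newest), why S2 ends up with "No secret key" for P, and one mitigation: naming every encryption subkey explicitly with gpg's `!` suffix, which forces a specific subkey rather than letting gpg choose. That mitigation is an illustration here and is not necessarily what patch 4 does.

```python
import re

# Constructed sample inputs. Key IDs are placeholders, not real keys, and the
# record layouts only approximate real gpg output closely enough to parse.

# `gpg --list-keys --with-colons` for key K: primary plus two encryption
# subkeys, A (original) and B (added later by S1). Field 5 is the key ID,
# field 6 the creation time, field 12 the capabilities (lowercase letters
# are the key's own capabilities, uppercase ones belong to the whole key).
PUBLIC_LISTING_K = """\
pub:u:4096:1:C0C0C0C0C0C0C0C0:1572800000:::u:::scESC::::::23::0:
uid:u::::1572800000::0000000000000000000000000000000000000000::Key K <k@example.invalid>::::::::::0:
sub:u:4096:1:A1A1A1A1A1A1A1A1:1572800000::::::e::::::23:
sub:u:4096:1:B2B2B2B2B2B2B2B2:1572900000::::::e::::::23:
"""

# `gpg --list-secret-keys --with-colons` on S1 (has both subkeys) and on S2
# (never received subkey B).
SECRET_LISTING_S1 = """\
sec:u:4096:1:C0C0C0C0C0C0C0C0:1572800000:::u:::scESC::::::23::0:
ssb:u:4096:1:A1A1A1A1A1A1A1A1:1572800000::::::e::::::23:
ssb:u:4096:1:B2B2B2B2B2B2B2B2:1572900000::::::e::::::23:
"""
SECRET_LISTING_S2 = """\
sec:u:4096:1:C0C0C0C0C0C0C0C0:1572800000:::u:::scESC::::::23::0:
ssb:u:4096:1:A1A1A1A1A1A1A1A1:1572800000::::::e::::::23:
"""

# `gpg --list-packets` on password P, encrypted by S1 after adding B: gpg
# emitted a single public-key encrypted session key packet, for B only.
PACKETS_P = """\
# off=0 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid B2B2B2B2B2B2B2B2
\tdata: [4095 bits]
# off=527 ctb=d2 tag=18 hlen=2 plen=62 new-ctb
:encrypted data packet:
\tlength: 62
\tmdc_method: 2
"""


def _records(listing, kinds):
    """Yield (keyid, created, capabilities) for colon records of the given types."""
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) > 11 and f[0] in kinds:
            yield f[4], int(f[5] or 0), f[11]


def encryption_keyids(listing):
    """Key IDs with their own 'e' capability, oldest first by creation time."""
    keys = [(created, kid) for kid, created, caps in _records(listing, {"pub", "sub"})
            if "e" in caps]
    return [kid for _, kid in sorted(keys)]


def newest_encryption_keyid(listing):
    """The subkey gpg picks by itself when given only the primary key ID."""
    return encryption_keyids(listing)[-1]


def secret_keyids(listing):
    """Key IDs for which this keyring holds secret material."""
    return {kid for kid, _, _ in _records(listing, {"sec", "ssb"})}


_PKESK = re.compile(r"^:pubkey enc packet: .*\bkeyid ([0-9A-F]{16})\b")


def recipient_keyids(packets):
    """Recipient key IDs named in the file's public-key encrypted session-key packets."""
    return [m.group(1) for m in map(_PKESK.match, packets.splitlines()) if m]


def diagnose(packets, secret_listing):
    """Explain a 'No secret key' failure: which recipients this store can decrypt for."""
    recipients = recipient_keyids(packets)
    have = secret_keyids(secret_listing)
    return {
        "recipients": recipients,
        "decryptable": any(k in have for k in recipients),
        "missing": [k for k in recipients if k not in have],
    }


def gpg_recipient_args(public_listing):
    """Mitigation: name every encryption subkey explicitly. The trailing '!'
    tells gpg to use exactly that subkey instead of choosing one itself."""
    args = []
    for kid in encryption_keyids(public_listing):
        args += ["-r", kid + "!"]
    return args


if __name__ == "__main__":
    print("gpg would pick:", newest_encryption_keyid(PUBLIC_LISTING_K))
    for name, listing in (("S1", SECRET_LISTING_S1), ("S2", SECRET_LISTING_S2)):
        print(name, diagnose(PACKETS_P, listing))
    print("encrypt to all subkeys with:", " ".join(gpg_recipient_args(PUBLIC_LISTING_K)))
```

Running it prints that gpg would pick B, that S1 can decrypt P while S2 reports B as missing, and the explicit `-r A! -r B!` recipient list that would have kept S2 working. On a real system the same checks can be fed from the actual gpg commands named in the comments.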
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-an-init-test-with-a-key-with-multiple-subkeys.patch
Type: text/x-diff
Size: 10502 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20191104/a2a452c9/attachment-0001.patch>
