[PATCH] re-init: check for actual encryption keys to use
Michael J Gruber
git at grubix.eu
Fri Feb 18 11:27:42 UTC 2022
Depending on the gpg implementation, gpg may use all valid encryption
subkeys or just the newest/best subkey. This difference becomes relevant
when pass checks whether a file in the store needs to be reencrypted
after a .gpg-id change, and also when reporting to the user which
subkeys it reencrypts to.
Make pass check the relevant encryption subkeys which gpg will use by
doing a quick test run. This (potentially) reduces the number of
required reencryptions and makes sure pass reports the actual subkeys
being encrypted to (not more).
Signed-off-by: Michael J Gruber <git at grubix.eu>
---
src/password-store.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/password-store.sh b/src/password-store.sh
index 22e818f..60e6e09 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -127,7 +127,7 @@ reencrypt_path() {
IFS=";" eval 'GPG_RECIPIENTS+=( $group )' # http://unix.stackexchange.com/a/92190
unset "GPG_RECIPIENTS[$index]"
done
- gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/^sub:[^idr:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)"
+ gpg_keys="$(echo test | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" "${GPG_OPTS[@]}" | LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long 2>&1 | sed -n 's/^gpg: public key is \([A-F0-9]\+\)$/\1/p' | LC_ALL=C sort -u)"
fi
current_keys="$(LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$passfile" 2>&1 | sed -nE 's/^gpg: public key is ([A-F0-9]+)$/\1/p' | LC_ALL=C sort -u)"
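Review bot: The new `sed -n` expression on the `gpg_keys=` line uses `\+`, a GNU extension in basic regular expressions, while the unchanged `current_keys=` line directly below uses `sed -nE` with a plain `+`; on a sed without that extension the new expression would match nothing and `gpg_keys` would come out empty. Using the same form on both lines, `sed -nE 's/^gpg: public key is ([A-F0-9]+)$/\1/p'`, keeps the two key lists comparable. Separately, if the trial `$GPG -e` fails (for example because a recipient key is unusable), its empty output also produces an empty `gpg_keys` with no error raised on this line, so a non-empty check before the comparison would be worth adding. The comparison and the rest of reencrypt_path lie outside this hunk, so how an empty list is handled there cannot be confirmed from here.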
--
2.35.1.557.gc5783a932c