git-secret: git-secret-hide fails when encrypting with a revoked and active key for the same email, so help user avoid this situation
What are the steps to reproduce this issue?
- Create a new git repository, with a file you’d like to encrypt
- git secret tell a key with multiple identities
- git secret hide
What happens?
git-secret aborts.
What were you expecting to happen?
The hide to succeed.
Any logs, error output, etc?
$ git secret hide
gpg: error retrieving 'email@example.com' via WKD: No data
gpg: email@example.com: skipped: No data
gpg: /path/to/example/secret.txt: encryption failed: No data
git-secret: abort: problem encrypting file with gpg: exit code 2: secret.txt
Any other comments?
I verified that another key works just fine.
This is the key I’m trying to git secret tell to: DD2C 4F19 5E70 A0D9 2F86 2D6F 60BA 2A8B FD58 3641.
There are several revoked identities on that key, and the error message says the error is in retrieving one of the revoked identities. I used one of the valid identities when I added the key via git secret tell. All identities, including the revoked ones, are listed by git secret whoknows.
What versions of software are you using?
Operating system: (uname -a)
Darwin hostname 18.7.0 Darwin Kernel Version 18.7.0: Tue Aug 20 16:57:14 PDT 2019; root:xnu-4903.271.2~2/RELEASE_X86_64 x86_64
git-secret path: (which git-secret)
/usr/local/bin/git-secret
git-secret version: (git secret --version)
0.3.1
git version: (git --version)
git version 2.23.0
Shell type and version: ($SHELL --version)
zsh 5.3 (x86_64-apple-darwin18.0)
gpg version: (gpg --version)
gpg (GnuPG) 2.2.17
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /Users/user/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
About this issue
- State: closed
- Created 5 years ago
- Comments: 23
Re: what is a ‘key’ and an ‘identity’:
Therefore if a user has a single keypair associated with their email, revokes it, and adds a new keypair for that email to their keychain (without removing the revoked pair), I would consider that “two key pairs” associated with one email address (identity).
What would make this much easier to debug is if we had a publicly available set of gnupg keys (both public and private parts, revoked and unrevoked, and each for the same email address, with the relevant parts recorded on https://keybase.io) that matched this issue’s use case (including the revoked and unrevoked keys). Otherwise it’s difficult to replicate the scenario.
@cantido could you possibly create a set of test keys that match the above criteria (including relevant parts on https://keybase.io) and make all portions available to us ? Then we could add a test case that exercises this exact issue and we could talk about the issue more exactly.
I gotcha, I forgot to git checkout the branch that had your change. It looks like I got the message you were expecting:

But I’m a little confused. My key was never revoked, only the identity was revoked.
I understand! The email address I’m using for all my operations isn’t duplicated, but it’s the other duplicate one that’s causing all the trouble, since I’m technically telling all of my IDs.

I appreciate the work you put into this, thank you!
git-secret is not really equipped to deal with users’ keychains which have multiple keys for the same email address, as it only uses email addresses to describe keys. This is closely related to #268, and requires the same fix - the ability to address keys by fingerprint or ID, and not just email.
To resolve this issue with git-secret as it is, you have to ensure that there is only one valid key in your keyring for each email you want to use with git-secret, and then make sure you only have the right, valid keys in your repo’s keychain.
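A pre-flight check for the condition described in this thread, as an added example that is not git-secret’s own code: it parses the machine-readable listing produced by `gpg --list-public-keys --with-colons` (here a constructed sample embedded inline, using the fingerprint and address from the report) and warns about revoked user IDs, revoked keys, and email addresses backed by more than one key, so the keyring can be cleaned up before `git secret tell` and `git secret hide`.

```shell
#!/bin/sh
# Added example, not part of git-secret. Flags the keyring states that
# break git-secret's email-only addressing: revoked user IDs on an
# otherwise valid key, revoked keys, and one address on several keys.
#
# Constructed sample of `gpg --list-public-keys --with-colons` output:
#   pub field 2 = validity (r = revoked), field 5 = long key ID
#   uid field 2 = validity (r = revoked), field 10 = user ID string
SAMPLE_KEYRING='pub:u:4096:1:60BA2A8BFD583641:1500000000:::u:::scESC::::::23::0:
fpr:::::::::DD2C4F195E70A0D92F862D6F60BA2A8BFD583641:
uid:u::::1500000000::AAAA::Example User <email@example.com>::::::::::0:
uid:r::::1400000000::BBBB::Example User <old@example.com>::::::::::0:
pub:r:4096:1:1111111111111111:1300000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000001111111111111111:
uid:r::::1300000000::CCCC::Other Person <other@example.com>::::::::::0:
pub:u:4096:1:2222222222222222:1600000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000002222222222222222:
uid:u::::1600000000::DDDD::Other Person <other@example.com>::::::::::0:'

# Reads colon-format key listings on stdin; prints one WARN line per problem.
# Against a live keyring: gpg --list-public-keys --with-colons | check_keyring
check_keyring() {
  awk -F: '
    $1 == "pub" {
      key = $5
      if ($2 == "r") printf "WARN revoked key %s\n", key
    }
    $1 == "uid" {
      # Extract the address between <...>; skip uids without one.
      if (match($10, /<[^>]+>/)) {
        mail = substr($10, RSTART + 1, RLENGTH - 2)
        if ($2 == "r") printf "WARN revoked uid %s on key %s\n", mail, key
        if (!seen[mail, key]++) count[mail]++   # distinct keys per address
      }
    }
    END {
      for (m in count)
        if (count[m] > 1) printf "WARN %d keys carry address %s\n", count[m], m
    }
  '
}

printf '%s\n' "$SAMPLE_KEYRING" | check_keyring
```

A clean result is empty output; any WARN line names an address or key ID to remove or re-import before git-secret is asked to encrypt for that address.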