Depending on the gpg implementation, gpg may use all valid encryption subkeys or just the newest/best subkey. This difference becomes relevant when pass checks whether a file in the store needs to be reencrypted after a .gpg-id change, and also when reporting to the user which subkeys it reencrypts to.
Make pass check the relevant encryption subkeys which gpg will use by doing a quick test run. This (potentially) reduces the number of required reencryption andd makes sure pass reports the actual subkeys being encrypted to (not more). Signed-off-by: Michael J Gruber <[email protected]> --- src/password-store.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/password-store.sh b/src/password-store.sh index 22e818f..60e6e09 100755 --- a/src/password-store.sh +++ b/src/password-store.sh @@ -127,7 +127,7 @@ reencrypt_path() { IFS=";" eval 'GPG_RECIPIENTS+=( $group )' # http://unix.stackexchange.com/a/92190 unset "GPG_RECIPIENTS[$index]" done - gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/^sub:[^idr:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)" + gpg_keys="$(echo test | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" "${GPG_OPTS[@]}" | LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long 2>&1 | sed -n 's/^gpg: public key is \([A-F0-9]\+\)$/\1/p' | LC_ALL=C sort -u)" fi current_keys="$(LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$passfile" 2>&1 | sed -nE 's/^gpg: public key is ([A-F0-9]+)$/\1/p' | LC_ALL=C sort -u)" -- 2.35.1.557.gc5783a932c
