Re: pass init does not re-encrypt existing files (SOLVED)
Dear all,

On 07/19/2018 07:48 PM, Frank Thommen wrote:

> Hi,
>
> In an attempt to use pass for a shared password store @work I tried the instructions given on https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592. However even after importing a colleague's public gpg key, signing it and applying `pass init id1 id2`, existing entries could still not be seen by him:
>
>     $ pass a/b
>     gpg: decryption failed: No secret key
>     $
>
> Entries created *after* the additional `pass init` could be read by both users, but not those created beforehand.
>
> We are using pass 1.5 on CentOS 7 (from EPEL). GPG is version 2.0.22.
>
> I'm grateful for any hint on how to re-encrypt also existing files.
>
> Cheers
> frank

Problem solved: It was a combined issue of RTFM and the pass version used.

The pass version provided by EPEL for CentOS is 1.5. This version has an additional switch "-e" or "--reencrypt" for `pass init` which seems to have been dropped in later versions. At least it is not mentioned on https://git.zx2c4.com/password-store/about/ or on https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592. I /should/ have read the local manpage in addition to the online documentation ;-)

It is working now:

* for version 1.5: `pass init -e id1 id2` # requires -e
* for version 1.7.2: `pass init id1 id2` # no need for -e

Cheers
frank

___
Password-Store mailing list
Password-Store@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/password-store
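Whichever form of `pass init` re-encrypts on a given version, the check worth running afterwards is that every entry in the store now lists every intended recipient. The script below is an added example, not part of pass or of this thread: it parses the ":pubkey enc packet: ... keyid" lines that `gpg --list-packets` prints for an encrypted file, and reports the expected key IDs that are absent. `SAMPLE_DUMP` is a constructed packet dump with fictitious key IDs, and `audit_store` is a hypothetical wrapper that runs gpg over a real store (it needs gpg on PATH; the IDs must be hex key IDs or fingerprints, not e-mail addresses).

```shell
#!/bin/sh
# Added example, not part of pass or of this thread: verify that entries are
# encrypted to every expected recipient after `pass init [-e] id1 id2`.
# It relies only on the ":pubkey enc packet: ... keyid XXXX" lines that
# `gpg --list-packets` prints, one per recipient of an encrypted file.

# Constructed packet dump standing in for `gpg --list-packets some/entry.gpg`,
# with two recipients (fictitious key IDs).
SAMPLE_DUMP=':pubkey enc packet: version 3, algo 1, keyid 0123456789ABCDEF
    data: [2047 bits]
:pubkey enc packet: version 3, algo 1, keyid FEDCBA9876543210
    data: [4095 bits]
:encrypted data packet:
    length: unknown
    mdc_method: 2'

# Print the upper-cased recipient key IDs found in a packet dump read on
# stdin, one per line, de-duplicated.
recipient_keyids() {
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]*\).*$/\1/p' \
        | tr 'abcdef' 'ABCDEF' | sort -u
}

# missing_recipients DUMP ID...: print the expected IDs that do not appear in
# DUMP and return non-zero when any is missing. An ID may be a short key ID,
# a long key ID or a fingerprint (optionally 0x-prefixed): a short ID is the
# tail of the long ID and the long ID the tail of the fingerprint, so the
# comparison is on trailing hex digits.
missing_recipients() {
    dump=$1
    shift
    found=$(printf '%s\n' "$dump" | recipient_keyids)
    missing=''
    for want in "$@"; do
        want_uc=$(printf '%s' "$want" \
            | sed -e 's/^0[xX]//' -e 's/.*\(.\{16\}\)$/\1/' \
            | tr 'abcdef' 'ABCDEF')
        if ! printf '%s\n' "$found" | grep -q -- "${want_uc}\$"; then
            missing="$missing $want_uc"
        fi
    done
    printf '%s' "${missing# }"
    [ -z "$missing" ]
}

# audit_store STORE ID...: hypothetical wrapper that lists the entries whose
# recipient set lacks any expected ID. find -L follows symlinked
# subdirectories, as the patch discussed in this thread does.
audit_store() {
    store=$1
    shift
    find -L "$store" -path '*/.git' -prune -o -iname '*.gpg' -print |
    while read -r entry; do
        # --batch keeps gpg from prompting; the recipient packets are still
        # listed even when the decryption attempt itself fails.
        dump=$(gpg --batch --list-packets "$entry" 2>/dev/null)
        if ! miss=$(missing_recipients "$dump" "$@"); then
            printf 'MISSING %s: %s\n' "$entry" "$miss"
        fi
    done
}

demo() {
    printf 'recipients in sample: %s\n' \
        "$(printf '%s\n' "$SAMPLE_DUMP" | recipient_keyids | tr '\n' ' ')"
    if missing_recipients "$SAMPLE_DUMP" 0123456789ABCDEF FEDCBA9876543210 >/dev/null; then
        echo 'sample entry: all expected recipients present'
    fi
    echo "sample entry vs a third key: missing $(missing_recipients "$SAMPLE_DUMP" 1111222233334444)"
}
demo
```

Run `audit_store "$PASSWORD_STORE_DIR" <keyid1> <keyid2>` after re-initialising the store; any line starting with `MISSING` names an entry that still carries the old recipient list.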
Re: pass init does not re-encrypt existing files
Hi,

we don't use symlinks. All files are directly in the password store, which is referred to by the $PASSWORD_STORE_DIR environment variable.

Cheers
frank

On 20/07/18 09:30, Zafiris Sgouridis wrote:

> Hi!
>
> I had the same issue. For me it was that my directory under .password-store was a symlink. The function that searches for files to reencrypt uses find without the "-L" flag for following symlinks, so it didn't find any files. Are you using symlinks?
>
> My setup:
>
>     .password-store
>         secrets_test -> ~/git/secret_test
>
> I sent the patch below that adds "-L" so that find will follow symlinks and finds the files when reencrypting.
>
> From ab124563a079f01a2c4c0797f34eaf35f7e34579 Mon Sep 17 00:00:00 2001
> From: Zafiris Sgouridis
> Date: Tue, 26 Jun 2018 11:52:32 +0200
> Subject: [PATCH 1/1] Add ability to use symlinks for directory under pass-store.
>
> Use "-L" with "find" to make it follow symlinks so that it also finds files even if the directories under "./password-store" are symlinks.
>
> ---
> src/password-store.sh | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/password-store.sh b/src/password-store.sh
> index 715dc93..368f1d9 100755
> --- a/src/password-store.sh
> +++ b/src/password-store.sh
> @@ -133,7 +133,7 @@ reencrypt_path() { mv "$passfile_temp" "$passfile" || rm -f "$passfile_temp" fi prev_gpg_recipients="${GPG_RECIPIENTS[*]}" - done < <(find "$1" -path '*/.git' -prune -o -iname '*.gpg' -print0) + done < <(find -L "$1" -path '*/.git' -prune -o -iname '*.gpg' -print0) } check_sneaky_paths() { local path

-- 
Frank Thommen | HD-HuB / DKFZ Heidelberg | f.thom...@dkfz-heidelberg.de
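Review bot: `find -L` follows every symlink beneath "$1", not only a symlinked subdirectory directly under the store, so two cases the commit message does not mention need a decision. First, an entry that is itself a symlink to a `.gpg` file now matches `-iname '*.gpg'`, and the `mv "$passfile_temp" "$passfile"` visible in the hunk context then replaces the link with a regular file while the link's target keeps its old recipient list. Second, a symlinked subdirectory that points outside `$PASSWORD_STORE_DIR` is traversed and the files behind it are rewritten in place, and a symlink that points back into an ancestor makes find print a file-system-loop warning for that path. If the intent is only the layout described above (a subdirectory of the store replaced by a symlink to a directory elsewhere), the commit body should say so and should name the directory `.password-store` rather than `./password-store`.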
Re: pass init does not re-encrypt existing files
Hi!

I had the same issue. For me it was that my directory under .password-store was a symlink. The function that searches for files to reencrypt uses find without the "-L" flag for following symlinks, so it didn't find any files. Are you using symlinks?

My setup:

    .password-store
        secrets_test -> ~/git/secret_test

I sent the patch below that adds "-L" so that find will follow symlinks and finds the files when reencrypting.

From ab124563a079f01a2c4c0797f34eaf35f7e34579 Mon Sep 17 00:00:00 2001
From: Zafiris Sgouridis
Date: Tue, 26 Jun 2018 11:52:32 +0200
Subject: [PATCH 1/1] Add ability to use symlinks for directory under pass-store.

Use "-L" with "find" to make it follow symlinks so that it also finds files even if the directories under "./password-store" are symlinks.

---
src/password-store.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/password-store.sh b/src/password-store.sh
index 715dc93..368f1d9 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -133,7 +133,7 @@ reencrypt_path() { mv "$passfile_temp" "$passfile" || rm -f "$passfile_temp" fi prev_gpg_recipients="${GPG_RECIPIENTS[*]}" - done < <(find "$1" -path '*/.git' -prune -o -iname '*.gpg' -print0) + done < <(find -L "$1" -path '*/.git' -prune -o -iname '*.gpg' -print0) } check_sneaky_paths() { local path
-- 
2.17.1

Regards
Zafiris

On Thu, 2018-07-19 at 19:48 +0200, Frank Thommen wrote:
> Hi,
>
> In an attempt to use pass for a shared password store @work I tried the instructions given on https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592. However even after importing a colleague's public gpg key, signing it and applying `pass init id1 id2`, existing entries could still not be seen by him:
>
>     $ pass a/b
>     gpg: decryption failed: No secret key
>     $
>
> Entries created *after* the additional `pass init` could be read by both users, but not those created beforehand.
>
> We are using pass 1.5 on CentOS 7 (from EPEL). GPG is version 2.0.22.
>
> I'm grateful for any hint on how to re-encrypt also existing files.
>
> Cheers
> frank
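To see the behaviour Zafiris describes above, here is an added example that is not code from pass or from this thread. It builds a throwaway store under `mktemp -d` with one ordinary subdirectory, one subdirectory that is a symlink to a directory outside the store (modelled on the `secrets_test -> ~/git/secret_test` layout) and a `.git` directory that must be pruned, then runs the same `find` selection `reencrypt_path` uses with and without `-L`. The directory names and the `enumerate_entries` / `count_entries` / `make_demo_store` helpers are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from pass or from this thread: shows why the find
# call in reencrypt_path misses entries below a symlinked subdirectory and
# what adding -L changes. Everything is built under a temporary directory.

# enumerate_entries STORE [-L]: the selection reencrypt_path uses, with an
# optional -L in front, printed one path per line and sorted.
enumerate_entries() {
    store=$1
    follow=$2
    # $follow is intentionally unquoted so that an empty value disappears.
    find $follow "$store" -path '*/.git' -prune -o -iname '*.gpg' -print | sort
}

# count_entries STORE [-L]: number of entries the selection finds.
count_entries() {
    enumerate_entries "$1" "$2" | wc -l | tr -d ' '
}

# make_demo_store: constructed layout modelled on the reporter's setup.
#   BASE/.password-store/real/a.gpg                      ordinary subdirectory
#   BASE/.password-store/.git/hooks/x.gpg                must be pruned
#   BASE/.password-store/linked -> BASE/git/secret_test  symlinked subdirectory
#   BASE/git/secret_test/b.gpg
# Prints the store path; the caller removes BASE afterwards.
make_demo_store() {
    base=$(mktemp -d)
    store="$base/.password-store"
    outside="$base/git/secret_test"
    mkdir -p "$store/real" "$store/.git/hooks" "$outside"
    : > "$store/real/a.gpg"
    : > "$store/.git/hooks/x.gpg"
    : > "$outside/b.gpg"
    ln -s "$outside" "$store/linked"
    printf '%s\n' "$store"
}

demo() {
    s=$(make_demo_store)
    printf 'without -L: %s entries found\n' "$(count_entries "$s" "")"
    printf 'with -L:    %s entries found\n' "$(count_entries "$s" -L)"
    enumerate_entries "$s" -L
    rm -rf "$(dirname "$s")"
}
demo
```

Without `-L` only `real/a.gpg` is reported, so a re-encryption pass would silently skip everything below `linked/`; with `-L` the entry behind the symlink is included and `.git` stays pruned in both cases.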