gopass unable to find PGP keys when running in Github Actions #2872

Open
felixhammerl opened this issue Apr 25, 2024 · 0 comments
felixhammerl commented Apr 25, 2024

Summary

I am trying to use gopass in Github Actions.

To this end, I have a secrets store called test-gopass-1, which gets cloned via a Personal Access Token from inside the workflow. However, after cloning the store, gopass seems unable to find the secret key in GPG and tries to create a new key from git author settings, despite the key very clearly existing in the gpg keyring.

The key being used is 0xF9CA7755347E6586, belonging to gopass-terraform-example <gopass-terraform-example@github>.

gopass creates a random key, but it can actually decrypt the secret via gopass show, despite thinking it has no key available during setup. If it actually tried to use the key it just created, it would not be able to read the secrets store.

The image is ubuntu-latest.

The key is imported through a secret called PGP_KEY, the PGP key ID is provided to the root store via a secret called PGP_KEY_ID.

Steps To Reproduce

Here is the action:

name: Pipeline
on: [push, workflow_dispatch]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository code
        uses: actions/checkout@v2

      - name: Import GPG key
        run: echo "${{ secrets.PGP_KEY }}" | gpg --import

      - name: Install gopass
        run: wget https://github.com/gopasspw/gopass/releases/download/v1.15.8/gopass_1.15.8_linux_amd64.deb && sudo dpkg -i gopass_1.15.8_linux_amd64.deb

      - name: Initialize gopass
        run: |
          gopass --yes setup \
          --remote https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/felixhammerl/test-gopass-1.git \
          --alias test-gopass-1 \
          --name "gopass-terraform-example" \
          --email "gopass-terraform-example@github"

      - name: Make sure gopass works
        run: gopass show test-gopass-1/dev/asdasd

The log output of the gopass setup execution is:

Run gopass --yes setup \
  gopass --yes setup \
  --remote https://***@github.com/felixhammerl/test-gopass-1.git \
  --alias test-gopass-1 \
  --name "gopass-terraform-example" \
  --email "gopass-terraform-example@github"
  shell: /usr/bin/bash -e {0}
   __     _    _ _      _ _   ___   ___
 /'_ '\ /'_'\ ( '_'\  /'_' )/',__)/',__)
( (_) |( (_) )| (_) )( (_| |\__, \\__, \
'\__  |'\___/'| ,__/''\__,_)(____/(____/
( )_) |       | |
 \___/'       (_)
🌟 Welcome to gopass!
🌟 Initializing a new password store ...
🔐 No useable cryptographic keys. Generating new key pair
🧪 Creating cryptographic key pair (gpg) ...
🎩 Gathering information for the gpg key pair ...
✅ Key pair for gpg generated
Passphrase: exerciser truck custodian rocker
⚠ You need to remember this very well!
⚠ 🔐 We need to unlock your newly created private key now! Please enter the passphrase you just generated.
✅ Key pair 0xAF428D93F835FF58 validated
🔐 Cryptographic keys generated
Joining existing team ...
🌟 Configuring your password store ...
✅ Configuration written
[test-gopass-1]Configuring git remote ...
[test-gopass-1]Cloning from the git remote ...
[test-gopass-1]✅ Done. Joined Team "test-gopass-1"
[test-gopass-1]⚠ You still need to request access to decrypt secrets!

The .gpg-id of felixhammerl/test-gopass-1:

0x7859E6520888D02E
0xF9CA7755347E6586

Expected behavior

gopass is able to access the secret located in gopass show test-gopass-1/dev/asdasd by identifying the key already present in gpg, without creating an additional key.

Environment

  • OS: Ubuntu
  • OS version: 22.0.4
  • gopass Version: gopass_1.15.8_linux_amd64.deb
  • Installation method: wget https://github.com/gopasspw/gopass/releases/download/v1.15.8/gopass_1.15.8_linux_amd64.deb && sudo dpkg -i gopass_1.15.8_linux_amd64.deb
  • which gpg: /usr/bin/gpg

gpg --version:

/usr/bin/gpg
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/runner/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

gpg --with-colons --with-fingerprint --fixed-list-mode --list-secret-keys:

sec:-:255:22:F9CA7755347E6586:1714038690:1808646690::-:::scESC:::+::ed25519:::0:
fpr:::::::::0BD7A9CD3879692AC798DB37F9CA7755347E6586:
grp:::::::::7E618A5619E3D85845A461CC2E9A17A825056261:
uid:-::::1714038690::6D88BAC39B2EE34C38E23D4059C5811A8C1E250B::gopass-terraform-example <gopass-terraform-example@github>::::::::::0:
ssb:-:255:18:34450B171B299CBB:1714038690:1808646690:::::e:::+::cv25519::
fpr:::::::::5E61279E484710460AC60C5234450B171B299CBB:
grp:::::::::421853EE087F62980288FF2D84C3078AAE6048B7:

Please let me know if you would like the debug logs
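The first thing to rule out in a report like this is a mismatch between what the store's .gpg-id lists and what is actually in the runner's secret keyring. The following pre-flight check is an added example and is not part of the issue or of gopass: it parses the same `--with-colons` secret-key listing quoted above, takes the fingerprint of each primary secret key, and reports which .gpg-id entries have a matching secret key, so the step can fail loudly before `gopass setup` ever runs. The listing and .gpg-id content are constructed inline from the issue so the script runs offline; in a workflow you would pipe in `gpg --with-colons --with-fingerprint --fixed-list-mode --list-secret-keys` and the store's .gpg-id instead. The function names are this example's own.

```shell
#!/usr/bin/env sh
# Added example (not from the issue or from gopass): confirm that at least one
# recipient in a store's .gpg-id has a matching *secret* key in the local GnuPG
# keyring, using GnuPG's colon-separated listing format.
#
# Constructed sample input: the secret-key listing quoted in the issue
# (one ed25519 primary key plus one cv25519 encryption subkey).
SAMPLE_LISTING='sec:-:255:22:F9CA7755347E6586:1714038690:1808646690::-:::scESC:::+::ed25519:::0:
fpr:::::::::0BD7A9CD3879692AC798DB37F9CA7755347E6586:
grp:::::::::7E618A5619E3D85845A461CC2E9A17A825056261:
uid:-::::1714038690::6D88BAC39B2EE34C38E23D4059C5811A8C1E250B::gopass-terraform-example <gopass-terraform-example@github>::::::::::0:
ssb:-:255:18:34450B171B299CBB:1714038690:1808646690:::::e:::+::cv25519::
fpr:::::::::5E61279E484710460AC60C5234450B171B299CBB:
grp:::::::::421853EE087F62980288FF2D84C3078AAE6048B7:'

# Constructed sample input: the .gpg-id of the store quoted in the issue.
SAMPLE_GPG_ID='0x7859E6520888D02E
0xF9CA7755347E6586'

# Read a colon listing on stdin and print the 40-hex-digit fingerprint of every
# *primary* secret key. In this format the "fpr" record directly after a "sec"
# record belongs to that primary key; "fpr" records after "ssb" describe
# subkeys and are skipped, so a subkey alone never counts as a usable identity.
secret_primary_fprs() {
  awk -F: '
    $1 == "sec" { want = 1; next }
    $1 == "ssb" { want = 0; next }
    $1 == "fpr" && want { print toupper($10); want = 0 }
  '
}

# Normalise one .gpg-id entry: drop a leading 0x, drop spaces, upper-case hex.
norm_id() {
  printf '%s' "$1" | sed -e 's/^0[xX]//' -e 's/ //g' | tr 'a-f' 'A-F'
}

# usage: usable_recipients LISTING_TEXT GPG_ID_TEXT
# Print each .gpg-id entry for which a primary secret key is present. Matching
# is done on a suffix of the fingerprint, so 8-, 16- or 40-digit IDs all work.
usable_recipients() {
  fprs=$(printf '%s\n' "$1" | secret_primary_fprs)
  printf '%s\n' "$2" | while IFS= read -r line; do
    id=$(norm_id "$line")
    [ -n "$id" ] || continue
    for f in $fprs; do
      case "$f" in *"$id") printf '%s\n' "$line"; break ;; esac
    done
  done
}

# Stand-alone run against the constructed samples: exit non-zero (as a CI step
# should) when no .gpg-id recipient has a secret key in the keyring.
if [ -z "$(usable_recipients "$SAMPLE_LISTING" "$SAMPLE_GPG_ID")" ]; then
  echo "no secret key in the keyring matches any .gpg-id recipient" >&2
  exit 1
fi
usable_recipients "$SAMPLE_LISTING" "$SAMPLE_GPG_ID"
```

Run against the issue's own data this prints `0xF9CA7755347E6586`, i.e. the imported key does correspond to a recipient of the store, which is consistent with `gopass show` succeeding afterwards. Putting this check between the `gpg --import` step and `gopass setup` separates "the key never made it into the runner's keyring" from "the key is there but was not selected", which is the distinction the debug logs would then need to explain.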
