
Decryption with multiple PGP keys fails #21

Open
philicious opened this issue Dec 17, 2018 · 3 comments


@philicious
commented Dec 17, 2018

This is a question for better understanding:

When adding multiple PGP keys to a secret, it seems as if you can only decrypt the secret when also having the pubkey of the person who added your key:

I added a colleague's key; however, he wasn't able to decrypt until he imported my pubkey into his keyring.

This is the debug output:

```
kubesec patch foobar.yaml --debug
Executing sh -c "/usr/local/MacGPG2/bin/gpg2 --list-secret-keys --with-colons --fingerprint --fingerprint" 
Attempting to decrypt DEK with PGP key _HIS_KEY_ID_ 
Executing sh -c "/usr/local/MacGPG2/bin/gpg2 -d --status-fd 3 -o /var/folders/3s/y699yyld6mj8h32yt68nblt40000gn/T/808465590E /var/folders/3s/y699yyld6mj8h32yt68nblt40000gn/T/808465590" 
gpg: encrypted with 4096-Bit RSA key, ID  _HIS_KEY_ID_ ,..
gpg: Signature made Thu Nov ..
gpg: using RSA key _MY_KEY_ID
gpg: signature verification failed: No public key
Unable to decrypt DEK with PGP key _HIS_KEY_ID_  (Signature is invalid or missing) 
Unable to decrypt Data Encryption Key (DEK) 
```

This behavior is rather unfavorable, as every decrypter needs to retrieve and import all other pubkeys.

@tk3fftk

commented Apr 15, 2019

I think the file (foobar.yaml) might be signed with another key (the default key).
Kubesec cannot set a signing key for encrypting.
My workaround is to set a default key via ~/.gnupg/gpg.conf if you have multiple keys.

Ref: https://unix.stackexchange.com/questions/339077/set-default-key-in-gpg-for-signing
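To make the failure mode in the debug output above (and the default-key explanation) concrete, here is an added example, not kubesec's own code, that classifies a gpg `--status-fd` transcript: it separates "the DEK decrypted but the signature comes from a public key we do not hold" from "the DEK could not be decrypted" and from "the signature is bad". The status tags (ENC_TO, DECRYPTION_OKAY, ERRSIG with rc 9, NO_PUBKEY, GOODSIG, BADSIG) are GnuPG's documented ones; the transcript and the key ids `_HIS_KEY_ID_` / `_MY_KEY_ID_` are constructed placeholders mirroring the report.

```python
# Added example (not kubesec code): summarise a gpg --status-fd transcript.
STATUS_PREFIX = "[GNUPG:] "

def parse_gpg_status(lines):
    """Return a summary dict built from gpg status-fd lines; other lines are ignored."""
    s = {"decrypted": None, "signature": "none", "signer": None,
         "encrypted_to": [], "missing_pubkeys": []}
    for raw in lines:
        if not raw.startswith(STATUS_PREFIX):
            continue                      # stderr noise, not a status line
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        tag, args = fields[0], fields[1:]
        if tag == "ENC_TO" and args:      # ENC_TO <keyid> <pkalgo> <keylen>
            s["encrypted_to"].append(args[0])
        elif tag == "DECRYPTION_OKAY":
            s["decrypted"] = True
        elif tag == "DECRYPTION_FAILED":
            s["decrypted"] = False
        elif tag in ("GOODSIG", "BADSIG") and args:
            s["signature"] = "good" if tag == "GOODSIG" else "bad"
            s["signer"] = args[0]
        elif tag == "ERRSIG" and len(args) >= 6:
            # ERRSIG <keyid> <pkalgo> <hashalgo> <sigclass> <time> <rc>; rc 9 = no public key
            s["signer"] = args[0]
            if args[5] == "9":
                s["signature"] = "unverifiable"
            elif s["signature"] == "none":
                s["signature"] = "error"
        elif tag == "NO_PUBKEY" and args:
            s["missing_pubkeys"].append(args[0])
            s["signature"] = "unverifiable"
    return s

def diagnose(lines):
    """Turn the summary into the message a wrapper such as kubesec could print."""
    s = parse_gpg_status(lines)
    if s["decrypted"] is False:
        return "DEK could not be decrypted with any available secret key"
    if s["signature"] == "good":
        return "DEK decrypted and signature by %s verified" % s["signer"]
    if s["signature"] == "none":
        return "DEK decrypted, file unsigned"
    if s["signature"] == "unverifiable":
        return ("DEK decrypted, but signature by %s cannot be verified: "
                "import that public key (the signer's default gpg key)" % s["signer"])
    return "DEK decrypted, but signature by %s is invalid (%s)" % (s["signer"], s["signature"])

# Constructed transcript mirroring the issue: encrypted to the colleague's key,
# signed with the reporter's default key, which the colleague had not imported.
SAMPLE_STATUS = [
    "[GNUPG:] ENC_TO _HIS_KEY_ID_ 1 0",
    "[GNUPG:] BEGIN_DECRYPTION",
    "[GNUPG:] DECRYPTION_OKAY",
    "[GNUPG:] ERRSIG _MY_KEY_ID_ 1 8 00 1542800000 9",
    "[GNUPG:] NO_PUBKEY _MY_KEY_ID_",
    "[GNUPG:] END_DECRYPTION",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_STATUS))
```

As the kubesec output above shows, it treats the unverifiable case as a failed decryption (fail closed); this example only makes the cause visible so the operator knows which public key to import.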

@davinkevin

commented Aug 20, 2019

+1 for this issue, especially if we want to do this operation within our CI pipeline. Is this possible, @shyiko?

Our CI system should know every public key of the team members, which is not very friendly...

@tk3fftk, could you be more precise in your answer, because I don't quite get it. I don't see the link between your answer and the original issue.

@Neonox31

commented Aug 20, 2019

+1. FYI, sops seems to work well for this case.
