Gopass: Failed to fetch public key

Created on 2 Feb 2017 · 18 Comments · Source: gopasspw/gopass

Getting this whenever I use init and either select a key from the menu or enter in a long ID.

I'm pretty sure I have this public key locally as it is from my own private keypair.

Is there any way to get additional debugging details so I can determine what this means? (I.e. failure of the gpg binary, maybe something wrong with my key, etc.)

Thanks.

All 18 comments

Try export GOPASS_DEBUG=true to get some more debug output.

You can use: gpg --list-keys to check if a key with the fingerprint exists. We do not do much more under the hood.

Ah, so when I run the command displayed in the debug output, I see:

gpg: Note: '--with-colons' is not considered an option
gpg: Note: '--with-fingerprint' is not considered an option
gpg: Note: '--fixed-list-mode' is not considered an option
gpg: Note: '--list-public-keys' is not considered an option
tru::1:1451480729:0:3:1:5
pub:-:4096:1:0205FA0EFEAD8457:1409057771:1566737771::-:::scaESCA:::::::
fpr:::::::::B01CECF21E703749B083E1780205FA0EFEAD8457:
uid:-::::1409057771::50DF8E6034F328B63C1B03A18D0955E79A3DF349::Nolan Darilek <[email protected]>:::::::::
sub:-:4096:1:1FA166BC17ECABA2:1409057771:1566737771:::::e::::::

Wondering if the errors at the beginning of the output are causing this
to fail?

This is on Fedora 24 with the default gnupg packages installed.

Thanks.

Wait, never mind. Previous was a cut-and-paste error on my part, but I
did find something else:

Fedora 24 has both /usr/bin/gpg and /usr/bin/gpg2. On both, gpg --version reports 2.1.13. Yet, if I call /usr/bin/gpg as gopass does,
the key isn't found. It is found when I call the binary as /usr/bin/gpg2.

Maybe there is a GPG 1.x compatibility mode that can't read 2.x keys?

Oh, nice find.

This should be fixed by #9

Cool. And that isn't yet merged into master I assume? I'm using go get.

Thanks, looking forward to using this.

We're collecting the first batch of feedback in develop and will soon do a point release. If you're using go get you can check out master and build that anytime.

Got it. So I've been fumbling around on Google for a while and can't
find this. How do I go get from develop? All I find is that go get
retrieves from the head of the default branch. Is develop the default?

Simply use go get to fetch the repository to your machine. Once done, go to $GOPATH/src/github.com/justwatchcom/gopass. If you are in that directory you can see that it is a normal git repository. Run git checkout develop. Now you can build a new binary by running make build.
Hope that helps. Didn't test it, because I'm on mobile right now.

Got it, now I have a develop binary, but now it tells me no private keys
were found.

Error: No useable private keys found

There is definitely output for the command. Is it safe to paste said
output into this issue?

FWIW, I've created a repo with pass, then used gopass to pull entries
from it. So there doesn't appear to be anything wrong with my GPG setup,
just Gopass' ability to parse the keys in the init command.

I've tracked down the root cause: Depending on your GPG version and config, GPG may mark trusted but not signed keys as unknown. Thus gopass would ignore this key for encryption.

To work around this limitation we currently disabled recipient checking and default to alwaystrust.
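The filtering problem described above, as an added Go example (not gopass's own code): it parses the `--with-colons` records quoted in this thread and shows that a filter requiring full or ultimate validity (field 2) drops the first key, whose validity is `-`. The `Key` type, the function names and the accepted-validity sets are assumptions of this example.

```go
package main

import "fmt"
import "strings"

// Constructed sample: pub/sec/ssb and fpr records from the two listings in this thread.
const sampleListing = `pub:-:4096:1:0205FA0EFEAD8457:1409057771:1566737771::-:::scaESCA:::::::
fpr:::::::::B01CECF21E703749B083E1780205FA0EFEAD8457:
sec:u:4096:1:D507934588256274:1495601237:::u:::scESC::::::23::0:
fpr:::::::::21169A2321248830D72E81C8D507934588256274:
ssb:u:4096:1:C35D3935D344E22F:1495601237::::::e::::::23:
fpr:::::::::F0B179BFDA03F1CBFDC77664C35D3935D344E22F:`

// Key holds colon-listing fields 2 (validity), 5, 10 (of the fpr record) and 12.
type Key struct{ Validity, KeyID, Fingerprint, Caps string }

// ParseColons collects primary keys and the fingerprint record that follows each.
func ParseColons(out string) []Key {
	var keys []Key
	afterPrimary := false
	for _, line := range strings.Split(out, "\n") {
		f := strings.Split(strings.TrimSpace(line), ":")
		isPrimary := (f[0] == "pub" || f[0] == "sec") && len(f) >= 12
		switch {
		case isPrimary:
			keys = append(keys, Key{Validity: f[1], KeyID: f[4], Caps: f[11]})
		case f[0] == "fpr" && afterPrimary && len(f) >= 10:
			keys[len(keys)-1].Fingerprint = f[9]
		}
		afterPrimary = isPrimary // fpr records after ssb/sub belong to subkeys
	}
	return keys
}

// Usable keeps encryption-capable keys whose validity letter is listed in accept.
func Usable(keys []Key, accept string) []Key {
	var ok []Key
	for _, k := range keys {
		if k.Validity != "" && strings.Contains(accept, k.Validity) && strings.Contains(k.Caps, "E") {
			ok = append(ok, k)
		}
	}
	return ok
}

func main() {
	keys := ParseColons(sampleListing)
	fmt.Println(len(Usable(keys, "fu")), "strict,", len(Usable(keys, "-qmfu")), "relaxed")
}
```

With `accept` set to `"fu"` only the key listed with validity `u` survives; widening it to include `-` admits both.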

@dominikschulz I'm running into this problem with the latest version of gopass.

gopass 1.4.1 (634dd033d9ddc5777e0ff5d8ab221b96e6265113 2017-10-06 03:03:40) go1.9.1 darwin amd64
gpg1 --version
gpg (GnuPG) 1.4.22
gpg --version
gpg (GnuPG) 2.2.1
libgcrypt 1.8.1
▶ gopass init D507934588256274
[DEBUG] Loaded config: &{Root:0xc42000f440 Mounts:map[wms:0xc42000f620] Version:1.4.1 XXX:map[]}
[DEBUG] Loaded config from /Users/z002nd2/.config/gopass/config.yml: &{Root:0xc42000f440 Mounts:map[wms:0xc42000f620] Version:1.4.1 XXX:map[]}
Failed to initialized mount wms (/Users/z002nd2/.password-store-wms): password store wms is not initialized. Try gopass init --store wms --path /Users/z002nd2/.password-store-wms. Ignoring
Initializing a new password store ...

[DEBUG] gpg.listKeys: /usr/local/bin/gpg1 [/usr/local/bin/gpg1 --with-colons --with-fingerprint --fixed-list-mode --list-public-keys D507934588256274]
[DEBUG] gpg.listKeys: /usr/local/bin/gpg1 [/usr/local/bin/gpg1 --with-colons --with-fingerprint --fixed-list-mode --list-secret-keys 21169A2321248830D72E81C8D507934588256274]
gpg: error reading key: secret key not available
▶ /usr/local/bin/gpg1 --with-colons --with-fingerprint --fixed-list-mode --list-secret-keys 21169A2321248830D72E81C8D507934588256274
gpg: error reading key: secret key not available

the same command with gpg2 works fine though.

▶ /usr/local/bin/gpg --with-colons --with-fingerprint --fixed-list-mode --list-secret-keys 21169A2321248830D72E81C8D507934588256274
sec:u:4096:1:D507934588256274:1495601237:::u:::scESC::::::23::0:
fpr:::::::::21169A2321248830D72E81C8D507934588256274:
grp:::::::::246896E55F78A2E8DFB17D05923930E3C1753241:
uid:u::::1495601237::68C277AEC585FED73C672133CBAFBFED8730E01F::WMS Secrets <[email protected]>::::::::::0:
ssb:u:4096:1:C35D3935D344E22F:1495601237::::::e::::::23:
fpr:::::::::F0B179BFDA03F1CBFDC77664C35D3935D344E22F:
grp:::::::::7E2938F202C4B9F831A4D1E2C2F1A9FDD3A05CA4:

gopass should use gpg2 if that's available.

I think this line https://github.com/justwatchcom/gopass/blob/master/backend/gpg/cli/gpg.go#L62 might be wrong.

Probably. There's no gpg2 binary on my system. Aliasing gpg2 to gpg didn't
seem to help.

On Tue, Oct 17, 2017 at 10:42 AM, Dominik Schulz notifications@github.com
wrote:

gopass should use gpg2 if that's available.

I think this line https://github.com/justwatchcom/gopass/blob/master/backend/gpg/cli/gpg.go#L62 might be wrong.

It looks like this was a change in the homebrew recipe when the version went from 2.1.21 to 2.2.1

For some reason I had gpg1 installed also, I don't need that so I uninstalled and it works for me. Might be worth just adding an override via an env variable in case this comes up for someone who doesn't have a good workaround?

Might not hurt to capture the version of gpg with gpg --version and do slightly different handling or offer a warning if two versions are detected. Could also do a "smart" detection where if the .gnupg/secring.db exists that means gpg has been initialized, otherwise if the .gnupg/pubring.kbx exists they are using gpg2. I also noticed if you ran gpg2 after gpg1 there is a .gnupg/.gpg-v21-migrated file, which, reading their release notes, strongly suggests you stop using gpg if possible because gpg2 operations won't update the gpg1 pub/priv keys for trust anymore.
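The version check suggested above, sketched as an added Go example (not gopass's code): it picks among candidate binary names by the version each one reports and flags a mixed 1.x/2.x install. The function names, the candidate order and the injected `probe` callback are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

var versionRE = regexp.MustCompile(`(?m)^gpg \(GnuPG[^)]*\) (\d+)\.(\d+)\.(\d+)`)

// ParseVersion reads major, minor and patch from `gpg --version` output.
func ParseVersion(out string) (v [3]int, ok bool) {
	m := versionRE.FindStringSubmatch(out)
	for i := 0; m != nil && i < 3; i++ {
		v[i], _ = strconv.Atoi(m[i+1])
	}
	return v, m != nil
}

// PickBinary returns the candidate reporting the newest GnuPG version (the
// earlier candidate wins a tie) and whether several major versions were seen.
// probe returns the --version output for a binary name.
func PickBinary(candidates []string, probe func(string) (string, error)) (best string, mixed bool) {
	bestRank := -1
	majors := map[int]bool{}
	for _, name := range candidates {
		out, err := probe(name)
		v, ok := ParseVersion(out)
		if err != nil || !ok {
			continue // not installed, or not GnuPG
		}
		majors[v[0]] = true
		if rank := v[0]*1000000 + v[1]*1000 + v[2]; rank > bestRank {
			best, bestRank = name, rank
		}
	}
	return best, len(majors) > 1
}

func main() {
	// Constructed probe results: the version lines quoted in this thread.
	fake := map[string]string{"gpg1": "gpg (GnuPG) 1.4.22", "gpg": "gpg (GnuPG) 2.2.1\nlibgcrypt 1.8.1"}
	probe := func(name string) (string, error) { return fake[name], nil }
	fmt.Println(PickBinary([]string{"gpg2", "gpg", "gpg1"}, probe))
}
```

In real use `probe` would wrap `exec.Command(name, "--version").Output()`; the map stands in for it so the example runs without GnuPG installed.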
