Gopass: mounts' config ignored in 1.7.0 when using commands with --store option

Thank you very much for reporting this issue. Unfortunately I can't seem to reproduce it.
After testing this locally and looking at the code I see no way how a gopass sync should be run before or after gopass recipients rm.

Please try to run the commands again with GOPASS_DEBUG=true being set in your environment, e.g. GOPASS_DEBUG=true gopass recipients rm --store prefixformount/access [email protected].

Sorry for the chosen words. I don't know if gopass recipients rm --store prefixformount/access [email protected] acts like gopass sync before and after removing, but the command somehow syncs with remote git repository even when configured to not do the syncing.

Steps for this interaction:

1. New remote git repositories to contain only initial commiter GPG key.
2. Setup stores/mounts from remote git repositories in a new server and a new user.

# yes | gopass init --rcs noop --crypto gpg "<initial commiter e-mail>"

... (after setup) ...

# gopass recipients
Hint: run 'gopass sync' to import any missing public keys
gopass
├── prefixformount
│   ├── access (/usr/local/prefixformount/gopass/access)
│   │   └── 0x<initial commiter GPG key> - Initial Commiter
│   ├── enable (/usr/local/prefixformount/gopass/enable)
│   │   └── 0x<initial commiter GPG key> - Initial Commiter
│   ├── misc (/usr/local/prefixformount/gopass/misc)
│   │   └── 0x<initial commiter GPG key> - Initial Commiter
│   └── verysecret-access (/usr/local/prefixformount/gopass/verysecret-access)
│       └── 0x<initial commiter GPG key> - Initial Commiter
└── 0x<initial commiter GPG key> - Initial Commiter

# gopass mounts
gopass (/root/.password-store)
└── prefixformount
    ├── access (/usr/local/prefixformount/gopass/access)
    ├── enable (/usr/local/prefixformount/gopass/enable)
    ├── misc (/usr/local/prefixformount/gopass/misc)
    └── verysecret-access (/usr/local/prefixformount/gopass/verysecret-access)

# gopass config
root store config:
  askformore: false
  autoclip: true
  autoimport: false
  autosync: false
  cliptimeout: 45
  editrecipients: false
  nocolor: true
  noconfirm: false
  nopager: false
  notifications: true
  path: gpgcli-noop-fs+file:///root/.password-store
  safecontent: false
  usesymbols: false
mount 'prefixformount/access' config:
  path: gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/access
mount 'prefixformount/enable' config:
  path: gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/enable
mount 'prefixformount/misc' config:
  path: gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/misc
mount 'prefixformount/verysecret-access' config:
  path: gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/verysecret-access

# cat ~/.config/gopass/config.yml
root:
  askformore: false
  autoclip: true
  autoimport: false
  autosync: false
  cliptimeout: 45
  editrecipients: false
  nocolor: true
  noconfirm: false
  nopager: false
  path: gpgcli-noop-fs+file:///root/.password-store
  safecontent: false
  usesymbols: false
  notifications: true
mounts:
  prefixformount/access:
    askformore: false
    autoclip: true
    autoimport: false
    autosync: false
    cliptimeout: 45
    editrecipients: false
    nocolor: true
    noconfirm: false
    nopager: false
    path: gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/access
    safecontent: false
    usesymbols: false
    notifications: true
  prefixformount/enable:
    askformore: false
    autoclip: true
    autoimport: false
    autosync: false
    cliptimeout: 45
    editrecipients: false
    nocolor: true
    noconfirm: false
    nopager: false
    path: gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/enable
    safecontent: false
    usesymbols: false
    notifications: true
  prefixformount/misc:
    askformore: false
    autoclip: true
    autoimport: false
    autosync: false
    cliptimeout: 45
    editrecipients: false
    nocolor: true
    noconfirm: false
    nopager: false
    path: gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/misc
    safecontent: false
    usesymbols: false
    notifications: true
  prefixformount/verysecret-access:
    askformore: false
    autoclip: true
    autoimport: false
    autosync: false
    cliptimeout: 45
    editrecipients: false
    nocolor: true
    noconfirm: false
    nopager: false
    path: gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/verysecret-access
    safecontent: false
    usesymbols: false
    notifications: true
version: 1.7.0

1. Adding new recipient Someone < [email protected] >:

# GOPASS_DEBUG=TRUE gopass recipients add --store prefixformount/access [email protected]
[DEBUG] Loaded config: Config[Root:StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-noop-fs+file:///root/.password-store,SafeContent:false,UseSymbols:false],Mounts(prefixformount/access=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/access,SafeContent:false,UseSymbols:false]prefixformount/enable=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/enable,SafeContent:false,UseSymbols:false]prefixformount/misc=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/misc,SafeContent:false,UseSymbols:false]prefixformount/verysecret-access=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/verysecret-access,SafeContent:false,UseSymbols:false]),Version:1.7.0]
[DEBUG] Loaded config from /root/.config/gopass/config.yml: Config[Root:StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-noop-fs+file:///root/.password-store,SafeContent:false,UseSymbols:false],Mounts(prefixformount/access=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/access,SafeContent:false,UseSymbols:false]prefixformount/enable=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/enable,SafeContent:false,UseSymbols:false]prefixformount/misc=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/misc,SafeContent:false,UseSymbols:false]prefixformount/verysecret-access=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/verysecret-access,SafeContent:false,UseSymbols:false]),Version:1.7.0]
Do you want to add '0x0123456789ABCDEF - Someone <[email protected]>' as an recipient to the store 'prefixformount/access'? [y/N/q]: y
Enter passphrase for key '/root/.ssh/id_rsa':
Enter passphrase for key '/root/.ssh/id_rsa':
Reencrypting existing secrets. This may take some time ...
1 of 121 secrets reencrypted                                                                                         [#>-------------------------------------------------------------------------------------------------------]   0.83%Failed to get current value for prefixformount/access/subdirA/secret1: Entry is not in the password store
Failed to get current value for prefixformount/access/subdirA/secret2: Entry is not in the password store
...
...
...
Failed to get current value for prefixformount/access/subdirZ/secret119: Entry is not in the password store
Failed to get current value for prefixformount/access/subdirZ/secret120: Entry is not in the password store
121 of 121 secrets reencrypted                                                                                       [#########################################################################################################] 100.00%Failed to get current value for prefixformount/access/subdirZ/secret121: Entry is not in the password store

Error: failed to add recipient '[email protected]': failed to commit changes to git: git has nothing to commit

Note the request for ssh's password input before Reencrypting existing secrets.

Even if Error message was displayed as red, I checked remote git server and the related commits were there after command in step 3.

The next command was in local new server (described in step 2):

# cd /usr/local/prefixformount/gopass/access; git log --pretty=oneline | head -n 10
1fc95d91d0210b46ca89cd8ced1bec7025fceae4 Exported Public Keys 0x0123456789ABCDEF
a069394bca0b322e17788bd0d1f60f2b91194fba Exported Public Keys <initial commiter GPG key>
f8555c607d7ea189002350399321ccf18a06755c Added Recipient 0x0123456789ABCDEF
85d739962461361f693fa41eec225369cea84c0a Last commit before adding new recipient (used 1.6.10)

(0x0123456789ABCDEF is gpg key for Someone < [email protected] >)

I didn't use gopass recipients rm --store ... in step 3 as requested in previous interation. I used gopass recipients add --store ... but the reported issue itself is the same.

# gopass recipients
Hint: run 'gopass sync' to import any missing public keys
gopass
├── prefixformount
│   ├── access (/usr/local/prefixformount/gopass/access)
│   │   ├── 0x0123456789ABCDEF - Someone <[email protected]>
│   │   └── 0x<initial commiter GPG key> - Initial Commiter
│   ├── enable (/usr/local/prefixformount/gopass/enable)
│   │   └── 0x<initial commiter GPG key> - Initial Commiter
│   ├── misc (/usr/local/prefixformount/gopass/misc)
│   │   └── 0x<initial commiter GPG key> - Initial Commiter
│   └── verysecret-access (/usr/local/prefixformount/gopass/verysecret-access)
│       └── 0x<initial commiter GPG key> - Initial Commiter
└── 0x<initial commiter GPG key> - Initial Commiter

So the issue itself is that, even if config for root and each mount/store are set to autosync: false, adding/removing recipients using --store parameter pushes commits to remote git server.

Is there any other info that needs to be provided to analyze how to proceed?

I'm not sure if I understand correctly, but having the commits show up in
cd /usr/local/prefixformount/gopass/access; git log --pretty=oneline | head -n 10
makes sense because this location is configured as the working directory of prefixformount/access.

Unfortunately you seem to have removed most of the relevant GOPASS_DEBUG output, but you should see no git push commands in there.

Unfortunately you seem to have removed most of the relevant GOPASS_DEBUG output, but you should see no git push commands in there.

About the quoted part, I only removed repeated Failed to get entries with ... and masqueraded real paths. Other than that, I put the full output. It may also indicate a missing GOPASS_DEBUG output, but the git push itself was done somehow.

I'm not sure if I understand correctly, but having the commits show up in
cd /usr/local/prefixformount/gopass/access; git log --pretty=oneline | head -n 10
makes sense because this location is configured as the working directory of prefixformount/access.

It does make sense locally, but not remotely, which was done. I didn't put the remote output, but the remote history is the same as the local one, so a git push was done.

Ok, I'll try to reproduce.

Just an update: I'm reading the code in master branch and cross-compiled today from macOS to Linux and the issue still persists (tested both by using remote repo access as ssh and as https and both tries to pull before reencrypting secrets).

# GOPASS_DEBUG=TRUE gopass recipients add --store prefixformount/access [email protected]
[DEBUG] Trying to load config from /root/.config/gopass/config.yml
[DEBUG] Loaded config: Config[Root:StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-noop-fs+file:///root/.password-store,SafeContent:false,UseSymbols:false],Mounts(prefixformount/access=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/access,SafeContent:false,UseSymbols:false]prefixformount/enable=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/enable,SafeContent:false,UseSymbols:false]prefixformount/misc=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/misc,SafeContent:false,UseSymbols:false]prefixformount/verysecret-access=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/verysecret-access,SafeContent:false,UseSymbols:false]),Version:1.7.2-git+HEAD]
[DEBUG] Loaded config from /root/.config/gopass/config.yml: Config[Root:StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-noop-fs+file:///root/.password-store,SafeContent:false,UseSymbols:false],Mounts(prefixformount/access=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/access,SafeContent:false,UseSymbols:false]prefixformount/enable=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/enable,SafeContent:false,UseSymbols:false]prefixformount/misc=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/misc,SafeContent:false,UseSymbols:false]prefixformount/verysecret-access=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/verysecret-access,SafeContent:false,UseSymbols:false]),Version:1.7.2-git+HEAD]
Do you want to add '0x0123456789ABCDEF - Someone <[email protected]>' as an recipient to the store 'prefixformount/access'? [y/N/q]: y
[DEBUG] Saved config to /root/.config/gopass/config.yml: Config[Root:StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-noop-fs+file:///root/.password-store,SafeContent:false,UseSymbols:false],Mounts(prefixformount/access=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/access,SafeContent:false,UseSymbols:false]prefixformount/enable=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/enable,SafeContent:false,UseSymbols:false]prefixformount/misc=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/misc,SafeContent:false,UseSymbols:false]prefixformount/verysecret-access=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/verysecret-access,SafeContent:false,UseSymbols:false]),Version:1.7.2-git+HEAD]
Password for 'https://[email protected]:443': Failed to pull before git push: signal: interrupt

Error: failed to add recipient '[email protected]': failed to save recipients: failed to push changes to git: context canceled

Currently, I am trying to find where such pull occurs, given that it happens between

Do you want to add '0x0123456789ABCDEF - Someone <[email protected]>' as an recipient to the store 'prefixformount/access'? [y/N/q]:
https://github.com/gopasspw/gopass/blob/master/pkg/action/recipients.go#L105

and

Reencrypting existing secrets. This may take some time ...
https://github.com/gopasspw/gopass/blob/master/pkg/store/sub/recipients.go#L57

(based on the output of step 3 in third comment of this issue)

Ok, thanks a lot for these pointers. Now I found the place where the push/pull occurs: https://github.com/gopasspw/gopass/blob/master/pkg/store/sub/recipients.go#L252

Probably another place where the config isn't properly propagated. Will try to investigate/fix tomorrow.

@ayharano Could you please check out if the changes in #848 fix your issue?

@dominikschulz

Using
# GOPASS_DEBUG=TRUE gopass recipients add --store prefixformount/access [email protected]
went all fine without syncing.

However, the commited code seems to introduce a bug in removal:

# GOPASS_DEBUG=TRUE gopass recipients rm --store prefixformount/access [email protected]
[DEBUG] Trying to load config from /root/.config/gopass/config.yml
[DEBUG] Loaded config: Config[Root:StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-noop-fs+file:///root/.password-store,SafeContent:false,UseSymbols:false],Mounts(prefixformount/access=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/access,SafeContent:false,UseSymbols:false]prefixformount/enable=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/enable,SafeContent:false,UseSymbols:false]prefixformount/misc=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/misc,SafeContent:false,UseSymbols:false]prefixformount/verysecret-access=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/verysecret-access,SafeContent:false,UseSymbols:false]),Version:1.7.2-git+HEAD]
[DEBUG] Loaded config from /root/.config/gopass/config.yml: Config[Root:StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-noop-fs+file:///root/.password-store,SafeContent:false,UseSymbols:false],Mounts(prefixformount/access=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/access,SafeContent:false,UseSymbols:false]prefixformount/enable=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/enable,SafeContent:false,UseSymbols:false]prefixformount/misc=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/misc,SafeContent:false,UseSymbols:false]prefixformount/verysecret-access=>StoreConfig[AskForMore:false,AutoClip:true,AutoImport:false,AutoSync:false,ClipTimeout:45,Concurrency:1,EditRecipients:false,NoColor:true,NoConfirm:false,NoPager:false,Notifications:true,Path:gpgcli-gitcli-fs+file:///usr/local/prefixformount/gopass/verysecret-access,SafeContent:false,UseSymbols:false]),Version:1.7.2-git+HEAD]

Error: failed to remove recipient '[email protected]': recipient not in store

Key for Someone < [email protected] > exists both in mount's .gpg-id file and is listed in gpg2 --list-keys.

# gopass recipients
Hint: run 'gopass sync' to import any missing public keys
gopass
├── prefixformount
│   ├── access (/usr/local/prefixformount/gopass/access)
│   │   ├── 0x0123456789ABCDEF - Someone <[email protected]>
│   │   └── 0x<initial commiter GPG key> - Initial Commiter
│   ├── enable (/usr/local/prefixformount/gopass/enable)
│   │   └── 0x<initial commiter GPG key> - Initial Commiter
│   ├── misc (/usr/local/prefixformount/gopass/misc)
│   │   └── 0x<initial commiter GPG key> - Initial Commiter
│   └── verysecret-access (/usr/local/prefixformount/gopass/verysecret-access)
│       └── 0x<initial commiter GPG key> - Initial Commiter
└── 0x<initial commiter GPG key> - Initial Commiter

tl;dr: to add a recipient into a mount without syncing is ok. To remove a recipient from a mount, it does NOT find existing key to remove.

Ah, thanks a lot. Actually this isn't a new bug, but a rather old one.
Nevertheless I'm glad you found it. Should be fixed once #850 is merged.