When adding a recipient to a gopass store, the secrets are not automatically re-encrypted for viewing by that recipient.
Run the gopass recipient add wizard and choose a new recipient.
Once that has run, run gopass sync.
Have the recipient clone the repository and view a secret. It will fail.
You can run gopass --yes fsck on the remote and this will correct the issue.
Adding a recipient to a store automatically re-encrypts secrets for that recipient.
gopass 1.8.4-git+HEAD go1.11.2 darwin amd64
<root> - gpg 2.2.8 - git 2.14.3 - fs 0.1.0
Thanks for reporting this issue. Unfortunately I'm unable to reproduce this.
Pretty sure I've replicated this issue. I had an existing password store with a single recipient and ~50 objects. I added a second recipient through the wizard gopass recipients add and selected the public key. It then appeared that gopass re-encrypted the entire store. However, when I cloned the repository on the remote host (phone) I was not able to decrypt any of the entries using the newly added key.
In checking one of the entries in the store manually with GPG I found this:
$ gpg --list-only -v -d $ENTRY
gpg: public key is 0x0000000000000000
gpg: public key is 0x0000000000000000
gpg: encrypted with RSA key, ID 0x0000000000000000
gpg: encrypted with RSA key, ID 0x0000000000000000
I then decided to attempt the gopass fsck and found that it reported many of the entries in the store did NOT have recipients:
Checking store integrity ...
1 of 52 objects checked [#>---------------------------] 1.92%
[] Missing recipients on $ENTRY: [...]
However, even after it says that it fixed it and pushed to the repository, a subsequent gopass fsck run produces the same errors for the same entries, and claims to have fixed them.
However, I'm still not able to view any of the entries I've tested using the new recipient key. I've tried freshly cloning the repository after the gopass fsck.
$ gopass version
gopass 1.8.5 (2019-03-13 17:51:51) go1.12 linux amd64
<root> - gpg 2.2.15 - git 2.21.0 - fs 0.1.0
Available Crypto Backends: gpgcli, openpgp, plain, xc
Available RCS Backends: gitcli, noop
Available Storage Backends: fs, inmem
@jamincollins did you solve that? I am in exactly that situation and haven't been able to fix it yet...
@dominikschulz ^ I have repro'd, what do you need?
@dominikschulz I resolved the issue that I and (I think) @jamincollins were having. It was due to gpg being configured with hidden recipients:
~/.gnupg/gpg.conf
...
# Disable putting recipient key IDs into messages
throw-keyids
gopass itself still works _fine_ with anonymous recipients since it's delegating to gpg. The issue is that some other pass-compatible clients use PGP implementations that can't deal with this (notably, on Android, OpenKeychain fails here).
While the UX around this could potentially be better, it doesn't look like it's really a gopass issue and perhaps not even actually related to the issue raised by the OP here. Sorry for the false alarm!
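As a check a store owner can run before expecting another client to decrypt a gopass store (an added example, not code from gopass or from anyone in this thread): a small Python parser that reads the PKESK packets at the front of a binary .gpg file and returns the recipient key IDs, so entries carrying the 0x0000000000000000 wildcard that throw-keyids produces can be found, plus a check of gpg.conf for throw-keyids and the hidden-* recipient options. It assumes binary (not ASCII-armored) files, which is what the gpgcli backend writes; build_pkesk only constructs sample packets so the check runs offline.

```python
WILDCARD_KEYID = "0000000000000000"  # key ID gpg writes into a PKESK packet under throw-keyids

def _read_header(buf, pos):
    """Parse one OpenPGP packet header at pos; return (tag, body_start, body_end)."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                        # new-format header (RFC 4880 4.2.2)
        tag, b1 = first & 0x3F, buf[pos + 1]
        if b1 < 192:
            length, hdr = b1, 2
        elif b1 < 224:
            length, hdr = ((b1 - 192) << 8) + buf[pos + 2] + 192, 3
        elif b1 == 255:
            length, hdr = int.from_bytes(buf[pos + 2:pos + 6], "big"), 6
        else:
            raise ValueError("partial body lengths are not used for PKESK")
    else:                                   # old-format header (RFC 4880 4.2.1)
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not used for PKESK")
        hdr = 1 + (1, 2, 4)[ltype]
        length = int.from_bytes(buf[pos + 1:pos + hdr], "big")
    return tag, pos + hdr, pos + hdr + length

def pkesk_key_ids(data):
    """Hex key IDs of every PKESK packet (tag 1) that precedes the encrypted payload."""
    ids, pos = [], 0
    while pos < len(data):
        tag, start, end = _read_header(data, pos)
        if tag != 1:
            break                           # the SEIPD/SED packet ends the recipient list
        body = data[start:end]
        if body[0] != 3:
            raise ValueError("unsupported PKESK version %d" % body[0])
        ids.append(body[1:9].hex().upper())  # byte 0 version, bytes 1-8 key ID, byte 9 algo
        pos = end
    return ids

def gpg_conf_hides_keyids(conf_text):
    """True if gpg.conf enables throw-keyids or any hidden-* recipient option."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "throw-keyids" or line.startswith("hidden-"):
            return True
    return False

def build_pkesk(key_id_hex, algo=1, mpi=b"\x00\x01\x01"):  # constructed sample packet, not gpg output
    body = bytes([3]) + bytes.fromhex(key_id_hex) + bytes([algo]) + mpi  # v3 PKESK body
    return bytes([0x85]) + len(body).to_bytes(2, "big") + body           # old-format tag 1, 2-byte len
```

Entries whose key IDs come back as the wildcard are the ones gopass fsck reports as missing recipients and that OpenKeychain cannot decrypt; the same parser works on the real files by passing `open(path, "rb").read()`.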
Thanks for investigating further!
Not sure there is much we can do about this.
In the long term I'd like to get rid of shelling out to GPG, or even GPG entirely, but that opens up another can of worms.