git-annex/doc/bugs/GPG_subkeys.mdwn
Joey Hess ed701667aa
fix gpg subkey support typo
initremote, enableremote: Really support gpg subkeys suffixed with an
exclamation mark, which forces gpg to use a specific subkey. (Previous try
had a bug.)

This commit was sponsored by Jake Vosloo on Patreon.
2017-12-05 13:58:53 -04:00

47 lines
2.6 KiB
Markdown

### Please describe the problem.
Despite the very fast, much appreciated, and excellent response to my initial question [here](http://git-annex.branchable.com/encryption/#comment-cb9c20121e570f80fcd799c1619ced69), I still can't get encryption working with subkeys.
I have a few different machines, each with its own subkey and each configured with the master key stripped out. I'm hoping to be able to encrypt and decrypt from the same special remotes with each of them.
The issue is that git-annex consistently tries to encrypt with the master key, which is not available, and so encryption and the `initremote` fail.
I'm submitting a bug report but I should say that I'm not sure this is the intended (or documented) way to use GPG subkeys and it may not be a git-annex concern. The [Debian Wiki](https://wiki.debian.org/Subkeys) does say that it won't work but the [password store](https://lists.zx2c4.com/pipermail/password-store/2014-September/001131.html) project has implemented it.
Side note: this is not working in gcrypt either.
### What steps will reproduce the problem?
I've tried the following in a few different combinations, with both short and long KEYIDs, and with or without the appended '!' that's supposed to tell gpg which key to use for encryption:
`git annex initremote cloud type=S3 encryption=hybrid keyid=EFEFEFE host=storage.googleapis.com port=80`
In each case I get the same error:
`gpg: decryption failed: No secret key`
`git-annex: user error (/usr/local/bin/gpg ["--quiet","--trust-model","always","--decrypt"] exited 2)`
`failed`
### What version of git-annex are you using? On what operating system?
`git-annex version: 6.20171109`
OS X 10.10.5
### Please provide any additional information below.
### Have you had any luck using git-annex before? (Sometimes we get tired of reading bug reports all day and a lil' positive end note does wonders)
I love git annex. Thank you for your work on it.
> Yeah, so I had that working before but then I tightened the
> code to determine what is a forced subkey and broke it.
>
> [Fixed now; use a "!" at the _end_ to force subkey use:
joey@darkstar:~/tmp/a>git annex initremote testing type=directory directory=../d encryption=hybrid keyid='A4FEC0B5F031BA70!'
initremote testing (encryption setup) gpg: A4FEC0B5F031BA70!: skipped: Unusable public key
gpg: [stdin]: encryption failed: Unusable public key
> It failed to use that subkey because it is a sign-only key,
> and git-annex needs to encrypt, but that certainly shows I got
> git-annex to use the subkey..
>
> I made an encrypt-only subkey, and git-annex is able to use it,
> and it fully works as far as I can tell.
>
> [[done]] --[[Joey]]