bug: Password is encrypted with multiple gpg keys. .gpg-id is ignored. about gopass HOT 2 OPEN

I'm not sure I follow your report.

You are saying that gopass incorrectly used a sub-keyid as a recipient for a secret outside of that folder?

Can you please provide more details information and steps to reproduce?
Please set GOPASS_DEBUG_LOG=/tmp/gopass.log (or simliar), GOPASS_HOMEDIR=/tmp/gopass and then execute all the steps necessary from the shell where these variables are set. This should allow you to operate in an isolated password store. Please provide the exact commands used and the log file.

from gopass.

@dominikschulz recreating from zero on emtpy user

• adduser testuser

• sudo usermod -a -G sudo testuser

• su - user

• apt install screen

• script /dev/null

• screen (and press enter), just su user does not have right to use gpg, we use screen to go around this problem

• gpg --full-generate-key (picking default, default, default, name: mykey1) first key. optionally making it passworded by better visibility of a bug, but not necessary

• pass init mykey1 create pass storage

• gpg --full-generate-key create second gpg key, named mykey2

• pass init --path=api mykey2 creating subfolder

$ cat /home/testuser/.password-store/.gpg-id
mykey1
$ cat /home/testuser/.password-store/api/.gpg-id
mykey2

• pass insert smth1
• cd /home/testuser/.password-store/

$ gpg -d smth1.gpg
gpg: encrypted with 3072-bit RSA key, ID CB6FC1F250432CDC, created 2024-07-30
"mykey1 [email protected]"
123
// All is good, encrypted with one key.

$ sudo snap install go --classic
$ go install github.com/gopasspw/gopass@latest
$ ~/go/bin/gopass
gopass> insert smth2
gopass> quit

$ gpg -d smth2.gpg
gpg: encrypted with 3072-bit RSA key, ID CB6FC1F250432CDC, created 2024-07-30
"mykey1 [email protected]"
123123

// :thinking: okay one key is used

$ ~/go/bin/gopass
gopass> insert api/smth3
gopass> insert smth4
gopass> quit

$ gpg -d api/smth3.gpg
gpg: encrypted with 3072-bit RSA key, ID CB6FC1F250432CDC, created 2024-07-30
"mykey1 [email protected]"
gpg: encrypted with 3072-bit RSA key, ID 1B8A2CABDBA7ACB1, created 2024-07-30
"mykey2"
123123

// :exclamation: aha. bug is reproduced partially from zero. i expected seeing only mykey2 here, but we see both keys used to encrypt api/smth3.gpg

$ gpg -d smth4.gpg
gpg: encrypted with 3072-bit RSA key, ID CB6FC1F250432CDC, created 2024-07-30
"mykey1 [email protected]"
123123

// okay, this one still encrypted with mykey1 only, but i had bug before where both mykey1 and mykey2 shown for non root path
// this time i only caught where subfolder inserted record (with gopass) for some reason acquired mykey1 and mykey2 keys both at the same time, while it should have used mykey2 only

$ pass insert api/smth5
Enter password for api/smth5:
Retype password for api/smth5:
$ gpg -d api/smth5.gpg
gpg: encrypted with 3072-bit RSA key, ID 1B8A2CABDBA7ACB1, created 2024-07-30
"mykey2"
123

// as u can see pass encrypts only with one key in subfolder
TLDR: this is instruction for partial bug reproduction, but my original issue was that double gpg key was used for non subfolder inserted keys too. that was issue.
This reproducing instruction a similar uncovered situation where double gpg key (instead of one) is used to encrypt stuff for subfolder

We can note here that those are issues for using gopass with basically stuff from pass

$ pass version
============================================
= pass: the standard unix password manager =
=                                          =
=                  v1.7.4                  =
=                                          =
=             Jason A. Donenfeld           =
=               [email protected]            =
=                                          =
=      http://www.passwordstore.org/       =
============================================

from gopass.