Pass <-> Android Password Store incompatibility
Steps to highlight a compatibility issue between pass and Android-Password-Store.
Steps
- Create GPG Key (gpg-key-9FFAABCC1F7D00CE40A1EE1FED31C0DBA11F5155.asc)
- Add two (2) encryption subkeys, so the GPG key has a total of three encryption-capable keys:
  - elg3072/7F51EC6D028FE1FD (new)
  - rsa3072/6E7B4FAC4385056B (new)
  - rsa3072/50D676A945F7873F (from creation)
- Setup and create pass password store
> export PASSWORD_STORE_DIR=$PWD/password-store
> pass init 9FFAABCC1F7D00CE40A1EE1FED31C0DBA11F5155
- (At this point pass sees the git repo and starts creating commits too)
- Add an entry to the pass store
> echo "abc 123" | pass insert -m test-BA11F5155
- Ask GPG about the stored password file password-store/test-BA11F5155.gpg
> gpg --list-packets password-store/test-BA11F5155.gpg
gpg: encrypted with 3072-bit RSA key, ID 6E7B4FAC4385056B, created 2022-08-01
      "Android Password Store Reproduction <VolatileDream@users.noreply.github.com>"
# off=0 ctb=85 tag=1 hlen=3 plen=396
:pubkey enc packet: version 3, algo 1, keyid 6E7B4FAC4385056B
    data: [3070 bits]
# off=399 ctb=d2 tag=18 hlen=2 plen=57 new-ctb
:encrypted data packet:
    length: 57
    mdc_method: 2
# off=420 ctb=cb tag=11 hlen=2 plen=14 new-ctb
:literal data packet:
    mode b (62), created 1659372432, name="",
    raw data: 8 bytes
- Notice the file was encrypted to one (1) key by GPG: 6E7B4FAC4385056B
- Attempt to make pass encrypt to all the encryption subkeys for A11F5155 by listing the subkey IDs in .gpg-id
> echo -e '50D676A945F7873F\n6E7B4FAC4385056B\n7F51EC6D028FE1FD' > password-store/.gpg-id
> echo test-multi-key | pass insert -m test-three-key
> gpg --list-packets password-store/test-three-key.gpg
gpg: encrypted with 3072-bit RSA key, ID 6E7B4FAC4385056B, created 2022-08-01
      "Android Password Store Reproduction <VolatileDream@users.noreply.github.com>"
# off=0 ctb=85 tag=1 hlen=3 plen=396
:pubkey enc packet: version 3, algo 1, keyid 6E7B4FAC4385056B
    data: [3072 bits]
# off=399 ctb=d2 tag=18 hlen=2 plen=64 new-ctb
:encrypted data packet:
    length: 64
    mdc_method: 2
# off=420 ctb=cb tag=11 hlen=2 plen=21 new-ctb
:literal data packet:
    mode b (62), created 1659373364, name="",
    raw data: 15 bytes
- Notice that this has not worked, and only one key was used: 6E7B4FAC4385056B
- Investigate GPG behaviour when specifying multiple subkeys of the same key as recipients
> gpg -r 50D676A945F7873F -r 6E7B4FAC4385056B -r 7F51EC6D028FE1FD --encrypt README.md
gpg: 6E7B4FAC4385056B: skipped: public key already present
gpg: 50D676A945F7873F: skipped: public key already present
> gpg --list-packets README.md.gpg
gpg: encrypted with 3072-bit RSA key, ID 6E7B4FAC4385056B, created 2022-08-01
      "Android Password Store Reproduction <VolatileDream@users.noreply.github.com>"
# off=0 ctb=85 tag=1 hlen=3 plen=396
:pubkey enc packet: version 3, algo 1, keyid 6E7B4FAC4385056B
    data: [3072 bits]
# off=399 ctb=d2 tag=18 hlen=2 plen=0 partial new-ctb
:encrypted data packet:
    length: unknown
    mdc_method: 2
# off=420 ctb=a3 tag=8 hlen=1 plen=0 indeterminate
:compressed packet: algo=2
# off=422 ctb=ad tag=11 hlen=3 plen=2845
:literal data packet:
    mode b (62), created 1659373837, name="README.md",
    raw data: 2830 bytes
- Notice, still only one (1) encryption key was used: 6E7B4FAC4385056B
> rm README.md.gpg   (cleanup)
- Figure out how to force GPG to encrypt to all subkeys and update password-store/.gpg-id accordingly (Stack Overflow answer: append "!" to each key ID, which tells gpg to use exactly that subkey instead of choosing one for the key)
> echo -e '50D676A945F7873F!\n6E7B4FAC4385056B!\n7F51EC6D028FE1FD!' > password-store/.gpg-id
> echo "this time?" | pass insert -m force-gpg
> gpg --list-packets password-store/force-gpg.gpg
gpg: encrypted with 3072-bit ELG key, ID 7F51EC6D028FE1FD, created 2022-08-01
      "Android Password Store Reproduction <VolatileDream@users.noreply.github.com>"
gpg: encrypted with 3072-bit RSA key, ID 6E7B4FAC4385056B, created 2022-08-01
      "Android Password Store Reproduction <VolatileDream@users.noreply.github.com>"
gpg: encrypted with 3072-bit RSA key, ID 50D676A945F7873F, created 2022-08-01
      "Android Password Store Reproduction <VolatileDream@users.noreply.github.com>"
# off=0 ctb=85 tag=1 hlen=3 plen=396
:pubkey enc packet: version 3, algo 1, keyid 50D676A945F7873F
    data: [3071 bits]
# off=399 ctb=85 tag=1 hlen=3 plen=396
:pubkey enc packet: version 3, algo 1, keyid 6E7B4FAC4385056B
    data: [3071 bits]
# off=798 ctb=85 tag=1 hlen=3 plen=782
:pubkey enc packet: version 3, algo 16, keyid 7F51EC6D028FE1FD
    data: [3071 bits]
    data: [3070 bits]
# off=1583 ctb=d2 tag=18 hlen=2 plen=60 new-ctb
:encrypted data packet:
    length: 60
    mdc_method: 2
# off=1604 ctb=cb tag=11 hlen=2 plen=17 new-ctb
:literal data packet:
    mode b (62), created 1659374308, name="",
    raw data: 11 bytes
- Notice, this time the file is encrypted to all three (3) encryption subkeys (one pubkey enc packet per subkey)
- Add this repo to Android-Password-Store
- Attempt to add a new entry to the repo; Android-Password-Store refuses with:
  Found .gpg-id, but it contains an invalid key ID, fingerprint or user ID
- Look at the GPG identifier parsing code
- Android-Password-Store does not support "!" as a key suffix.
- Android-Password-Store does not support
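As an added example (not code from this page, from pass, or from Android-Password-Store), the following Python module models the two checks the steps above do by hand: parsing `.gpg-id` entries with and without gpg's trailing `!` (which gpg reads as "use exactly this key, do not substitute another subkey"), and reading `gpg --list-packets` output to list which key IDs a file was actually encrypted to, so a store can be audited for files that are missing a recipient. The user-ID grammar is an assumption made for illustration, `allow_exact=False` models a consumer that rejects the suffix, and the two sample packet dumps are constructed from the output shown above.

```python
"""Model of .gpg-id parsing and gpg --list-packets recipient auditing (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Identifier shapes: 8- or 16-hex key ID, 40-hex fingerprint, or a user ID.
# gpg also accepts a trailing "!" on a key ID/fingerprint: "use exactly this key".
_HEX_ID = re.compile(r"^(?:0x)?([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$")
# Assumed user-ID grammar for this example: "Name <addr>" or a bare address.
_USER_ID = re.compile(r"^(?:.+<[^<>@\s]+@[^<>@\s]+>|[^<>@\s]+@[^<>@\s]+)$")
# One public-key encrypted session key (PKESK) packet per recipient.
_PKESK = re.compile(r":pubkey enc packet: version \d+, algo (\d+), keyid ([0-9A-Fa-f]{16})")
_ALGO_NAMES = {1: "RSA", 2: "RSA", 16: "ELG", 18: "ECDH"}  # RFC 4880 section 9.1 IDs


@dataclass(frozen=True)
class GpgIdEntry:
    kind: str    # "keyid", "fingerprint" or "userid"
    value: str   # upper-cased hex for keys, verbatim for user IDs
    exact: bool  # True when the entry carried gpg's "!" suffix


def parse_gpg_id_entry(line: str, allow_exact: bool = True) -> Optional[GpgIdEntry]:
    """Parse one .gpg-id line; blank and '#' lines yield None.

    allow_exact=False models a consumer that does not understand "!" and
    rejects the entry outright, which is the behaviour observed on this page."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    exact = text.endswith("!")
    if exact:
        if not allow_exact:
            raise ValueError(f"unsupported '!' suffix in .gpg-id entry: {text}")
        text = text[:-1].rstrip()
    m = _HEX_ID.match(text)
    if m:
        hexid = m.group(1).upper()
        return GpgIdEntry("fingerprint" if len(hexid) == 40 else "keyid", hexid, exact)
    if exact:  # "!" selects a specific key; it has no meaning after a user ID
        raise ValueError(f"'!' is only valid after a key ID or fingerprint: {line.strip()}")
    if _USER_ID.match(text):
        return GpgIdEntry("userid", text, False)
    raise ValueError(f"invalid key ID, fingerprint or user ID: {text}")


def parse_gpg_id_file(content: str, allow_exact: bool = True) -> List[GpgIdEntry]:
    entries = [parse_gpg_id_entry(l, allow_exact) for l in content.splitlines()]
    return [e for e in entries if e is not None]


def rejects_exact(content: str) -> bool:
    """True when a consumer without "!" support would refuse this .gpg-id file."""
    try:
        parse_gpg_id_file(content, allow_exact=False)
    except ValueError:
        return True
    return False


def recipients_from_list_packets(output: str) -> List[str]:
    """Key IDs of every PKESK packet in a gpg --list-packets dump, in file order."""
    return [m.group(2).upper() for m in _PKESK.finditer(output)]


def recipients_by_algorithm(output: str):
    """(key ID, algorithm name) per PKESK packet."""
    return [(m.group(2).upper(), _ALGO_NAMES.get(int(m.group(1)), f"algo {m.group(1)}"))
            for m in _PKESK.finditer(output)]


def missing_recipients(entries: List[GpgIdEntry], output: str) -> List[str]:
    """Key IDs .gpg-id asked for that have no PKESK packet in the encrypted file.
    A fingerprint's last 16 hex digits are its long key ID, so suffix matching
    covers short IDs, long IDs and fingerprints alike."""
    present = recipients_from_list_packets(output)
    return sorted(e.value for e in entries if e.kind != "userid"
                  and not any(k.endswith(e.value[-16:]) for k in present))


# Constructed samples, taken from the --list-packets output shown on this page.
GPG_ID_FORCED = "50D676A945F7873F!\n6E7B4FAC4385056B!\n7F51EC6D028FE1FD!\n"
LIST_PACKETS_ONE_KEY = """\
# off=0 ctb=85 tag=1 hlen=3 plen=396
:pubkey enc packet: version 3, algo 1, keyid 6E7B4FAC4385056B
\tdata: [3070 bits]
# off=399 ctb=d2 tag=18 hlen=2 plen=57 new-ctb
:encrypted data packet:
\tlength: 57
\tmdc_method: 2
"""
LIST_PACKETS_THREE_KEYS = """\
# off=0 ctb=85 tag=1 hlen=3 plen=396
:pubkey enc packet: version 3, algo 1, keyid 50D676A945F7873F
\tdata: [3071 bits]
# off=399 ctb=85 tag=1 hlen=3 plen=396
:pubkey enc packet: version 3, algo 1, keyid 6E7B4FAC4385056B
\tdata: [3071 bits]
# off=798 ctb=85 tag=1 hlen=3 plen=782
:pubkey enc packet: version 3, algo 16, keyid 7F51EC6D028FE1FD
\tdata: [3071 bits]
\tdata: [3070 bits]
"""

if __name__ == "__main__":
    wanted = parse_gpg_id_file(GPG_ID_FORCED)
    print("rejected without '!' support:", rejects_exact(GPG_ID_FORCED))
    print("one-key file is missing:", missing_recipients(wanted, LIST_PACKETS_ONE_KEY))
    print("three-key file recipients:", recipients_by_algorithm(LIST_PACKETS_THREE_KEYS))
```

To audit a real store, feed `gpg --list-packets <file>.gpg 2>/dev/null` output to `missing_recipients` for every `.gpg` file; any non-empty result is a file that at least one listed subkey (and therefore possibly the Android device) cannot decrypt.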