
Poor setup experience with age: unable to decrypt secrets #2333

Closed
mykter opened this issue Sep 9, 2022 · 10 comments · Fixed by #2347
Labels: bug (Defects), can-not-reproduce (Bug can't be reproduced)

Comments

@mykter

mykter commented Sep 9, 2022

Summary

After setting up a new installation with the age backend, I am unable to decrypt any secrets, with the error:

❌ Decryption failed: open /Users/mykter/.ssh: no such file or directory

Error: failed to retrieve secret "test": failed to decrypt

Indeed, I have no .ssh directory.

Steps To Reproduce

$ brew install gopass
$ gopass setup -crypto age

Interlude to hit, find, and fix #1879

$ gopass insert test
$ gopass show test
<enter password>

Expected behavior

I can decrypt my entries.

Environment

  • OS: macOS Monterey
  • OS version: 21.6.0
  • gopass Version: gopass 1.14.5 go1.19 darwin arm64 <root> - age 1.0.0 - gitfs 2.32.1
  • Installation method: brew

Additional context

I have not installed or used age previously on this machine.

@dominikschulz
Member

I'm afraid I'm not sure what's wrong with your setup. I couldn't reproduce (on Linux).

The error message indicates that it's trying to use your SSH keys. Not sure why.
Maybe a MacOS quirk. I'll try to repro on Mac later.

You might want to enable debug logging and - if it's a test store - share the log with us?

Just set GOPASS_DEBUG_LOG=/some/file/path.log.

$ ./gopass setup -crypto age

   __     _    _ _      _ _   ___   ___
 /'_ '\ /'_'\ ( '_'\  /'_' )/',__)/',__)
( (_) |( (_) )| (_) )( (_| |\__, \\__, \
'\__  |'\___/'| ,__/''\__,_)(____/(____/
( )_) |       | |
 \___/'       (_)

🌟 Welcome to gopass!
🌟 Initializing a new password store ...
🔐 No useable cryptographic keys. Generating new key pair
🧪 Creating cryptographic key pair (age) ...
⚠ Do you want to enter a passphrase? (otherwise we generate one for you) [y/N/q]: y
Enter passphrase for your new keypair: 
Retype passphrase for your new keypair: 
✅ Key pair generated
⚠ 🔐 We need to unlock your newly created private key now! Please enter the passphrase you just generated.
✅ Key pair validated
🔐 Cryptographic keys generated
🌟 Configuring your password store ...
❓ Do you want to add a git remote? [y/N/q]: 
✅ Configuration written to /tmp/gp1/.local/share/gopass/stores/root

$ ./gopass generate test
🚥 Syncing with all remotes ...
[<root>] 
   gitfs pull and push ... Skipped (no remote)
✅ All done
How long should the password be? (q to abort) [24]: 
✅ Password for entry "test" generated
Not printing secrets by default. Use 'gopass show test' to display the password.

$ ./gopass show test
⚠ Parsing is enabled. Use -n to disable.
Secret: test

Uf5XmiezIFEuHqlXtTTsGh6S

@dominikschulz added the can-not-reproduce (Bug can't be reproduced) and bug (Defects) labels Sep 10, 2022
@dominikschulz
Member

@mykter Please provide more information (e.g. your debug log) or we'll have to close this as not-reproducible.

@ghost

ghost commented Sep 23, 2022

@dominikschulz, I'm able to reproduce the issue on Linux. Here is the full bug report:

Steps To Reproduce

export GOPASS_DEBUG=1
export GOPASS_DEBUG_LOG=~/gopass.log
gopass setup --crypto age --storage fs
gopass generate test
gopass show test

Environment

  • OS: Tails 5.4
  • OS version: Linux amnesia 5.10.0-17-amd64 #1 SMP Debian 5.10.136-1 (2022-08-13) x86_64 GNU/Linux
  • gopass Version: gopass 1.14.7 go1.19 linux amd64
  • Installation method: GitHub Releases i.e. downloaded gopass_1.14.7_linux_amd64.deb and extracted to "~/.local/bin", which is in $PATH.

Additional Context

gopass setup --crypto age --storage fs

   __     _    _ _      _ _   ___   ___
 /'_ '\ /'_'\ ( '_'\  /'_' )/',__)/',__)
( (_) |( (_) )| (_) )( (_| |\__, \\__, \
'\__  |'\___/'| ,__/''\__,_)(____/(____/
( )_) |       | |
 \___/'       (_)

🌟 Welcome to gopass!
🌟 Initializing a new password store ...
🔐 No useable cryptographic keys. Generating new key pair
🧪 Creating cryptographic key pair (age) ...
⚠ Do you want to enter a passphrase? (otherwise we generate one for you) [y/N/q]: 
✅ Key pair generated
Passphrase: frays scarcity postal duplex
⚠ You need to remember this very well!
⚠ 🔐 We need to unlock your newly created private key now! Please enter the passphrase you just generated.
✅ Key pair validated
🔐 Cryptographic keys generated
🌟 Configuring your password store ...
✅ Configuration written to /home/amnesia/.local/share/gopass/stores/root

gopass generate test

How long should the password be? (q to abort) [24]: 
✅ Password for entry "test" generated
Not printing secrets by default. Use 'gopass show test' to display the password.

gopass show test

❌ Decryption failed: open /home/amnesia/.ssh: no such file or directory


Error: failed to retrieve secret "test": failed to decrypt

env


I also attached the gopass.log file that was generated during the process. Let me know if you need any additional information.

@dominikschulz
Member

@zptvreqxyeddzdpa Thanks a lot. This should help me to narrow this down a bit and at least provide some possible mitigations. But I'll need a bit to dive through the logs and see how far I can reproduce it.

@dominikschulz
Member

With the debug.log it seems obvious that the implementation assumes that every user has a .ssh directory in their home directory. That's very common but apparently not universally true. I'll relax the check to not make it fail.
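
The behaviour described in this comment, as an added example that is not gopass's own code: a Go helper that scans ~/.ssh for private-key candidates and treats a missing directory as "no SSH-derived identities" instead of a decryption failure, while still reporting other I/O errors (such as permission problems) so real faults are not hidden. The function name and the list of skipped filenames are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// sshIdentityCandidates returns paths under <home>/.ssh that look like
// private keys. A fresh account with no ~/.ssh at all (the situation in
// this issue) is a normal state and yields an empty list; errors other
// than "not exist" (e.g. EACCES) are still returned to the caller.
func sshIdentityCandidates(home string) ([]string, error) {
	dir := filepath.Join(home, ".ssh")
	entries, err := os.ReadDir(dir)
	if errors.Is(err, fs.ErrNotExist) {
		// No directory means no SSH identities, not a failure: the
		// store's native age identity is still usable on its own.
		return nil, nil
	}
	if err != nil {
		return nil, fmt.Errorf("listing %s: %w", dir, err)
	}
	// Assumed skip list: well-known non-key files found in ~/.ssh.
	skip := map[string]bool{"known_hosts": true, "config": true, "authorized_keys": true, "environment": true}
	var keys []string
	for _, e := range entries {
		name := e.Name()
		if e.IsDir() || skip[name] || strings.HasSuffix(name, ".pub") {
			continue
		}
		keys = append(keys, filepath.Join(dir, name))
	}
	return keys, nil
}

func main() {
	home, _ := os.UserHomeDir()
	keys, err := sshIdentityCandidates(home)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%d SSH identity candidate(s) found\n", len(keys))
}
```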

@ghost

ghost commented Sep 23, 2022

@dominikschulz I created empty "~/.ssh" directory and I'm not able to reproduce this bug anymore. For now ignoring lack of "~/.ssh" could be good mitigation, but I think the issue should be resolved at module level i.e. in age itself, so other projects will not face the same issue in future.

dominikschulz added a commit to dominikschulz/gopass that referenced this issue Sep 23, 2022
Fixes gopasspw#2333

RELEASE_NOTES=[BUGFIX] Ignore not-existing .ssh dir

Signed-off-by: Dominik Schulz <[email protected]>
@dominikschulz
Member

I don't think we could blame age here. It's all in our code.

I've now been able to reproduce and verify the fix. Thanks for your help!

@ghost

ghost commented Sep 23, 2022

Isn't gopass using age as a module? If yes, then age should ignore lack of "~/.ssh" directory if it's not essential.

You're welcome. I'm glad you fixed it so fast, thank you.

@dominikschulz
Member

When we started using age it didn't have .ssh handling that was useful for us so we built our own.
Maybe that has changed. TBH I didn't check. Feel free to look at the PR with the fix if you want to know more.

@ghost

ghost commented Sep 23, 2022

Thank you for the clarification.

dominikschulz added a commit that referenced this issue Sep 24, 2022
* age: Ignore not-existing .ssh directory

Fixes #2333

RELEASE_NOTES=[BUGFIX] Ignore not-existing .ssh dir

Signed-off-by: Dominik Schulz <[email protected]>

* Replace racy time dependent test with a properly mocked time.Now one

Signed-off-by: Dominik Schulz <[email protected]>

* Avoid another concurrency issue

Signed-off-by: Dominik Schulz <[email protected]>

Signed-off-by: Dominik Schulz <[email protected]>