gopass setup: inconsistent behaviour and merge failure because of "unrelated histories"

[exquisitus]

Summary

Hello, I have some questions on using "gopass setup", firstly to create a store with a remote at location A, and later to initialize a store from a remote (using git) at location B.

Steps To Reproduce

Location A:

  #   I can set up a fresh repository from location A using:
  $ gopass --yes setup --remote [email protected]:cgitsis/secrets.git --create --name "user1" --email "[email protected]"
    🚥 Syncing with all remotes ...
    [<root>]
       gitfs pull and push ... Skipped (no remote)
    ✅ All done
  $  gopass git remote -v
    ⚠ Running 'git remote -v' in /home/christos/.local/share/gopass/stores/root... # BUT: no remote has been added -- why? no error was thrown
  $ rm -rf ~/.local/share/gopass/ ~/.config/gopass/                                # Start again, in interactive mode
  #########################
  $ gopass setup
  .. ❓ Do you want to add a git remote? [y/N/q]: y
    Configuring the git remote ...
  $ gopass git remote -v
    ⚠ Running 'git remote -v' in /home/christos/.local/share/gopass/stores/root...
    origin  [email protected]:cgitsis/secrets.git (fetch)
    origin  [email protected]:cgitsis/secrets.git (push)
  $ cd ~/.local/share/gopass/stores/root/
  $ git log --oneline
    3d04983 (HEAD -> master, origin/master) Add current content of password store
    df4795e Configure git repository for gpg file diff.
  # Now it works
  # I see the repository in the GitLab UI (in the master branch of the above repository) as expected
  # I can insert a key, gopass does its sync

So this is the first question: gopass setup only behaves as expected in interactive mode? otherwise it silently skips adding a remote.

Location B:

  # The real problems start when I try setting up and using the store from another location B
  # I have generated a gpg key there (name "user2" --email "[email protected]")
  Case 1:
    $ gopass setup # (interactive)
    # when asked whether I want to add a remote, I say yes, and give the following: https://cgitsis:[email protected]/cgitsis/secrets.git
      2024/01/22 17:38:51 failed to setup git remote: failed to push to git remote: exit status 1: To https://gitlab.com/cgitsis/secrets.git
       ! [rejected]        master -> master (non-fast-forward)
      error: failed to push some refs to 'https://gitlab.com/cgitsis/secrets.git'
      hint: Updates were rejected because the tip of your current branch is behind
      hint: its remote counterpart. Integrate the remote changes (e.g.
      hint: 'git pull ...') before pushing again.
      hint: See the 'Note about fast-forwards' in 'git push --help' for details.
    # So a remote is added, but the sync fails
    # I think it is because the git pull fails (gopass still tries to push later, without real hope, as I see it)
    # I think git pull fails because it refuses to merge unrelated histories
    $ cd .local/share/gopass/stores/root
    $ git log --oneline
      d297fcc (HEAD -> master) Add current content of password store
      7d56aa2 Configure git repository for gpg file diff.
  Case 2: (setup non-interactive)
    $ gopass --yes setup --remote https://cgitsis:[email protected]/cgitsis/secrets.git --name "User" --email "[email protected]"
    # the gopass store is created locally, but no remote exists: gopass git remote -v returns nothing
    $ gopass git remote add origin https://cgitsis:[email protected]/cgitsis/secrets.git # adds the remote repository manually
    $ gopass sync # fails at git pull, as in Case 1 -- now I will attempt a manual repair
    $ cd .local/share/gopass/stores/root
    $ git branch --set-upstream-to=origin/master master
    $ git pull
      fatal: refusing to merge unrelated histories
    $ git pull --allow-unrelated # attempts to merge, but fails because of conflicts in .gpg-id. Indeed, every copy has one different key in that file
      CONFLICT (add/add): Merge conflict in .gpg-id
      Automatic merge failed; fix conflicts and then commit the result.
    $ edit .gpg-id
      It looks like this
        0x22A8A361FB7D9EAB
        <<<<<<< HEAD
        =======
        0x8FFE9A785748C575
        >>>>>>> 80747492454e30de37c33161125cc19ddac53d01
    $ git add .gpg-id
    $ git commit -m "Fixed conflicting gpg ids"
    $ git pull # Already up to date
    $ git log --oneline # still shows that origin/master is three commits behind HEAD
      b3b65b3 (HEAD -> master) Fixed conflicting gpg ids
      1928f78 Add current content of password store
      c47b8de Configure git repository for gpg file diff.
      3d04983 (origin/master) Add current content of password store
      df4795e Configure git repository for gpg file diff.
    $ gopass sync # succeeds
      🚥 Syncing with all remotes ...
      [<root>]
         gitfs pull and push ... OK (no changes)Do you want to import the public key "0xE3F32B1CA90EDC8B" (Names: [user1 <[email protected]>]) into your keyring? [y/N/q]: y
      Imported public key for 0xE3F32B1CA90EDC8B into Keyring
         done
      ✅ All done
    $ git log --oneline
      b3b65b3 (HEAD -> master, origin/master) Fixed conflicting gpg ids
      1928f78 Add current content of password store
      c47b8de Configure git repository for gpg file diff.
      3d04983 Add current content of password store
      df4795e Configure git repository for gpg file diff.

Expected behavior

So summing up:

• both with the --create option and without it, gopass setup behaves differently when called interactively (it can add a remote) and non-interactively (it silently ignores the remote I give it).
• without the --create option: gopass cannot do its git pull --merge, because git refuses to merge unrelated histories. Of course, git push, gopass sync later fail as well. A manual fix is to perform a git pull --allow-unrelated and then to fix the conflicts manually.

Alternative gopass clone instead of gopass setup

Case 3: (clone instead of setup)

    $ gopass clone https://cgitsis:[email protected]/cgitsis/secrets.git (interactive, needs my name, email)
    this succeeds
      🚶 What is your name? []: user2
      📧 What is your email? []: [email protected]
    $ gopass ls # works and after adding user2 as a recipient at location A, I can also decrypt the passwords
    $ gopass git remote -v
      ⚠ Running 'git remote -v' in /home/randagast/.local/share/gopass/stores/root...
      origin  https://cgitsis:[email protected]/cgitsis/secrets.git (fetch)
      origin  https://cgitsis:[email protected]/cgitsis/secrets.git (push)
    $ git log --oneline
    $ gopass git log --oneline
      ⚠ Running 'git log --oneline' in /home/randagast/.local/share/gopass/stores/root...
      b63b10a (HEAD -> master, origin/master, origin/HEAD) Added Recipient [email protected]
      59dfe3a Added Recipient [email protected]
      ee4e9ce Updated exported Public Keys
      33600c3 Merge branch 'master' of gitlab.com:cgitsis/secrets
      90441db Save secret to key1: Inserted user supplied password
      b3b65b3 Fixed conflicting gpg ids
      1928f78 Add current content of password store
      c47b8de Configure git repository for gpg file diff.
      3d04983 Add current content of password store
      df4795e Configure git repository for gpg file diff.

gopass clone seems to work better for my use case, but it always requires interactive input, and some extra manual steps to add user2 as a recipient, if I understand correctly.

Environment on both locations

• OS: Debian 12
• gopass Version: gopass 1.15.11 go1.21.4 linux amd64
• Installation method: DEB from https://packages.gopass.pw/repos/gopass

[dominikschulz]

That's a number of different issues. Let me start with the first one: gopass setup ignoring --remote.
That should work, let me try to fix that and then look at the other issues.

[dominikschulz]

I think for your use-case you should use gopass clone but if that requires interactive input and the fact that gopass setup do not provide a hint to use gopass clone (at least) are issues I'd want to fix.