Package: pass
Version: 1.7.4-5
Followup-For: Bug #1016118
X-Debbugs-Cc: eingousef+debb...@rhizogen.es.eu.org

After playing with pass a bit more I think I understand why it
doesn't set the `diff.gpg.*` options for secondary clients.

If I use a custom "team split" pass tree, such as the one used in
https://zwyx.medium.com/multiple-shared-password-stores-with-unix-pass-a4367fc8861,
where different pass repos, with different `.gpg-id`, are put into
subdirs under a single git repo, and a user who only has access to one
of the subdirs tries to run `pass git log -p`, the command will break
when it reaches a commit related to a subdir the user doesn't have
access to.

For example, let's suppose there are two subdirs, `sys/` and `dev/`, with the
gpg key of our user being able to decrypt what's in `dev/`, but not what's in
`sys/`; here's the kind of output we can get:

commit 2244c20708709292b722056c4e9b819d3cf9609f (HEAD -> master, origin/master, origin/HEAD)
Author: joe <j...@example.net>
Date:   Tue Aug 2 13:24:06 2022 +0200

    Add given password for dev/apps/gitlab/root to store.

diff --git a/dev/apps/gitlab/root.gpg b/dev/apps/gitlab/root.gpg
new file mode 100644
index 0000000..4c6396d
--- /dev/null
+++ b/dev/apps/gitlab/root.gpg
@@ -0,0 +1 @@
+gitlab

commit c844ac0bf85a076c037176182b34c90d19b64bef
Author: joe <j...@example.net>
Date:   Tue Aug 2 13:23:27 2022 +0200

    Add given password for sys/apps/awx/awx to store.

diff --git a/sys/apps/awx/awx.gpg b/sys/apps/awx/awx.gpg
new file mode 100644
index 0000000..67426c4
gpg: decryption failed: No secret key
fatal: unable to read files to diff

One workaround would be to have a different .gitattributes file in the
two subdirs, but that would mean every user would have to write their
own set of .gitattributes files on their own local repo.

Another possibility would be to replace the `gpg2 -d --quiet --yes
--compress-algo=none --no-encrypt-to --batch --use-agent` (value of
`diff.gpg.textconv`) by a program which would check if the .gpg file
can be decrypted, show the clear text if it can, and show the encrypted
(binary or armored) data otherwise (but that would display the data in
the `git log -p` output anyway, not the usual "Binary files X and Y
differ" line).
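As an added illustration of that second option (example code, not part of pass or of this bug report), here is a hypothetical textconv wrapper that decrypts when the user's key can, and otherwise prints a single placeholder line instead of aborting the diff; the `PASS_TEXTCONV_DECRYPT` variable and the placeholder wording are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical textconv wrapper for a split pass repo (added example; not from
# pass or the bug report). git invokes it as: <wrapper> <path-to-.gpg-file>
# The decrypt command comes from PASS_TEXTCONV_DECRYPT (assumed variable, so it
# can be swapped); the default mirrors pass's own diff.gpg.textconv value.
: "${PASS_TEXTCONV_DECRYPT:=gpg2 -d --quiet --yes --compress-algo=none --no-encrypt-to --batch --use-agent}"

# Print the plaintext if the key can decrypt the file; otherwise emit one
# placeholder line so `git log -p` continues past commits in subdirs this
# user cannot read, instead of dying with "fatal: unable to read files to
# diff". Ciphertext is never echoed into the diff output.
textconv_or_placeholder() {
    file=$1
    if out=$($PASS_TEXTCONV_DECRYPT "$file" 2>/dev/null); then
        printf '%s\n' "$out"
        return 0
    fi
    printf '[encrypted %s: no usable secret key, diff suppressed]\n' "$file"
    return 0
}

# Run only when executed directly with a path argument (sourcing for tests
# does not trigger it).
if [ "$#" -eq 1 ]; then
    textconv_or_placeholder "$1"
fi
```

Each user would point `diff.gpg.textconv` at this script in their local git config, which keeps the repo-wide `.gitattributes` unchanged.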

Regards,
