I try to add passwords to the "pass" password manager. But my attempts fail with "no public key" GPG errors. Why?

Question

I am trying to install Pass: the standard Unix password manager, however, when I try to add passwords to the appliation I get these errors

gpg: Kelly's Passwords: skipped: No public key
gpg: [stdin]: encryption failed: No public key

GPG Public Keys?

When I type in the command gpg --list-keys I get:

/home/khays/.gnupg/pubring.gpg
------------------------------
pub   2048R/64290B2D 2012-11-05
uid                  Kelly Hays <hays.kelly@gmail.com>
sub   2048R/0DF57DA8 2012-11-05

I am a little lost of how to remedy this, any ideas?

Answer 1

How did you create the password store? pass init "Kelly's Passwords"? If so, this is wrong, you should have called pass init 64290B2D.

And if then pass insert foo will fail with:

gpg: fooo: skipped: public key not found
gpg: [stdin]: encryption failed: public key not found

then you have to trust your own key first (gpg --edit-key 64290B2D, trust, 5, save).

Answer 2

With the same indications, if anyone stumbles across this issue, the solution may be bit different. Your pass is using gpg2 instead of gpg, you might have used to generate/manage your keys (or, vice-versa). Verify with:

bash -x $(which pass) insert foo

Answer 3

This is a rollup of the above information as I used it for pass with gpg2 on Kubuntu 20.04 (Ubuntu Linux v 20.04 with KDE desktop)

pass is the Linux CLI password manager.

High Level View: pass requires that you have a public gpg key. gpg is a Linux CLI encryption program. There are several versions. Kubuntu 20.04 uses gpg2 but just calls it "gpg".

You will first have to create a gpg key. Then you pass the key-id to pass as an argument. After which it should work.

Generate the key:

~$ gpg --gen-key

Have a look at your shiny new key:

~$ gpg --list-keys

pub   rsa3072 2022-07-17 [SC] [expires: 2024-07-16]
      YourKey (a bunch of letters and numbers)
uid           [trust-level] yourName <yourAddress@email.com>
sub   rsa3072 2022-07-17 [E] [expires: 2024-07-16]

You have to tell your machine to trust your new key:

gpg --edit-key yourName yourAddress@email.com, trust, 5, save)

(this step actually wasn't necessary for me, because the trust was automatically set to [ultimate] - but doing this step didn't hurt me.)

From this point forward you can move forward with the pass page at: https://www.passwordstore.org/

------ this is what it looked like for me setting up a password for docker in a folder called 'dev' -------------------

Initialize the password store:

~$ pass init yourAddress@email.com
Password store initialized for yourAddress@email.com

Create the password store:

~$ pass insert dev/docker
mkdir: created directory '/home/$USER/.password-store/dev'
Enter password for dev/docker: 
Retype password for dev/docker:

Did I enter the correct password? -

~$ pass dev/docker
thisIsTheWrongPassword!

Remove the wrong password -

~$ pass rm dev/docker
Are you sure you would like to delete dev/docker? [y/N] y
removed '/home/$USER/.password-store/dev/docker.gpg'

Enter the correct password

~$ pass insert dev/docker
mkdir: created directory '/home/$USER/.password-store/dev'
Enter password for dev/docker: 
Retype password for dev/docker:

Check if password is correct second time-

~$ pass dev/docker
doNotExposeYourPasswordOnStackExchange!

I can use pass to login to Docker Hub via CLI

pass dev/docker | login -u myUserName --password-stdin

This pipes the password directly to Docker Hub without printing it to screen.

Answer 4

I got the same error for while, running the bash in debug is helping. ( bash -x ), I then realized that pass had listed a non-existing gpg-key in .password-store/.gpg-id

Answer 5

Remember pass init <gpg-id> used to Initialize new password storage and use gpg-id for encryption. Which you only generate for the first time only.

Whereas pass add <folder/file> is used to add a new password inside the above password storage.

$ pass init tsabunkar (storage-manager should be done first time only)
$ pass add personal/gmail (adding my gmail creds)

Now If you want to add another credential, but rather than :

$ pass add personal/linux

Now again you want to add another credentials, but this time you had used init command instead of add

$ pass init personal/aws/root

but later you realized that option should have been add

$ pass add personal/aws/root

Error Message:

Enter password for personal/aws/root: 
Retype password for personal/aws/root: 
gpg: personal/aws/root: skipped: No public key
gpg: [stdin]: encryption failed: No public key
Password encryption aborted.

I guess now you understand this is because you are referencing to wrong password-store which should have been tsabunkar but not personal/aws/root Therefore to re-referencing back to the correct password-store solves this issue:

$ pass init tsabunkar
$ pass add personal/aws/root

Answer 6

I got the same error, but checking with gpg2 --list-keys gives me

pub   rsa4096/0x12345678 2016-11-22 [SC] [expired: 2018-11-26]

So my solution is to

gpg --edit-key 0x12345678
gpg> expire
...
gpg> save

See https://unix.stackexchange.com/a/177310/14315

If you have to renew subkeys use this:

> e.g. if the subkey whose validity you want to extend is the first listed
> subkey, or if it is the only listed subkey, then the  command would be
> Command> key 1
> this will put a * after the word sub, indicating that this particular
> subkey has been selected. then
> Command> expire
> and follow the prompts.

Source https://lists.gnupg.org/pipermail/gnupg-users/2005-June/026063.html

If you get another error while using expire like:

part of private key missing

Try using gpg2 instead of gpg.