
make sure ubuntu and brew versions of git-secret interoperate, because we've seen a report that they didn't #760

Closed
joshrabinowitz opened this issue Jan 24, 2022 · 21 comments
Labels: build test release (improvements to build, test or release), gnupg-interoperation (changes related to supporting interoperability between gnupg versions), help wanted

Comments

@joshrabinowitz (Collaborator) commented Jan 24, 2022

In #758's changes, @FanchenBao wrote about a current (2022-01-17) interoperability issue between OSX's Brew setup of git-secret and "latest Ubuntu"; he is quoted below:

To be specific, apt-get install gnupg points to version 2.2.20, yet brew install gnupg points to version 2.3.4 (as of 2022-01-17).

Thus a git-secret encrypted file on macOS using the latest gpg installed from brew cannot be decrypted on Ubuntu (e.g. GitHub Actions' latest Ubuntu machine) using the latest gpg installed from apt-get.

The work-around for this specific case is to downgrade gpg on brew with brew install gnupg@2.2.

@joshrabinowitz (Collaborator, Author) commented:

@FanchenBao , what version of Ubuntu are you using?

According to https://packages.ubuntu.com/search?keywords=gnupg , it looks like Ubuntu 21.04 and 21.10 currently use gnupg 2.2.20; 20.04 (the LTS version) uses gnupg 2.2.19

Can anyone replicate that there is an interoperability issue between gnupg on (some) Ubuntu's and brew?

joshrabinowitz added a commit that referenced this issue Jan 24, 2022
* mention bats-core upgrade, fix grammar
* Update CHANGELOG.md
* move info about issue with ubuntu & brew to #760
* rephrase text
* more about interoperability and gnupg versions
@FanchenBao (Contributor) commented:

The Ubuntu I was using was from GitHub Actions' ubuntu-latest, which is 20.04. And I can confirm that the latest gnupg version there is 2.2.19.

@joshrabinowitz (Collaborator, Author) commented Jan 25, 2022

@FanchenBao above you're saying ubuntu-latest installs 2.2.19; in your original text about this (top of issue) you said apt-get install gnupg points to version 2.2.20.

But I'm more concerned with this overall gnupg interoperability issue that surfaces occasionally.

@sobolevn , do you think that we should specifically recommend that people use "matching" versions of gnupg, like perhaps all 2.2.* or 2.3.* ?

@sobolevn (Owner) commented:

Maybe we can even get the gnupg version that was used for encryption and warn the user that their version does not match it?

@FanchenBao (Contributor) commented:

@joshrabinowitz In the doc, I was referring to the most up-to-date Ubuntu, which has gnupg version 2.2.20. I was trying to be more general, not specific to the case of GitHub Actions. Apparently the ubuntu-latest used by GitHub Actions is not the most up-to-date Ubuntu.

@sobolevn I think that is a great idea, as it will produce clear error message when decryption fails due to the mismatch of gnupg version.

@sobolevn (Owner) commented:

I have no idea if this is actually possible 🤔

@sobolevn (Owner) commented Jan 25, 2022

But, even if it is not possible we can write .gitsecret/VERSION file with gpg version.

@FanchenBao (Contributor) commented:

Yes, that will work. I think we can update the VERSION file each time the user runs git secret hide, and verify against VERSION each time the user runs git secret cat or git secret reveal.

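One way the version-recording idea proposed above could be implemented, written here as an added example (shell, since git-secret is a bash tool) that is not git-secret's own code. The file name .gitsecret/VERSION and its "gnupg X.Y.Z" line are assumptions taken from the thread's proposal, not an existing git-secret format; the comparison is on the major.minor series (2.2 vs 2.3), which is the mismatch the thread is about. The version strings used for the demo at the bottom are constructed from the outputs quoted later in this thread, so the block runs without gpg installed; current_gpg_version() is the only function that actually invokes gpg, via git-secret's SECRETS_GPG_COMMAND variable (the env var that selects which gpg binary git-secret runs, defaulting to gpg).

```shell
#!/usr/bin/env bash
# Added example, not part of git-secret: record the gnupg version used at
# `git secret hide` time and check it at `git secret reveal` / `cat` time.
# Assumed layout: <repo>/.gitsecret/VERSION containing "gnupg X.Y.Z".

# Extract "X.Y.Z" from `gpg --version` output, e.g.
# "gpg (GnuPG/MacGPG2) 2.2.34" -> "2.2.34". Only the first line is inspected.
parse_gpg_version() {
  printf '%s\n' "$1" | sed -n '1s/^gpg ([^)]*) \([0-9][0-9.]*\).*$/\1/p'
}

# Reduce "X.Y.Z" to its "X.Y" series ("2.2.34" -> "2.2").
series_of() {
  printf '%s\n' "$1" | cut -d. -f1,2
}

# Exit 0 when both versions are in the same major.minor series.
same_series() {
  [ "$(series_of "$1")" = "$(series_of "$2")" ]
}

# Write the record; $1 = repository directory, $2 = version string.
record_gpg_version() {
  mkdir -p "$1/.gitsecret"
  printf 'gnupg %s\n' "$2" > "$1/.gitsecret/VERSION"
}

# Compare the current gpg version ($2) with the record under $1.
# No record (old repository) is treated as "nothing to check".
# A series mismatch prints a warning and returns 1 so the caller can abort
# before gpg fails with a much less helpful decryption error.
check_gpg_version() {
  recorded=$(awk '$1=="gnupg"{print $2}' "$1/.gitsecret/VERSION" 2>/dev/null) || return 0
  [ -n "$recorded" ] || return 0
  if ! same_series "$recorded" "$2"; then
    printf 'git-secret: secrets were hidden with gnupg %s but this gpg is %s; install a gnupg %s.x\n' \
      "$recorded" "$2" "$(series_of "$recorded")" >&2
    return 1
  fi
  return 0
}

# Version of the gpg binary git-secret would actually run. Uses the
# SECRETS_GPG_COMMAND variable (default "gpg"), so a PATH that still
# resolves to a different gpg, as in the MacGPG2 case later in the thread,
# is caught here rather than at decryption time.
current_gpg_version() {
  parse_gpg_version "$("${SECRETS_GPG_COMMAND:-gpg}" --version 2>/dev/null)"
}

# Demo with constructed inputs (versions quoted in this thread):
# macOS dev box 2.2.34, CI 2.2.19 (same series), brew default 2.3.6 (mismatch).
demo_dir=$(mktemp -d)
record_gpg_version "$demo_dir" "$(parse_gpg_version "gpg (GnuPG/MacGPG2) 2.2.34")"
if check_gpg_version "$demo_dir" 2.2.19; then echo "2.2.19 against 2.2.34: ok"; fi
if check_gpg_version "$demo_dir" 2.3.6; then :; else echo "2.3.6 against 2.2.34: mismatch flagged"; fi
rm -rf "$demo_dir"
```

The check compares only the X.Y series because the thread's observed failure is between 2.2.x and 2.3.x; a stricter exact-version comparison would reject the working 2.2.34-vs-2.2.19 pairing reported later in the thread.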
@sobolevn (Owner) commented:

@FanchenBao do you want to give this a spin? 🙂
PR is very welcome!

@FanchenBao (Contributor) commented Jan 25, 2022

Sure thing.

joshrabinowitz added the gnupg-interoperation label Feb 22, 2022
joshrabinowitz added the help wanted and build test release labels Apr 11, 2022

@dkonopka commented:

This is something really needed, because for users with macOS and CI/CD on Ubuntu there is no way to configure git-secret properly with different versions of gpg.. :(

@joshrabinowitz (Collaborator, Author) commented May 10, 2022

Can you try the workaround specified above, using brew to install a matching version as on Ubuntu?

@dkonopka commented:

@joshrabinowitz it's a tricky thing, because installing git-secret via brew and then installing gnupg@2.2 isn't working for me (even with the older version installed, git-secret is using a newer one), or maybe I don't know how to do it properly :)

@joshrabinowitz (Collaborator, Author) commented:

@dkonopka can you please try uninstalling git-secret and gnupg using brew, then installing gnupg at the desired version from brew, then installing git-secret from brew too? Please let us know if this installs the expected versions and works.

I appreciate this report and feedback, I haven't had a chance to try this on an osx/brew system yet. Thank you!

@dkonopka commented May 13, 2022

@joshrabinowitz sure thing, it helped 🚀 🚀 🚀

brew uninstall git-secret
brew uninstall gpg
brew cleanup
brew install gnupg@2.2
brew install git-secret

brew install git-secret   (10.7s, Fri May 13 15:14:01 2022)
==> Downloading https://ghcr.io/v2/homebrew/core/gnupg/manifests/2.3.6
Already downloaded: /Users/XXX/Library/Caches/Homebrew/downloads/5efa7b8948df6378968f8a8e3f508a1e7948b619ed42edc2f28199396a4169fb--gnupg-2.3.6.bottle_manifest.json
==> Downloading https://ghcr.io/v2/homebrew/core/gnupg/blobs/sha256:fc2af0a
Already downloaded: /Users/XXX/Library/Caches/Homebrew/downloads/02a32ac7b63f3a56dfabc1e993c4a856b3b52ba0fd2f56b6774f6b70d87f18db--gnupg--2.3.6.monterey.bottle.tar.gz
==> Downloading https://ghcr.io/v2/homebrew/core/git-secret/manifests/0.4.0
Already downloaded: /Users/XXX/Library/Caches/Homebrew/downloads/b035a3114609f62609081d5986a65cb4c2d9e63373b4b7e7a1d0883921172b3d--git-secret-0.4.0.bottle_manifest.json
==> Downloading https://ghcr.io/v2/homebrew/core/git-secret/blobs/sha256:67
Already downloaded: /Users/XXX/Library/Caches/Homebrew/downloads/61d00e3ad8f8a44152db154c193913abd9f603f286e8f85c009f703c950ce72e--git-secret--0.4.0.monterey.bottle.tar.gz
==> Installing dependencies for git-secret: gnupg
==> Installing git-secret dependency: gnupg
==> Pouring gnupg--2.3.6.monterey.bottle.tar.gz
Error: The `brew link` step did not complete successfully
The formula built, but is not symlinked into /usr/local
Could not symlink bin/gpg-agent
Target /usr/local/bin/gpg-agent
already exists. You may want to remove it:
  rm '/usr/local/bin/gpg-agent'

To force the link and overwrite all conflicting files:
  brew link --overwrite gnupg

To list all files that would be deleted:
  brew link --overwrite --dry-run gnupg

Possible conflicting files are:
/usr/local/bin/gpg-agent -> /usr/local/MacGPG2/bin/gpg-agent
==> Summary
🍺  /usr/local/Cellar/gnupg/2.3.6: 149 files, 13.3MB
==> Installing git-secret
==> Pouring git-secret--0.4.0.monterey.bottle.tar.gz
🍺  /usr/local/Cellar/git-secret/0.4.0: 20 files, 99.8KB
==> Running `brew cleanup git-secret`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).

and then:

gpg --version

gpg (GnuPG/MacGPG2) 2.2.34
libgcrypt 1.8.9
Copyright (C) 2022 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/XXXXX/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

@joshrabinowitz (Collaborator, Author) commented:

Hm you didn't show uninstalling the latest version of gnupg. Are you sure it wasn't still lingering around?

Also look at the env var that lets you specify a particular path to gpg (I forget the var name right now sorry)

@dkonopka commented:

@joshrabinowitz edited my previous comment, I just properly reinstalled gpg, by adding brew cleanup :)

@joshrabinowitz (Collaborator, Author) commented:

So this is resolved for you? Looks like you're getting 2.2.xx version of gnupg

@dkonopka commented:

@joshrabinowitz yup, it is finally working for me (however versions are a bit different):

MacOS (dev environment):

gpg --version

gpg (GnuPG/MacGPG2) 2.2.34
libgcrypt 1.8.9

Ubuntu (ci environment)

gpg --version

gpg (GnuPG) 2.2.19
libgcrypt 1.8.5

@joshrabinowitz (Collaborator, Author) commented Jun 12, 2022

Closing:
