removeperson fails, claims there is a secret key #974

Open
gpadres opened this issue Jan 27, 2023 · 7 comments

@gpadres

gpadres commented Jan 27, 2023

When running removeperson, I am getting an error from gpg (see below) stating that the key should be deleted first. But I don't see any keys in my public ring.

What are the steps to reproduce this issue?

On macOS 12.2.1, gpg (GnuPG) 2.4.0, git secret version 0.5.0 with homebrew (/opt/homebrew/bin/git-secret), git version 2.32.1

  1. Get a public key
  2. Add public key to gpg keyring
  3. git secret tell [email protected]
  4. Delete public key from gpg keyring
  5. git secret removeperson [email protected]

What happens?

Error from gpg claiming there is a secret key for [email protected], although neither gpg --list-keys nor gpg --list-secret-keys contains a key for [email protected]

Output terminal:

git secret removeperson [email protected]
gpg: error running '/opt/homebrew/Cellar/gnupg/2.4.0/bin/gpg-agent': exit status 2
gpg: failed to start gpg-agent '/opt/homebrew/Cellar/gnupg/2.4.0/bin/gpg-agent': General error
gpg: can't connect to the gpg-agent: General error
gpg: there is a secret key for public key "[email protected]"!
gpg: use option "--delete-secret-keys" to delete it first.

What were you expecting to happen?

I expected the key to be taken away. For some reason the key is not being removed.

@matzino

matzino commented Feb 3, 2023

+1

@joshrabinowitz
Collaborator

@gpadres @matzino I believe it is complaining about a secret key in the gpg keyring associated with your git-secret repo, not your personal keyring. (The git-secret keyring shouldn't contain any private keys.)

To get gpg to operate on a non-standard keyring (i.e., the one in your repo's .gitsecret directory) you can use the --keyring or --secret-keyring option followed by the path to the keyring file.

@joshrabinowitz
Collaborator

joshrabinowitz commented Feb 27, 2023

Also, you show gpg complaining that you cannot connect to the gpg-agent, which may indicate another type of error.

@gpadres
Author

gpadres commented Mar 28, 2023

@joshrabinowitz I tried deleting the secret keys in the repo's keyring, with no success (it seems gpg has problems with targeting specific keyring files). Either way, I decided to save the secret keys and delete them from the keyring. Afterwards gpg --list-secret-keys is empty (for both the public keyring and the specific repo keyring). Still the same error, "there is a secret key for public key "[email protected]"". So no solution.
I believe gpg complains that it cannot connect to gpg-agent because of the secret key issue. I might be mistaken here, but gpg is working fine otherwise...

@joshrabinowitz
Collaborator

@gpadres What command were you using to try to remove the private key from your repo's key ring?

@gpadres
Author

gpadres commented Mar 29, 2023

@joshrabinowitz gpg --keyring <PATH TO REPOS KEYRING> --delete-secret-keys <KEY ID>
As I wrote, this command deletes the secret key in the personal key ring as well.

@gpadres
Author

gpadres commented Sep 13, 2023

@joshrabinowitz Following up on this one, I think you might be correct that it is a problem with the gpg-agent not starting in the path. For some strange reason, the gpg agent sockets do not appear in the keys subfolder as I believe they should.
I have cloned the repository that holds the secrets on different paths, and in some git secret removeperson works fine, but in others it doesn't. By different paths I mean random folder names, everything else equal; sometimes it works, sometimes it doesn't.
