
Moving (a folder of) secrets from one store to another does not encrypt with the destination store gpg keys #3359

@t4nec0

Description

Having multiple stores with different recipients configured, sometimes copying/moving secrets from one store to another does not re-encrypt the secrets with the destination store gpg keys.

How to reproduce

Having two stores:

  • root - the default gopass store, accessible by only one gpg key (XXXXXXXXXX)
  • gitlab.foo - a (remote, on a github server) store accessible by the key above plus a second one (YYYYYYYYYY)
$ gopass recipients

gopass
├── 0xXXXXXXXXXX
├── gitlab.foo (~/.local/share/gopass/stores/gitlab.foo)
│   ├── 0xXXXXXXXXXX
│   └── 0xYYYYYYYYYY
  1. Create a new secret in root
$ gopass generate bar
  2. Checking the resulting file with gpg -d, the gpg key(s) used are as expected
# result (CORRECT):
====================> ~/.local/share/gopass/stores/root/bar.gpg <===================
gpg: encrypted with rsa4096 key, ID XXXXXXXXXX

  3. Then, I move this secret to the second store, expecting that it is re-encrypted with both gpg keys
$ gopass mv bar gitlab.foo/

# result (WRONG):
====================> ~/.local/share/gopass/stores/gitlab.foo/bar.gpg <===================
gpg: encrypted with rsa4096 key, ID XXXXXXXXXX

  4. By editing the secret it is re-encrypted correctly, giving the expected initial result
$ gopass edit gitlab.foo/bar

# result (CORRECT):
====> ~/.local/share/gopass/stores/gitlab.foo/bar.gpg <====
gpg: encrypted with rsa4096 key, ID YYYYYYYYYY
gpg: encrypted with rsa4096 key, ID XXXXXXXXXX

Funnily enough, this behaviour is not fully consistent. Most of the time I get the results above; however, trying to reproduce it multiple times (also with folders, filenames with spaces in them, etc.), sometimes it works as expected.
I was not able to find a pattern that leads to one result or the other.

Additional test, mixed results

I then moved a new folder foo with three secrets in it from the root store to gitlab.foo. The three resulting secrets got mixed results in the gpg keys used:

$ gopass mv foo/ gitlab.foo/
$ gopass ls -f gitlab.foo 
gitlab.foo/foo/bar
gitlab.foo/foo/bar baz
gitlab.foo/foo/baz quux

# result (MIXED)
====> ~/.local/share/gopass/stores/gitlab.foo/foo/bar.gpg <====
gpg: encrypted with rsa4096 key, ID YYYYYYYYYY
gpg: encrypted with rsa4096 key, ID XXXXXXXXXX
====> ~/.local/share/gopass/stores/gitlab.foo/foo/bar baz.gpg <====
gpg: encrypted with rsa4096 key, ID XXXXXXXXXX
====> ~/.local/share/gopass/stores/gitlab.foo/foo/baz quux.gpg <====
gpg: encrypted with rsa4096 key, ID XXXXXXXXXX

$ gopass mv gitlab.foo/foo/ gitlab.foo/
gitlab.foo/gitlab.foo/foo/bar
gitlab.foo/gitlab.foo/foo/bar baz
gitlab.foo/gitlab.foo/foo/baz quux

Notes

  1. Please note that the above mv command wrongly created a full path in the destination store instead of just copying the contents of the source folder. This has been reported in issue 2912.

Environment

  • OS: Ubuntu 24.04.4 LTS
  • gopass version: gopass 1.16.1 (b2fb8ba9) go1.25.5 linux amd64
  • Installation method: apt (from gopass' repo)
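Added here as an example, not gopass code and not part of the report above: an offline audit of the check the reporter did by hand with gpg -d. It parses the OpenPGP Public-Key Encrypted Session Key packets (RFC 4880, section 5.1) of each .gpg file directly, so it needs no keyring, and compares the key IDs found with the recipients listed in the store's .gpg-id. It assumes .gpg-id holds one recipient per line as a fingerprint or key ID (optionally 0x-prefixed) or an e-mail address; the sample packets, key IDs and .gpg-id contents at the bottom are constructed placeholders.

```python
"""Audit a gopass store offline: which key IDs is each .gpg file actually
encrypted to, and does that cover every recipient listed in .gpg-id?
Added example (not gopass code). Parses PKESK packets (RFC 4880 s5.1) instead
of shelling out to `gpg -d`. Sample data at the bottom is constructed."""
import struct
from pathlib import Path

PKESK_TAG = 1  # Public-Key Encrypted Session Key packet


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    pos, n = 0, len(data)
    while pos < n:
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {pos}")
        pos += 1
        if ctb & 0x40:  # new-format header: 6-bit tag, variable-length body
            tag, body = ctb & 0x3F, bytearray()
            while True:  # loop only continues for partial body lengths
                o1 = data[pos]
                pos += 1
                if o1 < 192:
                    length, partial = o1, False
                elif o1 < 224:
                    length, partial = ((o1 - 192) << 8) + data[pos] + 192, False
                    pos += 1
                elif o1 == 255:
                    length, partial = struct.unpack(">I", data[pos:pos + 4])[0], False
                    pos += 4
                else:
                    length, partial = 1 << (o1 & 0x1F), True
                body += data[pos:pos + length]
                pos += length
                if not partial:
                    break
            yield tag, bytes(body)
        else:  # old-format header: 4-bit tag, 2-bit length type
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:  # indeterminate length: body runs to end of data
                length = n - pos
            else:
                width = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + width], "big")
                pos += width
            yield tag, data[pos:pos + length]
            pos += length


def encrypted_to(data: bytes) -> list:
    """Key IDs (16 hex chars) of every PKESK packet, in file order.
    An all-zero ID means the recipient was hidden (gpg --throw-keyids)."""
    ids = []
    for tag, body in iter_packets(data):
        if tag == PKESK_TAG:
            if len(body) < 10 or body[0] != 3:
                raise ValueError("unsupported PKESK packet version")
            ids.append(body[1:9].hex().upper())
    return ids


def check_recipients(data: bytes, gpg_id_lines: list) -> dict:
    """Compare the key IDs a file is encrypted to with the .gpg-id recipients.
    A fingerprint ends with its 64-bit key ID and a short 32-bit ID is a suffix
    of the long one, so matching is done by suffix in either direction."""
    actual = encrypted_to(data)
    missing, unresolved = [], []
    for rec in gpg_id_lines:
        rec = rec.strip()
        if not rec or rec.startswith("#"):
            continue
        ident = rec[2:].upper() if rec.lower().startswith("0x") else rec.upper()
        if not all(c in "0123456789ABCDEF" for c in ident):
            unresolved.append(rec)  # e-mail style entry: needs a keyring to resolve
        elif not any(kid.endswith(ident) or ident.endswith(kid) for kid in actual):
            missing.append(rec)
    return {"encrypted_to": actual, "missing": missing, "unresolved": unresolved}


def audit_store(store: Path) -> dict:
    """Check every .gpg file under a store against the nearest .gpg-id above it
    (gopass allows a subdirectory to carry its own .gpg-id)."""
    report = {}
    for path in sorted(store.rglob("*.gpg")):
        d = path.parent
        while not (d / ".gpg-id").is_file() and d != store:
            d = d.parent
        gpg_id = d / ".gpg-id"
        recipients = gpg_id.read_text().splitlines() if gpg_id.is_file() else []
        report[str(path.relative_to(store))] = check_recipients(path.read_bytes(), recipients)
    return report


# --- constructed sample data (placeholder key IDs, dummy MPIs) ----------------
def make_pkesk(keyid_hex: str, old_format: bool = False) -> bytes:
    body = b"\x03" + bytes.fromhex(keyid_hex) + b"\x01" + b"\x00\x10\xab\xcd"  # v3, RSA, 16-bit MPI
    if old_format:  # 0x85 = old format, tag 1, two-byte length (what gpg writes for RSA)
        return b"\x85" + struct.pack(">H", len(body)) + body
    return b"\xc1" + bytes([len(body)]) + body  # new format, tag 1, one-byte length

SEIPD = b"\xd2\x05\x01" + b"\x00" * 4  # tag 18 with a dummy 5-byte body
ONE_RECIPIENT = make_pkesk("AAAAAAAAAAAAAAAA", old_format=True) + SEIPD
TWO_RECIPIENTS = make_pkesk("AAAAAAAAAAAAAAAA", old_format=True) + make_pkesk("BBBBBBBBBBBBBBBB") + SEIPD
GPG_ID = ["0xAAAAAAAAAAAAAAAA", "0xBBBBBBBBBBBBBBBB"]  # placeholder .gpg-id of a two-recipient store

if __name__ == "__main__":
    for name, blob in (("bar.gpg after mv", ONE_RECIPIENT), ("bar.gpg after edit", TWO_RECIPIENTS)):
        print(name, check_recipients(blob, GPG_ID))
```

Run `audit_store(Path("~/.local/share/gopass/stores/gitlab.foo").expanduser())` after a move to list every secret whose `missing` entry is non-empty; those are the files that still need `gopass edit` (or a recipient re-encryption) before the second key holder can read them. Where gpg is available, `gpg --list-packets file.gpg` shows the same key IDs in its `:pubkey enc packet:` lines without needing a private key.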
