Allow gnupg key fingerprints for tell and removeperson (#1216)

joshrabinowitz · web-flow · commit 5de8d7176e72 · 2026-03-01T16:13:53.000-05:00
* Allow GPG keys to be specified by fingerprint in addition to email

Add support for identifying GPG keys by fingerprint (8+ hex characters)
in the 'tell' and 'removeperson' commands. Previously, only email
addresses were accepted.

Changes:
- Add _is_gpg_fingerprint() to detect fingerprint vs email input
- Add _check_fingerprint_in_keyring() to verify fingerprint in keyring
- Update _assert_keyring_emails() to handle fingerprint validation
- Update error messages and documentation to mention fingerprints
- Add tests for tell/removeperson with fingerprints
diff --git a/man/man1/git-secret-removeperson.1.md b/man/man1/git-secret-removeperson.1.md
@@ -3,11 +3,11 @@ git-secret-removeperson - removes user's public key from repo keyring.
 
 ## SYNOPSIS
 
-    git secret removeperson <emails>...
+    git secret removeperson <emails or fingerprints>...
 
 
 ## DESCRIPTION
-`git-secret-removeperson` - removes public keys for passed email addresses from repo's `git-secret` keyring.
+`git-secret-removeperson` - removes public keys for passed email addresses or GPG fingerprints from repo's `git-secret` keyring.
 
 This command is used to begin the process of disallowing a user from encrypting and decrypting secrets with `git-secret`.
 
diff --git a/man/man1/git-secret-tell.1.md b/man/man1/git-secret-tell.1.md
@@ -3,7 +3,7 @@ git-secret-tell - adds person who can access private data.
 
 ## SYNOPSIS
 
-    git secret tell [-m] [-d dir] [emails]...
+    git secret tell [-m] [-d dir] [emails or fingerprints]...
 
 
 ## DESCRIPTION
@@ -14,12 +14,14 @@ but will not immediately be able to decrypt existing files, which were encrypted
 Files should be re-encrypted with the new keyring by someone who already has access
 in order for the new user to be able to decrypt the files.
 
-`git-secret tell` works only with email addresses, and will exit with an error if you have
+`git-secret tell` works with email addresses or GPG key fingerprints, and will exit with an error if you have
 multiple keys in your keyring with specified email addresses, or if one of the specified emails
 is already associated with a key in the `git-secret` repo's keyring.
 
 Under the hood, `git-secret-tell` searches in the current user's `gnupg` keyring for public key(s) of passed
-email(s), then imports the corresponding public key(s) into your `git-secret` repo's keyring.
+email(s) or fingerprint(s), then imports the corresponding public key(s) into your `git-secret` repo's keyring.
+
+Fingerprints should be specified as a hex string of 8 or more characters (e.g., full 40-character fingerprints).
 
 Versions of `git-secret tell` after `0.3.2` will warn about keys that are expired, revoked, or otherwise invalid.
 It will also warn if multiple keys are found for a single email address.
diff --git a/src/_utils/_git_secret_tools.sh b/src/_utils/_git_secret_tools.sh
@@ -638,6 +638,37 @@ function _assert_keyring_contains_emails_at_least_once {
 
 
 
+function _is_gpg_fingerprint {
+  # Returns 0 if the input looks like a GPG fingerprint or key ID
+  # (8+ hex characters), 1 otherwise.
+  local input="$1"
+  local clean_input
+  clean_input=$(echo "$input" | tr -d ' ')
+  if [[ "$clean_input" =~ ^[A-Fa-f0-9]{8,}$ ]]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+
+function _check_fingerprint_in_keyring {
+  # Checks if a key matching the given fingerprint exists in the keyring.
+  # Returns 0 if found, 1 if not found.
+  local homedir="$1"
+  local fingerprint="$2"
+
+  local args=()
+  if [[ -n "$homedir" ]]; then
+    args+=( "--homedir" "$homedir" )
+  fi
+
+  # 3>&- closes fd 3 for bats
+  $SECRETS_GPG_COMMAND "${args[@]}" --no-permission-warning --list-keys "$fingerprint" > /dev/null 2>&1 3>&-
+  return $?
+}
+
+
 function _assert_keyring_emails {
   local homedir="$1"
   local keyring_name="$2"
@@ -651,27 +682,40 @@ function _assert_keyring_emails {
   local gpg_uids
   gpg_uids=$(_get_users_in_gpg_keyring "$homedir")
   for email in "${emails[@]}"; do
-    if [[ $email != *"@"* ]]; then
-      _abort "does not appear to be an email: $email"
-    fi
-    local emails_found=0
-    for uid in $gpg_uids; do
-      if [[ "$uid" == "$email" ]]; then
-        emails_found=$((emails_found+1))
-      fi
-    done
-    if [[ $expected -eq 1 ]]; then
-        if [[ $emails_found -eq 0 ]]; then
-          _abort "no key found in gpg $keyring_name for: $email"
-        elif [[ $emails_found -gt 1 ]]; then
-          if [[ $allow_duplicates -ne 1 ]]; then
-            _abort "$emails_found keys found in gpg $keyring_name for: $email"
-          fi
+    if _is_gpg_fingerprint "$email"; then
+      # For fingerprints, check directly with gpg
+      if [[ $expected -eq 1 ]]; then
+        if ! _check_fingerprint_in_keyring "$homedir" "$email"; then
+          _abort "no key found in gpg $keyring_name for fingerprint: $email"
+        fi
+      else
+        if _check_fingerprint_in_keyring "$homedir" "$email"; then
+          _abort "key already exists in gpg $keyring_name for fingerprint: $email"
         fi
+      fi
     else
-        if [[ $emails_found -gt 0 ]]; then
-          _abort "$emails_found keys found in gpg $keyring_name for: $email"
+      if [[ $email != *"@"* ]]; then
+        _abort "does not appear to be an email or fingerprint: $email"
+      fi
+      local emails_found=0
+      for uid in $gpg_uids; do
+        if [[ "$uid" == "$email" ]]; then
+          emails_found=$((emails_found+1))
         fi
+      done
+      if [[ $expected -eq 1 ]]; then
+          if [[ $emails_found -eq 0 ]]; then
+            _abort "no key found in gpg $keyring_name for: $email"
+          elif [[ $emails_found -gt 1 ]]; then
+            if [[ $allow_duplicates -ne 1 ]]; then
+              _abort "$emails_found keys found in gpg $keyring_name for: $email"
+            fi
+          fi
+      else
+          if [[ $emails_found -gt 0 ]]; then
+            _abort "$emails_found keys found in gpg $keyring_name for: $email"
+          fi
+      fi
     fi
 
   done
diff --git a/src/commands/git_secret_removeperson.sh b/src/commands/git_secret_removeperson.sh
@@ -22,7 +22,7 @@ function removeperson {
   local emails=( "$@" )
 
   if [[ ${#emails[@]} -eq 0 ]]; then
-    _abort "at least one email is required for removeperson."
+    _abort "at least one email or fingerprint is required for removeperson."
   fi
   # Getting the local git-secret `gpg` key directory:
   local secrets_dir_keys
diff --git a/src/commands/git_secret_tell.sh b/src/commands/git_secret_tell.sh
@@ -64,7 +64,7 @@ function tell {
   if [[ "${#emails[@]}" -eq 0 ]]; then
     # If after possible addition of git_email, emails are still empty,
     # we should raise an exception.
-    _abort "you must use -m or provide at least one email address."
+    _abort "you must use -m or provide at least one email address or fingerprint."
   fi
 
   local secrets_dir_keys
diff --git a/tests/_test_base.bash b/tests/_test_base.bash
@@ -148,6 +148,17 @@ function get_gpg_fingerprint_by_email {
 }
 
 
+function get_gpg_public_fingerprint_by_email {
+  local email="$1"
+  local fingerprint
+
+  fingerprint=$(_gpgtest --with-fingerprint \
+                         --with-colon \
+                         --list-keys "$email" | gawk "$AWK_GPG_GET_FP")
+  echo "$fingerprint"
+}
+
+
 function install_fixture_key {
   local public_key="$BATS_TMPDIR/public-${1}.key"
 
diff --git a/tests/test_removeperson.bats b/tests/test_removeperson.bats
@@ -111,3 +111,19 @@ function teardown {
   [ "$status" -eq 1 ]
 }
 
+
+@test "run 'removeperson' with fingerprint" {
+  local fingerprint
+  fingerprint=$(get_gpg_public_fingerprint_by_email "$TEST_DEFAULT_USER")
+
+  run git secret removeperson "$fingerprint"
+  [ "$status" -eq 0 ]
+
+  # Testing output:
+  [[ "$output" == *"removed keys"* ]]
+
+  # Then whoknows must return an error with status code 1:
+  run git secret whoknows
+  [ "$status" -eq 1 ]
+}
+
diff --git a/tests/test_tell.bats b/tests/test_tell.bats
@@ -249,3 +249,40 @@ function teardown {
   cd "$current_dir"
   rm -r "$root_dir"
 }
+
+
+@test "run 'tell' with fingerprint" {
+  local fingerprint
+  fingerprint=$(get_gpg_public_fingerprint_by_email "$TEST_DEFAULT_USER")
+
+  run git secret tell -d "$TEST_GPG_HOMEDIR" "$fingerprint"
+  [ "$status" -eq 0 ]
+
+  # Testing that now user is found:
+  run _user_required
+  [ "$status" -eq 0 ]
+
+  # Testing that now user is in the list of people who knows the secret:
+  run git secret whoknows
+  [[ "$output" == *"$TEST_DEFAULT_USER"* ]]
+}
+
+
+@test "run 'tell' with fingerprint on the same key twice" {
+  local fingerprint
+  fingerprint=$(get_gpg_public_fingerprint_by_email "$TEST_DEFAULT_USER")
+
+  # first time should succeed
+  git secret tell -d "$TEST_GPG_HOMEDIR" "$fingerprint"
+
+  # second time should fail because the key is already in the keyring
+  run git secret tell -d "$TEST_GPG_HOMEDIR" "$fingerprint"
+  [ "$status" -ne 0 ]
+}
+
+
+@test "run 'tell' with invalid fingerprint" {
+  # A hex string that doesn't match any key
+  run git secret tell -d "$TEST_GPG_HOMEDIR" "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"
+  [ "$status" -eq 1 ]
+}
