Fix GetGpgId: walk up from credential path to StoreRoot per GNU Pass behaviour

Copilot · marekzmyslowski · Copilot · commit 29f16b367c81 · 2026-03-03T10:05:05.000Z
Co-authored-by: marekzmyslowski &lt;1062877+marekzmyslowski@users.noreply.github.com&gt;
diff --git a/src/shared/Core.Tests/Interop/Posix/GnuPassCredentialStoreTests.cs b/src/shared/Core.Tests/Interop/Posix/GnuPassCredentialStoreTests.cs
@@ -120,6 +120,56 @@ public void GnuPassCredentialStore_ReadWriteDelete_GpgIdInSubdirectory()
             }
         }
 
+        [PosixFact]
+        public void GnuPassCredentialStore_WriteCredential_MultipleGpgIds_UsesNearestGpgId()
+        {
+            // Verify that when two subdirectories each have their own .gpg-id, encrypting a credential
+            // under one subdirectory uses that subdirectory's GPG identity, not the other one.
+            var fs = new TestFileSystem();
+            var gpg = new TestGpg(fs);
+
+            string homePath = Environment.GetFolderPath(Environment.SpecialFolder.UserProfile);
+            string storePath = Path.Combine(homePath, ".password-store");
+
+            const string personalUserId = "personal@example.com";
+            const string workUserId = "work@example.com";
+
+            // Only register the personal key; if the wrong (work) key is picked, EncryptFile will throw.
+            gpg.GenerateKeys(personalUserId);
+
+            string personalSubDir = Path.Combine(storePath, "personal");
+            string workSubDir = Path.Combine(storePath, "work");
+
+            fs.Directories.Add(storePath);
+            fs.Directories.Add(personalSubDir);
+            fs.Directories.Add(workSubDir);
+            fs.Files[Path.Combine(personalSubDir, ".gpg-id")] = Encoding.UTF8.GetBytes(personalUserId);
+            fs.Files[Path.Combine(workSubDir, ".gpg-id")] = Encoding.UTF8.GetBytes(workUserId);
+
+            // Use "personal" namespace so credentials are stored under storePath/personal/...
+            var collection = new GpgPassCredentialStore(fs, gpg, storePath, "personal");
+
+            string service = $"https://example.com/{Guid.NewGuid():N}";
+            const string userName = "john.doe";
+            const string password = "letmein123"; // [SuppressMessage("Microsoft.Security", "CS001:SecretInline", Justification="Fake credential")]
+
+            try
+            {
+                // Write - should pick personal/.gpg-id (personalUserId), not work/.gpg-id (workUserId)
+                collection.AddOrUpdate(service, userName, password);
+
+                ICredential outCredential = collection.Get(service, userName);
+
+                Assert.NotNull(outCredential);
+                Assert.Equal(userName, outCredential.Account);
+                Assert.Equal(password, outCredential.Password);
+            }
+            finally
+            {
+                collection.Remove(service, userName);
+            }
+        }
+
         private static string InitializePasswordStore(TestFileSystem fs, TestGpg gpg)
         {
             string homePath = Environment.GetFolderPath(Environment.SpecialFolder.UserProfile);
diff --git a/src/shared/Core/Interop/Posix/GpgPassCredentialStore.cs b/src/shared/Core/Interop/Posix/GpgPassCredentialStore.cs
@@ -21,18 +21,30 @@ public GpgPassCredentialStore(IFileSystem fileSystem, IGpg gpg, string storeRoot
 
         protected override string CredentialFileExtension => ".gpg";
 
-        private string GetGpgId()
+        private string GetGpgId(string credentialFullPath)
         {
-            // Search for a .gpg-id file anywhere under the store root.
-            // This handles configurations where .gpg-id is in a subdirectory
-            // (e.g., a git submodule) rather than the store root itself.
-            foreach (string gpgIdPath in FileSystem.EnumerateFiles(StoreRoot, ".gpg-id"))
+            // Walk up from the credential's directory to the store root, looking for a .gpg-id file.
+            // This mimics the behaviour of GNU Pass, which uses the nearest .gpg-id in the directory hierarchy.
+            string dir = Path.GetDirectoryName(credentialFullPath);
+            while (dir != null)
             {
-                using (var stream = FileSystem.OpenFileStream(gpgIdPath, FileMode.Open, FileAccess.Read, FileShare.Read))
-                using (var reader = new StreamReader(stream))
+                string gpgIdPath = Path.Combine(dir, ".gpg-id");
+                if (FileSystem.FileExists(gpgIdPath))
                 {
-                    return reader.ReadLine();
+                    using (var stream = FileSystem.OpenFileStream(gpgIdPath, FileMode.Open, FileAccess.Read, FileShare.Read))
+                    using (var reader = new StreamReader(stream))
+                    {
+                        return reader.ReadLine();
+                    }
                 }
+
+                // Stop after checking the store root
+                if (FileSystem.IsSamePath(dir, StoreRoot))
+                {
+                    break;
+                }
+
+                dir = Path.GetDirectoryName(dir);
             }
 
             throw new Exception($"Cannot find GPG ID in password store at '{StoreRoot}'; run `pass init <gpg-id>` to initialize the store.");
@@ -70,7 +82,7 @@ protected override bool TryDeserializeCredential(string path, out FileCredential
 
         protected override void SerializeCredential(FileCredential credential)
         {
-            string gpgId = GetGpgId();
+            string gpgId = GetGpgId(credential.FullPath);
 
             var sb = new StringBuilder(credential.Password);
             sb.AppendFormat("{1}service={0}{1}", credential.Service, Environment.NewLine);
