git-secret reveal causes changes to pubring.kbx file - Why?

Question

I'm trying to understand the git-secret workflow.

This was the scenario:

Teammate added my gpg key via git-secret tell and re-encrypted the secret files + pushed them.
I can reveal these files, reencrypt them via git-secret hide and see that after reencryption (hide) that other teammates should be able to access these files because they are listed in git-secret whoknows -> works nicely!

I noticed that just after executing git-secret reveal the pubring.kbx changed. I dont understand why this would be the case. Am i not just decrypting files?

Why would revealing information cause changes to the keyring? Do i need to commit these changes?

score 0 · Accepted Answer · answered Nov 06 '20 at 12:58

We figured different git-secret versions might be the cause of this. When inspecting the kbx file with kbxutils (https://www.gnupg.org/documentation/manuals/gnupg/kbxutil.html) we could see there were only changes to the header - an empty blob was removed. The keys inside were unchanged.

So commiting should be okay and not cause any conflict, but different git-secret versions by other teammates may cause the keyring to be changed again.

git-secret reveal causes changes to pubring.kbx file - Why?

1 Answers1