*#136 GnuPG2 2.2 vs 2.1 conflicts in keybox format
## Summary
A new internal public key storage format that avoids forwards compatibility issues between GPG releases. This proposal will keep forwards compatibility with older versions of git-secret.
GPG maintains backwards compatibility but not forwards compatibility. Running a new GPG version can and will upgrade the keyring storage files in a way that is not recognised by older versions of GPG. This is not normally a problem for typical GPG usage. Users only upgrade and rarely downgrade. It is a problem for git-secret as the keyring storage is committed to git and shared between users. Someone using an older version of GPG can no longer open the upgraded keyring file.
git-secret will move away from using the keyring format as shared storage of public keys. Instead it will store public keys as separate files. The export format is stable and forwards compatible. It is normal for GPG users to be running different versions and to exchange keys successfully. Any future bugs that effect git-secret's ability to use the files will affect typical GPG key exchange usage. Such bugs are likely to be fixed by the wider GPG community.
git-secret may need to store and process meta-data about keys to make it efficient to work with keys that are individually stored. It will use the machine-readable ["colon listings format"](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS) for this purpose.
1. Keys will be stored in `~/.gitsecret/keys` in `gpg --armor --export` format. The use of ASCII armour rather than binary format is to make debugging of key issues easier. The filename of the key will be the "64-bit keyid" (field 5 of the `colon listings` format) `<keyid>.pub.gpg`
1. Key meta data will be stored alongside the key file in the `gpg --keyid-format long --with-colons` format. The file name will be `<keyid>.gpg.colon`
1. A "keyring cache" will be created at `~/.gitsecret/cache` and this folder will be added to `.gitignore`. At this location, a public keyring will be maintained on a per user bases and it won't be shared by users.
1. A tombstone marker file with <keyid>`.killed` will be created at `~/.gitsecret/keys` by git-secret-killperson to mark a user as killed.
1. If the told identity isn't listed run `gpg --armor --export` against the users `$HOME` keyring. Run `--keyid-format long --with-colons` of the exported key. The result being two new files `<key-id>.pub.gpg` and `<key-id>.gpg.colon` in `~/.gitsecret/keys`
1. The list of "64-bit keyid"s who are told will be computed from the `.gpg.colon` files. This will be checked against the list of "64-bit keyid"s in the "keyring cache" at `~/.gitsecret/cache`. Any missing keys are imported into the "keyring cache". It is anticipated that `grep` and `gawk` will be sufficient to perform this calculation. The code then runs as before using the "keyring cache".
Backwards compatibility will the old keyring storage approach will be maintained as follows:
1. For each changed command a guard will be added that checks for the existence of the .gitsecret/cache
1. If the folder exists it proceeds as normal.
1. If it does not exist it will report that the repo was initialised by an older version of git-secret and tell the user to run git-secret-migrate
Forwards compatibility with older versions of git-secret will be maintained as follows.
git-secret-hide will:
1. Have a guard that will check for the existence of the old keyring. If it exists it will check it for any new public keys and extract them into the new format prior to running.
git-secret-tell will:
1. Will check for the existence of the old keyring. If it exists it will load the new public key into it.
To maintain forward compatibility the approach requires the existing logic to kept working for a period of time. We can give a deprecated warning if the forwards compatibility logic is running. The warning can be suppressed using a command-line flag.
What is the impact of not doing this? Team members are locked out of secrets when only one other team member upgrades GPG. This can go undetected until the victim needs the secrets in a hurry for production support. Bad things then happen.
