gopass sync: Pull and Push the Secret Store
gopass sync pulls and pushes every configured store against its Git remote and re-encrypts entries for the current recipient set.
Because gopass stores are Git repos, a CI runner needs to sync before reading so it has the latest secrets. gopass sync wraps the git pull/push and recipient bookkeeping.
What it does
gopass sync runs git pull then git push for each mounted store and re-encrypts any entries whose GPG recipient set changed. It is the safe way to bring the store up to date rather than raw git commands.
Common usage
gopass sync
# sync only one mounted store
gopass sync --store teamOptions
| Flag | What it does |
|---|---|
| --store <name> | Sync only the named mounted store |
| GNUPGHOME | Directory holding the imported GPG keyring for the runner |
In CI
A runner starts with no store, so clone or restore it and run gopass sync (or a plain git pull) before any gopass show. Provide the Git remote credentials (deploy key or token) and the GPG private key so both the pull and later decryption succeed.
Common errors in CI
"git pull ... Permission denied (publickey)" means the runner lacks credentials for the store remote; add a deploy key or token. A merge conflict aborts the sync; the store must be reconciled. "gpg: decryption failed: No secret key" during re-encryption means the runner GPG key is not among the recipients.