Skip to content
Latchkey

gopass sync: Pull and Push the Secret Store

gopass sync pulls and pushes every configured store against its Git remote and re-encrypts entries for the current recipient set.

Because gopass stores are Git repos, a CI runner needs to sync before reading so it has the latest secrets. gopass sync wraps the git pull/push and recipient bookkeeping.

What it does

gopass sync runs git pull then git push for each mounted store and re-encrypts any entries whose GPG recipient set changed. It is the safe way to bring the store up to date rather than raw git commands.

Common usage

Terminal
gopass sync
# sync only one mounted store
gopass sync --store team

Options

FlagWhat it does
--store <name>Sync only the named mounted store
GNUPGHOMEDirectory holding the imported GPG keyring for the runner

In CI

A runner starts with no store, so clone or restore it and run gopass sync (or a plain git pull) before any gopass show. Provide the Git remote credentials (deploy key or token) and the GPG private key so both the pull and later decryption succeed.

Common errors in CI

"git pull ... Permission denied (publickey)" means the runner lacks credentials for the store remote; add a deploy key or token. A merge conflict aborts the sync; the store must be reconciled. "gpg: decryption failed: No secret key" during re-encryption means the runner GPG key is not among the recipients.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →