git-ecosystem · marekzmyslowski · Mar 16, 2026 · Feb 27, 2026 · Feb 27, 2026 · Feb 27, 2026
@@ -86,6 +86,40 @@ public void GnuPassCredentialStore_Remove_NotFound_ReturnsFalse()
             Assert.False(result);
         }
 
+        [PosixFact]
+        public void GnuPassCredentialStore_ReadWriteDelete_GpgIdInSubdirectory()
+        {
+            var fs = new TestFileSystem();
+            var gpg = new TestGpg(fs);
+            string storeRoot = InitializePasswordStoreWithGpgIdInSubdirectory(fs, gpg, TestNamespace);
+
+            var collection = new GpgPassCredentialStore(fs, gpg, storeRoot, TestNamespace);
+
+            // Create a service that is guaranteed to be unique
+            string uniqueGuid = Guid.NewGuid().ToString("N");
+            string service = $"https://example.com/{uniqueGuid}";
+            const string userName = "john.doe";
+            const string password = "letmein123"; // [SuppressMessage("Microsoft.Security", "CS001:SecretInline", Justification="Fake credential")]
+
+            try
+            {
+                // Write
+                collection.AddOrUpdate(service, userName, password);
+
+                // Read
+                ICredential outCredential = collection.Get(service, userName);
+
+                Assert.NotNull(outCredential);
+                Assert.Equal(userName, outCredential.Account);
+                Assert.Equal(password, outCredential.Password);
+            }
+            finally
+            {
+                // Ensure we clean up after ourselves even in case of 'get' failures
+                collection.Remove(service, userName);
+            }
+        }
+
         private static string InitializePasswordStore(TestFileSystem fs, TestGpg gpg)
         {
             string homePath = Environment.GetFolderPath(Environment.SpecialFolder.UserProfile);
@@ -102,5 +136,27 @@ private static string InitializePasswordStore(TestFileSystem fs, TestGpg gpg)
 
             return storePath;
         }
+
+        private static string InitializePasswordStoreWithGpgIdInSubdirectory(TestFileSystem fs, TestGpg gpg, string subdirectory)
+        {
+            string homePath = Environment.GetFolderPath(Environment.SpecialFolder.UserProfile);
+            string storePath = Path.Combine(homePath, ".password-store");
+            string userId = "gcm-test@example.com";
+
+            // Place .gpg-id only in the namespace subdirectory (not the store root),
+            // simulating a pass store where the root has no .gpg-id but submodules do.
+            string subDirPath = Path.Combine(storePath, subdirectory);
+            string gpgIdPath = Path.Combine(subDirPath, ".gpg-id");
+
+            // Ensure we have a GPG key for use with testing
+            gpg.GenerateKeys(userId);
+
+            // Init the password store with .gpg-id only in the subdirectory
+            fs.Directories.Add(storePath);
+            fs.Directories.Add(subDirPath);
+            fs.Files[gpgIdPath] = Encoding.UTF8.GetBytes(userId);
+
+            return storePath;
+        }
     }
 }
@@ -291,18 +291,6 @@ private void ValidateGpgPass(out string storeRoot, out string execPath)
                 storeRoot = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), ".password-store");
             }
 
-            // Check we have a GPG ID to sign credential files with
-            string gpgIdFile = Path.Combine(storeRoot, ".gpg-id");
-            if (!_context.FileSystem.FileExists(gpgIdFile))
-            {
-                var format =
-                    "Password store has not been initialized at '{0}'; run `pass init <gpg-id>` to initialize the store.";
-                var message = string.Format(format, storeRoot);
-                _context.Trace2.WriteError(message);
-                throw new Exception(message + Environment.NewLine +
-                                    $"See {Constants.HelpUrls.GcmCredentialStores} for more information."
-                );
-            }
         }
 
         private void ValidateCredentialCache(out string options)

@@ -23,17 +23,19 @@ public GpgPassCredentialStore(IFileSystem fileSystem, IGpg gpg, string storeRoot
 
         private string GetGpgId()
         {
-            string gpgIdPath = Path.Combine(StoreRoot, ".gpg-id");
-            if (!FileSystem.FileExists(gpgIdPath))
+            // Search for a .gpg-id file anywhere under the store root.
+            // This handles configurations where .gpg-id is in a subdirectory
+            // (e.g., a git submodule) rather than the store root itself.
+            foreach (string gpgIdPath in FileSystem.EnumerateFiles(StoreRoot, ".gpg-id"))
             {
-                throw new Exception($"Cannot find GPG ID in '{gpgIdPath}'; password store has not been initialized");
+                using (var stream = FileSystem.OpenFileStream(gpgIdPath, FileMode.Open, FileAccess.Read, FileShare.Read))
+                using (var reader = new StreamReader(stream))
+                {
+                    return reader.ReadLine();
+                }
             }
 
-            using (var stream = FileSystem.OpenFileStream(gpgIdPath, FileMode.Open, FileAccess.Read, FileShare.Read))
-            using (var reader = new StreamReader(stream))
-            {
-                return reader.ReadLine();
-            }
+            throw new Exception($"Cannot find GPG ID in password store at '{StoreRoot}'; run `pass init <gpg-id>` to initialize the store.");
         }
 
         protected override bool TryDeserializeCredential(string path, out FileCredential credential)