sops-install-secrets: also write out pubring to make gnupg happy

pkgs/sops-install-secrets/main.go

@@ -605,11 +605,20 @@ func pruneGenerations(secretsMountPoint, secretsDir string, keepGenerations int)
 
 func importSSHKeys(logcfg loggingConfig, keyPaths []string, gpgHome string) error {
 	secringPath := filepath.Join(gpgHome, "secring.gpg")
+	pubringPath := filepath.Join(gpgHome, "pubring.gpg")
 
 	secring, err := os.OpenFile(secringPath, os.O_WRONLY|os.O_CREATE, 0o600)
 	if err != nil {
 		return fmt.Errorf("Cannot create %s: %w", secringPath, err)
 	}
+	defer secring.Close()
+
+	pubring, err := os.OpenFile(pubringPath, os.O_WRONLY|os.O_CREATE, 0o600)
+	if err != nil {
+		return fmt.Errorf("Cannot create %s: %w", pubringPath, err)
+	}
+	defer pubring.Close()
+
 	for _, p := range keyPaths {
 		sshKey, err := os.ReadFile(p)
 		if err != nil {
@@ -627,6 +636,11 @@ func importSSHKeys(logcfg loggingConfig, keyPaths []string, gpgHome string) erro
 			continue
 		}
 
+		if err := gpgKey.Serialize(pubring); err != nil {
+			fmt.Fprintf(os.Stderr, "Cannot write pubring: %s\n", err)
+			continue
+		}
+
 		if logcfg.KeyImport {
 			fmt.Printf("%s: Imported %s as GPG key with fingerprint %s\n", path.Base(os.Args[0]), p, hex.EncodeToString(gpgKey.PrimaryKey.Fingerprint[:]))
 		}