Fix error handling of credential loading

pkg/secrethub/client.go

@@ -121,11 +121,11 @@ func (i AppInfo) ValidateName() error {
 // If no key credential could be found, a Client is returned that can only be used for unauthenticated routes.
 func NewClient(with ...ClientOption) (*Client, error) {
 	client := &Client{
-		httpClient:              http.NewClient(),
-		repoIndexKeys:           make(map[api.RepoPath]*crypto.SymmetricKey),
-		appInfo:                 []*AppInfo{},
-		defaultPassphraseReader: credentials.FromEnv("SECRETHUB_CREDENTIAL_PASSPHRASE"),
+		httpClient:    http.NewClient(),
+		repoIndexKeys: make(map[api.RepoPath]*crypto.SymmetricKey),
+		appInfo:       []*AppInfo{},
 	}
+
 	err := client.with(with...)
 	if err != nil {
 		return nil, err
@@ -157,10 +157,8 @@ func NewClient(with ...ClientOption) (*Client, error) {
 		}
 
 		err := client.with(WithCredentials(provider))
-		// nolint: staticcheck
 		if err != nil {
-			// TODO: log that default credential was not loaded.
-			// Do go on because we want to allow an unauthenticated client.
+			return nil, err
 		}
 	}
 

pkg/secrethub/credentials/key.go

@@ -85,6 +85,9 @@ func ImportKey(credentialReader, passphraseReader Reader) (Key, error) {
 		if envPassphrase != "" {
 			credential, err := decryptKey([]byte(envPassphrase), encoded)
 			if err != nil {
+				if crypto.IsWrongKey(err) {
+					err = ErrCannotDecryptCredential
+				}
 				return Key{}, fmt.Errorf("decrypting credential with passphrase read from $%s: %v", credentialPassphraseEnvVar, err)
 			}
 			return Key{key: credential}, nil