diff --git a/bin/update_sops.sh b/bin/update_sops.sh
index 0f61109..f7df50d 100755
--- a/bin/update_sops.sh
+++ b/bin/update_sops.sh
@@ -57,6 +57,7 @@ function fn_sops_generate_config(){
 # sops.yaml doc: https://github.com/getsops/sops?tab=readme-ov-file#using-sops-yaml-conf-to-select-kms-pgp-and-age-for-new-files
 # CAVEAT: dirty hacks, as DRY as feasible within bash
+ >&2 echo "# RUN: generate SOPS config"
 # hack: 2D list workaround, i.e. difficult to have list-of-lists
 fpr_list=()
 uid_list=()
@@ -107,6 +108,7 @@ fn_sops_updatekeys_and_verify(){
 test -e "${sops_enc_file}" || exit 1
 # "update the keys of SOPS files using the config file"
+ >&2 echo "# RUN: sops updatekeys ${sops_enc_file}"
 sops updatekeys "${sops_enc_file}"
 # verify: dump secrets, GPG_TTY src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/
@@ -212,7 +214,8 @@ function main(){
 if [[ "${#secrets_file_list[@]}" != "0" ]]; then
 # import keys
 pushd "${keyfiles_dir}" > /dev/null 2>&1
- gpg --import *.gpg.pub
+ >&2 echo "# RUN: gpg --import *.gpg.pub"
+ gpg_out="$(gpg --import *.gpg.pub 2>&1)"
 popd > /dev/null 2>&1
 # update
 for secrets_file in "${secrets_file_list[@]}"; do
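Review bot: The new `gpg_out="$(gpg --import *.gpg.pub 2>&1)"` line in main() captures both output streams of the key import, and nothing in this hunk prints or checks the result, so a failed or partial import and the list of keys that entered the keyring are no longer visible to the operator. Those keys presumably become SOPS recipients through the later `sops updatekeys`, so I would fail loudly and keep the output on error: `gpg_out="$(gpg --import -- *.gpg.pub 2>&1)" || { >&2 echo "${gpg_out}"; exit 1; }`. The `--` keeps a file name that starts with `-` from being read as a gpg option, and `gpg_out` should be declared `local` if it is not already. main() continues outside the hunk, so `gpg_out` may be consumed further down.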