From t-passwd at girst.at Fri Apr 5 16:29:56 2024
From: t-passwd at girst.at (Tobias Girstmair)
Date: Fri, 5 Apr 2024 18:29:56 +0200
Subject: A one-liner GPG passphrase prompt?
In-Reply-To:
References: <1406302158.2043431.1709397625690.ref@mail.yahoo.com> <1406302158.2043431.1709397625690@mail.yahoo.com>
Message-ID:

hi all,

recently i wrote the following on this list:

On Sat, Mar 02, 2024 at 06:29:34PM +0100, Tobias Girstmair wrote:
>some time ago, i attempted to write a small shell script
>querying $DISPLAY to switch between the tty and gtk pinentry programs
>on the fly, but that did not work (the environment variable was always
>unset). maybe someone else has a solution to that (i'm fairly sure it
>should be possible - pinentry-gtk-2 falls back to its own curses based
>TUI when needed).

I figured this out, btw.

    ~ % cat .gnupg/gpg-agent.conf
    enable-ssh-support
    pinentry-program /usr/local/bin/pinentry-ttygtk
    ~ % cat /usr/local/bin/pinentry-ttygtk
    #!/bin/sh
    case "$*" in
    *--display*) exec /usr/bin/pinentry-gnome3 "$@" ;;
    *) exec /usr/bin/pinentry-tty "$@" ;;
    esac

this gives me a nice gtk3 based gui when available, and a tiny (non-curses!) cli interface when not (e.g. remotely over ssh).

hope that's useful to someone,
tobi

From asmadeus at codewreck.org Tue Apr 9 12:47:38 2024
From: asmadeus at codewreck.org (Dominique Martinet)
Date: Tue, 9 Apr 2024 21:47:38 +0900
Subject: [PATCH RESENT] init: allow using without gpg-id to reencrypt directory
Message-ID: <20240409124738.161903-1-asmadeus@codewreck.org>

When using gpg groups in .gpg-id (through gpg.conf), it is useful to periodically re-encrypt the whole password store without changing the .gpg-id files in it.

The reencrypt_path helper already expands groups and correctly identifies when group contents changed to only reencrypt on an as-need basis, but the function is not otherwise exposed (except through two mv or cp...) so having this functionality in init would be quite useful.
---
This is a resend of a patch I sent in March last year that got no reply:
https://lists.zx2c4.com/pipermail/password-store/2023-March/004746.html

We're using pass as a team in a shared git and such a command would be useful after we add people to a directory.

Happy to address any feedback as said last time.

 man/pass.1 | 5 +++--
 src/password-store.sh | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/man/pass.1 b/man/pass.1 index a555dcb26bc6..eccb3b7faa9c 100644 --- a/man/pass.1 +++ b/man/pass.1 @@ -58,7 +58,7 @@ password names in .SH COMMANDS .TP -\fBinit\fP [ \fI--path=sub-folder\fP, \fI-p sub-folder\fP ] \fIgpg-id...\fP +\fBinit\fP [ \fI--path=sub-folder\fP, \fI-p sub-folder\fP ] [ \fIgpg-id...\fP ] Initialize new password storage and use .I gpg-id for encryption. Multiple gpg-ids may be specified, in order to encrypt each 
@@ -72,7 +72,8 @@ intervention. If \fI--path\fP or \fI-p\fP is specified, along with an argument, a specific gpg-id or set of gpg-ids is assigned for that specific sub folder of the password store. If only one \fIgpg-id\fP is given, and it is an empty string, then the current \fI.gpg-id\fP file for the specified \fIsub-folder\fP (or root if -unspecified) is removed. +unspecified) is removed. If no \fIgpg-id\fP are given, the directory is reencrypted +without modifying the \fI.gpg-id\fP file. .TP \fBls\fP \fIsubfolder\fP List names of passwords inside the tree at diff --git a/src/password-store.sh b/src/password-store.sh index 22e818fd548a..5415f40faf3a 100755 --- a/src/password-store.sh +++ b/src/password-store.sh @@ -328,7 +328,7 @@ cmd_init() { --) shift; break ;; esac done - [[ $err -ne 0 || $# -lt 1 ]] && die "Usage: $PROGRAM $COMMAND [--path=subfolder,-p subfolder] gpg-id..." + [[ $err -ne 0 ]] && die "Usage: $PROGRAM $COMMAND [--path=subfolder,-p subfolder] gpg-id..." [[ -n $id_path ]] && check_sneaky_paths "$id_path" [[ -n $id_path && ! -d $PREFIX/$id_path && -e $PREFIX/$id_path ]] && die "Error: $PREFIX/$id_path exists but is not a directory." @@ -343,7 +343,7 @@ cmd_init() { git_commit "Deinitialize ${gpg_id}${id_path:+ ($id_path)}." fi rmdir -p "${gpg_id%/*}" 2>/dev/null - else + elif [[ $# -ge 1 ]]; then mkdir -v -p "$PREFIX/$id_path" printf "%s\n" "$@" > "$gpg_id" local id_print="$(printf "%s, " "$@")" -- 2.44.0 From igor at c4llv07e.xyz Tue Apr 16 20:30:13 2024 
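Review bot: in the first src/password-store.sh hunk (cmd_init, @@ -328), the `$# -lt 1` test is dropped but the usage string on the same line still prints `gpg-id...` as if it were mandatory, while the man/pass.1 hunk now documents `[ gpg-id... ]`. Change the die message to `[gpg-id...]` so the error text and the man page agree. The added man page sentence should also read "If no gpg-id is given".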
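Review bot: in the second cmd_init hunk (@@ -343), `local id_print=...` is still assigned only inside the branch that becomes `elif [[ $# -ge 1 ]]`, so on the new no-argument path id_print is empty for anything after the `fi` that uses it. The reencrypt commit message that appears as context in the later --clip patch on this page ("Reencrypt password store using new GPG id ${id_print%, }...") would then name no id. The visible lines also add no check that a .gpg-id file already applies to the target directory when no gpg-id is given; consider reading the ids from the existing file for the message and calling die when none is found.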
From: igor at c4llv07e.xyz (c4llv07e)
Date: Tue, 16 Apr 2024 23:30:13 +0300
Subject: [PATCH 0/2] Add option to use dmenu alternatives in passmenu
Message-ID: <20240416203017.27802-1-igor@c4llv07e.xyz>

I can't use passmenu from my repo because it uses dmenu-wl that I couldn't find. It would be nice to use the more popular wmenu and also give users the ability to select their preferred launcher.

c4llv07e (2):
  Replace `dmenu-wl` with `wmenu` in passmenu script.
  Add environment variables to configure passmenu.

 contrib/dmenu/README.md | 10 ++++++++--
 contrib/dmenu/passmenu | 10 +++++++++-
 2 files changed, 17 insertions(+), 3 deletions(-)

--
2.44.0

From igor at c4llv07e.xyz Tue Apr 16 20:30:14 2024
From: igor at c4llv07e.xyz (c4llv07e)
Date: Tue, 16 Apr 2024 23:30:14 +0300
Subject: [PATCH 1/2] Replace `dmenu-wl` with `wmenu` in passmenu script.
In-Reply-To: <20240416203017.27802-1-igor@c4llv07e.xyz>
References: <20240416203017.27802-1-igor@c4llv07e.xyz>
Message-ID: <20240416203017.27802-2-igor@c4llv07e.xyz>

---
Wmenu is gradually becoming a standard alternative to dmenu on Wayland compositors[1]. Shouldn't it be used in passmenu as well?

This would also make it more accessible, since dmenu-wl can be found in a much smaller number of repositories than wmenu (11 versus 38 packages on repology).

[1] dwl: https://codeberg.org/dwl/dwl/pulls/589
    sway: https://github.com/swaywm/sway/pull/7384

 contrib/dmenu/README.md | 4 ++--
 contrib/dmenu/passmenu | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/contrib/dmenu/README.md b/contrib/dmenu/README.md index 8a196cb..c261023 100644 --- a/contrib/dmenu/README.md +++ b/contrib/dmenu/README.md 
@@ -4,7 +4,7 @@ clipboard without having to open up a terminal window if you don't already have one open. If `--type` is specified, the password is typed using [xdotool][] instead of copied to the clipboard. -On wayland [dmenu-wl][] is used to replace dmenu and [ydotool][] to replace xdotool. +On wayland [wmenu][] is used to replace dmenu and [ydotool][] to replace xdotool. Note that the latter requires access to the [uinput][] device, so you'll probably need to add an extra udev rule or similar to give certain non-root users permission. @@ -15,6 +15,6 @@ need to add an extra udev rule or similar to give certain non-root users permiss [dmenu]: http://tools.suckless.org/dmenu/ [xdotool]: http://www.semicomplete.com/projects/xdotool/ [pass]: http://www.zx2c4.com/projects/password-store/ -[dmenu-wl]: https://github.com/nyyManni/dmenu-wayland +[wmenu]: https://git.sr.ht/~adnano/wmenu [ydotool]: https://github.com/ReimuNotMoe/ydotool [uinput]: https://www.kernel.org/doc/html/v4.12/input/uinput.html diff --git a/contrib/dmenu/passmenu b/contrib/dmenu/passmenu index 76d92ab..e7b6309 100755 --- a/contrib/dmenu/passmenu +++ b/contrib/dmenu/passmenu @@ -9,7 +9,7 @@ if [[ $1 == "--type" ]]; then fi if [[ -n $WAYLAND_DISPLAY ]]; then - dmenu=dmenu-wl + dmenu=wmenu xdotool="ydotool type --file -" elif [[ -n $DISPLAY ]]; then dmenu=dmenu -- 2.44.0 From igor at c4llv07e.xyz Tue Apr 16 20:30:15 2024 
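Review bot: in the contrib/dmenu/passmenu hunk, `dmenu=wmenu` replaces dmenu-wl unconditionally, so a Wayland user who has only dmenu-wl installed loses a working setup after this change. Consider probing instead, using wmenu when `command -v wmenu` succeeds and falling back to dmenu-wl otherwise, and confirm that the dmenu arguments passmenu forwards are accepted by wmenu. The rationale is written below the `---` line, so the commit itself would carry no message body; move that paragraph and the two links above the `---`.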
From: igor at c4llv07e.xyz (c4llv07e)
Date: Tue, 16 Apr 2024 23:30:15 +0300
Subject: [PATCH 2/2] Add environment variables to configure passmenu.
In-Reply-To: <20240416203017.27802-1-igor@c4llv07e.xyz>
References: <20240416203017.27802-1-igor@c4llv07e.xyz>
Message-ID: <20240416203017.27802-3-igor@c4llv07e.xyz>

Passmenu now allows replacing the `dmenu` and `xdotool` executables with the user's choice using the `PASSMENU_DMENU` and `PASSMENU_XDOTOOL` environment variables
---
There are too many dmenu-like launchers on Linux. Let users choose one instead of using the default one.

But it has some problems. I couldn't find a good way to pass arguments through environment variables without using `sh -c` and `eval`. Therefore, users would have to create a custom script in the PATH to customize it.

I couldn't think of better names for these variables. Maybe it should use the `PASS_` namespace, but I don't know.

 contrib/dmenu/README.md | 6 ++++++
 contrib/dmenu/passmenu | 8 ++++++++
 2 files changed, 14 insertions(+)

diff --git a/contrib/dmenu/README.md b/contrib/dmenu/README.md index c261023..bc99547 100644 --- a/contrib/dmenu/README.md +++ b/contrib/dmenu/README.md @@ -12,6 +12,12 @@ need to add an extra udev rule or similar to give certain non-root users permiss passmenu [--type] [dmenu arguments...] +# Configuration + + `PASSMENU_DMENU` - The executable that will be used instead of dmenu. + + `PASSMENU_XDOTOOL` - The executable that will be used to type a password. + [dmenu]: http://tools.suckless.org/dmenu/ [xdotool]: http://www.semicomplete.com/projects/xdotool/ [pass]: http://www.zx2c4.com/projects/password-store/ diff --git a/contrib/dmenu/passmenu b/contrib/dmenu/passmenu index e7b6309..44ebb05 100755 --- a/contrib/dmenu/passmenu +++ b/contrib/dmenu/passmenu 
@@ -19,6 +19,14 @@ else exit 1 fi +if [[ -n ${PASSMENU_DMENU} ]]; then + dmenu=${PASSMENU_DMENU} +fi + +if [[ -n $PASSMENU_XDOTOOL ]]; then + xdotool=${PASSMENU_XDOTOOL} +fi + prefix=${PASSWORD_STORE_DIR-~/.password-store} password_files=( "$prefix"/**/*.gpg ) password_files=( "${password_files[@]#"$prefix"/}" )
--
2.44.0

From casselt at luis.uni-hannover.de Wed Apr 17 15:05:27 2024
From: casselt at luis.uni-hannover.de (Torsten Casselt)
Date: Wed, 17 Apr 2024 17:05:27 +0200
Subject: Large files lead to pipefail
Message-ID: <47dad0b3ae1350bbf59f7a143ca5197f6d04cda3.camel@luis.uni-hannover.de>

Hi,

we found a bug with large files resulting in pipefail. Fix is attached.

Thanks,
Torsten
-------------- next part --------------
A non-text attachment was scrubbed...
Name: large-file-pipefail-fix.patch
Type: text/x-patch
Size: 891 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7679 bytes
Desc: not available
URL:

From aclopte at gmail.com Wed Apr 24 05:47:33 2024
From: aclopte at gmail.com (Johannes Altmanninger)
Date: Wed, 24 Apr 2024 07:47:33 +0200
Subject: Large files lead to pipefail
In-Reply-To: <47dad0b3ae1350bbf59f7a143ca5197f6d04cda3.camel@luis.uni-hannover.de>
References: <47dad0b3ae1350bbf59f7a143ca5197f6d04cda3.camel@luis.uni-hannover.de>
Message-ID:

On Wed, Apr 17, 2024 at 05:05:27PM +0200, Torsten Casselt wrote:
> Hi,
>
> we found a bug with large files resulting in pipefail. Fix is attached.
> diff --git a/src/password-store.sh b/src/password-store.sh > --- a/src/password-store.sh > +++ b/src/password-store.sh 
> @@ -367,7 +367,7 @@ > echo "$pass" | $BASE64 -d > else > [[ $selected_line =~ ^[0-9]+$ ]] || die "Clip location '$selected_line' is not a number." > - pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +${selected_line} | head -n 1)" || exit $? > + pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | cut -d $'\n' -f ${selected_line})" || exit $?

Confirmed that this command sometimes leads to a pipestatus of 141 (SIGPIPE) for "tail":

    bash -c 'seq 10000 | tail -n +10 | head -1; echo pipestatus: ${PIPESTATUS[@]}'

Personally I'd use sed. It's interesting to learn that cut can do this

    pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | sed -n ${selected_line}p)" || exit $?

I also wonder if pipefail really pulls its weight, maybe better to disable it

> [[ -n $pass ]] || die "There is no password to put on the clipboard at line ${selected_line}." > if [[ $clip -eq 1 ]]; then > clip "$pass" "$path"

From casselt at luis.uni-hannover.de Wed Apr 24 10:22:57 2024
From: casselt at luis.uni-hannover.de (Torsten Casselt)
Date: Wed, 24 Apr 2024 12:22:57 +0200
Subject: [extern] Re: Large files lead to pipefail
In-Reply-To:
References: <47dad0b3ae1350bbf59f7a143ca5197f6d04cda3.camel@luis.uni-hannover.de>
Message-ID: <0b30d6b37330c524d9e840b86cfa4005c7ba3bc2.camel@luis.uni-hannover.de>

Hi Johannes,

On Wednesday, 24.04.2024 at 07:47 +0200, Johannes Altmanninger wrote:
> Personally I'd use sed. It's interesting to learn that cut can do this
>
> pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | sed -n
> ${selected_line}p)" || exit $?

cut is slightly faster (even faster than the original tail/head approach), that's why I decided to use cut for this.

Regards
Torsten
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7679 bytes
Desc: not available
URL:

From dnlcrwfrd at gmail.com Wed Apr 24 18:15:03 2024
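Review bot: in the quoted cmd_show hunk (@@ -367), the guard on the line above the change accepts 0 (`^[0-9]+$`), and `cut -f 0` is an error because fields are numbered from 1, so a clip location of 0 now leaves through `|| exit $?` with cut's own message instead of one of the script's die messages. Reject 0 in the guard or handle it explicitly. `cut -d $'\n'` also depends on cut accepting a newline as the field delimiter; the `sed -n ${selected_line}p` form from the reply reads to end of input as well and does not have that dependency.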
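Added example, not part of any message or patch in this thread: the pipefail behaviour discussed in the "Large files lead to pipefail" messages above, reproduced with a constructed stand-in for the gpg output. The names `decrypt_stub`, `pick_tail_head`, `pick_sed` and `try` are hypothetical, and the input size is chosen so the failure is reproducible rather than intermittent.

```bash
#!/usr/bin/env bash
# Added example (not from the thread's patches): selecting line N of a large
# stream under `set -o pipefail`, as password-store.sh does for --clip=N.
set -o pipefail

# Constructed stand-in for `$GPG -d "$passfile"`: prints $1 numbered lines.
decrypt_stub() { seq 1 "$1"; }

# tail | head, as in the removed line of the quoted hunk. head exits after one
# line; tail still has data to write and dies from SIGPIPE (status 141), or
# fails with EPIPE when SIGPIPE is ignored. pipefail then fails the pipeline.
pick_tail_head() {    # $1 = lines in file, $2 = wanted line
    decrypt_stub "$1" | tail -n +"$2" | head -n 1
}

# sed -n Np, as suggested in the reply: prints line N but keeps reading to
# end of input, so no writer upstream ever sees a closed pipe.
pick_sed() {
    decrypt_stub "$1" | sed -n "${2}p"
}

# Run a picker the way the script does (pass="$(...)" || exit $?), but record
# the status in RC instead of exiting. Sets OUT and RC.
try() {
    OUT="$("$@" 2>/dev/null)" && RC=0 || RC=$?
}

# 1,000,000 lines is far more than a pipe buffer holds, so tail is always
# still writing when head exits.
try pick_tail_head 1000000 10
echo "tail|head: line='$OUT' status=$RC"
try pick_sed 1000000 10
echo "sed:       line='$OUT' status=$RC"
```

Both pickers return the right line; only the pipeline status differs, which is what makes `|| exit $?` abort the script in the tail/head case.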
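Review bot: [PATCH 2/2], contrib/dmenu/passmenu hunk (@@ -19,6): both override blocks are placed after the `else ... exit 1` fallback, so PASSMENU_DMENU and PASSMENU_XDOTOOL are never read when neither display variable is set. Move the two `if` blocks above the display detection, or let a set override skip it. The README hunk should also state that the program named by PASSMENU_XDOTOOL is handed the decrypted password, and whether the value may contain arguments: the built-in default shown in patch 1/2 is `xdotool="ydotool type --file -"`, a command with arguments, so the override needs the same documented treatment.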
From: dnlcrwfrd at gmail.com (Dan Crawford)
Date: Wed, 24 Apr 2024 21:15:03 +0300
Subject: [PATCH] Extend --clip/--qrcode to support copying/displaying non-password fields
Message-ID:

Given a passfile of the format

    field1: key1
    field2: key2

one can copy the password with -c1, the second line with -c2, and so on. Copying the second line simply copies the whole line, including the `field: ` section. This renders copying these lines essentially pointless, as the values cannot be pasted as-is into some field. For example, I might have a password for some website, and also an API token, in the same passfile. I want an easy way to copy both values.

This patch extends --clip (and incidentally, --qrcode) to support either copying arbitrary lines (with the existing syntax), or copying the value of some field. Given the above passfile, --clip="field1" or -c"field1" will add `key1` to the clipboard.

Let me know if there are any comments on the implementation or similar.

diff --git a/src/password-store.sh b/src/password-store.sh index 22e818f..5b3e940 100755 --- a/src/password-store.sh +++ b/src/password-store.sh @@ -365,6 +364,16 @@ cmd_init() { git_add_file "$PREFIX/$id_path" "Reencrypt password store using new GPG id ${id_print%, }${id_path:+ ($id_path)}." } +trim() { + # https://stackoverflow.com/a/3352015 + local var="$*" + # remove leading whitespace characters + var="${var#"${var%%[![:space:]]*}"}" + # remove trailing whitespace characters + var="${var%"${var##*[![:space:]]}"}" + printf '%s' "$var" +} + cmd_show() { local opts selected_line clip=0 qrcode=0 opts="$($GETOPT -o q::c:: -l qrcode::,clip:: -n "$PROGRAM" -- "$@")" 
@@ -387,9 +396,27 @@ cmd_show() { pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | $BASE64)" || exit $? echo "$pass" | $BASE64 -d else - [[ $selected_line =~ ^[0-9]+$ ]] || die "Clip location '$selected_line' is not a number." - pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +${selected_line} | head -n 1)" || exit $? - [[ -n $pass ]] || die "There is no password to put on the clipboard at line ${selected_line}." + if [[ "$selected_line" =~ ^[0-9]+$ ]]; then + pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +${selected_line} | head -n 1)" || exit $? + [[ -n $pass ]] || die "There is no password to put on the clipboard at line ${selected_line}." + else + pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile")" + mapfile -t -s 1 <<<"$pass" + found=false + for value in "${MAPFILE[@]}"; do + mapfile -td ": " kv <<<"$value" + key=$(trim "${kv[0]}") + value=$(trim "${kv[1]}") + if [ "$key" == "$selected_line" ]; then + pass="$value" + found=true + fi + done + if [ $found = false ]; then + die "Selected clip '$selected_line' not in passfile." + fi + fi + if [[ $clip -eq 1 ]]; then clip "$pass" "$path" elif [[ $qrcode -eq 1 ]]; then

From minshall at umich.edu Thu Apr 25 05:51:12 2024
From: minshall at umich.edu (Greg Minshall)
Date: Thu, 25 Apr 2024 08:51:12 +0300
Subject: [PATCH] Extend --clip/--qrcode to support copying/displaying non-password fields
In-Reply-To:
References:
Message-ID: <21222.1714024272@archlinux>

Dan,

looks nice, and i could see using your patch. but i'm being maybe petty here:

> Given the above passfile, --clip="field1" or -c"field1" will add
> `key1` to the clipboard.

i would like:
- --clip="field1"
- --clip "field1"
- -c "field1"

to be recognized. i would *not* like
- -c"field1"

to be recognized. (just for my sense of how command line arguments should be written.)

cheers, Greg

From dnlcrwfrd at gmail.com Thu Apr 25 07:30:30 2024
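Review bot: in the cmd_show hunk of the --clip patch (@@ -387), `mapfile -td ": " kv` splits on ":" alone, because mapfile uses only the first character of the -d argument, so a value that itself contains a colon (a URL, a timestamp) is cut at that colon and only `kv[1]` reaches the clipboard. Split once on the first colon instead, for example `key=${value%%:*}` followed by `value=${value#*:}`, then trim both. The new `pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile")"` also lacks the `|| exit $?` that the numeric branch keeps, so a failed decryption is reported as "Selected clip ... not in passfile", and found, key, value and kv should be declared local like the variables at the top of cmd_show.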
From: dnlcrwfrd at gmail.com (Dan Crawford)
Date: Thu, 25 Apr 2024 10:30:30 +0300
Subject: [PATCH] Extend --clip/--qrcode to support copying/displaying non-password fields
In-Reply-To: <21222.1714024272@archlinux>
References: <21222.1714024272@archlinux>
Message-ID:

Thanks. Yes, I actually agree: -c "field" makes more sense. However, getopt mandates that optional arguments always have the form -c"field" --c="field". On the other hand, required arguments can be used as either -c "field" or -c"field". From the man page:

    A simple short option is a '-' followed by a short option character. If the option has a required argument, it may be written directly after the option character or as the next parameter (i.e., separated by whitespace on the command line). If the option has an optional argument, it must be written directly after the option character if present.

I don't think there's a simple way around this --- but of course if anyone has any suggestions that would be great.

Cheers

From minshall at umich.edu Thu Apr 25 13:29:55 2024
From: minshall at umich.edu (Greg Minshall)
Date: Thu, 25 Apr 2024 16:29:55 +0300
Subject: [PATCH] Extend --clip/--qrcode to support copying/displaying non-password fields
In-Reply-To:
References: <21222.1714024272@archlinux>
Message-ID: <39092.1714051795@archlinux>

Dan,

thanks, i'd not noticed that the argument is optional (of course, it is).

my aesthetics would opt for only allowing the long form, either
- --c="field1"
- --c "field1"

but, i see the option you are suggesting is blessed! :)

sorry for the noise.

cheers, Greg