[pass] New version with new features

Matthew King mking at monnsta.net
Sat Dec 7 22:20:42 CET 2013


I feel really bad about writing a new version of pass, but I just kept on
hacking and it sort of happened. I emailed Jason before uploading this to
github but I got bored and hacked on it some more so I feel like I
shouldn't keep it to myself any more as I've not heard back from him.

It takes basically the same filesystem structure as pass (the gpg key is
now stored in .keyids) and the command-line interface should be compatible,
but it changes the gpg interaction to add new features:

- Multiple destination keys. The keys to encrypt to can be set on a
  (recursively) per-directory and per-password level, and on the command-line.
- Thorough audit trail (optional).
- Signable passwords (still quite hacky and entirely unused).
- Git made entirely optional.
- Splittable into API and CLI.
- Insert/get/edit/delete multiple keys in one invocation.
- Pretty-print output. If each password requested is a YAML document,
  multiple passwords are returned as a YAML stream.

I have already used these features to add a key to my password store
locally:

laptop$ echo $TESTSERVER_GNUPG_KEYID > $PASSWORD_STORE_DIR/server/test/.keyids
laptop$ pass generate server/test/root
<doesn't echo without -e|--echo>

Distribute it normally through git

(...actually I just used scp...)

And read it on the new server, with its gpg key:

test# pass show server/test/root
<server's gpg key has no passphrase>
UzjzmmkiLSa1

And on my laptop, as me:

laptop$ pass show server/test/root
<gpg agent asks for my passphrase>
UzjzmmkiLSa1


With all that, however, it is a far less tested and documented project
(it's less than a week old), there are features I have yet to implement
(especially portability), and I have already noticed more bugs pass has
already fixed. I'm definitely not recommending people use another-pass
until it is more thoroughly vetted, but perhaps as a proof-of-concept.

It's available on github at https://github.com/ChoHag/another-pass.

As for forking, development, licensing, etc., as far as I'm concerned what
I've written is licensed under the WTFPL 2. It's code, you can do what you
like with it. Effectively this means that for inclusion in pass it can be
licensed under the GPL2, and I'm not making any claim to any code which
isn't mine. pass's source code was open in the other terminal while I was
writing another-pass. No doubt ideas leaked. So that's licensing over.

I have no desire to replace the work done by the pass developers. There's a
reason why I copied *this* project. My original plan was to write the new
features and import them into the existing pass but by the time I realised
what I had it was mostly finished (as far as the overall shape) so I just
carried on. I have plans personally to make a password manager with all the
features I need, mostly what's listed in the project's README & TODO files,
though I will do whatever I can to accommodate the wishes of this project -
you, in short, were here first.

Thanks, and sorry!

Matthew
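
Added example, not part of the original post and not code from pass or another-pass: a small audit of which key IDs each entry in a store would be readable by when .keyids files are set per directory. It assumes the nearest .keyids at or above an entry's directory applies, one key ID per line, and that entries are *.gpg files as in pass; the function names are hypothetical and per-password overrides are not modelled.

```shell
#!/usr/bin/env bash
# Added illustration; not code from pass or another-pass.
# ASSUMPTIONS: the nearest .keyids at or above an entry's directory applies,
# it holds one key ID per line, and entries are stored as <name>.gpg.

# keyids_for STORE ENTRY -> prints the key IDs that would apply to ENTRY
keyids_for() {
    local store="${1%/}" entry="$2" dir
    case "/$entry/" in
        */../*) echo "refusing path with '..': $entry" >&2; return 2 ;;
    esac
    dir="$store/$(dirname -- "$entry")"
    dir="${dir%/.}"                      # entry directly under the store root
    while :; do
        if [ -f "$dir/.keyids" ]; then
            grep -v '^[[:space:]]*$' "$dir/.keyids" || true   # skip blank lines
            return 0
        fi
        [ "$dir" = "$store" ] && break   # never look above the store root
        dir="${dir%/*}"
    done
    echo "no .keyids found for $entry" >&2
    return 1
}

# audit_store STORE -> one "entry<TAB>keyid,keyid" line per entry, so a
# reviewer can see at a glance which keys can decrypt which password.
audit_store() {
    local store="${1%/}" file entry ids
    find "$store" -type f -name '*.gpg' | sort | while IFS= read -r file; do
        entry="${file#"$store"/}"
        entry="${entry%.gpg}"
        ids="$(keyids_for "$store" "$entry" 2>/dev/null | paste -sd, -)"
        [ -n "$ids" ] || ids="NONE"      # flag entries with no recipients
        printf '%s\t%s\n' "$entry" "$ids"
    done
}
```

Running audit_store before and after adding a .keyids file shows exactly which entries gain a new reader, such as the test server's passphrase-less key in the session above.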