[pass] Append --no-secmem-warning?

Jason A. Donenfeld Jason at zx2c4.com
Wed May 14 00:10:13 CEST 2014


Milki suggests we add this option to GPG_OPTS.

       --no-secmem-warning
              Suppress the warning about "using insecure memory".

It would make the output more consistent, and make reencryption work on
FreeBSD.

Thoughts?


Forwarded conversation
Subject: I've made pass bsd friendly
------------------------

From: *milki* <milki at freebsd.org>
Date: Mon, May 5, 2014 at 6:33 AM
To: "Jason A. Donenfeld" <Jason at zx2c4.com>


The sysutils/tree 1.7.0 patch has been submitted and is awaiting
approval.

These re-encryption tests don't pass on FreeBSD from master:


ok 1 - Setup initial key and git
not ok 2 - Root key encryption
#
#               "$PASS" insert -e folder/cred1 <<<"$INITIAL_PASSWORD" &&
#               [[ $(canonicalize_gpg_keys "$KEY1") == "$(gpg_keys_from_encrypted_file "$PASSWORD_STORE_DIR/folder/cred1.gpg")" ]]
#
not ok 3 - Reencryption root single key
#
#               "$PASS" init $KEY2 &&
#               [[ $(canonicalize_gpg_keys "$KEY2") == "$(gpg_keys_from_encrypted_file "$PASSWORD_STORE_DIR/folder/cred1.gpg")" ]]
#
not ok 4 - Reencryption root multiple key
#
#               "$PASS" init $KEY2 $KEY3 $KEY1 &&
#               [[ $(canonicalize_gpg_keys $KEY2 $KEY3 $KEY1) == "$(gpg_keys_from_encrypted_file "$PASSWORD_STORE_DIR/folder/cred1.gpg")" ]]
#
not ok 5 - Reencryption root multiple key with string
#
#               "$PASS" init $KEY2 $KEY3 $KEY1 "pass test key 4" &&
#               [[ $(canonicalize_gpg_keys $KEY2 $KEY3 $KEY1 $KEY4) == "$(gpg_keys_from_encrypted_file "$PASSWORD_STORE_DIR/folder/cred1.gpg")" ]]
#
not ok 6 - Reencryption root group
#
#               "$PASS" init group1 &&
#               [[ $(gpg_keys_from_group group1) == "$(gpg_keys_from_encrypted_file "$PASSWORD_STORE_DIR/folder/cred1.gpg")" ]]
#
not ok 7 - Reencryption root group with spaces
#
#               "$PASS" init "big group" &&
#               [[ $(gpg_keys_from_group "big group") == "$(gpg_keys_from_encrypted_file "$PASSWORD_STORE_DIR/folder/cred1.gpg")" ]]
#
not ok 8 - Reencryption root group with spaces and other keys
#
#               "$PASS" init "big group" $KEY3 $KEY1 $KEY2 &&
#               [[ $(canonicalize_gpg_keys $KEY3 $KEY1 $KEY2 $(gpg_keys_from_group "big group")) == "$(gpg_keys_from_encrypted_file "$PASSWORD_STORE_DIR/folder/cred1.gpg")" ]]
#
not ok 9 - Reencryption root group and other keys
#
#               "$PASS" init group2 $KEY3 $KEY1 $KEY2 &&
#               [[ $(canonicalize_gpg_keys $KEY3 $KEY1 $KEY2 $(gpg_keys_from_group group2)) == "$(gpg_keys_from_encrypted_file "$PASSWORD_STORE_DIR/folder/cred1.gpg")" ]]
#
not ok 10 - Reencryption root group to identical individual with no file change
#
#               oldfile="$SHARNESS_TRASH_DIRECTORY/$RANDOM.$RANDOM.$RANDOM.$RANDOM.$RANDOM" &&
#               "$PASS" init group1 &&
#               cp "$PASSWORD_STORE_DIR/folder/cred1.gpg" "$oldfile" &&
#               "$PASS" init $KEY4 $KEY2 &&
#               test_cmp "$PASSWORD_STORE_DIR/folder/cred1.gpg" "$oldfile"
#
not ok 11 - Reencryption subfolder multiple keys, copy
#
#               "$PASS" init -p anotherfolder $KEY3 $KEY1 &&
#               "$PASS" cp folder/cred1 anotherfolder/ &&
#               [[ $(canonicalize_gpg_keys $KEY1 $KEY3) == "$(gpg_keys_from_encrypted_file "$PASSWORD_STORE_DIR/anotherfolder/cred1.gpg")" ]]
#
not ok 12 - Reencryption subfolder multiple keys, move, deinit
#
#               "$PASS" init -p anotherfolder2 $KEY3 $KEY4 $KEY2 &&
#               "$PASS" mv -f anotherfolder anotherfolder2/ &&
#               [[ $(canonicalize_gpg_keys $KEY1 $KEY3) == "$(gpg_keys_from_encrypted_file "$PASSWORD_STORE_DIR/anotherfolder2/anotherfolder/cred1.gpg")" ]] &&
#               "$PASS" init -p anotherfolder2/anotherfolder "" &&
#               [[ $(canonicalize_gpg_keys $KEY3 $KEY4 $KEY2) == "$(gpg_keys_from_encrypted_file "$PASSWORD_STORE_DIR/anotherfolder2/anotherfolder/cred1.gpg")" ]]
#
ok 13 - Password lived through all transformations
ok 14 - Git picked up all changes throughout
# failed 11 among 14 test(s)


--
milki

----------
From: *Jason A. Donenfeld* <Jason at zx2c4.com>
Date: Mon, May 5, 2014 at 1:33 PM
To: milki <milki at freebsd.org>





On Mon, May 5, 2014 at 6:33 AM, milki <milki at freebsd.org> wrote:
>
>
> These re-encryption tests don't pass on FreeBSD from master:


Could you run:

gmake test PASS_TEST_OPTS=-v

And send me the output of that?

----------
From: *milki* <milki at freebsd.org>
Date: Mon, May 5, 2014 at 5:54 PM
To: "Jason A. Donenfeld" <Jason at zx2c4.com>


On 13:33 Mon 05 May     , Jason A. Donenfeld wrote:
> Could you run:
>
> gmake test PASS_TEST_OPTS=-v
>
> And send me the output of that?

Attached.

--
milki

----------
From: *Jason A. Donenfeld* <Jason at zx2c4.com>
Date: Tue, May 6, 2014 at 5:44 PM
To: milki <milki at freebsd.org>


I can't seem to reproduce:


[zx2c4 at freebsdvm ~]$ uname -a
FreeBSD freebsdvm 10.0-RELEASE-p1 FreeBSD 10.0-RELEASE-p1 #0: Tue Apr  8 06:45:06 UTC 2014     root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
[zx2c4 at freebsdvm ~]$ bash --version
GNU bash, version 4.3.11(2)-release (amd64-portbld-freebsd10.0)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
[zx2c4 at freebsdvm ~]$ gpg --version
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ?, ?
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

[zx2c4 at freebsdvm ~]$ git clone git://git.zx2c4.com/password-store
Cloning into 'password-store'...
remote: Counting objects: 1537, done.
remote: Compressing objects: 100% (1376/1376), done.
remote: Total 1537 (delta 851), reused 195 (delta 115)
Receiving objects: 100% (1537/1537), 271.90 KiB | 0 bytes/s, done.
Resolving deltas: 100% (851/851), done.
Checking connectivity... done.


[zx2c4 at freebsdvm ~]$ cd password-store/
[zx2c4 at freebsdvm ~/password-store]$ gmake test
ok 1 - Make sure we can run pass
ok 2 - Make sure we can initialize our test store
# passed all 2 test(s)
1..2
ok 1 - Test "generate" command
ok 2 - Test replacement of first line
# passed all 2 test(s)
1..2
ok 1 - Test "show" command
ok 2 - Test "show" command with spaces
ok 3 - Test "show" of nonexistant password
# passed all 3 test(s)
1..3
ok 1 - Basic move command
ok 2 - Directory creation
ok 3 - Directory creation with file rename and empty directory removal
ok 4 - Directory rename
ok 5 - Directory move into new directory
ok 6 - Multi-directory creation and multi-directory empty removal
ok 7 - Password made it until the end
ok 8 - Git is consistent
# passed all 8 test(s)
1..8
ok 1 - Test "rm" command
ok 2 - Test "rm" command with spaces
ok 3 - Test "rm" of non-existent password
# passed all 3 test(s)
1..3
ok 1 - Test "insert" command
# passed all 1 test(s)
1..1
ok 1 - Test "edit" command
# passed all 1 test(s)
1..1

ok 1 - Setup initial key and git
ok 2 - Root key encryption
ok 3 - Reencryption root single key
ok 4 - Reencryption root multiple key
ok 5 - Reencryption root multiple key with string
ok 6 - Reencryption root group
ok 7 - Reencryption root group with spaces
ok 8 - Reencryption root group with spaces and other keys
ok 9 - Reencryption root group and other keys
ok 10 - Reencryption root group to identical individual with no file change
ok 11 - Reencryption subfolder multiple keys, copy
ok 12 - Reencryption subfolder multiple keys, move, deinit
ok 13 - Password lived through all transformations
ok 14 - Git picked up all changes throughout
# passed all 14 test(s)
1..14
ok 1 - Make sure grep prints normal lines
# passed all 1 test(s)
1..1
ok 1 - Make sure find resolves correct files
# passed all 1 test(s)
1..1



I can also confirm the non-broken behavior in gpg1:

[zx2c4 at freebsdvm ~/password-store]$ gpg --version
gpg (GnuPG) 1.4.16
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2



----------
From: *milki* <milki at rescomp.berkeley.edu>
Date: Sat, May 10, 2014 at 6:56 AM
To: "Jason A. Donenfeld" <Jason at zx2c4.com>
Cc: milki <milki at freebsd.org>


On 17:44 Tue 06 May     , Jason A. Donenfeld wrote:
> I can't seem to reproduce:
>
>
> [zx2c4 at freebsdvm ~]$ uname -a
> FreeBSD freebsdvm 10.0-RELEASE-p1 FreeBSD 10.0-RELEASE-p1 #0: Tue Apr  8 06:45:06 UTC 2014

I'm on 8.4-RELEASE and 9.2-RELEASE

>
> This is free software; you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> *[zx2c4 at freebsdvm ~]$ gpg --version*
> gpg (GnuPG) 2.0.22
> libgcrypt 1.5.3

Same versions as well, but my output seems different. After sort,
there's an extra newline. I've attached the patch I needed to make the
test suite pass. There must be a discrepancy somewhere.

--
milki

----------
From: *Jason A. Donenfeld* <Jason at zx2c4.com>
Date: Sat, May 10, 2014 at 6:08 PM
To: milki <milki at rescomp.berkeley.edu>
Cc: milki <milki at freebsd.org>


I don't understand why this fixes anything. The following script behaves
the same way on GNU and on FreeBSD 9.2-RELEASE.

Can you make a simple test case of how behavior differs on GNU and on old
FreeBSD, and show a compatible fix?

zx2c4 at thinkpad ~ $ cat bsd-sorting.sh
#!/bin/sh
# Push the same word list, duplicates included, through three dedup
# pipelines; compare the output on GNU and on BSD userland.

echo "== sort -u =="
printf 'millsite\nsubterraneously\ntetrakaidecahedron\nsegregational\nentozoology\nsegregational\nPhilanthus\nPhilanthus\nsegregational\ncelestite\navicolous\ncelestite\nentozoology\nunridiculed\nsegregational\nPhilanthus\nantonym\ntheanthropical\nprotransfer\nsegregational\nprotransfer\nsubterraneously\ntetrakaidecahedron\nultraenthusiastic\nantonym\n' | sort -u
echo

echo "== sort | uniq =="
printf 'millsite\nsubterraneously\ntetrakaidecahedron\nsegregational\nentozoology\nsegregational\nPhilanthus\nPhilanthus\nsegregational\ncelestite\navicolous\ncelestite\nentozoology\nunridiculed\nsegregational\nPhilanthus\nantonym\ntheanthropical\nprotransfer\nsegregational\nprotransfer\nsubterraneously\ntetrakaidecahedron\nultraenthusiastic\nantonym\n' | sort | uniq
echo

echo "== sort -u | tail -n +2 =="
printf 'millsite\nsubterraneously\ntetrakaidecahedron\nsegregational\nentozoology\nsegregational\nPhilanthus\nPhilanthus\nsegregational\ncelestite\navicolous\ncelestite\nentozoology\nunridiculed\nsegregational\nPhilanthus\nantonym\ntheanthropical\nprotransfer\nsegregational\nprotransfer\nsubterraneously\ntetrakaidecahedron\nultraenthusiastic\nantonym\n' | sort -u | tail -n +2
echo


----------
From: *milki* <milki at rescomp.berkeley.edu>
Date: Sat, May 10, 2014 at 6:57 PM
To: "Jason A. Donenfeld" <Jason at zx2c4.com>


On 18:08 Sat 10 May     , Jason A. Donenfeld wrote:
> I don't understand why this fixes anything.

I'm not suggesting this as an actual fix. I'm still investigating why
there's a newline at all in the input.

I was simply printing out the output of gpg_keys_from_encrypted_file
and discovered there was an unexpected blank line. I intend to continue
looking into this.

In the meantime, sysutils/tree 1.7.0 was committed to ports.

--
milki

----------
From: *Jason A. Donenfeld* <Jason at zx2c4.com>
Date: Sat, May 10, 2014 at 7:31 PM
To: milki <milki at rescomp.berkeley.edu>


Sorry for the screenshot, but I'm doing this in a VM...

It works for me:

[image: Inline image 1]


I installed 9.2 from the boot cd. I went to /usr/src/ports and make
install'd portmaster. Then I ran "portmaster shells/bash sysutils/tree
security/gnupg misc/getopt sysutils/pwgen devel/git devel/gmake". Then I
git cloned the git repo. Then I ran the test. It worked.

----------
From: *milki* <milki at rescomp.berkeley.edu>
Date: Mon, May 12, 2014 at 9:29 AM
To: "Jason A. Donenfeld" <Jason at zx2c4.com>


TESTTESTTESTTESTTESTTESTTESTTESTTESTTEST
Warning: using insecure memory!
gpg: public key is 2EE5CDCE9B368A49
gpg: public key is 4137F8355122C2A5
gpg: public key is BEDE59896B2B2DF9

2EE5CDCE9B368A49
4137F8355122C2A5
BEDE59896B2B2DF9
TESTTESTTESTTESTTESTTESTTESTTESTTESTTEST

So the Warning is showing up in the output of gpg of course. I wonder
why your tests aren't seeing this empty line that results from it then.

I did this patch to look at the gpg output.


--
milki
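
The blank line in milki's debug output above is what a stray diagnostic line does to a field-cutting pipeline: "Warning: using insecure memory!" has fewer space-separated fields than "gpg: public key is <id>", so cutting the fifth field yields an empty string, and sort -u keeps that empty string as the first entry. The script below is an added example, not code from pass or from either participant. It uses a constructed stand-in for the captured gpg output (the warning line plus the three "public key is" lines from milki's mail) and puts a naive cut/sort extraction next to one that only accepts lines of the exact key-line shape, which stays correct whether or not --no-secmem-warning is in GPG_OPTS. All function names here are mine.

```shell
#!/bin/sh
# Added example, not pass's own code: models how a gpg diagnostic line that
# is captured together with the real output pollutes a key-id extraction.

# Constructed stand-in for "gpg -v --list-only ... 2>&1" on a host that
# prints the secure-memory warning. Key ids are the ones from milki's mail.
sample_gpg_output() {
	printf '%s\n' \
		'Warning: using insecure memory!' \
		'gpg: public key is 2EE5CDCE9B368A49' \
		'gpg: public key is 4137F8355122C2A5' \
		'gpg: public key is BEDE59896B2B2DF9'
}

# The same output as it looks once the warning is suppressed at the source
# (what --no-secmem-warning in GPG_OPTS achieves).
sample_gpg_output_quiet() {
	sample_gpg_output | grep -v '^Warning: using insecure memory!$'
}

# Naive extraction (reads stdin): 5th space-separated field of every line,
# then sort -u. The warning line has only 4 fields, so cut emits an empty
# line for it, and sort -u keeps that empty line as the first entry.
naive_keys() {
	cut -d ' ' -f 5 | sort -u
}

# Hardened extraction (reads stdin): accept only lines of the exact shape
# "gpg: public key is <16 hex digits>" and keep just the id, so any
# diagnostic line, whatever it says, is dropped instead of becoming a field.
robust_keys() {
	sed -n 's/^gpg: public key is \([0-9A-F]\{16\}\)$/\1/p' | sort -u
}

# Number of empty lines on stdin; a clean key list always reports 0.
count_blank_lines() {
	grep -c '^$' || true
}

# Stand-alone demo: the two pipelines side by side on the same input.
echo "== naive, warning present =="
sample_gpg_output | naive_keys
echo "== robust, warning present =="
sample_gpg_output | robust_keys
```

The naive pipeline reproduces the four-line output (blank line first) shown in milki's mail; the pattern-anchored one yields the three ids only, and is equal to what the naive pipeline produces once the warning is gone. Suppressing the warning fixes the input; anchoring the extraction on the expected line shape keeps the key list correct even when some other platform emits a diagnostic line the option does not cover.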

----------
From: *milki* <milki at rescomp.berkeley.edu>
Date: Mon, May 12, 2014 at 9:48 AM
To: "Jason A. Donenfeld" <Jason at zx2c4.com>


gnupg provides an option to disable the secmem warning!

https://github.com/milki/password-store/tree/no_secmem

If this option is cross-platform, this should fix this statement.

--
milki