From andrew.thorp.dev at gmail.com Mon Nov 4 15:17:11 2019 From: andrew.thorp.dev at gmail.com (Andrew Thorp) Date: Mon, 04 Nov 2019 09:17:11 -0500 Subject: MIgrating gpg keys? Message-ID: <1572877031.2082.0@smtp.gmail.com> Hello, I am in the process of migrating GPG keys, and I couldn't find documentation on the best way to go about adding or changing the key used for encryption in the pass database. Does anyone have any experience with this? Thanks! Andrew Thorp -------------- next part -------------- An HTML attachment was scrubbed... URL: From contact at eddiebarraco.fr Mon Nov 4 15:31:34 2019 From: contact at eddiebarraco.fr (Eddie Barraco) Date: Mon, 04 Nov 2019 15:31:34 +0100 Subject: MIgrating gpg keys? In-Reply-To: <1572877031.2082.0@smtp.gmail.com> Message-ID: Hello ! > I am in the process of migrating GPG keys, and I couldn't find > documentation > on the best way to go about adding or changing the key used for > encryption > in the pass database. Does anyone have any experience with this? Yes you probably just have to pass init YOUR_NEW_GPG_KEY The pass manual is not so clear about all this right. Tell us if this now work as expected. Kiss From mkesper at schokokeks.org Mon Nov 4 15:33:55 2019 From: mkesper at schokokeks.org (Michael Kesper) Date: Mon, 4 Nov 2019 15:33:55 +0100 Subject: MIgrating gpg keys? In-Reply-To: <1572877031.2082.0@smtp.gmail.com> References: <1572877031.2082.0@smtp.gmail.com> Message-ID: Hi Andrew, On 04.11.19 15:17, Andrew Thorp wrote: > Hello, > > I am in the process of migrating GPG keys, and I couldn't find documentation > on the best way to go about adding or changing the key used for encryption? > in the pass database. Does anyone have any experience with this? pass init will do that. Be sure to use the ID you get by running gpg --list-key as only that will be unique. For checking, create a temporary gnupg setup containing only your new key but not the old one and try to decrypt your secrets. pass itself is a little bit low/level here and doesn't really give you much support here. Best wishes Michael -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 659 bytes Desc: OpenPGP digital signature URL: From contact at eddiebarraco.fr Mon Nov 4 15:39:15 2019 From: contact at eddiebarraco.fr (Eddie Barraco) Date: Mon, 04 Nov 2019 15:39:15 +0100 Subject: MIgrating gpg keys? In-Reply-To: Message-ID: > pass init will do that. > Be sure to use the ID you get by running > gpg --list-key > as only that will be unique. As I know you can use the global keyring id (gpg2 -K) or the encryption subkey (gpg2 -K --with-subkey-fingerprint). This allow to migrate to a new subkey when the old expires. Stacy From cmskog at gmail.com Mon Nov 4 17:06:50 2019 From: cmskog at gmail.com (Carl Michael Skog) Date: Mon, 4 Nov 2019 17:06:50 +0100 Subject: [PATCH] Fix for some flaws when using a key with multiple subkeys Message-ID: When encrypting with a gpg key that has multiple encryption subkeys ONLY the newest encryption subkey is used when encrypting. This leads to potential problems in pass when using such a key. Consider this scenario: Let's say we are using a key K with encryption subkey A. We set up two password stores(S1 and S2) plus a git repository(G) with this key. All fine so far. Let's say now that S1 adds a encryption subkey(B) to K. S2 is still unchanged. S1 then adds a new password P, and pushes this to G, which S2 then pulls. When S2 tries to read password P it will get an error message from gpg: "gpg: decryption failed: No secret key". Even more dangerous: if S1 after adding the key does a "pass init" with K, S2 will not be able to read a single password, if it pulls this change. Patch 1,2,3 is just some tests exposing the problem. The actual fix is in patch 4. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Add-an-init-test-with-a-key-with-multiple-subkeys.patch Type: text/x-diff Size: 10502 bytes Desc: not available URL: From cmskog at gmail.com Mon Nov 4 17:08:28 2019 From: cmskog at gmail.com (Carl Michael Skog) Date: Mon, 4 Nov 2019 17:08:28 +0100 Subject: [PATCH] Fix for some flaws when using a key with multiple subkeys In-Reply-To: References: Message-ID: And of the rest of the patches also.... Den m?n 4 nov. 2019 kl 17:06 skrev Carl Michael Skog : > When encrypting with a gpg key that has multiple encryption subkeys ONLY > the newest encryption subkey is used when encrypting. > This leads to potential problems in pass when using such a key. > > Consider this scenario: > Let's say we are using a key K with encryption subkey A. > We set up two password stores(S1 and S2) plus a git repository(G) with > this key. > All fine so far. > Let's say now that S1 adds a encryption subkey(B) to K. > S2 is still unchanged. > S1 then adds a new password P, and pushes this to G, which S2 then pulls. > When S2 tries to read password P it will get an error message from gpg: > "gpg: decryption failed: No secret key". > Even more dangerous: if S1 after adding the key does a "pass init" with K, > S2 will not be able to read a single password, if it pulls this change. > > Patch 1,2,3 is just some tests exposing the problem. > The actual fix is in patch 4. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-Test-for-multisubkey-group-reinit.patch Type: text/x-diff Size: 1611 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-Add-a-test-for-init-ing-with-multiple-subkey-key.patch Type: text/x-diff Size: 15237 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0004-Fixes-for-having-keys-with-multiple-subkeys.patch Type: text/x-diff Size: 6035 bytes Desc: not available URL: From contact at eddiebarraco.fr Mon Nov 4 17:20:05 2019 From: contact at eddiebarraco.fr (Eddie Barraco) Date: Mon, 04 Nov 2019 17:20:05 +0100 Subject: [PATCH] Fix for some flaws when using a key with multiple subkeys In-Reply-To: Message-ID: Hey ! > When encrypting with a gpg key that has multiple encryption subkeys ONLY > the newest encryption subkey is used when encrypting. Notes that you can use the subkey fingerprint Reed From contact at eddiebarraco.fr Mon Nov 4 17:21:14 2019 From: contact at eddiebarraco.fr (Eddie Barraco) Date: Mon, 04 Nov 2019 17:21:14 +0100 Subject: [PATCH] Fix for some flaws when using a key with multiple subkeys In-Reply-To: Message-ID: Hey > When encrypting with a gpg key that has multiple encryption subkeys ONLY > the newest encryption subkey is used when encrypting. Notes that you can use the encryption subkey fingerprint displayed with gpg2 -K --with-subkey-fingerprint From cmskog at gmail.com Mon Nov 4 17:37:49 2019 From: cmskog at gmail.com (Carl Michael Skog) Date: Mon, 4 Nov 2019 17:37:49 +0100 Subject: [PATCH] Fix for some flaws when using a key with multiple subkeys In-Reply-To: References: Message-ID: Den m?n 4 nov. 2019 kl 17:21 skrev Eddie Barraco : > Hey > > > When encrypting with a gpg key that has multiple encryption subkeys ONLY > > the newest encryption subkey is used when encrypting. > > Notes that you can use the encryption subkey fingerprint displayed with > gpg2 -K --with-subkey-fingerprint > Yes, I suppose you could do "pass init" manually with all subkey fingerprints(with an ampersand appended), which is what the patch is doing... Regards, Carl Michael Skog -------------- next part -------------- An HTML attachment was scrubbed... URL: From cmskog at gmail.com Mon Nov 4 17:42:32 2019 From: cmskog at gmail.com (Carl Michael Skog) Date: Mon, 4 Nov 2019 17:42:32 +0100 Subject: [PATCH] Fix for some flaws when using a key with multiple subkeys In-Reply-To: References: Message-ID: Disregard my answer... You were obviously answering in the "Migrating gpg keys ?" discussion... Den m?n 4 nov. 2019 kl 17:37 skrev Carl Michael Skog : > Den m?n 4 nov. 2019 kl 17:21 skrev Eddie Barraco >: > >> Hey >> >> > When encrypting with a gpg key that has multiple encryption subkeys ONLY >> > the newest encryption subkey is used when encrypting. >> >> Notes that you can use the encryption subkey fingerprint displayed with >> gpg2 -K --with-subkey-fingerprint >> > > Yes, I suppose you could do "pass init" manually with all subkey > fingerprints(with an ampersand appended), which is what the patch is > doing... > > Regards, > Carl Michael Skog > -------------- next part -------------- An HTML attachment was scrubbed... URL: From contact at eddiebarraco.fr Mon Nov 4 17:55:56 2019 From: contact at eddiebarraco.fr (Eddie Barraco) Date: Mon, 4 Nov 2019 17:55:56 +0100 Subject: [PATCH] Fix for some flaws when using a key with multiple subkeys In-Reply-To: References: Message-ID: <20191104165556.pmziq4squxatufvy@green-medusa> > > > When encrypting with a gpg key that has multiple encryption subkeys ONLY > > > the newest encryption subkey is used when encrypting. > > > > Notes that you can use the encryption subkey fingerprint displayed with > > gpg2 -K --with-subkey-fingerprint > > > > Yes, I suppose you could do "pass init" manually with all subkey > fingerprints(with an ampersand appended), which is what the patch is > doing... In fact I'm questioning the point. IMHO: If you are using subkeys, you just have to specify the subkey id. Then you can add as many subkeys you want, pass will still be using the specified one. It is also usefull to give sort of access permissions on some pc that have or not have some subkeys. I don't really see the point on giving pass the mind behind the subkey selection. It is strongly probable that I'm missing something. I'm sorry if this is the case. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From cmskog at gmail.com Mon Nov 4 18:14:12 2019 From: cmskog at gmail.com (Carl Michael Skog) Date: Mon, 4 Nov 2019 18:14:12 +0100 Subject: [PATCH] Fix for some flaws when using a key with multiple subkeys In-Reply-To: <20191104165556.pmziq4squxatufvy@green-medusa> References: <20191104165556.pmziq4squxatufvy@green-medusa> Message-ID: Den m?n 4 nov. 2019 kl 17:56 skrev Eddie Barraco : > > In fact I'm questioning the point. > > IMHO: > > If you are using subkeys, you just have to specify the subkey id. > Then you can add as many subkeys you want, pass will still be using the > specified one. It is also usefull to give sort of access permissions on > some pc that have or not have some subkeys. > > I don't really see the point on giving pass the mind behind the subkey > selection. > > It is strongly probable that I'm missing something. I'm sorry if this is > the case. > Look for example at "pass init". It explicitly claims to be reencrypting with all subkeys(It even prints them out). "Claims" is the keyword here, because it doesn't. It reencrypts in the normal gpg way(ONLY with the latest encryption subkey). There is also tests in the test suite that checks that all subkeys are used. There is just no keys with more than one subkey. Regards -------------- next part -------------- An HTML attachment was scrubbed... URL: From cmskog at gmail.com Mon Nov 4 18:32:12 2019 From: cmskog at gmail.com (Carl Michael Skog) Date: Mon, 4 Nov 2019 18:32:12 +0100 Subject: [PATCH] Fix for some flaws when using a key with multiple subkeys In-Reply-To: References: <20191104165556.pmziq4squxatufvy@green-medusa> Message-ID: > Den m?n 4 nov. 2019 kl 17:56 skrev Eddie Barraco >: > >> >> In fact I'm questioning the point. > > In fact, you seem to have been bitten by this exact flaw in an earlier message("Re-encryption with another rsa gpg subkey" at Sep 18). Regards -------------- next part -------------- An HTML attachment was scrubbed... URL: From contact at eddiebarraco.fr Mon Nov 4 18:45:34 2019 From: contact at eddiebarraco.fr (Eddie Barraco) Date: Mon, 4 Nov 2019 18:45:34 +0100 Subject: [PATCH] Fix for some flaws when using a key with multiple subkeys In-Reply-To: References: <20191104165556.pmziq4squxatufvy@green-medusa>

Message-ID: <20191104174534.ufm4fatjilkgzn2c@flying-jesusraptor> > >> In fact I'm questioning the point. > > > > > In fact, you seem to have been bitten by this exact flaw in an earlier > message("Re-encryption with another rsa gpg subkey" at Sep 18). Totaly true. And so I learned to use the subkey id. And in fact, I think this is the best way to do it. The next time I'll have to "roll" my subkey, this problem will not occurs again. I didn't know there was a lack in the tests. So It's always a good things to fill thoses buguy lacks :) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From grmat at sub.red Tue Nov 19 13:03:33 2019 From: grmat at sub.red (grmat) Date: Tue, 19 Nov 2019 13:03:33 +0100 Subject: Wayland status Message-ID: <53170c87-c226-990b-54e7-e1b8ddd205d2@sub.red> Hi there, I have two concerns regarding wayland: 1. the wl-clipboard patch has been upstream since February, but no stable release happened since. As distributions already roll Wayland by default, I think it would be reasonable to make a release to make pass+wayland functionality hit the distribution repos. 2. wl-clipboard has a --paste-once option that clears the clipboard immediately after pasting. I think it would make sense for pass to use this feature, but make it configurable. I could send a patch but I'm not sure if it's an option for upstream, so here are my ideas first: a) introduce a new env var, PASSWORD_STORE_PASTE_ONCE. If set, use the option. Problem: xclip doesn't have the feature, hence the config wouldn't work under X. b) activate it without an extra variable, e.g. by setting PASSWORD_STORE_CLIP_TIME to 0. What do you think? Matt