From jean.rblt at gmail.com Wed Apr 1 11:17:37 2020 
From: jean.rblt at gmail.com (J Rt)
Date: Wed, 1 Apr 2020 11:17:37 +0200
Subject: [PATCH bash ordered autocomplete] Order the autocompletion in bash
In-Reply-To: <20200331171209.z7uyefzwso4sbgll@terminator>
References: <20200330083431.24522-1-jean.rblt@gmail.com> <20200331171209.z7uyefzwso4sbgll@terminator>
Message-ID:

Interestingly on my machine:

- the version I sent last time works.
- the version with the local var taken away and the "" protection works:

    _append_to_compreply () {
        local IFS=" "
        for word in "$(_sort_entries_string "$1")"; do
            COMPREPLY+=($word)
        done
    }

- this does not work (with uncommented IFS it works as shown on the previous point), so I think the IFS var is needed:

    _append_to_compreply () {
        #local IFS=" "
        for word in "$(_sort_entries_string "$1")"; do
            COMPREPLY+=($word)
        done
    }

I agree with you, it is weird that IFS is needed. Not sure why (though I have good hints below).

Actually, when I implemented this solution using string instead of arrays following your 1st code review, it took me half an hour debugging to find that IFS was needed there, otherwise it does not work. Maybe I should have written to you about that.

I really did not understand initially why IFS is needed there, as running a small test snippet on a new terminal on my machine shows I have not 'broken' my environment (this is well space tab newline in hex):

    $ echo -n "$IFS" | xxd
    00000000: 2009 0a                                  ..

By contrast this:

    _append_to_compreply () {
        echo " "
        echo "IFS before"
        echo -n "$IFS" | xxd
        local IFS=" "
        echo "IFS after"
        echo -n "$IFS" | xxd
        for word in "$(_sort_entries_string "$1")"; do
            COMPREPLY+=($word)
        done
    }

gives the following:

    jrlab at jrlab-ThinkPad-T490:~$ echo -n "$IFS" | xxd
    00000000: 2009 0a                                  ..
    jrlab at jrlab-ThinkPad-T490:~$ pass
    IFS before
    00000000: 0a                                       .
    IFS after
    00000000: 20
    ^C
    jrlab at jrlab-ThinkPad-T490:~$ echo -n "$IFS" | xxd
    00000000: 2009 0a                                  ..

so it looks that even just calling pass TAB changes IFS to newline.
I looked in the code, IFS is set at quite a few places:

    $ grep -n IFS pass.bash-completion
    12:    local IFS=" "
    26:    local IFS=$'\n'
    82:    local IFS=$'\n'
    97:    local IFS=$'\n'
    $ grep -n IFS password-store.sh
    125:    IFS=";" eval 'GPG_RECIPIENTS+=( $group )' # http://unix.stackexchange.com/a/92190
    358:    git_add_file "$gpg_id.sig" "Signing new GPG id with ${key//[$IFS]/,}."
    413:    IFS="," eval 'echo "Search Terms: $*"'

I think this can explain things. I would have expected that 1) this has nothing to do with password-store.sh as it is not called, only the autocomplete script, and this fits well (though IFS instead of local IFS is used in password-store.sh, it does not look like it gets set to \n anyways), 2) the use of local protects IFS in pass.bash-completion, where IFS does get set to \n a few times, but it is possible that even using local does not help when IFS is already present from before?

Looking on SO: https://unix.stackexchange.com/questions/393928/global-local-variable-assignment

"One way to think of it is to imagine that the local var1="local 1" has the effect of saving the current value of var1, with a promise that at the end of the function it will be restored, and then setting it to "local 1". With this mental model you can then think of all variables as global, and variables being restored at the end of functions."

So this may explain maybe that in functions that set a local IFS different from the global one, calling the _append_to_compreply function that relies on IFS is tricky, since the global IFS would be restored only when exiting function?
I think this is well what is happening:

    bash-4.4$ VAR="global"
    bash-4.4$ print_var(){
    > echo "$VAR"
    > }
    bash-4.4$ set_var(){
    > print_var
    > local VAR="local"
    > print_var
    > }
    bash-4.4$ print_var
    global
    bash-4.4$ set_var
    global
    local
    bash-4.4$ print_var
    global

So local is tricky to use, and may give a false sense of security when using local on a global variable, as the global value seems to be restored only when exiting the function at the end of it, not when entering a function inside the function....

I originally picked this up in order to train a bit and improve my bash scripting level, I guess the more I write some bash, the more I get afraid of further using it for slightly complex projects, it is so tricky on many places.

On Tue, Mar 31, 2020 at 7:12 PM Reed Wade wrote:
>
> > --- a/src/completion/pass.bash-completion
> > +++ b/src/completion/pass.bash-completion
> > @@ -4,7 +4,21 @@
> >  # Brian Mattern . All Rights Reserved.
> >  # This file is licensed under the GPLv2+. Please see COPYING for more information.
> >
> > +_sort_entries_string () {
> > +	echo $1 | tr ' ' '\n' | sort | tr '\n' ' '
>
> Be careful and almost always enquote your variables usages in shell
> scripts.
>
> > +}
> > +
> > +_append_to_compreply () {
> > +	sorted_crrt_compreply_entries=$(_sort_entries_string $1)
>
> enquote $(_sort_entries_string $1)
>
> > +	local IFS=" "
>
> Is it really necessary? Unset IFS is equal to spaces, tab and newline.
>
> > +	for word in ${sorted_crrt_compreply_entries}; do
>
> You could probably remove the tmp variable and directly call
> _sort_entries_string here.
>
> rest lgtm
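Review bot: in the `_append_to_compreply` part of the hunk, `sorted_crrt_compreply_entries=$(_sort_entries_string $1)` is assigned without `local`, so every completion run leaves that variable behind as a global in the user's interactive shell; declare it `local`, or drop it and call `_sort_entries_string` directly as already suggested. In `_sort_entries_string`, `echo $1` is unquoted, so a word containing `*` or `?` is subject to pathname expansion before it reaches `sort`, and a word such as `-n` is taken by `echo` as an option; `printf '%s\n' "$1" | tr ' ' '\n' | sort` avoids both.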
From jean.rblt at gmail.com Wed Apr 1 11:41:43 2020
From: jean.rblt at gmail.com (J Rt)
Date: Wed, 1 Apr 2020 11:41:43 +0200
Subject: bug: blocking the whole computer in some cases
Message-ID:

Dear all,

I found a blocking behavior in pass. Infos about my system at the bottom of this email.

To reproduce:

- I am using a smartcard for holding my private GPG key
- when calling pass grep without the card, my system is blocked, I can do nothing to exit.
- both clicking ok and cancel in the question box asking if I can insert smartcard do not help.
- only way to exit is to 1) insert the smartcard or 2) wait for quite a while (there seems to be a timeout kicking in after a while (?) ). cancel, CTRL-C CTRL-D do not help.
- by contrast when doing a pass show for example without the card, choosing cancel on the box asking to insert the card aborts and I get my system back.

    bash-4.4$ bash --version
    GNU bash, version 4.4.20(1)-release (x86_64-pc-linux-gnu)
    Copyright (C) 2016 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    This is free software; you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    bash-4.4$ lsb_release -a
    No LSB modules are available.
    Distributor ID:    Ubuntu
    Description:       Ubuntu 18.04.4 LTS
    Release:           18.04
    Codename:          bionic
    bash-4.4$ gpg --version
    gpg (GnuPG) 2.2.4
    libgcrypt 1.8.1
    Copyright (C) 2017 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
From passlist at oern.de Wed Apr 1 12:09:14 2020
From: passlist at oern.de (Björn Fries)
Date: Wed, 1 Apr 2020 12:09:14 +0200
Subject: bug: blocking the whole computer in some cases
In-Reply-To:
References:
Message-ID: <8c927f93-ba40-3969-c227-cb04857118e9@oern.de>

On 01.04.20 at 11:41, J Rt wrote:
> - I am using a smartcard for holding my private GPG key

same here

> - when calling pass grep without the card, my system is blocked, I can
> do nothing to exit.
> - both clicking ok and cancel in the question box asking if I can
> insert smartcard do not help.

'pass grep' opens every encrypted file to look for the searched pattern. pass doesn't know you use a smartcard for your private key. Every time you cancel the question box, pass invokes gpg for the next file and gpg asks again for your card.

> - by contrast when doing a pass show for example without the card,
> choosing cancel on the box asking to insert the card aborts and I get
> my system back.

Because pass then only invokes gpg once.

Perhaps pass grep should stop after the first failure to decrypt a file, but I think this would be wrong, as it could be intended that in a shared passwordstore some files are not encrypted for a part of the different users.

I would say [WONTFIX].
From jean.rblt at gmail.com Wed Apr 1 12:17:00 2020
From: jean.rblt at gmail.com (J Rt)
Date: Wed, 1 Apr 2020 12:17:00 +0200
Subject: bug: blocking the whole computer in some cases
In-Reply-To: <8c927f93-ba40-3969-c227-cb04857118e9@oern.de>
References: <8c927f93-ba40-3969-c227-cb04857118e9@oern.de>
Message-ID:

Ok, makes sense.

A 'more sophisticated' way would be to ask only once per key / smartcard. But I guess this may be too much hassle to implement compared with the gain.

On Wed, Apr 1, 2020 at 12:10 PM Björn Fries wrote:
>
> On 01.04.20 at 11:41, J Rt wrote:
> > - I am using a smartcard for holding my private GPG key
>
> same here
>
> > - when calling pass grep without the card, my system is blocked, I can
> > do nothing to exit.
> > - both clicking ok and cancel in the question box asking if I can
> > insert smartcard do not help.
>
> 'pass grep' opens every encrypted file to look for the searched pattern.
> pass doesn't know you use a smartcard for your private key. Every time
> you cancel the question box, pass invokes gpg for the next file and gpg
> asks again for your card.
>
> > - by contrast when doing a pass show for example without the card,
> > choosing cancel on the box asking to insert the card aborts and I get
> > my system back.
>
> Because pass then only invokes gpg once.
>
> Perhaps pass grep should stop after the first failure to decrypt a file,
> but I think this would be wrong, as it could be intended that in a
> shared passwordstore some files are not encrypted for a part of the
> different users.
>
> I would say [WONTFIX].
From mail at lenzw.de Wed Apr 1 12:20:16 2020
From: mail at lenzw.de (Lenz Weber)
Date: Wed, 1 Apr 2020 12:20:16 +0200
Subject: bug: blocking the whole computer in some cases
In-Reply-To:
References: <8c927f93-ba40-3969-c227-cb04857118e9@oern.de>
Message-ID:

The "asking" is done by gpg, pass has no way to check (or prevent) if any asking is done.

On 4/1/20 12:17 PM, J Rt wrote:
> Ok, makes sense.
>
> A 'more sophisticated' way would be to ask only once per key /
> smartcard. But I guess this may be too much hassle to implement
> compared with the gain.
>
> On Wed, Apr 1, 2020 at 12:10 PM Björn Fries wrote:
>> On 01.04.20 at 11:41, J Rt wrote:
>>> - I am using a smartcard for holding my private GPG key
>> same here
>>
>>> - when calling pass grep without the card, my system is blocked, I can
>>> do nothing to exit.
>>> - both clicking ok and cancel in the question box asking if I can
>>> insert smartcard do not help.
>> 'pass grep' opens every encrypted file to look for the searched pattern.
>> pass doesn't know you use a smartcard for your private key. Every time
>> you cancel the question box, pass invokes gpg for the next file and gpg
>> asks again for your card.
>>
>>> - by contrast when doing a pass show for example without the card,
>>> choosing cancel on the box asking to insert the card aborts and I get
>>> my system back.
>> Because pass then only invokes gpg once.
>>
>> Perhaps pass grep should stop after the first failure to decrypt a file,
>> but I think this would be wrong, as it could be intended that in a
>> shared passwordstore some files are not encrypted for a part of the
>> different users.
>>
>> I would say [WONTFIX].
From kjetil.homme at redpill-linpro.com Wed Apr 1 12:54:50 2020
From: kjetil.homme at redpill-linpro.com (Kjetil Torgrim Homme)
Date: Wed, 1 Apr 2020 12:54:50 +0200
Subject: bug: blocking the whole computer in some cases
In-Reply-To:
References: <8c927f93-ba40-3969-c227-cb04857118e9@oern.de>
Message-ID: <3dad224f-ba8b-33e9-b6d0-81dbb2520135@redpill-linpro.com>

On 01/04/2020 12.20, Lenz Weber wrote:
> The "asking" is done by gpg, pass has no way to check (or prevent) if
> any asking is done.

well, pass knows the decrypt failed, so it could ask the user whether it should go on to the next file after N failures.

> On 4/1/20 12:17 PM, J Rt wrote:
>> Ok, makes sense.
>>
>> A 'more sophisticated' way would be to ask only once per key /
>> smartcard. But I guess this may be too much hassle to implement
>> compared with the gain.
>>
>> On Wed, Apr 1, 2020 at 12:10 PM Björn Fries wrote:
>>> On 01.04.20 at 11:41, J Rt wrote:
>>>> - I am using a smartcard for holding my private GPG key
>>> same here
>>>
>>>> - when calling pass grep without the card, my system is blocked, I can
>>>> do nothing to exit.
>>>> - both clicking ok and cancel in the question box asking if I can
>>>> insert smartcard do not help.
>>> 'pass grep' opens every encrypted file to look for the searched pattern.
>>> pass doesn't know you use a smartcard for your private key. Every time
>>> you cancel the question box, pass invokes gpg for the next file and gpg
>>> asks again for your card.
>>>
>>>> - by contrast when doing a pass show for example without the card,
>>>> choosing cancel on the box asking to insert the card aborts and I get
>>>> my system back.
>>> Because pass then only invokes gpg once.
>>>
>>> Perhaps pass grep should stop after the first failure to decrypt a file,
>>> but I think this would be wrong, as it could be intended that in a
>>> shared passwordstore some files are not encrypted for a part of the
>>> different users.
>>>
>>> I would say [WONTFIX].

--
Kjetil T. Homme
Redpill Linpro - Changing the Game

From keeperotphones at gmail.com Wed Apr 1 15:51:21 2020
From: keeperotphones at gmail.com (Victor Goff)
Date: Wed, 1 Apr 2020 09:51:21 -0400
Subject: auto completion with tab: separate commands and tree structure
In-Reply-To: <87ftds9ooj.fsf@arch2.laptop.juraszek.xyz>
References: <20200328075012.6ohei6lq3dbpia3x@terminator> <20200328173204.ztuvwsqh7lwqutcl@terminator> <20200328192716.w3xuf43mgq463pjl@terminator> <87ftds9ooj.fsf@arch2.laptop.juraszek.xyz>
Message-ID: <20200401135121.GD9406@SinequixCKO>

On Sat, Mar 28, 2020 at 10:04:12PM +0100, Artur Juraszek wrote:
> > The tutorial shows:
> >
> >     git send-email --to="~sircmpwn/email-test-drive at lists.sr.ht" HEAD^
>
> This slash is actually not a feature of git nor posting patches in
> general, but a detail of how mailing list addresses on lists.sr.ht
> service are constructed - internal namespacing, one could say.

This is just an e-mail, valid as per the e-mail RFC, nothing special going on there.
From thecofee at gmail.com Fri Apr 3 19:18:48 2020
From: thecofee at gmail.com (David Izquierdo)
Date: Fri, 3 Apr 2020 19:18:48 +0200
Subject: XDG Base Directory Specification
In-Reply-To: <20200330095244.4495b652@DaemONX>
References: <20200329133744.1f667950@DaemONX> <20200329201823.GA2243@gurke> <20200329224704.44cbec32@DaemONX> <20200329211712.GB2243@gurke> <20200330095244.4495b652@DaemONX>
Message-ID: <3e5f212c-9a64-9463-7733-c44bfe4f954f@gmail.com>

On 30/03/2020 09:52, Serpent7776 wrote:
> That's why I would not pollute global env just for single application.

(Apologies for the inevitable mangling my email client is about to perform)

Some distributions work around this by having binary-specific wrappers. I'm thinking NixOS in particular: it's a common pattern, when looking under each package's `/bin/` directory, to find the original binary as `.binary-wrapped`, and have a shell script named `binary` instead that calls the real binary with modified variables, parameters and arguments.

In this context, you may want to have a script somewhere on your PATH (as long as it's in a directory with a higher priority than where default pass is) which adds your variable/argument to the real pass. If you're worried about having to call two bashes, I think `source`ing the real pass instead should work?
From steve at i-db.com Sat Apr 4 12:42:51 2020
From: steve at i-db.com (Steve Harriss)
Date: Sat, 04 Apr 2020 11:42:51 +0100
Subject: Calculate Linux
Message-ID:

Frustrating time with setting up pass on a new Calculate Linux (Gentoo based) laptop. Everything is working apart from filename completion! I use zsh, as I do on all my other PCs without issue.

Pass find and search will bring up relevant entries but - pass startoffile just brings up the error 'No matches for: `file''

This comes from my .zshrc file. Can anyone point out where/how I can rectify this issue?

.zshrc

    #!/bin/zsh

    [ -f ~/.fzf.zsh ] && source ~/.fzf.zsh
    export PATH=$PATH:/home/steveh/.cargo/bin

    # Completion
    autoload -U promptinit && promptinit
    autoload -U compinit compdef && compinit

    # Prompt
    prompt gentoo

    # Reverse search
    bindkey -v

    # Correction
    setopt correctall
    setopt autocd
    setopt autopushd
    setopt pushdignoredups
    setopt extendedglob
    setopt histreduceblanks
    setopt histignorespace
    setopt histignorealldups
    setopt alwaystoend

    # History
    [ -z "$HISTFILE" ] && HISTFILE="$HOME/.history"
    HISTSIZE=50000
    SAVEHIST=10000

    zstyle ':completion::complete:*' use-cache 1
    zstyle ':completion:*:descriptions' format '%U%B%d%b%u'
    zstyle ':completion:*:warnings' format '%F{RED}No matches for:''%F{YELLOW} %d'$DEFAULT

TIA
Steve
From nathan at nixpulvis.com Sun Apr 5 22:23:45 2020
From: nathan at nixpulvis.com (Nathan Lilienthal)
Date: Sun, 5 Apr 2020 16:23:45 -0400
Subject: GPG ID Set Outside of `.gpg-id`?
Message-ID:

As I understand things `~/.password-store/.gpg-id` file is used to determine which GPG ID/fingerprint to use for encryption/decryption of pass contents. However, while testing things out, I've both emptied, and deleted the `.gpg-id` file (and verified no other `.gpg-id` files exist on my system), and yet `pass` still prompts me for a password for a GPG key of the correct ID.

Is `~/.password-store/.gpg-id` (and mentioned subdirectories) the only place this ID is supposed to be set? How is it possible things continue to work after deleting this file? Or are only *new* passwords using this file? I've noticed I cannot create new passwords in this state.

- N8

From jaccarmac at gmail.com Mon Apr 6 00:09:07 2020
From: jaccarmac at gmail.com (Jacob MacDonald)
Date: Sun, 5 Apr 2020 17:09:07 -0500
Subject: GPG ID Set Outside of `.gpg-id`?
In-Reply-To:
References:
Message-ID:

As I understand it, GPG-encrypted files contain the ID of the secret key needed to decrypt them. Thus, if that key is in your keyring you don't need to tell GPG to use it explicitly.

Jacob.
From nathan at nixpulvis.com Mon Apr 6 01:15:10 2020
From: nathan at nixpulvis.com (Nathan Lilienthal)
Date: Sun, 5 Apr 2020 19:15:10 -0400
Subject: GPG ID Set Outside of `.gpg-id`?
In-Reply-To:
References:
Message-ID:

That makes a lot of sense, thanks for clearing this up for me.

I was hoping to have a way to reliably configure which GPG ID it prompts me about first, since I would like to have a PIN activated smartcard first (if plugged in), then fall back to another on device key, with a longer password. Is there a way to get GPG to do this?

Thanks again.

On Sun, Apr 5, 2020 at 6:13 PM Jacob MacDonald wrote:
>
> As I understand it, GPG-encrypted files contain the ID of the secret
> key needed to decrypt them. Thus, if that key is in your keyring you
> don't need to tell GPG to use it explicitly.
>
> Jacob.

From jaccarmac at gmail.com Mon Apr 6 01:32:06 2020
From: jaccarmac at gmail.com (Jacob MacDonald)
Date: Sun, 5 Apr 2020 18:32:06 -0500
Subject: GPG ID Set Outside of `.gpg-id`?
In-Reply-To:
References:
Message-ID:

> That makes a lot of sense, thanks for clearing this up for me.

No problem!

> I was hoping to have a way to reliably configure which GPG ID it
> prompts me about first

Still for decryption? I would assume that the prompt order for a multi-recipient message is the order of the headers. I haven't confirmed this, though. I did just encrypt a message with --recipient flags in different orders, and the resulting files seemed to contain the signatures in the order I passed them. However, I'm not sure if that's specified behavior or just the way my GPG install works.

> I would like to have a PIN activated
> smartcard first (if plugged in), then fall back to another on device
> key, with a longer password.

I'm afraid I'm unfamiliar with smartcards, as I don't use one myself.

Best of luck,
Jacob.
From password-store at storiepvtride.it Mon Apr 6 09:06:16 2020
From: password-store at storiepvtride.it (password-store at storiepvtride.it)
Date: Mon, 6 Apr 2020 09:06:16 +0200
Subject: GPG ID Set Outside of `.gpg-id`?
In-Reply-To:
References:
Message-ID:

On 06.04.20 at 01:15, Nathan Lilienthal wrote:
> I was hoping to have a way to reliably configure which GPG ID it
> prompts me about first, since I would like to have a PIN activated
> smartcard first (if plugged in), then fall back to another on device
> key, with a longer password.

Hi,

could you perhaps set a passphrase on the GPG key you use to encrypt your files? You can then configure GPG to always ask for the passphrase instead of caching it, see "--default-cache-ttl": https://www.gnu.org/software/emacs/manual/html_node/pgg/Caching-passphrase.html

Or, but perhaps not exactly the workflow that you described: you can encrypt your .gpg pass files using a private key that is stored on a smartcard (such as a Yubikey). From now on you will need the smartcard to be plugged into your computer to decrypt files. You can configure the smartcard to have a PIN. The first time you will try to decrypt a file, you will be prompted for this PIN and the passphrase you might have set for the GPG key. By default the Yubikey asks for a PIN only the first time after being plugged. If you remove it and plug it again you will be prompted for the PIN again. Maybe it can be configured to ask for the PIN every time, if this is your use case.

Clearly, the smartcard will now be essential to decrypt your files. If you lose it or forget the passphrase, you can throw away all your encrypted pass files.

If you need a generic PIN prompt from a smartcard but you don't want to store the GPG private key on it, I think you might need another authentication layer behind pass (a sort of "login" auth system).

Hope this helps,
Regards
From reedwade at misterbanal.net Tue Apr 7 15:48:59 2020
From: reedwade at misterbanal.net (Reed Wade)
Date: Tue, 7 Apr 2020 15:48:59 +0200
Subject: [PATCH bash ordered autocomplete] Order the autocompletion in bash
In-Reply-To:
References: <20200330083431.24522-1-jean.rblt@gmail.com> <20200331171209.z7uyefzwso4sbgll@terminator>
Message-ID: <20200407134859.dctgehucjzkv3i3q@terminator>

Hello back !

Sorry for big delay, Migadu got problems with imap access cause of recent events.

> - the version I sent last time works.

cool !

> - the version with the local var taken away and the "" protection works:

cool !

> _append_to_compreply () {
> local IFS=" "
> for word in "$(_sort_entries_string "$1")"; do
> COMPREPLY+=($word)
> done
> }
>
> - this does not work (with uncommented IFS it works as shown on the
> previous point), so I think the IFS var is needed. :
>
> bla bla bla

Aha yup. I just discovered some days ago bash actually uses something called "dynamic scopes". In short, if a var is defined outside of the scope, bash updates this variable's value. Except if "local" is used ofc.

Is it possible to add "local IFS" where needed ? This will make the _append_to_compreply IFS useless right ?
From jean.rblt at gmail.com Wed Apr 8 14:05:56 2020
From: jean.rblt at gmail.com (J Rt)
Date: Wed, 8 Apr 2020 14:05:56 +0200
Subject: [PATCH bash ordered autocomplete] Order the autocompletion in bash
In-Reply-To: <20200407134859.dctgehucjzkv3i3q@terminator>
References: <20200330083431.24522-1-jean.rblt@gmail.com> <20200331171209.z7uyefzwso4sbgll@terminator> <20200407134859.dctgehucjzkv3i3q@terminator>
Message-ID:

No worries :) . I guess that putting local on IFS everywhere may solve the problem, but I had been playing a bit around without managing to get it to work. Guess I was missing an IFS somewhere.

On Tue, Apr 7, 2020 at 3:49 PM Reed Wade wrote:
>
> Hello back !
>
> Sorry for big delay, Migadu got problems with imap access cause of
> recent events.
>
> > - the version I sent last time works.
>
> cool !
>
> > - the version with the local var taken away and the "" protection works:
>
> cool !
>
> > _append_to_compreply () {
> > local IFS=" "
> > for word in "$(_sort_entries_string "$1")"; do
> > COMPREPLY+=($word)
> > done
> > }
> >
> > - this does not work (with uncommented IFS it works as shown on the
> > previous point), so I think the IFS var is needed. :
> >
> > bla bla bla
>
> Aha yup. I just discovered some days ago bash actually uses something
> called "dynamic scopes". In short, if a var is defined outside of the
> scope, bash updates this variable's value. Except if "local" is used ofc.
>
> Is it possible to add "local IFS" where needed ? This will make the
> _append_to_compreply IFS useless right ?
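An added example, not code from the pass completion script, the patch, or anyone in this thread, that reproduces what the thread established: under bash's dynamic scoping (also present in dash and other sh implementations), a function that does not set IFS splits words with whatever `local IFS` its caller has in effect, which is why `_append_to_compreply` saw the newline-only IFS set elsewhere in pass.bash-completion; a function that sets its own `local IFS` is unaffected, and a sorter that never expands the string unquoted does not depend on IFS at all. Function names and the sample entries are mine.

```shell
# Counts the words a for-loop sees in "$1". It does NOT set IFS, so with
# dynamic scoping it splits with whatever IFS its caller has in effect,
# which is exactly what made _append_to_compreply misbehave.
count_words() {
    local n w
    n=0
    for w in $1; do n=$((n + 1)); done   # splitting is governed by IFS
    echo "$n"
}

# Caller that does what several functions in pass.bash-completion do: it
# sets a local IFS of newline only, then calls a helper that relies on IFS.
caller_with_newline_ifs() {
    local IFS='
'
    count_words "$1"
}

# Same count, but the callee sets its own local IFS (a single space, as the
# patch's `local IFS=" "` does), so the caller's IFS cannot influence it.
count_words_safe() {
    local IFS n w
    IFS=' '
    n=0
    for w in $1; do n=$((n + 1)); done
    echo "$n"
}

caller_safe() {
    local IFS='
'
    count_words_safe "$1"
}

# IFS-independent sorter: "$1" is only ever used quoted, so neither the
# caller's IFS nor pathname expansion of an entry such as 'web/*' can
# interfere. Output is the sorted entries separated by single spaces.
sort_entries() {
    printf '%s' "$1" | tr ' ' '\n' | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone demonstration with constructed entry names.
demo() {
    entries='gmail/pass Github.com/ID amazon'
    printf 'default IFS:          %s words\n' "$(count_words "$entries")"
    printf 'caller sets IFS=\\n:   %s words\n' "$(caller_with_newline_ifs "$entries")"
    printf 'callee sets own IFS:  %s words\n' "$(caller_safe "$entries")"
    printf 'sorted: %s\n' "$(sort_entries "$entries")"
}
demo
```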
From jean.rblt at gmail.com Wed Apr 8 14:28:21 2020
From: jean.rblt at gmail.com (J Rt)
Date: Wed, 8 Apr 2020 14:28:21 +0200
Subject: pass migrate
Message-ID:

Dear all,

Is there a way to easily 'migrate' pass from a GPG key to another? Something like:

- I have a pass store encoded with GPG key ID1.
- For some reason I want to move from GPG key ID1 to GPG key ID2. For example, I lost my private key backup for ID1, and I only have 1 GPG smartcard containing the secret key ID1. As I will lose it / it will break some day in the future, I then need to 'migrate' to GPG key ID2.
- I therefore want to issue a command like "pass migrate ID1 ID2".
- After this is done, pass store is now encoded with GPG key ID2 instead of ID1.

My question is then: is there such a command allowing to perform the 'migrate' step without hassle?

Cheers,

Jean
From artur at juraszek.xyz Wed Apr 8 14:39:46 2020
From: artur at juraszek.xyz (Artur Juraszek)
Date: Wed, 08 Apr 2020 14:39:46 +0200
Subject: pass migrate
In-Reply-To:
References:
Message-ID: <875zeaw3ql.fsf@arch2.laptop.juraszek.xyz>

> My question is then: is there such a command allowing to perform the
> 'migrate' step without hassle?

There is!
Surprisingly it's what 'pass init' can do, copy-pasting an excerpt from the manpage:

    init [ --path=sub-folder, -p sub-folder ] gpg-id...
           Initialize new password storage and use gpg-id for encryption. Multiple gpg-ids may
           be specified, in order to encrypt each password with multiple ids. This command must
           be run first before a password store can be used. If the specified gpg-id is different
           from the key used in any existing files, these files will be reencrypted to use
           the new id. Note that use of gpg-agent(1) is recommended so that the batch decryption
           does not require as much user intervention. If --path or -p is specified, along
           with an argument, a specific gpg-id or set of gpg-ids is assigned for that specific
           sub folder of the password store. If only one gpg-id is given, and it is an empty
           string, then the current .gpg-id file for the specified sub-folder (or root if
           unspecified) is removed.

--
Artur Juraszek
From jean.rblt at gmail.com Wed Apr 8 14:48:32 2020
From: jean.rblt at gmail.com (J Rt)
Date: Wed, 8 Apr 2020 14:48:32 +0200
Subject: pass migrate
In-Reply-To: <875zeaw3ql.fsf@arch2.laptop.juraszek.xyz>
References: <875zeaw3ql.fsf@arch2.laptop.juraszek.xyz>
Message-ID:

Oooh, sorry I missed this, my bad, and thank you for pointing to this :) . I think this is exactly what you said: a bit surprising this is done by the init command. Do you think it would be reasonable to write a 'thin wrapper' on the init command and call it for example migrate, with a very easy / rigid syntax, so that n00bs like me do not get confused and get confident about exactly what they do / how they migrate? :)

On Wed, Apr 8, 2020 at 2:40 PM Artur Juraszek wrote:
>
>
> > My question is then: is there such a command allowing to perform the
> > 'migrate' step without hassle?
>
> There is!
> Surprisingly it's what 'pass init' can do, copy-pasting an excerpt from the manpage:
>
>     init [ --path=sub-folder, -p sub-folder ] gpg-id...
>            Initialize new password storage and use gpg-id for encryption. Multiple gpg-ids may
>            be specified, in order to encrypt each password with multiple ids. This command must
>            be run first before a password store can be used. If the specified gpg-id is different
>            from the key used in any existing files, these files will be reencrypted to use
>            the new id. Note that use of gpg-agent(1) is recommended so that the batch decryption
>            does not require as much user intervention. If --path or -p is specified, along
>            with an argument, a specific gpg-id or set of gpg-ids is assigned for that specific
>            sub folder of the password store. If only one gpg-id is given, and it is an empty
>            string, then the current .gpg-id file for the specified sub-folder (or root if
>            unspecified) is removed.
>
> --
> Artur Juraszek
From jean.rblt at gmail.com Wed Apr 8 15:36:27 2020
From: jean.rblt at gmail.com (J Rt)
Date: Wed, 8 Apr 2020 15:36:27 +0200
Subject: pass migrate
In-Reply-To:
References: <875zeaw3ql.fsf@arch2.laptop.juraszek.xyz>
Message-ID:

"If the specified gpg-id is different from the key used in any existing files, these files will be reencrypted to use the new id."

This means that you cannot migrate specifically files encrypted with 1 GPG ID1 to another GPG ID2, right? Does this well mean that all files encrypted with anything other than GPG ID2 will be re-encrypted to GPG ID2? In this case, migrate would do a slightly different task?

On Wed, Apr 8, 2020 at 2:48 PM J Rt wrote:
>
> Oooh, sorry I missed this, my bad, and thank you for pointing to this
> :) . I think this is exactly what you said: a bit surprising this is
> done by the init command. Do you think it would be reasonable to write
> a 'thin wrapper' on the init command and call it for example migrate,
> with a very easy / rigid syntax, so that n00bs like me do not get
> confused and get confident about exactly what they do / how they
> migrate? :)
>
> On Wed, Apr 8, 2020 at 2:40 PM Artur Juraszek wrote:
> >
> >
> > > My question is then: is there such a command allowing to perform the
> > > 'migrate' step without hassle?
> >
> > There is!
> > Surprisingly it's what 'pass init' can do, copy-pasting an excerpt from the manpage:
> >
> >     init [ --path=sub-folder, -p sub-folder ] gpg-id...
> >            Initialize new password storage and use gpg-id for encryption. Multiple gpg-ids may
> >            be specified, in order to encrypt each password with multiple ids. This command must
> >            be run first before a password store can be used. If the specified gpg-id is different
> >            from the key used in any existing files, these files will be reencrypted to use
> >            the new id. Note that use of gpg-agent(1) is recommended so that the batch decryption
> >            does not require as much user intervention. If --path or -p is specified, along
> >            with an argument, a specific gpg-id or set of gpg-ids is assigned for that specific
> >            sub folder of the password store. If only one gpg-id is given, and it is an empty
> >            string, then the current .gpg-id file for the specified sub-folder (or root if
> >            unspecified) is removed.
> >
> > --
> > Artur Juraszek

From congdanhqx at gmail.com Wed Apr 8 15:47:01 2020
From: congdanhqx at gmail.com (Danh Doan)
Date: Wed, 8 Apr 2020 20:47:01 +0700
Subject: pass migrate
In-Reply-To:
References: <875zeaw3ql.fsf@arch2.laptop.juraszek.xyz>
Message-ID: <20200408134701.GA15107@danh.dev>

On 2020-04-08 15:36:27+0200, J Rt wrote:
> If the specified gpg-id is different from the key used in any existing
> files, these files will be reencrypted to use the new id.
>
> This means that you cannot migrate specifically files encrypted with 1
> GPG ID1 to another GPG ID2, right? Does this well mean that all files
> encrypted with anything other than GPG ID2 will be re-encrypted to GPG
> ID2? In this case, migrate would do a slightly different task?

Please don't top-post.

Re-encrypting everything with gpg-id-2 is a simple solution (no need to check which gpg-id was used to encrypt the file).

If you have password-store with multiple gpg-id, it's better to organise them into sub-directory.

    (top)
    |-> subdir-with-gpg-id-1
    |-> subdir-with-gpg-id-2
    |...
    |-> subdir-with-gpg-id-n

then

    pass init -p

Or, you could encrypt them with multiple gpg-id

    pass init -p

--
Danh
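An added example, not pass's own code, of the per-folder `.gpg-id` lookup that the manpage excerpt and Danh's sub-directory layout both rely on: the recipients for an entry come from the nearest `.gpg-id` in the entry's directory or any parent up to the store root, and `pass init -p folder ID1 ID2` leaves one id per line in that folder's `.gpg-id`. It also lists which entries a given `.gpg-id` governs, which is the set whose recipients change when that folder is re-initialised with a new id. The sample store is constructed in a temp dir with placeholder ids and involves no gpg; function names are mine.

```shell
# Print the path of the .gpg-id that governs entry $2 (relative to the store
# root $1, e.g. "gmail/pass.gpg"), or return 1 if no .gpg-id applies.
# Search order mirrors pass: the entry's own directory, then each parent,
# stopping at the store root. $1 must not carry a trailing slash.
find_gpg_id_file() {
    store=$1
    dir=$(dirname "$store/$2")
    while :; do
        if [ -f "$dir/.gpg-id" ]; then
            printf '%s\n' "$dir/.gpg-id"
            return 0
        fi
        [ "$dir" = "$store" ] && return 1   # reached the root without a key set
        dir=$(dirname "$dir")
    done
}

# Print the gpg ids (one per line) entry $2 would be encrypted to.
recipients_for() {
    f=$(find_gpg_id_file "$1" "$2") || return 1
    sed -e 's/[[:space:]]*$//' -e '/^$/d' "$f"   # drop trailing space and blank lines
}

# List every entry (relative to store $1) whose governing file is $2/.gpg-id.
# Entries below a deeper .gpg-id keep their own key set and are not listed.
entries_governed_by() {
    store=$1 gpgdir=$2
    find "$store" -type f -name '*.gpg' | LC_ALL=C sort | while IFS= read -r f; do
        rel=${f#"$store/"}
        if [ "$(find_gpg_id_file "$store" "$rel")" = "$gpgdir/.gpg-id" ]; then
            printf '%s\n' "$rel"
        fi
    done
}

# Constructed sample store: placeholder ids, empty *.gpg files, no real keys.
# subdir-with-gpg-id-2 deliberately has no .gpg-id of its own, so it inherits
# the root's; "shared" holds two ids, as `pass init -p shared ID1 ID2` would leave.
make_sample_store() {
    s=$(mktemp -d)
    mkdir -p "$s/subdir-with-gpg-id-1/deeper" "$s/subdir-with-gpg-id-2" "$s/shared"
    printf '%s\n' "ROOT-ID-placeholder" > "$s/.gpg-id"
    printf '%s\n' "ID1-placeholder" > "$s/subdir-with-gpg-id-1/.gpg-id"
    printf '%s\n' "ID1-placeholder" "ID2-placeholder" > "$s/shared/.gpg-id"
    touch "$s/top.gpg" "$s/subdir-with-gpg-id-1/a.gpg" "$s/subdir-with-gpg-id-1/deeper/b.gpg" \
          "$s/subdir-with-gpg-id-2/c.gpg" "$s/shared/d.gpg"
    printf '%s\n' "$s"
}

# Stand-alone demonstration.
demo() {
    s=$(make_sample_store)
    for e in top.gpg subdir-with-gpg-id-1/deeper/b.gpg subdir-with-gpg-id-2/c.gpg shared/d.gpg; do
        printf '%-36s -> %s\n' "$e" "$(recipients_for "$s" "$e" | tr '\n' ' ')"
    done
    printf 'governed by the root .gpg-id:\n'
    entries_governed_by "$s" "$s" | sed 's/^/  /'
    rm -rf "$s"
}
demo
```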
From: kjetil.homme at redpill-linpro.com (Kjetil Torgrim Homme)
Date: Wed, 8 Apr 2020 15:49:26 +0200
Subject: pass migrate
In-Reply-To:
References: <875zeaw3ql.fsf@arch2.laptop.juraszek.xyz>
Message-ID:

On 08/04/2020 14.48, J Rt wrote:
> Oooh, sorry I missed this, my bad, and thank you for pointing to this
> :) . I think this is exactly what you said: a bit surprising this is
> done by the init command. Do you think it would be reasonable to write
> a 'thin wrapper' on the init command and call it for example migrate,
> with a very easy / rigid syntax, so that n00bs like me do not get
> confused and get confident about exactly what they do / how they
> migrate? :)
>

I suggested a patch to implement "pass reencrypt" in January:

Subject: [PATCH] add "pass reencrypt" sub command
Date: Tue, 7 Jan 2020 17:33:56 +0100

it is just slightly different from pass init - i.e. it will use existing .gpg-id files. so in your case, you would have to update .gpg-id manually before running the command. whether this is better/more convenient than just running "pass init" I will leave for you to decide.

in our use case, we have dozens of keys (belonging to members of our team) which give varying access to subfolders, so using "pass init" is very awkward when we get a new hire :-)

--
Kjetil T. Homme
Redpill Linpro - Changing the Game

From jean.rblt at gmail.com Fri Apr 10 14:34:51 2020
From: jean.rblt at gmail.com (J Rt)
Date: Fri, 10 Apr 2020 14:34:51 +0200
Subject: dump all content
Message-ID:

Dear all,

I would like to dump a complete copy of my password store for printing on paper and archiving in my safe, in full text / un-encrypted format. I know this may seem a bit risky but I am not a specially interesting target, and this will be in my safe anyways.

Is there a way to do that?

For example, I can issue:

pass show

and this shows the full pass tree:

$ pass show
Password Store
├── Github.com
│   ├── ID
│   └── pass
├── gmail
│   ├── pass
│   └── username

Would it be possible to have a command like for example

pass show all

and it would show:

$ pass show all
Password Store
├── Github.com
│   ├── ID blabla
│   └── pass blabla2
├── gmail
│   ├── pass blabla3
│   └── username blabla4

etc?

I think this would be very useful for the 'casual' user who is not under much threat. As this reveals a lot of information, I guess this command could print a warning and ask for confirmation, something like:

$ pass show all
This is going to decrypt and show all your data, are you sure you want to continue? [yes/no]

Cheers,

JR

From congdanhqx at gmail.com Fri Apr 10 14:41:01 2020
From: congdanhqx at gmail.com (Danh Doan)
Date: Fri, 10 Apr 2020 19:41:01 +0700
Subject: dump all content
In-Reply-To:
References:
Message-ID: <20200410124101.GA7706@danh.dev>

On 2020-04-10 14:34:51+0200, J Rt wrote:
> Dear all,
>
> I would like to dump a complete copy of my password store for printing
> on paper and archiving in my safe, in full text / un-encrypted format.
> I know this may seem a bit risky but I am not a specially interesting
> target, and this will be in my safe anyways.
>
> Is there a way to do that?
>
> Would it be possible to have a command like for example
>
> pass show all
>
> and it would show:
>
> $ pass show all
> Password Store
> ├── Github.com
> │   ├── ID blabla
> │   └── pass blabla2
> ├── gmail
> │   ├── pass blabla3
> │   └── username blabla4

It isn't in the format you want. But, you can try:

pass grep .

--
Danh

From hackan at gmail.com Fri Apr 10 16:06:17 2020
From: hackan at gmail.com (HacKan)
Date: Fri, 10 Apr 2020 11:06:17 -0300
Subject: dump all content
In-Reply-To:
References:
Message-ID: <3b732976-4fde-bd50-d494-1c772a7c2def@gmail.com>

Well, I can't give you that command but here's a "oneliner" that loops through your pass files and decrypts them:

# the posted one-liner never defined $files; this line (not in the original mail) collects every .gpg entry in the store
shopt -s globstar nullglob; files=(/home/$USER/.password-store/**/*.gpg);
if mount | grep "on /tmp" | grep "type tmpfs" >/dev/null; then
  tmpdir="$(mktemp -d)"; chmod 0700 "$tmpdir";
  printf "WARNING: Storing ALL your passwords DECRYPTED in %s\n" "$tmpdir";
  for file in "${files[@]}"; do
    # strip the store prefix and the .gpg suffix to get the pass entry name
    path="${file##/home/$USER/\.password-store/}"; pass_path="${path%%.gpg}";
    printf "Decrypting %s...\n" "$pass_path";
    printf "%s\n" "$pass_path" >> "$tmpdir/decrypted.txt";
    pass "$pass_path" >> "$tmpdir/decrypted.txt" 2>&1;
  done;
  printf "Here's your DECRYPTED passwords (delete %s afterwards!):\n\n\n" "$tmpdir";
  cat "$tmpdir/decrypted.txt";
else
  printf "Not a tmpfs! Aborting...\n";
fi;

Huge WARNING: it stores them in a file under a new "random" directory in /tmp, checking if /tmp is tmpfs first so as to make sure that we are not writing plain passwords in permanent storage (this is very important!). Remember to remove said directory once done.

Hope it helps you, cheers!

On 4/10/20 9:34 AM, J Rt wrote:
> Dear all,
>
> I would like to dump a complete copy of my password store for printing
> on paper and archiving in my safe, in full text / un-encrypted format.
> I know this may seem a bit risky but I am not a specially interesting
> target, and this will be in my safe anyways.
>
> Is there a way to do that?
>
> For example, I can issue:
>
> pass show
>
> and this shows the full pass tree:
>
> $ pass show
> Password Store
> ├── Github.com
> │   ├── ID
> │   └── pass
> ├── gmail
> │   ├── pass
> │   └── username
>
> Would it be possible to have a command like for example
>
> pass show all
>
> and it would show:
>
> $ pass show all
> Password Store
> ├── Github.com
> │   ├── ID blabla
> │   └── pass blabla2
> ├── gmail
> │   ├── pass blabla3
> │   └── username blabla4
>
> etc?
>
> I think this would be very useful for the 'casual' user who is not
> under much threat. As this reveals a lot of information, I guess this
> command could print a warning and ask for confirmation, something
> like:
>
> $ pass show all
> This is going to decrypt and show all your data, are you sure you want
> to continue? [yes/no]
>
> Cheers,
>
> JR

--
HacKan || Iván
GPG: 0x35710D312FDE468B

From r.bergoin at openium.fr Fri Apr 10 16:35:43 2020
From: r.bergoin at openium.fr (Bergoin Richard)
Date: Fri, 10 Apr 2020 16:35:43 +0200
Subject: Bug : 100% under macOS if /usr/local/bin is not in the PATH
Message-ID: <5E7D6A86-7B13-414A-B9E3-4A8FCB9615AF@openium.fr>

Hi,

First of all, thanks for this simple and easy way to securely share password across our team (and have an inventory of them)

I spotted a bug that makes bash hit 100% cpu

to reproduce this issue :

export PATH=/usr/bin:/bin:/usr/sbin:/sbin
/usr/local/bin/pass ls
/usr/local/bin/pass: line 350: /usr/local/bin/getopt: No such file or directory
# 100 % cpu
Killed: 9

adding a `set -x` points me to :

/usr/local/bin/pass: line 352: /usr/local/bin/getopt: No such file or directory

so I fixed the getopt PATH in src/platform/darwin.sh (as `brew --prefix gnu-getopt` returns : "/usr/local/opt/gnu-getopt", but as brew isn't in the PATH...):

-GETOPT="$(brew --prefix gnu-getopt 2>/dev/null || { which port &>/dev/null && echo /opt/local; } || echo /usr/local)/bin/getopt"
+GETOPT="$(brew --prefix gnu-getopt 2>/dev/null || { which port &>/dev/null && echo /opt/local; } || echo /usr/local/opt/gnu-getopt)/bin/getopt"

Launched `/usr/local/bin/pass ls` again :

/usr/local/bin/pass: line 385: tree: command not found

same issue with gpg not in the PATH:

/usr/local/bin/pass show lists.zx2c4.com/r.bergoin at openium.fr
/usr/local/bin/pass: line 367: gpg: command not found

Fixed by adding a TREE var to password-store.sh, and fixing them by adding in src/platform/darwin.sh :

+GPG="$(which gpg)"
+[[ -z "$TREE" ]] && TREE="/usr/local/bin/gpg"
+TREE="$(which tree)"
+[[ -z "$TREE" ]] && TREE="/usr/local/bin/tree"

Regards

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-infinite-loop-on-darwin.patch
Type: application/octet-stream
Size: 2441 bytes
Desc: not available
URL:
-------------- next part --------------

From jean.rblt at gmail.com Fri Apr 10 17:39:29 2020
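Review bot: in the darwin.sh additions, `+[[ -z "$TREE" ]] && TREE="/usr/local/bin/gpg"` tests and assigns TREE where it should be GPG, so when `which gpg` prints nothing GPG stays empty and TREE is briefly pointed at the gpg binary before the next line overwrites it; it should read `[[ -z "$GPG" ]] && GPG="/usr/local/bin/gpg"`. The first snippet only changes the fallback prefix: when no getopt exists at any of those paths `$GETOPT` is still unusable, and failing early with a clear `die` message on a missing or non-executable `$GETOPT` would be better than reproducing the 100% CPU spin described above.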
From: jean.rblt at gmail.com (J Rt)
Date: Fri, 10 Apr 2020 17:39:29 +0200
Subject: [PATCH bash ordered autocomplete] Order the autocompletion in bash
In-Reply-To:
References: <20200330083431.24522-1-jean.rblt@gmail.com> <20200331171209.z7uyefzwso4sbgll@terminator> <20200407134859.dctgehucjzkv3i3q@terminator>
Message-ID:

What do you think about this? Should this be merged in master or not? I am slightly reluctant to start 'messing up' with IFS in all the codebase, I would be afraid to introduce bugs etc.

On Wed, Apr 8, 2020 at 2:05 PM J Rt wrote:
>
> No worries :) .
>
> I guess that putting local on IFS everywhere may solve the problem,
> but I had been playing a bit around without managing to get it to
> work. Guess I was missing an IFS somewhere.
>
>
> On Tue, Apr 7, 2020 at 3:49 PM Reed Wade wrote:
> >
> > Hello back !
> >
> > Sorry for big delay, Migadu got problems with imap access cause of
> > recent events.
> >
> > > - the version I sent last time works.
> >
> > cool !
> >
> > > - the version with the local var taken away and the "" protection works:
> >
> > cool !
> >
> > > _append_to_compreply () {
> > > local IFS=" "
> > > for word in "$(_sort_entries_string "$1")"; do
> > > COMPREPLY+=($word)
> > > done
> > > }
> > >
> > > - this does not work (with uncommented IFS it works as shown on the
> > > previous point), so I think the IFS var is needed. :
> > >
> > > bla bla bla
> >
> > Aha yup. I just discovered some days ago bash actually uses something
> > called "dynamic scopes". In short, if a var is defined outside of the
> > scope, bash updates this variable value. Except if "local" is used ofc.
> >
> > Is it possible to add "local IFS" where needed ? This will make the
> > _append_to_compreply IFS useless right ?

From jean.rblt at gmail.com Fri Apr 10 19:57:13 2020
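The dynamic-scoping behaviour Reed describes, as an added example that is not code from the patch or from pass: it starts from a newline-only IFS, as the earlier xxd output in this thread showed inside the completion function, and shows why `local IFS` in `_append_to_compreply` fixes the split without touching the caller's IFS. The function and variable names are made up for the demonstration; `set -- $1` stands in for `COMPREPLY+=($word)`, which word-splits an unquoted expansion the same way.

```shell
#!/bin/sh
# Added example, not from the patch: IFS is dynamically scoped in bash (and
# POSIX sh). A function that assigns IFS without `local` changes it for
# every caller up the stack; `local IFS` confines the change to the function
# and the functions it calls, which is all _append_to_compreply needs.

# Splits "$1" into words under the IFS in effect at call time and stores the
# count in WORDS. `set -- $1` is subject to the same word splitting as the
# unquoted $word in COMPREPLY+=($word).
count_words() {
    set -- $1
    WORDS=$#
}

# Hex dump of the current IFS (20 = space, 09 = tab, 0a = newline); od is
# used rather than xxd so the example runs on a minimal system.
ifs_hex() {
    printf '%s' "$IFS" | od -An -tx1 | tr -d ' \n'
}

# The shape of the completion helper without `local`: the split works, but
# IFS stays " " for the caller after the function returns.
append_leaky() {
    IFS=" "
    count_words "$1"
}

# With `local`: count_words still sees IFS=" " (dynamic scope reaches into
# callees), and the caller's IFS is restored on return.
append_scoped() {
    local IFS=" "
    count_words "$1"
}

# run_demo [ENTRIES]: start from a newline-only IFS, as the completion
# function runs with, and record what each variant does. Results are left in
# N_NEWLINE_IFS, N_SCOPED, IFS_AFTER_SCOPED, N_LEAKY and IFS_AFTER_LEAKY.
run_demo() {
    entries=${1:-"Email/zx2c4.com Email/donenfeld.com Business/site.com"}
    IFS='
'
    count_words "$entries";   N_NEWLINE_IFS=$WORDS   # 1: nothing to split on
    append_scoped "$entries"; N_SCOPED=$WORDS        # 3
    IFS_AFTER_SCOPED=$(ifs_hex)                      # 0a: caller's IFS intact
    append_leaky "$entries";  N_LEAKY=$WORDS         # 3
    IFS_AFTER_LEAKY=$(ifs_hex)                       # 20: caller's IFS clobbered
    unset IFS                                        # back to the shell default
    printf 'newline IFS: %s word(s); local IFS: %s words, IFS after %s; bare IFS: %s words, IFS after %s\n' \
        "$N_NEWLINE_IFS" "$N_SCOPED" "$IFS_AFTER_SCOPED" "$N_LEAKY" "$IFS_AFTER_LEAKY"
}
```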
From: jean.rblt at gmail.com (J Rt)
Date: Fri, 10 Apr 2020 19:57:13 +0200
Subject: dump all content
In-Reply-To: <3b732976-4fde-bd50-d494-1c772a7c2def@gmail.com>
References: <3b732976-4fde-bd50-d494-1c772a7c2def@gmail.com>
Message-ID:

Ok, so we have basically 2 options so far if I understand correctly:

1)

$ pass grep .

and probably some $ pass grep . > SOME_FILE and then print SOME_FILE if one wants to print it out.

This works perfectly. The format is a bit different, but this is no worries at all. I suppose pass grep . is safe 'by design' as it goes straight into terminal (?). Then people may do whatever they want with this, including dumping to a file on permanent storage for printing unfortunately which may be unsafe. So for somebody wanting to print the passwords, that may be easy but also quite unsafe especially if the home folder is not encrypted, right?

2)

the script provided, that should create a tmpfs storage for safety. I have a problem with this on my machine to get it to work as is as my tmp is not a tmpfs, but I could of course fix it. It looks a bit redundant with the grep . on several aspects though.

Therefore, it seems that there is no real satisfactory solution at the moment that makes it easy for the user to take 'safe' choices if they want to dump to a file the passwords for printing, right?

Would it then be a good idea maybe to create a new command to dump to file? Something that would 1) create a new tmpfs partition 2) dump there 3) delete automatically the partition after a while to make sure it disappears? What about something like (this may be bad / very naive, feedback welcome):

$ pass dump

doing something in this kind:

mkdir /tmp/password-store-dump
sudo mount -t tmpfs -o size=128m tmpfs /tmp/password-store-dump
pass grep . > /tmp/password-store-dump/dump.txt
echo "dump available at: /tmp/password-store-dump/dump.txt; will be cleaned in 15 minutes"
(sleep 900; sudo umount -l /tmp/password-store-dump) &

Would it be reasonable to provide a function in this kind to the user? Then would it be safe to just open the file and print it (of course the user still needs to remember to reset / clean the printers memory, but this is another story)?

From hackan at gmail.com Sat Apr 11 22:18:07 2020
From: hackan at gmail.com (HacKan) Date: Sat, 11 Apr 2020 17:18:07 -0300 Subject: dump all content In-Reply-To: References: <3b732976-4fde-bd50-d494-1c772a7c2def@gmail.com> Message-ID: <17fccc80-7fe4-4eeb-53c6-b3508e3f3444@gmail.com> Well, printing plaintext is the definition of not secure... However, it's not too hard to create a plugin/add-on/script for this. One would argue that you could print b64 encoded encrypted password ("armored" in gpg terminology). And then recover them using OCR, but I wouldn't trust such thing as a good backup. All in all, I would go for creating the plugin for pass dump as you said. Cheers! On 4/10/20 2:57 PM, J Rt wrote: > Ok, so we have basically 2 options so far if I understand correctly: > > 1) > > $ pass grep . > > and probably some $ pass grep . > SOME_FILE and then print SOME_FILE > if one wants to print it out. > > This works perfectly. The format is a bit different, but this is no > worries at all. I suppose pass grep . is safe 'by design' as it goes > straight into terminal (?). Then people may do whatever they want with > this, including dumping to a file on permanent storage for printing > unfortunately which may be unsafe. So for somebody wanting to print > the passwords, that may be easy but also quite unsafe especially if > the home folder is not encrypted, right? > > 2) > > the script provided, that should create a tmpfs storage for safety. I > have a problem with this on my machine to get it to work as is as my > tmp is not a tmpfs, but I could of course fix it. It looks a bit > redundant with the grep . on several aspects though. > > Therefore, it seems that there is not real satisfactory solution at > the moment that make it easy for the user to take 'safe' choices if > they want to dump to a file the passwords for printing, right? > > Would it then be a good idea maybe to create a new command to dump to > file? 
> Something that would 1) create a new tmpfs partition 2) dump
> there 3) delete automatically the partition after a while to make sure
> it disappears? What about something like (this may be bad / very
> naive, feedback welcome):
>
> $ pass dump
>
> doing something in this kind:
>
> mkdir /tmp/password-store-dump
> sudo mount -t tmpfs -o size=128m tmpfs /tmp/password-store-dump
> pass grep . > /tmp/password-store-dump/dump.txt
> echo "dump available at: /tmp/password-store-dump/dump.txt; will be
> cleaned in 15 minutes"
> (sleep 900; sudo umount -l /tmp/password-store-dump) &
>
> Would it be reasonable to provide a function in this kind to the user?
> Then would it be safe to just open the file and print it (of course
> the user still needs to remember to reset / clean the printers memory,
> but this is another story)?

--
HacKan || Iván
GPG: 0x35710D312FDE468B

From vnctdj at laposte.net Mon Apr 13 10:29:40 2020
From: vnctdj at laposte.net (vnctdj)
Date: Mon, 13 Apr 2020 10:29:40 +0200
Subject: [PATCH] Use GPG_OPTS when verifying .gpg-id signature
Message-ID: <20200413082940.12839-1-vnctdj@laposte.net>

I use a pass-specific gpg home directory. I tell pass about it by using PASSWORD_STORE_GPG_OPTS="--homedir dir". I also tell pass to sign files with PASSWORD_STORE_SIGNING_KEY. However "pass init" returns "Signing of .gpg_id unsuccessful." because we forgot to hand it GPG_OPTS. This patch fixes that oversight. Also fixes a typo in two related error messages.
---
 src/password-store.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/password-store.sh b/src/password-store.sh
index 77f3eda..56903f0 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -352,9 +352,9 @@ cmd_init() { for key in $PASSWORD_STORE_SIGNING_KEY; do signing_keys+=( --default-key $key ) done - $GPG "${GPG_OPTS[@]}" "${signing_keys[@]}" --detach-sign "$gpg_id" || die "Could not sign .gpg_id." - key="$($GPG --verify --status-fd=1 "$gpg_id.sig" "$gpg_id" 2>/dev/null | sed -n 's/^\[GNUPG:\] VALIDSIG [A-F0-9]\{40\} .* \([A-F0-9]\{40\}\)$/\1/p')" - [[ -n $key ]] || die "Signing of .gpg_id unsuccessful." + $GPG "${GPG_OPTS[@]}" "${signing_keys[@]}" --detach-sign "$gpg_id" || die "Could not sign $gpg_id." + key="$($GPG "${GPG_OPTS[@]}" --verify --status-fd=1 "$gpg_id.sig" "$gpg_id" 2>/dev/null | sed -n 's/^\[GNUPG:\] VALIDSIG [A-F0-9]\{40\} .* \([A-F0-9]\{40\}\)$/\1/p')" + [[ -n $key ]] || die "Signing of $gpg_id unsuccessful." git_add_file "$gpg_id.sig" "Signing new GPG id with ${key//[$IFS]/,}." fi fi -- 2.24.0 From hackan at gmail.com Mon Apr 13 20:37:08 2020 
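Review bot: the new `die "Signing of $gpg_id unsuccessful."` is reached when the `--verify` call, not the signing, yields no VALIDSIG line, and with a custom `--homedir` that is exactly the case where the signing key's public part is absent from that keyring; wording it as a verification failure (e.g. `die "Could not verify signature on $gpg_id."`) points the user at the right problem. Passing `"${GPG_OPTS[@]}"` to `--verify` is the correct fix and now matches the `--detach-sign` call on the line above it.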
From: hackan at gmail.com (HacKan)
Date: Mon, 13 Apr 2020 15:37:08 -0300
Subject: dump all content
In-Reply-To:
References: <3b732976-4fde-bd50-d494-1c772a7c2def@gmail.com> <17fccc80-7fe4-4eeb-53c6-b3508e3f3444@gmail.com>
Message-ID:

If you print them, make sure to use an ink printer! Laser lasts way less time. If you store an ink printed paper as QR code (which even has data redundancy) in some sort of folder or plastic content safe from heat and moisture, it should last for decades. How long is of course unknown.

Cryptocurrency people do several things like this to store secret keys, like printing and plasticizing it or even engraving in metal (won't do for GPG encrypted content, even using ED would yield a very long ciphertext). But all of this means you never rotate your passwords, which is also not good :P

I usually rotate all of my passwords every year or every other year at most. So old backups won't matter to me. This is just saying as an example that each one of us has different needs and wants so there's no single fit-all solution.

As you stated, QR seems a good solution for your needs and perhaps using it might let you keep your data encrypted. Otherwise, printing plaintext and storing it in a bank safe or so could be OK too.

Cheers!

On 4/12/20 5:30 AM, J Rt wrote:
> Ok, thanks.
>
> I am not really sure that it is so bad. Like, if I use a RPi off
> network for nothing but 'high security' use, and I connect it to a USB
> printer and archive the printed passwords in a safe, I guess this is
> quite ok. The problem is, I need a form of reliable backup for my
> passwords, and I think that paper is still best.
>
> Another solution would be to dump to paper the full password-store and
> encrypted gpg key. That comes with some challenges (starts to be quite
> large files, how to load it back in the computer?). I have started to
I have started to > work on a small tool for this (qrdump, for dumping a few 10s to 100s > of kB as a series of qr codes, if you are > interested:?https://github.com/jerabaul29/qrdump ), but still, is > there any guarantees that I will be able to scan and assemble this > back in 10 years? I don't know. By contrast the paper dump of raw > passwords should be ok in all cases. > > l?r. 11. apr. 2020, 22:18 skrev HacKan >: > > Well, printing plaintext is the definition of not secure... However, > it's not too hard to create a plugin/add-on/script for this. > > One would argue that you could print b64 encoded encrypted password > ("armored" in gpg terminology). And then recover them using OCR, but I > wouldn't trust such thing as a good backup. > > All in all, I would go for creating the plugin for pass dump as > you said. > > Cheers! > > On 4/10/20 2:57 PM, J Rt wrote: > > Ok, so we have basically 2 options so far if I understand correctly: > > > > 1) > > > > $ pass grep . > > > > and probably some $ pass grep . > SOME_FILE and then print SOME_FILE > > if one wants to print it out. > > > > This works perfectly. The format is a bit different, but this is no > > worries at all. I suppose pass grep . is safe 'by design' as it goes > > straight into terminal (?). Then people may do whatever they > want with > > this, including dumping to a file on permanent storage for printing > > unfortunately which may be unsafe. So for somebody wanting to print > > the passwords, that may be easy but also quite unsafe especially if > > the home folder is not encrypted, right? > > > > 2) > > > > the script provided, that should create a tmpfs storage for > safety. I > > have a problem with this on my machine to get it to work as is as my > > tmp is not a tmpfs, but I could of course fix it. It looks a bit > > redundant with the grep . on several aspects though. 
> >
> > Therefore, it seems that there is no real satisfactory solution at
> > the moment that makes it easy for the user to take 'safe' choices if
> > they want to dump to a file the passwords for printing, right?
> >
> > Would it then be a good idea maybe to create a new command to dump to
> > file? Something that would 1) create a new tmpfs partition 2) dump
> > there 3) delete automatically the partition after a while to make sure
> > it disappears? What about something like (this may be bad / very
> > naive, feedback welcome):
> >
> > $ pass dump
> >
> > doing something in this kind:
> >
> > mkdir /tmp/password-store-dump
> > sudo mount -t tmpfs -o size=128m tmpfs /tmp/password-store-dump
> > pass grep . > /tmp/password-store-dump/dump.txt
> > echo "dump available at: /tmp/password-store-dump/dump.txt; will be
> > cleaned in 15 minutes"
> > (sleep 900; sudo umount -l /tmp/password-store-dump) &
> >
> > Would it be reasonable to provide a function in this kind to the user?
> > Then would it be safe to just open the file and print it (of course
> > the user still needs to remember to reset / clean the printers memory,
> > but this is another story)?
>
> --
> HacKan || Iván
> GPG: 0x35710D312FDE468B
>
>

--
HacKan || Iván
GPG: 0x35710D312FDE468B

From michal.klempa at gmail.com Tue Apr 14 18:20:07 2020
From: michal.klempa at gmail.com (Michal Klempa) Date: Tue, 14 Apr 2020 18:20:07 +0200 Subject: [PATCH] Adding command match - list matching passwords and as if print Message-ID: <20200414162006.1424-1-michal.klempa@gmail.com> Hello, I was wondering if command searching through passwords in store and immediately asking whether to print desired password would be useful. Tried a little and I came with small code as a draft for discussion and proposal. The idea is to provide pass match .com which would ask for each password matching (just like in find/search), whether to print. Example output: Search Terms: .com Business/some-silly-business-site.com [y/N]: Email/donenfeld.com [y/N]: y sup3rh4x3rizmynam3 Email/zx2c4.com [y/N]: n works with current dependencies (find, tree, sh). Based on grep code. I am aware that complete fix would probably require to do some adjustments: - clip and qrencode for matching password - testing on other platforms - de-duplication of code So take this as a start for discussion, if something like this would find its users, we can together work out, how to provide also clip/qrencode without duplicating the code. Best regards, Michal --- man/pass.1 | 22 ++++++++++++++++++++++ src/password-store.sh | 23 +++++++++++++++++++++++ 2 files changed, 45 insertions(+) diff --git a/man/pass.1 b/man/pass.1 index a555dcb..cda6acc 100644 --- a/man/pass.1 +++ b/man/pass.1 
@@ -94,6 +94,11 @@ List names of passwords inside the tree that match \fIpass-names\fP by using the .BR tree (1) program. This command is alternatively named \fBsearch\fP. .TP +\fBmatch\fP \fIpass-names\fP... +Like in \fBfind\fP goes through names of passwords inside the tree that match \fIpass-names\fP by using the +.BR find (1) +program. For each matched password, user is asked whether to decrypt and print the password. +.TP \fBshow\fP [ \fI--clip\fP[=\fIline-number\fP], \fI-c\fP[\fIline-number\fP] ] [ \fI--qrcode\fP[=\fIline-number\fP], \fI-q\fP[\fIline-number\fP] ] \fIpass-name\fP Decrypt and print a password named \fIpass-name\fP. If \fI--clip\fP or \fI-c\fP is specified, do not print the password but instead copy the first (or otherwise specified) @@ -238,6 +243,23 @@ Search Terms: .com .br Alternatively, "\fBpass search .com\fP". .TP +Loop through all passwords matching .com in store and ask if they should be printed +.B zx2c4 at laptop ~ $ pass match .com +.br +Search Terms: .com +.br +Business/some-silly-business-site.com [y/N]: +.br +Email/donenfeld.com [y/N]: y +.br +sup3rh4x3rizmynam3 +.br +Email/zx2c4.com [y/N]: n +.br + +.br +Notice that loop continues with next matching password, even if user requested print. +.TP Show existing password .B zx2c4 at laptop ~ $ pass Email/zx2c4.com .br diff --git a/src/password-store.sh b/src/password-store.sh index 77f3eda..6ccfb85 100755 --- a/src/password-store.sh +++ b/src/password-store.sh 
@@ -415,6 +415,28 @@ cmd_find() { tree -C -l --noreport -P "${terms%|*}" --prune --matchdirs --ignore-case "$PREFIX" | tail -n +2 | sed -E 's/\.gpg(\x1B\[[0-9]+m)?( ->|$)/\1\2/g' } +cmd_match() { + [[ $# -eq 0 ]] && die "Usage: $PROGRAM $COMMAND pass-name" + IFS="," eval 'echo "Search Terms: $*"' + local terms="*$(printf '%s*|*' "$@")" + local passfile passfile_orig results + while read -r -d "" passfile_orig; do + [[ $? -ne 0 ]] && continue + passfile="${passfile_orig%.gpg}" + passfile="${passfile#$PREFIX/}" + local passfile_dir="${passfile%/*}/" + [[ $passfile_dir == "${passfile}/" ]] && passfile_dir="" + passfile="${passfile##*/}" + printf "\e[94m%s\e[1m%s\e[0m [y/N]:" "$passfile_dir" "$passfile" + read -r response References: <20200414162006.1424-1-michal.klempa@gmail.com> Message-ID: <20200414171515.GA22521@girst.at> On Tue, Apr 14, 2020 at 06:20:07PM +0200, Michal Klempa wrote: >I was wondering if command searching through passwords in store and >immediately asking whether to print desired password would be useful. >Tried a little and I came with small code as a draft for discussion and >proposal. In my opinion, this doesn't feel like a proper pass/UNIX behaviour, with it asking for user input repeatedly. There has been the proposal in the past to make pass find show complete paths [1], which would allow you to put it into primary selection and pasting it very easily, but I remember this not going anywhere. That said, I'm following this mail up with such a patch. [1]: either based on find(1), or using something like `tree -Ffi | grep -v '/$'` From t-passwd at girst.at Tue Apr 14 19:24:24 2020 
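Review bot: in the man/pass.1 hunk at @@ -94, the new entry `Like in \fBfind\fP goes through names of passwords inside the tree` has no subject; suggest `Like \fBfind\fP, searches the names of passwords inside the tree that match \fIpass-names\fP` and `the user is asked whether to decrypt and print it`. The entry documents `.BR find (1)` as the tool while the \fBfind\fP entry directly above it documents \fBtree\fP(1), so the two commands will format matches differently; one sentence saying so would save a reader from expecting the tree layout here.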
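Review bot: in the man/pass.1 hunk at @@ -238, `Notice that loop continues with next matching password, even if user requested print.` is missing its articles and reads awkwardly; suggest `Note that the loop continues with the next matching password even after one has been printed.` The example block itself matches the cover letter's output, which is good.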
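Review bot: in the cmd_match() hunk, `[[ $? -ne 0 ]] && continue` directly after `while read -r -d "" passfile_orig; do` is dead code: the loop body only runs when read succeeded, so `$?` is always 0 there. More importantly, `read -r response` reads from the same stdin as the loop; if the file names are fed with `done < <(find ...)` as cmd_grep() does, the y/N prompt will consume the next file name from that stream instead of the user's answer. Read the reply from the terminal (`read -r response </dev/tty`) or put the file list on its own descriptor (`while read -r -d "" passfile_orig <&3; ...; done 3< <(find ...)`). The usage string `Usage: $PROGRAM $COMMAND pass-name` also disagrees with the man page's `\fIpass-names\fP...`, and the `[y/N]:` prompt wants a trailing space before the cursor.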
From: t-passwd at girst.at (Tobias Girstmair) Date: Tue, 14 Apr 2020 19:24:24 +0200 Subject: [PATCH] --fullpath option for find subcommand Message-ID: <20200414172424.GA31655@girst.at> --- I know that this has been discussed in the past; apologies if it's inappropriate to bring it up again. I believe this patch is an improvement over previous iterations, as it does not duplicate the call to tree (or introduce a call to find). I'm not sure if $PREFIX should be escaped (how?) in the regular expression -- open for ideas. src/password-store.sh | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/password-store.sh b/src/password-store.sh index 77f3eda..ce8e14d 100755 --- a/src/password-store.sh +++ b/src/password-store.sh @@ -409,10 +409,19 @@ cmd_show() { } cmd_find() { - [[ $# -eq 0 ]] && die "Usage: $PROGRAM $COMMAND pass-names..." + local opts extra_args="" + opts="$($GETOPT -o f -l fullpath -n "$PROGRAM" -- "$@")" + local err=$? + eval set -- "$opts" + while true; do case $1 in + -f|--fullpath) extra_args="$extra_args -Ffi"; shift ;; + --) shift; break ;; + esac done + + [[ $err -ne 0 || $# -eq 0 ]] && die "Usage: $PROGRAM $COMMAND [--fullpath,-f] pass-names..." IFS="," eval 'echo "Search Terms: $*"' local terms="*$(printf '%s*|*' "$@")" - tree -C -l --noreport -P "${terms%|*}" --prune --matchdirs --ignore-case "$PREFIX" | tail -n +2 | sed -E 's/\.gpg(\x1B\[[0-9]+m)?( ->|$)/\1\2/g' + tree -C -l --noreport -P "${terms%|*}" --prune --matchdirs --ignore-case $extra_args "$PREFIX" | tail -n +2 | sed -E -e 's/\.gpg(\x1B\[[0-9]+m)?( ->|$)/\1\2/g' -e "s@^$PREFIX/?@@" -e '/\/$/d' } cmd_grep() { -- 2.21.1 From michal.klempa at gmail.com Tue Apr 14 20:24:07 2020 
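Review bot: `-e "s@^$PREFIX/?@@"` drops $PREFIX into a sed regex unescaped, which is the open question from the cover text: a store path containing `@`, `.`, `*`, `[` or `+` either breaks the expression or strips the wrong prefix. Rather than escaping it, consider dropping `-F` and the `-e '/\/$/d'` filter: pass entries always end in `.gpg` and directories never do, so with `-fi` alone, deleting lines that do not match `\.gpg(\x1B\[[0-9]+m)?( ->|$)` before the existing substitution removes directories without needing indicator suffixes (`-F` can also append markers such as `*` or `@` that the `.gpg` pattern would then miss). The prefix can then be stripped without a regex, e.g. with `${line#"$PREFIX/"}` in a `while read` loop. Capturing `$err` before `eval set -- "$opts"` follows cmd_show(), so the option parsing is fine.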
From: michal.klempa at gmail.com (Michal Klempa)
Date: Tue, 14 Apr 2020 20:24:07 +0200
Subject: [PATCH] Adding command match - list matching passwords and as if print
In-Reply-To: <20200414171515.GA22521@girst.at>
References: <20200414162006.1424-1-michal.klempa@gmail.com> <20200414171515.GA22521@girst.at>
Message-ID: <32248756-a4c5-439d-ace2-5d3e2a555d70@gmail.com>

Well, I am not a fan of asking user, too. Other thing that came in to my mind when designing was:
- if there is exactly one password matching, decrypt
- otherwise print all matches and exit.

That would not need any new 'sub-command'. It would be alteration of find command. What I did not want to do, is decrypting everything. Also the aim is - to provide password faster, if user knows what to search for.

On Tuesday 14 April 2020 19:15:15 CEST, Tobias Girstmair wrote:
> On Tue, Apr 14, 2020 at 06:20:07PM +0200, Michal Klempa wrote:
>> I was wondering if command searching through passwords in
>> store and immediately asking whether to print desired password
>> would be useful. Tried a little and I came with small code as a
>> draft for discussion and proposal.
>
> In my opinion, this doesn't feel like a proper pass/UNIX
> behaviour, with it asking for user input repeatedly. There has
> been the proposal in the past to make pass find show complete
> paths [1], which would allow you to put it into primary
> selection and pasting it very easily, but I remember this not
> going anywhere. That said, I'm following this mail up with such
> a patch.
>
> [1]: either based on find(1), or using something like `tree
> -Ffi | grep -v '/$'`
>
>

From nils at nilsand.re Tue Apr 14 20:28:17 2020
From: nils at nilsand.re (Nils Andre) Date: Tue, 14 Apr 2020 19:28:17 +0100 Subject: [PATCH] --fullpath option for find subcommand In-Reply-To: <20200414172424.GA31655@girst.at> References: <20200414172424.GA31655@girst.at> Message-ID: <20200414182817.nq7mgm6thfapvunp@nixos> On Tue, Apr 14, 2020 at 07:24:24PM +0200, Tobias Girstmair wrote: > - [[ $# -eq 0 ]] && die "Usage: $PROGRAM $COMMAND pass-names..." > + local opts extra_args="" > + opts="$($GETOPT -o f -l fullpath -n "$PROGRAM" -- "$@")" > + local err=$? > + eval set -- "$opts" > + while true; do case $1 in > + -f|--fullpath) extra_args="$extra_args -Ffi"; shift ;; > + --) shift; break ;; > + esac done I think it would be best to have cmd_find as a wrapper around tree similarly to how it works with git rather than like this where we translate `-f|--fullpath` to something else. > - tree -C -l --noreport -P "${terms%|*}" --prune --matchdirs --ignore-case "$PREFIX" | tail -n +2 | sed -E 's/\.gpg(\x1B\[[0-9]+m)?( ->|$)/\1\2/g' > + tree -C -l --noreport -P "${terms%|*}" --prune --matchdirs --ignore-case $extra_args "$PREFIX" | tail -n +2 | sed -E -e 's/\.gpg(\x1B\[[0-9]+m)?( ->|$)/\1\2/g' -e "s@^$PREFIX/?@@" -e '/\/$/d' `-P` and `-I` (passed to tree) could maybe be used instead, to filter. From t-passwd at girst.at Tue Apr 14 20:57:30 2020 
From: t-passwd at girst.at (Tobias Girstmair)
Date: Tue, 14 Apr 2020 20:57:30 +0200
Subject: [PATCH] --fullpath option for find subcommand
In-Reply-To: <20200414182817.nq7mgm6thfapvunp@nixos>
References: <20200414172424.GA31655@girst.at> <20200414182817.nq7mgm6thfapvunp@nixos>
Message-ID: <20200414185730.GA20565@girst.at>

On Tue, Apr 14, 2020 at 07:28:17PM +0100, Nils Andre wrote:
>I think it would be best to have cmd_find as a wrapper around tree
>similarly to how it works with git rather than like this where we
>translate `-f|--fullpath` to something else.

I'm not sure what you mean. like pass all the flags right through to tree(1)? That would probably also mean removing the specialized sed expressions. This would then require the user to add a `|grep -v '/$'`

> `-P` and `-I` (passed to tree) could maybe be used instead, to filter.

I tried `-I '*/'` (and various variations), but to no avail

From me at cosmoborsky.com Thu Apr 16 05:52:31 2020
From: me at cosmoborsky.com (Cosmo Borsky)
Date: Wed, 15 Apr 2020 23:52:31 -0400
Subject: Next release?
Message-ID:

Hope all is well across the list given the current pandemic.

That being said,

> Not a bad idea. It's probably time I collect the best ideas from the
> mailing list and churn one out. I'm traveling for the next two weeks. If
> this slides by and I miss it coming back, please don't hesitate to poke
> me again.

Poke

Feel free to ask for help implementing ideas or reviewing patches to make it into the next `pass` version.

https://lists.zx2c4.com/pipermail/password-store/2020-February/003931.html

From anka.213 at gmail.com Sat Apr 18 18:50:07 2020
From: anka.213 at gmail.com (Andreas Källberg)
Date: Sat, 18 Apr 2020 18:50:07 +0200
Subject: [PATCH] clip: sleep may require argv[0] to be sleep on darwin and cygwin too
Message-ID: <20200418165007.41844-1-anka.213@gmail.com>
From: Andreas K?llberg This is the patch b08781e2a6e183986eb1c24f51cdeff879b7a6af applied to the darwin and cygwin platforms. I ran into this bug after installing gnu corutils on my mac. It silently failed to copy without any error message. --- src/platform/cygwin.sh | 2 +- src/platform/darwin.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/platform/cygwin.sh b/src/platform/cygwin.sh index 5a8d5ea..5859d24 100644 --- a/src/platform/cygwin.sh +++ b/src/platform/cygwin.sh @@ -7,7 +7,7 @@ clip() { local before="$($BASE64 < /dev/clipboard)" echo -n "$1" > /dev/clipboard ( - ( exec -a "$sleep_argv0" sleep "$CLIP_TIME" ) + ( exec -a "$sleep_argv0" bash <<<"trap 'kill %1' TERM; sleep '$CLIP_TIME' & wait" ) local now="$($BASE64 < /dev/clipboard)" [[ $now != $(echo -n "$1" | $BASE64) ]] && before="$now" echo "$before" | $BASE64 -d > /dev/clipboard diff --git a/src/platform/darwin.sh b/src/platform/darwin.sh index 342ecce..6b1412a 100644 --- a/src/platform/darwin.sh +++ b/src/platform/darwin.sh @@ -7,7 +7,7 @@ clip() { local before="$(pbpaste | $BASE64)" echo -n "$1" | pbcopy ( - ( exec -a "$sleep_argv0" sleep "$CLIP_TIME" ) + ( exec -a "$sleep_argv0" bash <<<"trap 'kill %1' TERM; sleep '$CLIP_TIME' & wait" ) local now="$(pbpaste | $BASE64)" [[ $now != $(echo -n "$1" | $BASE64) ]] && before="$now" echo "$before" | $BASE64 -d | pbcopy -- 2.23.0 From filippo at ml.filippo.io Mon Apr 20 01:05:24 2020 
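Review bot: in the src/platform/cygwin.sh hunk, `$CLIP_TIME` is expanded by the outer shell into the here-string that the inner `bash` then evaluates as code, protected only by the single quotes in `sleep '$CLIP_TIME'`; a value containing a single quote ends the quoting and whatever follows is executed. Passing it as a positional argument keeps it out of the code string, e.g. `( exec -a "$sleep_argv0" bash -c 'trap "kill %1" TERM; sleep "$1" & wait' bash "$CLIP_TIME" )`, or validate that it is a plain number before the call.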
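Review bot: the src/platform/darwin.sh hunk introduces a character-for-character copy of the cygwin.sh line (and, per the commit message, of the line from commit b08781e2a6e183986eb1c24f51cdeff879b7a6af), so the `trap 'kill %1' TERM; sleep ... & wait` idiom now lives in three platform files and any later fix has to be repeated in each. A single shared helper in the common code that every platform's `clip()` calls (say `clip_sleep`; the name is only a suggestion) would avoid the drift.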
From: filippo at ml.filippo.io (Filippo Valsorda)
Date: Sun, 19 Apr 2020 19:05:24 -0400
Subject: [PATCH] Two macOS UX improvements
Message-ID:

Two simple patches: one drops using ImageMagick to show the QR, as that involves XQuartz and the UTF-8 QRs work great, and the other shaves more than 2s (!!) from every invocation by not running "brew --prefix" if the prefix is the default one.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-platform-darwin-drop-using-display-to-show-QR-codes.patch
Type: application/octet-stream
Size: 1192 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-platform-darwin-don-t-invoke-brew-for-the-default-pr.patch
Type: application/octet-stream
Size: 1132 bytes
Desc: not available
URL:

From Jason at zx2c4.com Mon Apr 20 07:37:18 2020
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Sun, 19 Apr 2020 23:37:18 -0600
Subject: [PATCH] Two macOS UX improvements
In-Reply-To:
References:
Message-ID:

Applied, thanks.
-Jason

From richard.towers at digital.cabinet-office.gov.uk Fri Apr 24 18:27:32 2020
From: richard.towers at digital.cabinet-office.gov.uk (Richard Towers)
Date: Fri, 24 Apr 2020 17:27:32 +0100
Subject: [PATCH] Allow comments in .gpg-id
Message-ID:

Hi list,

I wanted to add a +1 for Kjetil's proposed patch to handle comments in .gpg-id [0]

We're using passwordstore to manage a keyring with 45 people in, and having trailing comments makes the file much easier to track in version control. So much so that we've ended up committing .gpg-id files with comments, and then written some horrible scripts to work around the fact that they trip passwordstore up.

What do people think about merging the patch? (Attached again for convenience)

Thanks,
Richard

[0] - https://lists.zx2c4.com/pipermail/password-store/2019-December/003842.html

From richard.towers at digital.cabinet-office.gov.uk Fri Apr 24 18:31:33 2020
From: richard.towers at digital.cabinet-office.gov.uk (Richard Towers)
Date: Fri, 24 Apr 2020 17:31:33 +0100
Subject: [PATCH] Allow comments in .gpg-id
In-Reply-To:
References:
Message-ID:

This time with the patch attached.

On Fri, 24 Apr 2020 at 17:27, Richard Towers wrote:
>
> Hi list,
>
> I wanted to add a +1 for Kjetil's proposed patch to handle comments in
> .gpg-id [0]
>
> We're using passwordstore to manage a keyring with 45 people in, and
> having trailing comments makes the file much easier to track in
> version control. So much so that we've ended up committing .gpg-id
> files with comments, and then written some horrible scripts to work
> around the fact that they trip passwordstore up.
>
> What do people think about merging the patch? (Attached again for convenience)
>
> Thanks,
> Richard
>
> [0] - https://lists.zx2c4.com/pipermail/password-store/2019-December/003842.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: passwordstore-comments.patch
Type: application/octet-stream
Size: 363 bytes
Desc: not available
URL:

From richard.towers at digital.cabinet-office.gov.uk Fri Apr 24 18:34:44 2020
From: richard.towers at digital.cabinet-office.gov.uk (Richard Towers)
Date: Fri, 24 Apr 2020 17:34:44 +0100
Subject: [PATCH] Allow comments in .gpg-id
In-Reply-To:
References:
Message-ID:

On Fri, 24 Apr 2020 at 17:31, Richard Towers wrote:
>
> This time with the patch attached.
>
> On Fri, 24 Apr 2020 at 17:27, Richard Towers
> wrote:
> >
> > Hi list,
> >
> > I wanted to add a +1 for Kjetil's proposed patch to handle comments in
> > .gpg-id [0]
> >
> > We're using passwordstore to manage a keyring with 45 people in, and
> > having trailing comments makes the file much easier to track in
> > version control. So much so that we've ended up committing .gpg-id
> > files with comments, and then written some horrible scripts to work
> > around the fact that they trip passwordstore up.
> >
> > What do people think about merging the patch? (Attached again for convenience)
> >
> > Thanks,
> > Richard
> >
> > [0] - https://lists.zx2c4.com/pipermail/password-store/2019-December/003842.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Strip-trailing-comments-from-.gpg-id-lines.patch
Type: application/octet-stream
Size: 681 bytes
Desc: not available
URL:

From hackan at gmail.com Fri Apr 24 21:29:09 2020
From: hackan at gmail.com (HacKan)
Date: Fri, 24 Apr 2020 16:29:09 -0300
Subject: [PATCH] Allow comments in .gpg-id
In-Reply-To:
References:
Message-ID:

Looks like a neat patch and a good idea :)

On 4/24/20 1:34 PM, Richard Towers wrote:
> On Fri, 24 Apr 2020 at 17:31, Richard Towers
> wrote:
>> This time with the patch attached.
>>
>> On Fri, 24 Apr 2020 at 17:27, Richard Towers
>> wrote:
>>> Hi list,
>>>
>>> I wanted to add a +1 for Kjetil's proposed patch to handle comments in
>>> .gpg-id [0]
>>>
>>> We're using passwordstore to manage a keyring with 45 people in, and
>>> having trailing comments makes the file much easier to track in
>>> version control. So much so that we've ended up committing .gpg-id
>>> files with comments, and then written some horrible scripts to work
>>> around the fact that they trip passwordstore up.
>>>
>>> What do people think about merging the patch? (Attached again for convenience)
>>>
>>> Thanks,
>>> Richard
>>>
>>> [0] - https://lists.zx2c4.com/pipermail/password-store/2019-December/003842.html

-- 
HacKan || Iván
GPG: 0x35710D312FDE468B

From a at ajgrf.com Tue Apr 28 20:52:11 2020
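The thread above asks for trailing comments in .gpg-id so the recipient list stays readable in version control. As an added example that is not part of the attached patch or of pass itself, here is one way to read such a file so that whole-line and trailing `# ...` comments, surrounding whitespace and blank lines are ignored while the IDs themselves pass through untouched. The sample file contents (including the fingerprints) are constructed for the example, and the names `read_gpg_ids` and `gpg_ids_from_string` are mine.

```shell
#!/bin/sh
# Added example, not pass's own code: read .gpg-id lines from stdin and print
# one recipient ID per line, ignoring comments, blank lines and whitespace.
# A '#' starts a comment only at the start of a line or after whitespace, so
# an ID that itself contains '#' (unusual, but legal in a user ID) is kept.

read_gpg_ids() {
    while IFS= read -r line || [ -n "$line" ]; do
        # strip leading whitespace: drop the longest suffix that starts with a
        # non-blank character, then remove what is left from the front
        id=${line#"${line%%[![:space:]]*}"}
        # nothing left, or a whole-line comment: no recipient on this line
        case $id in
            ''|'#'*) continue ;;
        esac
        # cut a trailing comment at the first whitespace-'#' pair
        # (%% removes the longest suffix matching the pattern)
        id=${id%%[[:space:]]#*}
        # strip the whitespace that preceded the comment
        id=${id%"${id##*[![:space:]]}"}
        printf '%s\n' "$id"
    done
}

# Convenience wrapper: IDs from a string rather than a file on stdin.
gpg_ids_from_string() {
    printf '%s\n' "$1" | read_gpg_ids
}

# Constructed sample .gpg-id contents (fingerprints are made up), with a
# trailing comment, a whole-line comment, a tab-indented line, an e-mail
# recipient and a blank line.
TAB=$(printf '\t')
SAMPLE_GPG_ID="0123456789ABCDEF0123456789ABCDEF01234567   # alice, laptop
# Bob's key, added 2020-04
${TAB}FEDCBA9876543210FEDCBA9876543210FEDCBA98 #bob
carol@example.org

"

# Usage: gpg_ids_from_string "$SAMPLE_GPG_ID"
#   or:  read_gpg_ids < "$PREFIX/.gpg-id"
gpg_ids_from_string "$SAMPLE_GPG_ID"
```

Each printed line is then a single `--recipient` argument for gpg; because the comment cut requires whitespace before the `#`, a line such as `key#1 <k@example.org>  # note` yields `key#1 <k@example.org>`, and an indented whole-line comment yields nothing.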
From: a at ajgrf.com (Alex Griffin) Date: Tue, 28 Apr 2020 18:52:11 +0000 Subject: [PATCH] emacs: Fix asynchronous get operations Message-ID: <-4wFmpWG-YseAqYjOTe_Esh8Wb2SToKZAhlXB9Fd3oKx954UB1tV3oE6jVaFyK3aFErokK2pFF2KenCVDG6TdPNlBjYYnIid-lvKKrmunQk=@ajgrf.com> Currently `password-store-get' and `password-store-get-field' both block, even when provided with a callback. This is because `auth-source-pass-get' is synchronous, and it gets called before the functions even check if a callback was provided. Fixing this without using synchronous functions was a little hairy, and I ended up using internal auth-source-pass functions. If you'd rather avoid that, I think it would be necessary to reimplement entry parsing, because none of the "user-facing" functions in auth-source-pass would work. --- contrib/emacs/password-store.el | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/contrib/emacs/password-store.el b/contrib/emacs/password-store.el index ca8ae40..e051edb 100644 --- a/contrib/emacs/password-store.el +++ b/contrib/emacs/password-store.el 
@@ -232,25 +232,25 @@ ENTRY is the name of a password-store entry." Returns the first line of the password data. When CALLBACK is non-`NIL', call CALLBACK with the first line instead." - (let* ((inhibit-message t) - (secret (auth-source-pass-get 'secret entry))) - (if (not callback) secret - (password-store--run-show - entry - (lambda (_) (funcall callback secret)))))) + (password-store-get-field entry 'secret callback)) ;;;###autoload (defun password-store-get-field (entry field &optional callback) "Return FIELD for ENTRY. -FIELD is a string, for instance \"url\". +FIELD is a string, for instance \"url\". When CALLBACK is non-`NIL', call it with the line associated to FIELD instead. If FIELD equals to symbol secret, then this function reduces to `password-store-get'." - (let* ((inhibit-message t) - (secret (auth-source-pass-get field entry))) - (if (not callback) secret + (let ((inhibit-message t)) + (if (not callback) + (auth-source-pass-get field entry) (password-store--run-show entry - (lambda (_) (and secret (funcall callback secret))))))) + (lambda (file-contents) + (let* ((data (cons `(secret . ,(auth-source-pass--parse-secret + file-contents)) + (auth-source-pass--parse-data file-contents))) + (secret (auth-source-pass--get-attr field data))) + (and secret (funcall callback secret)))))))) ;;;###autoload -- 2.26.2
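Review bot: in the `password-store-get-field` hunk the `(let ((inhibit-message t)) ...)` now wraps only the call to `password-store--run-show`; with a CALLBACK, the parsing via `auth-source-pass--parse-secret`/`auth-source-pass--parse-data` and the `(funcall callback secret)` run later inside the lambda, outside that dynamic binding, so messages emitted there are no longer suppressed as they were when `auth-source-pass-get` ran inside the old `let*`. Re-bind `inhibit-message` inside the lambda, or drop the outer binding on the asynchronous path where it buys nothing. The three `auth-source-pass--` functions are internal, as the commit message acknowledges; a `declare-function` for each (and a `(require 'auth-source-pass)` if the file does not already have one) would at least make the dependency visible to the byte-compiler and to whoever next bumps the supported Emacs version.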