From axel at tripier.fr Fri Jul 2 16:56:38 2021 From: axel at tripier.fr (Axel Tripier) Date: Fri, 2 Jul 2021 18:56:38 +0200 Subject: [PATCH] Add missing local variable declaration Message-ID: Note: the declaration `local gpg_id` is repeated later in the function `set_gpg_recipients()`, so I don't know if you want to have it in two places (like in this patch) or in a single declaration at the top of the function (and remove it from later in the function). --- src/password-store.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/src/password-store.sh b/src/password-store.sh index a0dcf2e..79b7c72 100755 --- a/src/password-store.sh +++ b/src/password-store.sh @@ -72,6 +72,7 @@ set_gpg_recipients() { GPG_RECIPIENTS=( ) if [[ -n $PASSWORD_STORE_KEY ]]; then + local gpg_id for gpg_id in $PASSWORD_STORE_KEY; do GPG_RECIPIENT_ARGS+=( "-r" "$gpg_id" ) GPG_RECIPIENTS+=( "$gpg_id" ) -- 2.31.1 From axel at tripier.fr Fri Jul 2 17:40:44 2021 
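Review bot: the `local gpg_id` added at the top of the `if [[ -n $PASSWORD_STORE_KEY ]]` branch fixes a real scoping bug (without it the `for gpg_id in $PASSWORD_STORE_KEY` loop variable is created as a global in the caller's environment), but, as the cover note says, the same declaration already exists later in `set_gpg_recipients()`. bash scopes `local` to the whole function regardless of the block it sits in, so a single declaration at the top of the function, next to `GPG_RECIPIENTS=( )`, is the cleaner form; add it there and drop the later one rather than keeping two.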
From: axel at tripier.fr (Axel Tripier) Date: Fri, 2 Jul 2021 19:40:44 +0200 Subject: [PATCH] Exclude `*/.extensions` from grep/reencrypt Message-ID: The `.extensions` directory can contain extensions code, for example as git submodules, that have `.gpg` files as part of their code but that are not files encrypted with the PGP keys of our password store. One example is `pass-tomb`, that contains `.gpg` files in `tests/gnupg`, but there are more, like `pass-update`, `pass-otp`, etc. However those `.gpg` files in the `.extensions` directory are currently processed by the `grep` and `reencrypt` functions of `pass`. At best this can cause errors to be shown to the user when grepping/reencrypting, and at worst it can cause files in the `.extensions` directory to be decrypted and returned as part of a search, or reencrypted with the incorrect PGP keys. This patch tries to mitigate that issue by removing the `*/.extensions` directories from the list of processed `.gpg` files for the grep/reencrypt functions. However this patch is not perfect as it does not take into account the fact that the `.extensions` directory can be renamed to something else using `PASSWORD_STORE_EXTENSIONS_DIR`. But knowing if this `PASSWORD_STORE_EXTENSIONS_DIR` is inside the `PREFIX` or not and formatting the path exclusion for `find` accordingly could require a fair bit of additional logic that I am not sure how you want to implement. --- src/password-store.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/password-store.sh b/src/password-store.sh index a0dcf2e..3bf0391 100755 --- a/src/password-store.sh +++ b/src/password-store.sh 
@@ -137,7 +137,7 @@ reencrypt_path() { mv "$passfile_temp" "$passfile" || rm -f "$passfile_temp" fi prev_gpg_recipients="${GPG_RECIPIENTS[*]}" - done < <(find "$1" -path '*/.git' -prune -o -iname '*.gpg' -print0) + done < <(find "$1" -path '*/.git' -prune -o -path '*/.extensions' -prune -o -iname '*.gpg' -print0) } check_sneaky_paths() { local path @@ -430,7 +430,7 @@ cmd_grep() { passfile="${passfile##*/}" printf "\e[94m%s\e[1m%s\e[0m:\n" "$passfile_dir" "$passfile" echo "$grepresults" - done < <(find -L "$PREFIX" -path '*/.git' -prune -o -iname '*.gpg' -print0) + done < <(find -L "$PREFIX" -path '*/.git' -prune -o -path '*/.extensions' -prune -o -iname '*.gpg' -print0) } cmd_insert() { -- 2.31.1 From nils at nilsand.re Fri Jul 16 22:14:11 2021 From: nils at nilsand.re (Nils Andre) Date: Fri, 16 Jul 2021 23:14:11 +0100 Subject: Sync store to Firefox Message-ID: <20210716221411.txpa4rqh7vnzetod@nixos> Hi everyone, Over the weekend, I'd like to work on a tool that would sync passwords between a pass store to Firefox (using Firefox Accounts). Motivations (non-exhaustive): 1. Improve the UX of inputting passwords on Firefox 2. Security (https://lock.cmpxchg8b.com/passmgrs.html) However, before I start, I'd like to make sure that any such tools do not already exist and get some advice/opinions. So if you are aware of that being the case, and/or have anything to say (ideas, feedback, opinions, implementation details, what have you), then I'd love to hear about them. Thanks, Nils From mailinglist at chiraag.me Fri Jul 16 22:51:40 2021 
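Review bot: in the `reencrypt_path()` hunk, `-path '*/.extensions' -prune` matches a directory named `.extensions` at any depth, so a user's own password subfolder that happens to carry that name is silently skipped by reencryption and stays encrypted to the old recipients, which is a worse failure than the spurious errors the change is meant to avoid. Anchor the exclusion to the store root instead, e.g. `-path "$PREFIX/.extensions"`, or better to the directory that PASSWORD_STORE_EXTENSIONS_DIR resolves to (the cover note already flags that variable as unhandled), and add a case to t0300-reencryption.sh with a store containing a `.extensions` directory so the behaviour is pinned down.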
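Review bot: the `cmd_grep()` hunk has the same name-only exclusion with one extra wrinkle: this `find` runs with `-L`, so an extensions directory reached through a symlink under another name is still descended into and its `.gpg` files still decrypted and searched, while a legitimate subfolder named `.extensions` is now silently missing from grep results. Comparing against the configured extensions path (PASSWORD_STORE_EXTENSIONS_DIR, as the cover note mentions) rather than the literal name would close both gaps; at minimum the documentation should say that `grep` and reencryption skip `.extensions`.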
From: mailinglist at chiraag.me (ಚಿರಾಗ್ ನಟರಾಜ್)
Date: Fri, 16 Jul 2021 22:51:40 +0000
Subject: Sync store to Firefox
In-Reply-To: <20210716221411.txpa4rqh7vnzetod@nixos>
References: <20210716221411.txpa4rqh7vnzetod@nixos>
Message-ID:

12021/04/36 07:59.85 ?????, Nils Andre ??????:
> Hi everyone,
>
> Over the weekend, I'd like to work on a tool that would sync passwords
> between a pass store to Firefox (using Firefox Accounts).
>
> Motivations (non-exhaustive):
>
> 1. Improve the UX of inputting passwords on Firefox
> 2. Security (https://lock.cmpxchg8b.com/passmgrs.html)
>
> However, before I start, I'd like to make sure that any such tools do
> not already exist and get some advice/opinions.
>
> So if you are aware of that being the case, and/or have anything to say
> (ideas, feedback, opinions, implementation details, what have you), then
> I'd love to hear about them.
>
> Thanks,
>
> Nils

Hi Nils!

If you want to store your passwords within Firefox, I guess I don't quite
understand why the solution isn't just to use Lockwise. Is there something
I'm missing?

To your proposal, I suspect you'd have to do some sync between pass and
Firefox's password store, which might be messy and prone to errors, to be
honest.

Personally, I open up a terminal and copy the password using `pass -c`,
since Firefox is sandboxed using firejail and doesn't have access to my
password store (and it will *never* have access to my password store). I
think it's somewhat dangerous to expose the single riskiest program on your
computer to your password store. Browsers are extremely complex and are
already dealing with tons of untrusted input from malicious or compromised
websites. Giving that program access to as little data as possible seems to
be a good policy, in my opinion.

Cheers!
- Chiraag

--
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his
From aclopte at gmail.com Fri Jul 16 23:51:02 2021
From: aclopte at gmail.com (Johannes Altmanninger)
Date: Sat, 17 Jul 2021 01:51:02 +0200
Subject: Sync store to Firefox
In-Reply-To: <20210716221411.txpa4rqh7vnzetod@nixos>
References: <20210716221411.txpa4rqh7vnzetod@nixos>
Message-ID: <20210716235102.pm5dtohu4fsi5q6s@gmail.com>

> Over the weekend, I'd like to work on a tool that would sync passwords
> between a pass store to Firefox (using Firefox Accounts).
>
> Motivations (non-exhaustive):
>
> 1. Improve the UX of inputting passwords on Firefox
> 2. Security (https://lock.cmpxchg8b.com/passmgrs.html)
>
> However, before I start, I'd like to make sure that any such tools do
> not already exist and get some advice/opinions.

Just making sure - are you aware of browserpass:
https://github.com/browserpass/browserpass-extension

It doesn't sync with Firefox Accounts, but there are plenty of ways to
sync the password store.

From matt at connell.tech Sun Jul 18 03:01:29 2021
From: matt at connell.tech (Matt Connell)
Date: Sat, 17 Jul 2021 23:01:29 -0400
Subject: Sync store to Firefox
In-Reply-To: <20210716235102.pm5dtohu4fsi5q6s@gmail.com>
References: <20210716221411.txpa4rqh7vnzetod@nixos> <20210716235102.pm5dtohu4fsi5q6s@gmail.com>
Message-ID: <7c22089fc7db284d3adbeaa4620d75cbf171a64b.camel@connell.tech>

On Sat, 2021-07-17 at 01:51 +0200, Johannes Altmanninger wrote:
> > However, before I start, I'd like to make sure that any such tools
> > do not already exist and get some advice/opinions.
>
> there are plenty of ways to sync the password store.

git support is built in. git provides versioning, history, synchronization,
and more. Why reinvent a single part of the wheel?

--
Matt

From patrik.keller at uibk.ac.at Wed Jul 21 11:54:30 2021
From: patrik.keller at uibk.ac.at (Patrik Keller)
Date: Wed, 21 Jul 2021 13:54:30 +0200
Subject: pass edit leaking secrets
Message-ID:

Dear all,

it's probably no news for you, but running `pass edit secret` might leak
information to persistent storage if `$EDITOR` is not configured properly.
I got hit by this after switching from vim to neovim. The latter defaults
to storing swap, undo, and backup files in the user's home directory [0].

My personal thoughts on this are:
1. Neovim should not have changed the default.
2. `pass edit` should warn about the potential leakage.
3. I want to set the password editor independent of `$EDITOR`.

I could imagine the following workflow for `pass edit`:
1. Prefer `$PASS_EDITOR` over `$EDITOR` over `vi`.
2. If `$PASS_EDITOR` is not set print a warning about the potential
leakage and ask for confirmation.
3. Proceed as before.

Do you know a better solution? Maybe one that works w/o changing pass?

Best
Patrik

0: https://github.com/neovim/neovim/issues/4481

From stefan.kerman.gehr at fau.de Wed Jul 21 12:49:57 2021
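The workflow proposed above, as an added example for this archive (not code from pass or from any message in the thread); `PASS_EDITOR` is the hypothetical variable of the proposal, and the vim/nvim flags are stock vim options chosen here, not anything pass sets:

```shell
#!/bin/sh
# Added example for this archive, not code from pass or from the thread.
# Implements the proposed precedence ($PASS_EDITOR, then $EDITOR, then vi)
# with a warning and confirmation when PASS_EDITOR is unset. PASS_EDITOR
# is the hypothetical variable of the proposal; pass currently reads EDITOR.

# Print the editor command that would be used.
# Args: $1 = value of PASS_EDITOR, $2 = value of EDITOR (either may be empty).
choose_pass_editor() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    elif [ -n "$2" ]; then
        printf '%s\n' "$2"
    else
        printf '%s\n' vi
    fi
}

# True when the general-purpose editor is about to be used on a secret,
# i.e. the case the proposal wants to warn about. Arg: $1 = PASS_EDITOR.
needs_leak_warning() {
    [ -z "$1" ]
}

# Print the warning and ask for confirmation (reads one line from stdin).
confirm_fallback_editor() {
    printf 'PASS_EDITOR is unset; %s may write swap, backup or undo files containing the secret. Continue? [y/N] ' "$1" >&2
    read -r answer
    [ "$answer" = y ] || [ "$answer" = Y ]
}

# Run the chosen editor on the temporary file pass created ($1).
# For vim/nvim, -n disables the swap file, -i NONE the shada/viminfo file,
# and the -c command the backup and undo files, for this invocation only,
# so a misconfigured editor still keeps the plaintext off persistent storage.
edit_secret_file() {
    editor=$(choose_pass_editor "${PASS_EDITOR:-}" "${EDITOR:-}")
    if needs_leak_warning "${PASS_EDITOR:-}"; then
        confirm_fallback_editor "$editor" || return 1
    fi
    name=${editor%% *}            # first word, in case EDITOR carries options
    case "${name##*/}" in
        vim|nvim|vimx|gvim)
            $editor -n -i NONE -c 'set nobackup nowritebackup noundofile noswapfile' "$1" ;;
        *)
            $editor "$1" ;;       # unquoted: word-split like pass does
    esac
}

# Show which editor the current environment would select.
choose_pass_editor "${PASS_EDITOR:-}" "${EDITOR:-}"
```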
From: stefan.kerman.gehr at fau.de (Stefan Gehr)
Date: Wed, 21 Jul 2021 14:49:57 +0200
Subject: pass edit leaking secrets
In-Reply-To:
References:
Message-ID: <20210721124957.orh63u6uat5lkf2t@geher-pc>

On 2021-07-21T13:54:30+0200, Patrik Keller wrote:
> Dear all,
>
> it's probably no news for you, but running `pass edit secret` might leak
> information to persistent storage if `$EDITOR` is not configured properly. I
> got hit by this after switching from vim to neovim. The latter defaults to
> storing swap, undo, and backup files in the user's home directory [0].
>
> My personal thoughts on this are:
> 1. Neovim should not have changed the default.
> 2. `pass edit` should warn about the potential leakage.
> 3. I want to set the password editor independent of `$EDITOR`.
>
> I could imagine the following workflow for `pass edit`:
> 1. Prefer `$PASS_EDITOR` over `$EDITOR` over `vi`.
> 2. If `$PASS_EDITOR` is not set print a warning about the potential leakage
> and ask for confirmation.
> 3. Proceed as before.
>
> Do you know a better solution? Maybe one that works w/o changing pass?
>
> Best
> Patrik
>
> 0: https://github.com/neovim/neovim/issues/4481

Hi,

pass comes with the vim script contrib/vim/redact_pass.vim.
https://git.zx2c4.com/password-store/tree/contrib/vim/redact_pass.vim

Just source that file in your (neo)vim config and you're fine.

Best regards
Stefan

From mailinglist at chiraag.me Wed Jul 21 12:57:58 2021
From: mailinglist at chiraag.me (ಚಿರಾಗ್ ನಟರಾಜ್)
Date: Wed, 21 Jul 2021 12:57:58 +0000
Subject: pass edit leaking secrets
In-Reply-To:
References:
Message-ID:

12021/05/01 03:29.51 ?????, Patrik Keller ??????:
> Dear all,
>
> it's probably no news for you, but running `pass edit secret` might leak
> information to persistent storage if `$EDITOR` is not configured
> properly. I got hit by this after switching from vim to neovim. The
> latter defaults to storing swap, undo, and backup files in the user's
> home directory [0].
>
> My personal thoughts on this are:
> 1. Neovim should not have changed the default.
> 2. `pass edit` should warn about the potential leakage.
> 3. I want to set the password editor independent of `$EDITOR`.
>
> I could imagine the following workflow for `pass edit`:
> 1. Prefer `$PASS_EDITOR` over `$EDITOR` over `vi`.
> 2. If `$PASS_EDITOR` is not set print a warning about the potential
> leakage and ask for confirmation.
> 3. Proceed as before.
>
> Do you know a better solution? Maybe one that works w/o changing pass?
>
> Best
> Patrik
>
> 0: https://github.com/neovim/neovim/issues/4481

The pass extension tail-edit opens up everything except for the first line
(which is assumed to contain the password) and then prepends the password
before saving to the password store:
https://github.com/palortoff/pass-extension-tail

HTH!
- Chiraag

--
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his

From dyn+zx2c4 at dahlberg.cologne Thu Jul 22 13:39:53 2021
From: dyn+zx2c4 at dahlberg.cologne (David Dahlberg)
Date: Thu, 22 Jul 2021 13:39:53 +0000
Subject: Restrict sed expression to basic RE
Message-ID: <967163dd50d378c6a70d42131a41261edc70d8bc.camel@dahlberg.cologne>

Hi Jason/all,

'+' is part of POSIX extended regular expressions, not basic RE.

Attached patch replaces '+' by '{1,}' from basic RE and makes
t0300-reencryption.sh happy on OpenBSD. The other way would be to switch to
"sed -E" (but that would require other changes to the RE).

David

From tino.calancha at gmail.com Fri Jul 23 15:31:45 2021
From: tino.calancha at gmail.com (Tino Calancha)
Date: Fri, 23 Jul 2021 17:31:45 +0200 (CEST)
Subject: Restrict sed expression to basic RE
In-Reply-To: <967163dd50d378c6a70d42131a41261edc70d8bc.camel@dahlberg.cologne>
References: <967163dd50d378c6a70d42131a41261edc70d8bc.camel@dahlberg.cologne>
Message-ID:

Hi David,
your patch looks good to me.

May I suggest you send it again embedded as text in the body of
your message? You can use git-format-patch.

Many folks in this list only look at patches sent like that.

Tino

On Thu, 22 Jul 2021, David Dahlberg wrote:

> Hi Jason/all,
>
> '+' is part of POSIX extended regular expressions, not basic RE.
>
> Attached patch replaces '+' by '{1,}' from basic RE and makes t0300-
> reencryption.sh happy on OpenBSD. The other way would be to switch to
> "sed -E" (but that would require other changes to the RE).
>
> David
>

From brett at i--b.com Fri Jul 23 16:57:01 2021
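The key-id extraction David's patch changes, as an added example (not the project's code) run on a constructed sample of gpg's `--list-only` output, showing the portable BRE form beside the `sed -E` form he mentions:

```shell
#!/bin/sh
# Added example, not code from password-store: the key-id extraction that
# reencrypt_path() performs on gpg's --list-only output, in the portable
# POSIX BRE form (\{1,\}) and in the sed -E form mentioned in the thread.

# Constructed sample of what `gpg -v --decrypt --list-only` prints on
# stderr (not a real capture): two recipients, one listed twice, plus
# lines that must not match (the last one is rejected by the $ anchor).
SAMPLE_GPG_OUTPUT='gpg: encrypted with 4096-bit RSA key, ID 1122334455667788, created 2020-01-01
gpg: public key is 1122334455667788
gpg: encrypted with 255-bit ECDH key, ID AABBCCDDEEFF0011, created 2021-06-30
gpg: public key is AABBCCDDEEFF0011
gpg: public key is 1122334455667788
gpg: decryption failed: No secret key
gpg: public key is 1122334455667788 trailing text'

# Portable: the BRE interval \{1,\} is POSIX, unlike GNU sed's \+.
# Output is the sorted, de-duplicated list of recipient key ids, which the
# reencrypt check compares against the keys the store should be using.
extract_key_ids_bre() {
    printf '%s\n' "$1" \
        | sed -n 's/^gpg: public key is \([A-F0-9]\{1,\}\)$/\1/p' \
        | LC_ALL=C sort -u
}

# Same thing as an ERE: + is valid here, but the group parentheses lose
# their backslashes, which is the "other changes to the RE" David mentions.
extract_key_ids_ere() {
    printf '%s\n' "$1" \
        | sed -E -n 's/^gpg: public key is ([A-F0-9]+)$/\1/p' \
        | LC_ALL=C sort -u
}

extract_key_ids_bre "$SAMPLE_GPG_OUTPUT"
```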
From: brett at i--b.com (Brett Cornwall)
Date: Fri, 23 Jul 2021 09:57:01 -0700
Subject: Restrict sed expression to basic RE
In-Reply-To:
References: <967163dd50d378c6a70d42131a41261edc70d8bc.camel@dahlberg.cologne>
Message-ID: <20210723165700.ksyo7oq7w22p5vil@faun.localdomain>

On 2021-07-23 17:31, Tino Calancha wrote:
>
>Hi David,
>your patch looks good to me.
>
>May I suggest you send it again embedded as text in the body of
>your message? You can use git-format-patch.
>
>Many folks in this list only look at patches sent like that.

git-send-email(1) is preferred so that the myriad pitfalls of sending
patches via email are avoided.

From nicolai at dagestad.fr Sat Jul 24 16:21:50 2021
From: nicolai at dagestad.fr (Nicolai Dagestad)
Date: Sat, 24 Jul 2021 18:21:50 +0200
Subject: Restrict sed expression to basic RE
In-Reply-To: <20210723165700.ksyo7oq7w22p5vil@faun.localdomain>
References: <967163dd50d378c6a70d42131a41261edc70d8bc.camel@dahlberg.cologne> <20210723165700.ksyo7oq7w22p5vil@faun.localdomain>
Message-ID:

On Fri Jul 23, 2021 at 6:57 PM CEST, Brett Cornwall wrote:
> git-send-email(1) is preferred so that the myriad pitfalls of sending
> patches via email are avoided.

And https://git-send-email.io/ is a good introduction on how to use it for
beginners ?

From dyn+zx2c4 at dahlberg.cologne Mon Jul 26 13:57:49 2021
From: dyn+zx2c4 at dahlberg.cologne (David Dahlberg)
Date: Mon, 26 Jul 2021 13:57:49 +0000
Subject: [PATCH] remove GNU-ism and make sed expression adhere to basic regexp
Message-ID: <20210726135748.21769-1-dyn+zx2c4@dahlberg.cologne>

Repost of patch using git-send-email as requested on ML (sixth attempt)
--- src/password-store.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/password-store.sh b/src/password-store.sh index a0dcf2e..d3c909e 100755
--- a/src/password-store.sh +++ b/src/password-store.sh @@ -129,7 +129,7 @@ reencrypt_path() { done gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/^sub:[^idr:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)" fi - current_keys="$(LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$passfile" 2>&1 | sed -n 's/^gpg: public key is \([A-F0-9]\+\)$/\1/p' | LC_ALL=C sort -u)" + current_keys="$(LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$passfile" 2>&1 | sed -n 's/^gpg: public key is \([A-F0-9]\{1,\}\)$/\1/p' | LC_ALL=C sort -u)" if [[ $gpg_keys != "$current_keys" ]]; then echo "$passfile_display: reencrypting to ${gpg_keys//$'\n'/ }" -- 2.32.0
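Review bot: the commit message body ("Repost of patch using git-send-email as requested on ML (sixth attempt)") describes the resend rather than the change; it should carry the rationale from the original mail: `\+` is a GNU sed extension with no meaning in POSIX basic regular expressions, `\{1,\}` is the portable equivalent, and the symptom was t0300-reencryption.sh failing on OpenBSD. The replacement in the `current_keys=` line is correct and keeps the `$` anchor, so a key id followed by trailing text is still rejected as before; the neighbouring `--list-keys` expression in the context lines uses only `[^...]*` classes and `\(...\)` groups, so no further GNU-isms remain in this function.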