From ayush at fastmail.in Wed Sep 15 17:17:27 2021 From: ayush at fastmail.in (Ayush Agarwal) Date: Wed, 15 Sep 2021 22:47:27 +0530 Subject: [PATCH] replace 'which' with POSIX equivalent 'command -v' Message-ID: <20210915171727.41572-1-ayush@fastmail.in> The 'which' command is an external command that must be called each and every time pass is used. 'which' is also not mentioned in the README as one of the dependencies that might be needed to run pass. Instead of 'which', we can use the POSIX compatible and shell built-in 'command -v'. It saves pass from making an external call and is, arguably, more reliable than using 'which' as mentioned in the following link. --- src/password-store.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/password-store.sh b/src/password-store.sh index a0dcf2e..f3963e2 100755 --- a/src/password-store.sh +++ b/src/password-store.sh @@ -9,7 +9,7 @@ set -o pipefail GPG_OPTS=( $PASSWORD_STORE_GPG_OPTS "--quiet" "--yes" "--compress-algo=none" "--no-encrypt-to" ) GPG="gpg" export GPG_TTY="${GPG_TTY:-$(tty 2>/dev/null)}" -which gpg2 &>/dev/null && GPG="gpg2" +command -v gpg2 &>/dev/null && GPG="gpg2" [[ -n $GPG_AGENT_INFO || $GPG == "gpg2" ]] && GPG_OPTS+=( "--batch" "--use-agent" ) PREFIX="${PASSWORD_STORE_DIR:-$HOME/.password-store}" -- 2.33.0 From quoiceehoh-20180826 at yxejamir.net Sun Sep 19 08:51:13 2021 
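Review bot: On the changed line `command -v gpg2 &>/dev/null && GPG="gpg2"`, `command -v` also reports success when `gpg2` resolves to a shell function or alias, not only to an executable on PATH, so the test is slightly broader than the external `which` call it replaces. If only a real binary should switch GPG to "gpg2", bash's `type -P gpg2` restricts the lookup to PATH, and the script already relies on bash (`&>`, `[[ ]]`), so a bash builtin costs nothing. The commit message also ends with "as mentioned in the following link" but no link appears before the `---` separator; include the URL so the reliability claim can be checked from the log.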
From: quoiceehoh-20180826 at yxejamir.net (Amir Yalon)
Date: Sun, 19 Sep 2021 11:51:13 +0300
Subject: [PATCH] replace 'which' with POSIX equivalent 'command -v'
In-Reply-To: <20210915171727.41572-1-ayush@fastmail.in>
References: <20210915171727.41572-1-ayush@fastmail.in>
Message-ID: <69e0de6c-dd38-4c05-9f82-f86ba0317338@www.fastmail.com>

I am in favour of incorporating this patch, LGTM.

Just curious: what motivated you to make this change? Did you try to run pass in an environment without `which`, or did `which` exit with an erroneous success status for you?

On Wed, 15 Sep 2021, at 20:17, Ayush Agarwal wrote:
> The 'which' command is an external command that must be called each and
> every time pass is used. 'which' is also not mentioned in the README as
> one of the dependencies that might be needed to run pass.
>
> Instead of 'which', we can use the POSIX compatible and shell built-in
> 'command -v'. It saves pass from making an external call and is,
> arguably, more reliable than using 'which' as mentioned in the following
> link.
>
>

From ayush at fastmail.in Sun Sep 19 09:59:21 2021
From: ayush at fastmail.in (Ayush Agarwal)
Date: Sun, 19 Sep 2021 15:29:21 +0530
Subject: [PATCH] replace 'which' with POSIX equivalent 'command -v'
In-Reply-To: <69e0de6c-dd38-4c05-9f82-f86ba0317338@www.fastmail.com>
References: <20210915171727.41572-1-ayush@fastmail.in> <69e0de6c-dd38-4c05-9f82-f86ba0317338@www.fastmail.com>
Message-ID:

Hi Amir,

> what motivated you to make this change? Did you try to run pass in an environment without `which`, or did `which` exit with an erroneous success status for you?

Nah, nothing of the sort. I was just going through the source code of password-store and thought that using `which` was unnecessary and can be replaced with `command -v` without making any significant changes.

I'm also in the process of writing my own password store extensions and scripts as a learning experience so sending a patch here was part of the process as well.

Ayush

----- Original message -----
From: Amir Yalon
To: Ayush Agarwal, password-store at lists.zx2c4.com
Subject: Re: [PATCH] replace 'which' with POSIX equivalent 'command -v'
Date: Sunday, September 19, 2021 2:21 PM

I am in favour of incorporating this patch, LGTM.

Just curious: what motivated you to make this change? Did you try to run pass in an environment without `which`, or did `which` exit with an erroneous success status for you?

On Wed, 15 Sep 2021, at 20:17, Ayush Agarwal wrote:
> The 'which' command is an external command that must be called each and
> every time pass is used. 'which' is also not mentioned in the README as
> one of the dependencies that might be needed to run pass.
>
> Instead of 'which', we can use the POSIX compatible and shell built-in
> 'command -v'. It saves pass from making an external call and is,
> arguably, more reliable than using 'which' as mentioned in the following
> link.
>
>

From ayush at fastmail.in Mon Sep 20 22:29:28 2021
From: ayush at fastmail.in (Ayush Agarwal)
Date: Tue, 21 Sep 2021 03:59:28 +0530
Subject: =?UTF-8?Q?pass-tessen:_a_pass_extension_to_copy_everything, _including_pa?= =?UTF-8?Q?sswords_and_metadata,_on_Xorg/X11_and_Wayland?=
Message-ID:

Hey everyone,

I've made a pass extension called `pass-tessen` to copy everything in a pass file, including password and metadata (key-value pairs in the format mentioned on www.passwordstore.org), on both Xorg/X11 and Wayland.

https://github.com/ayushnix/pass-tessen

It uses fzf, xclip if you're on Xorg/X11, and wl-clipboard if you're using Wayland. Although this is my first project, I've tried to write code that focuses on being easy to read, is secure, and has no dependencies besides what's necessary.

Any critique or review of `pass-tessen` is welcome.

Regards,
Ayush

From ayush at fastmail.in Mon Sep 20 22:35:15 2021
From: ayush at fastmail.in (Ayush Agarwal)
Date: Tue, 21 Sep 2021 04:05:15 +0530
Subject: =?UTF-8?Q?Re:_pass-tessen:_a_pass_extension_to_copy_everything, __includi?= =?UTF-8?Q?ng_passwords_and_metadata,_on_Xorg/X11_and_Wayland?=
In-Reply-To:
References:
Message-ID:

I'm sorry but I have no idea why the subject of the email is all mangled up. I did send this mail using plain text format. Have I made a mistake somewhere?

----- Original message -----
From: Ayush Agarwal
To: password-store at lists.zx2c4.com
Subject: pass-tessen: a pass extension to copy everything, including passwords and metadata, on Xorg/X11 and Wayland
Date: Tuesday, September 21, 2021 3:59 AM

Hey everyone,

I've made a pass extension called `pass-tessen` to copy everything in a pass file, including password and metadata (key-value pairs in the format mentioned on www.passwordstore.org), on both Xorg/X11 and Wayland.

https://github.com/ayushnix/pass-tessen

It uses fzf, xclip if you're on Xorg/X11, and wl-clipboard if you're using Wayland. Although this is my first project, I've tried to write code that focuses on being easy to read, is secure, and has no dependencies besides what's necessary.

Any critique or review of `pass-tessen` is welcome.

Regards,
Ayush

From pass.maillist at fryorcraken.xyz Tue Sep 21 04:46:37 2021
From: pass.maillist at fryorcraken.xyz (Fry Or Craken)
Date: Tue, 21 Sep 2021 04:46:37 +0000
Subject: `.gpg` file
In-Reply-To:
References:
Message-ID:

Hi,

I have ended up in a strange situation where I somehow created a `.gpg` file at the root of my password store folder.
It only contained a password so I guess either hostpass-ff or fat fingers created generated file.

When this happens, the `pass ls` command returns the content of the `.gpg` file instead of listing all passwords available.

I am keen to write a patch for that. I see several solutions:

1. Prevent the creation of a `.gpg` file.
2. Ensure that `pass ls` with no argument lists all files instead of showing the content of `.gpg` if it exists.
3. Both above.

What does the list think?

Cheers,
Fry

From reto at labrat.space Tue Sep 21 06:00:41 2021
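The stray `.gpg` file reported in the message above, modelled as an added example (not part of the original post and not pass's own code). It assumes a lookup that tries `<store>/<name>.gpg` before treating `<name>` as a directory; all function names are hypothetical, and it covers both proposed fixes plus an audit of an existing store.

```shell
#!/bin/sh
# Added example: a model of the lookup, not code from password-store.sh.
# Assumption: "<store>/<name>.gpg" is tried before the directory "<store>/<name>".

# resolve_entry STORE NAME -> prints file | dir | missing
resolve_entry() {
	if [ -f "$1/$2.gpg" ]; then echo file
	elif [ -d "$1/$2" ]; then echo dir
	else echo missing
	fi
}

# Fix 2 from the thread: an empty name always means "list the store".
resolve_entry_guarded() {
	if [ -z "$2" ]; then
		if [ -d "$1" ]; then echo dir; else echo missing; fi
	else
		resolve_entry "$1" "$2"
	fi
}

# Fix 1 from the thread: reject names whose last path component is empty,
# since "" and "mail/" would be written as ".gpg" and "mail/.gpg".
valid_entry_name() {
	case "$1" in
		''|*/) return 1 ;;
		*) return 0 ;;
	esac
}

# Audit an existing store for files literally named ".gpg".
find_nameless() {
	find "$1" -type f -name '.gpg'
}

# Constructed demo store; empty files stand in for encrypted entries.
demo() {
	store=$(mktemp -d) || return 1
	mkdir -p "$store/mail"
	: > "$store/mail/work.gpg"
	echo "before stray file: $(resolve_entry "$store" '')"   # dir  (listing)
	: > "$store/.gpg"
	echo "after stray file:  $(resolve_entry "$store" '')"   # file (decrypt)
	echo "guarded lookup:    $(resolve_entry_guarded "$store" '')"
	echo "nameless entries:  $(find_nameless "$store")"
	rm -rf "$store"
}
demo
```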
From: reto at labrat.space (Reto)
Date: Tue, 21 Sep 2021 08:00:41 +0200
Subject: `.gpg` file
In-Reply-To:
References:
Message-ID: <20210921060041.rulvz6dzw56cjnga@feather>

On Tue, Sep 21, 2021 at 04:46:37AM +0000, Fry Or Craken wrote:
> What does the list think?

There's quite some prior art:

May 2020: <20200524142957.2826524-1-zx2c4.com at holgerdell.com>
Jul 2019: <20190712154954.46862-1-remi.lapeyre at henki.fr>
Sep 2018: (low effort approach though)

Have a look in the archives.
Those are just the threads marked as "patch" too, didn't bother to collect the troubleshooting ones.

Cheers,
Reto

From sylvain at opensource-expert.com Thu Sep 23 11:51:34 2021
From: sylvain at opensource-expert.com (Sylvain Viart)
Date: Thu, 23 Sep 2021 13:51:34 +0200
Subject: [discussion] Secure Item in clipboard manager - non disclosure of password value
Message-ID: <41faadda-4e1f-8800-f07e-deb21d637765@opensource-expert.com>

Hi,

Recently, I forked xfce4 clipman (clipboard manager) to start a PoC of Secure Item + a cli to drive clipman via DBus call, that I also added to the forked code.

This email is mostly a post about security or non-disclosure of password.

The Secure Item concept I introduced in clipman tries to hide the password all the time, until it is ultimately stored as clear text in the clipboard, and then deleted after a short period ~30s.

Example and code can be found and explained here:

https://gitlab.xfce.org/Sylvain/xfce4-clipman-plugin/-/blob/secure_item_dbus/README.md

I also added a small obfuscation to avoid revealing password in log, or DBus may be, or debug log, etc. As the PoC is only to test the idea it's sufficient but it could be crypted.

I also hide the password that way during testing and developing the software, as I may still need to copy some password while using the clipboard manager in debug mode.

How do you secure password fields (non-disclosure) in pass?

I mean, what special effort did you add to ensure that clear passwords are avoided outside where it's expected.

I also saw that the pass code holds some dbus call for org.kde.klipper. I will look how they handle that too in klipper code.

Actually I'm testing the PoC and exploring how I could use it.

I wrote a small shell wrapper for testing it:

https://gitlab.xfce.org/Sylvain/xfce4-clipman-plugin/-/blob/secure_item_dbus/pass_clip.sh

I suppose I should write a pass-extension plugin in order to use clipman-cli. I will think about it.

could be:

pass clipman add PASS_ENTRY
pass clipman delete ID
pass clipman clear_secure
etc.

Actually clipman_cli wrapper supports:

# Usage: ./clipman_cli.sh add [-s] TEXT_ITEM_VALUE
#        ./clipman_cli.sh list
#        ./clipman_cli.sh del ITEM_ID
#        ./clipman_cli.sh get ITEM_ID
#        ./clipman_cli.sh get_secure ITEM_ID
#        ./clipman_cli.sh clear
#        ./clipman_cli.sh clear_secure
#        ./clipman_cli.sh set_secure  ITEM_ID
#        ./clipman_cli.sh set_clear_text ITEM_ID
#        ./clipman_cli.sh collect_secure [NUM_COLLECTED_ITEM_TO_SECURE]
#
# Arguments:
#   TEXT_ITEM_VALUE               string to add to history.
#   ITEM_ID                       uint16 a clipman history ID (use list or add
#                                 to retrieve it).
#   NUM_COLLECTED_ITEM_TO_SECURE  uint16 the next collected item from clipboard
#                                 will be set secured by clipman automatically.
#                                 Useful for keyboard shortcut before copying
#                                 [default: 1]

My plan is to create a Merge Request in the main clipman code in order to publish something useful.

Thanks for your attention,
Remarks are welcome,

Regards,
Sylvain.

--
Sylvain Viart - GNU/Linux Sysadmin/Developer/DevOps - France

From santiago at zarate.co Thu Sep 23 12:45:43 2021
From: santiago at zarate.co (Santiago Zarate)
Date: Thu, 23 Sep 2021 14:45:43 +0200
Subject: [PATCH] Default to xclip if wl-clip is not found
Message-ID:

In the strange case that the user is jumping back and forth from X11 to Wayland and vice versa, xclip might be installed but wl-clip might not, and in such combination user might end up with the -c option not working.

https://bugzilla.opensuse.org/show_bug.cgi?id=1185984

--- src/password-store.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/password-store.sh b/src/password-store.sh index a0dcf2e..710f258 100755 --- a/src/password-store.sh +++ b/src/password-store.sh 
@@ -155,7 +155,7 @@ check_sneaky_paths() { # clip() { - if [[ -n $WAYLAND_DISPLAY ]]; then + if [[ -n $WAYLAND_DISPLAY ]] && command -v wl-copy > /dev/null; then local copy_cmd=( wl-copy ) local paste_cmd=( wl-paste -n ) if [[ $X_SELECTION == primary ]]; then @@ -163,7 +163,7 @@ clip() { paste_cmd+=( --primary ) fi local display_name="$WAYLAND_DISPLAY" - elif [[ -n $DISPLAY ]]; then + elif [[ -n $DISPLAY ]] && command -v xclip > /dev/null; then local copy_cmd=( xclip -selection "$X_SELECTION" ) local paste_cmd=( xclip -o -selection "$X_SELECTION" ) local display_name="$DISPLAY" -- 2.31.1 From Jason at zx2c4.com Thu Sep 23 21:22:46 2021 From: Jason at zx2c4.com (Jason A. Donenfeld) Date: Thu, 23 Sep 2021 15:22:46 -0600 Subject: [PATCH] Default to xclip if wl-clip is not found In-Reply-To: References: Message-ID: Applied, thanks. From Jason at zx2c4.com Thu Sep 23 21:26:08 2021 From: Jason at zx2c4.com (Jason A. Donenfeld) Date: Thu, 23 Sep 2021 15:26:08 -0600 Subject: [PATCH] replace 'which' with POSIX equivalent 'command -v' In-Reply-To: <20210915171727.41572-1-ayush@fastmail.in> References: <20210915171727.41572-1-ayush@fastmail.in> Message-ID: Applied, thanks for the patch. From Jason at zx2c4.com Thu Sep 23 21:27:40 2021 From: Jason at zx2c4.com (Jason A. Donenfeld) Date: Thu, 23 Sep 2021 15:27:40 -0600 Subject: [PATCH] Add missing local variable declaration In-Reply-To: References: Message-ID: Applied, thanks. From Jason at zx2c4.com Thu Sep 23 21:29:22 2021 
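Review bot: In the first clip() hunk of "Default to xclip if wl-clip is not found" (@@ -155,7 +155,7 @@), the new guard tests only `command -v wl-copy`, while the same branch also sets paste_cmd to `wl-paste -n`; test both binaries in the condition so that a system with wl-copy but without wl-paste does not enter a branch it cannot complete. The subject and commit message say "wl-clip", whereas the command actually checked is `wl-copy`; naming the real binary keeps the log searchable.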
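Review bot: In the second clip() hunk of the same patch (@@ -163,7 +163,7 @@), with `command -v xclip` now part of the elif, a session that has DISPLAY or WAYLAND_DISPLAY set but neither clipboard tool installed falls through to whatever follows this elif, which the hunk does not show; check that the message printed there names the missing wl-copy/xclip binary rather than a missing display, otherwise `-c` fails with a misleading error. `> /dev/null` is sufficient for `command -v`, though `&>/dev/null` would match the redirection used for the gpg2 check near the top of the same file.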
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Thu, 23 Sep 2021 15:29:22 -0600
Subject: [PATCH] Exclude `*/.extensions` from grep/reencrypt
In-Reply-To:
References:
Message-ID:

Applied, thanks.

On Fri, Jul 2, 2021 at 11:41 AM Axel Tripier wrote:
> However this patch is not perfect as it does not take into account the
> fact that the `.extensions` directory can be renamed to something else
> using `PASSWORD_STORE_EXTENSIONS_DIR`. But knowing if this
> `PASSWORD_STORE_EXTENSIONS_DIR` is inside the `PREFIX` or not and
> formatting the path exclusion for `find` accordingly could require a
> fair bit of additional logic that I am not sure how you want to
> implement.

I think that's an okay tradeoff.

Jason

From Jason at zx2c4.com Thu Sep 23 21:30:51 2021
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Thu, 23 Sep 2021 15:30:51 -0600
Subject: [PATCH] Fix unecessary reencryptions on MacOS
In-Reply-To: <20210626225748.84150-1-sam@wlcx.cc>
References: <20210626225748.84150-1-sam@wlcx.cc>
Message-ID:

Nice find. Thanks. Applied.