From josey at josey.org.uk Sun Apr 3 00:15:19 2022 From: josey at josey.org.uk (Josey Smith) Date: Sun, 3 Apr 2022 01:15:19 +0100 Subject: [PATCH] clip: add option PASSWORD_STORE_PASTE_ONCE In-Reply-To: <20220329170508.13441-1-grmat@sub.red> References: <20220329170508.13441-1-grmat@sub.red> Message-ID: I'm pretty new here, but I just wanted to say that I think this is an excellent feature, which I would use. Josey On 3/29/22, Matthias Gro? wrote: > If this environment variable is set to "true", the clipboard is cleared > immediately after pasting. > > --- > I've send this in before but the first try was a bit chaotic and I never > got feedback. I still consider it a useful feature and rebased it onto > master. However, if silence meant "no", sorry for the noise. > > man/pass.1 | 4 ++++ > src/password-store.sh | 7 +++++++ > 2 files changed, 11 insertions(+) > > diff --git a/man/pass.1 b/man/pass.1 > index a555dcb..5930cdd 100644 > --- a/man/pass.1 > +++ b/man/pass.1 > @@ -429,6 +429,10 @@ for more info. > Specifies the number of seconds to wait before restoring the clipboard, by > default > \fI45\fP seconds. > .TP > +.I PASSWORD_STORE_PASTE_ONCE > +If this variable is set to \fItrue\fP, the clipboard is cleared immediately > after the copied > +password has been pasted. > +.TP > .I PASSWORD_STORE_UMASK > Sets the umask of all files modified by pass, by default \fI077\fP. > .TP > diff --git a/src/password-store.sh b/src/password-store.sh > index 22e818f..ab13a78 100755 > --- a/src/password-store.sh > +++ b/src/password-store.sh 
> @@ -16,6 +16,7 @@ PREFIX="${PASSWORD_STORE_DIR:-$HOME/.password-store}" > EXTENSIONS="${PASSWORD_STORE_EXTENSIONS_DIR:-$PREFIX/.extensions}" > X_SELECTION="${PASSWORD_STORE_X_SELECTION:-clipboard}" > CLIP_TIME="${PASSWORD_STORE_CLIP_TIME:-45}" > +PASTE_ONCE="${PASSWORD_STORE_PASTE_ONCE:-false}" > GENERATED_LENGTH="${PASSWORD_STORE_GENERATED_LENGTH:-25}" > CHARACTER_SET="${PASSWORD_STORE_CHARACTER_SET:-[:punct:][:alnum:]}" > CHARACTER_SET_NO_SYMBOLS="${PASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS:-[:alnum:]}" > @@ -162,11 +163,17 @@ clip() { > copy_cmd+=( --primary ) > paste_cmd+=( --primary ) > fi > + if [[ $PASTE_ONCE == true ]]; then > + copy_cmd+=( --paste-once ) > + fi > local display_name="$WAYLAND_DISPLAY" > elif [[ -n $DISPLAY ]] && command -v xclip &> /dev/null; then > local copy_cmd=( xclip -selection "$X_SELECTION" ) > local paste_cmd=( xclip -o -selection "$X_SELECTION" ) > local display_name="$DISPLAY" > + if [[ $PASTE_ONCE == true ]]; then > + copy_cmd+=( -loops 1 ) > + fi > else > die "Error: No X11 or Wayland display and clipper detected" > fi > -- > 2.35.1 > > From maxschillinger at web.de Sun Apr 3 21:03:27 2022 
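Review bot: in the clip() hunk of the PASSWORD_STORE_PASTE_ONCE patch, `[[ $PASTE_ONCE == true ]]` is an exact, case-sensitive match, so `PASSWORD_STORE_PASTE_ONCE=1`, `yes` or `TRUE` silently leaves the option off and the password stays on the clipboard for the full CLIP_TIME. For an option whose purpose is to shorten exposure, either accept the common truthy spellings or call die on an unrecognised value, and have the man page hunk say which values count. The same test is repeated in the wl-copy and xclip branches; setting a flag once and appending `--paste-once` or `-loops 1` per backend would keep the two from drifting apart.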
From: maxschillinger at web.de (Max Schillinger)
Date: Sun, 3 Apr 2022 23:03:27 +0200
Subject: pass extension: pass-tmuxclip
Message-ID:

Hi all,

maybe you know this situation: You work on a Linux system with no X11
installed (or not running) or you access your Linux system via SSH from
Windows (with no X server like VcXsrv running). Then
`pass [show] -c pass-name` just doesn't work.

That's why I made this extension for pass: [pass-tmuxclip][1]

If you use [tmux][2] (as I always do, even when I work locally in dwm),
this extension helps you copy passwords directly into tmux's paste
buffer (that's like tmux's internal clipboard for stuff you copy in copy
mode).

Just use `pass tmuxclip pass-name` to copy a password. And paste it
anywhere in tmux using *Ctrl-b Ctrl-]*. The password will be deleted
from the tmux buffer after 45 seconds.

I hope this is useful for anybody.

Best regards,
Max Schillinger

[1]: https://github.com/MaxGyver83/pass-tmuxclip
[2]: https://github.com/tmux/tmux

From tom at whi.tw Mon Apr 4 13:33:59 2022
From: tom at whi.tw (Tom Whitwell)
Date: Mon, 4 Apr 2022 14:33:59 +0100
Subject: [PATCH] Improve zsh completion for multiple repositories
Message-ID: <20220404133359.17673-1-tom@whi.tw>

Rather than stripping the called program from $curcontext, keep it and
append the pass command to it. The `zstyle` command can then be amended
with a wildcard, so all completions have the 'prefix' context.

Without this, subcommand completion still operates against the 'main'
password store repo.

--- src/completion/pass.zsh-completion | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/completion/pass.zsh-completion b/src/completion/pass.zsh-completion index d911e12..71d215a 100644 --- a/src/completion/pass.zsh-completion +++ b/src/completion/pass.zsh-completion
@@ -12,7 +12,7 @@ # If you use multiple repositories, you can configure completion like this: # # compdef _pass workpass -# zstyle ':completion::complete:workpass::' prefix "$HOME/work/pass" +# zstyle ':completion::complete:workpass:*:' prefix "$HOME/work/pass" # workpass() { # PASSWORD_STORE_DIR=$HOME/work/pass pass $@ # } @@ -23,7 +23,7 @@ _pass () { if (( CURRENT > 2)); then cmd=${words[2]} # Set the context for the subcommand. - curcontext="${curcontext%:*:*}:pass-$cmd" + curcontext="${curcontext%:*}:pass-$cmd" # Narrow the range of words we are looking at to exclude `pass' (( CURRENT-- )) shift words -- 2.32.0 (Apple Git-132) From kjetil.homme at redpill-linpro.com Wed Apr 6 13:19:55 2022 From: kjetil.homme at redpill-linpro.com (Kjetil Torgrim Homme) Date: Wed, 6 Apr 2022 15:19:55 +0200 Subject: [PATCH] clip: add option PASSWORD_STORE_PASTE_ONCE In-Reply-To: <20220329170508.13441-1-grmat@sub.red> References: <20220329170508.13441-1-grmat@sub.red> Message-ID: <7de403e2-e817-6750-45e9-1c1a4848bd1d@redpill-linpro.com> Den 29/03/2022 19:05, skreiv Matthias Gro?: > If this environment variable is set to "true", the clipboard is cleared > immediately after pasting. > > --- > I've send this in before but the first try was a bit chaotic and I never > got feedback. I still consider it a useful feature and rebased it onto > master. However, if silence meant "no", sorry for the noise. I'm just wondering if this should look at the operation somehow and adjust behaviour accordingly. When doing `pass generate`, you usually have to paste the new password twice into the dialog. -- Kjetil T. Homme Redpill Linpro - Changing the game From burnedfaceless at gmail.com Sat Apr 9 12:07:53 2022 
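Review bot: the first hunk of the zsh completion patch changes the documented zstyle pattern from `workpass::` to `workpass:*:` while the second changes what `curcontext` holds for subcommands, so anyone who copied the old comment into their .zshrc keeps a pattern written for the old context; the comment block or the commit message should say that existing configurations need the wildcard. A one-line comment above `curcontext="${curcontext%:*}:pass-$cmd"` stating that the calling program's name is now kept in the context would also help the next reader see why the pattern needs `*`. Visible in the same comment block, though not touched by the patch: `pass $@` should be `pass "$@"` so arguments reach pass unchanged.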
From: burnedfaceless at gmail.com (Brian Abbott)
Date: Sat, 9 Apr 2022 08:07:53 -0400
Subject: Bash Completion on Mac
Message-ID:

Hi,

I have been using pass on Linux and I was issued a Mac for work. This
computer came installed with Mac 12.3 Monterey. Zshell was the default
shell.

So I set bash as the default shell. I believe I was missing a .bashrc
and a bash_profile. So I created those.

I installed pass through homebrew. Bash completion did not work with pass.

I found this post through Google
https://lists.zx2c4.com/pipermail/password-store/2014-December/001241.html

I followed the instructions here to install bash completion:
https://sourabhbajaj.com/mac-setup/BashCompletion/.

Bash completion seems to work but not on pass.

If someone could help me get bash completion working I would appreciate it.

I'm really grateful for open source and people that contribute to it.
This password manager gives us control over the security of our
passwords. I've been using it since 2018 and it's been great.

Brian

--

From jens.troeger at light-speed.de Sat Apr 9 22:57:37 2022
From: jens.troeger at light-speed.de (Jens Tröger)
Date: Sun, 10 Apr 2022 00:57:37 +0200
Subject: Bash Completion on Mac
In-Reply-To:
References:
Message-ID:

Hello Brian,

I run `pass` on Mac using MacPorts and bash, and my .bashrc contains
the following lines:

    # Bash completion for pass.
    if [ -f /opt/local/etc/profile.d/bash_completion.sh ]; then
        . /opt/local/etc/profile.d/bash_completion.sh
    fi
    [[ -r "/opt/local/share/bash-completion/completions/pass" ]] && source "/opt/local/share/bash-completion/completions/pass"

Homebrew's base pass is different but other than adjusting that base
path, I hope this helps?

With many greetings,
Jens

On Sat, Apr 09, 2022 at 08:07:53AM -0400, Brian Abbott wrote:
> Hi,
>
> I have been using pass on Linux and I was issued a Mac for work. This
> computer came installed with Mac 12.3 Monterey. Zshell was the default
> shell.
>
> So I set bash as the default shell. I believe I was missing a .bashrc
> and a bash_profile. So I created those.
>
> I installed pass through homebrew. Bash completion did not work with pass.
>
> I found this post through Google
> https://lists.zx2c4.com/pipermail/password-store/2014-December/001241.html
>
> I followed the instructions here to install bash completion:
> https://sourabhbajaj.com/mac-setup/BashCompletion/.
>
> Bash completion seems to work but not on pass.
>
> If someone could help me get bash completion working I would appreciate it.
>
> I'm really grateful for open source and people that contribute to it.
> This password manager gives us control over the security of our
> passwords. I've been using it since 2018 and it's been great.
>
> Brian

-- 
Jens Tröger
https://savage.light-speed.de/

From jamie.couture at gmail.com Sun Apr 10 13:01:54 2022
From: jamie.couture at gmail.com (Jamie Couture)
Date: Sun, 10 Apr 2022 08:01:54 -0500
Subject: Bash Completion on Mac
In-Reply-To:
References:
Message-ID:

Hi Brian,

Depending on your preferences, you have a couple options to install
pass. Jens provided a MacPorts option. I'll expand on that to provide
some other options for you:

Assuming you install through homebrew, you can update FPATH and make
sure compinit is loaded; try adding the following to your .zshrc:

    FPATH=$(brew --prefix)/share/zsh/site-functions:$FPATH
    command -v compinit &>/dev/null || autoload -U compinit && compinit

If you manually installed pass, you'll update $FPATH similarly, but
point it to your repo's path or copy it manually somewhere in one of the
usual FPATH directories. Make sure compinit is called, then you should
be fine.

If you use oh-my-zsh, you can specify the pass plugin; however, without
all that overhead the above should get you on the right track.

Regards,
Jamie

On Sat, Apr 9, 2022 at 7:09 AM Brian Abbott wrote:
>
> Hi,
> I have been using pass on Linux and I was issued a Mac for work. This
> computer came installed with Mac 12.3 Monterey. Zshell was the default
> shell.
>
> So I set bash as the default shell. I believe I was missing a .bashrc
> and a bash_profile. So I created those.
>
> I installed pass through homebrew. Bash completion did not work with pass.
>
> I found this post through Google
> https://lists.zx2c4.com/pipermail/password-store/2014-December/001241.html
>
> I followed the instructions here to install bash completion:
> https://sourabhbajaj.com/mac-setup/BashCompletion/.
>
> Bash completion seems to work but not on pass.
>
> If someone could help me get bash completion working I would appreciate it.
>
> I'm really grateful for open source and people that contribute to it.
> This password manager gives us control over the security of our
> passwords. I've been using it since 2018 and it's been great.
>
> Brian
>
> --

From esharakan at gmail.com Sun Apr 10 15:24:43 2022
From: esharakan at gmail.com (Eric Sharakan)
Date: Sun, 10 Apr 2022 11:24:43 -0400
Subject: Bash Completion on Mac
In-Reply-To:
References:
Message-ID: <516F08C5-C4B3-4712-A76F-0D10BAE46F15@gmail.com>

Hi, the homebrew installed path to the bash completion script is:

    /usr/local/Cellar/pass/1.7.4/etc/bash_completion.d/pass

I don't see any symlink in /usr/local/share/ that points there.

BTW, I don't use bash as my shell; I'm just pointing out what I found by
poking around in /usr/local/Cellar/pass/.

-Eric

P.S. I run tcsh as my shell. I hacked together a tcsh completion script
if anyone is interested. It's a bit rough around the edges, but does the
job for me.

On 9 Apr 2022, at 18:57, Jens Tröger wrote:

> Hello Brian,
>
> I run `pass` on Mac using MacPorts and bash, and my .bashrc contains
> the following lines:
>
>     # Bash completion for pass.
>     if [ -f /opt/local/etc/profile.d/bash_completion.sh ]; then
>         . /opt/local/etc/profile.d/bash_completion.sh
>     fi
>     [[ -r "/opt/local/share/bash-completion/completions/pass" ]] && source "/opt/local/share/bash-completion/completions/pass"
>
> Homebrew's base pass is different but other than adjusting that base
> path, I hope this helps?
>
> With many greetings,
> Jens
>
>
> On Sat, Apr 09, 2022 at 08:07:53AM -0400, Brian Abbott wrote:
>> Hi,
>>
>> I have been using pass on Linux and I was issued a Mac for work. This
>> computer came installed with Mac 12.3 Monterey. Zshell was the default
>> shell.
>>
>> So I set bash as the default shell. I believe I was missing a .bashrc
>> and a bash_profile. So I created those.
>>
>> I installed pass through homebrew. Bash completion did not work with pass.
>>
>> I found this post through Google
>> https://lists.zx2c4.com/pipermail/password-store/2014-December/001241.html
>>
>> I followed the instructions here to install bash completion:
>> https://sourabhbajaj.com/mac-setup/BashCompletion/.
>>
>> Bash completion seems to work but not on pass.
>>
>> If someone could help me get bash completion working I would appreciate it.
>>
>> I'm really grateful for open source and people that contribute to it.
>> This password manager gives us control over the security of our
>> passwords. I've been using it since 2018 and it's been great.
>>
>> Brian
>
> --
> Jens Tröger
> https://savage.light-speed.de/

From tailsnow at protonmail.com Sun Apr 10 16:16:42 2022
From: tailsnow at protonmail.com (TailSnow)
Date: Sun, 10 Apr 2022 16:16:42 +0000
Subject: Bash Completion on Mac
In-Reply-To:
References:
Message-ID:

Hi Brian,

I had a similar issue with pass not autocompleting, although my problem
was with ZSH and not Bash. I think the problem started after upgrading
MacOS from Big Sur to Monterey.

Unfortunately, the only solution that worked was to completely reinstall
macOS (Monterey). Once I had a fresh operating system, installing pass
through Homebrew worked fine and I was able to use autocomplete as
normal.

I'll admit it's not the most elegant solution, but it's what worked for
me.

Good luck!
Tails.

------- Original Message -------
On Saturday, April 9th, 2022 at 08:07, Brian Abbott wrote:

>
>
> Hi,
> I have been using pass on Linux and I was issued a Mac for work. This
> computer came installed with Mac 12.3 Monterey. Zshell was the default
> shell.
>
> So I set bash as the default shell. I believe I was missing a .bashrc
> and a bash_profile. So I created those.
>
> I installed pass through homebrew. Bash completion did not work with pass.
>
> I found this post through Google
> https://lists.zx2c4.com/pipermail/password-store/2014-December/001241.html
>
> I followed the instructions here to install bash completion:
> https://sourabhbajaj.com/mac-setup/BashCompletion/.
>
> Bash completion seems to work but not on pass.
>
> If someone could help me get bash completion working I would appreciate it.
>
> I'm really grateful for open source and people that contribute to it.
> This password manager gives us control over the security of our
> passwords. I've been using it since 2018 and it's been great.
>
> Brian
>
> --

From nickkouk at gmail.com Tue Apr 12 11:57:30 2022
From: nickkouk at gmail.com (Nikos Koukis)
Date: Tue, 12 Apr 2022 12:57:30 +0100
Subject: Add albert pass plugin to main page
Message-ID: <36a0119b-3bf3-75d8-6a0f-c95f6e1084b7@gmail.com>

Hi there,

Thanks for this great software!

I have created an Albert plugin for interacting with Pass on Linux.
Albert is a popular keyboard launcher
(https://github.com/albertlauncher/albert)

You can find more details about my plugin here:
https://github.com/bergercookie/awesome-albert-plugins/tree/master/plugins/pass_rlded

Could this be included in the main page of Pass so that users can find
it more easily? https://www.passwordstore.org/

Thanks,
Nikos

-- 
Nikos Koukis
https://bergercookie.dev

From z at zagdul.de Tue Apr 12 13:08:31 2022
From: z at zagdul.de (Zack)
Date: Tue, 12 Apr 2022 15:08:31 +0200
Subject: Pass index extension
Message-ID: <31EE48C7-4717-4BCF-97A9-EB2F8B84E1B4@zagdul.de>

Hi,

I added a pass extension that speeds up search a lot. It creates an
index file where you can easily grep / search for matching entries.
Works a lot faster.

It is implemented in a way, that you should use an alias
pass=pass index in order to avoid a stale index file.

It should work on all supported OSs, but was mainly tested on macos.

have a look here: https://github.com/sboesebeck/pass-index

Cheers,
Stephan

From craig at theagricolas.org Tue Apr 12 23:49:55 2022
From: craig at theagricolas.org (Craig B Agricola)
Date: Tue, 12 Apr 2022 19:49:55 -0400
Subject: No subject
Message-ID: <20220412234955.GA32557@han.home.theagricolas.org>

>From 0367e9cdddd5acca789521c2e102ca59e497b65b Mon Sep 17 00:00:00 2001
From: "Craig B. Agricola" Date: Tue, 12 Apr 2022 19:25:36 -0400 Subject: [PATCH] Fix handling of SIGPIPE in 'pass show --clip' When 'pass show' is used with the '--clip' option (or '--qrcode'), the decrypted password file is piped to tail and then head to extract just the first line. If the password entry file is long enough, then the pipe is closed before the whole GPG output pipe has been consumed, leading to a SIGPIPE. This SIGPIPE causes the code to exit with a return value of 141 (128 plus the numerical signal number for SIGPIPE). It is appropriate to exit, passing out the return value from the pipe, in case there is an actual problem. That said, because it is intentional that the pipe is being abandoned when head gets what it needs, the appropriate fix seems to be to turn off the 'pipefail' shell option, just for this particular pipeline. --- src/password-store.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/password-store.sh b/src/password-store.sh index 22e818f..cb11dfb 100755 --- a/src/password-store.sh +++ b/src/password-store.sh @@ -388,7 +388,7 @@ cmd_show() { echo "$pass" | $BASE64 -d else [[ $selected_line =~ ^[0-9]+$ ]] || die "Clip location '$selected_line' is not a number." - pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +${selected_line} | head -n 1)" || exit $? + pass="$(set +o pipefail; $GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +${selected_line} | head -n 1)" || exit $? [[ -n $pass ]] || die "There is no password to put on the clipboard at line ${selected_line}." if [[ $clip -eq 1 ]]; then clip "$pass" "$path" -- 2.27.0 From craig at theagricolas.org Tue Apr 12 23:56:22 2022 
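Review bot: with `set +o pipefail` inside the command substitution in cmd_show, the pipeline's status becomes that of `head -n 1`, so the `|| exit $?` that follows can no longer see a non-zero exit from `$GPG -d`. A failed decryption then surfaces only through the next line's empty check, as "There is no password to put on the clipboard", and if gpg wrote a first line before failing, that line is used. Keeping the option off but testing `${PIPESTATUS[0]}` inside the substitution, and treating only 0 and 141 as success, would ignore the expected SIGPIPE without discarding gpg's result.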
From: craig at theagricolas.org (Craig B. Agricola) Date: Tue, 12 Apr 2022 19:56:22 -0400 Subject: [PATCH] Fix handling of SIGPIPE in 'pass show --clip' Message-ID: <20220412235622.GB5941@han.home.theagricolas.org> When 'pass show' is used with the '--clip' option (or '--qrcode'), the decrypted password file is piped to tail and then head to extract just the first line. If the password entry file is long enough, then the pipe is closed before the whole GPG output pipe has been consumed, leading to a SIGPIPE. This SIGPIPE causes the code to exit with a return value of 141 (128 plus the numerical signal number for SIGPIPE). It is appropriate to exit, passing out the return value from the pipe, in case there is an actual problem. That said, because it is intentional that the pipe is being abandoned when head gets what it needs, the appropriate fix seems to be to turn off the 'pipefail' shell option, just for this particular pipeline. --- src/password-store.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/password-store.sh b/src/password-store.sh index 22e818f..cb11dfb 100755 --- a/src/password-store.sh +++ b/src/password-store.sh @@ -388,7 +388,7 @@ cmd_show() { echo "$pass" | $BASE64 -d else [[ $selected_line =~ ^[0-9]+$ ]] || die "Clip location '$selected_line' is not a number." - pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +${selected_line} | head -n 1)" || exit $? + pass="$(set +o pipefail; $GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +${selected_line} | head -n 1)" || exit $? [[ -n $pass ]] || die "There is no password to put on the clipboard at line ${selected_line}." if [[ $clip -eq 1 ]]; then clip "$pass" "$path" -- 2.27.0 From craig at theagricolas.org Tue Apr 12 23:57:32 2022 
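The SIGPIPE behaviour described in the commit message above, as an added bash example that is not part of the patch or of pass. `decrypt_ok` and `decrypt_fail` are hypothetical stand-ins for `$GPG -d`, the entry is constructed, and the third variant (checking `PIPESTATUS`) is an alternative assumed here, not something proposed in the thread.

```bash
#!/usr/bin/env bash
# Added illustration, not code from password-store.sh.
# decrypt_ok / decrypt_fail are hypothetical stand-ins for "$GPG -d ... $passfile".

SECRET='correct horse battery staple'   # constructed sample password

# Constructed entry: password on line 1, then notes large enough to overflow
# the pipe buffer, so the writer is still running when head exits.
decrypt_ok() {
    printf '%s\n' "$SECRET"
    seq 1 200000
}

# Failed decryption: no plaintext on stdout, non-zero exit status.
decrypt_fail() {
    return 2
}

# Each variant stores the selected line in LINE and returns the status that
# the script's "|| exit $?" would act on.  $1 = decrypt command, $2 = line no.

# Pipeline with pipefail on, as password-store.sh runs it before the patch.
first_line_pipefail() {
    LINE="$(set -o pipefail; "$1" | tail -n +"${2:-1}" | head -n 1)"
}

# The patch: pipefail switched off inside the command substitution only.
first_line_no_pipefail() {
    LINE="$(set +o pipefail; "$1" | tail -n +"${2:-1}" | head -n 1)"
}

# Alternative (assumption of this example): keep the decrypt status, but treat
# 141 (128 + SIGPIPE) as success because head closing the pipe is intended.
first_line_checked() {
    LINE="$(
        set +o pipefail
        "$1" | tail -n +"${2:-1}" | head -n 1
        rc=${PIPESTATUS[0]}
        if (( rc == 141 )); then rc=0; fi
        exit "$rc"
    )"
}

# Run one variant against one decrypt stand-in and report status and result.
report() {
    local rc=0
    "$1" "$2" || rc=$?
    printf '%-24s %-13s status=%-3s line=%s\n' "$1" "$2" "$rc" "${LINE:-<empty>}"
}

for variant in first_line_pipefail first_line_no_pipefail first_line_checked; do
    report "$variant" decrypt_ok
    report "$variant" decrypt_fail
done
```

The middle variant reports status 0 with an empty line for the failed decryption, which is the case a caller relying on `|| exit $?` would miss.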
From: craig at theagricolas.org (Craig B Agricola)
Date: Tue, 12 Apr 2022 19:57:32 -0400
Subject: My apologies for the mis-fire on the patch sent with an empty Subject
Message-ID: <20220412235732.GC5941@han.home.theagricolas.org>

My apologies for allowing mutt to prematurely fire off the previous
message without a Subject. Also, I intended to mark up that this is an
intended solution for a bug report made by Vaile Martiniuc back in
2020 [1].

-Craig

[1] https://lists.zx2c4.com/pipermail/password-store/2020-July/004221.html

From daniel.mach at suse.com Thu Apr 14 11:26:47 2022
From: daniel.mach at suse.com (Daniel Mach)
Date: Thu, 14 Apr 2022 13:26:47 +0200
Subject: [PATCH] Do not add newline at the end of the password
Message-ID: <20220414112647.4451-1-daniel.mach@suse.com>

SaltStack strips leading/trailing whitespaces from the password [1],
because pass adds a newline when entering passwords interactively.

Pass is capable of storing multiline passwords which are stored as
provided. That includes storing binary data as well. If such password
has leading/trailing whitespaces, they get stripped in SaltStack
and the password becomes invalid.

This change fixes the inconsistency by always storing the passwords
as provided, with no extra characters added.

To retain good user experience, a newline is printed to stderr after
printing a password.

[1] https://github.com/saltstack/salt/commit/2584df93e074155062bd934f23bb244613e20dd3

--- src/password-store.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/password-store.sh b/src/password-store.sh index 22e818f..48b3a79 100755 --- a/src/password-store.sh +++ b/src/password-store.sh
@@ -385,7 +385,8 @@ cmd_show() { if [[ -f $passfile ]]; then if [[ $clip -eq 0 && $qrcode -eq 0 ]]; then pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | $BASE64)" || exit $? - echo "$pass" | $BASE64 -d + echo -n "$pass" | $BASE64 -d + echo >&2 else [[ $selected_line =~ ^[0-9]+$ ]] || die "Clip location '$selected_line' is not a number." pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +${selected_line} | head -n 1)" || exit $? @@ -468,7 +469,7 @@ cmd_insert() { read -r -p "Retype password for $path: " -s password_again || exit 1 echo if [[ $password == "$password_again" ]]; then - echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." + echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." break else die "Error: the entered passwords do not match." @@ -477,7 +478,7 @@ cmd_insert() { else local password read -r -p "Enter password for $path: " -e password - echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." + echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." fi git_add_file "$passfile" "Add given password for $path to store." } -- 2.35.1 From aclopte at gmail.com Thu Apr 14 11:50:57 2022 
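Review bot: in the cmd_show hunk of the newline patch, `echo >&2` runs on every plain `pass show`, including when stdout is a pipe or a file, so a caller that merges stderr into stdout (`2>&1`) still receives the newline the patch set out to remove, and an entry that already ends in a newline gets a second, blank one on the terminal. Emitting it only when stdout is a terminal, for example `[[ -t 1 ]] && echo >&2`, keeps the interactive prompt tidy without touching captured output.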
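Review bot: in both cmd_insert hunks of the newline patch, `echo -n "$password"` hands the secret to echo as an argument, so a password that is itself `-n`, `-e` or `-E` is parsed as an option and an empty entry is encrypted; `printf '%s' "$password"` writes the bytes as entered. The change also alters the stored format of every new single-line entry, so the description should say so and note the effect on readers that expect a terminated first line (a `read -r` on the decrypted output, for one, returns non-zero when the last line has no newline).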
From: aclopte at gmail.com (Johannes Altmanninger) Date: Thu, 14 Apr 2022 13:50:57 +0200 Subject: [PATCH] Do not add newline at the end of the password In-Reply-To: <20220414112647.4451-1-daniel.mach@suse.com> References: <20220414112647.4451-1-daniel.mach@suse.com> Message-ID: <20220414115057.dzkgfb4v3ewet3cx@gmail.com> On Thu, Apr 14, 2022 at 01:26:47PM +0200, Daniel Mach wrote: > SaltStack strips leading/trailing whitespaces from the password [1], > because pass adds a newline when entering passwords interactively. SaltStack is removing too much. They should use the equivalent of pass_show_output.removesuffix("\n"). > > Pass is capable of storing multiline passwords which are stored as > provided. That includes storing binary data as well. If such password > has leading/traling whitespaces, they get stripped in SaltStack > and the password becomes invalid. > > This change fixes the inconsistency by always storing the passwords > as provided, with no extra characters added. > > To retain good user experience, a newline is printed to stderr after > printing a password. > > [1] https://github.com/saltstack/salt/commit/2584df93e074155062bd934f23bb244613e20dd3 > --- > src/password-store.sh | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/src/password-store.sh b/src/password-store.sh > index 22e818f..48b3a79 100755 > --- a/src/password-store.sh > +++ b/src/password-store.sh > @@ -385,7 +385,8 @@ cmd_show() { > if [[ -f $passfile ]]; then > if [[ $clip -eq 0 && $qrcode -eq 0 ]]; then > pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | $BASE64)" || exit $? > - echo "$pass" | $BASE64 -d > + echo -n "$pass" | $BASE64 -d > + echo >&2 > else > [[ $selected_line =~ ^[0-9]+$ ]] || die "Clip location '$selected_line' is not a number." > pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +${selected_line} | head -n 1)" || exit $? 
> @@ -468,7 +469,7 @@ cmd_insert() { > read -r -p "Retype password for $path: " -s password_again || exit 1 > echo > if [[ $password == "$password_again" ]]; then > - echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." > + echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." > break > else > die "Error: the entered passwords do not match." > @@ -477,7 +478,7 @@ cmd_insert() { > else > local password > read -r -p "Enter password for $path: " -e password > - echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." > + echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." > fi > git_add_file "$passfile" "Add given password for $path to store." > } > -- > 2.35.1 > From b at torresjrjr.com Thu Apr 14 11:52:30 2022 
From: b at torresjrjr.com (Byron Torres)
Date: Thu, 14 Apr 2022 12:52:30 +0100
Subject: [PATCH] Do not add newline at the end of the password
In-Reply-To: <20220414112647.4451-1-daniel.mach@suse.com>
References: <20220414112647.4451-1-daniel.mach@suse.com>
Message-ID:

On Thu Apr 14, 2022 at 12:26 PM BST, Daniel Mach wrote:
->%- > - echo "$pass" | $BASE64 -d > + echo -n "$pass" | $BASE64 -d > + echo >&2 ->%- > - echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." > + echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." ->%- > - echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." > + echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."

It should be noted that echo is notoriously buggy and unpredictable when
it comes to '-x' options like '-n' or '-e'. Some echo implementations
ignore or misuse them.

It is much more reliable to use printf.

    printf '%s' "$pass" | $BASE64 -d
    printf '\n' >&2

    printf '%s' "$password" | $GPG ...

I'm not familiar with the source code, but I'd imagine virtually all
instances of echo shouldn't be there, and should instead be printf
statements. Perhaps pass(1) relies on the usage of specific shells,
specific versions of said shells, and specific builtin implementations
of POSIX utilities, namely bash and its builtin echo. I'd say that
isn't good. I digress.

And worth noting, if one is to use certain non-POSIX syntax in printf,
like '\xNN' hexadecimal representations, it is wise to use the installed
printf, not the shell builtin printf.

    env printf '\x1b[31mRED TEXT\x1b[m\n'

From daniel.mach at suse.com Thu Apr 14 12:19:10 2022
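The difference between `echo -n` and `printf '%s'` raised in the reply above, as an added bash example that is not part of the thread or of pass. The sample passwords are constructed, and `write_echo_n` and `write_printf` are hypothetical stand-ins for the two ways of feeding the secret to `$GPG -e`.

```bash
#!/usr/bin/env bash
# Added illustration, not code from password-store.sh.  The writers below
# stand in for the left-hand side of "... | $GPG -e" in cmd_insert.

# Constructed sample passwords, including ones that look like echo options.
SAMPLES=( 'hunter2' '-n' '-e' '-E' '-ne' '50%off' )

write_echo_n() { echo -n "$1"; }        # form used by the patch
write_printf() { printf '%s' "$1"; }    # form suggested in the reply

# True if the writer ($1) emits exactly the secret ($2): nothing dropped,
# nothing added.  The trailing "x" sentinel stops $(...) from stripping
# trailing newlines, so an added newline would be detected too.
writes_exactly() {
    local out
    out="$("$1" "$2"; printf x)"
    [[ ${out%x} == "$2" ]]
}

# Space-separated list of the samples a writer fails to reproduce.
mangled_by() {
    local s bad=()
    for s in "${SAMPLES[@]}"; do
        writes_exactly "$1" "$s" || bad+=( "$s" )
    done
    printf '%s' "${bad[*]}"
}

# Report, per sample and per writer, whether the bytes survive.
for s in "${SAMPLES[@]}"; do
    for w in write_echo_n write_printf; do
        if writes_exactly "$w" "$s"; then r=intact; else r=ALTERED; fi
        printf '%-13s %-8s %s\n' "$w" "$s" "$r"
    done
done
```

Under bash's builtin echo the option-like samples are consumed as flags and nothing is written, so the entry that would be encrypted is empty.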
From: daniel.mach at suse.com (Daniel Mach) Date: Thu, 14 Apr 2022 14:19:10 +0200 Subject: [PATCH] Do not add newline at the end of the password In-Reply-To: <20220414115057.dzkgfb4v3ewet3cx@gmail.com> References: <20220414112647.4451-1-daniel.mach@suse.com> <20220414115057.dzkgfb4v3ewet3cx@gmail.com> Message-ID: <4e101799-6d22-95fd-26ea-d6e7797aa103@suse.com> On 14. 04. 22 13:50, Johannes Altmanninger wrote: > On Thu, Apr 14, 2022 at 01:26:47PM +0200, Daniel Mach wrote: >> SaltStack strips leading/trailing whitespaces from the password [1], >> because pass adds a newline when entering passwords interactively. > SaltStack is removing too much. They should use the equivalent of > pass_show_output.removesuffix("\n"). That's right. I'm planning to address this by sending a pull-request to SaltStack. On the other hand, if you store a multiline/binary password in pass, it can end with a newline, which still would end as an invalid password in SaltStack. I hope I'm not abusing pass too much by storing binary keys in it, but it's quite convenient to have all secrets in one place... > >> Pass is capable of storing multiline passwords which are stored as >> provided. That includes storing binary data as well. If such password >> has leading/traling whitespaces, they get stripped in SaltStack >> and the password becomes invalid. >> >> This change fixes the inconsistency by always storing the passwords >> as provided, with no extra characters added. >> >> To retain good user experience, a newline is printed to stderr after >> printing a password. >> >> [1] https://github.com/saltstack/salt/commit/2584df93e074155062bd934f23bb244613e20dd3 >> --- >> src/password-store.sh | 7 ++++--- >> 1 file changed, 4 insertions(+), 3 deletions(-) >> >> diff --git a/src/password-store.sh b/src/password-store.sh >> index 22e818f..48b3a79 100755 >> --- a/src/password-store.sh >> +++ b/src/password-store.sh 
>> @@ -385,7 +385,8 @@ cmd_show() { >> if [[ -f $passfile ]]; then >> if [[ $clip -eq 0 && $qrcode -eq 0 ]]; then >> pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | $BASE64)" || exit $? >> - echo "$pass" | $BASE64 -d >> + echo -n "$pass" | $BASE64 -d >> + echo >&2 >> else >> [[ $selected_line =~ ^[0-9]+$ ]] || die "Clip location '$selected_line' is not a number." >> pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +${selected_line} | head -n 1)" || exit $? >> @@ -468,7 +469,7 @@ cmd_insert() { >> read -r -p "Retype password for $path: " -s password_again || exit 1 >> echo >> if [[ $password == "$password_again" ]]; then >> - echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." >> + echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." >> break >> else >> die "Error: the entered passwords do not match." >> @@ -477,7 +478,7 @@ cmd_insert() { >> else >> local password >> read -r -p "Enter password for $path: " -e password >> - echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." >> + echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." >> fi >> git_add_file "$passfile" "Add given password for $path to store." >> } >> -- >> 2.35.1 >> From daniel.mach at suse.com Thu Apr 14 12:20:44 2022 
From: daniel.mach at suse.com (Daniel Mach)
Date: Thu, 14 Apr 2022 14:20:44 +0200
Subject: [PATCH] Do not add newline at the end of the password
In-Reply-To:
References: <20220414112647.4451-1-daniel.mach@suse.com>
Message-ID:

On 14. 04. 22 13:52, Byron Torres wrote:
> On Thu Apr 14, 2022 at 12:26 PM BST, Daniel Mach wrote:
> ->%-
>> - echo "$pass" | $BASE64 -d >> + echo -n "$pass" | $BASE64 -d >> + echo >&2
> ->%-
>> - echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." >> + echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
> ->%-
>> - echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." >> + echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
> It should be noted that echo is notoriously buggy and unpredictable when
> it comes to '-x' options like '-n' or '-e'. Some echo implementations
> ignore or misuse them.
>
> It is much more reliable to use printf.
>
>     printf '%s' "$pass" | $BASE64 -d
>     printf '\n' >&2
>
>     printf '%s' "$password" | $GPG ...
>
> I'm not familiar with the source code, but I'd imagine virtually all
> instances of echo shouldn't be there, and should instead be printf
> statements. Perhaps pass(1) relies on the usage of specific shells,
> specific versions of said shells, and specific builtin implementations
> of POSIX utilities, namely bash and its builtin echo. I'd say that
> isn't good. I digress.
>
> And worth noting, if one is to use certain non-POSIX syntax in printf,
> like '\xNN' hexadecimal representations, it is wise to use the installed
> printf, not the shell builtin printf.
>
>     env printf '\x1b[31mRED TEXT\x1b[m\n'
>
I think this is out of scope of my patch, because pass uses 'echo -n' in several other places already and I'd have to change them as well.

From craig at theagricolas.org Thu Apr 14 12:44:47 2022
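The portability point raised in the quoted reply, as an added example (not code from pass or from the thread): it pushes constructed sample passwords through both writers and counts how many come out altered. Which samples `echo -n` alters depends on the shell (bash's builtin swallows `-n` and `-e` as options, dash's expands backslash escapes); all function names are made up for this sketch.

```shell
#!/bin/sh
# Added example: how the writer in front of the gpg pipe treats odd passwords.
# Every sample value below is constructed for this demonstration.

# Writer as in the patch under discussion.
emit_echo() { echo -n "$1"; }

# Writer suggested in the reply.
emit_printf() { printf '%s' "$1"; }

# Succeeds when writer $1 puts exactly the bytes of $2 on its stdout.
# The trailing "x" sentinel stops $(...) from dropping final newlines.
faithful() {
	got=$("$1" "$2"; printf x)
	[ "$got" = "${2}x" ]
}

# Prints how many of the five sample passwords writer $1 alters.
mangled_count() {
	count=0
	for secret in 'hunter2' '-n' '-e' 'tab\there' 'back\\slash'; do
		faithful "$1" "$secret" || count=$((count + 1))
	done
	echo "$count"
}

# One summary line per writer.
report() {
	for writer in emit_echo emit_printf; do
		printf '%s alters %s of 5 sample passwords\n' \
			"$writer" "$(mangled_count "$writer")"
	done
}

report
```

An altered sample here means the bytes handed to gpg differ from what the user typed, so the stored entry would silently hold a different (possibly empty) password.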
From: craig at theagricolas.org (Craig B Agricola)
Date: Thu, 14 Apr 2022 08:44:47 -0400
Subject: [PATCH] Do not add newline at the end of the password
In-Reply-To: <4e101799-6d22-95fd-26ea-d6e7797aa103@suse.com>
References: <20220414112647.4451-1-daniel.mach@suse.com> <20220414115057.dzkgfb4v3ewet3cx@gmail.com> <4e101799-6d22-95fd-26ea-d6e7797aa103@suse.com>
Message-ID: <20220414124447.GH301@han.home.theagricolas.org>

I'm new around here (being subscribed to the mailing list, that is; not new to using password-store), so take this with the grain of salt that it's due...

I think that pass is inherently assumed to be line-oriented, human-readable storage. As you note, you can have multi-line password entries, which are typically used to keep track of multiple fields (username, password, URL, and maybe data used by extensions, like an OTP URI) and/or notes. I think breaking this expected behavior by not having the first line terminate with a newline is likely to spider into a lot of assumptions made by consumers of password-store (user written scripts), as well as probably existing wrappers and extensions.

I'd actually suggest that the solution to your problem of wanting to store binary keys and keys with leading/trailing whitespace is to uuencode/base64-encode your key before you put it into pass. Then you'll get exactly the behavior that you want, and you keep the semantics that what is stored in a password-store encrypted entry is human readable...

-Craig

On Thu, Apr 14, 2022 at 02:19:10PM +0200, Daniel Mach wrote:
>
> On 14. 04. 22 13:50, Johannes Altmanninger wrote:
> > On Thu, Apr 14, 2022 at 01:26:47PM +0200, Daniel Mach wrote:
> > > SaltStack strips leading/trailing whitespaces from the password [1],
> > > because pass adds a newline when entering passwords interactively.
> > SaltStack is removing too much. They should use the equivalent of
> > pass_show_output.removesuffix("\n").
>
> That's right. I'm planning to address this by sending a pull-request to
> SaltStack.
>
> On the other hand, if you store a multiline/binary password in pass, it can
> end with a newline, which still would end as an invalid password in
> SaltStack.
>
> I hope I'm not abusing pass too much by storing binary keys in it, but it's
> quite convenient to have all secrets in one place...
>
> > >
> > > Pass is capable of storing multiline passwords which are stored as
> > > provided. That includes storing binary data as well. If such password
> > > has leading/trailing whitespaces, they get stripped in SaltStack
> > > and the password becomes invalid.
> > >
> > > This change fixes the inconsistency by always storing the passwords
> > > as provided, with no extra characters added.
> > >
> > > To retain good user experience, a newline is printed to stderr after
> > > printing a password.
> > >
> > > [1] https://github.com/saltstack/salt/commit/2584df93e074155062bd934f23bb244613e20dd3
> > > --- > > > src/password-store.sh | 7 ++++--- > > > 1 file changed, 4 insertions(+), 3 deletions(-) > > > > > > diff --git a/src/password-store.sh b/src/password-store.sh > > > index 22e818f..48b3a79 100755 > > > --- a/src/password-store.sh > > > +++ b/src/password-store.sh > > > @@ -385,7 +385,8 @@ cmd_show() { > > > if [[ -f $passfile ]]; then > > > if [[ $clip -eq 0 && $qrcode -eq 0 ]]; then > > > pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | $BASE64)" || exit $? > > > - echo "$pass" | $BASE64 -d > > > + echo -n "$pass" | $BASE64 -d > > > + echo >&2 > > > else > > > [[ $selected_line =~ ^[0-9]+$ ]] || die "Clip location '$selected_line' is not a number." > > > pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +${selected_line} | head -n 1)" || exit $?
> > > @@ -468,7 +469,7 @@ cmd_insert() { > > > read -r -p "Retype password for $path: " -s password_again || exit 1 > > > echo > > > if [[ $password == "$password_again" ]]; then > > > - echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." > > > + echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." > > > break > > > else > > > die "Error: the entered passwords do not match." > > > @@ -477,7 +478,7 @@ cmd_insert() { > > > else > > > local password > > > read -r -p "Enter password for $path: " -e password > > > - echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." > > > + echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." > > > fi > > > git_add_file "$passfile" "Add given password for $path to store." > > > } > > > -- > > > 2.35.1 > > > >

From t-passwd at girst.at Thu Apr 14 12:48:28 2022
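Review bot: In both cmd_insert hunks, `echo -n "$password"` hands the typed password to echo as an argument, so with bash's builtin echo a password that is itself `-n`, `-e` or `-E` is taken as an option and an empty entry gets encrypted; `printf '%s' "$password" | $GPG -e ...` writes any value unchanged. The change also means new single-line entries lack the terminating newline that entries written by the removed `echo "$password"` lines have, and the diffstat shows no man/pass.1 update, so the format change should be documented for scripts that read entries line by line.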
From: t-passwd at girst.at (Tobias Girstmair)
Date: Thu, 14 Apr 2022 14:48:28 +0200
Subject: [PATCH] Do not add newline at the end of the password
In-Reply-To: <20220414112647.4451-1-daniel.mach@suse.com>
References: <20220414112647.4451-1-daniel.mach@suse.com>
Message-ID:

On Thu, Apr 14, 2022 at 01:26:47PM +0200, Daniel Mach wrote:
>SaltStack strips leading/trailing whitespaces from the password [1],
>because pass adds a newline when entering passwords interactively.
>
>Pass is capable of storing multiline passwords which are stored as
>provided. That includes storing binary data as well. If such password
>has leading/trailing whitespaces, they get stripped in SaltStack
>and the password becomes invalid.
>
>This change fixes the inconsistency by always storing the passwords
>as provided, with no extra characters added.
>
>To retain good user experience, a newline is printed to stderr after
>printing a password.

this looks like a bad idea to me, sorry to say. the data format described on passwordstore.org is textual, not binary.

also, printing a newline on stderr unconditionally is a bit inelegant (when stdout was redirected somewhere, a newline is still printed to the terminal). two admittedly contrived examples:

    printf "fetching password ..." >&2
    foo="$(pass show foo)"
    printf "done\n" >&2
    # note how the status message now has a line break in it. would be even
    # worse when the program uses printf "\r" for a loading bar.

    pass show foo | cat - /etc/hostname
    # note that instead of two lines, cat returns both items on a single
    # line now.

AFAICT, pass insert -m does not add an extra line terminator. doesn't this suffice for your use case?

personally, i base64 encode all binary blobs i store in pass. this has the added benefit of (1) making it clear that these are bytes and (2) i can add metadata in the usual http-header-like format below it, still.

From aclopte at gmail.com Thu Apr 14 12:54:55 2022
From: aclopte at gmail.com (Johannes Altmanninger)
Date: Thu, 14 Apr 2022 14:54:55 +0200
Subject: [PATCH] Do not add newline at the end of the password
In-Reply-To: <4e101799-6d22-95fd-26ea-d6e7797aa103@suse.com>
References: <20220414112647.4451-1-daniel.mach@suse.com> <20220414115057.dzkgfb4v3ewet3cx@gmail.com> <4e101799-6d22-95fd-26ea-d6e7797aa103@suse.com>
Message-ID: <20220414125455.irpkonhbpqv2k7ww@gmail.com>

On Thu, Apr 14, 2022 at 02:19:10PM +0200, Daniel Mach wrote:
>
> On 14. 04. 22 13:50, Johannes Altmanninger wrote:
> > On Thu, Apr 14, 2022 at 01:26:47PM +0200, Daniel Mach wrote:
> > > SaltStack strips leading/trailing whitespaces from the password [1],
> > > because pass adds a newline when entering passwords interactively.
> > SaltStack is removing too much. They should use the equivalent of
> > pass_show_output.removesuffix("\n").
>
> That's right. I'm planning to address this by sending a pull-request to
> SaltStack.

Good

>
> On the other hand, if you store a multiline/binary password in pass, it can
> end with a newline, which still would end as an invalid password in
> SaltStack.

It sounds like you're suggesting that there is a flaw in pass that prevents you from storing arbitrary data. I fail to see such a flaw. Just make sure to add the trailing newline when you insert into the password store and remove the same newline when you read from it.

(of course "pass generate" and "pass insert" will add the newline automatically)

From daniel.mach at suse.com Thu Apr 14 13:30:34 2022
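What "remove the same newline when you read from it" means for a shell consumer, as an added example (not code from pass, SaltStack or the thread). `fake_pass_show` is a hypothetical stand-in for `pass show`, the reader names are made up, and both secrets are constructed.

```shell
#!/bin/sh
# Added example: three ways a consumer can read `pass show` output.
NL='
'

# Hypothetical stand-in for `pass show NAME`: prints the entry as stored,
# i.e. the secret ($1) plus the terminator that `pass insert` appends.
fake_pass_show() { printf '%s\n' "$1"; }

# 1. Plain command substitution: the shell drops ALL trailing newlines.
read_substitution() { SECRET=$(fake_pass_show "$1"); }

# 2. Strip surrounding spaces and newlines, the kind of whitespace
#    stripping the thread attributes to SaltStack.
read_stripped() {
	SECRET=$(fake_pass_show "$1")
	while case $SECRET in *' '|*"$NL") true ;; *) false ;; esac; do
		SECRET=${SECRET%?}
	done
	while case $SECRET in ' '*|"$NL"*) true ;; *) false ;; esac; do
		SECRET=${SECRET#?}
	done
}

# 3. Remove exactly one trailing newline, like removesuffix("\n").
read_exact() {
	SECRET=$(fake_pass_show "$1"; printf x)   # sentinel keeps newlines alive
	SECRET=${SECRET%x}
	SECRET=${SECRET%"$NL"}
}

# Prints "ok" when reader $1 hands back secret $2 unchanged, else "changed".
check() {
	"$1" "$2"
	if [ "$SECRET" = "$2" ]; then echo ok; else echo changed; fi
}

report() {
	padded='  s3cret  '            # constructed: leading/trailing spaces
	multiline="key-material$NL"    # constructed: secret that ends in a newline
	for reader in read_substitution read_stripped read_exact; do
		printf '%-18s padded=%s multiline=%s\n' "$reader" \
			"$(check "$reader" "$padded")" "$(check "$reader" "$multiline")"
	done
}

report
```

Only the third reader returns both secrets intact, which is why a consumer that strips one known terminator works with the existing storage format while a general whitespace strip does not.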
From: daniel.mach at suse.com (Daniel Mach)
Date: Thu, 14 Apr 2022 15:30:34 +0200
Subject: [PATCH] Do not add newline at the end of the password
In-Reply-To: <20220414125455.irpkonhbpqv2k7ww@gmail.com>
References: <20220414112647.4451-1-daniel.mach@suse.com> <20220414115057.dzkgfb4v3ewet3cx@gmail.com> <4e101799-6d22-95fd-26ea-d6e7797aa103@suse.com> <20220414125455.irpkonhbpqv2k7ww@gmail.com>
Message-ID: <9e298c26-f962-d1af-a6b3-1d0d283ff3b3@suse.com>

On 14. 04. 22 14:54, Johannes Altmanninger wrote:
> On Thu, Apr 14, 2022 at 02:19:10PM +0200, Daniel Mach wrote:
>> On 14. 04. 22 13:50, Johannes Altmanninger wrote:
>>> On Thu, Apr 14, 2022 at 01:26:47PM +0200, Daniel Mach wrote:
>>>> SaltStack strips leading/trailing whitespaces from the password [1],
>>>> because pass adds a newline when entering passwords interactively.
>>> SaltStack is removing too much. They should use the equivalent of
>>> pass_show_output.removesuffix("\n").
>> That's right. I'm planning to address this by sending a pull-request to
>> SaltStack.
> Good
>
>> On the other hand, if you store a multiline/binary password in pass, it can
>> end with a newline, which still would end as an invalid password in
>> SaltStack.
> It sounds like you're suggesting that there is a flaw in pass that prevents
> you from storing arbitrary data. I fail to see such a flaw. Just make
> sure to add the trailing newline when you insert into the password store
> and remove the same newline when you read from it.
>
> (of course "pass generate" and "pass insert" will add the newline automatically)

Adding the trailing newline is certainly doable, but far from convenient. If pass is used by several admins to manage the secrets, they all need to know about adding the newline. I was simply hoping for a code change so nobody has to think of this special case.
I take it that my patch is not aligned with project best practices and I will either somehow enforce the trailing newline or use a special prefix to distinguish between base64 encoded content and plain text.

From pzorin at math.uni-bonn.de Tue Apr 26 16:00:01 2022
From: pzorin at math.uni-bonn.de (Pavel Zorin-Kranich)
Date: Tue, 26 Apr 2022 18:00:01 +0200
Subject: [PATCH] cmd_edit: decrypt only once
Message-ID: <20220426160001.121704-1-pzorin@math.uni-bonn.de>

Keep a second temporary copy of the decrypted file to check whether the
password was changed.

This is useful if gpg-agent times out during editing.
--- src/password-store.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/password-store.sh b/src/password-store.sh index 22e818f..65cd707 100755 --- a/src/password-store.sh +++ b/src/password-store.sh @@ -494,15 +494,18 @@ cmd_edit() { tmpdir #Defines $SECURE_TMPDIR local tmp_file="$(mktemp -u "$SECURE_TMPDIR/XXXXXX")-${path//\//-}.txt" + local tmp_original_file="$(mktemp -u "$SECURE_TMPDIR/XXXXXX")-${path//\//-}.txt" local action="Add" + touch "$tmp_original_file" # diff returns 2 if a file does not exist if [[ -f $passfile ]]; then $GPG -d -o "$tmp_file" "${GPG_OPTS[@]}" "$passfile" || exit 1 + cp "$tmp_file" "$tmp_original_file" action="Edit" fi ${EDITOR:-vi} "$tmp_file" [[ -f $tmp_file ]] || die "New password not saved." - $GPG -d -o - "${GPG_OPTS[@]}" "$passfile" 2>/dev/null | diff - "$tmp_file" &>/dev/null && die "Password unchanged." + diff "$tmp_file" "$tmp_original_file" &>/dev/null && die "Password unchanged." while ! $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" "$tmp_file"; do yesno "GPG encryption failed. Would you like to try again?" done -- 2.34.1

From tgyurci at gmail.com Thu Apr 28 07:14:25 2022
From: tgyurci at gmail.com (Teubel György)
Date: Thu, 28 Apr 2022 09:14:25 +0200
Subject: [PATCH] cmd_edit: decrypt only once
In-Reply-To: <20220426160001.121704-1-pzorin@math.uni-bonn.de>
References: <20220426160001.121704-1-pzorin@math.uni-bonn.de>
Message-ID:

Hi!

You could use cmp -s instead of diff and check the existence of "$tmp_original_file" instead of always creating it:

    if [ -f "$tmp_original_file" ] && cmp -s "$tmp_file" "$tmp_original_file"; then
        die "Password unchanged."
    fi

Gy.

Pavel Zorin-Kranich wrote (on Tue, 26 Apr 2022, 18:02):
>
> Keep a second temporary copy of the decrypted file to check whether the
> password was changed.
>
> This is useful if gpg-agent times out during editing.
> --- > src/password-store.sh | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/src/password-store.sh b/src/password-store.sh > index 22e818f..65cd707 100755 > --- a/src/password-store.sh > +++ b/src/password-store.sh > @@ -494,15 +494,18 @@ cmd_edit() { > > tmpdir #Defines $SECURE_TMPDIR > local tmp_file="$(mktemp -u "$SECURE_TMPDIR/XXXXXX")-${path//\//-}.txt" > + local tmp_original_file="$(mktemp -u "$SECURE_TMPDIR/XXXXXX")-${path//\//-}.txt" > > local action="Add" > + touch "$tmp_original_file" # diff returns 2 if a file does not exist > if [[ -f $passfile ]]; then > $GPG -d -o "$tmp_file" "${GPG_OPTS[@]}" "$passfile" || exit 1 > + cp "$tmp_file" "$tmp_original_file" > action="Edit" > fi > ${EDITOR:-vi} "$tmp_file" > [[ -f $tmp_file ]] || die "New password not saved." > - $GPG -d -o - "${GPG_OPTS[@]}" "$passfile" 2>/dev/null | diff - "$tmp_file" &>/dev/null && die "Password unchanged." > + diff "$tmp_file" "$tmp_original_file" &>/dev/null && die "Password unchanged." > while ! $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" "$tmp_file"; do > yesno "GPG encryption failed. Would you like to try again?" > done > -- > 2.34.1 >
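Review bot: The added `cp "$tmp_file" "$tmp_original_file"` keeps a second plaintext copy of the entry in $SECURE_TMPDIR for the whole editor session and nothing in this hunk removes it, so confirm that whatever cleanup `tmpdir` sets up deletes every file in that directory, or remove the copy right after the comparison. The `mktemp -u` plus `touch` pair exists only to keep diff from failing on a missing file; testing `[[ -f $tmp_original_file ]]` before comparing with `cmp -s` would avoid creating an empty file for new entries and drops the need for `&>/dev/null`.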