[PATCH] Do not add newline at the end of the password

Daniel Mach daniel.mach at suse.com
Thu Apr 14 11:26:47 UTC 2022


SaltStack strips leading/trailing whitespaces from the password [1],
because pass adds a newline when entering passwords interactively.

Pass is capable of storing multiline passwords which are stored as
provided. That includes storing binary data as well. If such a password
has leading/trailing whitespaces, they get stripped in SaltStack
and the password becomes invalid.

This change fixes the inconsistency by always storing the passwords
as provided, with no extra characters added.

To retain good user experience, a newline is printed to stderr after
printing a password.

[1] https://github.com/saltstack/salt/commit/2584df93e074155062bd934f23bb244613e20dd3
---
 src/password-store.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/password-store.sh b/src/password-store.sh
index 22e818f..48b3a79 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -385,7 +385,8 @@ cmd_show() {
 	if [[ -f $passfile ]]; then
 		if [[ $clip -eq 0 && $qrcode -eq 0 ]]; then
 			pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | $BASE64)" || exit $?
-			echo "$pass" | $BASE64 -d
+			echo -n "$pass" | $BASE64 -d
+			echo >&2
 		else
 			[[ $selected_line =~ ^[0-9]+$ ]] || die "Clip location '$selected_line' is not a number."
 			pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +${selected_line} | head -n 1)" || exit $?
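Review bot: the `echo >&2` added after the decode in cmd_show is unconditional, so every non-clip, non-QR show writes a blank line to stderr even when stdout is a pipe or a file, and any caller that merges or captures stderr (`2>&1`) gets the newline back in its data. Consider emitting it only when stdout is a terminal, for example `[[ -t 1 ]] && echo >&2`. Entries already in the store were written by the removed `echo "$password"` lines and still end in a newline, so on a terminal they will now be followed by an extra blank line; the commit message should say how existing entries are expected to behave.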
@@ -468,7 +469,7 @@ cmd_insert() {
 			read -r -p "Retype password for $path: " -s password_again || exit 1
 			echo
 			if [[ $password == "$password_again" ]]; then
-				echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
+				echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
 				break
 			else
 				die "Error: the entered passwords do not match."
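Review bot: in the retype branch of cmd_insert, `echo -n "$password"` passes the password to bash's echo as an argument that is still subject to option parsing, so a password that is exactly `-n`, `-e` or `-E` (or a combination such as `-neE`) is consumed as an option and an empty string is encrypted with no error. The removed line had the same weakness, but since this change is about storing the bytes exactly as provided, `printf '%s' "$password"` is the safer form here: it does no option parsing on the data and behaves the same regardless of the `xpg_echo` shell option.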
@@ -477,7 +478,7 @@ cmd_insert() {
 	else
 		local password
 		read -r -p "Enter password for $path: " -e password
-		echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
+		echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
 	fi
 	git_add_file "$passfile" "Add given password for $path to store."
 }
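Review bot: in the echoing branch, `read -r -p "Enter password for $path: " -e password` runs with the default IFS, so leading and trailing spaces and tabs are stripped from the input before `echo -n` sees it, and this path still does not store the password as provided. If that is the goal, use `IFS= read -r ...` here and in the two reads of the retype branch, and write the value with `printf '%s' "$password"` rather than `echo -n`. The diffstat touches only src/password-store.sh, so a test that inserts a value with surrounding whitespace and compares the decrypted bytes would be worth adding with this change.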
-- 
2.35.1


