[PATCH] Do not add newline at the end of the password

Craig B Agricola craig at theagricolas.org
Thu Apr 14 12:44:47 UTC 2022


I'm new around here (being subscribed to the mailing list, that is; not new to
using password-store), so take this with the grain of salt that it's due...

I think that pass is inherently assumed to be line-oriented, human-readable
storage.  As you note, you can have multi-line password entries, which are
typically used to keep track of multiple fields (username, password, URL, and
maybe data used by extensions, like an OTP URI) and/or notes.

I think breaking this expected behavior by not having the first line terminate
with a newline is likely to spider into a lot of assumptions made by consumers
of password-store (user written scripts), as well as probably existing wrappers
and extensions.

I'd actually suggest that the solution to your problem of wanting to store
binary keys and keys with leading/trailing whitespace is to
uuencode/base64-encode your key before you put it into pass.  Then you'll get
exactly the behavior that you want, and you keep the semantics that what is
stored in a password-store encrypted entry is human readable...

 -Craig

On Thu, Apr 14, 2022 at 02:19:10PM +0200, Daniel Mach wrote:
> 
> On 14. 04. 22 13:50, Johannes Altmanninger wrote:
> > On Thu, Apr 14, 2022 at 01:26:47PM +0200, Daniel Mach wrote:
> > > SaltStack strips leading/trailing whitespaces from the password [1],
> > > because pass adds a newline when entering passwords interactively.
> > SaltStack is removing too much. They should use the equivalent of
> > pass_show_output.removesuffix("\n").
> 
> That's right. I'm planning to address this by sending a pull-request to
> SaltStack.
> 
> On the other hand, if you store a multiline/binary password in pass, it can
> end with a newline, which still would end as an invalid password in
> SaltStack.
> 
> I hope I'm not abusing pass too much by storing binary keys in it, but it's
> quite convenient to have all secrets in one place...
> 
> > 
> > > Pass is capable of storing multiline passwords which are stored as
> > > provided. That includes storing binary data as well. If such a password
> > > has leading/trailing whitespaces, they get stripped in SaltStack
> > > and the password becomes invalid.
> > > 
> > > This change fixes the inconsistency by always storing the passwords
> > > as provided, with no extra characters added.
> > > 
> > > To retain good user experience, a newline is printed to stderr after
> > > printing a password.
> > > 
> > > [1] https://github.com/saltstack/salt/commit/2584df93e074155062bd934f23bb244613e20dd3
> > > ---
> > >   src/password-store.sh | 7 ++++---
> > >   1 file changed, 4 insertions(+), 3 deletions(-)
> > > 
> > > diff --git a/src/password-store.sh b/src/password-store.sh
> > > index 22e818f..48b3a79 100755
> > > --- a/src/password-store.sh
> > > +++ b/src/password-store.sh
> > > @@ -385,7 +385,8 @@ cmd_show() {
> > >   	if [[ -f $passfile ]]; then
> > >   		if [[ $clip -eq 0 && $qrcode -eq 0 ]]; then
> > >   			pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | $BASE64)" || exit $?
> > > -			echo "$pass" | $BASE64 -d
> > > +			echo -n "$pass" | $BASE64 -d
> > > +			echo >&2
> > >   		else
> > >   			[[ $selected_line =~ ^[0-9]+$ ]] || die "Clip location '$selected_line' is not a number."
> > >   			pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +${selected_line} | head -n 1)" || exit $?
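Review bot: the `-n` in `echo -n "$pass" | $BASE64 -d` does not change what reaches stdout: the `$(...)` capture on the line above already stripped the trailing newline from the base64 text, and GNU `base64 -d` decodes the same bytes with or without a final newline, so the only behavioural change in this hunk is the unconditional `echo >&2`. That stderr newline is also emitted when stdout is a pipe (the SaltStack case the patch is written for), where it ends up in whatever captures stderr, and for an entry that already ends in "\n" an interactive `pass show` now prints two line breaks. Suggest guarding it, e.g. `[[ -t 1 ]] && echo >&2`, and, since `$BASE64` is set per platform, checking that every decoder pass maps it to accepts input without a terminating newline before relying on the `-n`. The clip/qrcode branch below still picks a line with `tail -n +${selected_line} | head -n 1`, so entries without a trailing newline keep working there.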
> > > @@ -468,7 +469,7 @@ cmd_insert() {
> > >   			read -r -p "Retype password for $path: " -s password_again || exit 1
> > >   			echo
> > >   			if [[ $password == "$password_again" ]]; then
> > > -				echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
> > > +				echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
> > >   				break
> > >   			else
> > >   				die "Error: the entered passwords do not match."
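Review bot: `read -r -s` already drops the terminating newline, so `echo -n "$password"` stores exactly what was typed, but bash's builtin `echo` still treats a password that is exactly `-n`, `-e` or `-E` as an option and prints nothing, and with `shopt -s xpg_echo` it expands backslash escapes in the secret. Since this line is being touched anyway, `printf '%s' "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}"` gives the intended no-newline output without option or escape processing and is portable beyond bash's `echo -n`.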
> > > @@ -477,7 +478,7 @@ cmd_insert() {
> > >   	else
> > >   		local password
> > >   		read -r -p "Enter password for $path: " -e password
> > > -		echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
> > > +		echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
> > >   	fi
> > >   	git_add_file "$passfile" "Add given password for $path to store."
> > >   }
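Review bot: after these two hunks the store is mixed: entries written by the existing `echo "$password"` lines end in "\n" while new interactive inserts do not, and nothing in the patch lets a reader of `pass show` output tell which rule an entry follows; the manual page should state that an interactively inserted password no longer carries a trailing newline and that older entries keep theirs. Also, unlike the `-s` branch above (`read ... || exit 1`), the `read -r -p ... -e password` here has no exit on EOF, so Ctrl-D at the prompt now encrypts a zero-byte plaintext instead of a lone newline; handling it the same way as the `-s` branch would avoid silently storing an empty secret.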
> > > -- 
> > > 2.35.1
> > > 
> 
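An added example, not code from password-store or SaltStack, that puts the two suggestions from this thread side by side on the consumer end: dropping exactly one trailing newline, as Johannes suggests for SaltStack, versus strip(), and base64-encoding a binary key on the way in (Craig's suggestion) so it comes back byte for byte even when the key itself ends in a newline. The function names and the sample `pass show` outputs are constructed for the example; `pass_show` assumes a `pass` binary on PATH and is not exercised offline. Python, because the SaltStack side is Python:

```python
"""Consumer-side handling of `pass show` output.

Added example for the points raised in this thread; not code from
password-store or SaltStack. The function names and the sample secrets
below are constructed for illustration.
"""
import base64
import subprocess


def strip_one_newline(raw: bytes) -> bytes:
    """Drop at most the single "\\n" that an interactive `pass insert`
    appends; this is the removesuffix("\\n") suggested in the thread."""
    return raw[:-1] if raw.endswith(b"\n") else raw


def strip_all_whitespace(raw: bytes) -> bytes:
    """The strip() behaviour under discussion: removes every leading and
    trailing whitespace byte, including ones that belong to the secret."""
    return raw.strip()


def encode_for_pass(secret: bytes) -> str:
    """Base64 a binary or whitespace-sensitive secret into one ASCII line
    with no whitespace at either end, ready to paste into `pass insert`."""
    return base64.b64encode(secret).decode("ascii")


def decode_from_pass(shown: bytes) -> bytes:
    """Recover the exact bytes from `pass show` output of an entry written
    with encode_for_pass: tolerates the newline pass adds, rejects input
    that is not strict base64 (raises binascii.Error, a ValueError)."""
    return base64.b64decode(strip_one_newline(shown), validate=True)


def pass_show(entry: str) -> bytes:
    """Raw bytes of `pass show <entry>` from a real store (assumes `pass`
    on PATH; not run in the offline demonstration)."""
    return subprocess.run(["pass", "show", entry],
                          check=True, capture_output=True).stdout


# Constructed samples standing in for `pass show` output.
# 1. A text password with significant leading/trailing spaces as stored by
#    `pass insert`: the secret plus the one newline pass appends.
SHOWN_TEXT = b" hunter2 \n"
# 2. A binary key stored verbatim (multiline insert): leading space, NUL,
#    a non-UTF-8 byte, a tab, and the key's own trailing newline.
BINARY_KEY = b" \x00\x01\xff\t\n"
# 3. The same key stored base64-encoded, plus the newline pass appends.
SHOWN_B64 = encode_for_pass(BINARY_KEY).encode("ascii") + b"\n"


def compare() -> dict:
    """What each strategy yields on the samples, keyed by strategy name."""
    return {
        "text/strip": strip_all_whitespace(SHOWN_TEXT),       # b"hunter2": spaces lost
        "text/one_newline": strip_one_newline(SHOWN_TEXT),    # b" hunter2 ": correct
        "binary/strip": strip_all_whitespace(BINARY_KEY),     # loses " ", "\t" and "\n"
        "binary/one_newline": strip_one_newline(BINARY_KEY),  # still loses the key's "\n"
        "binary/base64": decode_from_pass(SHOWN_B64),         # exact bytes back
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:20s} {value!r}")
```

The base64 route is the only one of the three that survives a secret ending in "\n", which is exactly Daniel's remaining case once SaltStack switches to removing a single newline.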

