[PATCH] Do not add newline at the end of the password

Daniel Mach daniel.mach at suse.com
Thu Apr 14 13:30:34 UTC 2022


On 14. 04. 22 14:54, Johannes Altmanninger wrote:
> On Thu, Apr 14, 2022 at 02:19:10PM +0200, Daniel Mach wrote:
>> On 14. 04. 22 13:50, Johannes Altmanninger wrote:
>>> On Thu, Apr 14, 2022 at 01:26:47PM +0200, Daniel Mach wrote:
>>>> SaltStack strips leading/trailing whitespace from the password [1],
>>>> because pass adds a newline when entering passwords interactively.
>>> SaltStack is removing too much. They should use the equivalent of
>>> pass_show_output.removesuffix("\n").
>> That's right. I'm planning to address this by sending a pull-request to
>> SaltStack.
> Good
>
>> On the other hand, if you store a multiline/binary password in pass, it can
>> end with a newline, which still would end as an invalid password in
>> SaltStack.
> It sounds like you're suggesting that there is a flaw in pass that prevents
> you from storing arbitrary data. I fail to see such a flaw.  Just make
> sure to add the trailing newline when you insert into the password store
> and remove the same newline when you read from it.
>
> (of course "pass generate" and "pass insert" will add the newline automatically)

Adding the trailing newline is certainly doable, but far from
convenient. If pass is used by several admins to manage the secrets,
they all need to know about adding the newline. I was simply hoping for a
code change so nobody has to think of this special case.

I take it that my patch is not aligned with project best practices and I 
will either somehow enforce the trailing newline or use a special prefix 
to distinguish between base64 encoded content and plain text.
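
Added example, not part of the original message and not pass or SaltStack code: a small model of the convention discussed in this thread (the writer appends exactly one newline, the reader removes exactly one), compared with a reader that strips all surrounding whitespace. The helper names and sample secrets are constructed for illustration.

```python
# Hypothetical helpers modelling the thread's convention; requires Python 3.9+.

def store(secret: bytes) -> bytes:
    """Entry content when the writer follows the convention: secret + one newline."""
    return secret + b"\n"

def read_strip(entry: bytes) -> bytes:
    """Reader that strips all leading/trailing whitespace (the behaviour
    the thread attributes to SaltStack)."""
    return entry.strip()

def read_removesuffix(entry: bytes) -> bytes:
    """Reader that removes only the single newline added on insert."""
    return entry.removesuffix(b"\n")

# Constructed sample secrets, including multiline and binary content.
SAMPLES = [
    b"correct horse",
    b" leading-space",
    b"trailing-space ",
    b"ends-with-newline\n",
    b"line1\nline2\n",
    b"\x00\x01binary\t\r\n",
]

def round_trip_failures(reader):
    """Secrets that do not come back byte-for-byte after store() + reader()."""
    return [s for s in SAMPLES if reader(store(s)) != s]

def read_unconventional(secret: bytes) -> bytes:
    """Entry written WITHOUT the extra newline, then read with the
    one-newline reader: a newline that belongs to the secret is lost."""
    return read_removesuffix(secret)

if __name__ == "__main__":
    for name, reader in (("strip", read_strip), ("removesuffix", read_removesuffix)):
        print(f"{name}: {len(round_trip_failures(reader))} of {len(SAMPLES)} secrets corrupted")
    raw = b"line1\nline2\n"
    print("writer skipped the newline:", read_unconventional(raw) == raw)
```

The last check is the case raised in the reply above: the one-newline reader is only lossless when every writer adds the newline.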


