From judd at jpilot.org Fri Jan 13 03:13:03 2023
From: judd at jpilot.org (Judd Montgomery)
Date: Fri, 13 Jan 2023 03:13:03 +0000
Subject: pass show --clip bug
Message-ID: <32cbd3fb-37c8-b69e-750b-a2d5f7533ccf@jpilot.org>

Hi,

I have a secret that is over 1000 lines long and each line is on average 24 characters. I noticed that the pass show -c[line-number] option only works when trying to clip line numbers greater than 850 or so. Any line number less than this fails with a return code of 141. I suspect this will vary depending on Linux kernel versions, tuning and buffer sizes and I will try to explain why.

The error code 141 that gets returned in this case is pipefail. At the top of the pass script is a "set -o pipefail" and that causes the script to exit in this case. This happens because the output of a tail command is piped into a head -n 1 which closes the read pipe as soon as it reads one line. If the tail command is not done writing then it fails with a pipefail (141) because it's writing to a closed pipe. Normally this is not noticed or unexpected behavior. When I show/clip lines near the end of the file it succeeds because tail is done writing. If I show/clip lines early in the file then the tail command gets its pipe "rudely" shut down ;-)

I am attaching a patch that I tested. I didn't write a test.

Here is an explanation I initially found
https://stackoverflow.com/questions/22464786/ignoring-bash-pipefail-for-error-code-141

Judd

-------------- next part --------------
A non-text attachment was scrubbed...
Name: password-store.sh-pipefile.patch
Type: text/x-patch
Size: 1154 bytes
Desc: not available
URL: 
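The failure described in the message above, reproduced with a constructed multi-line secret file in place of gpg's output. This is an added example, not code from password-store.sh or from the attached patch; make_secret, clip_old and clip_new are names chosen for it, and cat stands in for "$GPG -d".

```shell
#!/usr/bin/env bash
# Added example (not from password-store.sh or the patch on this thread):
# why "tail -n +N | head -n 1" under "set -o pipefail" fails for lines
# early in a long secret, and why "sed -n Np" does not.

# Constructed stand-in for the decrypted secret: $1 lines of 18 bytes.
# 40000 lines is about 720 KB, far more than a pipe buffer holds, so tail
# cannot finish writing before head has read its one line and gone away.
make_secret() {
    awk -v n="$1" 'BEGIN { for (i = 1; i <= n; i++) printf "secret-line-%05d\n", i }'
}

SECRET_FILE=$(mktemp)
trap 'rm -f "$SECRET_FILE"' EXIT
make_secret 40000 > "$SECRET_FILE"

# Pre-patch form (cat stands in for "$GPG -d"). head exits after one line,
# so every later write by tail hits a closed pipe: SIGPIPE, reported as
# 128+13 = 141, or EPIPE with status 1 where SIGPIPE is ignored. pipefail
# makes that the pipeline's status and "|| exit $?" aborts even though the
# wanted line was already captured.
clip_old() {  # $1 = line number; prints the line, exits as pass would
    bash -o pipefail -c '
        pass="$(cat "$1" | tail -n +"$2" | head -n 1)" || exit $?
        [ -n "$pass" ] && printf "%s\n" "$pass"
    ' pass-demo "$SECRET_FILE" "$1"
}

# Patched form: sed reads all of its input before exiting, so nothing
# upstream ever writes to a closed pipe and a non-zero status can only
# come from a real failure of the decrypting command or of sed itself.
clip_new() {  # $1 = line number; exit status 1 when the line does not exist
    bash -o pipefail -c '
        pass=$(cat "$1" | sed -n "${2}p")
        [ -n "$pass" ] && printf "%s\n" "$pass"
    ' pass-demo "$SECRET_FILE" "$1"
}

# Run directly: an early line fails with the old form and works with the
# new one; the last line works with both, because tail has nothing left
# to write when head closes the pipe.
for n in 1 40000; do
    printf 'old form, line %5s: ' "$n"
    clip_old "$n" 2>/dev/null || printf '(exit status %s)\n' "$?"
    printf 'new form, line %5s: ' "$n"
    clip_new "$n"
done
```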
From pws at fermi.franken.de Sat Jan 14 09:58:03 2023
From: pws at fermi.franken.de (Wolfgang Schildbach)
Date: Sat, 14 Jan 2023 10:58:03 +0100
Subject: Best practice for multiple-client use keys

Hello,

I would like to use pass in a situation where a number of PCs/laptops all have access to the keystore, as well as one or two mobile devices. We can assume the laptops to be a mix of linux and windows. The mobile devices are Android. I have a git server running in my home network.

My question is what are best practices when it comes to (pgp) key management in this situation, and the documentation seems fairly light in this respect.

From what I can see, there are two options.

1) Create a different public/private key pair for each machine, and encrypt the store for all of them (i.e. pass init with multiple keys).

I have successfully done this but it is a N² problem -- every time a new machine is added, its public key needs to be distributed to all the different machines. This becomes unwieldy very soon, specifically if you take into account that the public keys should really be signed by a master key. And if you forget to do a pass git pull/push around the operations and need to merge -- specifically with the .gpg-id file -- then things become a bit scary.

I have toyed with the idea of setting up a keyserver but discarded that for now as it seemed to be more complexity than I was ready for.

2) Stick with one key pair, and distribute the private key to all machines.

This avoids the N² problem and seems operationally easier all around. However, there appear to be two different problems with this approach:

a) Shipping private keys around is generally frowned upon. It runs counter the entire public/private key setup at the heart of pgp. Also, the keys still somehow need to be verified so the process can't be quite automated.
b) It seems easy enough to build a script with scp/ssh to do the key distribution to a new machine, but there is no straightforward way to do the same with a mobile device, or even with a windows laptop.

So my question is, how are others handling this situation, and am I overlooking an option? Should I be looking at 1) with a keyserver?

Thanks for your help,

- Wolfgang
From danolo at danoloan.es Sat Jan 14 10:14:03 2023
From: danolo at danoloan.es (danolo at danoloan.es)
Date: Sat, 14 Jan 2023 11:14:03 +0100 (CET)
Subject: Best practice for multiple-client use keys

I'm doing 1, with around 5 devices. The N² is still not a problem for me but it is a problem regardless. A solution would be to extend pass (and other clients) to support creation of private keys and fetching the missing public keys from a keyserver. I've not had the time to try and implement this extension myself yet.

14 Jan 2023, 9:58 by pws at fermi.franken.de:

> Hello,
>
> I would like to use pass in a situation where a number of PCs/laptops all have access to the keystore, as well as one or two mobile devices. We can assume the laptops to be a mix of linux and windows. The mobile devices are Android. I have a git server running in my home network.
>
> My question is what are best practices when it comes to (pgp) key management in this situation, and the documentation seems fairly light in this respect.
>
> From what I can see, there are two options.
>
> 1) Create a different public/private key pair for each machine, and encrypt the store for all of them (i.e. pass init with multiple keys).
>
> I have successfully done this but it is a N² problem -- every time a new machine is added, its public key needs to be distributed to all the different machines. This becomes unwieldy very soon, specifically if you take into account that the public keys should really be signed by a master key. And if you forget to do a pass git pull/push around the operations and need to merge -- specifically with the .gpg-id file -- then things become a bit scary.
>
> I have toyed with the idea of setting up a keyserver but discarded that for now as it seemed to be more complexity than I was ready for.
>
> 2) Stick with one key pair, and distribute the private key to all machines.
>
> This avoids the N² problem and seems operationally easier all around.
> However, there appear to be two different problems with this approach:
>
> a) Shipping private keys around is generally frowned upon. It runs counter the entire public/private key setup at the heart of pgp. Also, the keys still somehow need to be verified so the process can't be quite automated.
>
> b) It seems easy enough to build a script with scp/ssh to do the key distribution to a new machine, but there is no straightforward way to do the same with a mobile device, or even with a windows laptop.
>
>
> So my question is, how are others handling this situation, and am I overlooking an option? Should I be looking at 1) with a keyserver?
>
> Thanks for your help,
>
> - Wolfgang
>

From zach at aoede.xyz Sat Jan 14 16:23:36 2023
From: zach at aoede.xyz (Zach)
Date: Sat, 14 Jan 2023 09:23:36 -0700
Subject: Best practice for multiple-client use keys
Message-ID: <20230114162336.7l4w4kenf3nykjqx@linux-box>

On 2023-01-14 10:58am, Wolfgang Schildbach wrote:
>I would like to use pass in a situation where a number of PCs/laptops
>all have access to the keystore, as well as one or two mobile devices.
>We can assume the laptops to be a mix of linux and windows. The mobile
>devices are Android. I have a git server running in my home network.
> …
>So my question is, how are others handling this situation, and am I
>overlooking an option? Should I be looking at 1) with a keyserver?

I am using syncthing[1] to synchronize the pass keystore and my PGP keys. I just sync the `.gnupg` and `.password-store` directories (along with a plethora of other useful stuff like ssh keys and dotfiles). It's been chugging along in the background of my workflows for almost a decade. From what you wrote, it seems this could fit your requirement.

[1] https://syncthing.net/
From lundberg.emil at gmail.com Mon Jan 16 09:35:40 2023
From: lundberg.emil at gmail.com (Emil Lundberg)
Date: Mon, 16 Jan 2023 10:35:40 +0100
Subject: Best practice for multiple-client use keys
In-Reply-To: <20230114162336.7l4w4kenf3nykjqx@linux-box>
References: <20230114162336.7l4w4kenf3nykjqx@linux-box>
Message-ID: <08c03abe-ca61-0a19-f31e-4d45c28f2daf@gmail.com>

I too use Syncthing to sync the key store, but not the keys. Instead I have my PGP keys on a YubiKey, so I just need to plug in the YubiKey whenever I need to decrypt a secret and I can safely use the same key on all my clients (because I'm not copying the private key, just moving the smart card). It takes a bit of effort to properly set up a GPG smart card without making it impossible to create backups of your master key and encryption keys, but there are good guides for that available online.

/Emil

On 1/14/23 17:23, Zach wrote:
> On 2023-01-14 10:58am, Wolfgang Schildbach wrote:
>
>> I would like to use pass in a situation where a number of PCs/laptops
>> all have access to the keystore, as well as one or two mobile
>> devices. We can assume the laptops to be a mix of linux and windows.
>> The mobile devices are Android. I have a git server running in my
>> home network.
>
>> …
>
>> So my question is, how are others handling this situation, and am I
>> overlooking an option? Should I be looking at 1) with a keyserver?
>
> I am using syncthing[1] to synchronize the pass keystore and my PGP
> keys. I just sync the `.gnupg` and `.password-store` directories
> (along with a plethora of other useful stuff like ssh keys and
> dotfiles). It's been chugging along in the background of my workflows
> for almost a decade. From what you wrote, it seems this could fit your
> requirement.
>
> [1] https://syncthing.net/
From pass-maillinglist at artursterz.de Wed Jan 18 09:16:20 2023
From: pass-maillinglist at artursterz.de (pass-maillinglist at artursterz.de)
Date: Wed, 18 Jan 2023 10:16:20 +0100
Subject: Changing encryption backend (discussion)
References: <2A1EC4AA-A6B4-49FF-8ED9-1AD19BD5DE30@artursterz.de>
Message-ID: <9E1E4669-AB12-4A6E-A9E9-22966A5DA364@artursterz.de>

Hello to all,

the other day I was thinking about whether it might be time to replace GPG with another backend. age [1] is written in Go, seems to follow a similar philosophy as e.g. WireGuard (reasonable algorithms, no unnecessary configuration, ...) and is accepted by the community (about 12.7k stars on Github, if that means anything) and is open source and free. In the past, there have been two discussions on this mailing list about replacing GPG [2, 3]. At that time the discussion was stopped due to lack of alternatives. Now we have an alternative.

A project that is 100% compatible with pass and has age as an optional backend is gopass [4]. However, in my opinion, the developers of gopass have overdone it and developed a software monolith that is far too complex.

So: what do you think about the idea of replacing GPG with age as an encryption backend?

P.S.: when age was designed, one of the goals of the developers was to become a backend of pass [5] :) (but I'm not sure how actual this goal is today).

[1] https://github.com/FiloSottile/age
[2] https://lists.zx2c4.com/pipermail/password-store/2019-August/003732.html
[3] https://lists.zx2c4.com/pipermail/password-store/2020-October/004280.html
[4] https://www.gopass.pw/
[5] https://docs.google.com/document/d/11yHom20CrsuX8KQJXBBw04s80Unjv8zCg_A7sPAX_9Y/view
From kjetil.homme at redpill-linpro.com Wed Jan 18 12:52:16 2023
From: kjetil.homme at redpill-linpro.com (Kjetil Torgrim Homme)
Date: Wed, 18 Jan 2023 13:52:16 +0100
Subject: Best practice for multiple-client use keys

On 14/01/2023 10:58, Wolfgang Schildbach wrote:
> My question is what are best practices when it comes to (pgp) key
> management in this situation, and the documentation seems fairly light
> in this respect.
>
> From what I can see, there are two options.
>
> 1) Create a different public/private key pair for each machine, and
> encrypt the store for all of them (i.e. pass init with multiple keys).
>
> I have successfully done this but it is a N² problem -- every time a new
> machine is added, its public key needs to be distributed to all the
> different machines. This becomes unwieldy very soon, specifically if you
> take into account that the public keys should really be signed by a
> master key. And if you forget to do a pass git pull/push around the
> operations and need to merge -- specifically with the .gpg-id file --
> then things become a bit scary.
>
> I have toyed with the idea of setting up a keyserver but discarded that
> for now as it seemed to be more complexity than I was ready for.

There is a simpler version: Add the public key to your pass Git repo so it can be easily imported on all the other hosts. Whether you trust the new key explicitly on each host or you sign it using your trusted master key is up to you, I guess it will depend on how many hosts there are. You need the full set of public keys to do a new pass init, but they need to be trusted.

-- 
Kjetil T. Homme
Redpill Linpro - Changing the game
From louis at bettens.info Wed Jan 18 13:00:27 2023
From: louis at bettens.info (Louis Bettens)
Date: Wed, 18 Jan 2023 14:00:27 +0100
Subject: Changing encryption backend (discussion)
In-Reply-To: <9E1E4669-AB12-4A6E-A9E9-22966A5DA364@artursterz.de>
References: <2A1EC4AA-A6B4-49FF-8ED9-1AD19BD5DE30@artursterz.de> <9E1E4669-AB12-4A6E-A9E9-22966A5DA364@artursterz.de>

Hi,

There already exists a fork of Pass that uses age as a backend.[1] Thus there's no point in reinventing that in our branch. I will add that although Age has a lot going for it, I like my setup and will keep using OpenPGP and thus GPG pass for the foreseeable future. Therefore I will follow and contribute to a GPG branch. Feel free to try out passage though.

[1] https://github.com/FiloSottile/passage

On 18.01.23 10:16, pass-maillinglist at artursterz.de wrote:
> Hello to all,
>
> the other day I was thinking about whether it might be time to replace
> GPG with
> another backend. age [1] is written in Go, seems to follow a similar
> philosophy
> as e.g. WireGuard (reasonable algorithms, no unnecessary
> configuration, ...) and
> is accepted by the community (about 12.7k stars on Github, if that means
> anything) and is open source and free. In the past, there have been two
> discussions on this mailing list about replacing GPG [2, 3]. At that
> time the
> discussion was stopped due to lack of alternatives. Now we have an
> alternative.
> A project that is 100% compatible with pass and has age as an optional
> backend
> is gopass [4]. However, in my opinion, the developers of gopass have
> overdone it
> and developed a software monolith that is far too complex.
>
> So: what do you think about the idea of replacing GPG with age as an
> encryption
> backend?
>
> P.S.: when age was designed, one of the goals of the developers was to
> become a
> backend of pass [5] :) (but I'm not sure how actual this goal is today).
>
> [1] https://github.com/FiloSottile/age
> [2]
> https://lists.zx2c4.com/pipermail/password-store/2019-August/003732.html
> [3]
> https://lists.zx2c4.com/pipermail/password-store/2020-October/004280.html
> [4] https://www.gopass.pw/
> [5]
> https://docs.google.com/document/d/11yHom20CrsuX8KQJXBBw04s80Unjv8zCg_A7sPAX_9Y/view

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xDFE1D4A017337E2A.asc
Type: application/pgp-keys
Size: 5138 bytes
Desc: OpenPGP public key
URL: 
From kjetil.homme at redpill-linpro.com Wed Jan 18 16:07:34 2023
From: kjetil.homme at redpill-linpro.com (Kjetil Torgrim Homme)
Date: Wed, 18 Jan 2023 17:07:34 +0100
Subject: pass show --clip bug
In-Reply-To: <32cbd3fb-37c8-b69e-750b-a2d5f7533ccf@jpilot.org>
References: <32cbd3fb-37c8-b69e-750b-a2d5f7533ccf@jpilot.org>
Message-ID: <757dfd54-19c3-d05d-6923-10075156147a@redpill-linpro.com>

On 13/01/2023 04:13, Judd Montgomery wrote:
> Hi,
>
> I have a secret that is over 1000 lines long and each line is on average
> 24 characters. I noticed that the pass show -c[line-number] option only
> works when trying to clip line numbers greater than 850 or so. Any
> line number less than this fails with a return code of 141. I suspect
> this will vary depending on Linux kernel versions, tuning and buffer
> sizes and I will try to explain why.
>
> The error code 141 that gets returned in this case is pipefail. At the
> top of the pass script is a "set -o pipefail" and that causes the script
> to exit in this case. This happens because the output of a tail command
> is piped into a head -n 1 which closes the read pipe as soon as it reads
> one line. If the tail command is not done writing then it fails with a
> pipefail (141) because it's writing to a closed pipe. Normally this is
> not noticed or unexpected behavior. When I show/clip lines near the end
> of the file it succeeds because tail is done writing. If I show/clip
> lines early in the file then the tail command gets its pipe "rudely"
> shut down ;-)
>
> I am attaching a patch that I tested. I didn't write a test.
>
> Here is an explanation I initially found
> https://stackoverflow.com/questions/22464786/ignoring-bash-pipefail-for-error-code-141
>

the patch looks good to me, much simpler and safer, and guaranteed to not trigger EPIPE. you should however move your comments from the patch into a commit message, I don't think we want history like that in the script itself.

-- 
Kjetil T. Homme
Redpill Linpro - Changing the game
From judd at jpilot.org Wed Jan 18 17:22:59 2023
From: judd at jpilot.org (Judd Montgomery)
Date: Wed, 18 Jan 2023 17:22:59 +0000
Subject: pass show --clip bug
In-Reply-To: <757dfd54-19c3-d05d-6923-10075156147a@redpill-linpro.com>
References: <32cbd3fb-37c8-b69e-750b-a2d5f7533ccf@jpilot.org> <757dfd54-19c3-d05d-6923-10075156147a@redpill-linpro.com>

On 1/18/23 11:07, Kjetil Torgrim Homme wrote:
> On 13/01/2023 04:13, Judd Montgomery wrote:
>> Hi,
>>
>> I have a secret that is over 1000 lines long and each line is on average
>> 24 characters. I noticed that the pass show -c[line-number] option only
>> works when trying to clip line numbers greater than 850 or so. Any
>> line number less than this fails with a return code of 141. I suspect
>> this will vary depending on Linux kernel versions, tuning and buffer
>> sizes and I will try to explain why.
>>
>> The error code 141 that gets returned in this case is pipefail. At the
>> top of the pass script is a "set -o pipefail" and that causes the script
>> to exit in this case. This happens because the output of a tail command
>> is piped into a head -n 1 which closes the read pipe as soon as it reads
>> one line. If the tail command is not done writing then it fails with a
>> pipefail (141) because it's writing to a closed pipe. Normally this is
>> not noticed or unexpected behavior. When I show/clip lines near the end
>> of the file it succeeds because tail is done writing. If I show/clip
>> lines early in the file then the tail command gets its pipe "rudely"
>> shut down ;-)
>>
>> I am attaching a patch that I tested. I didn't write a test.
>>
>> Here is an explanation I initially found
>> https://stackoverflow.com/questions/22464786/ignoring-bash-pipefail-for-error-code-141
>>
> the patch looks good to me, much simpler and safer, and guaranteed to
> not trigger EPIPE. you should however move your comments from the patch
> into a commit message, I don't think we want history like that in the
> script itself.

Is there a way to commit?
I read the contributing section from https://www.passwordstore.org/. I expected whomever was going to commit it to remove the comments and only add the line with the sed.

Contributing

This is a very active project with a healthy dose of contributors. The best way to contribute to the password store is to join the mailing list and send git formatted patches. You may also join the discussion in #pass on Libera.Chat.

Judd

From kjetil.homme at redpill-linpro.com Wed Jan 18 19:31:03 2023
From: kjetil.homme at redpill-linpro.com (Kjetil Torgrim Homme)
Date: Wed, 18 Jan 2023 20:31:03 +0100
Subject: pass show --clip bug
References: <32cbd3fb-37c8-b69e-750b-a2d5f7533ccf@jpilot.org> <757dfd54-19c3-d05d-6923-10075156147a@redpill-linpro.com>

On 18/01/2023 18:22, Judd Montgomery wrote:
>
>> the patch looks good to me, much simpler and safer, and guaranteed to
>> not trigger EPIPE. you should however move your comments from the patch
>> into a commit message, I don't think we want history like that in the
>> script itself.
>
> Is there a way to commit? I read the contributing section from
> https://www.passwordstore.org/. I expected whomever was going to commit
> it to remove the comments and only add the line with the sed.

there is no way to commit/push or make a merge request/pull request, no.

> Contributing
>
> This is a very active project with a healthy dose of contributors. The best
> way to contribute to the password store is to join the mailing list
> and send
> git formatted patches.

in other words, commit to your local clone, use git show --pretty=email COMMITID and include it in your e-mail. IIRC Jason prefers the patches to be posted inline in the message rather than as attachments.

-- 
Kjetil T. Homme
Redpill Linpro - Changing the game
From judd at jpilot.org Wed Jan 18 22:46:23 2023
From: judd at jpilot.org (Judd Montgomery)
Date: Wed, 18 Jan 2023 22:46:23 +0000
Subject: [PATCH] The pipe to a tail and then head -1 can fail due to a, pipefail., https://stackoverflow.com/questions/22464786/ignoring-bash-pipefail-for-error-code-141, Since sed is used elsewhere in the script, using sed seems simpler and more, performant.
Message-ID: <32b7b6bc-afc5-6b61-293c-9d21d5fa29e3@jpilot.org>

From 4b547b5332110c19ebdc8802d1cd628979ade59a Mon Sep 17 00:00:00 2001
From: Judd Montgomery
Date: Wed, 18 Jan 2023 17:32:56 -0500
Subject: [PATCH] The pipe to a tail and then head -1 can fail due to a
?pipefail.
?https://stackoverflow.com/questions/22464786/ignoring-bash-pipefail-for-error-code-141
?Since sed is used elsewhere in the script, using sed seems simpler and more
?performant.

diff --git a/src/password-store.sh b/src/password-store.sh
index 22e818f..8ea4d65 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -388,7 +388,7 @@ cmd_show() {
??????????????????????? echo "$pass" | $BASE64 -d
??????????????? else
??????????????????????? [[ $selected_line =~ ^[0-9]+$ ]] || die "Clip location '$selected_line' is not a number."
-?????????????????????? pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +${selected_line} | head -n 1)" || exit $?
+?????????????????????? pass=$("$GPG" -d "${GPG_OPTS[@]}" "$passfile" | sed -n "${selected_line}"p)
??????????????????????? [[ -n $pass ]] || die "There is no password to put on the clipboard at line ${selected_line}."
??????????????????????? if [[ $clip -eq 1 ]]; then
??????????????????????????????? clip "$pass" "$path"
From kjetil.homme at redpill-linpro.com Thu Jan 19 00:43:29 2023
From: kjetil.homme at redpill-linpro.com (Kjetil Torgrim Homme)
Date: Thu, 19 Jan 2023 01:43:29 +0100
Subject: [PATCH] The pipe to a tail and then head -1 can fail due to a, pipefail., https://stackoverflow.com/questions/22464786/ignoring-bash-pipefail-for-error-code-141, Since sed is used elsewhere in the script, using sed seems simpler and more, performant.
In-Reply-To: <32b7b6bc-afc5-6b61-293c-9d21d5fa29e3@jpilot.org>
References: <32b7b6bc-afc5-6b61-293c-9d21d5fa29e3@jpilot.org>
Message-ID: <6f22b0f6-c30d-cac4-3646-b01b0d12c37d@redpill-linpro.com>

On 18/01/2023 23:46, Judd Montgomery wrote:
> From 4b547b5332110c19ebdc8802d1cd628979ade59a Mon Sep 17 00:00:00 2001
> From: Judd Montgomery
> Date: Wed, 18 Jan 2023 17:32:56 -0500
> Subject: [PATCH] The pipe to a tail and then head -1 can fail due to a
> ?pipefail.
> ?https://stackoverflow.com/questions/22464786/ignoring-bash-pipefail-for-error-code-141
> ?Since sed is used elsewhere in the script, using sed seems simpler and
> more
> ?performant.
>
>
> diff --git a/src/password-store.sh b/src/password-store.sh
> index 22e818f..8ea4d65 100755
> --- a/src/password-store.sh
> +++ b/src/password-store.sh
> @@ -388,7 +388,7 @@ cmd_show() {
> ??????????????????????? echo "$pass" | $BASE64 -d
> ??????????????? else
> ??????????????????????? [[ $selected_line =~ ^[0-9]+$ ]] || die "Clip
> location '$selected_line' is not a number."
> -?????????????????????? pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" |
> tail -n +${selected_line} | head -n 1)" || exit $?
> +?????????????????????? pass=$("$GPG" -d "${GPG_OPTS[@]}" "$passfile" |
> sed -n "${selected_line}"p)
> ??????????????????????? [[ -n $pass ]] || die "There is no password to
> put on the clipboard at line ${selected_line}."
> ??????????????????????? if [[ $clip -eq 1 ]]; then
> ??????????????????????????????? clip "$pass" "$path"
>
>

I'm sorry to say your e-mail client really chewed that up and spat it out in mangled pieces. those are no-break-spaces for the indentation, random line breaks thrown in, etc.

-- 
Kjetil T. Homme
Redpill Linpro - Changing the game

From judd at jpilot.org Thu Jan 19 02:29:58 2023
From: judd at jpilot.org (Judd Montgomery)
Date: Thu, 19 Jan 2023 02:29:58 +0000
Subject: [PATCH] The pipe to a tail and then head -1 can fail due to a pipefail. https://stackoverflow.com/questions/22464786/ignoring-bash-pipefail-for-error-code-141 Since sed is used elsewhere in the script, using sed seems simpler and more performant.

diff --git a/src/password-store.sh b/src/password-store.sh
index 22e818f..8ea4d65 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -388,7 +388,7 @@ cmd_show() {
 echo "$pass" | $BASE64 -d
 else
 [[ $selected_line =~ ^[0-9]+$ ]] || die "Clip location '$selected_line' is not a number."
- pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +${selected_line} | head -n 1)" || exit $?
+ pass=$("$GPG" -d "${GPG_OPTS[@]}" "$passfile" | sed -n "${selected_line}"p)
 [[ -n $pass ]] || die "There is no password to put on the clipboard at line ${selected_line}."
 if [[ $clip -eq 1 ]]; then
 clip "$pass" "$path"
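Review bot: The replacement line drops the `|| exit $?` that followed the old pipeline, so a failing `$GPG -d` (wrong passphrase, cancelled pinentry, missing key) no longer ends the command with gpg's exit status; `pass` is simply empty and the user gets the misleading "There is no password to put on the clipboard at line N" from the next line instead. Keep `|| exit $?` on the sed form: with pipefail still set and sed consuming all of its input, a non-zero status can now only come from gpg or sed, which is exactly the case worth propagating. Second, `^[0-9]+$` on the line above admits 0, and `tail -n +0` quietly behaved like line 1 while GNU sed rejects line address 0 ("invalid usage of line address 0"); tighten the check to `^[1-9][0-9]*$`. Minor: write `"${selected_line}p"` rather than `"${selected_line}"p`, and the removed line used `$GPG` unquoted while the new one quotes it; pick one form for consistency.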
From judd at jpilot.org Thu Jan 19 02:45:03 2023
From: judd at jpilot.org (Judd Montgomery)
Date: Thu, 19 Jan 2023 02:45:03 +0000
Subject: [PATCH] The pipe to a tail and then head -1 can fail due to a, pipefail., https://stackoverflow.com/questions/22464786/ignoring-bash-pipefail-for-error-code-141, Since sed is used elsewhere in the script, using sed seems simpler and more, performant.
In-Reply-To: <6f22b0f6-c30d-cac4-3646-b01b0d12c37d@redpill-linpro.com>
References: <32b7b6bc-afc5-6b61-293c-9d21d5fa29e3@jpilot.org> <6f22b0f6-c30d-cac4-3646-b01b0d12c37d@redpill-linpro.com>

On 1/18/23 19:43, Kjetil Torgrim Homme wrote:
> On 18/01/2023 23:46, Judd Montgomery wrote:
>> From 4b547b5332110c19ebdc8802d1cd628979ade59a Mon Sep 17 00:00:00 2001
>> From: Judd Montgomery
>> Date: Wed, 18 Jan 2023 17:32:56 -0500
>> Subject: [PATCH] The pipe to a tail and then head -1 can fail due to a
>> ?pipefail.
>> ?https://stackoverflow.com/questions/22464786/ignoring-bash-pipefail-for-error-code-141
>> ?Since sed is used elsewhere in the script, using sed seems simpler and
>> more
>> ?performant.
>>
>>
>> diff --git a/src/password-store.sh b/src/password-store.sh
>> index 22e818f..8ea4d65 100755
>> --- a/src/password-store.sh
>> +++ b/src/password-store.sh
>> @@ -388,7 +388,7 @@ cmd_show() {
>> ??????????????????????? echo "$pass" | $BASE64 -d
>> ??????????????? else
>> ??????????????????????? [[ $selected_line =~ ^[0-9]+$ ]] || die "Clip
>> location '$selected_line' is not a number."
>> -?????????????????????? pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" |
>> tail -n +${selected_line} | head -n 1)" || exit $?
>> +?????????????????????? pass=$("$GPG" -d "${GPG_OPTS[@]}" "$passfile" |
>> sed -n "${selected_line}"p)
>> ??????????????????????? [[ -n $pass ]] || die "There is no password to
>> put on the clipboard at line ${selected_line}."
>> ??????????????????????? if [[ $clip -eq 1 ]]; then
>> ??????????????????????????????? clip "$pass" "$path"
>>
>>
>>
> I'm sorry to say your e-mail client really chewed that up and spat it
> out in mangled pieces. those are no-break-spaces for the indentation,
> random line breaks thrown in, etc.

That is exactly what I expected to happen. I tried to send it in HTML first and it was rejected.

> --
> Kjetil T. Homme
> Redpill Linpro - Changing the game
>

Finding the bug and fixing it... maybe 1 hour. Figuring out how to contribute my work upstream... maybe 4 hours...

Judd
From sadeep at asciimx.com Thu Jan 19 07:46:21 2023
From: sadeep at asciimx.com (Sadeep Madurange)
Date: Thu, 19 Jan 2023 15:46:21 +0800
Subject: Changing encryption backend (discussion)
In-Reply-To: <9E1E4669-AB12-4A6E-A9E9-22966A5DA364@artursterz.de>
References: <2A1EC4AA-A6B4-49FF-8ED9-1AD19BD5DE30@artursterz.de> <9E1E4669-AB12-4A6E-A9E9-22966A5DA364@artursterz.de>
Message-ID: <20230119074621.oa4qjtlakzkwcbes@dviant.localdomain>

On 2023-01-18 10:16:20, pass-maillinglist at artursterz.de wrote:
> the other day I was thinking about whether it might be time to
> replace GPG with another backend. age [1]

Even if Pass were to support Age as an alternate backend, why replace GPG? None of the reasons given is compelling enough for those already using GPG to switch.

-- 
Best regards,
SM
GPG: 103BF9E3E750BF7E

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: 

From wuzhenyu at ustc.edu Thu Jan 19 09:18:45 2023
From: wuzhenyu at ustc.edu (Wu Zhenyu)
Date: Thu, 19 Jan 2023 17:18:45 +0800
Subject: No subject
Message-ID: <20230119091845.2hoyji3bsijactz7@desktop>

From: Wu Zhenyu
To: password-store at lists.zx2c4.com
Subject: [PATCH] feat: support more clippers
Date: Thu, 19 Jan 2023 17:18:44 +0800
Message-Id: <20230119091844.3148981-1-wuzhenyu at ustc.edu>
X-Mailer: git-send-email 2.39.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Refer https://github.com/neovim/neovim/blob/db407010facc55c19b5ebdf881225ac39cb29d01/runtime/autoload/provider/clipboard.vim#L69-L158
---
 src/password-store.sh | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/src/password-store.sh b/src/password-store.sh
index 22e818f..64652f4 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -163,12 +163,35 @@ clip() {
 paste_cmd+=( --primary )
 fi
 local display_name="$WAYLAND_DISPLAY"
- elif [[ -n $DISPLAY ]] && command -v xclip &> /dev/null; then
- local copy_cmd=( xclip -selection "$X_SELECTION" )
- local paste_cmd=( xclip -o -selection "$X_SELECTION" )
+ elif [[ -n $DISPLAY ]]; then
+ if command -v xsel &> /dev/null; then
+ local copy_cmd=( xsel -i "--$X_SELECTION" )
+ local paste_cmd=( xsel -o "--$X_SELECTION" )
+ elif command -v xclip &> /dev/null; then
+ local copy_cmd=( xclip -selection "$X_SELECTION" )
+ local paste_cmd=( xclip -o -selection "$X_SELECTION" )
+ fi
 local display_name="$DISPLAY"
+ elif command -v pbcopy &> /dev/null; then
+ local copy_cmd=( pbcopy )
+ local paste_cmd=( pbpaste )
+ elif command -v lemonade &> /dev/null; then
+ local copy_cmd=( lemonade copy )
+ local paste_cmd=( lemonade paste )
+ elif command -v doitclient &> /dev/null; then
+ local copy_cmd=( doitclient wclip )
+ local paste_cmd=( doitclient wclip -r )
+ elif command -v win32yank &> /dev/null; then
+ local copy_cmd=( win32yank -i --crlf )
+ local paste_cmd=( win32yank -o --lf )
+ elif command -v termux-clipboard-set &> /dev/null; then
+ local copy_cmd=( termux-clipboard-set )
+ local paste_cmd=( termux-clipboard-get )
+ elif command -v tmux &> /dev/null; then
+ local copy_cmd=( tmux load-buffer - )
+ local paste_cmd=(tmux save-buffer - )
 else
- die "Error: No X11 or Wayland display and clipper detected"
+ die "Error: No clipboard detected"
 fi
 local sleep_argv0="password store sleep on display $display_name"
-- 
2.39.0
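Review bot: In the new `elif [[ -n $DISPLAY ]]; then` branch the inner `if command -v xsel ... elif command -v xclip ... fi` has no `else`, so on an X11 host with neither tool installed `copy_cmd` and `paste_cmd` stay unset and the function carries on with `display_name="$DISPLAY"` instead of reaching `die` the way the removed `elif [[ -n $DISPLAY ]] && command -v xclip` line did; add an `else die "Error: xsel or xclip is required for X11"` inside the inner if, or keep the command test in the `elif` condition. Two behaviour changes need a sentence in the commit message, which currently only says "Refer" plus a neovim URL: xsel now wins over xclip when both are installed, and the `tmux load-buffer -` fallback means a headless box with tmux will silently put the secret into a tmux paste buffer (readable by every client attached to that server) where the old code refused to continue; consider making that path opt-in. Also, none of the new non-X/Wayland branches sets `display_name`, so `sleep_argv0` ends in "on display " with nothing after it for all of them; set it to the clipper name so the string stays distinct per backend. Style: `paste_cmd=(tmux save-buffer - )` is missing the space after `(` used on every other line.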
From wuzhenyu at ustc.edu Thu Jan 19 09:24:52 2023
From: wuzhenyu at ustc.edu (Wu Zhenyu)
Date: Thu, 19 Jan 2023 17:24:52 +0800
Subject: [PATCH] feat: support more clippers
Message-ID: <20230119092452.aqm54al7rlegmxnb@desktop>

Refer https://github.com/neovim/neovim/blob/db407010facc55c19b5ebdf881225ac39cb29d01/runtime/autoload/provider/clipboard.vim#L69-L158
---
 src/password-store.sh | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/src/password-store.sh b/src/password-store.sh
index 22e818f..64652f4 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -163,12 +163,35 @@ clip() { paste_cmd+=( --primary ) fi local display_name="$WAYLAND_DISPLAY" - elif [[ -n $DISPLAY ]] && command -v xclip &> /dev/null; then - local copy_cmd=( xclip -selection "$X_SELECTION" ) - local paste_cmd=( xclip -o -selection "$X_SELECTION" ) + elif [[ -n $DISPLAY ]]; then + if command -v xsel &> /dev/null; then + local copy_cmd=( xsel -i "--$X_SELECTION" ) + local paste_cmd=( xsel -o "--$X_SELECTION" ) + elif command -v xclip &> /dev/null; then + local copy_cmd=( xclip -selection "$X_SELECTION" ) + local paste_cmd=( xclip -o -selection "$X_SELECTION" ) + fi local display_name="$DISPLAY" + elif command -v pbcopy &> /dev/null; then + local copy_cmd=( pbcopy ) + local paste_cmd=( pbpaste ) + elif command -v lemonade &> /dev/null; then + local copy_cmd=( lemonade copy ) + local paste_cmd=( lemonade paste ) + elif command -v doitclient &> /dev/null; then + local copy_cmd=( doitclient wclip ) + local paste_cmd=( doitclient wclip -r ) + elif command -v win32yank &> /dev/null; then + local copy_cmd=( win32yank -i --crlf ) + local paste_cmd=( win32yank -o --lf ) + elif command -v termux-clipboard-set &> /dev/null; then + local copy_cmd=( termux-clipboard-set ) + local paste_cmd=( termux-clipboard-get ) + elif command -v tmux &> /dev/null; then + local copy_cmd=( tmux load-buffer - ) + local paste_cmd=(tmux save-buffer - ) else - die "Error: No X11 or Wayland display and clipper detected" + die "Error: No clipboard detected" fi local sleep_argv0="password store sleep on display $display_name"
-- 
2.39.0

From wuzhenyu at ustc.edu Thu Jan 19 09:28:15 2023
From: wuzhenyu at ustc.edu (Wu Zhenyu)
Date: Thu, 19 Jan 2023 17:28:15 +0800
Subject: [PATCH] feat: support exa
Message-ID: <20230119092815.6sjlvuobqsi2lya2@desktop>

---
 src/password-store.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/password-store.sh b/src/password-store.sh
index 22e818f..0dd7e0b 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
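Review bot: the new `elif [[ -n $DISPLAY ]]; then` branch in the clip() hunk above has no `else` for the case where neither xsel nor xclip is installed, so `display_name` is set and the function carries on with `copy_cmd`/`paste_cmd` unset instead of reaching `die`, which the removed `&& command -v xclip` condition guaranteed; add an `else die "Error: No X11 clipper detected"` to the inner `if`, or keep the command check in the `elif`. Two smaller points in the same hunk: `command -v tmux` only proves the binary exists, not that a server is running, so the tmux fallback should be gated on `[[ -n $TMUX ]]` (otherwise `tmux load-buffer -` fails with no server and the secret is never copied); and each added fallback hands the secret to whichever executable of that name is found first on PATH, which argues for an explicit override variable (as Greg Minshall suggests downthread) rather than a growing silent search order.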
@@ -402,7 +402,14 @@ cmd_show() { else echo "${path%\/}" fi - tree -N -C -l --noreport "$PREFIX/$path" 3>&- | tail -n +2 | sed -E 's/\.gpg(\x1B\[[0-9]+m)?( ->|$)/\1\2/g' # remove .gpg at end of line, but keep colors + if command -v exa &> /dev/null; then + tree="exa --color=always --icons --tree" + elif command -v tree &> /dev/null; then + tree="tree -N -C -l --noreport" + else + die "Error: please install exa/tree firstly!" + fi + $tree "$PREFIX/$path" 3>&- | tail -n +2 | sed -E 's/\.gpg(\x1B\[[0-9]+m)?( ->|$)/\1\2/g' # remove .gpg at end of line, but keep colors elif [[ -z $path ]]; then die "Error: password store is empty. Try \"pass init\"." else
-- 
2.39.0

From pass-maillinglist at artursterz.de Thu Jan 19 09:36:51 2023
From: pass-maillinglist at artursterz.de (pass-maillinglist at artursterz.de)
Date: Thu, 19 Jan 2023 10:36:51 +0100
Subject: Changing encryption backend (discussion)
In-Reply-To: <20230119074621.oa4qjtlakzkwcbes@dviant.localdomain>
References: <2A1EC4AA-A6B4-49FF-8ED9-1AD19BD5DE30@artursterz.de> <9E1E4669-AB12-4A6E-A9E9-22966A5DA364@artursterz.de> <20230119074621.oa4qjtlakzkwcbes@dviant.localdomain>
Message-ID: <86FF45B6-DE6E-46BD-B2E4-F61FFC26CF97@artursterz.de>

>> the other day I was thinking about whether it might be time to
>> replace GPG with another backend. age [1]
>
> Even if Pass were to support Age as an alternate backend, why replace
> GPG? None of the reasons given is compelling enough for those already
> using GPG to switch.

Sure, if you are happy using GPG, why switch to age?
If you are happy using OpenVPN, why switch to WireGuard?
If you are happy using $OLD_CLUNKY_SOFTWARE_WITH_BAD_UX, why switch to a more modern approach?

But this is a philosophical discussion, won't continue it here.

From pass-maillinglist at artursterz.de Thu Jan 19 09:37:36 2023
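Review bot: `tree=...` in the cmd_show() hunk of the exa patch above is a plain string assigned without `local` (it leaks a global that shadows the command name) and is then expanded unquoted as `$tree "$PREFIX/$path"`; make it an array, as the script already does for copy_cmd, e.g. `local tree_cmd=( exa --color=always --icons --tree )` and `"${tree_cmd[@]}" "$PREFIX/$path"`. Also check that the unchanged `tail -n +2 | sed ...` post-processing still does what its comment says with exa: `tail -n +2` assumes the root directory occupies exactly one line, and the sed pattern `\x1B\[[0-9]+m` assumes tree's single-parameter colour sequences, so exa's output should be verified before it is silently preferred over tree for every user who has both installed (a PASS_LS_COMMAND-style override, as suggested downthread, would avoid changing their output behind their back). Minor: "please install exa/tree firstly!" reads better as "please install exa or tree first".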
From: pass-maillinglist at artursterz.de (pass-maillinglist at artursterz.de)
Date: Thu, 19 Jan 2023 10:37:36 +0100
Subject: Changing encryption backend (discussion)
In-Reply-To:
References: <2A1EC4AA-A6B4-49FF-8ED9-1AD19BD5DE30@artursterz.de> <9E1E4669-AB12-4A6E-A9E9-22966A5DA364@artursterz.de>
Message-ID: <60F901D6-515F-446A-AC91-6A71284FDB4B@artursterz.de>

Thanks for all the replies regarding the existing fork of pass. Did not know that, so consider this issue closed.

> On 18.01.2023 at 14:00, Louis Bettens wrote:
>
> Hi,
>
> There already exists a fork of Pass that uses age as a backend.[1] Thus there's no point in reinventing that in our branch.
>
> I will add that although Age has a lot going for it, I like my setup and will keep using OpenPGP and thus GPG pass for the foreseeable future. Therefore I will follow and contribute to a GPG branch. Feel free to try out passage though.
>
> [1] https://github.com/FiloSottile/passage
>
> On 18.01.23 10:16, pass-maillinglist at artursterz.de wrote:
>> Hello to all,
>>
>> the other day I was thinking about whether it might be time to replace GPG with
>> another backend. age [1] is written in Go, seems to follow a similar philosophy
>> as e.g. WireGuard (reasonable algorithms, no unnecessary configuration, ...) and
>> is accepted by the community (about 12.7k stars on Github, if that means
>> anything) and is open source and free. In the past, there have been two
>> discussions on this mailing list about replacing GPG [2, 3]. At that time the
>> discussion was stopped due to lack of alternatives. Now we have an alternative.
>> A project that is 100% compatible with pass and has age as an optional backend
>> is gopass [4]. However, in my opinion, the developers of gopass have overdone it
>> and developed a software monolith that is far too complex.
>>
>> So: what do you think about the idea of replacing GPG with age as an encryption
>> backend?
>>
>> P.S.: when age was designed, one of the goals of the developers was to become a
>> backend of pass [5] :) (but I'm not sure how actual this goal is today).
>>
>> [1] https://github.com/FiloSottile/age
>> [2] https://lists.zx2c4.com/pipermail/password-store/2019-August/003732.html
>> [3] https://lists.zx2c4.com/pipermail/password-store/2020-October/004280.html
>> [4] https://www.gopass.pw/
>> [5] https://docs.google.com/document/d/11yHom20CrsuX8KQJXBBw04s80Unjv8zCg_A7sPAX_9Y/view
>

From ngraves at ngraves.fr Thu Jan 19 10:57:01 2023
From: ngraves at ngraves.fr (Nicolas Graves)
Date: Thu, 19 Jan 2023 11:57:01 +0100
Subject: Changing encryption backend (discussion)
In-Reply-To:
References: <2A1EC4AA-A6B4-49FF-8ED9-1AD19BD5DE30@artursterz.de> <9E1E4669-AB12-4A6E-A9E9-22966A5DA364@artursterz.de>
Message-ID: <87wn5iiygy.fsf@ngraves.fr>

On 2023-01-18 14:00, Louis Bettens wrote:
> Hi,
>
> There already exists a fork of Pass that uses age as a backend.[1] Thus
> there's no point in reinventing that in our branch.
>
> I will add that although Age has a lot going for it, I like my setup and
> will keep using OpenPGP and thus GPG pass for the foreseeable future.
> Therefore I will follow and contribute to a GPG branch. Feel free to try
> out passage though.
>
> [1] https://github.com/FiloSottile/passage
>
> On 18.01.23 10:16, pass-maillinglist at artursterz.de wrote:

There is still one thing to do for age-compatibility I believe. The emacs extension doesn't take into account the possibility that files might end in .age instead of .gpg. I have made a patch to introduce an option to change that, which has had neither answers nor reviews to this day.

https://lists.zx2c4.com/pipermail/password-store/2022-October/004659.html

Thanks if you can review this quickly.

-- 
Best regards,
Nicolas Graves

From kjetil.homme at redpill-linpro.com Thu Jan 19 15:13:37 2023
From: kjetil.homme at redpill-linpro.com (Kjetil Torgrim Homme)
Date: Thu, 19 Jan 2023 16:13:37 +0100
Subject: Changing encryption backend (discussion)
In-Reply-To: <86FF45B6-DE6E-46BD-B2E4-F61FFC26CF97@artursterz.de>
References: <2A1EC4AA-A6B4-49FF-8ED9-1AD19BD5DE30@artursterz.de> <9E1E4669-AB12-4A6E-A9E9-22966A5DA364@artursterz.de> <20230119074621.oa4qjtlakzkwcbes@dviant.localdomain> <86FF45B6-DE6E-46BD-B2E4-F61FFC26CF97@artursterz.de>
Message-ID: <3b719c8d-5603-0163-14d9-61683090a53b@redpill-linpro.com>

On 19/01/2023 10:36, pass-maillinglist at artursterz.de wrote:
>>> the other day I was thinking about whether it might be time to
>>> replace GPG with another backend. age [1]
>>
>> Even if Pass were to support Age as an alternate backend, why replace
>> GPG? None of the reasons given is compelling enough for those already
>> using GPG to switch.
>
> Sure, if you are happy using GPG, why switch to age?
> If you are happy using OpenVPN, why switch to WireGuard?
> If you are happy using $OLD_CLUNKY_SOFTWARE_WITH_BAD_UX, why switch to a more modern approach?
>
> But this is a philosophical discussion, won't continue it here.

as far as I can tell, age(1) has absolutely no concept which can replace web-of-trust (key management in general is ad-hoc), so at this time it is not really appropriate as a PGP replacement. let's hope they add key management in version 2, then I'll take another look.

-- 
Kjetil T. Homme
Redpill Linpro - Changing the game

From minshall at umich.edu Mon Jan 23 09:56:00 2023
From: minshall at umich.edu (Greg Minshall)
Date: Mon, 23 Jan 2023 12:56:00 +0300
Subject: [PATCH] feat: support more clippers
In-Reply-To: <20230119092452.aqm54al7rlegmxnb@desktop>
References: <20230119092452.aqm54al7rlegmxnb@desktop>
Message-ID: <1877195.1674467760@archlinux>

hi. for this, and your exa patch, *i* (who have nothing to do with this project, other than being a happy user) would prefer to have command line switches, or some sort of PASS_XCLIP_COMMAND / PASS_LS_COMMAND environmental variables. i can imagine scenarios where something named, e.g., "lemonade", does something other than the desired thing (and, in so doing, might disclose sensitive information).

cheers, Greg

From dacoda.strack at gmail.com Mon Jan 30 23:36:24 2023
From: dacoda.strack at gmail.com (Dacoda Strack)
Date: Mon, 30 Jan 2023 15:36:24 -0800
Subject: [PATCH] The pipe to a tail and then head -1 can fail due to a, pipefail., https://stackoverflow.com/questions/22464786/ignoring-bash-pipefail-for-error-code-141, Since sed is used elsewhere in the script, using sed seems simpler and more, performant.
In-Reply-To:
References: <32b7b6bc-afc5-6b61-293c-9d21d5fa29e3@jpilot.org> <6f22b0f6-c30d-cac4-3646-b01b0d12c37d@redpill-linpro.com>
Message-ID:

> Finding the bug and fixing it... maybe 1 hour.
>
> Figuring out how to contribute my work upstream... maybe 4 hours...

Hahahahaha! Alas... Such truth, and not just for this but for many projects

From dacoda.strack at gmail.com Mon Jan 30 23:49:26 2023
From: dacoda.strack at gmail.com (Dacoda Strack)
Date: Mon, 30 Jan 2023 15:49:26 -0800
Subject: Changing encryption backend (discussion)
In-Reply-To: <3b719c8d-5603-0163-14d9-61683090a53b@redpill-linpro.com>
References: <2A1EC4AA-A6B4-49FF-8ED9-1AD19BD5DE30@artursterz.de> <9E1E4669-AB12-4A6E-A9E9-22966A5DA364@artursterz.de> <20230119074621.oa4qjtlakzkwcbes@dviant.localdomain> <86FF45B6-DE6E-46BD-B2E4-F61FFC26CF97@artursterz.de> <3b719c8d-5603-0163-14d9-61683090a53b@redpill-linpro.com>
Message-ID:

On Thu, Jan 19, 2023 at 04:13:37PM +0100, Kjetil Torgrim Homme wrote:
> as far as I can tell, age(1) has absolutely no concept which can replace
> web-of-trust (key management in general is ad-hoc), so at this time it is
> not really appropriate as a PGP replacement.

I'm curious. Does pass really rely on the entire web-of-trust model that PGP has? For pass in particular, web-of-trust doesn't appear particularly applicable if you're using it for your own personal password management.

Are there use cases of yours where web-of-trust does come into play?

Would love to understand and learn more.

Thanks,
Dacoda Strack

From the_jinx at etv.cx Mon Jan 30 23:57:25 2023
From: the_jinx at etv.cx (Anne Jan Brouwer)
Date: Tue, 31 Jan 2023 00:57:25 +0100
Subject: Changing encryption backend (discussion)
In-Reply-To:
References: <2A1EC4AA-A6B4-49FF-8ED9-1AD19BD5DE30@artursterz.de> <9E1E4669-AB12-4A6E-A9E9-22966A5DA364@artursterz.de> <20230119074621.oa4qjtlakzkwcbes@dviant.localdomain> <86FF45B6-DE6E-46BD-B2E4-F61FFC26CF97@artursterz.de> <3b719c8d-5603-0163-14d9-61683090a53b@redpill-linpro.com>
Message-ID: <073cbc4d-0481-340d-0573-da2297b4c0d5@etv.cx>

Using it in a professional setting this is rather useful. We shared folders with different subsets of users; the biggest bonus was that with correct mail setup we got everybody to also send encrypted emails to each other by default without them even noticing.

Kind regards,
    Anne Jan

On 1/31/23 00:49, Dacoda Strack wrote:
> On Thu, Jan 19, 2023 at 04:13:37PM +0100, Kjetil Torgrim Homme wrote:
>> as far as I can tell, age(1) has absolutely no concept which can replace
>> web-of-trust (key management in general is ad-hoc), so at this time it is
>> not really appropriate as a PGP replacement.
> I'm curious. Does pass really rely on the entire web-of-trust model that
> PGP has? For pass in particular, web-of-trust doesn't appear
> particularly applicable if you're using it for your own personal
> password management.
>
> Are there use cases of yours where web-of-trust does come into play?
>
> Would love to understand and learn more.
>
> Thanks,
> Dacoda Strack