From minterior at gmail.com  Thu Apr  2 16:18:53 2026
From: minterior at gmail.com (Jaume Casado Ruiz)
Date: Thu, 2 Apr 2026 18:18:53 +0200
Subject: [PATCH] gpg: respect user-defined GPG_OPTS precedence
In-Reply-To: <4dd718bf-fbba-4de1-b6a6-1f19973d6559@gmail.com>
References: <4dd718bf-fbba-4de1-b6a6-1f19973d6559@gmail.com>
Message-ID: <99ce31ea-e4ee-4516-9457-ba2fa10f3b3a@gmail.com>

Hello everyone,

I recently encountered an issue while using 'pass' in a remote session
(SSH + screen). When trying to access a password, GPG would fail with
the following error:

 ? ? gpg: can't get input

This happens because the environment requires an interactive TTY-based
pinentry, but 'pass' hardcodes the --batch flag. I found some
discussion on the Arch Linux forums [1] where users suggested
manually removing the --batch flag from the 'pass' source code to
fix this.

Instead of removing a default that might be useful for automation, I
looked into GPG's documentation and found the --no-batch flag.
However, providing --no-batch via $PASSWORD_STORE_GPG_OPTS does
not currently work because 'pass' appends its own --batch flag
*after* the user-defined options. Since GPG honors the last
occurrence of a flag, the hardcoded --batch always wins.

This patch reorders the arguments (or ensures GPG_OPTS precedence)
so that users can explicitly override the default behavior. With this
change, running:

 ? ? PASSWORD_STORE_GPG_OPTS="--no-batch" pass <name>

works perfectly in SSH/screen/tmux sessions by allowing the
interactive pinentry-tty to take over.

[1] https://bbs.archlinux.org/viewtopic.php?id=208059

-----------------------------------------------------------------------------------------------------

 From 35142707165bb67f4514592be411b47d34f02f5e Mon Sep 17 00:00:00 2001
From: Jaume Casado Ruiz <minterior at gmail.com>
Date: Thu, 2 Apr 2026 05:24:45 +0200
Subject: [PATCH] gpg: respect user-defined GPG_OPTS precedence

The current implementation appends internal GPG flags after the
$PASSWORD_STORE_GPG_OPTS variable. Since GPG typically honors the
last occurrence of a flag on the command line, this prevents users
from overriding default behaviors.

A specific case is the hardcoded --batch flag. In remote sessions
(e.g., SSH, screen, or tmux) that require an interactive TTY-based
pinentry, users cannot re-enable interactivity. Even if --no-batch
is provided via PASSWORD_STORE_GPG_OPTS, the trailing --batch forces
a non-interactive mode, resulting in "gpg: can't get input" errors.

By ensuring PASSWORD_STORE_GPG_OPTS takes precedence, users gain the
necessary flexibility to handle interactive prompts in restricted
environments without breaking existing automation.
---
src/password-store.sh | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/password-store.sh b/src/password-store.sh
index 22e818f..456cdc9 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -6,11 +6,12 @@
umask "${PASSWORD_STORE_UMASK:-077}"
set -o pipefail

-GPG_OPTS=( $PASSWORD_STORE_GPG_OPTS "--quiet" "--yes" 
"--compress-algo=none" "--no-encrypt-to" )
+GPG_OPTS=( "--quiet" "--yes" "--compress-algo=none" "--no-encrypt-to" )
GPG="gpg"
export GPG_TTY="${GPG_TTY:-$(tty 2>/dev/null)}"
command -v gpg2 &>/dev/null && GPG="gpg2"
[[ -n $GPG_AGENT_INFO || $GPG == "gpg2" ]] && GPG_OPTS+=( "--batch" 
"--use-agent" )
+GPG_OPTS+=( $PASSWORD_STORE_GPG_OPTS )

PREFIX="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
EXTENSIONS="${PASSWORD_STORE_EXTENSIONS_DIR:-$PREFIX/.extensions}"
-- 
2.53.0


-- 
Jaume Casado Ruiz
GPG Key ID: 0xD9AB39238DF66919

Free software my friend ;-)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20260402/d71721b7/attachment.sig>

From jay at gfax.ch  Wed Apr  8 04:23:01 2026
From: jay at gfax.ch (Jay Thomas)
Date: Wed, 08 Apr 2026 04:23:01 +0000
Subject: Fish completion patch
Message-ID: <B2gRdNETUu2Zv34cTu9DLhJgpIvN9oknYPV3F-29v2znpjEiUGYiWZrGaU3zGsKRZwn_9hspGgiWUx3mzh_FhB_esa0lvakJSvC3oYPKvlg=@gfax.ch>

Being an avid user of multi-line password files, I quickly discovered in the fish shell I couldn't do tab completion for `pass -c2 my_site_auth` as it only matched on `-c` or `--clip`. This attached patch allows passing a line number to clip between -c0 (line 0 and line 1 being the same thing) and -c99. I don't know the upper-limit on line number clipping but this seemed like a more-than-generous range for the sake of tab completion.

Thanks,
Jay



-------------- next part --------------
A non-text attachment was scrubbed...
Name: fish_patch.patch
Type: text/x-patch
Size: 1593 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20260408/433919dd/attachment.bin>