| Age | Commit message (Collapse) | Author |
|---|
|
Tree 2.0 and later will unconditionally ignore all options and write
JSON data on file descriptor 3 when available, which causes problems
for the test harness and other scripts that use FD 3. Work around by
closing descriptor 3 for the 'tree' command.
|
|
POSIX sed doesn't support \+ in BREs which causes the regex that
extracts a file's current keys to return nothing, meaning that files
are unecessarily reencrypted.
This converts the regex in question to use ERE.
|
|
The `.extensions` directory can contain extensions code, for example as
git submodules, that have `.gpg` files as part of their code but that
are not files encrypted with the PGP keys of our password store.
One example is `pass-tomb`, that contains `.gpg` files in `tests/gnupg`,
but there are more, like `pass-update`, `pass-otp`, etc.
However those `.gpg` files in the `.extensions` directory are currently
processed by the `grep` and `reencrypt` functions of `pass`.
At best this can cause errors to be shown to the user when
grepping/reencrypting, and at worst it can cause files in the
`.extensions` directory to be decrypted and returned as part of a
search, or reencrypted with the incorrect PGP keys.
This patch tries to mitigate that issue by removing the `*/.extensions`
directories from the list of processed `.gpg` files for the
grep/reencrypt functions.
However this patch is not perfect as it does not take into account the
fact that the `.extensions` directory can be renamed to something else
using `PASSWORD_STORE_EXTENSIONS_DIR`. But knowing if this
`PASSWORD_STORE_EXTENSIONS_DIR` is inside the `PREFIX` or not and
formatting the path exclusion for `find` accordingly could require a
fair bit of additional logic that I am not sure how you want to
implement.
|
|
|
|
The 'which' command is an external command that must be called each and
every time pass is used. 'which' is also not mentioned in the README as
one of the dependencies that might be needed to run pass.
Instead of 'which', we can use the POSIX compatible and shell built-in
'command -v'. It saves pass from making an external call and is,
arguably, more reliable than using 'which' as mentioned in the following
link.
|
|
In the strange case that the user is jumping back and forth from X11 to
Wayland and viceversa, xclip might be installed but wl-clip might not,
and in such combination user might end up with the -c opion not working.
|
|
Afaik fish shell completions don't need a shebang
(plus the script is not executable anyway)
|
|
|
|
In MacOS Catalina, pass fails on accents with 'sed: RE error: illegal
byte sequence'.
|
|
I use a pass-specific gpg home directory. I tell pass about it by using
PASSWORD_STORE_GPG_OPTS="--homedir dir".
I also tell pass to sign files with PASSWORD_STORE_SIGNING_KEY.
However "pass init" returns "Signing of .gpg_id unsuccessful." because
we forgot to hand it GPG_OPTS. This patch fixes that oversight.
|
|
|
|
zsh completion cuts filenames after colons, for example port numbers.
This is fixed by escaping colons.
This will also escape backslashes after the first.
|
|
"__fish_pass_print" enumerates all files in the password store and
uses sed to strip their common prefix - the password store directory.
If $PASSWORD_STORE_DIR had a trailing slash, sed would fail to remove
the prefix. Fix this by canonicalizing $PASSWORD_STORE_DIR.
|
|
This makes fish complete commands starting with "pass git" as if they were
starting with "git".
|
|
fish only loads pass.fish once, so there is no point to erasing them.
|
|
Unfortunately, a command "set x" without explicit scope overwrites the variable
"x" in the innermost scope it is defined in, if any. This can cause problems
if the user defines the variable "x" as global or universal variable (which is
visible in all fishes). Make sure to define a local variable so we use that.
|
|
There is no point to checking the command name, fish already does that.
Additionally fish knows about commands that "wrap" pass; those commands
should inherit pass's completions.
This commit enables fish>=3.1.0 to provide proper completions for this function:
alias p="PASSWORD_STORE_DIR=$HOME/.my-passwords pass"
or, equivalently,
function p --wraps "PASSWORD_STORE_DIR=$HOME/.my-passwords pass"
PASSWORD_STORE_DIR=$HOME/.my-passwords pass $argv
end
|
|
The -A/--authoritative flag no longer has an effect since fish 2.5 which
was released in 2017.
|
|
Reproduce by typing "pass <TAB>" in a shell launched like: HOME=`mktemp -d` fish
Fish prints an error on failing globs - except when used in one of the commands
"set", "for" or "count". Also quotes are unnecessary here.
|
|
"brew --prefix gnu-getopt" takes 2.125s on my very default setup (I
don't even want to know why), dominating the pass wall time.
If the default brew prefix is in use, just detect the getopt binary with
a cheap "test -x" instead.
|
|
This doesn't detect if XQuartz is installed and running, so it's broken
in most setups, the experience is poor regardless, since it's not
displayed inline in the terminal, but leaves a window that requires
closing, and anyway the the utf8 mode works perfectly on both iTerm2 and
Terminal.app.
|
|
This patch makes sure that variables from the environment cannot
override e.g. the Git directory to operate on, as well as other critical
parts of Git operations. These variables are:
- GIT_DIR
- GIT_WORK_TREE
- GIT_NAMESPACE
- GIT_INDEX_FILE
- GIT_INDEX_VERSION
- GIT_OBJECT_DIRECTORY
- GIT_COMMON_DIR
If any of those are set, pass might end up operating on another
repository, and things would break.
I caught this having GIT_DIR set, but fortunately the other repository
had a .gitignore that would have ignored the file:
```
fishbowl~% echo $GIT_DIR
/home/madduck/.config/vcsh/repo.d/zsh.git
fishbowl~% pass generate test
The following paths are ignored by one of your .gitignore files:
.password-store/test.gpg
Use -f if you really want to add them.
The generated password for test is:
…
```
The result was an orphan file `test.gpg` in the password-store root.
Signed-off-by: Martin F. Krafft <madduck@madduck.net>
|
|
Some implementations of tr (notably the ones in Busybox and Toybox) do
not support the [:graph:] character class, but they do support
[:punct:] and [:alnum:]. This makes pass generate sane passwords
in such environments.
Discussed-on: https://lists.zx2c4.com/pipermail/password-store/2019-July/003702.html
|
|
When rotating encryption subkeys, and revoking the old one,
`pass init keyid` would re-encrypt your stored credentials to the
(now revoked) old subkey(s) in addition to the new one too.
It would also mistakenly encrypt to keys that have been disabled,
and keys that were never validly signed by their master (certify) key.
Fix all of these cases. It was decided NOT to also exclude expired
subkeys.
Signed-off-by: Aaron Jones <aaronmdjones@gmail.com>
|
|
|
|
Signed-off-by: Elan Ruusamäe <glen@pld-linux.org>
|
|
Signed-off-by: Elan Ruusamäe <glen@pld-linux.org>
|
|
|
|
|
|
Instead we're forced to base64 it, like we do with the clipboard.
|
|
Bash completion now allows usage of extension commands.
(see pass.bash-completion for details)
|
|
Since commit 63ef32a (generate: use nice ansi colors instead.,
2014-05-08), generated passwords are highlighted to make them
distinguishable from the Git output.
However, setting the foreground color to white makes the password hardly
readable when a "black on white" color scheme is used. Drop the
hardcoded foreground color and use the bold attribute only instead.
Signed-off-by: Lukas Fleischer <lfleischer@lfos.de>
|
|
Bash sometimes writes these into temporary files, which isn't okay.
|
|
|
|
For the line-choosing case, this is actually a big deal since we weren't
passing the error code back to the user either.
|
|
While we do not expect any output on stdout from the background task,
keeping the file handle open means that anyone calling `pass` and
waiting for stdout to be closed, will have to wait (by default) for 45
seconds.
|
|
Some EDITORs, notably Linux vi(1), which is the fallback default in pass,
apparently send INT when they exit, and when pass is run under bash
(which is also its default)--if you have /dev/shm/ available--bash catches
this and cleans up your edited password file *before* it can be reencrypted
and saved.
This only happens with `pass edit`; none of the other commands combine
tmpdir and $EDITOR.
|
|
|
|
Fixes CVE-2018-12356.
Reported-by: Marcus Brinkmann <marcus.brinkmann@ruhr-uni-bochum.de>
|
|
Allow grep options and arguments. Typical uses may be, for instance,
wanting to ignore case ('-i'), print a few lines of context around the
matched line, multiple patterns with '-e', etc.
(background: grep is deprecating GREP_OPTIONS, so eventually that will
stop working).
|
|
Fish completion spends most of the time in calls to `sed` in for loops over
entries and directories. This patch removes the repeated calls to `sed`.
Signed-off-by: Mathis Antony <sveitser@gmail.com>
|
|
|
|
|
|
Otherwise this expands to a filename if one exists.
Suggested-by: izaberina@gmail.com
|
|
With the $path variable being passed directly to dirname, any pass-names
provided by the user that happened to look like options to dirname would
be processed as options rather than as the path to be split.
This results in a real mess when you happen to run one of:
pass edit --help
pass generate --help
pass insert --help
then in the cmd_foo() function, you have:
mkdir -p -v "$PREFIX/$(dirname --help)"
which (due to the -p option to mkdir) results in the creation of an
entire directory hierarchy made up of the slash-separated help text from
dirname.
|
|
|
|
|
|
|
|
GnuPG 2.2.19 added a warning when no command was given.
* src/password-store.sh (reencrypt_path): Add --decrypt to --list-only
* tests/t0300-reencryption.sh (gpg_keys_from_encrypted_file): same
https://bugs.gnupg.org/gnupg/msg9873
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=810adfd47801fc01e45fb71af9f05c91f7890cdb
https://bugzilla.suse.com/show_bug.cgi?id=1028867
|
|
|