Hi Jason, list,

Pass is a very nice tool, thanks for supporting and sharing it.

Using Pass for handling passwords of e.g. Linux servers' root account
shared by multiple sysadmins using personal GnuPG keys is a bit
difficult currently, as all the sysadmins must have everyone else's
GnuPG pubkeys imported and trust levels set in their personal keyring to
be able to insert/edit/re-encrypt a password in the Pass store.

In my case there's a centrally managed GnuPG keyring file of all
sysadmins' pubkeys available, securely distributed to all systems. The
problem is there's currently no way to tell Pass to add
'--no-default-keyring --keyring /path/to/sysadmin-keyring.gpg' to gpg
command line options. GnuPG trust model would need to be overridden in
this case, too, with '--trust-model=always'.

There's a patch attached introducing two new environment variables,
PASSWORD_STORE_GPG_KEYRING and PASSWORD_STORE_GPG_TRUST_MODEL, which
make it possible to use a custom keyring instead of the default
~/.gnupg/pubring.gpg and to specify the trust model (and to skip
automatic trustdb checks).

If you think the patch is not suitable as such, please consider the
idea. I'm willing to test/develop alternative implementations, too.

Actually it would be very nice to have some generic way to pass in
command line options to gpg instead of the suggested patch, but I wasn't
able to come up with any nice and clean generic solution as there's
AFAIK no simple way to pass in Bash array variables (which Pass is using
internally, for a very good reason obviously) to a process as (POSIX)
environment variables.

Thanks,
Ville

-- 
Ville Mattila, CSC
From 009fcad7a55b401b9ec10f5ae19a386eeb893fca Mon Sep 17 00:00:00 2001
From: Ville Mattila <[email protected]>
Date: Tue, 21 Apr 2015 15:35:45 +0300
Subject: [PATCH] gpg keyring file override and trust model spec

* Add support for passing a custom --keyring file to gpg
  as $PASSWORD_STORE_GPG_KEYRING.
* Add support for specifying gpg --trust-model as
  $PASSWORD_STORE_GPG_TRUST_MODEL.
---
 man/pass.1            | 11 +++++++++++
 src/password-store.sh |  2 ++
 2 files changed, 13 insertions(+)

diff --git a/man/pass.1 b/man/pass.1
index 0dd6952..6314b7d 100644
--- a/man/pass.1
+++ b/man/pass.1
@@ -412,6 +412,17 @@ Specifies the number of seconds to wait before restoring the clipboard, by defau
 .I PASSWORD_STORE_UMASK
 Sets the umask of all files modified by pass, by default \fI077\fP.
 .TP
+.I PASSWORD_STORE_GPG_KEYRING
+Overrides the default gpg keyring file. Please refer to descriptions of
+\fI--keyring\fP and \fI--no-default-keyring\fP in gpg(1) manual page for more
+information.
+.TP
+.I PASSWORD_STORE_GPG_TRUST_MODEL
+Set what trust model gpg should follow. Please refer to description of
+\fI--trust-model\fP in gpg(1) manual page for more information. Setting this
+environment variable will disable gpg's automatic trustdb checks
+(\fI--no-auto-check-trustdb\fP).
+.TP
 .I EDITOR
 The location of the text editor used by \fBedit\fP.
 .SH SEE ALSO
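Review bot: the PASSWORD_STORE_GPG_TRUST_MODEL entry should say what the combination actually implies for the reader: with "--trust-model=always" plus "--no-auto-check-trustdb" gpg will encrypt to every key found in the keyring without any validity check, so the security of the store then rests entirely on how the keyring file is distributed; one sentence to that effect belongs here. Minor style point: the neighbouring entries use the third-person form ("Sets the umask ..."), so "Set what trust model gpg should follow" should read "Sets which trust model gpg should follow", and "Please refer to description of" should be "Please refer to the description of".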
diff --git a/src/password-store.sh b/src/password-store.sh
index 47f7ffa..b69a86f 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -11,6 +11,8 @@ GPG="gpg"
 export GPG_TTY="${GPG_TTY:-$(tty 2>/dev/null)}"
 which gpg2 &>/dev/null && GPG="gpg2"
 [[ -n $GPG_AGENT_INFO || $GPG == "gpg2" ]] && GPG_OPTS+=( "--batch" "--use-agent" )
+[[ -n $PASSWORD_STORE_GPG_KEYRING ]] && GPG_OPTS+=( "--no-default-keyring" "--keyring=$PASSWORD_STORE_GPG_KEYRING" )
+[[ -n $PASSWORD_STORE_GPG_TRUST_MODEL ]] && GPG_OPTS+=( "--trust-model=$PASSWORD_STORE_GPG_TRUST_MODEL" "--no-auto-check-trustdb" )
 
 PREFIX="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
 X_SELECTION="${PASSWORD_STORE_X_SELECTION:-clipboard}"
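Review bot: a relative value in PASSWORD_STORE_GPG_KEYRING will not do what the user expects, because gpg resolves a --keyring name without a slash relative to the GnuPG home directory rather than the current directory; either document that the value must be an absolute path or normalise it before appending it to GPG_OPTS. Also, because --no-default-keyring drops the user's own pubring, every id listed in .gpg-id (including the caller's own key) must be present in the custom keyring or encryption fails; worth a note in the man page. Finally, --no-auto-check-trustdb is appended for every trust model, but it is only harmless with "always"; for "pgp" or "classic" it leaves the trustdb stale, so consider adding it only when the model is "always".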
-- 
1.9.1


_______________________________________________
Password-Store mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/password-store