On 14. 04. 22 13:50, Johannes Altmanninger wrote:
On Thu, Apr 14, 2022 at 01:26:47PM +0200, Daniel Mach wrote:
SaltStack strips leading/trailing whitespaces from the password [1],
because pass adds a newline when entering passwords interactively.
SaltStack is removing too much. They should use the equivalent of
pass_show_output.removesuffix("\n").
That's right. I'm planning to address this by sending a pull-request to
SaltStack.
On the other hand, if you store a multiline/binary password in pass, it
can end with a newline, which still would end as an invalid password in
SaltStack.
I hope I'm not abusing pass too much by storing binary keys in it, but
it's quite convenient to have all secrets in one place...
Pass is capable of storing multiline passwords which are stored as
provided. That includes storing binary data as well. If such password
has leading/trailing whitespaces, they get stripped in SaltStack
and the password becomes invalid.
This change fixes the inconsistency by always storing the passwords
as provided, with no extra characters added.
To retain good user experience, a newline is printed to stderr after
printing a password.
[1]
https://github.com/saltstack/salt/commit/2584df93e074155062bd934f23bb244613e20dd3
---
src/password-store.sh | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/password-store.sh b/src/password-store.sh
index 22e818f..48b3a79 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -385,7 +385,8 @@ cmd_show() {
if [[ -f $passfile ]]; then
if [[ $clip -eq 0 && $qrcode -eq 0 ]]; then
pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" |
$BASE64)" || exit $?
- echo "$pass" | $BASE64 -d
+ echo -n "$pass" | $BASE64 -d
+ echo >&2
else
[[ $selected_line =~ ^[0-9]+$ ]] || die "Clip location
'$selected_line' is not a number."
pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n
+${selected_line} | head -n 1)" || exit $?
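Review bot: The `echo >&2` added after the decode in cmd_show runs unconditionally, so a blank line goes to stderr even when stdout is piped or redirected, and even when the stored content already ends in a newline (multiline entries, or entries inserted before this change, which were written with `echo "$password"`). Consider emitting it only when stdout is a terminal, for example `[[ -t 1 ]] && echo >&2`, so scripted callers that capture stderr do not pick up a stray line.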
@@ -468,7 +469,7 @@ cmd_insert() {
read -r -p "Retype password for $path: " -s
password_again || exit 1
echo
if [[ $password == "$password_again" ]]; then
- echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o
"$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
+ echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o
"$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
break
else
die "Error: the entered passwords do not match."
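Review bot: `echo -n "$password"` in the retype branch of cmd_insert still hands the password to echo as an argument, so a password that is itself an echo option, such as `-n` or `-e`, is consumed as an option and an empty value gets encrypted. `printf '%s' "$password" | $GPG -e ...` writes the value exactly as entered, adds no trailing newline, and does no option parsing on the data.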
@@ -477,7 +478,7 @@ cmd_insert() {
else
local password
read -r -p "Enter password for $path: " -e password
- echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile"
"${GPG_OPTS[@]}" || die "Password encryption aborted."
+ echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile"
"${GPG_OPTS[@]}" || die "Password encryption aborted."
fi
git_add_file "$passfile" "Add given password for $path to store."
}
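Review bot: The echo-mode branch of cmd_insert now writes new entries without the trailing newline, but the diffstat lists only src/password-store.sh, so the change in stored format is undocumented and untested. Entries already in the store keep their newline, which means consumers will see both forms; please state that in the documentation and add a test that inserts a password and compares the decrypted bytes. The `printf '%s' "$password"` form would also be safer on this line than `echo -n`.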
--
2.35.1