[ { "path": ".codeclimate.yml", "content": "version: \"2\"\n\nchecks:\n argument-count:\n config:\n threshold: 4\n complex-logic:\n config:\n threshold: 4\n file-lines:\n config:\n threshold: 250\n method-complexity:\n config:\n threshold: 16\n method-count:\n config:\n threshold: 20\n method-lines:\n config:\n threshold: 100\n nested-control-flow:\n config:\n threshold: 4\n return-statements:\n config:\n threshold: 4\n\nplugins:\n gofmt:\n enabled: true\n golint:\n enabled: true\n govet:\n enabled: true\n \nratings:\n paths:\n - \"**.go\"\n \nexclude_patterns:\n- \"vendor/\"\n- \"utils/notify/icon.go\"\n- \"**/*_test.go\"\n" }, { "path": ".codecov.yml", "content": "coverage:\n range: 40..90\n round: nearest\n precision: 2\n status:\n project:\n default: on\n patch:\n default: off\n changes:\n default: off\nignore:\n - \"vendor/\"\n" }, { "path": ".errcheck.excl", "content": "fmt.Fprintf\nfmt.Fprintln\nfmt.Fprint\n" }, { "path": ".gemini/settings.json", "content": "{\n \"contextFileName\": \"AGENTS.md\"\n}\n" }, { "path": ".gitattributes", "content": "CHANGELOG.md merge=union\n\n" }, { "path": ".github/FUNDING.yml", "content": "github: dominikschulz\npatreon: gopass \ncustom: \"https://paypal.me/doschulz\"\n" }, { "path": ".github/ISSUE_TEMPLATE.md", "content": "---\nname: Bug report\nabout: Create a report to help us improve gopass\n---\n\n### Summary\n\n\n### Steps To Reproduce\n\n\n### Expected behavior\n\n\n### Environment\n\n\n- OS: [e.g. Mac OS X High Sierra, Ubuntu 18.04, Windows 10, ...]\n- OS version: [uname -a]\n- gopass Version: [gopass version]\n- Installation method: [e.g. from source, brew, gopass repo]\n\n\n\n### Additional context\n\n" }, { "path": ".github/copilot-instructions.md", "content": "Refer to [AGENTS.md](../AGENTS.md) for detailed instructions on how to set up and use agents with gopass.\n" }, { "path": ".github/dependabot.yml", "content": "version: 2\nupdates:\n\n - package-ecosystem: \"github-actions\"\n directory: \"/\"\n schedule:\n interval: \"monthly\"\n open-pull-requests-limit: 15\n" }, { "path": ".github/stale.yml", "content": "# Number of days of inactivity before an issue becomes stale\ndaysUntilStale: 120\n# Number of days of inactivity before a stale issue is closed\ndaysUntilClose: 60\n# Issues with these labels will never be considered stale\nexemptLabels:\n - pinned\n - security\n# Label to use when marking an issue as stale\nstaleLabel: wontfix\n# Comment to post when marking an issue as stale. Set to `false` to disable\nmarkComment: >\n This issue has been automatically marked as stale because it has not had\n recent activity. It will be closed if no further activity occurs. Thank you\n for your contributions.\n# Comment to post when closing a stale issue. Set to `false` to disable\ncloseComment: false\n# Set to true to ignore issues in a milestone (defaults to false)\nexemptMilestones: true\n" }, { "path": ".github/workflows/autorelease.yml", "content": "# This is a basic workflow to help you get started with Actions\n\nname: release\n\n# Controls when the action will run. \non:\n # Triggers the workflow on push or pull request events but only for the master branch\n push:\n tags:\n - 'v*'\n\npermissions:\n contents: read\n\njobs:\n goreleaser:\n runs-on: ubuntu-latest\n steps:\n - name: Harden Runner\n uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0\n with:\n egress-policy: audit\n\n -\n name: Checkout\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 0\n -\n name: Set up Go\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: 'go.mod'\n\n - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3\n with:\n path: ~/go/pkg/mod\n key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}\n restore-keys: |\n ${{ runner.os }}-go-\n - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0\n - uses: anchore/sbom-action/download-syft@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0\n # ubuntu is missing wixl https://github.com/actions/virtual-environments/issues/3857\n -\n name: \"Install GNOME msitools (wixl)\"\n run: sudo apt update -qq && sudo apt install -qq -y wixl\n -\n name: Import GPG signing key\n id: import_gpg\n uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0\n with:\n gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}\n passphrase: ${{ secrets.PASSPHRASE }}\n -\n name: Debug\n run: |\n echo \"GPG ---------------------\"\n echo \"fingerprint: ${{ steps.import_gpg.outputs.fingerprint }}\"\n echo \"keyid: ${{ steps.import_gpg.outputs.keyid }}\"\n echo \"name: ${{ steps.import_gpg.outputs.name }}\"\n echo \"email: ${{ steps.import_gpg.outputs.email }}\"\n echo \"Go env ------------------\"\n pwd\n echo ${HOME}\n echo ${GITHUB_WORKSPACE}\n echo ${GOPATH}\n echo ${GOROOT}\n env\n -\n name: Generate release-notes\n run: |\n go run helpers/changelog/main.go >../RELEASE_NOTES\n -\n name: Run GoReleaser\n uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0\n with:\n version: latest\n args: release --release-notes=../RELEASE_NOTES\n env:\n GITHUB_TOKEN: ${{ secrets.GH_PAT }}\n GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}\n GOPATH: /home/runner/go\n -\n name: \"Add Windows installer (msi) to release\"\n run: | # until https://github.com/goreleaser/goreleaser/issues/1295, disabled until #2038 is fixed\n tag=\"${GITHUB_REF#refs/tags/}\"\n version=${tag#v}\n make msi\n msi=dist/gopass-x64-windows-${version}.msi\n gh release upload \"${tag}\" \"${msi}\"\n env:\n GITHUB_TOKEN: ${{ secrets.GH_PAT }}\n -\n name: \"Upload deb files to apt hosting\"\n run: |\n for D in dist/*.deb; do\n curl -H\"X-Filename: ${D}\" -H\"X-Apikey: ${APIKEY}\" -XPOST --data-binary @$D https://packages.gopass.pw/repos/gopass/upload\n curl -H\"X-Filename: ${D}\" -H\"X-Apikey: ${APIKEY}\" -XPOST --data-binary @$D https://packages.gopass.pw/repos/gopass-unstable/upload\n done\n env:\n APIKEY: ${{ secrets.APT_APIKEY }}\n\n" }, { "path": ".github/workflows/build.yml", "content": "name: Build gopass\n\non:\n push:\n branches:\n - master\n pull_request:\n branches:\n - master\n\nconcurrency:\n group: ${{ github.workflow }}-${{ github.ref }}\n cancel-in-progress: true\n\npermissions:\n contents: read\n\njobs:\n linux:\n runs-on: ubuntu-latest\n strategy:\n matrix:\n go: ['1.25']\n name: Go ${{ matrix.go }}\n steps:\n - name: Harden Runner\n uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0\n with:\n egress-policy: block\n allowed-endpoints: >\n github.com:443\n objects.githubusercontent.com:443\n proxy.golang.org:443\n raw.githubusercontent.com:443\n release-assets.githubusercontent.com:443\n storage.googleapis.com:443\n sum.golang.org:443\n golang.org:443\n go.dev:443\n azure.archive.ubuntu.com:443\n archive.ubuntu.com:443\n security.ubuntu.com:443\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 0\n\n - name: Set up Go\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version: ${{ matrix.go }}\n - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3\n with:\n path: ~/go/pkg/mod\n key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}\n restore-keys: |\n ${{ runner.os }}-go-\n - name: Ubuntu Dependencies\n run: sudo apt-get install --yes git gnupg\n - run: git config --global user.name nobody\n - run: git config --global user.email foo.bar@example.org\n\n -\n name: Debug\n run: |\n echo \"Go env ------------------\"\n pwd\n echo ${HOME}\n echo ${GITHUB_WORKSPACE}\n echo ${GOPATH}\n echo ${GOROOT}\n env \n\n - name: Build and Unit Test\n run: make gha-linux\n - name: Integration Test\n run: make test-integration\n\n container:\n runs-on: ubuntu-latest\n steps:\n - name: Harden Runner\n uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0\n with:\n egress-policy: audit\n\n - name: Checkout repository\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n\n - name: Extract metadata (tags, labels) for Docker\n id: meta\n uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051\n env:\n IMAGE_NAME: ${{ github.repository }}\n with:\n images: ${{ env.IMAGE_NAME }}\n\n - name: Build container image\n uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8\n with:\n context: .\n push: false\n tags: ${{ steps.meta.outputs.tags }}\n labels: ${{ steps.meta.outputs.labels }}\n\n windows:\n runs-on: windows-latest\n defaults:\n run:\n shell: msys2 {0}\n steps:\n - name: Harden Runner\n uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0\n with:\n egress-policy: audit\n\n - uses: msys2/setup-msys2@fb197b72ce45fb24f17bf3f807a388985654d1f2 # v2.29.0\n with:\n release: false\n path-type: inherit\n install: >-\n base-devel\n git\n\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 0\n\n - name: Set up Go\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: 'go.mod'\n\n - run: git config --global user.name nobody\n - run: git config --global user.email foo.bar@example.org\n \n - name: Build and Unit Test\n run: make gha-windows\n\n macos:\n runs-on: macos-latest\n steps:\n - name: Harden Runner\n uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0\n with:\n egress-policy: audit\n\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 0\n\n - name: Set up Go\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: 'go.mod'\n\n - run: git config --global user.name nobody\n - run: git config --global user.email foo.bar@example.org\n \n - name: Build and Unit Test\n run: make gha-osx\n env:\n SLOW_TEST_FACTOR: 100 \n\n dependabot:\n needs: [linux]\n runs-on: ubuntu-latest\n permissions:\n pull-requests: write\n contents: write\n if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'}}\n steps:\n - id: metadata\n uses: dependabot/fetch-metadata@v2\n with:\n github-token: \"${{ secrets.GITHUB_TOKEN }}\"\n - run: |\n gh pr review --approve \"$PR_URL\"\n gh pr merge --squash --auto \"$PR_URL\"\n env:\n PR_URL: ${{github.event.pull_request.html_url}}\n GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}\n" }, { "path": ".github/workflows/codeql-analysis.yml", "content": "# For most projects, this workflow file will not need changing; you simply need\n# to commit it to your repository.\n#\n# You may wish to alter this file to override the set of languages analyzed,\n# or to provide custom queries or build logic.\n#\n# ******** NOTE ********\n# We have attempted to detect the languages in your repository. Please check\n# the `language` matrix defined below to confirm you have the correct set of\n# supported CodeQL languages.\n#\nname: \"CodeQL\"\n\non:\n push:\n branches:\n - master\n pull_request:\n # The branches below must be a subset of the branches above\n branches:\n - master\n schedule:\n - cron: '19 21 * * 0'\n\n\nconcurrency:\n group: ${{ github.workflow }}-${{ github.ref }}\n cancel-in-progress: true\n\npermissions:\n contents: read\n\njobs:\n analyze:\n permissions:\n actions: read # for github/codeql-action/init to get workflow details\n contents: read # for actions/checkout to fetch code\n security-events: write # for github/codeql-action/autobuild to send a status report\n name: Analyze\n runs-on: ubuntu-latest\n\n strategy:\n fail-fast: false\n matrix:\n language: [ 'go' ]\n # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]\n # Learn more:\n # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed\n\n steps:\n - name: Harden Runner\n uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0\n with:\n disable-sudo: true\n egress-policy: block\n allowed-endpoints: >\n api.github.com:443\n github.com:443\n objects.githubusercontent.com:443\n release-assets.githubusercontent.com:443\n proxy.golang.org:443\n raw.githubusercontent.com:443\n storage.googleapis.com:443\n sum.golang.org:443\n\n - name: Checkout repository\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n\n # Initializes the CodeQL tools for scanning.\n - name: Initialize CodeQL\n uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v3.29.5\n with:\n languages: ${{ matrix.language }}\n # If you wish to specify custom queries, you can do so here or in a config file.\n # By default, queries listed here will override any specified in a config file.\n # Prefix the list here with \"+\" to use these queries and those in the config file.\n # queries: ./path/to/local/query, your-org/your-repo/queries@main\n\n # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).\n # If this step fails, then you should remove it and run the build manually (see below)\n - name: Autobuild\n uses: github/codeql-action/autobuild@89a39a4e59826350b863aa6b6252a07ad50cf83e # v3.29.5\n\n # ā„¹ļø Command-line programs to run using the OS shell.\n # šŸ“š https://git.io/JvXDl\n\n # āœļø If the Autobuild fails above, remove it and uncomment the following three lines\n # and modify them (or add more) to build your code if your project\n # uses a compiled language\n\n #- run: |\n # make bootstrap\n # make release\n\n - name: Perform CodeQL Analysis\n uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v3.29.5\n" }, { "path": ".github/workflows/container.yml", "content": "# This workflow uses actions that are not certified by GitHub.\n# They are provided by a third-party and are governed by\n# separate terms of service, privacy policy, and support\n# documentation.\n\n# GitHub recommends pinning actions to a commit SHA.\n# To get a newer version, you will need to update the SHA.\n# You can also reference a tag or branch, but the action may change without warning.\n\nname: Create and publish a Docker image\n\n# Controls when the action will run. \non:\n push:\n tags:\n - 'v*'\n\npermissions:\n contents: read\n\nenv:\n REGISTRY: ghcr.io\n IMAGE_NAME: ${{ github.repository }}\n\njobs:\n build-and-push-image:\n runs-on: ubuntu-latest\n permissions:\n contents: read\n packages: write\n\n steps:\n - name: Harden Runner\n uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0\n with:\n egress-policy: audit\n\n - name: Checkout repository\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n\n - name: Log in to the Container registry\n uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9\n with:\n registry: ${{ env.REGISTRY }}\n username: ${{ github.actor }}\n password: ${{ secrets.GITHUB_TOKEN }}\n\n - name: Extract metadata (tags, labels) for Docker\n id: meta\n uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051\n with:\n images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}\n\n - name: Build and push Docker image\n uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8\n with:\n context: .\n push: true\n tags: ${{ steps.meta.outputs.tags }}\n labels: ${{ steps.meta.outputs.labels }}\n" }, { "path": ".github/workflows/golangci-lint.yml", "content": "name: golangci-lint\n\non:\n push:\n branches:\n - master\n pull_request:\n branches:\n - master\n\nconcurrency:\n group: ${{ github.workflow }}-${{ github.ref }}\n cancel-in-progress: true\n\npermissions:\n contents: read\n pull-requests: read\n\njobs:\n golangci:\n name: lint\n runs-on: ubuntu-latest\n steps:\n - name: Harden Runner\n uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0\n with:\n disable-sudo: true\n egress-policy: block\n allowed-endpoints: >\n api.github.com:443\n github.com:443\n golangci-lint.run:443\n objects.githubusercontent.com:443\n release-assets.githubusercontent.com:443\n proxy.golang.org:443\n raw.githubusercontent.com:443\n storage.googleapis.com:443\n sum.golang.org:443\n\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n\n - name: Set up Go\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: 'go.mod'\n\n - name: golangci-lint\n uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0\n with:\n # Note: there are 2 different version of golangci-lint used inside the project.\n # https://github.com/gopasspw/gopass/blob/master/.github/workflows/build.yml#L65\n # https://github.com/gopasspw/gopass/blob/master/.github/workflows/golangci-lint.yml#L46\n # https://github.com/gopasspw/gopass/blob/master/Makefile#L136\n version: v2.6.1 # we have a list of linters in our .golangci.yml config file\n only-new-issues: true\n" }, { "path": ".github/workflows/grype.yml", "content": "name: Scan gopass\n\non:\n push:\n branches:\n - master\n pull_request:\n branches:\n - master\n\npermissions:\n contents: read\n\nconcurrency:\n group: ${{ github.workflow }}-${{ github.ref }}\n cancel-in-progress: true\n\njobs:\n linux:\n runs-on: ubuntu-latest\n steps:\n - name: Harden Runner\n uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0\n with:\n egress-policy: audit\n\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 0\n - name: Set up Go\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: 'go.mod'\n\n - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3\n with:\n path: ~/go/pkg/mod\n key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}\n restore-keys: |\n ${{ runner.os }}-go-\n - name: Scan current project\n uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2\n with:\n path: \".\"\n fail-build: true\n severity-cutoff: critical\n" }, { "path": ".github/workflows/scorecard.yml", "content": "# This workflow uses actions that are not certified by GitHub. They are provided\n# by a third-party and are governed by separate terms of service, privacy\n# policy, and support documentation.\n\nname: Scorecard supply-chain security\non:\n # For Branch-Protection check. Only the default branch is supported. See\n # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection\n branch_protection_rule:\n # To guarantee Maintained check is occasionally updated. See\n # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained\n schedule:\n - cron: '39 8 * * 2'\n push:\n branches: [ \"master\" ]\n\n# Declare default permissions as read only.\npermissions: read-all\n\njobs:\n analysis:\n name: Scorecard analysis\n runs-on: ubuntu-latest\n permissions:\n # Needed to upload the results to code-scanning dashboard.\n security-events: write\n # Needed to publish results and get a badge (see publish_results below).\n id-token: write\n # Uncomment the permissions below if installing in a private repository.\n # contents: read\n # actions: read\n\n steps:\n - name: \"Checkout code\"\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n\n - name: \"Run analysis\"\n uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3\n with:\n results_file: results.sarif\n results_format: sarif\n # (Optional) \"write\" PAT token. Uncomment the `repo_token` line below if:\n # - you want to enable the Branch-Protection check on a *public* repository, or\n # - you are installing Scorecard on a *private* repository\n # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.\n # repo_token: ${{ secrets.SCORECARD_TOKEN }}\n\n # Public repositories:\n # - Publish results to OpenSSF REST API for easy access by consumers\n # - Allows the repository to include the Scorecard badge.\n # - See https://github.com/ossf/scorecard-action#publishing-results.\n # For private repositories:\n # - `publish_results` will always be set to `false`, regardless\n # of the value entered here.\n publish_results: true\n\n # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF\n # format to the repository Actions tab.\n - name: \"Upload artifact\"\n uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0\n with:\n name: SARIF file\n path: results.sarif\n retention-days: 5\n\n # Upload the results to GitHub's code scanning dashboard.\n - name: \"Upload to code-scanning\"\n uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v3.29.5\n with:\n sarif_file: results.sarif\n" }, { "path": ".gitignore", "content": "gopass\ngopass-*-amd64\ngopass-full\ndev.sh\n!pkg/gopass/\ncoverage.out\ncoverage-all.*\n.vscode/\n\n# Profiling\n*.out\n\n# Compiled Object files, Static and Dynamic libs (Shared Objects)\n*.o\n*.a\n*.so\n\n# Folders\n_obj\n_test\n\n# Architecture specific extensions/prefixes\n*.[568vq]\n[568vq].out\n\n*.cgo1.go\n*.cgo2.c\n_cgo_defun.c\n_cgo_gotypes.go\n_cgo_export.*\n\n_testmain.go\n\n*.exe\n*.test\n*.prof\n\n# gopass specific ignores\n*.sublime-*\n*.swp\n/.env\n\n# package files\n*.deb\n*.pkg.tar.xz\n*.rpm\n*.tar.bz2\n\nreleases/\ndist/\n\nmanifest-*.json\n\n# go-fuzz\n*-fuzz.zip\nworkdir/\n\n.vscode/\nNOTICE.new\n\ndebian/\n" }, { "path": ".golangci.yml", "content": "version: \"2\"\noutput:\n sort-order:\n - linter\n - file\nlinters:\n enable:\n - asasalint\n - asciicheck\n - bidichk\n - bodyclose\n - containedctx\n - copyloopvar\n - cyclop\n - decorder\n - dogsled\n - errchkjson\n - errname\n - errorlint\n - exhaustive\n - forcetypeassert\n - funlen\n - ginkgolinter\n - gocheckcompilerdirectives\n - gochecksumtype\n - godot\n - goheader\n - gomoddirectives\n - gomodguard\n - goprintffuncname\n - gosmopolitan\n - grouper\n - importas\n - intrange\n - loggercheck\n - makezero\n - mirror\n - misspell\n - nakedret\n - nestif\n - nilnil\n - nlreturn\n - nonamedreturns\n - nosprintfhostport\n - prealloc\n - predeclared\n - promlinter\n - protogetter\n - reassign\n - sloglint\n - spancheck\n - tagalign\n - testableexamples\n - testifylint\n - thelper\n - unconvert\n - usestdlibvars\n - usetesting\n - whitespace\n - zerologlint\n settings:\n cyclop:\n max-complexity: 24\n errcheck:\n exclude-functions:\n - fmt.Fprint\n - fmt.Fprintf\n - fmt.Fprintln\n funlen:\n lines: -1\n statements: 100\n gocyclo:\n min-complexity: 22\n staticcheck:\n checks:\n - all\n - -SA1019\n - -ST1000\n exclusions:\n generated: lax\n rules:\n - linters:\n - cyclop\n path: (.+)_test\\.go\n - linters:\n - govet\n path: (.+)_fuzz\\.go\n paths:\n - helpers/\n - third_party$\n - builtin$\n - examples$\nissues:\n max-issues-per-linter: 0\n max-same-issues: 0\nformatters:\n enable:\n - gofmt\n - gofumpt\n - goimports\n exclusions:\n generated: lax\n paths:\n - helpers/\n - third_party$\n - builtin$\n - examples$\n" }, { "path": ".goreleaser.yml", "content": "# yaml-language-server: $schema=https://goreleaser.com/static/schema.json\n# goreleaser.yml\n# Release automation\n#\n# Build customization\nproject_name: gopass\nversion: 2\n\nbefore:\n hooks:\n - make clean\n - make completion\n - go mod download\n\nbuilds:\n - id: gopass\n binary: gopass\n flags:\n - -trimpath\n - -tags=netgo\n env:\n - CGO_ENABLED=0\n asmflags:\n - all=-trimpath={{.Env.HOME}}\n gcflags:\n - all=-trimpath={{.Env.HOME}}\n ldflags: |\n -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -extldflags '-static'\n goos:\n - darwin\n - freebsd\n - linux\n - openbsd\n - windows\n goarch:\n - amd64\n - arm\n - arm64\n goarm:\n - 6\n - 7\n mod_timestamp: '{{ .CommitTimestamp }}'\narchives:\n - id: gopass\n name_template: \"{{.Binary}}-{{.Version}}-{{.Os}}-{{.Arch}}{{ if .Arm }}v{{.Arm }}{{ end }}\"\n formats: ['tar.gz']\n format_overrides:\n - goos: windows\n formats: ['zip']\n files:\n - CHANGELOG.md\n - LICENSE\n - README.md\n - bash.completion\n - fish.completion\n - zsh.completion\n\nrelease:\n github:\n owner: gopasspw\n name: gopass\n draft: false\n prerelease: auto\n\nnfpms:\n - id: gopass_deb\n vendor: Gopass Authors\n homepage: \"https://www.gopass.pw\"\n maintainer: \"Gopass Authors \"\n description: |-\n gopass password manager - full featured CLI replacement for pass, designed for teams.\n .\n gopass is a simple but powerful password manager for your terminal. It is a\n Pass implementation in Go that can be used as a drop in replacement.\n .\n Every secret lives inside of a gpg (or: age) encrypted textfile. These secrets\n can be organized into meaninful hierachies and are by default versioned using\n git.\n .\n This package contains the main gopass binary from gopass.pw. In Debian and\n Ubuntu there is an unfortunate name clash with another gopass package. That is\n completely different and not related to this package.\n license: MIT\n formats:\n - deb\n dependencies:\n - git\n - gnupg\n recommends:\n - rng-tools\n - bash-completion\n contents:\n - src: gopass.1\n dst: /usr/share/man/man1/gopass.1\n - src: LICENSE\n dst: /usr/share/doc/gopass/LICENSE\n - src: CHANGELOG.md\n dst: /usr/share/doc/gopass/CHANGELOG.md\n - src: bash.completion\n dst: /usr/share/bash-completion/completions/gopass\n - src: fish.completion\n dst: /usr/share/fish/vendor_completions.d/gopass.fish\n - src: zsh.completion\n dst: /usr/share/zsh/functions/Completion/Linux/_gopass\n - id: gopass_rpm\n vendor: Gopass Authors\n homepage: \"https://www.gopass.pw\"\n maintainer: \"Gopass Authors \"\n description: |-\n gopass password manager - full featured CLI replacement for pass, designed for teams.\n\n gopass is a simple but powerful password manager for your terminal. It is a\n Pass implementation in Go that can be used as a drop in replacement.\n\n Every secret lives inside of a gpg (or: age) encrypted textfile. These secrets\n can be organized into meaninful hierachies and are by default versioned using\n git.\n license: MIT\n formats:\n - rpm\n dependencies:\n - git\n - gnupg2\n recommends:\n - rng-tools\n - bash-completion\n contents:\n - src: gopass.1\n dst: /usr/share/man/man1/gopass.1\n - src: LICENSE\n dst: /usr/share/doc/gopass/LICENSE\n - src: CHANGELOG.md\n dst: /usr/share/doc/gopass/CHANGELOG.md\n - src: bash.completion\n dst: /usr/share/bash-completion/completions/gopass\n - src: fish.completion\n dst: /usr/share/fish/vendor_completions.d/gopass.fish\n - src: zsh.completion\n dst: /usr/share/zsh/functions/Completion/Linux/_gopass\n\nsource:\n enabled: true\n name_template: \"{{.ProjectName}}-{{.Version}}\"\n \nchecksum:\n name_template: \"{{.ProjectName}}_{{.Version}}_SHA256SUMS\"\n\nmilestones:\n -\n repo:\n owner: gopasspw\n name: gopass\n close: true\n fail_on_error: false\n name_template: \"{{ .Major }}.{{ .Minor }}.{{ .Patch }}\"\n\nsigns:\n -\n id: gopass\n artifacts: checksum\n args: [\"--batch\", \"-u\", \"{{ .Env.GPG_FINGERPRINT }}\", \"--armor\", \"--output\", \"${signature}\", \"--detach-sign\", \"${artifact}\"]\n\n# creates SBOMs of all archives and the source tarball using syft\n# https://goreleaser.com/customization/sbom\nsboms:\n - artifacts: archive\n - id: source # Two different sbom configurations need two different IDs\n artifacts: source\n" }, { "path": ".license-lint.yml", "content": "unrestricted_licenses:\n - Apache-2.0\n - MIT\n - BSD-3-Clause\n - BSD-2-Clause\n - 0BSD\n - WTFPL\n - CC0-1.0\nreciprocal_licenses:\n - MPL-2.0\n - MPL-2.0-no-copyleft-exception\nallowlisted_modules:\n# Simplified BSD (BSD-2-Clause): https://github.com/russross/blackfriday/blob/master/LICENSE.txt\n- github.com/russross/blackfriday\n- github.com/russross/blackfriday/v2\n# Apache license\n- github.com/dgraph-io/ristretto\n- github.com/spf13/afero\n# Modified BSD-2-Clause with extra no-Google clause: https://github.com/jezek/xgb/blob/master/LICENSE\n- github.com/jezek/xgb\n# MIT\n- github.com/jwalton/go-supportscolor" }, { "path": ".revive.toml", "content": "# Ignores files with \"GENERATED\" header, similar to golint\nignoreGeneratedHeader = false\n\n# Sets the default severity to \"warning\"\nseverity = \"error\"\n\n# Sets the default failure confidence. This means that linting errors\n# with less than 0.8 confidence will be ignored.\nconfidence = 0.6\n\n# Sets the error code for failures with severity \"error\"\nerrorCode = 1\n\n# Sets the error code for failures with severity \"warning\"\nwarningCode = 1\n\n[rule.argument-limit]\n arguments = [10]\n[rule.blank-imports]\n[rule.context-as-argument]\n[rule.context-keys-type]\n[rule.cyclomatic]\n arguments = [21]\n[rule.dot-imports]\n[rule.error-naming]\n[rule.error-return]\n[rule.error-strings]\n[rule.errorf]\n[rule.exported]\n[rule.if-return]\n[rule.increment-decrement]\n[rule.indent-error-flow]\n[rule.package-comments]\n[rule.range]\n[rule.receiver-naming]\n[rule.time-naming]\n[rule.unexported-return]\n[rule.var-declaration]\n[rule.var-naming]\n" }, { "path": "AGENTS.md", "content": "# Project Overview\n\ngopass is a command line application that allows users to managed their passwords and other secrets inside encrypted files. Those files are usually encrypted using gpg (but other backends like age do exist). The files are usually managed using git (but other VCS backends exist as well). The CLI is primarily intended for human users.\n\nSeveral integration exist, these are stand alone projects that use the exposed gopass API to interact with an existing password store.\n\ngopass supports multiple password stores. It requires at least one root store but any number of additional stores can be mounted, just like filesystems on Linux, inside the root store. Each store can use a different encryption method and VCS.\n\nThe primary use case of using different password stores is to encrypt and share the content with a different set of recipients.\n\nThe project is specifically targeting users on all major platform, i.e. Linux, Unix, MacOS and Windows.\n\n## Folder Structure\n\n- `/docs`: Contains human readable documentation for the project.\n- `/helpers`: Contains tools used to maintain the project. Users usually don't use those, these are mainly for developers and maintainers of the project. Do not touch this directory unless instructed to do so.\n- `/internal`: Contains most of the implementation of the project. It is visibility restricted so other projects can not depend on it and we can be very liberal with breaking changes.\n- `/pkg`: Contains the public API (inside `/pkg/gopass`) used by our integrations and other projects as well as necessary support packages to make using the API feasible.\n- `/tests`: Contains only integration tests, i.e. those mock a real GPG-based gopass installation. They are quite slow but provide kind of a regression testing. Remember to add or adjust those when adding major new features.\n- `/internal/action`: Contains the different CLI subcommands. Usually one file per top-level subcommand (e.g. the implementation for `gopass ls` is in `/internal/action/list.go`) with an accompanying `_test.go` file that contains the unit tests. All commands need to be registered in `/internal/action/commands.go`.\n- `/internal/audit`: Contains the audit code that checks password stores for weak passwords or related issues.\n- `/internal/backend`: Contains the different backend implementations for both encryption as well as version controlled storage. Storage implementations need to register themselves in `/internal/backend.StorageRegistry` while encryption backends need to register in `/internal/backend.CryptoRegistry`.\n- `/internal/backend/crypto/age`: Contains the `age` encryption backend. It is a pure-Go implementation. Refer to the [docs](docs/backends/age.md) as well.\n- `/internal/backend/crypto/gpg/cli`: Contains the `gpg` encryption backend. It mostly uses the `gpg` binary to support the different configurations (e.g. smart cards) which wouldn't be possible with existing pure-Go implementation. Refer to [docs](docs/backends/gpg.md) as well.\n- `/internal/backend/crypto/plain`: Contains the plaintext backend (no encryption). This should only be used for testing. Users should never use this.\n- `/internal/backend/storage/fossilfs`: Contains an experimental storage backend using the Fossil SCM. It might be removed in the future.\n- `/internal/backend/storage/fs`: Contains a storage backend without SCM integration, i.e. it simply writes to files on disk without versioning support. Should usually only be used for tests or if users have some kind of transparent versioning system underneath.\n- `/internal/backend/storage/gitfs`: Contains the primary storage backend that is using `git` to manage files.\n- `/internal/config`: Contains our custom config handling. It is based on the git configuration file format as implemented by our [gitconfig](http://github.com/gopasspw/gitconfig) package. When reading config settings prefer to using `config.Bool(ctx, key)`, `config.String(ctx, key)` or `config.Int(ctx, key)`. Use the low-level methods only when those are not sufficient. Avoid touching the `legacy` package underneath unless asked to.\n- `/internal/out`: Contains our output helpers. Prefer those over Go standard lib packages (like fmt) for consistency.\n- `/internal/store`: Contains the core of the password store implementation (utilizing the configured backends).\n- `/internal/store/root`: Contains the root store. This always exist once in a gopass process. It delegates most operations to one or more leaf stores.\n- `/internal/store/leaf`: Contains the leaf store. There must be at least one initialized leaf store per gopass instance. But there can be as many as necessary.\n- `/pkg/appdir`: Contains a facility for providing system-dependentt paths for application resources, like config or cache directories. It does honor the `GOPASS_HOMEDIR` variable. This is very useful for testing since a gopass instance running with this variable set to a temporary location will not interfere with the actual production instance a user might be using.\n- `/pkg/clipboard`: Contains methods to interact with clipboards on all major operating systems. It is using our [clipboard](http://github.com/gopasspw/clipboard) package. It also supports clearing the clipboard after a given interval.\n- `/pkg/ctxutil`: Provides the necessary plumbling to interact with config values stored in the context. Avoid adding new context keys if possible and prefer config values. But if adding context keys is necessary they should only be defined in this file.\n- `/pkg/debug`: Contains a debug package with different verbosity levels. Use it to output debug information to a debug log.\n- `/pkg/fsutil`: Contains various helpers for interacting with the filesystem, e.g. checking for presence of files or directories. Prefer those over implementing these checks from scratch.\n- `/pkg/gopass`: Contains the public gopass API to interact with existing password stores. The `api` sub package contains the actual API and the `secrets` sub package the different secret types we support.\n- `/pkg/pwgen`: Contains a pure-Go implementation of the `pwgen` utility.\n- `/pkg/set`: Contains a generic set type.\n- `/pkg/tempfile`: Contains utility functions for creating and dealing with temp files. It attempts to be more secure than the normal temp file functions from the stdlib. Prefer those over the stdlib.\n- `/pkg/termio`: Contains functions for interacting with the user of the terminal.\n\n## Libraries and Frameworks\n\n- Avoid introducing new external dependencies unless absolutely necessary.\n- If a new dependency is required, please state the reason.\n- The project is licensed under the terms of the MIT license and we can only add compatible licenses. See [.license-lint.yml](.license-lint.yml) for a list of compatible licenses.\n- We must avoid introducing CGo dependencies since this make cross-compiling infeasible.\n\n## Testing instructions\n\n- Always run `make test` and `make codequality` before submitting.\n- Run `make fmt` to properly format the code. Run this before `make codequality`.\n- Before mailing a PR run `make test-integration`\n\n" }, { "path": "ARCHITECTURE.md", "content": "# Architecture\n\nThis document describes the high-level architecture of gopass. If you want to\nget familiar with the code base you are in the right place.\n\n## Overview\n\nOn the highest level gopass manages directories (called `stores` or `mounts`)\nthat contain (mostly) GPG encrypted text files. gopass transparently handles\nencryption and decryption when accessing these files. It applies some heuristics\nto parse the file content and support certain operations on that content.\n\n`gopass` is licensed under the terms of the MIT license and we require\ncompatible licenses from our dependencies as well (when we link against them).\n\nFor licensing reasons and security considerations we try to keep the number of\nexternal dependencies (libraries) well-arranged. Try to avoid adding new\ndependencies unless absolutely necessary.\n\n## Generalized control flow\n\n![](docs/components.png)\n\nThis flow chart shows a high level control flow common to most operations.\nIt leaves out a lot of details but should give a better understanding how\ninformation flows within the program and where changes might be necessary.\n\n## Code Map\n\nThis section talks briefly about the various directories and some data\nstructures.\n\nWe're trying to clearly separate between our public API and implementation\ndetails. To that extent we're in the process of moving packages to `internal/`\n(and sometimes back to `pkg/`, if necessary).\n\nA note on semantic versioning: `gopass` is both an CLI and an API (Go module).\nThe expectations around semantic versioning and Go modules make it difficult\nto express both concerns in the same versioning scheme, e.g. does a breaking\nchange in the API require a major version bump even if nothing about the tool\n(CLI) has changed? What about the other way round? Thus we have decided to\napply semantic versioning only to the CLI tool, not the Go module. This is not\nideal and might change with sufficient active contributors.\n\n### `docs/backends`\n\nThis folder contains documentation about each of our supported backends. See\n`internal/backend` below for more information about our backend design.\n\n### `docs/commands`\n\nThis folder contains the specification of each sub command the tool offers.\nWe have many sub commands with sometimes dozens of flags each. In the past we\ndid encounter some inconsistencies and decided to introduce specifications for\neach command. If the specification and the implementation disagree this should\nbe reported as a bug and fixed or the specification needs to be changed (but the\ngeneral assumptions should be that the specification is correct, not the code).\n\n### `docs/usecases`\n\nThis directory contains an (incomplete) list of our core use cases, i.e. the\ncritical user journeys we aim to support. `gopass` can be used in various ways\nand try to remain flexible and extensible, but if we encounter a conflict\nbetween a blessed use case and a corner case we prefer the former.\n\n### `helpers/`\n\nThis directory contains some release automation tooling that is supposed to be\ninvoked with `go run`. The changelog generator in `helpers/changelog` is used\nby our GitHub Action based release automation and shouldn't be invoked manually.\n\nThe tooling in `helpers/release` will prepare a new release and helps to file a\nrelease pull request will all the required updates in place.\n\n### `internal/` and `pkg/`\n\n`gopass` used to not have either of these and all our packages were rooted\ndirectly in the repository. However we began to notice that other projects\nwere starting to depend directly on our internal packages and we sometimes\nbroke them. This put us and the other project into an unpleasant\nsituation so we tried to clarify the expectations by using Go's `internal/`\nvisibility rule to keep other projects from depending on our implementation\ndetails.\n\nNote: If we have a good reasons to use one of our `internal/` packages either\ncopy it (our license should rarely be an issue) or nicely ask us and explain\nwhy something should move to `pkg/`.\n\nAs we are in the process of formalizing a proper API surface we sometimes need\nto move packages from `internal/` to `pkg/`. The other direction might also\noccur, but much less often.\n\n### `internal/action`\n\nThis directory contains one file, and sometimes sub folders, for each command\n`gopass` supports. These are mostly self-contained, but some (e.g. show / edit\n/ find) need to depend on each other.\n\nTODO: There is a lot to be said about this package, e.g. custom errors.\n\n### `internal/backend`\n\n`gopass` is built around the concept of multiple independent password stores\nthat can be mounted into one namespace, much like regular file systems. Each\nof these stores can have a different storage and crypto backend. We used to\nhave independent revision control backends as well, but since the RCS (e.g.\ngit) interacts so closely with the storage (you can't use regular git w/o a\nfilesystem-based storage) we have merged storage and RCS backends.\n\nThe backend package defines the interfaces for the backend implementation\nand provides a registry that returns the concrete backend from the list of\nregistered ones. Registration happens through blank imports of either the\n`internal/backend/crypto` and `internal/backend/storage` packages.\n\nEach backend needs to have a loader implementation in its `loader.go` (please\nstick to this name). We try to auto-detect the most applicable backend when\ninitializing the process, but some backends look alike (e.g. a `fs` and an \nuninitialized `gitfs`). So the loader comes with a priority which is respected\nduring lookup.\n\n### `internal/config`\n\nThe `config` package implements support for a simple YAML-based configuration\nformat for `gopass`. Most of the code in this package is for backwards\ncompatibility. Whenever we introduce or remove a config option we need to\nintroduce a new fallback version that is automatically attempted when loading\na config file. To resolve ambiguities when parsing different config versions\nwe use a \"catch-all\" field to catch any unused keys and check that this is\nempty after parsing - otherwise we need to try a different config version.\n\nNOTE: We did support nested configurations for sub-stores but removed this\nbecause the maintenance cost did not justify the benefits of this feature.\n\n### `internal/cui`\n\nThe name `cui` is an abbreviation for `console-user-interface` and contains\nseveral helper functions to interact with humans over a text based interface.\n\nMost of these ask the user to select some item from a selection or provide\nsome input.\n\nNOTE: We used to support rich terminal UIs with arrow navigation and such.\nHowever all existing libraries that were available without CGO were either\nabandoned or buggy on some platforms and we didn't have any capacity to fix\nthem. So we had to remove support for this feature.\n\n### `internal/queue`\n\nThe `queue` package implements a FIFO queue that executes\nin the background. This allows for certain operations, like a git push, to be\ntaken out of the critical path wrt. user interactions. The queue will be fully\nprocessed before the process exits.\n\n### `internal/store/root`\n\nThe `root store` package implements an internal password store API that (only)\nsupports mounting `leaf` stores. It will forward (almost) all operations to\nits `leaf` stores (moves across stores being a notable exception) and do the\nnecessary manipulations of the affected path components (e.g. removing/adding\nthe mount prefix from the secret name as needed).\n\nThis package makes `gopass` multi-store capable.\n\n### `internal/store/leaf`\n\nThe `leaf store` package implements a password store that is mostly compatible\nwith any other password store implementation (while aiming for interoperability,\nnot at 100% feature parity). The low-level operations like filesystem and / or\nversion control and crypto operations are passed to the configured `storage`\nor `crypto` backend.\n\n### `internal/tree`\n\nThe `tree` package implements a simple tree structure that prints an output\nsimilar to the output of the Unix tool `tree`. It does support different\n`gopass` specific properties (like mounts or templates) not easily implemented\nwith other tree packages.\n\n### `internal/updater`\n\nThe `updater` package implements a secure and anonymous self updater.\n\nNote: The self updater contacts GitHub. If this is a concern one should use\nother sources, e.g. distro packages.\n\nIt retrieves the latest stable release from GitHub, fetches its metadata\nand verifies the signature against the built-in release signing keyring.\n\nIt tries to avoid conflicting with any `gopass` binary managed by the OS\nand refuse to update these.\n\n### `pkg/`\n\nThe package `pkg/` contains our public API surface, i.e. packages we want or\nhave to expose externally. Some packages (e.g. `otp`) are only exposed because\nthey are being used by some of our integrations. Others (e.g. `pinentry` or\n`pwgen`) are designed for wider use. We are considering to split some of the\nmore widely used packages into their own repositories to work better with\nGo module and semantic versioning expectations.\n\n#### `pkg/appdir`\n\nThe `appdir` package contains a set of [XDG Base Directory Specification](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html)\ncompatible implementations with some `gopass` specifics. For testing purposes\nwe want to honor the setting of `GOPASS_HOMEDIR` before everything else, so our\nimplementation has to take this into account before following the XDG spec.\n\n#### `pkg/clipboard`\n\nThe `clipboard` package is a wrapper around a clipboard package that adds\nsupport for clearing the clipboard.\n\n#### `pkg/ctxutil`\n\nThe `ctxutil` is the pragmatic (read: non-idiomatic) approach to pass very\nspecific configuration options through multiple layers of abstraction. This is\narguably not the best design, but it works well and avoids bloated interfaces.\n\n#### `pkg/gopass`\n\nThis package contains **the** gopass API interface. We provide a concrete\nimplementation that should work with any properly initialized gopass setup\nand a mock for tests.\n\nThis package is designed as the main entry point for any integration that wants\nto integrate with gopass.\n\n### `tests`\n\n`gopass` comes with a comprehensive set of integration tests, i.e. tests that\nare executed by running a newly compiled gopass binary without access to any\nkind of internal state. These tests can't be as exhaustive as the unit tests\nbut they exist to ensure basic functionality aren't broken by a change.\n\n\n" }, { "path": "CHANGELOG.md", "content": "# Changelog\n\n## 1.16.1 / 2025-12-13\n\n* chore(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#3299)\n* chore(deps): bump actions/setup-go from 6.0.0 to 6.1.0 (#3300)\n* chore(deps): bump anchore/sbom-action from 0.20.9 to 0.20.10 (#3296)\n* chore(deps): bump anchore/scan-action from 7.1.0 to 7.2.1 (#3298)\n* chore(deps): bump docker/metadata-action from 5.8.0 to 5.10.0 (#3297)\n* chore(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#3295)\n* chore(deps): bump golangci/golangci-lint-action from 9.0.0 to 9.1.0 (#3302)\n* chore(deps): bump step-security/harden-runner from 2.13.1 to 2.13.2 (#3301)\n* fix(config): use the config propery generate.strict as default value for Strict rules (#3303)\n* fix: Fix version check against latest release (#3292)\n\n## 1.16.0 / 2025-11-12\n\n* [BUGFIX] reorg: List all secrets instead of just top-level folders (#3245)\n* [chore] Add capability and vulnerability checks (#3266)\n* [chore] Initial fixes and added a warning for CryptFS and JJFS (#3270)\n* [chore] Logging improvements (#3273)\n* [chore] Run linux builds with multiple Go versions (#3272)\n* [fix] Correctly handle IsGitCommit false in store.Move (#3246)\n* [fix] Drop Go 1.23 (#3274)\n* [fix] Fix clipboard issues (#3267)\n* [fix] Fix version check (#3268)\n* chore(deps): bump actions/cache from 4.2.4 to 4.3.0 (#3263)\n* chore(deps): bump actions/setup-go from 5.5.0 to 6.0.0 (#3262)\n* chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#3281)\n* chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 (#3258)\n* chore(deps): bump anchore/sbom-action from 0.20.6 to 0.20.9 (#3284)\n* chore(deps): bump anchore/scan-action from 6.5.1 to 7.0.0 (#3264)\n* chore(deps): bump anchore/scan-action from 7.0.0 to 7.1.0 (#3280)\n* chore(deps): bump docker/login-action from 3.5.0 to 3.6.0 (#3260)\n* chore(deps): bump github/codeql-action from 3.30.0 to 3.30.5 (#3261)\n* chore(deps): bump github/codeql-action from 3.30.5 to 4.31.2 (#3282)\n* chore(deps): bump msys2/setup-msys2 from 2.28.0 to 2.29.0 (#3257)\n* chore(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 (#3259)\n* chore(deps): bump sigstore/cosign-installer from 3.10.0 to 4.0.0 (#3283)\n* chore(deps): bump sigstore/cosign-installer from 3.9.2 to 3.10.0 (#3255)\n* chore(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 (#3256)\n* chore: Update golangci-lint (#3287)\n* docs: Add GoDoc to pkg and improve markdown files (#3251)\n* feat(age): Add unlock command to age agent (#3244)\n* feat: Add cryptfs storage backend for filename encryption (#3249)\n* feat: Clone remote on init (#3247)\n* fix: Fix release helper and update capabilities for caplos (#3288)\n\n## 1.15.18 / 2025-09-19\n\n* [fix] Enable Windows builders (#3237)\n* [fix] Fix recipient check error (#3235)\n* [fix] Update gitconfig to v0.0.3 to pull in Windows fixes (#3236)\n* [fix] Use Go 1.24 instead of Go 1.25 (#3226)\n* docs: Add note about pass compatibility (#3229)\n* feat: Add reorg command (#3232)\n* feat: Allow to customize commit messages (#3231)\n* feat: Improve usability of 'gopass mounts add' command (#3238)\n* fix(config): Make core.exportkeys handling consistent (#3228)\n* fix(gpg): Opportunistic key comparison on import (#3230)\n\n## 1.15.17 / 2025-09-15\n\n* [BUGFIX] Fix --force flag in recipients add (#3173)\n* [chore] Add tests and comments for hasPwRuleForSecret (#3162)\n* [chore] Automatically approve and merge dependabot PRs (#3220)\n* [chore] Bump github.com/gopasspw/clipboard to v0.0.3 (#3219)\n* [chore] Disable updating gopasspw.github.io (#3184)\n* [chore] Expose gopass env in help (#3158)\n* [chore] Fix hardened runner (#3196)\n* [chore] Update Go versions (#3139)\n* [chore] Update dependencies (#3197)\n* [feat] Add Jujutsu storage backend (#3202)\n* [feat] Honor generator options in the create workflow (#3149)\n* [fix] Add workaround for pre-release test failures (#3198)\n* [fix] Disable Windows tests (#3204)\n* [fix] Fixes creation template lookup on Windows (#3157)\n* [fix] avoid length prompt when input is within rule boundary (#3159)\n* [fix] skip redundant confirmation when --edit is used (#3161)\n* [fix] use WritePassword for secure write (#3200)\n* [testing] use `/usr/bin/env cat` instead of `/bin/cat` (#3160)\n\n## 1.15.16 / 2025-04-21\n\n* [BUGFIX] Allow use of trailing slash for cp/mv command (#3080)\n* [BUGFIX] Check if any usable key matches on clone (#3027)\n* [BUGFIX] Fixed max length check for strings in create/wizard (#3056)\n* [BUGFIX] Fixed password not saving to clipboard with safecontent and autoclip true (#3053)\n* [BUGFIX] replace return of wrong error variable (#3015)\n* [ENHANCEMENT] Add support for autocompletion with flags in REPL mode (#3057)\n* [ENHANCEMENT] Make it possible to override `show.autoclip` (#3082)\n* [FEATURE] Add option -r/--regex to find (#3083)\n* [UX] Make single store sync more intuitive / verbose (#3076)\n* [bugfix] Don't check for autosync on manual triggered sync (#3026) (#3029)\n* [chore] Add keep-sorted linter (#3130)\n* [chore] Add tpl func tests and fix two small issues (#3058)\n* [chore] Do not run linters twice (#3119)\n* [chore] Migrate goreleaser config to v2 (#3122)\n* [chore] Migrate to golangci-lint v2 (#3104)\n* [chore] Move gitconfig to their own repo (#3131)\n* [chore] Move set from internal to pkg (#3129)\n* [chore] Update dependencies (#3120)\n* [feat] Add conditional includes for gitconfig (#3128)\n* [feat] Add unconditional includes for gitconfig (#3127)\n* [feat] Remove expensive and unmaintained zxcvbn-go strength checker (#3133)\n* [feat] Replace clipboard library to support wl-copy args (#3123)\n* [fix] Add LICENSE, Changelog, manpage and shell completions to deb and (#3121)\n* [fix] Fix a flaky test (#3137)\n* [fix] Fix debug.ModuleVersion (#3079)\n* [fix] Fix test failure due to ambient variables (#3135)\n* [fix] Fix test regressions (#3116)\n* [fix] Fix this annoying test\n* [fix] Include git commit hash in tarballs (#3124)\n* [fix] Relase fixes (#3136)\n* [fix] Update Makefile and fix lint violations (#3134)\n\n## 1.15.15 / 2024-11-24\n\n* [BUGFIX] Replace ~ with user homedir if `$GOPASS_HOMEDIR` is not set (#2961)\n* [CLEANUP] Replace experimental `maps` and `slices` with stdlib (#2993)\n* [CLEANUP] remove unreachable code (#2977)\n* [DEPRECATION] Remove references to deprecated rand.Seed (#2953)\n* [ENHANCEMENT] Allow for whitespace-trailing passwords (#2873) (#2954)\n* [FEATURE] Adding support for `age.Plugin` identities (#2960)\n* [FEATURE] Allow for non-interactive age setup (#2970)\n* [FEATURE] Ask for setup if not initialized (#2975)\n* [bugfix] Copy with trailing slash at destination. (#2966)\n* [chore] use the same version of golangci-lint (#2948)\n\n## 1.15.14 / 2024-08-03\n\n* [bugfix] Fix parsing of key-value pairs according to the gitconfig (#2911)\n* [chore] Update dependency to github.com/cenkalti/backoff/v4 (#2864)\n* [chore] Update dependency to github.com/godbus/dbus/v5 (#2860)\n* [chore] Update dependency to github.com/google/go-github/v61 (#2863)\n* [chore] Update dependency to github.com/xhit/go-str2duration/v2 (#2865)\n* [chore] Update hashicorp/golang-lru to v2 (#2859)\n\n## 1.15.13 / 2024-04-06\n\n* [bugfix] Default to true for core.exportkeys even in substores (#2848)\n* [bugfix] Do not report findings with severity none in audit summary (#2843)\n* [bugfix] Fix loading of git configs (#2849)\n* [chore] Update dependencies (#2850)\n* [chore] Use clean filepath in all of the fs.Set operation (#2846)\n* [chore] use the same version of golangci-lint (#2841)\n* [feat] Add an multi-line input type to the create wizard (#2847)\n* [feat] Add option to disable notification icon (#2845)\n* [feat] Add verbosity levels to the debug package (#2851)\n* [fix] Disble safecontent parsing if noparsing is requested (#2855)\n* [fix] Pass remote, if given, to local init as well (#2852)\n\n## 1.15.12 / 2024-03-17\n\n* [BUGFIX] Use 'en' as default language for the xkcd generator (#2793)\n* [DOCUMENTATION] Fix typo: initilize -> initialize (#2796)\n* [bugfix] Bring back audit summary (#2820)\n* [bugfix] Do not abort saving if the OTP counter is aborted (#2775)\n* [bugfix] Fix NPE when using recipients completion (#2823)\n* [bugfix] Warn if trying to use fscopy inside the store (#2832)\n* [chore] Upgrade to Go 1.22 (#2805)\n* [cleanup] Add better logging in case no owner key is found (#2748)\n* [feat] Add .gopass-audit-ignore support to ignore secrets from audits (#2822)\n* [feat] Allow supression of password generation in create templates (#2821)\n* [ux] Add hint that computing recipients takes some time (#2833)\n* [ux] Do not show create type chooser if only one exists (#2752)\n\n## 1.15.11 / 2023-12-01\n\n* [bugfix] Disable multi-line description for deb packages (#2729)\n* [bugfix] Fix writes to global config from tests (#2727)\n* [bugfix] Workaround for goreleaser/nfpm#742 (#2732)\n* [feature] Allow setting autosync.interval in different time units (#2731)\n\n## 1.15.10 / 2023-11-25\n\n* [BUGFIX] Allow to move shadowed entries into their own folder (#2718)\n* [BUGFIX] Try to always honor local config for mounts (#2724)\n* [chore] Add OSSF scorecard link and improve security posture (#2704)\n* [chore] Update goxkcdpwgen dependency to include my PR (#2722)\n* [chore] Update grype workflow and pin Docker base images (#2706)\n* [cleanup] Add package description (#2702)\n* [feature] Add new pwgen options to capitalize and include numbers in (#2703)\n\n## 1.15.9 / 2023-11-18\n\n* [BUGFIX] Disabling the OTP snip screenshot feature on OpenBSD (#2685)\n* [CLEANUP] Migration of options to more appropriate sections (#2681)\n* [bugfix] Improve git version parsing (#2690)\n* [bugfix] Remove leading and trailing slashes from mounts (#2698)\n* [enhancement] Add blake3 to the template functions (#2693)\n* [enhancement] Add input validation to block illegal mount points (#2672)\n\n## 1.15.8 / 2023-09-11\n\n* [BUGFIX] Use goreleaser build for crosscompile (#2635)\n* [bugfix] Allow fsck to check a single secret (#2659)\n* [bugfix] Do not remove unused keys on import by default (#2657)\n* [bugfix] Fix parsing of large secrets (#2654)\n* [chore] Update dependencies (#2660)\n* [docs] add/update choco, scoop, winget instructions (#2647)\n* [feat] Add --store option to gopass fsck (#2658)\n* [feat] Add XCKD pwgen config options (#2651)\n\n## 1.15.7 / 2023-08-04\n\n* [BUGFIX] Fix build issues on various non-Linux platforms (#2630, #2633)\n\n## 1.15.6 / 2023-07-30\n\n* [DOCUMENTATION] fix Arch Linux package url (#2598)\n* [BUGFIX] Only show desktop notifications if there are changes (#2627)\n* [ENHANCEMENT] Add a global nosync flag (#2626)\n* [BUGFIX] Correctly handle multiline secrets (#2625)\n* [ENHANCEMENT] Add screen parsing for OTP QR codes (#2597)\n\n## 1.15.5 / 2023-04-07\n\n* [CLEANUP] Use Go1.20 (#2567)\n* [ENHANCEMENT] Add internal pager (ov). (#2510)\n\n## 1.15.4 / 2023-02-12\n\n* [BUGFIX] Also accept lower case CTE headers. (#2539, #2518)\n* [BUGFIX] Commit changes to mount config changes. (#2542, #2530)\n* [BUGFIX] Do not restrict pwlen when maxlen is zero. (#2537, #2536)\n* [BUGFIX] Fix fossilfs sync (#2549, #2516)\n* [BUGFIX] Fix recipients check for age. (#2545, #2544)\n* [BUGFIX] Hide harmless git error messages. (#2547, #2543)\n* [BUGFIX] Improve error handling for gopass convert (#2548, #2520)\n* [ENHANCEMENT] Add edit.auto-create (#2538)\n\n## 1.15.3 / 2023-01-07\n\n* [BUGFIX] Check recipients before launching editor. (#2488, #1565)\n* [BUGFIX] Fix possible concurrency issues in fsck. (#2486, #2459)\n* [BUGFIX] Honor core.autosync (#2497, #2495)\n* [BUGFIX] Honor fuzzy search abort (#2491, #2490)\n* [ENHANCEMENT] Add nicer gopass audit HTML output (#2508)\n* [ENHANCEMENT] Check recipients before adding a new one. (#2487, #1918)\n* [ENHANCEMENT] Do not enforce lower case keys (#2489, #1777)\n* [ENHANCEMENT] Do not rewrite ~. (#2496, #2083)\n* [ENHANCEMENT] Rewrite gopass audit. Add HTML and CSV (#2506, #2504)\n* [ENHANCEMENT] gitconfig: Support MultiVars (#2476, #2457)\n\n## 1.15.2 / 2022-12-18\n\n* [BUGFIX] [gitconfig] Properly parse Key-Value pairs with (#2482, #2479)\n* [ENHANCEMENT] Add --force-regen flag to generate (#2475, #2474)\n* [ENHANCEMENT] Add recipients hash checking. (#2481, #2478)\n\n## 1.15.1 / 2022-12-11\n\n* [BUGFIX] Fix domain alias lookup (#2455, #2453)\n* [BUGFIX] Fix vim invocation. (#2456, #2424)\n* [CLEANUP] Unhide fscopy and fsmove (#2444, #1831)\n* [ENHANCEMENT] Add DirName template (#2452)\n* [ENHANCEMENT] Add generate.symbols and generate.length (#2443, #2151)\n* [ENHANCEMENT] Add template docs (#2445, #1562)\n* [ENHANCEMENT] Document supported secret formats. (#2439, #1585)\n* [ENHANCEMENT] Pre-populate ID with git values (#2442, #968)\n* [ENHANCEMENT] Support german language in the password (#2454, #2451)\n\n## 1.15.0 / 2022-12-03\n\n* [BREAKING] New config format based on git config. (#2395, #1567, #1764, #1819, #1878, #2387, #2418)\n* [BUGFIX] Fix symlink deduplication. (#2437, #2402)\n* [ENHANCEMENT] Maintain secret structure when parsing (#2433, #2431)\n* [ENHANCEMENT] Retain recipients file format (#2432, #2430)\n\n### New config format: gitconfg\n\nGopass is getting a new config format based on the one use by git itself.\nThe new implementation is much more flexible and extensible and will allow us\nto more easily support new config options going forward. It does also support\na hierachy of configs. That means we can now support system wide defaults\nas well as per mount config options.\n\nThe system wide configuration gives package maintainers and admins of multi\nuser deployments the option to pre-set certain options to their liking.\n\n### New default secret format\n\nThe default secret format has been rewritten to replace two of the existing\nones (KV and Plain). The new format puts a strong emphasis on retaining the\ninput as close as possible. And small change that might be visible in some\ncorner cases is that every secret now contains a terminating new line.\n\n### Recipient files can now contain comments\n\nThe parsing of the recipients files (`.gpg-id`) has become more flexible and\ncan now contain comments. These will be retained when updating these files\nthrough gopass as well.\n\n## 1.14.11 / 2022-11-25\n\n* [BUGFIX] Fix edit on MacOS Ventura (#2426, #2400)\n* [BUGFIX] Handle nvi (#2414)\n* [BUGFIX] Improve support for non-vim editors (#2427, #2424)\n* [BUGFIX] Only pass vim options to vim (#2421, #2412)\n* [ENHANCEMENT] Support combined short flags (#2420, #2419)\n\n## 1.14.10 / 2022-11-09\n\n* [BUGFIX] Correctly handle key removal on Windows (#2372, #2371)\n* [DOCUMENTATION] (#1878)\n* [ENHANCEMENT] Ignore comments in recipient files. (#2394, #2393)\n* [ENHANCEMENT] Improve key expiration handling (#2383, #2369)\n* [ENHANCEMENT] allow re-encrypting entire directory when (#2373)\n\n## 1.14.9 / 2022-09-28\n\n* [ENHANCEMENT] Make DBus notifications transient (#2364, #2358)\n\n## 1.14.8 / 2022-09-27\n\n* [BUGFIX] Ignore not-existing .ssh dir (#2347, #2333)\n* [BUGFIX] Use Wait() to avoid Zombies (#2354, #1666)\n* [ENHANCEMENT] Allow modifying default create templates (#2349, #2291)\n* [ENHANCEMENT] Improve passage support (#2352, #2059)\n* [ENHANCEMENT] Use OS keychain for age passphrase caching (new config option, off by default). (#2351, #2350)\n\n## 1.14.7 / 2022-09-20\n\n* [BUGFIX] Do not ignore symlinks when listing (#2344, #2173)\n* [BUGFIX] Do not shadow entries behind folders. (#2341, #2338)\n* [BUGFIX] Fix updater on Windows. (#2345, #2011)\n* [BUGFIX] Handle Ctrl+C in TOTP (#2342, #2320)\n* [ENHANCEMENT] Set vim options instead of sniffing (#2343, #2317)\n\n## 1.14.6 / 2022-09-10\n\n* [BUGFIX] Do not show setup message on version (#2327)\n* [BUGFIX] Remove exported public keys of removed (#2328, #2315)\n* [ENHANCEMENT] Document extension model. (#2329, #2290)\n\n## 1.14.5 / 2022-09-03\n\n* [BUGFIX] Fix fsck progress bar. Mostly. (#2303)\n* [DOCUMENTATION] fix in recommended vim setting (#2318)\n\n## 1.14.4 / 2022-08-02\n\n* [BREAKING] gopass otp will automatically update the counter key in HTOP secrets! (#2278)\n* [BUGFIX] Allow removing unknown recipients with --force (#2253)\n* [BUGFIX] Honor PASSWORD_STORE_DIR (#2272)\n* [BUGFIX] Honor OTP key period from URL (#2278)\n* [BUGFIX] Wizard: Enforce min and max length. (#2293)\n* [CLEANUP] Use Go 1.19 (#2296)\n* [ENHANCEMENT] Automatically sync once a week (#2191)\n* [ENHANCEMENT] Scan for vulnerabilities and add SBOM on (#2268)\n* [ENHANCEMENT] Use packages.gopass.pw for APT packages (#2261)\n\n## 1.14.3 / 2022-05-31\n\n* [BUGFIX] Do not print progress bar on otp --clip (#2243)\n* [BUGFIX] Removing shadowing warning when using -o/--password (#2245)\n* [CLEANUP] Deprecate OutputIsRedirected in favour of IsTerminal (#2248)\n* [DOCUMENTATION] Adding doc about YAML entries and unsafe-keys (#2244)\n* [ENHANCEMENT] Allow deleting multiple secrets (#2239)\n\n## 1.14.2 / 2022-05-22\n\n* [BUGFIX] Fix gpg identity detection (#2218, #2179)\n* [BUGFIX] Handle different line breaks in recipient (#2221, #2220)\n* [BUGFIX] Stop eating secrets on move (#2211, #2210)\n* [ENHANCEMENT] Add flag to keep env variable capitalization (#2226, #2225)\n* [ENHANCEMENT] Environment variable GOPASS_PW_DEFAULT_LENGTH can be used to overwrite default password length of 24 characters. (#2219)\n\n## 1.14.1 / 2022-05-02\n\n* [BUGFIX] Do not print missing public key for age. (#2166)\n* [BUGFIX] Improve convert output (#2171)\n* [BUGFIX] fix errors in zsh completions (#2005)\n* [CLEANUP] Migrating to a maintained version of openpgp (#2193)\n* [ENHANCEMENT] Avoid decryption on move or copy (#2183, #2181)\n* [UX] Upgrade xkcdpwgen to a new version that removes German (#2187)\n\n## 1.14.0 / 2022-03-16\n\n* Add --chars option to print subset of secrets (#2155, #2068)\n* [BUGFIX] Always re-encrypt when fsck is invoked with --decrypt. (#2119, #2015)\n* [BUGFIX] Body only entries are detected now by show -o (#2109)\n* [BUGFIX] Do not hide git error messages (#2118, #1959)\n* [BUGFIX] Fix completion when password name contains (#2150)\n* [BUGFIX] Fix template func arg order (#2117, #2116)\n* [BUGFIX] Fixes an issue where recipients remove may fail (#2147, #1964)\n* [BUGFIX] Fixes an issue where recipients remove may fail (#2147, #1964)\n* [BUGFIX] Handle from prefix correctly on mv (#2110, #2079)\n* [BUGFIX] Handle unencoded secret on cat (#2105)\n* [BUGFIX] Make man page consistent with other docs (#2133)\n* [BUGFIX] Reject invalid salt with MD5Crypt templates (#2128)\n* [BUGFIX] depend *.deb on gnupg instead of dummy (#2050)\n* [CLEANUP] Deprecate gopasspw/pinentry (#2095)\n* [CLEANUP] Use Go 1.18 (#2156)\n* [CLEANUP] Use debug.ReadBuildInfo (#2032)\n* [DOCUMENTATION] Fixed link to passwordstore.org (#2129)\n* [DOCUMENTATION] document 'gopass cat' (#2051)\n* [DOCUMENTATION] improve 'gopass cat' (#2070)\n* [DOCUMENTATION] improve 'gopass show -revision -' (#2070)\n* [ENHANCEMENT] Add age subcommand (#2103, #2098)\n* [ENHANCEMENT] Add gopass audit --expiry (#2067)\n* [ENHANCEMENT] Add gopass process (#2066, #1913)\n* [ENHANCEMENT] Allow overriding GPG path (#2153)\n* [ENHANCEMENT] Automatically export creators key to the (#2159, #1919)\n* [ENHANCEMENT] Bump to Go 1.18 (#2058)\n* [ENHANCEMENT] Enforce TLSv1.3 (#2085)\n* [ENHANCEMENT] Generics (#2034, #2030)\n* [ENHANCEMENT] Hide password on MacOS clipboards (#2065)\n* [ENHANCEMENT] Passage compat improvements (#2060, #2060)\n* [ENHANCEMENT] gopass git invokes git directly (#2102)\n* [ENHANCEMENT] Template support for the create wizard (#2064)\n* [ENHANCENMENT] Check for MacOS Keychain storing the GPG (#2144)\n* [EXPERIMENTAL] Support the Fossil SCM (#2092, #2022)\n* [FEATURE] Add env variables for custom clipboard commands. (#2091, #2042)\n* [FEATURE] only accept keys with \"encryption\" key capability (#2047, #1917, #1917)\n* [TESTING] Improve two line test ambiguity. (#2091, #2042)\n* [TESTING] Use a helper to unset env vars in clipboard tests. (#2091, #2042)\n* [UX] OTP code now runs in loop until canceled or used with -o (#2041)\n\n## 1.13.1 / 2022-01-15\n\n* [BUGFIX] Handle from prefix correctly on mv (#2110, #2079)\n* [BUGFIX] Handle unencoded secret on cat\n\n## 1.13.0 / 2021-11-13\n\n* [BUGFIX] Do not print OTP progress bar if not in terminal (#2019)\n* [BUGFIX] Don't prompt to retype password unnecessarily (#1983)\n* [BUGFIX] Fix AutoClip handling on generate (#2024, #2023)\n* [BUGFIX] Replace Build Status badge in README (#2016)\n* [BUGFIX] The field 'parsing' is now honored with legacy config pre v1.12.7 (#1997)\n* [BUGFIX] Use default git branch on setup (#2026, #1945)\n* [ENHANCEMENT] Adding a MSI installer for Windows (#2001)\n* [ENHANCEMENT] Move password prompts to stderr (#2004)\n* [FEATURE] Add capitalized words to memorable passwords (#1985, #1984)\n* [UX] Use new progress bar for OTP expiry time (#2019)\n\n## 1.12.8 / 2021-08-28\n\n* [BUGFIX] Use same default for partial config files (#1968)\n* [CLEANUP] Remove GOPASS_NOCOLOR in favor of NO_COLOR (#1937, #1936)\n* [ENHACNEMENT] Add gopass merge (#1979, #1948)\n* [ENHANCEMENT] Add --symbols to gopass pwgen (#1966)\n* [ENHANCEMENT] Warn on untracked files (#1972)\n\n## 1.12.7 / 2021-07-02\n\n* DOCUMENTATION Fixed Single Line Formating for Clone Documentation (#1943)\n* [BUGFIX] Allow --strict to be chained with --symbols (#1952, #1941)\n* [BUGFIX] Normalize recipient IDs before comparison (#1953, #1900)\n* [BUGFIX] Use /tmp for GIT_SSH_COMMAND on Mac (#1951, #1896)\n* [ENHANCEMENT] Add warning when parsing content (#1950)\n\n## 1.12.6 / 2021-05-01\n\n* [BUGFIX] Do not recurse with a key (#1907, #1906)\n* [BUGFIX] Fix SSH control path (#1899, #1896)\n* [BUGFIX] Fix gopass env with subtrees (#1894, #1893)\n* [BUGFIX] Honor create -s flag (#1891)\n* [BUGFIX] Ignore commented values in gpg config (#1901, #1898)\n* [ENHANCEMENT] Add better usage instructions (#1912)\n\n## 1.12.5 / 2021-03-27\n\n* [BUGFIX] Allow subkeys (#1843, #1841, #1842)\n* [BUGFIX] Avoid logging credentials (#1886, #1883)\n* [BUGFIX] Fix SSH Command override on termux (#1881)\n* [CLEANUP] Moving pkg/pinentry to gopasspw/pinentry (#1876)\n* [ENHANCEMENT] Add -f flag to create (#1867, #1811)\n* [ENHANCEMENT] Add gopass ln (#1828)\n* [ENHANCEMENT] Add proper diff numbers on sync (#1882)\n* [ENHANCEMENT] Update password rules (#1861)\n\n## 1.12.4 / 2021-03-20\n\n* [BUGFIX] Bring back --yes (#1862, #1858)\n* [BUGFIX] Fix make install on BSD (#1859)\n\n## 1.12.3 / 2021-03-20\n\n* [BUGFIX] Fix generate -c (#1846, #1844)\n* [BUGFIX] Fix gopass update (#1838, #1837)\n* [BUGFIX] Fix progress bar on 32 bit archs (#1855, #1854)\n* [CLEANUP] Remove the custom formula in favour of the official one. (#1847)\n* [ENHANCEMENT] Install manpage when using `make install` (#1845)\n\n## 1.12.2 / 2021-03-13\n\n* [BUGFIX] Do not fail if reminder is unavailable (#1835, #1832)\n* [BUGFIX] Do not shadow directories (#1817, #1813)\n* [BUGFIX] Do not trigger ClamAV FP (#1810, #1807)\n* [BUGFIX] Fix -o (#1822)\n* [BUGFIX] Honor Ctrl+C while waiting for user input (#1805, #1800)\n* [ENHANCEMENT] Add gopass.1 man page (#1827, #1824)\n* [UX] Adding the grep command to --help (#1826, #1825)\n\n## 1.12.1 / 2021-02-17\n\n* [BUGFIX] Enable updater on Windows (#1790, #1789)\n* [BUGFIX] Fix progress bar nil pointer access (#1790, #1789)\n* [BUGFIX] Fix % char in passwords being treated as formatting (#1794, #1793, #1801)\n* [ENHANCEMENT] Add ARCHITECTURE.md (#1787)\n* [ENHANCEMENT] Added a env var to disable reminders (#1792)\n* [ENHANCEMENT] Remind to run gopass update/fsck/audit after 90d (#1792)\n\n## 1.12.0 / 2021-02-11\n\nWARNING: The self updater does not support updating from 1.11.0 to 1.12.0. Our\nrelease infrastructure does not support the key type used in 1.11.0.\n\nNOTE: This release drops the integrations that were moved to their own repos,\ni.e. `git-credential-gopass`, `gopass-hibp`, `gopass-jsonapi` and\n`gopass-summon-provider`.\n\nWe have implemented proper release signing and verification for the self\nupdater and brought it back.\n\n* [BUGFIX] Add signature verification for updater (#1717, #1676)\n* [BUGFIX] Allow using tilde (#1713, #872)\n* [BUGFIX] Always allow removing mounts (#1748, #1746)\n* [BUGFIX] Ask passphrase upon key generation (#1715, #1698)\n* [BUGFIX] Do not overwrite age keyring (#1734, #1678)\n* [BUGFIX] Remove empty parents on gopass rm -r (#1725, #1723)\n* [BUGFIX] The empty password must now be confirmed too (#1719)\n* [BUGFIX] Use the first GPG found in path on Windows (#1751, #1635)\n* [BUGFIX] Warn about --throw-keyids (#1759, #1756)\n* [BUGFIX] fixed mixed case keys for key-value, all keys are lower case now (#1778)\n* [CLEANUP] Remove migrated binaries (#1712, #1673, #1649, #1652, #1631, #1165, #1711, #1670, #1639)\n* [CLEANUP] Remove the ondisk backend (#1720)\n* [ENHANCEMENT] Add -A and -B to pwgen (#1716)\n* [ENHANCEMENT] Add Pinentry CLI fallback (#1697, #1655)\n* [ENHANCEMENT] Add REPL cmd lock (#1744)\n* [ENHANCEMENT] Add optional pinentry unescaping (#1621)\n* [ENHANCEMENT] Add tpl funcs for Bcrypt and Argon2 (#1706, #1689)\n* [ENHANCEMENT] Add windows support to the self updater (#1724, #1722)\n* [ENHANCEMENT] Confirm new age keyring passphrases (#1747)\n* [ENHANCEMENT] KV secrets are now key-values, supporting multiple same key with different values (#1741)\n* [ENHANCEMENT] UTF-8 emojis (#1715, #1698)\n* [ENHANCEMENT] Use gpgconf to the the gpg binary (#1758, #1757)\n* [ENHANCEMENT] Use main as the git default branch (#1749, #1742)\n* [ENHANCEMENT] Use persistent SSH connections (#1755)\n* [TESTING] Adding DI to Github Actions (#1728)\n\n## 1.11.0 / 2020-01-12\n\nThis is an important bugfix release that should resolve several outstanding\nissues and concerns. Since 1.10.0 was released was engaged in a lot of\ndiscussions and realized that compatibility is more important than we first\nthought. So we're rolling back some breaking changes and revise some parts of\nour roadmap. We will strive to remain compatible with other password store\nimplementations - but remember this is a goal, not a promise. This means we'll\ncontinue using compatible secrets formats as well as GPG and Git.\n\n* [BUGFIX] Allow secret names to have a colon in the name\n* [BUGFIX] Apply limit in list correctly\n* [BUGFIX] Correcting newlines handling\n* [BUGFIX] Correct missing padding to TOTP entry\n* [BUGFIX] Create cache folder if doesn't exist. Relevant\n* [BUGFIX] Disable gopass update\n* [BUGFIX] Disabling all kind of parsing of the input\n* [BUGFIX] Do not duplicate key password in K/V secrets\n* [BUGFIX] Do not search for new secrets\n* [BUGFIX] fixes gopass-jsonapi for MacTools GPGSuite users.\n* [BUGFIX] Fix legacy config parsing\n* [BUGFIX] fsck won't correct recipients without --decrypt\n* [BUGFIX] Insert is not resetting the pw now if a key:value pair is specified inline\n* [BUGFIX] Insert is now parsing its stdin input\n* [BUGFIX] Invalidate GPG key list after generation\n* [BUGFIX] List no longer uses the store size as its default depth\n* [BUGFIX] Nil dereference in cui\n* [BUGFIX] Pass arguments to a notification program\n* [BUGFIX] Password insert prompt now works on Windows but\n* [BUGFIX] Re-adding the global --yes flag\n* [BUGFIX] Remove GPG location caching\n* [BUGFIX] Restore path-removal from old config-format\n* [BUGFIX] Show now correctly handles -C and -u together\n* [BUGFIX] The deprecation warning is now output on stderr\n* [BUGFIX] Trim version prefix in jsonapi\n* [CLEANUP] Remove MIME\n* [CLEANUP] Remove the unfinished xc backend\n* [CLEANUP] Update to minio/v7\n* [DOCUMENTATION] Edited features.md\n* [DOCUMENTATION] Improve contributing guide.\n* [DOCUMENTATION] Slight updates to reflect the recent code\n* [ENHANCEMENT] Adding a trailing separator to the listed folders\n* [ENHANCEMENT] Adding the flag show -n to disable output parsing\n* [ENHANCEMENT] Adding the option parsing to disable all parsing\n* [ENHANCEMENT] fsck now detects leftover Mime secrets\n* [ENHANCEMENT] Full windows support\n* [ENHANCEMENT] Prompt for edit search result\n* [ENHANCEMENT] Re-introduce gopass -c\n* [ENHANCEMENT] Show GPG --gen-key error to the user\n* [ENHANCEMENT] This is required when using e.g. Gnome Keyring.\n* [ENHANCEMENT] Use 32 byte salt by default\n* [UX] Preserve content across retries\n\n## 1.10.1\n\n* [BUGFIX] Fix the Makefile\n* [BUGFIX] Remove misleading config error message\n* [BUGFIX] Re-use existing root store\n* [BUGFIX] Use standard Unix directories on MacOS\n\n## 1.10.0\n\nWARNING: This release contains a few breaking changes as well as necessary\npackaging changes.\n\nThis release is building the foundation for an eventual 2.0 release\nwhich will drop many legacy features and significantly shrink the\ncodebase to ensure long term maintainability. The goal is to remove\nthe support for multiple backends and any external dependencies,\nincluding `git` and `gpg` binaries. By default the tool should be easy to use,\nsecure and modern. We will still support our flagship use cases,\nlike working in teams. Also gopass might eventually move to an\nfully encrypted backend where we don't leak information through\nfilenames.\n\nAny gopass 1.x release should still be compatible with any\npassword store implementation (possibly with some caveats).\nBeyond that we plan to drop any compatibility goals.\n\nIf you are using different Password Store implementations to access your\nsecrets, e.g. on mobile devices, you might want to run `gopass config mime false`\nbefore performing any kind of write operation on the password store. Otherwise\nmutated secrets will be written using the new native gopass MIME format and\nmight not be readable from other implementations.\n\nThis release adds documentation for all supported subcommands in the `docs/commands`\nfolder and starts define our core use cases in the `docs/usecases` folder.\nPlease note that the command documentation also serves as a specification on\nhow these commands are supposed to operate.\n\nNote: We have accumulated too many changes so we've decided to skip the 1.9.3\nrelease and issue the first release of the 1.10. series.\n\nNote to package maintainers: This release adds additional binaries which should\nbe included in any binary re-distribution of gopass.\n\n* [BREAKING] New secrets format\n* [BUGFIX] Allow deleting shadowed secret\n* [BUGFIX] Correctly handle exportkeys and auto import for noop\n* [BUGFIX] Do not allow malformed secrets\n* [BUGFIX] Do not return error on no grep matches\n* [BUGFIX] Fix config panic with mounts\n* [BUGFIX] Fix fsck progress bar.\n* [BUGFIX] Fix git init\n* [BUGFIX] Fix optional key passed through find\n* [BUGFIX] Fix tree shadowing.\n* [BUGFIX] Handle relative path during init\n* [BUGFIX] Honor generate --print\n* [BUGFIX] Honor trust level during onboarding.\n* [BUGFIX] Print RCS error message\n* [BUGFIX] Print config parse error to STDERR\n* [BUGFIX] Properly initialize crypto during onboarding and\n* [BUGFIX] env command: do not crash if called without a command to execute\n* [CLEANUP] Merge Storage and RCS backends\n* [CLEANUP] Move internal packages to internal\n* [CLEANUP] Remove autoclip for gopass show\n* [CLEANUP] Remove config option confirm\n* [CLEANUP] Remove curses UI\n* [CLEANUP] Remove the --sync flag to gopass show\n* [CLEANUP] Rename --force to --unsafe for show\n* [CLEANUP] Rename xkcd generator options\n* [DEPRECATION] Mark gopass git as deprecated\n* [DEPRECATION] Remove AutoPrint\n* [DEPRECATION] Remove askformore, autosync\n* [DEPRECATION] Retire editrecipients option\n* [DOCUMENTATION] Document audit, generate, insert and show\n* [DOCUMENTATION] Document list flags\n* [DOCUMENTATION] Improve documentation of Zsh completion setup\n* [ENHANCEMENT] Add GOPASS_DISABLE_MIME to disable new\n* [ENHANCEMENT] Add arm and arm64 binaries\n* [ENHANCEMENT] Add gopass API (unstable)\n* [ENHANCEMENT] Add regexp support to gopass grep\n* [ENHANCEMENT] Add zxcvbn password strength checker\n* [ENHANCEMENT] Avoid direct show on gopass search\n* [ENHANCEMENT] Cache gpg binary location\n* [ENHANCEMENT] Ignore binary secrets for audit\n* [ENHANCEMENT] Introduce --generator flag\n* [ENHANCEMENT] Introduce unsafe-keys\n* [ENHANCEMENT] Make audit report passwords not changed\n* [ENHANCEMENT] Make show --qr flag complementary\n* [ENHANCEMENT] New Debug package\n* [ENHANCEMENT] New progress bar\n* [ENHANCEMENT] Print password before sync\n* [ENHANCEMENT] Provide more helpful config parse errors\n* [ENHANCEMENT] Rewrite tree implementation\n* [ENHANCEMENT] Show recipients from subfolder id files\n* [ENHANCEMENT] Speed up gpg store init\n* [ENHANCEMENT] Support changing path with gopass config\n* [ENHANCEMENT] Support relative revisions for show\n* [ENHANCEMENT] Warn if vim might be leaking secrets\n* [ENHANCEMENT] env command: more tests\n* [FEATURE] Add Password Rules and Domain Alias support\n* [FEATURE] Add experimental backend converter\n* [FEATURE] Add remote config for ondisk storage\n* [FEATURE] Add remote sync support for the ondisk backend\n* [FEATURE] Add summon provider\n* [FEATURE] Pinentry API: support OPTION API call\n* [FEATURE] REPL\n* [TESTING] Add a test to detect shadowing issue with mount\n\n## 1.9.2 / 2020-05-13\n\n* [BUGFIX] Bring back the custom fish completion.\n* [BUGFIX] Disable AutoClip when redirecting stdout\n* [ENHANCEMENT] Create new sub stores in XDG compliant locations.\n\n## 1.9.1 / 2020-05-09\n\n* [BUGFIX] Do not copy to clipboard with -f\n* [BUGFIX] Encrypt parent directory if leaf node exists.\n* [BUGFIX] Fix -c and -C for default show action.\n* [BUGFIX] Hide git-credential store warning.\n* [BUGFIX] Honor notifications setting.\n* [BUGFIX] Simplify autoclip behavior\n* [DEPRECATION] Remove PASSWORD_STORE_DIR support\n* [ENHANCEMENT] Add exportkeys option.\n* [ENHANCEMENT] Add memorable password generator\n* [ENHANCEMENT] Add preliminary age encryption support.\n\n## 1.9.0 / 2020-05-01\n\n* [ENHANCEMENT] Proper windows support [#1295]\n* [ENHANCEMENT] Add pwgen subcommand [#1308]\n* [ENHANCEMENT] Only decrypt when needed [#1289]\n* [ENHANCEMENT] Full unattended password generation [#1259]\n* [ENHANCEMENT] Add -C flag [#1272]\n* [ENHANCEMENT] Migrate to urface/cli/v2 [#1276]\n* [ENHANCEMENT] Support Termux [#913]\n* [BUGFIX] Do not fail if nothing to commit [#1168, #1103]\n* [BUGFIX] Restore PASSWORD_STORE_DIR support [#1213]\n* [BUGFIX] Do not remove empty second line [#1235]\n* [BUGFIX] Do not disable color if no PAGER is available [#1244]\n* [BUGFIX] Do not overwrite entry when reading from STDIN [#1245]\n* [BUGFIX] Commit when using concurrency gt 1 [#1246]\n* [BUGFIX] Do not error out when listing a leaf node [#1300]\n* [BUGFIX] Do not overwrite config if PASSWORD_STORE_DIR is set [#1286]\n* [BUGFIX] Fix go get support [#1288]\n* [DEPRECATION] Remove Dockerfile [#1309]\n* [DEPRECATION] Remove Bintray [#1304]\n* [DEPRECATION] Deprecate OTP, Binary, YAML git-credentials and xc support [#1301]\n* [DEPRECATION] Remove support for OpenPGP (library), GoGit, Vault, Consul and encrypted configs [#1290, #1283, #1282, #1279]\n\n## 1.8.6 / 2019-07-26\n\n* [ENHANCEMENT] Add --password to otp command [#1150]\n* [ENHANCEMENT] Support adding key values with colons [#1128]\n* [BUGFIX] Allow overwriting directories with --force [#1149]\n* [BUGFIX] Sort list of stores when adding recipients [#1144]\n* [BUGFIX] Sort recipients by Name not by ID [#1143]\n* [BUGFIX] Handle slashes in recipient names [#1139]\n\n## 1.8.5 / 2019-03-03\n\n* [ENHANCEMENT] Improve template handling [#1029]\n* [ENHANCEMENT] Remove empty directories [#1009]\n* [ENHANCEMENT] Improve performance of unclip [#923]\n* [ENHANCEMENT] Add AutoPrint option [#1065]\n* [ENHANCEMENT] Follow the rsync convention for cp/mv commands [#1055]\n* [BUGFIX] Fix bash completion for MSYS on Windows [#1053]\n* [BUGFIX] Git clone failing [#1036]\n\n## 1.8.4 / 2018-12-26\n\n* [ENHANCEMENT] Evaluate templates when inserting single secrets [#1023]\n* [ENHANCEMENT] Add fuzzy search dialog for gopass otp [#1021]\n* [ENHANCEMENT] Add edit option to search dialog [#1019]\n* [ENHANCEMENT] Introduce build tags for experimental features [#1000]\n* [BUGFIX] Fix recursive delete [#1024]\n* [BUGFIX] Abort tests on critical failures [#997]\n* [BUGFIX] Zsh autocompletion [#996]\n\n## 1.8.3 / 2018-11-19\n\n* [ENHANCEMENT] Add zsh autocompletion for insert and generate [#988]\n* [ENHANCEMENT] Set exit code for filtered ls without result [#983]\n* [ENHANCEMENT] Improve generate command [#948]\n* [ENHANCEMENT] Print summary for grep [#943]\n* [ENHANCEMENT] Documentation updates [#924, #890, #918, #919, #920, #944, #952, #958, #969, #985]\n* [ENHANCEMENT] jsonapi: Add windows support for configure [#904]\n* [ENHANCEMENT] jsonapi: Add getVersion [#893]\n* [ENHANCEMENT] Support symlinks for fs storage backend [#886]\n* [BUGFIX] Offer store selection with exactly one mount point as well [#987]\n* [BUGFIX] Edit entry selected by fuzzy search [#979]\n* [BUGFIX] Fix path handling on windows [#970]\n* [BUGFIX] Remove quotes [#967]\n* [BUGFIX] Properly handle git add for removed files [#946]\n* [BUGFIX] HAndle already mounted and not initialized errors [#945]\n* [BUGFIX] Fix HIBP command options [#936]\n* [BUGFIX] Offer secret selection on edit command [#929]\n* [BUGFIX] jsonapi: add initialize [#903]\n* [BUGFIX] Update external dependencies [#884, #932, #981]\n* [BUGFIX] Use valid crypto backend for key selection [#889]\n\n## 1.8.2 / 2018-06-28\n\n* [ENHANCEMENT] Improve fsck output [#859]\n* [ENHANCEMENT] Enable notifications on FreeBSD [#863]\n* [ENHANCEMENT] Redirect errors to stderr [#880]\n* [ENHANCEMENT] Do not writer version to config [#883]\n* [BUGFIX] Fix commit on move [#860]\n* [BUGFIX] Properly check store initialization [#865]\n\n## 1.8.1 / 2018-06-08\n\n* [BUGFIX] Trim fsck path [#856]\n* [BUGFIX] Handle URL parse errors in create [#855]\n\n## 1.8.0 / 2018-06-06\n\nThis release includes several possibly breaking changes.\nThe `gopass move` implementation was refactored to properly support moving\nentries and subtrees across mount points. This may change the behaviour slightly.\nAlso the build flags were changed to build PIE binaries. This should not affect\nthe runtime behaviour, but we could not test this on all platforms, yet.\n\n* [BREAKING] Make move work recursively and across stores [#821]\n* [FEATURE] Add git credential caching [#743]\n* [FEATURE] Add local recipient integrity checks [#800 #826]\n* [ENHANCEMENT] Handle key-value pairs on generate and insert [#790]\n* [ENHANCEMENT] Add gpg.listKeys caching [#804]\n* [ENHANCEMENT] Add append mode for gopass insert [#807]\n* [ENHANCEMENT] Support external password generators [#811]\n* [ENHANCEMENT] Add gopass generate completion heuristic [#817]\n* [ENHANCEMENT] Add revive linter checks [#822]\n* [ENHANCEMENT] Remove -static build flag, enable CGO and -buildmode=PIE [#823]\n* [ENHANCEMENT] Warn if RCS backend is noop during gopass sync [#825]\n* [ENHANCEMENT] Support for special password rules on generate [#832]\n* [ENHANCEMENT] Improve create wizard [#842]\n* [ENHANCEMENT] Honor templates on generate [#847]\n* [ENHANCEMENT] Support NO_COLOR [#851]\n* [BUGFIX] Reset clipboard timer on repeated copy [#813]\n* [BUGFIX] Add --force to git add invocation [#839]\n* [BUGFIX] Rename updater GitHub Organisation [#818]\n* [BUGFIX] Default to origin master for git pull [#819]\n* [BUGFIX] Properly propagate RCS backend on gopass clone [#820]\n* [BUGFIX] Fix sub store config propagation [#837 #841]\n* [BUGFIX] Use default for password store dir [#846]\n* [BUGFIX] Properly handle autosync on recipients save [#848]\n* [BUGFIX] Resolve key IDs to fingerprints before adding or removing [#850]\n\n## 1.7.2 / 2018-05-28\n\n* [BUGFIX] Fix tilde expansion [#802]\n\n## 1.7.1 / 2018-05-25\n\n* [BUGFIX] Add nogit compat handler [#792]\n* [BUGFIX] Fix reencrypt [#796]\n\n## 1.7.0 / 2018-05-22\n\n* [FEATURE] Pluggable crypto, storage and RCS backends. Including a pure-Go NaCl based crypto backend [#645] [#680] [#736] [#777]\n* [FEATURE] Password history [#660]\n* [FEATURE] Vault backend [#723] [#730]\n* [FEATURE] Consul backend [#697]\n* [FEATURE] HIBPv2 Dump and API support [#666] [#706]\n* [FEATURE] Select recipients per secret [#703]\n* [FEATURE] Add experimental OpenPGP crypto backend [#670]\n* [ENHANCEMENT] Support HIBPv2 API and Dumps [#666]\n* [ENHANCEMENT] Robust K/V parser with YAML fallback [#659]\n* [ENHANCEMENT] Restrict fsck to given path [#721]\n* [ENHANCEMENT] Refactor [#702] [#708] [#715] [#722] [#731]\n* [ENHANCEMENT] Proper Makefile dependencies [#707]\n* [ENHANCEMENT] Auto-copy with safecontent [#685]\n* [ENHANCEMENT] Add disable notifications option [#690]\n* [ENHANCEMENT] Migrate from govendor to dep [#688]\n* [ENHANCEMENT] Improve test coverage [#732] [#781] [#782]\n* [ENHANCEMENT] Improvate YAML handling [#739]\n* [ENHANCEMENT] Audit freshly generated passwords [#761]\n* [BUGFIX] Use sh instead of bash [#699]\n* [BUGFIX] Lookup correct remote for current branch [#692]\n* [BUGFIX] Fix GPG binary detection on Windows [#681] [#693]\n* [BUGFIX] Version [#727]\n* [BUGFIX] Git init [#729]\n* [BUGFIX] Secret.String() [#738]\n* [BUGFIX] Fix generate --symbols [#742] [#783]\n\n## 1.6.11 / 2018-02-20\n\n* [ENHANCEMENT] Documentation updates [#648] [#656]\n* [ENHANCEMENT] Add secret completions to edit command in zsh [#654]\n* [BUGFIX] Avoid escaping values added to secrets [#658]\n* [BUGFIX] Fix parsing of GPG UIDs [#650]\n\n## 1.6.10 / 2018-01-18\n\n* [ENHANCEMENT] Add Travis MacOS builds [#618]\n* [ENHANCEMENT] Make gopass build on DragonFlyBSD [#619]\n* [ENHANCEMENT] Increase test coverage [#621] [#622] [#624]\n* [BUGFIX] Properly handle sub-store configuration [#625]\n* [BUGFIX] Fix Makefile [#615] [#617]\n* [BUGFIX] Fix failing tests on MacOS [#614]\n\n## 1.6.9 / 2018-01-05\n\n* [BUGFIX] Fix update URL check [#610]\n\n## 1.6.8 / 2018-01-05\n\n* [ENHANCEMENT] Add OpenBSD Ksh completion [#586]\n* [ENHANCEMENT] Increase test coverage [#589] [#590] [#592] [#595] [#596] [#597] [#601] [#602] [#603] [#604]\n* [ENHANCEMENT] Update Documentation and Dockerfile [#591] [#605]\n* [BUGFIX] Use Termwiz CUI on OpenBSD [#588]\n* [BUGFIX] Fix create wizard [#594]\n* [BUGFIX] Use persistent bufio.Reader [#607]\n\n## 1.6.7 / 2017-12-31\n\n* [ENHANCEMENT] Add --sync flag to gopass show [#544]\n* [ENHANCEMENT] Update dependencies [#547]\n* [ENHANCEMENT] Use gocui for terminal UI [#562]\n* [ENHANCEMENT] Increase test coverage [#548] [#549] [#567] [#568] [#570] [#572] [#574] [#575] [#577] [#578] [#583] [#584]\n* [ENHANCEMENT] Add Dockerfile [#561]\n* [ENHANCEMENT] Add zsh and fish completion generator [#565]\n* [ENHANCEMENT] Add go-fuzz instrumentation [#576]\n* [BUGFIX] Catch URL parse errors [#546]\n\n## 1.6.6 / 2017-12-20\n\n* [FEATURE] Selective Sync [#538]\n* [ENHANCEMENT] Make termwiz honor copy flag [#534]\n* [ENHANCEMENT] Make shell completion respect binary name [#536]\n* [ENHANCEMENT] Refactor [#533] [#540] [#541] [#542]\n* [BUGFIX] Show git output [#529]\n\n## 1.6.5 / 2017-12-15\n\n* [ENHANCEMENT] Handle errors gracefully [#524]\n* [BUGFIX] Follow symlinks [#519]\n* [BUGFIX] Improve GPG binary detection [#520] [#522]\n\n## 1.6.4 / 2017-12-13\n\n* [ENHANCEMENT] Support desktop notifications on Mac and Windows [#513]\n* [BUGFIX] Fix slice out of bounds error [#517]\n* [BUGFIX] Allow .password-store to be a symlink [#516]\n* [BUGFIX] Respect --store flag to git sub command [#512]\n\n## 1.6.3 / 2017-12-12\n\n* [ENHANCEMENT] Avoid altering YAML secrets unless necessary [#508]\n* [ENHANCEMENT] Documentation updates [#493] [#509]\n* [ENHANCEMENT] Abort if no GPG binary was found [#506]\n* [ENHANCEMENT] Support GOPASS_GPG_OPTS and GOPASS_UMASK [#504]\n* [BUGFIX] Create .gpg-keys if it does not exist [#507]\n\n## 1.6.2 / 2017-12-02\n\n* [FEATURE] Add gopass fix command [#471]\n* [ENHANCEMENT] Add pledge support on OpenBSD [#469]\n* [ENHANCEMENT] Improve no clipboard warning [#484]\n* [BUGFIX] Allow OTP entry in password field [#467]\n* [BUGFIX] Default to vi if no other editor is available [#479]\n* [BUGFIX] Avoid auto-search running non-interactively [#483]\n\n## 1.6.1 / 2017-11-15\n\n* [FEATURE] Add generic OTP action [#440]\n* [ENHANCEMENT] Ignore any secret that does not end with .gpg [#461]\n* [ENHANCEMENT] Add option to display only the password [#455]\n* [ENHANCEMENT] Disable fuzzy search for gopass find [#454]\n* [BUGFIX] Fix .gpg-id selection for sub folders [#465]\n* [BUGFIX] Set gpg.program if possible [#464]\n* [BUGFIX] Allow access to secrets shadowed by a folder [#463]\n* [BUGFIX] Set GPG_TTY [#452]\n* [BUGFIX] Fix termbox UI on OpenBSD [#446]\n* [BUGFIX] Fix tests and paths on Windows [#421] [#431] [#442] [#450]\n\n## 1.6.0 / 2017-11-03\n\n* [FEATURE] Add Desktop notifications (Linux/DBus only) [#434] [#435]\n* [ENHANCEMENT] Show public key identities before importing [#427]\n* [ENHANCEMENT] Initialize local git config on gopass clone [#429]\n* [ENHANCEMENT] Do not print generated passwords by default [#430]\n* [ENHANCEMENT] Clear KDE Klipper History on clipboard clearing [#434]\n* [ENHANCEMENT] Refactor git backend [#437]\n* [BUGFIX] Fix recipients remove when using email as identifier [#436]\n\n## 1.5.1 / 2017-10-25\n\n* [ENHANCEMENT] Re-introduce usecolor config option [#414]\n* [ENHANCEMENT] Improve documentation [#407] [#409] [#416] [#417]\n* [ENHANCEMENT] Add language switch for xckd-style generation [#406]\n* [BUGFIX] Fix GPG binary detection [#419]\n* [BUGFIX] Fix tests on windows [#421]\n\n## 1.5.0 / 2017-10-17\n\n* [FEATURE] Add secret creation wizard [#386]\n* [FEATURE] Add onboarding wizard [#387]\n* [FEATURE] Wizard for recipients add/remove [#359]\n* [FEATURE] XKCD#936 inspired password generation [#368]\n* [FEATURE] Add update wizard [#395]\n* [ENHANCEMENT] Overhaul documentation [#383] [#384]\n* [ENHANCEMENT] Attempt to get TOTP key from YAML [#376]\n* [ENHANCEMENT] Allow find to take -c [#378]\n* [ENHANCEMENT] Improve terminal wizard [#385]\n* [ENHANCEMENT] Improve responsiveness by context usage [#388]\n* [ENHANCEMENT] Improve output readability [#392] [#393]\n* [ENHANCEMENT] Automatic GPG key generation [#391]\n* [BUGFIX] Relax YAML document marker handling [#398]\n\n## 1.4.1 / 2017-10-05\n\n* [BUGFIX] Support pre-1.3.0 configs [#382]\n* [BUGFIX] Turn YAML errors into warnings [#380]\n\n## 1.4.0 / 2017-10-04\n\n* [FEATURE] Add fuzzy search [#317]\n* [FEATURE] Allow restricting charset of generated passwords [#270]\n* [FEATURE] Check quality of newly inserted passwords with crunchy [#276]\n* [FEATURE] JSON API [#326]\n* [FEATURE] Per-Mount configuration options [#330]\n* [FEATURE] Terminal selection of results [#259]\n* [FEATURE] gopass sync [#303]\n* [ENHANCEMENT] Build with Go 1.9 [#294]\n* [ENHANCEMENT] Display single find result directly [#265]\n* [ENHANCEMENT] Global --yes flag [#327]\n* [ENHANCEMENT] Improve error handling and propagation [#280]\n* [ENHANCEMENT] Omit newline when not writing to a terminal [#325]\n* [ENHANCEMENT] Only commit once per recipient batch operation [#329]\n* [ENHANCEMENT] Provide partial support for .gpg-id files in sub folders [#291]\n* [ENHANCEMENT] Trim any trailing newlines or carriage returns in show output [#296]\n* [ENHANCEMENT] Use contexts [#310]\n* [ENHANCEMENT] Use contexts to cancel long running operations [#358]\n* [ENHANCEMENT] Use default editors [#286]\n* [ENHANCEMENT] Improve documentation [#365]\n* [ENHANCEMENT] Print selected entry [#372]\n* [BUGFIX] Confirm removal of directories [#309]\n* [BUGFIX] Only confirm recipients once during batch operations [#328]\n* [BUGFIX] Only overwrite password on insert [#323]\n* [BUGFIX] Avoid Show/Find recursion [#360]\n* [BUGFIX] Remove deprecated special case for .yaml files [#362]\n* [BUGFIX] Do not offer invalid keys [#364]\n* [BUGFIX] Assign path only if resolving symlink succeeds [#370]\n\n## 1.3.2 / 2017-08-22\n\n* [BUGFIX] Fix git version output [#274]\n\n## 1.3.1 / 2017-08-15\n\n* [BUGFIX] Enable AutoSync by default [#267]\n* [BUGFIX] git - do not abort if a store has no remote [#261]\n* [BUGFIX] Fix IFS in bash completion [#268]\n\n## 1.3.0 / 2017-08-11\n\n* [BREAKING] Enforce YAML document markers [#193]\n* [BREAKING] Simplify configuration [#213]\n* [BREAKING] Align gopass init flags with other commands [#252]\n* [FEATURE] Implement pager feature [#163]\n* [FEATURE] Add basic fish completion [#168]\n* [FEATURE] Add version check [#205]\n* [FEATURE] Add gopass audit command [#228]\n* [FEATURE] Add gopass audit hibp command [#239]\n* [ENHANCEMENT] Disable auto-push while re-encrypting [#171]\n* [ENHANCEMENT] Configure git user and email before initial git commit [#185]\n* [ENHANCEMENT] Add recursive git operations [#186]\n* [ENHANCEMENT] Document missing config options [#188]\n* [ENHANCEMENT] Only check and load missing GPG keys after git pull [#190]\n* [ENHANCEMENT] Only encrypt for valid recipients [#191]\n* [ENHANCEMENT] Check and import missing GPG keys on recipients show [#204]\n* [ENHANCEMENT] Save recipients on show [#207]\n* [ENHANCEMENT] Include GPG and Git version in gopass version output [#210]\n* [ENHANCEMENT] Support more flexible YAML documents [#217]\n* [ENHANCEMENT] Simplify mounts add by inferring local path [#219]\n* [ENHANCEMENT] Add contributor documentation [#222]\n* [ENHANCEMENT] Re-use selected encryption key for git signing [#247]\n* [ENHANCEMENT] Setup git push.default [#248]\n* [BUGFIX] Fix nil-pointer check on non existing sub tree [#183]\n* [BUGFIX] Fix load-keys [#203]\n* [BUGFIX] Only match mounts on folders [#240]\n* [BUGFIX] Disable checkRecipients as it conflicts with alwaysTrust [#242]\n\n## 1.2.0 / 2017-06-21\n\n* [FEATURE] YAML support [#125]\n* [FEATURE] Binary support [#136]\n* [ENHANCEMENT] Increase test coverage [#160]\n* [ENHANCEMENT] Use secure temporary storage on MacOS [#144]\n* [ENHANCEMENT] Use goreleaser [#151]\n* [BUGFIX] Fix git invocation [#140]\n* [BUGFIX] Fix missing recipients on init [#141]\n* [BUGFIX] Fix sorting of mount points [#148]\n\n## 1.1.2 / 2017-06-14\n\n* [BUGFIX] Fix gopass init --store [#129]\n* [BUGFIX] Fix gopass init [#127]\n\n## 1.1.1 / 2017-06-13\n\n* [ENHANCEMENT] Allow files and folders with the same name [#124]\n* [ENHANCEMENT] Improve error messages [#121]\n* [ENHANCEMENT] Add rm aliases to remove commands [#119]\n* [BUGFIX] Several bug fixes for multi-repository handling [#123]\n\n## 1.1.0 / 2017-05-31\n\n* [FEATURE] Support templates [#1]\n* [FEATURE] QR Code output [#64]\n* [ENHANCEMENT] If entry was not found start search [#109]\n* [ENHANCEMENT] Do not write color codes unless terminal [#111]\n* [ENHANCEMENT] Make find compare case insensitive [#108]\n* [ENHANCEMENT] Enforce UNIX style line endings [#105]\n* [ENHANCEMENT] Use XDG_CONFIG_HOME [#67]\n* [ENHANCEMENT] Support symlinks [#41]\n* [ENHANCEMENT] Add nocolor config flag [#33]\n* [ENHANCEMENT] Accept args for editor [#30]\n* [BUGFIX] Build fixes for Windows [#14]\n\n## 1.0.2 / 2017-03-24\n\n* [ENHANCEMENT] Improve mounts and init commands [#87]\n* [ENHANCEMENT] Document behavior of `-c` [#82]\n* [ENHANCEMENT] Pass custom arguments to dmenu completion [#72]\n* [ENHANCEMENT] Build with Go 1.8 [#65]\n* [BUGFIX] Improve recursive deletes [#55]\n* [BUGFIX] Bypass prompts on gopass insert --force [#66]\n* [BUGFIX] Able to store secrets, but with errors [#13]\n* [BUGFIX] Don't prompt if input from stdin [#58]\n* [BUGFIX] Git add fails to \"add\" removed files [#57]\n\n## 1.0.1 / 2017-02-13\n\n* [FEATURE] Add dmenu support [#47]\n* [ENHANCEMENT] Extend GOPASS_DEBUG coverage [#31]\n* [ENHANCEMENT] Accept args for editor [#30]\n* [ENHANCEMENT] Use gpg2 if available [#9]\n* [BUGFIX] Fix git error handling in saveRecipients [#32]\n* [BUGFIX] Check if ExpirationDate is set [#28]\n* [BUGFIX] Change user.signkey to user.signingkey [#26]\n* [BUGFIX] Only copy the first line to the clipboard [#21]\n* [BUGFIX] Add search alias to find [#8]\n\n## 1.0.0 / 2017-02-02\n\n* [ENHANCEMENT] Support mounted sub-stores\n* [ENHANCEMENT] git auto-push and auto-pull\n* [ENHANCEMENT] git-style config editing\n* [ENHANCEMENT] Simplified recipient management\n* [ENHANCEMENT] Interactive questions for missing parameters\n" }, { "path": "CONTRIBUTING.md", "content": "# Contributing\n\n`gopass` uses GitHub to manage reviews of pull requests.\n\n* If you are a new contributor see: [Steps to Contribute](#steps-to-contribute)\n\n* If you have a trivial fix or improvement, go ahead and create a pull request.\n\n* If you plan to do something more involved, first raise an issue to discuss\n your idea. This will avoid unnecessary work.\n\n* Relevant coding style guidelines are the [Go Code Review Comments](https://code.google.com/p/go-wiki/wiki/CodeReviewComments)\n and the _Formatting and style_ section of Peter Bourgon's [Go: Best Practices for Production Environments](http://peter.bourgon.org/go-in-production/#formatting-and-style).\n\n## Steps to Contribute\n\nShould you wish to work on an issue, please claim it first by commenting on the GitHub issue you want to work on it.\nThis will prevent duplicated efforts from contributors.\n\nPlease check the [`help-wanted`](https://github.com/gopasspw/gopass/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22) label to find issues that need help.\nIf you have questions about one of the issues please comment on them and one of the maintainers\nwill try to clarify it.\n\n## Pull Request Checklist\n\n* Use that [latest stable Go release](https://golang.org/dl/)\n\n* Branch from master and, if needed, rebase to the current master branch before submitting your pull request.\n If it doesn't merge cleanly with master you will be asked to rebase your changes.\n\n* Commits should be as small as possible, while ensuring that each commit is correct independently.\n\n* Add tests relevant to the fixed bug or new feature.\n\n* Commit messages must contain [Developer Certificate of Origin](https://developercertificate.org/) / `Signed-off-by` line, for example:\n\n One line description of commit\n\n More detailed description of commit, if needed.\n\n Signed-off-by: Your Name \n\n* The first line of the commit message, the subject line, should be prefix with a tag indicating the type of the change. These tags will be extracted and used to populate the changelog.\n Valid `[TAG]`s are `[BREAKING]`, `[BUGFIX]`, `[CLEANUP]`, `[DEPRECATION]`,\n `[DOCUMENTATION]`, `[ENHANCEMENT]`, `[FEATURE]`, `[TESTING]`, and `[UX]`.\n\n## Building & Testing\n\n* Build via `go build` to create the binary file `./gopass`.\n* Run unit tests with: `make test`\n* Run meta tests with: `make codequality`\n* Run integration tests `make test-integration`\n\nIf any of the above don't work check out the [troubleshooting section](#troubleshooting-build).\n\n## Releasing\n\nSee [docs/releases.md](docs/releases.md).\n\n" }, { "path": "Dockerfile", "content": "FROM docker.io/library/golang:1.25-alpine@sha256:b6ed3fd0452c0e9bcdef5597f29cc1418f61672e9d3a2f55bf02e7222c014abd AS build-env\n\nENV CGO_ENABLED=0\n\nRUN apk add --no-cache make git ncurses\n\n# Build gopass\nWORKDIR /home/runner/work/gopass/gopass\n\nCOPY go.mod .\nCOPY go.sum .\nRUN go mod download\n\nCOPY . .\n\nARG goflags_arg=\"\"\nENV GOFLAGS=$goflags_arg\n\nRUN make clean\nRUN make gopass\n\n# Build gopass-jsonapi\nWORKDIR /home/runner/work/gopass\n\nRUN git clone https://github.com/gopasspw/gopass-jsonapi.git\n\nWORKDIR /home/runner/work/gopass/gopass-jsonapi\nRUN go mod download\nRUN make clean\nRUN make gopass-jsonapi\n\n# Build gopass-hibp\nWORKDIR /home/runner/work/gopass\n\nRUN git clone https://github.com/gopasspw/gopass-hibp.git\n\nWORKDIR /home/runner/work/gopass/gopass-hibp\nRUN go mod download\nRUN make clean\nRUN make gopass-hibp\n\n# Build gopass-summon-provider\nWORKDIR /home/runner/work/gopass\n\nRUN git clone https://github.com/gopasspw/gopass-summon-provider.git\n\nWORKDIR /home/runner/work/gopass/gopass-summon-provider\nRUN go mod download\nRUN make clean\nRUN make gopass-summon-provider\n\n# Build git-credential-gopass\nWORKDIR /home/runner/work/gopass\n\nRUN git clone https://github.com/gopasspw/git-credential-gopass.git\n\nWORKDIR /home/runner/work/gopass/git-credential-gopass\nRUN go mod download\nRUN make clean\nRUN make git-credential-gopass\n\nFROM docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1\nRUN apk add --no-cache ca-certificates git gnupg\nCOPY --from=build-env /home/runner/work/gopass/gopass/gopass /usr/local/bin/\nCOPY --from=build-env /home/runner/work/gopass/gopass-jsonapi/gopass-jsonapi /usr/local/bin/\nCOPY --from=build-env /home/runner/work/gopass/gopass-hibp/gopass-hibp /usr/local/bin/\nCOPY --from=build-env /home/runner/work/gopass/gopass-summon-provider/gopass-summon-provider /usr/local/bin/\nCOPY --from=build-env /home/runner/work/gopass/git-credential-gopass/git-credential-gopass /usr/local/bin/\n" }, { "path": "GOVERNANCE.md", "content": "# gopass project governance\n\n## Overview\n\nThe gopass project uses a governance model commonly described as Benevolent\nDictator For Life (BDFL). This document outlines our understanding of what this\nmeans. It is derived from the [i3 window manager project\ngovernance](https://raw.githubusercontent.com/i3/i3/next/.github/GOVERNANCE.md). \n\n## Roles\n\n* user: anyone who interacts with the gopass project\n* core contributor: a handful of people who have contributed significantly to\n the project by any means (issue triage, support, documentation, code, etc.).\n Core contributors are recognizable via GitHubā€™s ā€œMemberā€ badge.\n* Benevolent Dictator For Life (BDFL): a single individual who makes decisions\n when consensus cannot be reached. gopassā€™s current BDFL is [@dominikschulz](https://github.com/dominikschulz).\n\n## Decision making process\n\nIn general, we try to reach consensus in discussions. In case consensus cannot\nbe reached, the BDFL makes a decision.\n\n## Contribution process\n\nPlease see [CONTRIBUTING](CONTRIBUTING.md).\n" }, { "path": "LICENSE", "content": "The MIT License (MIT)\n\nCopyright 2017 JustWatch GmbH\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n" }, { "path": "Makefile", "content": "FIRST_GOPATH := $(firstword $(subst :, ,$(GOPATH)))\nPKGS := $(shell go list ./... | grep -v /tests | grep -v /xcpb | grep -v /gpb)\nGOFILES_NOVENDOR := $(shell find . -name vendor -prune -o -type f -name '*.go' -not -name '*.pb.go' -print)\nGOFILES_BUILD := $(shell find . -type f -name '*.go' -not -name '*_test.go')\nGOPASS_VERSION ?= $(shell cat VERSION)\nGOPASS_OUTPUT ?= gopass\nGOPASS_REVISION := $(shell cat COMMIT 2>/dev/null || git rev-parse --short=8 HEAD)\nBASH_COMPLETION_OUTPUT := bash.completion\nFISH_COMPLETION_OUTPUT := fish.completion\nZSH_COMPLETION_OUTPUT := zsh.completion\nCLIPHELPERS ?= \"\"\n# Support reproducible builds by embedding date according to SOURCE_DATE_EPOCH if present\nDATE := $(shell date -u -d \"@$(SOURCE_DATE_EPOCH)\" '+%FT%T%z' 2>/dev/null || date -u '+%FT%T%z')\nBUILDFLAGS_NOPIE := -buildvcs=true -tags=netgo -trimpath -ldflags=\"-s -w -X main.version=$(GOPASS_VERSION) -X main.commit=$(GOPASS_REVISION) -X main.date=$(DATE) $(CLIPHELPERS)\" -gcflags=\"-trimpath=$(GOPATH)\" -asmflags=\"-trimpath=$(GOPATH)\"\nBUILDFLAGS ?= $(BUILDFLAGS_NOPIE) -buildmode=pie\nTESTFLAGS ?=\nPWD := $(shell pwd)\nPREFIX ?= $(GOPATH)\nBINDIR ?= $(PREFIX)/bin\nGO ?= GO111MODULE=on CGO_ENABLED=0 go\nGOOS ?= $(shell $(GO) version | cut -d' ' -f4 | cut -d'/' -f1)\nGOARCH ?= $(shell $(GO) version | cut -d' ' -f4 | cut -d'/' -f2)\nTAGS ?= netgo\nexport GO111MODULE=on\n\nOK := $(shell tput setaf 6; echo ' [OK]'; tput sgr0;)\n\nall: sysinfo build\nbuild: $(GOPASS_OUTPUT)\ncompletion: $(BASH_COMPLETION_OUTPUT) $(FISH_COMPLETION_OUTPUT) $(ZSH_COMPLETION_OUTPUT)\ngha-linux: sysinfo licensecheck crosscompile build fulltest completion\ngha-osx: sysinfo build test completion\ngha-windows: sysinfo build test-win completion\n\nsysinfo:\n\t@echo \">> SYSTEM INFORMATION\"\n\t@echo -n \" PLATFORM : $(shell uname -a)\"\n\t@printf '%s\\n' '$(OK)'\n\t@echo -n \" PWD: : $(shell pwd)\"\n\t@printf '%s\\n' '$(OK)'\n\t@echo -n \" GO : $(shell $(GO) version)\"\n\t@printf '%s\\n' '$(OK)'\n\t@echo -n \" BUILDFLAGS : $(BUILDFLAGS)\"\n\t@printf '%s\\n' '$(OK)'\n\t@echo -n \" GIT : $(shell git version)\"\n\t@printf '%s\\n' '$(OK)'\n\t@echo -n \" GPG : $(shell which gpg) $(shell gpg --version | head -1)\"\n\t@printf '%s\\n' '$(OK)'\n\t@echo -n \" GPGAgent : $(shell which gpg-agent) $(shell gpg-agent --version | head -1)\"\n\t@printf '%s\\n' '$(OK)'\n\nclean:\n\t@echo -n \">> CLEAN\"\n\t@rm -rf vendor/\n\t@$(GO) clean -i ./...\n\t@rm -f ./coverage-all.html\n\t@rm -f ./coverage-all.out\n\t@rm -f ./coverage.out\n\t@find . -type f -name \"coverage.out\" -delete\n\t@rm -f gopass_*.deb\n\t@rm -f gopass-*.pkg.tar.xz\n\t@rm -f gopass-*.rpm\n\t@rm -f gopass-*.tar.bz2\n\t@rm -f gopass-*.tar.gz\n\t@rm -f gopass-*-*\n\t@rm -f tests/tests\n\t@rm -f *.test\n\t@rm -rf dist/*\n\t@printf '%s\\n' '$(OK)'\n\n$(GOPASS_OUTPUT): $(GOFILES_BUILD)\n\t@echo -n \">> BUILD, version = $(GOPASS_VERSION)/$(GOPASS_REVISION), output = $@\"\n\t@$(GO) build -o $@ $(BUILDFLAGS)\n\t@printf '%s\\n' '$(OK)'\n\ninstall: all install-completion install-man\n\t@echo -n \">> INSTALL, version = $(GOPASS_VERSION)\"\n\t@install -m 0755 -d $(DESTDIR)$(BINDIR)\n\t@install -m 0755 $(GOPASS_OUTPUT) $(DESTDIR)$(BINDIR)/gopass\n\t@printf '%s\\n' '$(OK)'\n\ninstall-completion:\n\t@install -d $(DESTDIR)$(PREFIX)/share/zsh/site-functions $(DESTDIR)$(PREFIX)/share/bash-completion/completions $(DESTDIR)$(PREFIX)/share/fish/vendor_completions.d\n\t@install -m 0644 $(ZSH_COMPLETION_OUTPUT) $(DESTDIR)$(PREFIX)/share/zsh/site-functions/_gopass\n\t@install -m 0644 $(BASH_COMPLETION_OUTPUT) $(DESTDIR)$(PREFIX)/share/bash-completion/completions/gopass\n\t@install -m 0644 $(FISH_COMPLETION_OUTPUT) $(DESTDIR)$(PREFIX)/share/fish/vendor_completions.d/gopass.fish\n\t@printf '%s\\n' '$(OK)'\n\ninstall-man: gopass.1\n\t@install -d -m 0755 $(DESTDIR)$(PREFIX)/share/man/man1\n\t@install -m 0644 gopass.1 $(DESTDIR)$(PREFIX)/share/man/man1/gopass.1\n\nfulltest: $(GOPASS_OUTPUT)\n\t@echo \">> TEST, \\\"full-mode\\\": race detector off\"\n\t@echo \"mode: atomic\" > coverage-all.out\n\t@$(foreach pkg, $(PKGS),\\\n\t echo -n \" \";\\\n\t\t$(GO) test -run '(Test|Example)' $(BUILDFLAGS) $(TESTFLAGS) -coverprofile=coverage.out -covermode=atomic $(pkg) || exit 1;\\\n\t\ttail -n +2 coverage.out >> coverage-all.out;)\n\t@$(GO) tool cover -html=coverage-all.out -o coverage-all.html\n\t@which go-cover-treemap > /dev/null; if [ $$? -ne 0 ]; then \\\n\t\t$(GO) install github.com/nikolaydubina/go-cover-treemap@latest; \\\n\tfi\n\t@go-cover-treemap -coverprofile coverage-all.out > coverage-all.svg\n\ntest: $(GOPASS_OUTPUT)\n\t@echo \">> TEST, \\\"fast-mode\\\": race detector off\"\n\t@$(foreach pkg, $(PKGS),\\\n\t echo -n \" \";\\\n\t\t$(GO) test -test.short -run '(Test|Example)' $(BUILDFLAGS) $(TESTFLAGS) $(pkg) || exit 1;)\n\ntest-win: $(GOPASS_OUTPUT)\n\t@echo \">> TEST, \\\"fast-mode-win\\\": race detector off\"\n\t@$(foreach pkg, $(PKGS),\\\n\t\t$(GO) test -test.short -run '(Test|Example)' $(pkg) || exit 1;)\n\ntest-integration: $(GOPASS_OUTPUT)\n\tcd tests && GOPASS_BINARY=$(PWD)/$(GOPASS_OUTPUT) GOPASS_TEST_DIR=$(PWD)/tests $(GO) test -v $(TESTFLAGS)\n\ncrosscompile:\n\t@echo \">> CROSSCOMPILE\"\n\t@which goreleaser > /dev/null; if [ $$? -ne 0 ]; then \\\n\t\t$(GO) install github.com/goreleaser/goreleaser/v2@v2.11.2; \\\n\tfi\n\t@goreleaser build --snapshot\n\n%.completion: $(GOPASS_OUTPUT)\n\t@printf \">> $* completion, output = $@\"\n\t@./gopass completion $* > $@\n\t@printf \"%s\\n\" \"$(OK)\"\n\ncodequality: licensecheck\n\t@echo \">> CODE QUALITY\"\n\n\t@echo -n \" GOLANGCI-LINT \"\n\t@which golangci-lint > /dev/null; if [ $$? -ne 0 ]; then \\\n\t\t$(GO) install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.6.1; \\\n\tfi\n\t@golangci-lint run --max-issues-per-linter 0 --max-same-issues 0 || exit 1\n\t@printf '%s\\n' '$(OK)'\n\n\t@echo -n \" KEEP-SORTED \"\n\t@which keep-sorted > /dev/null; if [ $$? -ne 0 ]; then \\\n\t\t$(GO) install github.com/google/keep-sorted@latest; \\\n\tfi\n\t@keep-sorted --mode lint $(GOFILES_NOVENDOR) || exit 1\n\t@printf '%s\\n' '$(OK)'\n\n\t@echo -n \" CAPSLOCK \"\n\t@which capslock > /dev/null; if [ $$? -ne 0 ]; then \\\n\t\t$(GO) install github.com/google/capslock/cmd/capslock@latest; \\\n\tfi\n\t@capslock -packages ./... -output=compare .capabilities.json || exit 1\n\t@printf '%s\\n' '$(OK)'\n\n\t@echo -n \" GOVULNCHECK \"\n\t@which govulncheck > /dev/null; if [ $$? -ne 0 ]; then \\\n\t\t$(GO) install golang.org/x/vuln/cmd/govulncheck@latest; \\\n\tfi\n\t@govulncheck >/dev/null || exit 1\n\t@printf '%s\\n' '$(OK)'\n\nlicensecheck:\n\t@echo \">> LICENSE CHECK\"\n\n\t@echo -n \" LICENSE-LINT \"\n\t@which license-lint > /dev/null; if [ $$? -ne 0 ]; then \\\n\t\t$(GO) install istio.io/tools/cmd/license-lint@latest; \\\n\tfi\n\t@license-lint --config .license-lint.yml >/dev/null || exit 1\n\n\t@printf '%s\\n' '$(OK)'\n\ngen:\n\t@$(GO) generate ./...\n\nfmt:\n\t@keep-sorted --mode fix $(GOFILES_NOVENDOR)\n\t@gofumpt -w $(GOFILES_NOVENDOR)\n\t@$(GO) mod tidy\n\ndeps:\n\t@$(GO) build -v ./...\n\nupgrade: gen fmt\n\t@$(GO) get -u ./...\n\t@$(GO) mod tidy\n\nman:\n\t@$(GO) run helpers/man/main.go > gopass.1\n\nmsi:\n\t@$(GO) run helpers/msipkg/main.go\n\ndocker:\n\tdocker build -t gopass:latest .\n\n.PHONY: clean build completion install sysinfo crosscompile test codequality release goreleaser debsign man msi docker\n" }, { "path": "README.md", "content": "

\n \"gopass\n

\n\n# Overview\n\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/gopasspw/gopass/badge)](https://securityscorecards.dev/viewer/?uri=github.com/gopasspw/gopass)\n[![Build Status](https://img.shields.io/github/actions/workflow/status/gopasspw/gopass/build.yml?branch=master)](https://github.com/gopasspw/gopass/actions/workflows/build.yml?query=branch%3Amaster)\n[![Go Report Card](https://goreportcard.com/badge/github.com/gopasspw/gopass)](https://goreportcard.com/report/github.com/gopasspw/gopass)\n[![Packaging status](https://repology.org/badge/tiny-repos/gopass-gopasspw.svg)](https://repology.org/project/gopass-gopasspw/versions)\n[![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/gopasspw/gopass/blob/master/LICENSE)\n[![Github All Releases](https://img.shields.io/github/downloads/gopasspw/gopass/total.svg)](https://github.com/gopasspw/gopass/releases)\n[![Gopass Slack](https://img.shields.io/badge/%23gopass-Slack-brightgreen)](https://join.slack.com/t/gopassworkspace/shared_invite/zt-17jl74b5x-U1OUW4ts4AQ7eAf2V4QaaQ)\n\n> The slightly more awesome standard UNIX password manager for teams.\n\nManage your credentials with ease. In a globally distributed team, on multiple devices or fully offline on an air-gapped machine.\n\n- **Works everywhere** - The same user experience on Linux, MacOS, *BSD or Windows\n- **Built for teams** - Built from our experience working in distributed development teams\n- **Full autonomy** - No network connectivity required, unless you want it\n\n# How Does It Work?\n\nGopass is a drop-in replacement for pass, the standard UNIX password manager.\nBy default your credentials are encrypted with GPG and versioned in git. This can be customized easily.\nOther backends for encryption (e.g. age) and storage (e.g. fossil) are also available.\nThe primary interface is the command line, making it an excellent choice for CLI fans, CI/CD systems or\nanything you can hook it up with. Gopass can also integrate with your browser so you can largely avoid\nthe command line - if you want.\n\n# Installation\n\n## Necessary prerequisites for running `gopass`\n\n`gopass` can operate without any dependencies but most users will use it with `gpg` and `git`.\nAn external editor is required to use `gopass edit`.\n\n## Installation through package managers\n\n### [Homebrew](https://brew.sh) (Linux/MacOS)\n\n[![homebrew version](https://img.shields.io/homebrew/v/gopass)](https://github.com/Homebrew/homebrew-core/blob/master/Formula/gopass.rb)\n\n```shell\nbrew install gopass\n```\n\n### [MacPorts](https://www.macports.org) (macOS)\n\n[![macports version](https://repology.org/badge/version-for-repo/macports/gopass-gopasspw.svg)](https://ports.macports.org/port/gopass/)\n\n```shell\nsudo port install gopass\n```\n\n### Debian (Ubuntu, Debian, Raspbian, ...)\n\n**Warning**: Do not install the `gopass` package from the official repositories. That is a completely different project that has no relation to us.\n\n```shell\ncurl https://packages.gopass.pw/repos/gopass/gopass-archive-keyring.gpg | sudo tee /usr/share/keyrings/gopass-archive-keyring.gpg >/dev/null\ncat << EOF | sudo tee /etc/apt/sources.list.d/gopass.sources\nTypes: deb\nURIs: https://packages.gopass.pw/repos/gopass\nSuites: stable\nArchitectures: all amd64 arm64 armhf\nComponents: main\nSigned-By: /usr/share/keyrings/gopass-archive-keyring.gpg\nEOF\nsudo apt update\nsudo apt install gopass gopass-archive-keyring\n```\n\n### Fedora / RedHat / CentOS\n\n[![Fedora version](https://img.shields.io/fedora/v/gopass)](https://packages.fedoraproject.org/pkgs/gopass/gopass/)\n\n```shell\ndnf install gopass\n```\n\nNote: You might need to run `dnf copr enable daftaupe/gopass` first.\n\n### Arch Linux\n\n[![Arch version](https://img.shields.io/archlinux/v/extra/x86_64/gopass)](https://archlinux.org/packages/extra/x86_64/gopass/)\n\n```shell\npacman -S gopass\n```\n\n### Windows\n\n[![Scoop version](https://img.shields.io/scoop/v/gopass)](https://github.com/ScoopInstaller/Main/blob/master/bucket/gopass.json)\n\n```shell\n# WinGet\nwinget install Git.Git\nwinget install GnuPG.Gpg4win\nwinget install gopass.gopass\n# Chocolatey\nchoco install gpg4win\nchoco install gopass\n# Alternatively\nscoop install gopass\n```\n\n### FreeBSD / OpenBSD\n\n```shell\ncd /usr/ports/security/gopass\nmake install\n```\n\n### Alpine Linux\n\n```shell\napk add gopass\n```\n\n## Other installation options\n\nPlease see [docs/setup.md](https://github.com/gopasspw/gopass/blob/master/docs/setup.md) for other options.\n\n### From Source\n\n```shell\ngo install github.com/gopasspw/gopass@latest\n```\n\nNote: `latest` is not a stable release. We recommend to only use released versions.\n\n### Manual download\n\nDownload the [latest release](https://github.com/gopasspw/gopass/releases/latest) and add the binary to your PATH.\n\n# Quick start guide\n\nInitialize a new `gopass` configuration:\n\n```shell\ngopass setup\n\n __ _ _ _ _ _ ___ ___\n /'_ '\\ /'_'\\ ( '_'\\ /'_' )/',__)/',__)\n( (_) |( (_) )| (_) )( (_| |\\__, \\\\__, \\\n'\\__ |'\\___/'| ,__/''\\__,_)(____/(____/\n( )_) | | |\n \\___/' (_)\n\nšŸŒŸ Welcome to gopass!\nšŸŒŸ Initializing a new password store ...\nšŸŒŸ Configuring your password store ...\nšŸŽ® Please select a private key for encrypting secrets:\n[0] gpg - 0xFEEDBEEF - John Doe \nPlease enter the number of a key (0-12, [q]uit) (q to abort) [0]: 0\nā“ Do you want to add a git remote? [y/N/q]: y\nConfiguring the git remote ...\nPlease enter the git remote for your shared store []: git@gitlab.example.org:john/passwords.git\nāœ… Configured\n```\n\nBy default `gopass setup` will use `gpg` encryption and `git` storage. This will create a new password store in `$HOME/.local/share/gopass/stores/root` and a configuration in `$HOME/.config/gopass/config` using `gpg` encryption and `git` for versioned storage. Users can override these with e.g. `--crypto=age` to use `age` encryption instead or opt out of using a versioned store with `--storage=fs`.\n\nAn existing store can be cloned with e.g. `gopass clone git@gitlab.example.org:john/passwords.git`.\n\nCreate a new secret:\n\n```shell\ngopass create\n```\n\nList all existing secrets:\n\n```shell\ngopass ls\n```\n\nCopy an existing password to the clipboard:\n\n```shell\ngopass show -c foo\n```\n\nRemove an existing secret:\n\n```shell\ngopass rm foo\n```\n\nOther examples:\n\n```shell\n# Command structure\ngopass [] [options] [args]\n# Shortcut for gopass show []\ngopass []\n\n# Enter the gopass REPL\ngopass\n\n# Find all entries matching the search string\ngopass find github\n\n# List your store\ngopass ls\n\n# List all mounts\ngopass mounts\n\n# List all recipients\ngopass recipients\n\n# Sync with all remotes\ngopass sync\n\n# Setup a new store\ngopass setup\n```\n\n## Screenshot\n\n![screenshot](docs/showcase.png)\n\n## Support\n\nPlease ask on [Slack](https://join.slack.com/t/gopassworkspace/shared_invite/zt-17jl74b5x-U1OUW4ts4AQ7eAf2V4QaaQ).\n\n## Contributing\n\nWe welcome any contributions. Please see [CONTRIBUTING.md](https://github.com/gopasspw/gopass/blob/master/CONTRIBUTING.md) for more information.\n\n## Credit & License\n\ngopass is licensed under the terms of the MIT license. You can find the complete text in [`LICENSE`](https://github.com/gopasspw/gopass/blob/master/LICENSE).\n\nPlease refer to our [Contributors](https://github.com/gopasspw/gopass/graphs/contributors) page for a complete list of our contributors.\n" }, { "path": "VERSION", "content": "1.16.1\n" }, { "path": "bash.completion", "content": "_gopass_bash_autocomplete() {\n local cur opts base\n COMPREPLY=()\n cur=\"${COMP_WORDS[COMP_CWORD]}\"\n # Use error handling to prevent crashes from invalid flags\n opts=$( ${COMP_WORDS[@]:0:$COMP_CWORD} --generate-bash-completion 2>/dev/null ) || opts=\"\"\n local IFS=$'\\n'\n COMPREPLY=( $(compgen -W \"${opts}\" -- ${cur}) )\n return 0\n }\n\ncomplete -F _gopass_bash_autocomplete gopass\n" }, { "path": "docs/backends/age.md", "content": "# age crypto backend\n\nThe `age` backend is an experimental crypto backend based on [age](https://age-encryption.org). It adds an\nencrypted keyring on top (using age in scrypt password mode). It also has\n(largely untested) support for specifying recipients as github users. This will\nuse their ssh public keys for age encryption.\nIt is well positioned to eventually replace `gpg` as the default crypto backend.\n\n## Getting started\n\nWARNING: This backend is experimental and the on-disk format likely to change.\n\nTo start using the `age` backend initialize a new (sub) store with the `--crypto=age` flag:\n\n```\n$ gopass age identity add [AGE-... age1...]\n\n$ gopass init --crypto age\n```\n\nor use the wizard that will help you create a new age key:\n```\n$ gopass setup --crypto age\n```\n\nThis will automatically create a new age keypair and initialize the new store.\n\nExisting stores can be migrated using `gopass convert --crypto age`.\n\nN.B. for a fully scripted or **non-interactive setup**, you can use the `GOPASS_AGE_PASSWORD` env variable\nto set your identity file secret passphrase, and specify the age identity and recipients\nthat should be used for encrypting/decrypting passwords as follows:\n```\n$ gopass age identity add \n$ GOPASS_AGE_PASSWORD=mypassword gopass init --crypto age \n```\nNotice the extra space in front of the command to skip most shell's history.\nYou'll need to set your name and username using `git` directly if you're using it as storage backend (the default one).\n\nYou can also specify the ssh directory by setting environment variable\n```\n$ GOPASS_SSH_DIR=/Downloads/new_ssh_dir gopass init --crypto age \n```\n\n## Features\n\n* Encryption using `age` library, can be decrypted using the `age` CLI\n* Support for native age, ssh-ed25519 and ssh-rsa recipients\n* Support for encrypted ssh private keys\n* Support for using GitHub users' private keys, e.g. `github:user` as recipient\n* Automatic downloading and caching of SSH keys from GitHub\n* Encrypted keyring for age keypairs\n* Support for age plugins\n* Caching of passphrases via an agent\n\n## Agent\n\nThe age backend comes with an agent that can cache the passphrases for your age identities.\nThe agent is started automatically by gopass if it's not already running.\nYou can disable the agent by setting `age.agent-enabled` to `false` in your gopass config.\n\nThe agent performs the decryption and the passphrase never leaves the agent process.\nThe agent listens on a unix socket at `$XDG_RUNTIME_DIR/gopass/gopass-age-agent.sock`.\n\nYou can interact with the agent using the following commands:\n- `gopass age agent`: starts the agent in the foreground.\n- `gopass age lock`: locks the agent, clearing all cached passphrases.\n\n## Usage with a yubikey\n\nTo use with a Yubikey, `age` requires the usage of the [age-plugin-yubikey plugin](https://github.com/str4d/age-plugin-yubikey/).\n\nAssuming you have Rust installed:\n```bash\n$ cargo install age-plugin-yubikey\n$ age-plugin-yubikey -i\n\n$ age-plugin-yubikey\nāœØ Let's get your YubiKey set up for age! āœØ\n\n$ age-plugin-yubikey -i\n\n$ gopass age identities add\nEnter the age identity starting in AGE-:\n\nProvide the corresponding age recipient starting in age1:\n\n```\n\nIf gopass tells you `waiting on yubikey plugin...` when decrypting secrets, it probably is waiting for you to touch\nyour Yubikey because you've set a Touch policy when setting up your PIV slot.\n\n## Roadmap\n\nThe future of this backend largely depends on what is happening in the `age` project itself.\n\nAssuming `age` is supporting this, we'd like to:\n\n* Finalize GitHub recipient support\n* Add Hardware token support\n* Make age the default gopass backend\n" }, { "path": "docs/backends/cryptfs.md", "content": "# cryptfs storage backend\n\nThe `cryptfs` backend is an experimental storage backend **PREVIEW**. It hashes secret names and stores the mapping from names to actual file inside an `age` encrypted lookup table. The filesystem backing this storage backend is flexible, but by default uses `gitfs`.\n\n**WARNING**: Do not use unless you want to contribute to the development of this backend!\n" }, { "path": "docs/backends/fossilfs.md", "content": "# `fossilfs` storage backend\n\nThis is an **EXPERIMENTAL** storage backend that uses the Fossil SCM. It isn't well tested and only exists to provide an example how a non-git backend could look like.\n" }, { "path": "docs/backends/fs.md", "content": "# fs storage backend\n\nThe simplest storage backend, often used for testing.\nIt stores data directly in the filesystem without any RCS support.\n" }, { "path": "docs/backends/gitfs.md", "content": "# `gitfs` storage backend\n\nThis is the default storage backend. It stores the encrypted data directly in the filesystem. It uses an external git binary to provide history and remote sync operations.\n\ngopass configures git to use persistent ssh connections. If you do not want\nthis set `GIT_SSH_COMMAND` to an empty string to override the built-in default.\n" }, { "path": "docs/backends/gpg.md", "content": "# gpg crypto backend\n\nThe `gpgcli` backend is the default crypto backend based on the `gpg` CLI. It depends on the GPG installation to be working and having a properly initialized keyring.\n\n## Getting started\n\nWARNING: This backend suffers from myriads of different configuration options, a poor scripting interface and not pure-Go libarary bindings being available.\n\nTo start using the `gpgcli` backend initialize a new (sub) store with the `--crypto=gpgcli` flag:\n\n```\ngopass init --crypto gpgcli\ngopass recipients add 0xDEADBEEF\n```\n\n## Features\n\n* Compatible with other password store implementations\n* Support for all GPG features, like smart-cards or hardware tokens\n\n## Caveats\n\n* Using long key sizes (e.g. 4096 bit or longer) can make many operations a lot slower\n* Some GPG installations don't work well with concurrent operations\n\n## Roadmap\n\nThis backend is the single most annoying source of maintenance workload in this project.\nWe try to keep this backend working as good as possible but there are a lot of reasons\nwhy we'd prefer eventually move beyond GPG.\n\n### GPG Critism\n\nThis section is a growing list of references why GPG is bad and why you should avoid it.\nThat might sound like an unusual thing to say for the authors of a tool whose main use case\nrelies on GPG but whenever we tried to move beyond GPG we got a lot of backlash. So I guess\nfirst we need to try to make use understand why you shouldn't hold on to GPG and by then we'll\ntry to have a replacement ready for you.\n\n* [What's the matter with PGP](https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/)\n* [The PGP Problem](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html)\n* [I'm giving up on PGP](https://blog.filippo.io/giving-up-on-long-term-pgp/)\n* [GPG and Me](https://moxie.org/2015/02/24/gpg-and-me.html)\n" }, { "path": "docs/backends/jjfs.md", "content": "# `jjfs` storage backend\n\nThis is an **EXPERIMENTAL** storage backend that uses the JJ / Git. It isn't well tested and only exists to provide an example how a non-git backend could look like." }, { "path": "docs/backends.md", "content": "# Backends\n\ngopass supports pluggable backends for Storage and Revision Control System (`storage`) and Encryption (`crypto`).\n\nAs of today, the names and responsibilities of these backends are still unstable and will probably change.\n\nBy providing suitable backends, gopass can use different kinds of encryption or storage.\nFor example, it is pretty straightforward to add mercurial or bazaar as an SCM backend.\n\nAll backends are in their own packages below `backend/`. They need to implement the\ninterfaces defined in the backend package and have their identification added to\nthe context handlers in the same package.\n\n## Storage and RCS Backends (storage)\n\n* [fs](backends/fs.md) - Filesystem storage without RCS support\n* [gitfs](backends/gitfs.md) - Filesystem storage with Git RCS\n* [fossilfs](backends/fossilfs.md) - Filesystem storage with Fossil RCS. **Highly experimental, likely broken**. Use only if you want to contributed to the backend.\n* [jjfs](backends/jjfs.md) - Filesystem storage with JJ RCS. **Highly experimental, likely broken**. Use only if you want to contributed to the backend.\n* [cryptfs](backends/cryptfs.md) - Fully encrypted filesystem storage. **Highly experimental, likely broken**. Use only if you want to contributed to the backend.\n\n## Crypto Backends (crypto)\n\n* [gpgcli](backends/gpg.md) - depends on a working gpg installation\n* plain - A no-op backend used for testing. WARNING: DOES NOT ENCRYPT!\n* [age](backends/age.md) - This backend is based on [age](https://github.com/FiloSottile/age). It adds an encrypted keyring on top (using age in scrypt password mode). It also has (largely untested) support for specifying recipients as github users. This will use their ssh public keys for age encryption. This backend might very well become the new default backend.\n" }, { "path": "docs/commands/audit.md", "content": "# `audit` command\n\nThe `audit` command will decrypt all secrets and scan for weak passwords or other common flaws.\n\n## Synopsis\n\n```\n$ gopass audit\n```\n\n## Excludes\n\nYou can exclude certain secrets from the audit by adding a `.gopass-audit-exclude` file to the secret. The file should contain a list of RE2 patters to exclude, one per line. For example:\n\n```\n# Lines starting with # are ignored. Trailing comments are not supported.\n# Exclude all secrets in the pin folder.\n# Note: These are RE2, not Glob patterns!\npin/.*\n# Literal matches are also valid RE2 patterns\ntest_folder/ignore_this\n# Gopass internally uses forward slashes as path separators, even on Windows. So no need to escape backslashes.\n```\n\n## Password strength backends\n\n| Backend | Description |\n|-------------------------------------------------|------------------------------------------------------------------------|\n| [`crunchy`](https://github.com/muesli/crunchy) | Crunchy password strength checker |\n| `name` | Checks if password equals the name of the secret |\n" }, { "path": "docs/commands/cat.md", "content": "# `cat` command\n\nThe `cat` command is used to pipe password in and out of STDIN and STDOUT\nrespectively. As it is intended to be used with binary data, it encodes the\ndata-stream to store it.\n\n## Synopsis\n\n```bash\n$ echo \"test\" | gopass cat test/new\n$ gopass cat test/new\n```\n\n## Modes of operation\n\n* Create a new entry with data-stream from STDIN\n* Change an existing entry to data-stream from STDIN\n* Retrive encoded data from password-store and echo it to STDOUT\n\nCat is intended to work with binary data, so it accepts any kind of stream from\nSTDIN. It reads the binary-stream from STDIN and encodes it Base64 and saves it\nin the password store encoded, with some metadata about the input-stream and the\nused encoding (currently only Base64 supported).\n\n### Example\n```\n$ echo \"234\" | gopass cat test/new\n$ gopass show -f test/new\nSecret: test/new\n\n\ncontent-disposition: attachment; filename=\"STDIN\"\ncontent-transfer-encoding: Base64\nMjM0Cg==\n$ gopass cat test/new\n234\n```\n\n### Differences to `insert`\n\nIn contrast to `insert` it handles any kind of data-stream from STDIN and\nencodes it.\nDrawback: you can not just simply read the password with `gopass show`.\n\n## Flags\n\nThis command has currently no supported flags except the gopass globals.\n" }, { "path": "docs/commands/clone.md", "content": "# `clone` command\n\nThe `clone` command allows cloning and setting up a new password store\nfrom a remote location, e.g. a remote git repo.\n\n## Synopsis\n\n```\n$ gopass clone git@example.com/store.git\n$ gopass clone git@example.com/store.git sub/store\n```\n\n## Flags\n\n| Flag | Aliases | Description |\n|------------|---------|-----------------------------------------------------------------|\n| `--path` | | The path to clone the repo to. |\n| `--crypto` | | Override the crypto backend to use if the auto-detection fails. |\n" }, { "path": "docs/commands/config.md", "content": "# `config` command\n\nThe config command allows displaying and altering configuration options.\n\nNote: To manage mounts use `gopass mounts`.\n\n## Synopsis\n\n```bash\ngopass config\ngopass config generate.autoclip\ngopass config generate.autoclip false\n```\n\n## Flags\n\n| Flag | Description |\n|-----------|--------------------------------|\n| `--store` | Only sync a specific sub store |\n" }, { "path": "docs/commands/convert.md", "content": "# `convert` command\n\nThe `convert` command exists to migrate stores between different backend\nimplementations.\n\nNote: This command exists to enable a possible migration path. If we agree\non a single set of backend implementations the multiple backend support\nmight go away and this command as well.\n\nWarning: Converting between different RCS backends will loose part of the history. While we try to retain as much information as possible especially the commit timestamps will be set to the convert time.\n\n## Synopsis\n\n```\n$ gopass convert --store=foo --move=true --storage=gitfs --crypto=age\n$ gopass convert --store=bar --move=false --storage=fs --crypto=plain\n```\n\n## Flags\n\nFlag | Description\n---- | -----------\n`--store` | Substore to convert.\n`--move` | Remove backup after converting? (default: `false`)\n`--storage` | Target storage backend.\n`--crypto` | Target crypto backend.\n" }, { "path": "docs/commands/create.md", "content": "# `create` command\n\nThe `create` command creates a new secret using a set of built-in or custom templates.\nIt implements a wizard that guides inexperienced users through the secret creating.\n\nThe main design goal of this command was to guide users through the creation of a secret\nand asking for the necessary information to create a reasonable secret location.\n\n## Synopsis\n\n```bash\ngopass create\ngopass create --store=foo\n```\n\n## Modes of operation\n\n* Create a new secret using a wizard\n\n## Templates\n\n`gopass create` will look for files ending in `.yml` in the folder `.gopass/create` inside\nthe selected store (by default the root store).\n\nTo add new templates to the wizard add templates to this folder.\n\nExample:\n\n```bash\n$ cat $(gopass config mounts.path)/.gopass/create/aws.yml\n---\npriority: 5\nname: \"AWS\"\nprefix: \"aws\"\nname_from:\n - \"org\"\n - \"user\"\nwelcome: \"šŸ§Ŗ Creating AWS credentials\"\nattributes:\n - name: \"org\"\n type: \"string\"\n prompt: \"Organization\"\n min: 1\n - name: \"user\"\n type: \"string\"\n prompt: \"User\"\n min: 1\n - name: \"password\"\n type: \"password\" # hide input\n prompt: \"Password\"\n charset: \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%&*\"\n min: 10\n strict: true # ensure at least one char from each detected class (upper, lower, digit, symbol)\n - name: \"comment\"\n type: \"string\"\n prompt: \"Comments\"\n```\n\n## Template Attributes\n\nTemplate attributes support the following fields:\n\n| Field | Type | Description |\n|-----------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `name` | string | The name of the attribute. This will be used as the key in the secret's YAML data. |\n| `type` | string | The type of attribute. Supported values: `string`, `hostname`, `password`. |\n| `prompt` | string | The prompt text to display to the user. |\n| `charset` | string | For password type: Custom character set to use when generating the password. If not specified, standard character classes will be used. |\n| `min` | int | Minimum length validation for the attribute value. |\n| `max` | int | Maximum length validation for the attribute value. |\n| `always_prompt` | bool | For password type: Always prompt for the password instead of offering password generation. Default: `false`. |\n| `strict` | bool | For password type with `charset`: Enforce that all detected character classes (uppercase, lowercase, digits, symbols) present in the charset are represented in the generated password. Similar to `--strict` in `gopass generate`. Default: `false`. |\n\n## Flags\n\n| Flag | Aliases | Description |\n|-----------|---------|------------------------------------------------------------------|\n| `--store` | `-s` | Select the store to use. Will be used to look up user templates. |\n| `--force` | `-f` | For overwriting existing entries. |\n| `--print` | `-p` | Print the password to STDOUT. |\n" }, { "path": "docs/commands/delete.md", "content": "# `delete` command\n\nThe `delete` command is used to remove a single secret or a whole subtree.\n\nNote: Recursive operations crossing mount points are intentionally not supported.\n\n## Synopsis\n\n```\n$ gopass delete entry\n$ gopass rm -r path/to/folder\n$ gopass rm -f entry\n$ gopass delete entry key\n```\n\n## Modes of operation\n\n* Delete a single secret\n* Delete a single key from an existing secret\n* Delete a directoy of secrets\n\n## Flags\n\n| Flag | Aliases | Description |\n|---------------|---------|---------------------------------------|\n| `--recursive` | `-r` | Recursively delete files and folders. |\n| `--force` | `-f` | Do not ask for confirmation. |\n\n## Details\n\n* Removing a single key will need to decrypt the secret\n" }, { "path": "docs/commands/edit.md", "content": "# `edit` command\n\nThe `edit` command loads a new or existing secret into your `$EDITOR` (default: `vim`)\nand saves the resulting content in the password store. It will attempt to create secure\ntemporary directory (depending on the OS) and will warn if insecure editor configuration\n(currently only `vim`) is detected.\n\nNative `gopass` MIME secrets are syntax checked and invalid encodings are rejected.\nAny other type of secret is accepted as is.\n\n`gopass` will honor templates when creating a new entry.\n\n## Synopsis\n\n```\n$ gopass edit entry\n$ gopass edit -e /bin/nano entry\n$ EDITOR=/bin/nano gopass edit entry\n```\n\n## Modes of operation\n\n* Create a new secret\n* Edit an existing secret\n\n## Flags\n\n| Flag | Aliases | Description |\n|------------|---------|---------------------------------------------------------------------------------------------------------------------------------------|\n| `--editor` | `-e` | Specify the path to an editor. Must accept the filename as it's first argument. |\n| `--create` | `-c` | Create a new secret. You can create a new secret with `edit` with or without `-c`, but `-c` will skip searching for existing matches. |\n" }, { "path": "docs/commands/env.md", "content": "# `env` command\n\nThe `env` command runs a binary as a subprocess with a pre-populated environment.\nThe environment of the subprocess is populated with a set of environment variables corresponding\nto the secret subtree specified on the command line.\n\n## Synopsis\n\n```\n$ gopass env entry env\n```\n\n" }, { "path": "docs/commands/find.md", "content": "# `find` command\n\nThe `find` command will attempt to do a simple substring match on the names of all secrets.\nIf there is a single match it will directly invoke `show` and display the result.\nIf there are multiple matches a selection will be shown.\n\nNote: The find command will not fall back to a fuzzy search.\n\n## Synopsis\n\n```\n$ gopass find entry\n$ gopass find -f entry\n$ gopass find -c entry\n```\n\n## Flags\n\n| Flag | Aliases | Description |\n|------------|---------|---------------------------------------------------------------|\n| `--clip` | `-c` | Copy the password into the clipboard. |\n| `--unsafe` | `-u` | Display any unsafe content, even if `safecontent` is enabled. |\n\n" }, { "path": "docs/commands/fsck.md", "content": "# `fsck` command\n\n`gopass` can check integrity of it's password stores with the `fsck` command.\nIt will ensure proper file and directory permissions as well as proper\nrecipient coverage (on supported crypto backends, only).\n\n## Synopsis\n\n```\n$ gopass fsck\n```\n\n## Modes of operation\n\n* Check the entire password store, incl. all mounts\n* Check only the specified mount\n\n## Flags\n\nFlag | Aliases | Description\n---- | ------- | -----------\n`--decrypt` | | Decrypt and reencrypt all secrets.\n" }, { "path": "docs/commands/fscopy.md", "content": "# `fscopy` command\n\nThe `fscopy` command is used to copy a file from your filesystem into your\npassword store, while keeping it in clear in your local filesystem after\nhaving stored it in your encrypted store.\n\n## Synopsis\n\n```bash\n$ gopass fscopy ~/test/file data/test/file-entry\n$ gopass fscopy data/test/file-entry ~/file\n```\n\n## Modes of operation\n\nThis command either reads a file from the filesystem and writes the\nencoded and encrypted version in the store or it decrypts and decodes\na secret and writes the result to a file. Either source or destination\nmust be a file and the other one a secret.\nIf you want the source to be removed use 'gopass fsmove'.\n\n`fscopy` is intended to work with raw files.\n\n### Example\n```\n$ gopass fscopy ~/test/file data/test/file-entry\n$ gopass cat data/test/file-entry\n```\n\nSee also the docs for the [`cat` action](cat.md).\n\n## Flags\n\nThis command has currently no supported flags except the gopass globals.\n" }, { "path": "docs/commands/fsmove.md", "content": "# `fsmove` command\n\nThe `fsmove` command is used to move a file from your filesystem into your\npassword store, erasing it from your local filesystem after having stored it in your encrypted store.\n\n## Synopsis\n\n```bash\n$ gopass fsmove ~/test/file data/test/file-entry\n$ gopass fsmove data/test/file-entry ~/file\n```\n\n## Modes of operation\n\nThis command either reads a file from the filesystem and writes the\nencoded and encrypted version in the store or it decrypts and decodes\na secret and writes the result to a file. Either source or destination\nmust be a file and the other one a secret. The source will be wiped\nfrom disk or from the store after it has been copied successfully\nand validated. If you don't want the source to be removed use\n'gopass fscopy'.\n\n`fsmove` is intended to work with raw files.\n\n### Example\n```\n$ gopass fsmove ~/test/file data/test/file-entry\n$ gopass cat data/test/file-entry\n```\n\nSee also the docs for the [`cat` action](cat.md).\n\n## Flags\n\nThis command has currently no supported flags except the gopass globals.\n" }, { "path": "docs/commands/generate.md", "content": "# `generate` command\n\nThe `generate` command is used to generate a new password and store it into the password store.\n\nNote: If you only want generate a password without storing it in the store, use the `pwgen` command.\n\n## Synopsis\n\n```\n$ gopass generate entry [length]\n$ gopass generate entry key [length]\n```\n\n## Modes of operation\n\n* Generate a new entry with a new password, e.g. a new login. Setting the `Password` field, `gopass generate entry [chars]`\n* Re-generating a new password and setting it in the `Password` field of an existing entry\n* Generate a new password and setting it to a new key of an existing secret, e.g. `gopass generate entry key [chars]`\n* Re-generate a new password for an existing key in an existing entry\n\n## Flags\n\n| Flag | Aliases | Description |\n|---------------|---------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `--clip` | `-c` | Copy the generated password into the clipboard. Default: Value of `autoclip` |\n| `--print` | `-p` | Print the generated password to the terminal. Default: false. |\n| `--force` | `-f` | Force overwriting an existing entry. |\n| `--edit` | `-e` | Generate a password and open the entry for editing in `$EDITOR`. |\n| `--generator` | `-g` | Choose of of the available password generators, desribed below. Default: `cryptic` |\n| `--symbols` | `-s` | Include symbols in the generated password (default: `false`) |\n| `--strict` | | Ensure each requested character class is actually included. Without this option all requested classes can be included, but not necessarily are. (default: `false`) |\n| `--sep` | | Word separator for multi-word generators. |\n| `--lang` | | Language for word-based generators. |\n\n## Password Generators\n\nUse `--generator` to select one of the available password generators:\n\n| Generator | Description |\n|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `cryptic` | The default generator yields cryptic passwords that should work with most sites. Use `--symbols` and `--strict` if the site has specific requirements. Please note that we auto-detect the correct rules for some sites. The length argument specifies the number of characters. |\n| `xkcd` | Use an [XKCD#936](https://xkcd.com/936/) style password. Use `--lang` and `--sep` to refine it's behaviour. The length argument specifies the number of words. |\n| `memorable` | Generate a memorable password. The length argument specifies the minimum lenght of characters. Please note that the password might be longer if not all necessary rules were satisfied by the minimum length solution. |\n| `external` | Use the external generator from `$GOPASS_EXTERNAL_PWGEN` |\n\n## Relevant configuration options\n\n* `autoclip` only applies to `generate`. If set the generated password is automatically copied to the clipboard - unless `--clip` is explicitly set to `--clip=false`\n* `safecontent` will suppress printing of the password, unless `-p` is set. The password will not be copied, unless `-c` or the `autoclip` option are set.\n\n## Templates\n\nWhen creating a new entry gopass will look for the most specific template\nby going up in the secret path looking for a file called `.pass-template`.\n\nIf any such file is found it will be used to pre-populate the generated\nsecret.\n" }, { "path": "docs/commands/gopass.md", "content": "# `gopass` command\n\nCalling `gopass` without any command argument is a common entry point and\nhas two different modes.\n\n## Synopsis\n\n```\n$ gopass\n$ gopass entry\n$ gopass -c entry\n```\n\n## Modes of operation\n\n* Invoked without any arguments `gopass` will start an interactive REPL shell. This includes zero-setup command completion and passphrase caching (for non-GPG backends).\n* Invoked with one argument it will perform a (fuzzy) search and display a list of matches or the secret directly (if exactly one match).\n* Invoked with two arguments it will do search and if there is a match display the named key.\n\n## Flags\n\nNote: DO NOT use in scripts! Use `gopass show` instead.\n\n| Flag | Aliases | Description |\n|------------|---------|----------------------------------------------------------------------------------------------------------------------------|\n| `--clip` | `-c` | Copy the password value into the clipboard and don't show the content. |\n| `--unsafe` | `-u` | Display unsafe content (e.g. the password) even when the `safecontent` option is set. No-op when `safecontent` is `false`. |\n| `--yes` | | Assume yes on all yes/no questions or use the default on all others. |\n\n" }, { "path": "docs/commands/grep.md", "content": "# `grep` command\n\nThe `grep` command works like the Unix `grep` tool. It decrypts all secrets\nand performs a substring or regexp match on the given pattern.\n\n## Synopsis\n\n```\n$ gopass grep foobar\n```\n\n## Modes of operations\n\n* Search for the given pattern in all secrets\n\n## Flags\n\nNone.\nFlag | Aliases | Description\n---- | ------- | -----------\n`--regexp` | | Parse the pattern as a RE2 regular expression.\n" }, { "path": "docs/commands/history.md", "content": "# `history` command\n\nThe `gopass history` command will show all revisions of a given secret.\n\n## Synopsis\n\n```\n$ gopass history entry\n```\n\n## Modes of operation\n\n* Display all revisions of the given secret.\n\n## Flags\n\nNone.\n" }, { "path": "docs/commands/init.md", "content": "# `init` command\n\nThe `init` command is used to initialize a new password store.\nIf no recipients are specified a useable existing private key is used.\n\nThe `init` command must be used to initilize new mounts. `gopass mounts add` only supports adding existing mounts.\n\nNote: We do not support adding recipients using `init`. Please use `gopass recipients add` for that!\n\n## Synopsis\n\n```\n$ gopass init\n$ gopass init --crypto [age|gpg] --storage=[fs|gitfs]\n```\n\n## Flags\n\n| Flag | Aliases | Description |\n|-------------|---------|-------------------------------------------------------------------------------------------------------------|\n| `--path` | `-p` | Initialize the (sub) store in this location. |\n| `--store` | `-s` | Mount the newly initialized sub-store at this mount point |\n| `--crypto` | | Select the crypto backend. Choose one of: `gpgcli`, `age`, `xc` (deprecated) or `plain`. Default: `gpgcli` |\n| `--storage` | | Select the storage and RCS backend. Choose one of: `gitfs`, `fs`. Default: `gitfs` |\n\nSee [backends.md](../backends.md) for more information on the available backends.\n" }, { "path": "docs/commands/insert.md", "content": "# `insert` command\n\nThe `insert` command is used to manually set (insert, or change) a password in the store. It applies to either new or existing secrets.\n\n## Synopsis\n\n```\n$ gopass insert entry\n$ gopass insert entry key\n```\n\n## Modes of operation\n\n* Create a new entry with a user-supplied password, e.g. a new site with a user-generated password or one picked from `gopass pwgen`: `gopass insert entry`\n* Change an existing entry to a user-supplied password\n* Create and change any field of a new or existing secret: `gopass insert entry key`\n* Read data from STDIN and insert (or append) to a secret\n\nInsert is similar in effect to `gopass edit` with the advantage of not displaying any content of the secret when changing a key.\n\nNote: `insert` will not change anything but the `Password` field (using the `insert entry` invocation) or the specified key (using the `insert entry key` invocation).\n\n## Flags\n\n| Flag | Aliases | Description |\n|---------------|---------|------------------------------------------------------------------------------------------------------------------------|\n| `--echo` | `-e` | Display the secret while typing (default: `false`) |\n| `--multiline` | `-m` | Insert using `$EDITOR` (default: `false`). This identical to running `gopass edit entry`. All other flags are ignored. |\n| `--force` | `-f` | Overwrite any existing value and do not prompt. (default: `false`) |\n| `--append` | `-a` | Append to any existing data. Only applies if reading from STDIN. (default: `false`) |\n" }, { "path": "docs/commands/link.md", "content": "# `link` command\n\nThe `link` (or `ln`) command is used to create a symlink from one secret in a\nstore to a target in the same store.\n\nNote: Symlinks across different stores / mounts are currently not supported!\n\nNote: `audit` and `list` do not recognize symlinks, yet. They will treat\nsymlinks as regular (different) entries.\n\n## Synopsis\n\n```\n$ gopass ln foo/bar bar/baz\n$ gopass show foo/bar\n$ gopass show bar/baz\n```\n\n## Modes of operations\n\n* Create a symlink from an existing secret to a new name, the target must not exist, yet\n\nNote: Use `gopass rm` to remove a symlink.\n\n## Flags\n\nNone.\n\n" }, { "path": "docs/commands/list.md", "content": "# `list` command\n\nThe `list` command is used to list all the entries in the password store or at a given prefix.\n\n## Synopsis\n\n```bash\ngopass ls\ngopass ls path/to/entries\n```\n\n- List all the entries in the password store including the one in mounted stores: `gopass list`\n- List all the entries in a given folder showing their relative path from the root: `gopass list path/to/entries`\n\nNote: `list` will not change anything, nor encrypt or decrypt anything.\n\n## Flags\n\n| Flag | Aliases | Description |\n|------------------|------------|-----------------------------------------------------|\n| `--limit value` | `-l value` | Max tree depth (default: -1) |\n| `--flat` | `-f` | Print a flat list of secrets (default: false) |\n| `--folders` | `-d` | Print a flat list of folders (default: false) |\n| `--strip-prefix` | `-s` | Strip prefix from filtered entries (default: false) |\n\nThe `--flat` and `--folders` flags provide a plaintext list of the entries located at\nthe given prefix (default prefix being the root `/`). They are notably used to produce the\ncompletion results.\nThe `--flat` one will list all entries, one per line, using its full path.\nThe `--folders` one will display all the folders, one per line, recursively per level.\nFor instance an entry `folder/sub/entry` would cause it to list both:\n\n```bash\n$ gopass list --folders\nfolder\nfolder/sub\n```\n\nwhereas `gopass list --flat` would have just displayed one line: `folder/sub/entry`.\n\nThe `--strip-prefix` flag is meant to be used along with `--flat` or `--folders`.\nIt will list the relative path from the current prefix, removing the said prefix,\ninstead of listing the relative paths from the root.\nFor instance on entry `folder/sub/entry`, running `gopass ls -f -s folder` would display\n only `sub/entry` instead of `folder/sub/entry`.\n\nThe `--limit` flag starts counting its depth from the root store, which means that\na depth of 0 only lists the items in the root gopass store:\n\n```bash\n$ gopass list -l 0\ngopass\nā”œā”€ā”€ bar/\nā”œā”€ā”€ foo/\nā””ā”€ā”€ test (/home/user/.local/share/gopass/stores/substore1)\n```\n\nA value of 1 would list all the items in the root, plus their sub-items but no more:\n\n```bash\n$ gopass list -l 1\ngopass\nā”œā”€ā”€ bar/\nā”‚ ā””ā”€ā”€ bar\nā”œā”€ā”€ foo/\nā”‚ ā”œā”€ā”€ bar\nā”‚ ā””ā”€ā”€ foo\nā””ā”€ā”€ test (/home/user/.local/share/gopass/stores/substore1)\n ā””ā”€ā”€ foo\n```\n\nA negative value lists all the items without any depth limit.\n\n```bash\n$ gopass list -l -1\ngopass\nā”œā”€ā”€ bar/\nā”‚ ā””ā”€ā”€ bar\nā”œā”€ā”€ foo/\nā”‚ ā”œā”€ā”€ bar/\nā”‚ ā”‚ ā”œā”€ā”€ bar/\nā”‚ ā”‚ ā”‚ ā””ā”€ā”€ bar\nā”‚ ā”‚ ā””ā”€ā”€ baz\nā”‚ ā””ā”€ā”€ foo\nā””ā”€ā”€ test (/home/user/.local/share/gopass/stores/substore1)\n ā””ā”€ā”€ foo\n```\n\nThe flags can be used together: `gopass -l 1 -d` will list only the folders up to a depth of 1:\n\n```bash\n$ gopass list -l 1 -d\nbar/\nfoo/\nfoo/bar/\ntest/\ntest/foo/\n```\n\n## Shadowing\n\nIt is possible to have a path that is both an entry and a folder. In that case the list command\nwill display the folder with a marker of `(shadowed)`, it can still be accessed using\n`gopass show path/to/it`, while the content of the folder can be listed using `gopass list path/to/it`.\n\nIt should also be noted that the `mount` command can completely \"shadow\" an entry in a password store,\nsimply by having the same name and this entry and its subentries will not be visible\nusing `ls` anymore until the substore is unmounted.\nThe entries shadowed by a mount will not show up in a search and cannot be accessed at all without unmounting.\n\nFor instance in our example above, maybe there is an entry test/zaz in the root store,\nbut since the substore is mounted as `test/`, it only displays the content of the substore.\nUnmounting it reveals its shadowed entries:\n\n```bash\n$ gopass list test\ntest/ \nā””ā”€ā”€ foo\n$ gopass mounts rm test\n$ gopass list test\ntest/ \nā””ā”€ā”€ zaz\n```\n" }, { "path": "docs/commands/mounts.md", "content": "# `mounts` commands\n\nThe `mounts` commands allow managing mounted substores. This is one of the\ndistinctive core features of `gopass` and we aim making working with substores\nas seamless as possible.\n\nInstead of support for encrypting different parts of a store for different\nrecipients we instead encourage users to mount different stores - each\nencrypted to a uniform set of recipients - into a semless virtual tree structure.\n\nThis feature is modeled after standard POSIX mount semantics.\n\n## Synopsis\n\n```\n$ gopass mounts\n$ gopass mounts add mount/point /path/to/store\n$ gopass mounts remove mount/point\n```\n\n## Modes of operation\n\n* Add a new mount\n* List existing mounts\n* Remove an existing mount\n\n## Creating new mounts\n\nYou can also create new mounts using `init` even if your store is already initialized:\n\n```\ngopass init --store mynewsubstore pgpkeyidentitfier\n```\n\n(You can also specify a specific local path using `--path`, just make sure to keep your PGP key identifier, e.g. its email or fingerprint, as the last argument.)\n" }, { "path": "docs/commands/move.md", "content": "# `move` command\n\nNote: The implementations for `copy` and `move` are exactly the same. The only difference is that `move` will remove the source after a successful copy.\n\nThe `move` command works like the Unix `mv` or `rsync` binaries. It allows moving either single entries or whole folders around. Moving across mounts is supported.\n\nIf the source is a directory, the source directory is re-created at the destination if no trailing slash is found. Otherwise the contained secrets are placed into the destination directory (similar to what `rsync` does).\n\nPlease note that `move` will always decrypt the source and re-encrypt at the destination.\n\nMoving a secret onto itself is a no-op.\n\n## Synopsis\n\n```\n# Overwrite new/leaf\n$ gopass move path/to/leaf new/leaf\n# Move the content of path/to/somedir to new/dir/somedir\n$ gopass move path/to/somedirdir new/dir\n# Does nothing\n$ gopass move entry entry\n```\n\n## Modes of operation\n\n* Move a single secret from source to destination\n* Move a folder of secrets, possibly with sub folders, from source to destination\n\n## Flags\n\n| Flag | Aliases | Description |\n|-----------|---------|------------------------------------------------|\n| `--force` | `-f` | Overwrite existing destination without asking. |\n\n## Details\n\n* To simplify the implementation and support multiple backends a `copy` or `move` operation will always decrypt and re-encrypt all affected secrets. Even if moving encrypted files around might be possible.\n* You can move a secret to another secret, i.e. overwrite the destination. But `gopass` won't let you move a directory over a file. In that case you have to delete the destination first.\n\n" }, { "path": "docs/commands/otp.md", "content": "# `otp` command\n\nThe `otp` command generates TOTP tokens from an OTP URL (`otpauth://`).\nThe command tries to parse the password and the totp fields as an OTP URI.\n\nNote: HTOP is supported, but requires a `counter` field to keep track of it.\n\nNote: If `show.safecontent` is enabled, OTP URIs are hidden from the `show` command,\nsee the [docs for show](show.md#parsing-and-secrets) to learn more about it.\n\n## Modes of operation\n\n* Generate the current TOTP token from a valid OTP URL\n* Snip the screen to add a TOTP QR code as an OTP field to an entry.\n\n## Flags\n\n| Flag | Aliases | Description |\n|--------------|---------|--------------------------------------------------------------------------|\n| `--clip` | `-c` | Copy the time-based token into the clipboard. |\n| `--alsoclip` | `-C` | Copy the time-based token into the clipboard and show it. |\n| `--qr` | `-q` | Write QR code to file. |\n| `--chained` | `-p` | chain the token to the password |\n| `--password` | `-o` | Only display the token. For use in scripts. |\n| `--snip` | `-s` | Try and find a QR code in the screen content to add as OTP to the entry. |\n\n## Supported formats\n\nYour secret needs to either contain a `otpauth`, `hotp` or a `totp` field.\nWhen using the OTP code directly you can simply add it to a secret using\n`gopass insert your/entry totp`.\n\nThe `otp` command also tries to parse the body of your secret to try and find a line starting\nby `otpauth://` in case you're not using the key-value format for your secret.\n\nFinally, if your secret contains nothing but a password on the first line, the `otp` command\nwill try and use that password to generate an OTP code. This allows use-cases where you\nstore your password in a given entry and your OTP code in another dedicated entry.\n\nThe otpauth URIs are typically communicated through a QR code which can be read on Linux using\nthe `gopass otp -s your/entry` flag. It should also work if they are added using\n`gopass insert your/entry otpauth`, but won't work if you add them under the `totp`\nor `hotp` keys.\n\nSteam OTP is supported, but requires using the `otpauth` URI input to specify the\nencoder, e.g. `otpauth://totp/username%20steam:username?secret=qlt6vmy6svfx4bt4rpmisaiyol6hihca&period=30&digits=5&issuer=username%20steam&encoder=steam`.\n" }, { "path": "docs/commands/process.md", "content": "# `process` command\n\nThe `process` command extends the `gopass` templating to support user-supplied\ntemplate files that will be processed. These templates can access the users\ncredentials with the template functions documented below. That way users can\nstore their full configuration files publicly accessible and have any of the\nrecipients automatically populate it to generate a complete configuration file\non the fly.\n\n`gopass process` writes the result to `STDOUT`. You'll likely want to redirect\nit to a file.\n\n## Synopsis\n\n```\n$ gopass process