Repository: gopasspw/gopass
Branch: master
Commit: 1890055b9457
Files: 634
Total size: 19.8 MB

Directory structure:
gitextract_yjed1ue5/
├── .capabilities.json
├── .codeclimate.yml
├── .codecov.yml
├── .errcheck.excl
├── .gemini/
│   └── settings.json
├── .gitattributes
├── .github/
│   ├── FUNDING.yml
│   ├── ISSUE_TEMPLATE.md
│   ├── copilot-instructions.md
│   ├── dependabot.yml
│   ├── stale.yml
│   └── workflows/
│       ├── autorelease.yml
│       ├── build.yml
│       ├── codeql-analysis.yml
│       ├── container.yml
│       ├── golangci-lint.yml
│       ├── grype.yml
│       └── scorecard.yml
├── .gitignore
├── .golangci.yml
├── .goreleaser.yml
├── .license-lint.yml
├── .revive.toml
├── AGENTS.md
├── ARCHITECTURE.md
├── CHANGELOG.md
├── CONTRIBUTING.md
├── Dockerfile
├── GOVERNANCE.md
├── LICENSE
├── Makefile
├── README.md
├── VERSION
├── bash.completion
├── docs/
│   ├── backends/
│   │   ├── age.md
│   │   ├── cryptfs.md
│   │   ├── fossilfs.md
│   │   ├── fs.md
│   │   ├── gitfs.md
│   │   ├── gpg.md
│   │   └── jjfs.md
│   ├── backends.md
│   ├── commands/
│   │   ├── audit.md
│   │   ├── cat.md
│   │   ├── clone.md
│   │   ├── config.md
│   │   ├── convert.md
│   │   ├── create.md
│   │   ├── delete.md
│   │   ├── edit.md
│   │   ├── env.md
│   │   ├── find.md
│   │   ├── fsck.md
│   │   ├── fscopy.md
│   │   ├── fsmove.md
│   │   ├── generate.md
│   │   ├── gopass.md
│   │   ├── grep.md
│   │   ├── history.md
│   │   ├── init.md
│   │   ├── insert.md
│   │   ├── link.md
│   │   ├── list.md
│   │   ├── mounts.md
│   │   ├── move.md
│   │   ├── otp.md
│   │   ├── process.md
│   │   ├── pwgen.md
│   │   ├── recipients.md
│   │   ├── show.md
│   │   ├── sync.md
│   │   ├── templates.md
│   │   └── update.md
│   ├── components.dot
│   ├── config.md
│   ├── entropy.md
│   ├── faq.md
│   ├── features.md
│   ├── hacking.md
│   ├── hooks.md
│   ├── releases.md
│   ├── secrets.md
│   ├── security.md
│   ├── setup.md
│   └── usecases/
│       ├── gpaste.md
│       ├── multi-store.md
│       ├── readonly-store.md
│       ├── secure-otp/
│       │   ├── sign-in.puml
│       │   └── sign-up.puml
│       └── secure-otp.md
├── fish.completion
├── go.mod
├── go.sum
├── gopass.1
├── helpers/
│   ├── changelog/
│   │   ├── main.go
│   │   └── main_test.go
│   ├── gitutils/
│   │   └── gitutils.go
│   ├── man/
│   │   ├── main.go
│   │   └── main_test.go
│   ├── modinfo/
│   │   └── main.go
│   ├── msipkg/
│   │   └── main.go
│   ├── postrel/
│   │   ├── main.go
│   │   └── main_test.go
│   ├── proxy/
│   │   ├── Dockerfile.debian
│   │   ├── README-3111.md
│   │   ├── apt.debughttp
│   │   ├── gopass.sources
│   │   └── main.go
│   └── release/
│       ├── main.go
│       └── main_test.go
├── internal/
│   ├── action/
│   │   ├── action.go
│   │   ├── action_test.go
│   │   ├── aliases.go
│   │   ├── aliases_test.go
│   │   ├── audit.go
│   │   ├── audit_test.go
│   │   ├── binary.go
│   │   ├── binary_test.go
│   │   ├── clihelper.go
│   │   ├── clihelper_test.go
│   │   ├── clone.go
│   │   ├── clone_test.go
│   │   ├── commands.go
│   │   ├── commands_test.go
│   │   ├── completion.go
│   │   ├── completion_test.go
│   │   ├── config.go
│   │   ├── config_test.go
│   │   ├── context.go
│   │   ├── context_test.go
│   │   ├── convert.go
│   │   ├── convert_test.go
│   │   ├── copy.go
│   │   ├── copy_test.go
│   │   ├── create.go
│   │   ├── create_test.go
│   │   ├── delete.go
│   │   ├── delete_test.go
│   │   ├── doc.go
│   │   ├── edit.go
│   │   ├── edit_test.go
│   │   ├── env.go
│   │   ├── env_test.go
│   │   ├── exit/
│   │   │   ├── errors.go
│   │   │   └── errors_test.go
│   │   ├── find.go
│   │   ├── find_test.go
│   │   ├── fsck.go
│   │   ├── fsck_test.go
│   │   ├── generate.go
│   │   ├── generate_test.go
│   │   ├── git.go
│   │   ├── grep.go
│   │   ├── grep_test.go
│   │   ├── history.go
│   │   ├── history_test.go
│   │   ├── init.go
│   │   ├── init_test.go
│   │   ├── insert.go
│   │   ├── insert_test.go
│   │   ├── link.go
│   │   ├── link_test.go
│   │   ├── list.go
│   │   ├── list_test.go
│   │   ├── merge.go
│   │   ├── merge_test.go
│   │   ├── mount.go
│   │   ├── mount_test.go
│   │   ├── move.go
│   │   ├── move_test.go
│   │   ├── otp.go
│   │   ├── otp_test.go
│   │   ├── process.go
│   │   ├── process_test.go
│   │   ├── pwgen/
│   │   │   ├── commands.go
│   │   │   ├── commands_test.go
│   │   │   ├── pwgen.go
│   │   │   └── pwgen_test.go
│   │   ├── rcs.go
│   │   ├── rcs_test.go
│   │   ├── recipients.go
│   │   ├── recipients_test.go
│   │   ├── reminder.go
│   │   ├── reorg.go
│   │   ├── reorg_test.go
│   │   ├── repl.go
│   │   ├── repl_test.go
│   │   ├── setup.go
│   │   ├── setup_test.go
│   │   ├── show.go
│   │   ├── show_test.go
│   │   ├── sync.go
│   │   ├── sync_test.go
│   │   ├── templates.go
│   │   ├── templates_test.go
│   │   ├── unclip.go
│   │   ├── unclip_test.go
│   │   ├── update.go
│   │   ├── update_test.go
│   │   ├── version.go
│   │   └── version_test.go
│   ├── audit/
│   │   ├── audit.go
│   │   ├── audit_test.go
│   │   ├── excludes.go
│   │   ├── excludes_test.go
│   │   ├── output.go
│   │   ├── output_test.go
│   │   ├── report.go
│   │   ├── report_test.go
│   │   └── single.go
│   ├── backend/
│   │   ├── context.go
│   │   ├── context_test.go
│   │   ├── crypto/
│   │   │   ├── age/
│   │   │   │   ├── age.go
│   │   │   │   ├── age_test.go
│   │   │   │   ├── agent/
│   │   │   │   │   ├── agent.go
│   │   │   │   │   ├── agent_test.go
│   │   │   │   │   ├── client.go
│   │   │   │   │   ├── client_unix.go
│   │   │   │   │   └── client_windows.go
│   │   │   │   ├── agent_starter_unix.go
│   │   │   │   ├── agent_starter_windows.go
│   │   │   │   ├── askpass.go
│   │   │   │   ├── clientUI.go
│   │   │   │   ├── commands.go
│   │   │   │   ├── context.go
│   │   │   │   ├── context_test.go
│   │   │   │   ├── decrypt.go
│   │   │   │   ├── encrypt.go
│   │   │   │   ├── encrypt_test.go
│   │   │   │   ├── identities.go
│   │   │   │   ├── identities_test.go
│   │   │   │   ├── keyring.go
│   │   │   │   ├── loader.go
│   │   │   │   ├── loader_test.go
│   │   │   │   ├── recipients.go
│   │   │   │   ├── recipients_test.go
│   │   │   │   ├── ssh.go
│   │   │   │   └── unsupported.go
│   │   │   ├── age.go
│   │   │   ├── doc.go
│   │   │   ├── gpg/
│   │   │   │   ├── cli/
│   │   │   │   │   ├── decrypt.go
│   │   │   │   │   ├── encrypt.go
│   │   │   │   │   ├── encrypt_test.go
│   │   │   │   │   ├── generate.go
│   │   │   │   │   ├── gpg.go
│   │   │   │   │   ├── gpg_others_test.go
│   │   │   │   │   ├── gpg_test.go
│   │   │   │   │   ├── gpg_windows_test.go
│   │   │   │   │   ├── identities.go
│   │   │   │   │   ├── keyring.go
│   │   │   │   │   ├── keyring_test.go
│   │   │   │   │   ├── loader.go
│   │   │   │   │   ├── recipients.go
│   │   │   │   │   ├── recipients_test.go
│   │   │   │   │   └── version.go
│   │   │   │   ├── colons/
│   │   │   │   │   ├── parse_colons.go
│   │   │   │   │   ├── parse_colons_test.go
│   │   │   │   │   ├── parse_fuzz.go
│   │   │   │   │   └── utils.go
│   │   │   │   ├── context.go
│   │   │   │   ├── context_test.go
│   │   │   │   ├── doc.go
│   │   │   │   ├── gpgconf/
│   │   │   │   │   ├── binary.go
│   │   │   │   │   ├── binary_others.go
│   │   │   │   │   ├── binary_windows.go
│   │   │   │   │   ├── binary_windows_test.go
│   │   │   │   │   ├── gpgconf.go
│   │   │   │   │   ├── utils.go
│   │   │   │   │   ├── utils_linux.go
│   │   │   │   │   ├── utils_linux_test.go
│   │   │   │   │   ├── utils_others.go
│   │   │   │   │   ├── utils_test.go
│   │   │   │   │   ├── utils_windows.go
│   │   │   │   │   ├── version.go
│   │   │   │   │   └── version_test.go
│   │   │   │   ├── identity.go
│   │   │   │   ├── identity_test.go
│   │   │   │   ├── key.go
│   │   │   │   ├── key_list.go
│   │   │   │   ├── key_list_test.go
│   │   │   │   └── key_test.go
│   │   │   ├── gpgcli.go
│   │   │   ├── plain/
│   │   │   │   ├── backend.go
│   │   │   │   ├── backend_test.go
│   │   │   │   └── loader.go
│   │   │   └── plain.go
│   │   ├── crypto.go
│   │   ├── crypto_test.go
│   │   ├── doc.go
│   │   ├── rcs.go
│   │   ├── rcs_test.go
│   │   ├── registry.go
│   │   ├── registry_test.go
│   │   ├── storage/
│   │   │   ├── cryptfs/
│   │   │   │   ├── crypt.go
│   │   │   │   ├── crypt_test.go
│   │   │   │   └── loader.go
│   │   │   ├── cryptfs.go
│   │   │   ├── doc.go
│   │   │   ├── fossilfs/
│   │   │   │   ├── context.go
│   │   │   │   ├── context_test.go
│   │   │   │   ├── fossil.go
│   │   │   │   ├── fossil_test.go
│   │   │   │   ├── loader.go
│   │   │   │   ├── loader_test.go
│   │   │   │   ├── settings.go
│   │   │   │   ├── status.go
│   │   │   │   ├── storage.go
│   │   │   │   └── storage_test.go
│   │   │   ├── fossilfs.go
│   │   │   ├── fs/
│   │   │   │   ├── fsck.go
│   │   │   │   ├── fsck_test.go
│   │   │   │   ├── link.go
│   │   │   │   ├── link_test.go
│   │   │   │   ├── loader.go
│   │   │   │   ├── rcs.go
│   │   │   │   ├── rcs_test.go
│   │   │   │   ├── store.go
│   │   │   │   ├── store_others.go
│   │   │   │   ├── store_test.go
│   │   │   │   ├── store_windows.go
│   │   │   │   ├── walk.go
│   │   │   │   └── walk_test.go
│   │   │   ├── fs.go
│   │   │   ├── gitfs/
│   │   │   │   ├── commands.go
│   │   │   │   ├── config.go
│   │   │   │   ├── config_test.go
│   │   │   │   ├── git.go
│   │   │   │   ├── git_test.go
│   │   │   │   ├── loader.go
│   │   │   │   ├── ssh_darwin.go
│   │   │   │   ├── ssh_others.go
│   │   │   │   ├── ssh_windows.go
│   │   │   │   └── storage.go
│   │   │   ├── gitfs.go
│   │   │   ├── jjfs/
│   │   │   │   ├── jj.go
│   │   │   │   └── loader.go
│   │   │   └── jjfs.go
│   │   ├── storage.go
│   │   └── storage_test.go
│   ├── cache/
│   │   ├── disk.go
│   │   ├── disk_test.go
│   │   ├── ghssh/
│   │   │   ├── cache.go
│   │   │   ├── cache_test.go
│   │   │   ├── github.go
│   │   │   └── github_test.go
│   │   ├── inmem.go
│   │   └── inmem_test.go
│   ├── completion/
│   │   ├── fish/
│   │   │   ├── completion.go
│   │   │   ├── completion_escaping_test.go
│   │   │   ├── completion_test.go
│   │   │   └── template.go
│   │   └── zsh/
│   │       ├── completion.go
│   │       ├── completion_escaping_test.go
│   │       ├── completion_test.go
│   │       └── template.go
│   ├── config/
│   │   ├── config.go
│   │   ├── config_test.go
│   │   ├── config_windows.go
│   │   ├── context.go
│   │   ├── docs_test.go
│   │   ├── legacy/
│   │   │   ├── config.go
│   │   │   ├── config_test.go
│   │   │   ├── io.go
│   │   │   ├── io_test.go
│   │   │   ├── legacy.go
│   │   │   ├── location.go
│   │   │   └── location_xdg_test.go
│   │   ├── legacy.go
│   │   ├── location.go
│   │   ├── location_test.go
│   │   ├── location_xdg_test.go
│   │   ├── utils.go
│   │   └── utils_test.go
│   ├── create/
│   │   ├── helpers.go
│   │   ├── helpers_test.go
│   │   ├── templates.go
│   │   ├── wizard.go
│   │   └── wizard_test.go
│   ├── cui/
│   │   ├── actions.go
│   │   ├── actions_test.go
│   │   ├── cui.go
│   │   ├── cui_test.go
│   │   ├── recipients.go
│   │   └── recipients_test.go
│   ├── diff/
│   │   ├── diff.go
│   │   └── diff_test.go
│   ├── editor/
│   │   ├── edit_linux.go
│   │   ├── edit_others.go
│   │   ├── edit_others_test.go
│   │   ├── edit_test.go
│   │   ├── edit_windows.go
│   │   ├── edit_windows_test.go
│   │   └── editor.go
│   ├── env/
│   │   ├── doc.go
│   │   ├── env_darwin.go
│   │   └── env_others.go
│   ├── hashsum/
│   │   ├── hashsums.go
│   │   └── hashsums_test.go
│   ├── hook/
│   │   └── hook.go
│   ├── notify/
│   │   ├── doc.go
│   │   ├── icon.go
│   │   ├── notify_darwin.go
│   │   ├── notify_darwin_test.go
│   │   ├── notify_dbus.go
│   │   ├── notify_others.go
│   │   ├── notify_test.go
│   │   └── notify_windows.go
│   ├── out/
│   │   ├── context.go
│   │   ├── context_test.go
│   │   ├── print.go
│   │   └── print_test.go
│   ├── pwschemes/
│   │   ├── argon2i/
│   │   │   ├── argon2i.go
│   │   │   └── argon2i_test.go
│   │   ├── argon2id/
│   │   │   ├── argon2id.go
│   │   │   └── argon2id_test.go
│   │   └── bcrypt/
│   │       ├── bcrypt.go
│   │       └── bcrypt_test.go
│   ├── queue/
│   │   ├── background.go
│   │   └── background_test.go
│   ├── recipients/
│   │   ├── recipients.go
│   │   └── recipients_test.go
│   ├── reminder/
│   │   ├── reminder.go
│   │   └── reminder_test.go
│   ├── store/
│   │   ├── err.go
│   │   ├── leaf/
│   │   │   ├── context.go
│   │   │   ├── context_test.go
│   │   │   ├── convert.go
│   │   │   ├── crypto.go
│   │   │   ├── crypto_test.go
│   │   │   ├── fsck.go
│   │   │   ├── fsck_test.go
│   │   │   ├── init.go
│   │   │   ├── init_test.go
│   │   │   ├── link.go
│   │   │   ├── link_test.go
│   │   │   ├── list.go
│   │   │   ├── list_test.go
│   │   │   ├── move.go
│   │   │   ├── move_test.go
│   │   │   ├── rcs.go
│   │   │   ├── rcs_test.go
│   │   │   ├── read.go
│   │   │   ├── recipients.go
│   │   │   ├── recipients_test.go
│   │   │   ├── reencrypt.go
│   │   │   ├── storage.go
│   │   │   ├── store.go
│   │   │   ├── store_test.go
│   │   │   ├── templates.go
│   │   │   ├── templates_test.go
│   │   │   ├── write.go
│   │   │   └── write_test.go
│   │   ├── mockstore/
│   │   │   ├── inmem/
│   │   │   │   └── store.go
│   │   │   ├── store.go
│   │   │   └── store_test.go
│   │   ├── root/
│   │   │   ├── convert.go
│   │   │   ├── crypto.go
│   │   │   ├── crypto_test.go
│   │   │   ├── errors.go
│   │   │   ├── fsck.go
│   │   │   ├── fsck_test.go
│   │   │   ├── init.go
│   │   │   ├── init_test.go
│   │   │   ├── link.go
│   │   │   ├── list.go
│   │   │   ├── list_test.go
│   │   │   ├── mount.go
│   │   │   ├── mount_test.go
│   │   │   ├── move.go
│   │   │   ├── move_test.go
│   │   │   ├── rcs.go
│   │   │   ├── rcs_test.go
│   │   │   ├── read.go
│   │   │   ├── read_test.go
│   │   │   ├── recipients.go
│   │   │   ├── recipients_test.go
│   │   │   ├── store.go
│   │   │   ├── store_test.go
│   │   │   ├── templates.go
│   │   │   ├── templates_test.go
│   │   │   ├── write.go
│   │   │   └── write_test.go
│   │   ├── sort.go
│   │   ├── sort_test.go
│   │   └── store.go
│   ├── tpl/
│   │   ├── funcs.go
│   │   ├── funcs_test.go
│   │   ├── template.go
│   │   └── template_test.go
│   ├── tree/
│   │   ├── node.go
│   │   ├── node_test.go
│   │   ├── root.go
│   │   ├── root_test.go
│   │   ├── tree.go
│   │   └── tree_test.go
│   └── updater/
│       ├── README.md
│       ├── access_others.go
│       ├── access_windows.go
│       ├── download.go
│       ├── extract.go
│       ├── extract_test.go
│       ├── github.go
│       ├── github_test.go
│       ├── update.go
│       ├── update_test.go
│       ├── updateable.go
│       ├── verify.go
│       └── verify_test.go
├── main.go
├── main_test.go
├── main_unix.go
├── pkg/
│   ├── appdir/
│   │   ├── appdir.go
│   │   ├── appdir_test.go
│   │   ├── appdir_windows.go
│   │   ├── appdir_xdg.go
│   │   ├── appdir_xdg_test.go
│   │   ├── runtime_windows.go
│   │   └── runtime_xdg.go
│   ├── clipboard/
│   │   ├── clipboard.go
│   │   ├── clipboard_others.go
│   │   ├── clipboard_test.go
│   │   ├── clipboard_windows.go
│   │   ├── copy_darwin.go
│   │   ├── copy_others.go
│   │   ├── kill_others.go
│   │   ├── kill_ps.go
│   │   ├── unclip.go
│   │   ├── unclip_linux.go
│   │   ├── unclip_others.go
│   │   └── unclip_test.go
│   ├── ctxutil/
│   │   ├── ctxutil.go
│   │   ├── ctxutil_test.go
│   │   └── helper.go
│   ├── debug/
│   │   ├── debug.go
│   │   ├── debug_test.go
│   │   ├── doc.go
│   │   ├── version.go
│   │   └── version_test.go
│   ├── fsutil/
│   │   ├── fsutil.go
│   │   ├── fsutil_test.go
│   │   ├── umask.go
│   │   └── umask_test.go
│   ├── otp/
│   │   ├── otp.go
│   │   ├── otp_test.go
│   │   ├── screenshot_others.go
│   │   └── screenshot_supported.go
│   ├── passkey/
│   │   ├── passkey.go
│   │   └── passkey_test.go
│   ├── pinentry/
│   │   └── cli/
│   │       ├── fallback.go
│   │       └── fallback_test.go
│   ├── protect/
│   │   ├── protect.go
│   │   ├── protect_openbsd.go
│   │   └── protect_test.go
│   ├── pwgen/
│   │   ├── cryptic.go
│   │   ├── cryptic_test.go
│   │   ├── external.go
│   │   ├── memorable.go
│   │   ├── pwgen.go
│   │   ├── pwgen_others_test.go
│   │   ├── pwgen_test.go
│   │   ├── pwgen_windows_test.go
│   │   ├── pwrules/
│   │   │   ├── aliases.go
│   │   │   ├── aliases_test.go
│   │   │   ├── change.go
│   │   │   ├── change_test.go
│   │   │   ├── gen.go
│   │   │   ├── pwrules.go
│   │   │   ├── pwrules_gen.go
│   │   │   └── pwrules_test.go
│   │   ├── rand.go
│   │   ├── validate.go
│   │   ├── validate_test.go
│   │   ├── wordlist.go
│   │   └── xkcdgen/
│   │       ├── pwgen.go
│   │       └── pwgen_test.go
│   ├── qrcon/
│   │   ├── qrcon.go
│   │   └── qrcon_test.go
│   ├── set/
│   │   ├── filter.go
│   │   ├── filter_test.go
│   │   ├── map.go
│   │   ├── map_test.go
│   │   ├── set.go
│   │   ├── set_test.go
│   │   ├── sorted.go
│   │   └── sorted_test.go
│   ├── tempfile/
│   │   ├── file.go
│   │   ├── file_test.go
│   │   ├── mount_darwin.go
│   │   ├── mount_linux.go
│   │   └── mount_others.go
│   └── termio/
│       ├── ask.go
│       ├── ask_test.go
│       ├── context.go
│       ├── context_test.go
│       ├── identity.go
│       ├── identity_test.go
│       ├── progress.go
│       ├── progress_test.go
│       ├── promptpass_others.go
│       ├── promptpass_test.go
│       ├── promptpass_windows.go
│       ├── reader.go
│       └── reader_test.go
├── tests/
│   ├── age_agent_test.go
│   ├── audit_test.go
│   ├── binary_test.go
│   ├── can/
│   │   ├── can.go
│   │   ├── can_test.go
│   │   └── gnupg/
│   │       ├── pubring.gpg
│   │       ├── random_seed
│   │       ├── secring.gpg
│   │       └── trustdb.gpg
│   ├── completion_test.go
│   ├── config_test.go
│   ├── copy_test.go
│   ├── delete_test.go
│   ├── find_test.go
│   ├── generate_test.go
│   ├── gptest/
│   │   ├── gunit.go
│   │   ├── unit.go
│   │   └── utils.go
│   ├── grep_test.go
│   ├── init_test.go
│   ├── insert_test.go
│   ├── list_test.go
│   ├── mount_test.go
│   ├── move_test.go
│   ├── show_test.go
│   ├── sync_test.go
│   ├── tester.go
│   ├── uninitialized_test.go
│   └── yaml_test.go
├── version.go
└── zsh.completion

================================================
FILE CONTENTS
================================================

================================================
FILE: .capabilities.json
================================================
[File too large to display: 17.8 MB]

================================================
FILE: .codeclimate.yml
================================================
version: "2"
checks:
  argument-count:
    config:
      threshold: 4
  complex-logic:
    config:
      threshold: 4
  file-lines:
    config:
      threshold: 250
  method-complexity:
    config:
      threshold: 16
  method-count:
    config:
      threshold: 20
  method-lines:
    config:
      threshold: 100
  nested-control-flow:
    config:
      threshold: 4
  return-statements:
    config:
      threshold: 4
plugins:
  gofmt:
    enabled: true
  golint:
    enabled: true
  govet:
    enabled: true
ratings:
  paths:
  - "**.go"
exclude_patterns:
- "vendor/"
- "utils/notify/icon.go"
- "**/*_test.go"

================================================
FILE: .codecov.yml
================================================
coverage:
  range: 40..90
  round: nearest
  precision: 2
  status:
    project:
      default: on
    patch:
      default: off
    changes:
      default: off
ignore:
  - "vendor/"

================================================
FILE: .errcheck.excl
================================================
fmt.Fprintf
fmt.Fprintln
fmt.Fprint

================================================
FILE: .gemini/settings.json
================================================
{
  "contextFileName": "AGENTS.md"
}

================================================
FILE: .gitattributes
================================================
CHANGELOG.md merge=union

================================================
FILE: .github/FUNDING.yml
================================================
github: dominikschulz
patreon: gopass
custom: "https://paypal.me/doschulz"

================================================
FILE: .github/ISSUE_TEMPLATE.md
================================================
---
name: Bug report
about: Create a report to help us improve gopass
---

### Summary

### Steps To Reproduce

### Expected behavior

### Environment

- OS: [e.g. Mac OS X High Sierra, Ubuntu 18.04, Windows 10, ...]
- OS version: [uname -a]
- gopass Version: [gopass version]
- Installation method: [e.g. from source, brew, gopass repo]

### Additional context

================================================
FILE: .github/copilot-instructions.md
================================================
Refer to [AGENTS.md](../AGENTS.md) for detailed instructions on how to set up and use agents with gopass.

================================================
FILE: .github/dependabot.yml
================================================
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 15

================================================
FILE: .github/stale.yml
================================================
# Number of days of inactivity before an issue becomes stale
daysUntilStale: 120
# Number of days of inactivity before a stale issue is closed
daysUntilClose: 60
# Issues with these labels will never be considered stale
exemptLabels:
  - pinned
  - security
# Label to use when marking an issue as stale
staleLabel: wontfix
# Comment to post when marking an issue as stale. Set to `false` to disable
markComment: >
  This issue has been automatically marked as stale because it has not had
  recent activity. It will be closed if no further activity occurs. Thank you
  for your contributions.
# Comment to post when closing a stale issue. Set to `false` to disable
closeComment: false
# Set to true to ignore issues in a milestone (defaults to false)
exemptMilestones: true

================================================
FILE: .github/workflows/autorelease.yml
================================================
# This is a basic workflow to help you get started with Actions

name: release

# Controls when the action will run.
on:
  # Triggers the workflow on push or pull request events but only for the master branch
  push:
    tags:
      - 'v*'

permissions:
  contents: read

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: 'go.mod'
      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      - uses: anchore/sbom-action/download-syft@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0
      # ubuntu is missing wixl https://github.com/actions/virtual-environments/issues/3857
      - name: "Install GNOME msitools (wixl)"
        run: sudo apt update -qq && sudo apt install -qq -y wixl
      - name: Import GPG signing key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
      - name: Debug
        run: |
          echo "GPG ---------------------"
          echo "fingerprint: ${{ steps.import_gpg.outputs.fingerprint }}"
          echo "keyid: ${{ steps.import_gpg.outputs.keyid }}"
          echo "name: ${{ steps.import_gpg.outputs.name }}"
          echo "email: ${{ steps.import_gpg.outputs.email }}"
          echo "Go env ------------------"
          pwd
          echo ${HOME}
          echo ${GITHUB_WORKSPACE}
          echo ${GOPATH}
          echo ${GOROOT}
          env
      - name: Generate release-notes
        run: |
          go run helpers/changelog/main.go >../RELEASE_NOTES
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          version: latest
          args: release --release-notes=../RELEASE_NOTES
        env:
          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
          GOPATH: /home/runner/go
      - name: "Add Windows installer (msi) to release"
        run: |
          # until https://github.com/goreleaser/goreleaser/issues/1295, disabled until #2038 is fixed
          tag="${GITHUB_REF#refs/tags/}"
          version=${tag#v}
          make msi
          msi=dist/gopass-x64-windows-${version}.msi
          gh release upload "${tag}" "${msi}"
        env:
          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
      - name: "Upload deb files to apt hosting"
        run: |
          for D in dist/*.deb; do
            curl -H"X-Filename: ${D}" -H"X-Apikey: ${APIKEY}" -XPOST --data-binary @$D https://packages.gopass.pw/repos/gopass/upload
            curl -H"X-Filename: ${D}" -H"X-Apikey: ${APIKEY}" -XPOST --data-binary @$D https://packages.gopass.pw/repos/gopass-unstable/upload
          done
        env:
          APIKEY: ${{ secrets.APT_APIKEY }}

================================================
FILE: .github/workflows/build.yml
================================================
name: Build gopass

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  linux:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        go: ['1.25']
    name: Go ${{ matrix.go }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            raw.githubusercontent.com:443
            release-assets.githubusercontent.com:443
            storage.googleapis.com:443
            sum.golang.org:443
            golang.org:443
            go.dev:443
            azure.archive.ubuntu.com:443
            archive.ubuntu.com:443
            security.ubuntu.com:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version: ${{ matrix.go }}
      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Ubuntu Dependencies
        run: sudo apt-get install --yes git gnupg
      - run: git config --global user.name nobody
      - run: git config --global user.email foo.bar@example.org
      - name: Debug
        run: |
          echo "Go env ------------------"
          pwd
          echo ${HOME}
          echo ${GITHUB_WORKSPACE}
          echo ${GOPATH}
          echo ${GOROOT}
          env
      - name: Build and Unit Test
        run: make gha-linux
      - name: Integration Test
        run: make test-integration

  container:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: audit
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
        env:
          IMAGE_NAME: ${{ github.repository }}
        with:
          images: ${{ env.IMAGE_NAME }}
      - name: Build container image
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
        with:
          context: .
          push: false
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

  windows:
    runs-on: windows-latest
    defaults:
      run:
        shell: msys2 {0}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: audit
      - uses: msys2/setup-msys2@fb197b72ce45fb24f17bf3f807a388985654d1f2 # v2.29.0
        with:
          release: false
          path-type: inherit
          install: >-
            base-devel
            git
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: 'go.mod'
      - run: git config --global user.name nobody
      - run: git config --global user.email foo.bar@example.org
      - name: Build and Unit Test
        run: make gha-windows

  macos:
    runs-on: macos-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: 'go.mod'
      - run: git config --global user.name nobody
      - run: git config --global user.email foo.bar@example.org
      - name: Build and Unit Test
        run: make gha-osx
        env:
          SLOW_TEST_FACTOR: 100

  dependabot:
    needs: [linux]
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: write
    if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'}}
    steps:
      - id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - run: |
          gh pr review --approve "$PR_URL"
          gh pr merge --squash --auto "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

================================================
FILE: .github/workflows/codeql-analysis.yml
================================================
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"

on:
  push:
    branches:
      - master
  pull_request:
    # The branches below must be a subset of the branches above
    branches:
      - master
  schedule:
    - cron: '19 21 * * 0'

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  analyze:
    permissions:
      actions: read # for github/codeql-action/init to get workflow details
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/autobuild to send a status report
    name: Analyze
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        language: [ 'go' ]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
        # Learn more:
        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            objects.githubusercontent.com:443
            release-assets.githubusercontent.com:443
            proxy.golang.org:443
            raw.githubusercontent.com:443
            storage.googleapis.com:443
            sum.golang.org:443
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v3.29.5
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
          # By default, queries listed here will override any specified in a config file.
          # Prefix the list here with "+" to use these queries and those in the config file.
          # queries: ./path/to/local/query, your-org/your-repo/queries@main

      # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
        uses: github/codeql-action/autobuild@89a39a4e59826350b863aa6b6252a07ad50cf83e # v3.29.5

      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 https://git.io/JvXDl

      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
      #    and modify them (or add more) to build your code if your project
      #    uses a compiled language

      #- run: |
      #   make bootstrap
      #   make release

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v3.29.5

================================================
FILE: .github/workflows/container.yml
================================================
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# GitHub recommends pinning actions to a commit SHA.
# To get a newer version, you will need to update the SHA.
# You can also reference a tag or branch, but the action may change without warning.

name: Create and publish a Docker image

# Controls when the action will run.
on:
  push:
    tags:
      - 'v*'

permissions:
  contents: read

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build-and-push-image:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: audit
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Log in to the Container registry
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
      - name: Build and push Docker image
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

================================================
FILE: .github/workflows/golangci-lint.yml
================================================
name: golangci-lint

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions:
  contents: read
  pull-requests: read

jobs:
  golangci:
    name: lint
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            golangci-lint.run:443
            objects.githubusercontent.com:443
            release-assets.githubusercontent.com:443
            proxy.golang.org:443
            raw.githubusercontent.com:443
            storage.googleapis.com:443
            sum.golang.org:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: 'go.mod'
      - name: golangci-lint
        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
        with:
          # Note: there are 2 different version of golangci-lint used inside the project.
          # https://github.com/gopasspw/gopass/blob/master/.github/workflows/build.yml#L65
          # https://github.com/gopasspw/gopass/blob/master/.github/workflows/golangci-lint.yml#L46
          # https://github.com/gopasspw/gopass/blob/master/Makefile#L136
          version: v2.6.1
          # we have a list of linters in our .golangci.yml config file
          only-new-issues: true

================================================
FILE: .github/workflows/grype.yml
================================================
name: Scan gopass

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  linux:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: 'go.mod'
      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Scan current project
        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
        with:
          path: "."
          fail-build: true
          severity-cutoff: critical

================================================
FILE: .github/workflows/scorecard.yml
================================================
# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.

name: Scorecard supply-chain security
on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: '39 8 * * 2'
  push:
    branches: [ "master" ]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Needed to publish results and get a badge (see publish_results below).
      id-token: write
      # Uncomment the permissions below if installing in a private repository.
      # contents: read
      # actions: read

    steps:
      - name: "Checkout code"
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecard on a *private* repository
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}

          # Public repositories:
          #   - Publish results to OpenSSF REST API for easy access by consumers
          #   - Allows the repository to include the Scorecard badge.
          #   - See https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories:
          #   - `publish_results` will always be set to `false`, regardless
          #     of the value entered here.
          publish_results: true

      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v3.29.5
        with:
          sarif_file: results.sarif

================================================
FILE: .gitignore
================================================
gopass
gopass-*-amd64
gopass-full
dev.sh
!pkg/gopass/
coverage.out
coverage-all.*
.vscode/

# Profiling
*.out

# Compiled Object files, Static and Dynamic libs (Shared Objects)
*.o
*.a
*.so

# Folders
_obj
_test

# Architecture specific extensions/prefixes
*.[568vq]
[568vq].out

*.cgo1.go
*.cgo2.c
_cgo_defun.c
_cgo_gotypes.go
_cgo_export.*

_testmain.go

*.exe
*.test
*.prof

# gopass specific ignores
*.sublime-*
*.swp
/.env

# package files
*.deb
*.pkg.tar.xz
*.rpm
*.tar.bz2
releases/
dist/
manifest-*.json

# go-fuzz
*-fuzz.zip
workdir/
.vscode/
NOTICE.new
debian/

================================================
FILE: .golangci.yml
================================================
version: "2"
output:
  sort-order:
    - linter
    - file
linters:
  enable:
    - asasalint
    - asciicheck
    - bidichk
    - bodyclose
    - containedctx
    - copyloopvar
    - cyclop
    - decorder
    - dogsled
    - errchkjson
    - errname
    - errorlint
    - exhaustive
    - forcetypeassert
    - funlen
    - ginkgolinter
    - gocheckcompilerdirectives
    - gochecksumtype
    - godot
    - goheader
    - gomoddirectives
    - gomodguard
    - goprintffuncname
    - gosmopolitan
    - grouper
    - importas
    - intrange
    - loggercheck
    - makezero
    - mirror
    - misspell
    - nakedret
    - nestif
    - nilnil
    - nlreturn
    - nonamedreturns
    - nosprintfhostport
    - prealloc
    - predeclared
    - promlinter
    - protogetter
    - reassign
    - sloglint
    - spancheck
    - tagalign
    - testableexamples
    - testifylint
    - thelper
    - unconvert
    - usestdlibvars
    - usetesting
    - whitespace
    - zerologlint
  settings:
    cyclop:
      max-complexity: 24
    errcheck:
      exclude-functions:
        - fmt.Fprint
        - fmt.Fprintf
        - fmt.Fprintln
    funlen:
      lines: -1
      statements: 100
    gocyclo:
      min-complexity: 22
    staticcheck:
      checks:
        - all
        - -SA1019
        - -ST1000
  exclusions:
    generated: lax
    rules:
      - linters:
          - cyclop
        path: (.+)_test\.go
      - linters:
          - govet
        path: (.+)_fuzz\.go
    paths:
      - helpers/
      - third_party$
      - builtin$
      - examples$
issues:
  max-issues-per-linter: 0
  max-same-issues: 0
formatters:
  enable:
    - gofmt
    - gofumpt
    - goimports
  exclusions:
    generated: lax
    paths:
      - helpers/
      - third_party$
      - builtin$
      - examples$

================================================
FILE: .goreleaser.yml
================================================
# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
# goreleaser.yml
# Release automation
#
# Build customization
project_name: gopass
version: 2

before:
  hooks:
    - make clean
    - make completion
    - go mod download

builds:
  - id: gopass
    binary: gopass
    flags:
      - -trimpath
      - -tags=netgo
    env:
      - CGO_ENABLED=0
    asmflags:
      - all=-trimpath={{.Env.HOME}}
    gcflags:
      - all=-trimpath={{.Env.HOME}}
    ldflags: |
      -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -extldflags '-static'
    goos:
      - darwin
      - freebsd
      - linux
      - openbsd
      - windows
    goarch:
      - amd64
      - arm
      - arm64
    goarm:
      - 6
      - 7
    mod_timestamp: '{{ .CommitTimestamp }}'
archives:
  - id: gopass
    name_template: "{{.Binary}}-{{.Version}}-{{.Os}}-{{.Arch}}{{ if .Arm }}v{{.Arm }}{{ end }}"
    formats: ['tar.gz']
    format_overrides:
      - goos: windows
        formats: ['zip']
    files:
      - CHANGELOG.md
      - LICENSE
      - README.md
      - bash.completion
      - fish.completion
      - zsh.completion
release:
  github:
    owner: gopasspw
    name: gopass
  draft: false
  prerelease: auto

nfpms:
  - id: gopass_deb
    vendor: Gopass Authors
    homepage: "https://www.gopass.pw"
    maintainer: "Gopass Authors "
    description: |-
      gopass password manager - full featured CLI replacement for pass, designed for teams.
      .
      gopass is a simple but powerful password manager for your terminal. It is a Pass implementation in Go that can be used as a drop in replacement.
      .
      Every secret lives inside of a gpg (or: age) encrypted textfile. These secrets can be organized into meaninful hierachies and are by default versioned using git.
      .
      This package contains the main gopass binary from gopass.pw. In Debian and Ubuntu there is an unfortunate name clash with another gopass package. That is completely different and not related to this package.
    license: MIT
    formats:
      - deb
    dependencies:
      - git
      - gnupg
    recommends:
      - rng-tools
      - bash-completion
    contents:
      - src: gopass.1
        dst: /usr/share/man/man1/gopass.1
      - src: LICENSE
        dst: /usr/share/doc/gopass/LICENSE
      - src: CHANGELOG.md
        dst: /usr/share/doc/gopass/CHANGELOG.md
      - src: bash.completion
        dst: /usr/share/bash-completion/completions/gopass
      - src: fish.completion
        dst: /usr/share/fish/vendor_completions.d/gopass.fish
      - src: zsh.completion
        dst: /usr/share/zsh/functions/Completion/Linux/_gopass
  - id: gopass_rpm
    vendor: Gopass Authors
    homepage: "https://www.gopass.pw"
    maintainer: "Gopass Authors "
    description: |-
      gopass password manager - full featured CLI replacement for pass, designed for teams.

      gopass is a simple but powerful password manager for your terminal. It is a Pass implementation in Go that can be used as a drop in replacement.

      Every secret lives inside of a gpg (or: age) encrypted textfile. These secrets can be organized into meaninful hierachies and are by default versioned using git.
    license: MIT
    formats:
      - rpm
    dependencies:
      - git
      - gnupg2
    recommends:
      - rng-tools
      - bash-completion
    contents:
      - src: gopass.1
        dst: /usr/share/man/man1/gopass.1
      - src: LICENSE
        dst: /usr/share/doc/gopass/LICENSE
      - src: CHANGELOG.md
        dst: /usr/share/doc/gopass/CHANGELOG.md
      - src: bash.completion
        dst: /usr/share/bash-completion/completions/gopass
      - src: fish.completion
        dst: /usr/share/fish/vendor_completions.d/gopass.fish
      - src: zsh.completion
        dst: /usr/share/zsh/functions/Completion/Linux/_gopass
source:
  enabled: true
  name_template: "{{.ProjectName}}-{{.Version}}"

checksum:
  name_template: "{{.ProjectName}}_{{.Version}}_SHA256SUMS"

milestones:
  - repo:
      owner: gopasspw
      name: gopass
    close: true
    fail_on_error: false
    name_template: "{{ .Major }}.{{ .Minor }}.{{ .Patch }}"

signs:
  - id: gopass
    artifacts: checksum
    args: ["--batch", "-u", "{{ .Env.GPG_FINGERPRINT }}", "--armor", "--output", "${signature}", "--detach-sign", "${artifact}"]

# creates SBOMs of all archives and the source tarball using syft
# https://goreleaser.com/customization/sbom
sboms:
  - artifacts: archive
  - id: source # Two different sbom configurations need two different IDs
    artifacts: source

================================================
FILE: .license-lint.yml
================================================
unrestricted_licenses:
  - Apache-2.0
  - MIT
  - BSD-3-Clause
  - BSD-2-Clause
  - 0BSD
  - WTFPL
  - CC0-1.0

reciprocal_licenses:
  - MPL-2.0
  - MPL-2.0-no-copyleft-exception

allowlisted_modules:
  # Simplified BSD (BSD-2-Clause): https://github.com/russross/blackfriday/blob/master/LICENSE.txt
  - github.com/russross/blackfriday
  - github.com/russross/blackfriday/v2
  # Apache license
  - github.com/dgraph-io/ristretto
  - github.com/spf13/afero
  # Modified BSD-2-Clause with extra no-Google clause: https://github.com/jezek/xgb/blob/master/LICENSE
  - github.com/jezek/xgb
  # MIT
  - github.com/jwalton/go-supportscolor

================================================
FILE: .revive.toml
================================================
# Ignores files with "GENERATED" header, similar to golint
ignoreGeneratedHeader = false

# Sets the default severity to "warning"
severity = "error"

# Sets the default failure confidence. This means that linting errors
# with less than 0.8 confidence will be ignored.
confidence = 0.6

# Sets the error code for failures with severity "error"
errorCode = 1

# Sets the error code for failures with severity "warning"
warningCode = 1

[rule.argument-limit]
  arguments = [10]
[rule.blank-imports]
[rule.context-as-argument]
[rule.context-keys-type]
[rule.cyclomatic]
  arguments = [21]
[rule.dot-imports]
[rule.error-naming]
[rule.error-return]
[rule.error-strings]
[rule.errorf]
[rule.exported]
[rule.if-return]
[rule.increment-decrement]
[rule.indent-error-flow]
[rule.package-comments]
[rule.range]
[rule.receiver-naming]
[rule.time-naming]
[rule.unexported-return]
[rule.var-declaration]
[rule.var-naming]

================================================
FILE: AGENTS.md
================================================
# Project Overview

gopass is a command line application that allows users to manage their passwords and other secrets inside encrypted files. Those files are usually encrypted using gpg (but other backends like age do exist). The files are usually managed using git (but other VCS backends exist as well).

The CLI is primarily intended for human users. Several integrations exist; these are standalone projects that use the exposed gopass API to interact with an existing password store.

gopass supports multiple password stores. It requires at least one root store but any number of additional stores can be mounted, just like filesystems on Linux, inside the root store. Each store can use a different encryption method and VCS. The primary use case of using different password stores is to encrypt and share the content with a different set of recipients.

The project is specifically targeting users on all major platforms, i.e. Linux, Unix, MacOS and Windows.
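The mount model described above decides which store, and therefore which set of recipients, a secret is encrypted for. The following is an added example, not gopass code: a minimal longest-prefix router in which `Router`, `Mount`, `Resolve` and the store names are hypothetical. It shows the two cases that matter for keeping secrets in the intended store: matching whole path components only, and normalizing `..` before routing.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// rootStore is the label this example uses when no mount point matches.
const rootStore = "<root>"

// Router maps mount points to store names. Hypothetical type for this
// example; it is not the implementation in internal/store/root.
type Router struct {
	mounts map[string]string // mount point -> store name
}

func NewRouter() *Router { return &Router{mounts: map[string]string{}} }

// normalize resolves "." and ".." segments and strips surrounding slashes, so
// routing is decided on the path that will actually be used.
func normalize(name string) string {
	return strings.Trim(path.Clean("/"+name), "/")
}

// Mount registers a store under a mount point inside the root store.
func (r *Router) Mount(point, store string) error {
	point = normalize(point)
	if point == "" {
		return errors.New("mount point must not be empty")
	}
	if _, dup := r.mounts[point]; dup {
		return fmt.Errorf("%q is already mounted", point)
	}
	r.mounts[point] = store

	return nil
}

// Resolve returns the responsible store and the secret name relative to it.
func (r *Router) Resolve(name string) (store, rel string) {
	name = normalize(name)
	best := ""
	for point := range r.mounts {
		// Match whole path components only: "work" must not claim "workshop/...".
		if name != point && !strings.HasPrefix(name, point+"/") {
			continue
		}
		// The longest matching mount point wins, so nested mounts take precedence.
		if len(point) > len(best) {
			best = point
		}
	}
	if best == "" {
		return rootStore, name
	}

	return r.mounts[best], strings.TrimPrefix(strings.TrimPrefix(name, best), "/")
}

func main() {
	r := NewRouter()
	// Constructed sample mounts; the store names are placeholders.
	_ = r.Mount("work", "team-store")
	_ = r.Mount("work/ops", "ops-store")

	for _, name := range []string{
		"work/ops/db/root",
		"work/wiki",
		"workshop/door",
		"work/../bank/pin",
	} {
		store, rel := r.Resolve(name)
		fmt.Printf("%-18s -> store=%s secret=%s\n", name, store, rel)
	}
}
```

A secret named `work/../bank/pin` ends up in the root store because the name is normalized before any prefix comparison.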
## Folder Structure

- `/docs`: Contains human readable documentation for the project.
- `/helpers`: Contains tools used to maintain the project. Users usually don't use those, these are mainly for developers and maintainers of the project. Do not touch this directory unless instructed to do so.
- `/internal`: Contains most of the implementation of the project. It is visibility restricted so other projects can not depend on it and we can be very liberal with breaking changes.
- `/pkg`: Contains the public API (inside `/pkg/gopass`) used by our integrations and other projects as well as necessary support packages to make using the API feasible.
- `/tests`: Contains only integration tests, i.e. those mock a real GPG-based gopass installation. They are quite slow but provide a kind of regression testing. Remember to add or adjust those when adding major new features.
- `/internal/action`: Contains the different CLI subcommands. Usually one file per top-level subcommand (e.g. the implementation for `gopass ls` is in `/internal/action/list.go`) with an accompanying `_test.go` file that contains the unit tests. All commands need to be registered in `/internal/action/commands.go`.
- `/internal/audit`: Contains the audit code that checks password stores for weak passwords or related issues.
- `/internal/backend`: Contains the different backend implementations for both encryption as well as version controlled storage. Storage implementations need to register themselves in `/internal/backend.StorageRegistry` while encryption backends need to register in `/internal/backend.CryptoRegistry`.
- `/internal/backend/crypto/age`: Contains the `age` encryption backend. It is a pure-Go implementation. Refer to the [docs](docs/backends/age.md) as well.
- `/internal/backend/crypto/gpg/cli`: Contains the `gpg` encryption backend. It mostly uses the `gpg` binary to support the different configurations (e.g. smart cards) which wouldn't be possible with existing pure-Go implementations. Refer to [docs](docs/backends/gpg.md) as well.
- `/internal/backend/crypto/plain`: Contains the plaintext backend (no encryption). This should only be used for testing. Users should never use this.
- `/internal/backend/storage/fossilfs`: Contains an experimental storage backend using the Fossil SCM. It might be removed in the future.
- `/internal/backend/storage/fs`: Contains a storage backend without SCM integration, i.e. it simply writes to files on disk without versioning support. Should usually only be used for tests or if users have some kind of transparent versioning system underneath.
- `/internal/backend/storage/gitfs`: Contains the primary storage backend that is using `git` to manage files.
- `/internal/config`: Contains our custom config handling. It is based on the git configuration file format as implemented by our [gitconfig](http://github.com/gopasspw/gitconfig) package. When reading config settings prefer using `config.Bool(ctx, key)`, `config.String(ctx, key)` or `config.Int(ctx, key)`. Use the low-level methods only when those are not sufficient. Avoid touching the `legacy` package underneath unless asked to.
- `/internal/out`: Contains our output helpers. Prefer those over Go standard lib packages (like fmt) for consistency.
- `/internal/store`: Contains the core of the password store implementation (utilizing the configured backends).
- `/internal/store/root`: Contains the root store. This always exists once in a gopass process. It delegates most operations to one or more leaf stores.
- `/internal/store/leaf`: Contains the leaf store. There must be at least one initialized leaf store per gopass instance. But there can be as many as necessary.
- `/pkg/appdir`: Contains a facility for providing system-dependent paths for application resources, like config or cache directories. It does honor the `GOPASS_HOMEDIR` variable. This is very useful for testing since a gopass instance running with this variable set to a temporary location will not interfere with the actual production instance a user might be using.
- `/pkg/clipboard`: Contains methods to interact with clipboards on all major operating systems. It is using our [clipboard](http://github.com/gopasspw/clipboard) package. It also supports clearing the clipboard after a given interval.
- `/pkg/ctxutil`: Provides the necessary plumbing to interact with config values stored in the context. Avoid adding new context keys if possible and prefer config values. But if adding context keys is necessary they should only be defined in this file.
- `/pkg/debug`: Contains a debug package with different verbosity levels. Use it to output debug information to a debug log.
- `/pkg/fsutil`: Contains various helpers for interacting with the filesystem, e.g. checking for presence of files or directories. Prefer those over implementing these checks from scratch.
- `/pkg/gopass`: Contains the public gopass API to interact with existing password stores. The `api` sub package contains the actual API and the `secrets` sub package the different secret types we support.
- `/pkg/pwgen`: Contains a pure-Go implementation of the `pwgen` utility.
- `/pkg/set`: Contains a generic set type.
- `/pkg/tempfile`: Contains utility functions for creating and dealing with temp files. It attempts to be more secure than the normal temp file functions from the stdlib. Prefer those over the stdlib.
- `/pkg/termio`: Contains functions for interacting with the user of the terminal.

## Libraries and Frameworks

- Avoid introducing new external dependencies unless absolutely necessary.
- If a new dependency is required, please state the reason.
- The project is licensed under the terms of the MIT license and we can only add compatible licenses. See [.license-lint.yml](.license-lint.yml) for a list of compatible licenses.
- We must avoid introducing CGo dependencies since this makes cross-compiling infeasible.

## Testing instructions

- Always run `make test` and `make codequality` before submitting.
- Run `make fmt` to properly format the code. Run this before `make codequality`.
- Before mailing a PR run `make test-integration`

================================================
FILE: ARCHITECTURE.md
================================================
# Architecture

This document describes the high-level architecture of gopass. If you want to get familiar with the code base you are in the right place.

## Overview

On the highest level gopass manages directories (called `stores` or `mounts`) that contain (mostly) GPG encrypted text files. gopass transparently handles encryption and decryption when accessing these files. It applies some heuristics to parse the file content and support certain operations on that content.

`gopass` is licensed under the terms of the MIT license and we require compatible licenses from our dependencies as well (when we link against them).

For licensing reasons and security considerations we try to keep the number of external dependencies (libraries) well-arranged. Try to avoid adding new dependencies unless absolutely necessary.

## Generalized control flow

![](docs/components.png)

This flow chart shows a high level control flow common to most operations. It leaves out a lot of details but should give a better understanding of how information flows within the program and where changes might be necessary.

## Code Map

This section talks briefly about the various directories and some data structures.

We're trying to clearly separate between our public API and implementation details. To that extent we're in the process of moving packages to `internal/` (and sometimes back to `pkg/`, if necessary).

A note on semantic versioning: `gopass` is both a CLI and an API (Go module).
The expectations around semantic versioning and Go modules make it difficult to express both concerns in the same versioning scheme, e.g. does a breaking change in the API require a major version bump even if nothing about the tool (CLI) has changed? What about the other way round? Thus we have decided to apply semantic versioning only to the CLI tool, not the Go module. This is not ideal and might change with sufficient active contributors.

### `docs/backends`

This folder contains documentation about each of our supported backends. See `internal/backend` below for more information about our backend design.

### `docs/commands`

This folder contains the specification of each sub command the tool offers. We have many sub commands with sometimes dozens of flags each. In the past we did encounter some inconsistencies and decided to introduce specifications for each command. If the specification and the implementation disagree this should be reported as a bug and fixed or the specification needs to be changed (but the general assumption should be that the specification is correct, not the code).

### `docs/usecases`

This directory contains an (incomplete) list of our core use cases, i.e. the critical user journeys we aim to support. `gopass` can be used in various ways and we try to remain flexible and extensible, but if we encounter a conflict between a blessed use case and a corner case we prefer the former.

### `helpers/`

This directory contains some release automation tooling that is supposed to be invoked with `go run`. The changelog generator in `helpers/changelog` is used by our GitHub Action based release automation and shouldn't be invoked manually. The tooling in `helpers/release` will prepare a new release and helps to file a release pull request with all the required updates in place.

### `internal/` and `pkg/`

`gopass` used to not have either of these and all our packages were rooted directly in the repository. However we began to notice that other projects were starting to depend directly on our internal packages and we sometimes broke them. This put us and the other project into an unpleasant situation so we tried to clarify the expectations by using Go's `internal/` visibility rule to keep other projects from depending on our implementation details.

Note: If you have a good reason to use one of our `internal/` packages either copy it (our license should rarely be an issue) or nicely ask us and explain why something should move to `pkg/`.

As we are in the process of formalizing a proper API surface we sometimes need to move packages from `internal/` to `pkg/`. The other direction might also occur, but much less often.

### `internal/action`

This directory contains one file, and sometimes sub folders, for each command `gopass` supports. These are mostly self-contained, but some (e.g. show / edit / find) need to depend on each other.

TODO: There is a lot to be said about this package, e.g. custom errors.

### `internal/backend`

`gopass` is built around the concept of multiple independent password stores that can be mounted into one namespace, much like regular file systems. Each of these stores can have a different storage and crypto backend. We used to have independent revision control backends as well, but since the RCS (e.g. git) interacts so closely with the storage (you can't use regular git w/o a filesystem-based storage) we have merged storage and RCS backends.

The backend package defines the interfaces for the backend implementation and provides a registry that returns the concrete backend from the list of registered ones. Registration happens through blank imports of the `internal/backend/crypto` and `internal/backend/storage` packages.

Each backend needs to have a loader implementation in its `loader.go` (please stick to this name). We try to auto-detect the most applicable backend when initializing the process, but some backends look alike (e.g. a `fs` and an uninitialized `gitfs`). So the loader comes with a priority which is respected during lookup.

### `internal/config`

The `config` package implements support for a simple YAML-based configuration format for `gopass`. Most of the code in this package is for backwards compatibility. Whenever we introduce or remove a config option we need to introduce a new fallback version that is automatically attempted when loading a config file. To resolve ambiguities when parsing different config versions we use a "catch-all" field to catch any unused keys and check that this is empty after parsing - otherwise we need to try a different config version.

NOTE: We did support nested configurations for sub-stores but removed this because the maintenance cost did not justify the benefits of this feature.

### `internal/cui`

The name `cui` is an abbreviation for `console-user-interface` and the package contains several helper functions to interact with humans over a text based interface. Most of these ask the user to select some item from a selection or provide some input.

NOTE: We used to support rich terminal UIs with arrow navigation and such. However all existing libraries that were available without CGO were either abandoned or buggy on some platforms and we didn't have any capacity to fix them. So we had to remove support for this feature.

### `internal/queue`

The `queue` package implements a FIFO queue that executes in the background. This allows for certain operations, like a git push, to be taken out of the critical path wrt. user interactions. The queue will be fully processed before the process exits.

### `internal/store/root`

The `root store` package implements an internal password store API that (only) supports mounting `leaf` stores. It will forward (almost) all operations to its `leaf` stores (moves across stores being a notable exception) and do the necessary manipulations of the affected path components (e.g. removing/adding the mount prefix from the secret name as needed). This package makes `gopass` multi-store capable.

### `internal/store/leaf`

The `leaf store` package implements a password store that is mostly compatible with any other password store implementation (while aiming for interoperability, not at 100% feature parity). The low-level operations like filesystem and / or version control and crypto operations are passed to the configured `storage` or `crypto` backend.

### `internal/tree`

The `tree` package implements a simple tree structure that prints an output similar to the output of the Unix tool `tree`. It does support different `gopass` specific properties (like mounts or templates) not easily implemented with other tree packages.

### `internal/updater`

The `updater` package implements a secure and anonymous self updater.

Note: The self updater contacts GitHub. If this is a concern one should use other sources, e.g. distro packages.

It retrieves the latest stable release from GitHub, fetches its metadata and verifies the signature against the built-in release signing keyring. It tries to avoid conflicting with any `gopass` binary managed by the OS and refuses to update these.

### `pkg/`

The package `pkg/` contains our public API surface, i.e. packages we want or have to expose externally. Some packages (e.g. `otp`) are only exposed because they are being used by some of our integrations. Others (e.g. `pinentry` or `pwgen`) are designed for wider use. We are considering splitting some of the more widely used packages into their own repositories to work better with Go module and semantic versioning expectations.

#### `pkg/appdir`

The `appdir` package contains a set of [XDG Base Directory Specification](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html) compatible implementations with some `gopass` specifics. For testing purposes we want to honor the setting of `GOPASS_HOMEDIR` before everything else, so our implementation has to take this into account before following the XDG spec.

#### `pkg/clipboard`

The `clipboard` package is a wrapper around a clipboard package that adds support for clearing the clipboard.

#### `pkg/ctxutil`

The `ctxutil` package is the pragmatic (read: non-idiomatic) approach to pass very specific configuration options through multiple layers of abstraction. This is arguably not the best design, but it works well and avoids bloated interfaces.

#### `pkg/gopass`

This package contains **the** gopass API interface. We provide a concrete implementation that should work with any properly initialized gopass setup and a mock for tests. This package is designed as the main entry point for any integration that wants to integrate with gopass.

### `tests`

`gopass` comes with a comprehensive set of integration tests, i.e. tests that are executed by running a newly compiled gopass binary without access to any kind of internal state. These tests can't be as exhaustive as the unit tests but they exist to ensure basic functionality isn't broken by a change.
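The `internal/updater` section above describes verifying a release signature against a built-in keyring, and the `.goreleaser.yml` in this repository signs only the `SHA256SUMS` checksum file. The following is an added example, not the updater's code: it shows the resulting two-step check (signature over the checksum file, then the archive digest against the signed list). It uses Ed25519 from the Go standard library as a stand-in for the OpenPGP signatures the project uses, and `VerifyRelease`, the file name and the key seed are constructed for illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrBadSignature = errors.New("checksum file is not signed by a trusted key")
	ErrMalformed    = errors.New("malformed checksum file")
	ErrNotListed    = errors.New("artifact is not listed in the checksum file")
	ErrHashMismatch = errors.New("artifact digest does not match the checksum file")
)

// sampleName is a constructed archive name following the archive name_template.
const sampleName = "gopass-0.0.0-linux-amd64.tar.gz"

// parseSums reads sha256sum-style lines: "<64 hex digits>  <file name>".
func parseSums(data []byte) (map[string][sha256.Size]byte, error) {
	sums := map[string][sha256.Size]byte{}
	sc := bufio.NewScanner(bytes.NewReader(data))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, ErrMalformed
		}
		raw, err := hex.DecodeString(fields[0])
		if err != nil || len(raw) != sha256.Size {
			return nil, ErrMalformed
		}
		name := strings.TrimPrefix(fields[1], "*") // binary-mode marker
		if _, dup := sums[name]; dup {
			return nil, ErrMalformed // same name twice is ambiguous, reject
		}
		var digest [sha256.Size]byte
		copy(digest[:], raw)
		sums[name] = digest
	}

	return sums, sc.Err()
}

// VerifyRelease accepts an artifact only if the checksum file carries a valid
// signature from a trusted key AND the artifact's digest is listed in it.
func VerifyRelease(sums, sig []byte, name string, artifact []byte, trusted ...ed25519.PublicKey) error {
	signed := false
	for _, key := range trusted {
		if len(key) == ed25519.PublicKeySize && ed25519.Verify(key, sums, sig) {
			signed = true

			break
		}
	}
	if !signed {
		return ErrBadSignature // never parse or trust an unauthenticated list
	}
	listed, err := parseSums(sums)
	if err != nil {
		return err
	}
	want, ok := listed[name]
	if !ok {
		return ErrNotListed
	}
	if sha256.Sum256(artifact) != want {
		return ErrHashMismatch
	}

	return nil
}

// sumsLine renders one checksum-file line for the given artifact.
func sumsLine(name string, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)

	return []byte(hex.EncodeToString(digest[:]) + "  " + name + "\n")
}

// sampleRelease builds a constructed release signed with a key derived from seed.
func sampleRelease(seed byte) (pub ed25519.PublicKey, sums, sig, artifact []byte) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	artifact = []byte("constructed archive bytes")
	sums = sumsLine(sampleName, artifact)

	return priv.Public().(ed25519.PublicKey), sums, ed25519.Sign(priv, sums), artifact
}

func main() {
	pub, sums, sig, artifact := sampleRelease(0x42)
	fmt.Println("genuine:", VerifyRelease(sums, sig, sampleName, artifact, pub))
	fmt.Println("tampered:", VerifyRelease(sums, sig, sampleName, []byte("tampered"), pub))
}
```

Because only the checksum file is signed, skipping either step leaves a gap: the signature alone says nothing about the archive, and the digest alone can be rewritten together with the archive.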
================================================
FILE: CHANGELOG.md
================================================
# Changelog

## 1.16.1 / 2025-12-13

* chore(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#3299)
* chore(deps): bump actions/setup-go from 6.0.0 to 6.1.0 (#3300)
* chore(deps): bump anchore/sbom-action from 0.20.9 to 0.20.10 (#3296)
* chore(deps): bump anchore/scan-action from 7.1.0 to 7.2.1 (#3298)
* chore(deps): bump docker/metadata-action from 5.8.0 to 5.10.0 (#3297)
* chore(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#3295)
* chore(deps): bump golangci/golangci-lint-action from 9.0.0 to 9.1.0 (#3302)
* chore(deps): bump step-security/harden-runner from 2.13.1 to 2.13.2 (#3301)
* fix(config): use the config propery generate.strict as default value for Strict rules (#3303)
* fix: Fix version check against latest release (#3292)

## 1.16.0 / 2025-11-12

* [BUGFIX] reorg: List all secrets instead of just top-level folders (#3245)
* [chore] Add capability and vulnerability checks (#3266)
* [chore] Initial fixes and added a warning for CryptFS and JJFS (#3270)
* [chore] Logging improvements (#3273)
* [chore] Run linux builds with multiple Go versions (#3272)
* [fix] Correctly handle IsGitCommit false in store.Move (#3246)
* [fix] Drop Go 1.23 (#3274)
* [fix] Fix clipboard issues (#3267)
* [fix] Fix version check (#3268)
* chore(deps): bump actions/cache from 4.2.4 to 4.3.0 (#3263)
* chore(deps): bump actions/setup-go from 5.5.0 to 6.0.0 (#3262)
* chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#3281)
* chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 (#3258)
* chore(deps): bump anchore/sbom-action from 0.20.6 to 0.20.9 (#3284)
* chore(deps): bump anchore/scan-action from 6.5.1 to 7.0.0 (#3264)
* chore(deps): bump anchore/scan-action from 7.0.0 to 7.1.0 (#3280)
* chore(deps): bump docker/login-action from 3.5.0 to 3.6.0 (#3260)
* chore(deps): bump github/codeql-action from 3.30.0 to 3.30.5 (#3261)
* chore(deps): bump github/codeql-action from 3.30.5 to 4.31.2 (#3282)
* chore(deps): bump msys2/setup-msys2 from 2.28.0 to 2.29.0 (#3257)
* chore(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 (#3259)
* chore(deps): bump sigstore/cosign-installer from 3.10.0 to 4.0.0 (#3283)
* chore(deps): bump sigstore/cosign-installer from 3.9.2 to 3.10.0 (#3255)
* chore(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 (#3256)
* chore: Update golangci-lint (#3287)
* docs: Add GoDoc to pkg and improve markdown files (#3251)
* feat(age): Add unlock command to age agent (#3244)
* feat: Add cryptfs storage backend for filename encryption (#3249)
* feat: Clone remote on init (#3247)
* fix: Fix release helper and update capabilities for caplos (#3288)

## 1.15.18 / 2025-09-19

* [fix] Enable Windows builders (#3237)
* [fix] Fix recipient check error (#3235)
* [fix] Update gitconfig to v0.0.3 to pull in Windows fixes (#3236)
* [fix] Use Go 1.24 instead of Go 1.25 (#3226)
* docs: Add note about pass compatibility (#3229)
* feat: Add reorg command (#3232)
* feat: Allow to customize commit messages (#3231)
* feat: Improve usability of 'gopass mounts add' command (#3238)
* fix(config): Make core.exportkeys handling consistent (#3228)
* fix(gpg): Opportunistic key comparison on import (#3230)

## 1.15.17 / 2025-09-15

* [BUGFIX] Fix --force flag in recipients add (#3173)
* [chore] Add tests and comments for hasPwRuleForSecret (#3162)
* [chore] Automatically approve and merge dependabot PRs (#3220)
* [chore] Bump github.com/gopasspw/clipboard to v0.0.3 (#3219)
* [chore] Disable updating gopasspw.github.io (#3184)
* [chore] Expose gopass env in help (#3158)
* [chore] Fix hardened runner (#3196)
* [chore] Update Go versions (#3139)
* [chore] Update dependencies (#3197)
* [feat] Add Jujutsu storage backend (#3202)
* [feat] Honor generator options in the create workflow (#3149)
* [fix] Add workaround for pre-release test failures (#3198)
* [fix] Disable Windows tests (#3204)
* [fix] Fixes creation template lookup on Windows (#3157)
* [fix] avoid length prompt when input is within rule boundary (#3159)
* [fix] skip redundant confirmation when --edit is used (#3161)
* [fix] use WritePassword for secure write (#3200)
* [testing] use `/usr/bin/env cat` instead of `/bin/cat` (#3160)

## 1.15.16 / 2025-04-21

* [BUGFIX] Allow use of trailing slash for cp/mv command (#3080)
* [BUGFIX] Check if any usable key matches on clone (#3027)
* [BUGFIX] Fixed max length check for strings in create/wizard (#3056)
* [BUGFIX] Fixed password not saving to clipboard with safecontent and autoclip true (#3053)
* [BUGFIX] replace return of wrong error variable (#3015)
* [ENHANCEMENT] Add support for autocompletion with flags in REPL mode (#3057)
* [ENHANCEMENT] Make it possible to override `show.autoclip` (#3082)
* [FEATURE] Add option -r/--regex to find (#3083)
* [UX] Make single store sync more intuitive / verbose (#3076)
* [bugfix] Don't check for autosync on manual triggered sync (#3026) (#3029)
* [chore] Add keep-sorted linter (#3130)
* [chore] Add tpl func tests and fix two small issues (#3058)
* [chore] Do not run linters twice (#3119)
* [chore] Migrate goreleaser config to v2 (#3122)
* [chore] Migrate to golangci-lint v2 (#3104)
* [chore] Move gitconfig to their own repo (#3131)
* [chore] Move set from internal to pkg (#3129)
* [chore] Update dependencies (#3120)
* [feat] Add conditional includes for gitconfig (#3128)
* [feat] Add unconditional includes for gitconfig (#3127)
* [feat] Remove expensive and unmaintained zxcvbn-go strength checker (#3133)
* [feat] Replace clipboard library to support wl-copy args (#3123)
* [fix] Add LICENSE, Changelog, manpage and shell completions to deb and (#3121)
* [fix] Fix a flaky test (#3137)
* [fix] Fix debug.ModuleVersion (#3079)
* [fix] Fix test failure due to ambient variables (#3135)
* [fix] Fix test regressions (#3116)
* [fix] Fix this annoying test
* [fix] Include git commit hash in tarballs (#3124)
* [fix] Relase fixes (#3136)
* [fix] Update Makefile and fix lint violations (#3134)

## 1.15.15 / 2024-11-24

* [BUGFIX] Replace ~ with user homedir if `$GOPASS_HOMEDIR` is not set (#2961)
* [CLEANUP] Replace experimental `maps` and `slices` with stdlib (#2993)
* [CLEANUP] remove unreachable code (#2977)
* [DEPRECATION] Remove references to deprecated rand.Seed (#2953)
* [ENHANCEMENT] Allow for whitespace-trailing passwords (#2873) (#2954)
* [FEATURE] Adding support for `age.Plugin` identities (#2960)
* [FEATURE] Allow for non-interactive age setup (#2970)
* [FEATURE] Ask for setup if not initialized (#2975)
* [bugfix] Copy with trailing slash at destination. (#2966)
* [chore] use the same version of golangci-lint (#2948)

## 1.15.14 / 2024-08-03

* [bugfix] Fix parsing of key-value pairs according to the gitconfig (#2911)
* [chore] Update dependency to github.com/cenkalti/backoff/v4 (#2864)
* [chore] Update dependency to github.com/godbus/dbus/v5 (#2860)
* [chore] Update dependency to github.com/google/go-github/v61 (#2863)
* [chore] Update dependency to github.com/xhit/go-str2duration/v2 (#2865)
* [chore] Update hashicorp/golang-lru to v2 (#2859)

## 1.15.13 / 2024-04-06

* [bugfix] Default to true for core.exportkeys even in substores (#2848)
* [bugfix] Do not report findings with severity none in audit summary (#2843)
* [bugfix] Fix loading of git configs (#2849)
* [chore] Update dependencies (#2850)
* [chore] Use clean filepath in all of the fs.Set operation (#2846)
* [chore] use the same version of golangci-lint (#2841)
* [feat] Add an multi-line input type to the create wizard (#2847)
* [feat] Add option to disable notification icon (#2845)
* [feat] Add verbosity levels to the debug package (#2851)
* [fix] Disble safecontent parsing if noparsing is requested (#2855)
* [fix] Pass remote, if given, to local init as well (#2852)

## 1.15.12 / 2024-03-17

* [BUGFIX] Use 'en' as default language for the xkcd generator (#2793)
* [DOCUMENTATION] Fix typo: initilize -> initialize (#2796)
*
[bugfix] Bring back audit summary (#2820) * [bugfix] Do not abort saving if the OTP counter is aborted (#2775) * [bugfix] Fix NPE when using recipients completion (#2823) * [bugfix] Warn if trying to use fscopy inside the store (#2832) * [chore] Upgrade to Go 1.22 (#2805) * [cleanup] Add better logging in case no owner key is found (#2748) * [feat] Add .gopass-audit-ignore support to ignore secrets from audits (#2822) * [feat] Allow supression of password generation in create templates (#2821) * [ux] Add hint that computing recipients takes some time (#2833) * [ux] Do not show create type chooser if only one exists (#2752) ## 1.15.11 / 2023-12-01 * [bugfix] Disable multi-line description for deb packages (#2729) * [bugfix] Fix writes to global config from tests (#2727) * [bugfix] Workaround for goreleaser/nfpm#742 (#2732) * [feature] Allow setting autosync.interval in different time units (#2731) ## 1.15.10 / 2023-11-25 * [BUGFIX] Allow to move shadowed entries into their own folder (#2718) * [BUGFIX] Try to always honor local config for mounts (#2724) * [chore] Add OSSF scorecard link and improve security posture (#2704) * [chore] Update goxkcdpwgen dependency to include my PR (#2722) * [chore] Update grype workflow and pin Docker base images (#2706) * [cleanup] Add package description (#2702) * [feature] Add new pwgen options to capitalize and include numbers in (#2703) ## 1.15.9 / 2023-11-18 * [BUGFIX] Disabling the OTP snip screenshot feature on OpenBSD (#2685) * [CLEANUP] Migration of options to more appropriate sections (#2681) * [bugfix] Improve git version parsing (#2690) * [bugfix] Remove leading and trailing slashes from mounts (#2698) * [enhancement] Add blake3 to the template functions (#2693) * [enhancement] Add input validation to block illegal mount points (#2672) ## 1.15.8 / 2023-09-11 * [BUGFIX] Use goreleaser build for crosscompile (#2635) * [bugfix] Allow fsck to check a single secret (#2659) * [bugfix] Do not remove unused keys on import by 
default (#2657) * [bugfix] Fix parsing of large secrets (#2654) * [chore] Update dependencies (#2660) * [docs] add/update choco, scoop, winget instructions (#2647) * [feat] Add --store option to gopass fsck (#2658) * [feat] Add XCKD pwgen config options (#2651) ## 1.15.7 / 2023-08-04 * [BUGFIX] Fix build issues on various non-Linux platforms (#2630, #2633) ## 1.15.6 / 2023-07-30 * [DOCUMENTATION] fix Arch Linux package url (#2598) * [BUGFIX] Only show desktop notifications if there are changes (#2627) * [ENHANCEMENT] Add a global nosync flag (#2626) * [BUGFIX] Correctly handle multiline secrets (#2625) * [ENHANCEMENT] Add screen parsing for OTP QR codes (#2597) ## 1.15.5 / 2023-04-07 * [CLEANUP] Use Go1.20 (#2567) * [ENHANCEMENT] Add internal pager (ov). (#2510) ## 1.15.4 / 2023-02-12 * [BUGFIX] Also accept lower case CTE headers. (#2539, #2518) * [BUGFIX] Commit changes to mount config changes. (#2542, #2530) * [BUGFIX] Do not restrict pwlen when maxlen is zero. (#2537, #2536) * [BUGFIX] Fix fossilfs sync (#2549, #2516) * [BUGFIX] Fix recipients check for age. (#2545, #2544) * [BUGFIX] Hide harmless git error messages. (#2547, #2543) * [BUGFIX] Improve error handling for gopass convert (#2548, #2520) * [ENHANCEMENT] Add edit.auto-create (#2538) ## 1.15.3 / 2023-01-07 * [BUGFIX] Check recipients before launching editor. (#2488, #1565) * [BUGFIX] Fix possible concurrency issues in fsck. (#2486, #2459) * [BUGFIX] Honor core.autosync (#2497, #2495) * [BUGFIX] Honor fuzzy search abort (#2491, #2490) * [ENHANCEMENT] Add nicer gopass audit HTML output (#2508) * [ENHANCEMENT] Check recipients before adding a new one. (#2487, #1918) * [ENHANCEMENT] Do not enforce lower case keys (#2489, #1777) * [ENHANCEMENT] Do not rewrite ~. (#2496, #2083) * [ENHANCEMENT] Rewrite gopass audit. 
Add HTML and CSV (#2506, #2504) * [ENHANCEMENT] gitconfig: Support MultiVars (#2476, #2457) ## 1.15.2 / 2022-12-18 * [BUGFIX] [gitconfig] Properly parse Key-Value pairs with (#2482, #2479) * [ENHANCEMENT] Add --force-regen flag to generate (#2475, #2474) * [ENHANCEMENT] Add recipients hash checking. (#2481, #2478) ## 1.15.1 / 2022-12-11 * [BUGFIX] Fix domain alias lookup (#2455, #2453) * [BUGFIX] Fix vim invocation. (#2456, #2424) * [CLEANUP] Unhide fscopy and fsmove (#2444, #1831) * [ENHANCEMENT] Add DirName template (#2452) * [ENHANCEMENT] Add generate.symbols and generate.length (#2443, #2151) * [ENHANCEMENT] Add template docs (#2445, #1562) * [ENHANCEMENT] Document supported secret formats. (#2439, #1585) * [ENHANCEMENT] Pre-populate ID with git values (#2442, #968) * [ENHANCEMENT] Support german language in the password (#2454, #2451) ## 1.15.0 / 2022-12-03 * [BREAKING] New config format based on git config. (#2395, #1567, #1764, #1819, #1878, #2387, #2418) * [BUGFIX] Fix symlink deduplication. (#2437, #2402) * [ENHANCEMENT] Maintain secret structure when parsing (#2433, #2431) * [ENHANCEMENT] Retain recipients file format (#2432, #2430) ### New config format: gitconfg Gopass is getting a new config format based on the one use by git itself. The new implementation is much more flexible and extensible and will allow us to more easily support new config options going forward. It does also support a hierachy of configs. That means we can now support system wide defaults as well as per mount config options. The system wide configuration gives package maintainers and admins of multi user deployments the option to pre-set certain options to their liking. ### New default secret format The default secret format has been rewritten to replace two of the existing ones (KV and Plain). The new format puts a strong emphasis on retaining the input as close as possible. 
One small change that might be visible in some corner cases is that every secret now contains a terminating new line.

### Recipient files can now contain comments

The parsing of the recipients files (`.gpg-id`) has become more flexible and can now contain comments. These will be retained when updating these files through gopass as well.

## 1.14.11 / 2022-11-25

* [BUGFIX] Fix edit on MacOS Ventura (#2426, #2400)
* [BUGFIX] Handle nvi (#2414)
* [BUGFIX] Improve support for non-vim editors (#2427, #2424)
* [BUGFIX] Only pass vim options to vim (#2421, #2412)
* [ENHANCEMENT] Support combined short flags (#2420, #2419)

## 1.14.10 / 2022-11-09

* [BUGFIX] Correctly handle key removal on Windows (#2372, #2371)
* [DOCUMENTATION] (#1878)
* [ENHANCEMENT] Ignore comments in recipient files. (#2394, #2393)
* [ENHANCEMENT] Improve key expiration handling (#2383, #2369)
* [ENHANCEMENT] allow re-encrypting entire directory when (#2373)

## 1.14.9 / 2022-09-28

* [ENHANCEMENT] Make DBus notifications transient (#2364, #2358)

## 1.14.8 / 2022-09-27

* [BUGFIX] Ignore not-existing .ssh dir (#2347, #2333)
* [BUGFIX] Use Wait() to avoid Zombies (#2354, #1666)
* [ENHANCEMENT] Allow modifying default create templates (#2349, #2291)
* [ENHANCEMENT] Improve passage support (#2352, #2059)
* [ENHANCEMENT] Use OS keychain for age passphrase caching (new config option, off by default). (#2351, #2350)

## 1.14.7 / 2022-09-20

* [BUGFIX] Do not ignore symlinks when listing (#2344, #2173)
* [BUGFIX] Do not shadow entries behind folders. (#2341, #2338)
* [BUGFIX] Fix updater on Windows. (#2345, #2011)
* [BUGFIX] Handle Ctrl+C in TOTP (#2342, #2320)
* [ENHANCEMENT] Set vim options instead of sniffing (#2343, #2317)

## 1.14.6 / 2022-09-10

* [BUGFIX] Do not show setup message on version (#2327)
* [BUGFIX] Remove exported public keys of removed (#2328, #2315)
* [ENHANCEMENT] Document extension model. (#2329, #2290)

## 1.14.5 / 2022-09-03

* [BUGFIX] Fix fsck progress bar. Mostly. (#2303)
* [DOCUMENTATION] fix in recommended vim setting (#2318)

## 1.14.4 / 2022-08-02

* [BREAKING] gopass otp will automatically update the counter key in HOTP secrets! (#2278)
* [BUGFIX] Allow removing unknown recipients with --force (#2253)
* [BUGFIX] Honor PASSWORD_STORE_DIR (#2272)
* [BUGFIX] Honor OTP key period from URL (#2278)
* [BUGFIX] Wizard: Enforce min and max length. (#2293)
* [CLEANUP] Use Go 1.19 (#2296)
* [ENHANCEMENT] Automatically sync once a week (#2191)
* [ENHANCEMENT] Scan for vulnerabilities and add SBOM on (#2268)
* [ENHANCEMENT] Use packages.gopass.pw for APT packages (#2261)

## 1.14.3 / 2022-05-31

* [BUGFIX] Do not print progress bar on otp --clip (#2243)
* [BUGFIX] Removing shadowing warning when using -o/--password (#2245)
* [CLEANUP] Deprecate OutputIsRedirected in favour of IsTerminal (#2248)
* [DOCUMENTATION] Adding doc about YAML entries and unsafe-keys (#2244)
* [ENHANCEMENT] Allow deleting multiple secrets (#2239)

## 1.14.2 / 2022-05-22

* [BUGFIX] Fix gpg identity detection (#2218, #2179)
* [BUGFIX] Handle different line breaks in recipient (#2221, #2220)
* [BUGFIX] Stop eating secrets on move (#2211, #2210)
* [ENHANCEMENT] Add flag to keep env variable capitalization (#2226, #2225)
* [ENHANCEMENT] Environment variable GOPASS_PW_DEFAULT_LENGTH can be used to overwrite default password length of 24 characters. (#2219)

## 1.14.1 / 2022-05-02

* [BUGFIX] Do not print missing public key for age. (#2166)
* [BUGFIX] Improve convert output (#2171)
* [BUGFIX] fix errors in zsh completions (#2005)
* [CLEANUP] Migrating to a maintained version of openpgp (#2193)
* [ENHANCEMENT] Avoid decryption on move or copy (#2183, #2181)
* [UX] Upgrade xkcdpwgen to a new version that removes German (#2187)

## 1.14.0 / 2022-03-16

* Add --chars option to print subset of secrets (#2155, #2068)
* [BUGFIX] Always re-encrypt when fsck is invoked with --decrypt. (#2119, #2015)
* [BUGFIX] Body only entries are detected now by show -o (#2109)
* [BUGFIX] Do not hide git error messages (#2118, #1959)
* [BUGFIX] Fix completion when password name contains (#2150)
* [BUGFIX] Fix template func arg order (#2117, #2116)
* [BUGFIX] Fixes an issue where recipients remove may fail (#2147, #1964)
* [BUGFIX] Handle from prefix correctly on mv (#2110, #2079)
* [BUGFIX] Handle unencoded secret on cat (#2105)
* [BUGFIX] Make man page consistent with other docs (#2133)
* [BUGFIX] Reject invalid salt with MD5Crypt templates (#2128)
* [BUGFIX] depend *.deb on gnupg instead of dummy (#2050)
* [CLEANUP] Deprecate gopasspw/pinentry (#2095)
* [CLEANUP] Use Go 1.18 (#2156)
* [CLEANUP] Use debug.ReadBuildInfo (#2032)
* [DOCUMENTATION] Fixed link to passwordstore.org (#2129)
* [DOCUMENTATION] document 'gopass cat' (#2051)
* [DOCUMENTATION] improve 'gopass cat' (#2070)
* [DOCUMENTATION] improve 'gopass show -revision -' (#2070)
* [ENHANCEMENT] Add age subcommand (#2103, #2098)
* [ENHANCEMENT] Add gopass audit --expiry (#2067)
* [ENHANCEMENT] Add gopass process (#2066, #1913)
* [ENHANCEMENT] Allow overriding GPG path (#2153)
* [ENHANCEMENT] Automatically export creators key to the (#2159, #1919)
* [ENHANCEMENT] Bump to Go 1.18 (#2058)
* [ENHANCEMENT] Enforce TLSv1.3 (#2085)
* [ENHANCEMENT] Generics (#2034, #2030)
* [ENHANCEMENT] Hide password on MacOS clipboards (#2065)
* [ENHANCEMENT] Passage compat improvements (#2060, #2060)
* [ENHANCEMENT] gopass git invokes git directly (#2102)
* [ENHANCEMENT] Template support for the create wizard (#2064)
* [ENHANCEMENT] Check for MacOS Keychain storing the GPG (#2144)
* [EXPERIMENTAL] Support the Fossil SCM (#2092, #2022)
* [FEATURE] Add env variables for custom clipboard commands. (#2091, #2042)
* [FEATURE] only accept keys with "encryption" key capability (#2047, #1917, #1917)
* [TESTING] Improve two line test ambiguity. (#2091, #2042)
* [TESTING] Use a helper to unset env vars in clipboard tests. (#2091, #2042)
* [UX] OTP code now runs in loop until canceled or used with -o (#2041)

## 1.13.1 / 2022-01-15

* [BUGFIX] Handle from prefix correctly on mv (#2110, #2079)
* [BUGFIX] Handle unencoded secret on cat

## 1.13.0 / 2021-11-13

* [BUGFIX] Do not print OTP progress bar if not in terminal (#2019)
* [BUGFIX] Don't prompt to retype password unnecessarily (#1983)
* [BUGFIX] Fix AutoClip handling on generate (#2024, #2023)
* [BUGFIX] Replace Build Status badge in README (#2016)
* [BUGFIX] The field 'parsing' is now honored with legacy config pre v1.12.7 (#1997)
* [BUGFIX] Use default git branch on setup (#2026, #1945)
* [ENHANCEMENT] Adding a MSI installer for Windows (#2001)
* [ENHANCEMENT] Move password prompts to stderr (#2004)
* [FEATURE] Add capitalized words to memorable passwords (#1985, #1984)
* [UX] Use new progress bar for OTP expiry time (#2019)

## 1.12.8 / 2021-08-28

* [BUGFIX] Use same default for partial config files (#1968)
* [CLEANUP] Remove GOPASS_NOCOLOR in favor of NO_COLOR (#1937, #1936)
* [ENHANCEMENT] Add gopass merge (#1979, #1948)
* [ENHANCEMENT] Add --symbols to gopass pwgen (#1966)
* [ENHANCEMENT] Warn on untracked files (#1972)

## 1.12.7 / 2021-07-02

* [DOCUMENTATION] Fixed Single Line Formatting for Clone Documentation (#1943)
* [BUGFIX] Allow --strict to be chained with --symbols (#1952, #1941)
* [BUGFIX] Normalize recipient IDs before comparison (#1953, #1900)
* [BUGFIX] Use /tmp for GIT_SSH_COMMAND on Mac (#1951, #1896)
* [ENHANCEMENT] Add warning when parsing content (#1950)

## 1.12.6 / 2021-05-01

* [BUGFIX] Do not recurse with a key (#1907, #1906)
* [BUGFIX] Fix SSH control path (#1899, #1896)
* [BUGFIX] Fix gopass env with subtrees (#1894, #1893)
* [BUGFIX] Honor create -s flag (#1891)
* [BUGFIX] Ignore commented values in gpg config (#1901, #1898)
* [ENHANCEMENT] Add better usage instructions (#1912)

## 1.12.5 / 2021-03-27

* [BUGFIX] Allow subkeys (#1843, #1841, #1842)
* [BUGFIX] Avoid logging credentials (#1886, #1883)
* [BUGFIX] Fix SSH Command override on termux (#1881)
* [CLEANUP] Moving pkg/pinentry to gopasspw/pinentry (#1876)
* [ENHANCEMENT] Add -f flag to create (#1867, #1811)
* [ENHANCEMENT] Add gopass ln (#1828)
* [ENHANCEMENT] Add proper diff numbers on sync (#1882)
* [ENHANCEMENT] Update password rules (#1861)

## 1.12.4 / 2021-03-20

* [BUGFIX] Bring back --yes (#1862, #1858)
* [BUGFIX] Fix make install on BSD (#1859)

## 1.12.3 / 2021-03-20

* [BUGFIX] Fix generate -c (#1846, #1844)
* [BUGFIX] Fix gopass update (#1838, #1837)
* [BUGFIX] Fix progress bar on 32 bit archs (#1855, #1854)
* [CLEANUP] Remove the custom formula in favour of the official one. (#1847)
* [ENHANCEMENT] Install manpage when using `make install` (#1845)

## 1.12.2 / 2021-03-13

* [BUGFIX] Do not fail if reminder is unavailable (#1835, #1832)
* [BUGFIX] Do not shadow directories (#1817, #1813)
* [BUGFIX] Do not trigger ClamAV FP (#1810, #1807)
* [BUGFIX] Fix -o (#1822)
* [BUGFIX] Honor Ctrl+C while waiting for user input (#1805, #1800)
* [ENHANCEMENT] Add gopass.1 man page (#1827, #1824)
* [UX] Adding the grep command to --help (#1826, #1825)

## 1.12.1 / 2021-02-17

* [BUGFIX] Enable updater on Windows (#1790, #1789)
* [BUGFIX] Fix progress bar nil pointer access (#1790, #1789)
* [BUGFIX] Fix % char in passwords being treated as formatting (#1794, #1793, #1801)
* [ENHANCEMENT] Add ARCHITECTURE.md (#1787)
* [ENHANCEMENT] Added a env var to disable reminders (#1792)
* [ENHANCEMENT] Remind to run gopass update/fsck/audit after 90d (#1792)

## 1.12.0 / 2021-02-11

WARNING: The self updater does not support updating from 1.11.0 to 1.12.0. Our release infrastructure does not support the key type used in 1.11.0.

NOTE: This release drops the integrations that were moved to their own repos, i.e. `git-credential-gopass`, `gopass-hibp`, `gopass-jsonapi` and `gopass-summon-provider`.
We have implemented proper release signing and verification for the self updater and brought it back.

* [BUGFIX] Add signature verification for updater (#1717, #1676)
* [BUGFIX] Allow using tilde (#1713, #872)
* [BUGFIX] Always allow removing mounts (#1748, #1746)
* [BUGFIX] Ask passphrase upon key generation (#1715, #1698)
* [BUGFIX] Do not overwrite age keyring (#1734, #1678)
* [BUGFIX] Remove empty parents on gopass rm -r (#1725, #1723)
* [BUGFIX] The empty password must now be confirmed too (#1719)
* [BUGFIX] Use the first GPG found in path on Windows (#1751, #1635)
* [BUGFIX] Warn about --throw-keyids (#1759, #1756)
* [BUGFIX] fixed mixed case keys for key-value, all keys are lower case now (#1778)
* [CLEANUP] Remove migrated binaries (#1712, #1673, #1649, #1652, #1631, #1165, #1711, #1670, #1639)
* [CLEANUP] Remove the ondisk backend (#1720)
* [ENHANCEMENT] Add -A and -B to pwgen (#1716)
* [ENHANCEMENT] Add Pinentry CLI fallback (#1697, #1655)
* [ENHANCEMENT] Add REPL cmd lock (#1744)
* [ENHANCEMENT] Add optional pinentry unescaping (#1621)
* [ENHANCEMENT] Add tpl funcs for Bcrypt and Argon2 (#1706, #1689)
* [ENHANCEMENT] Add windows support to the self updater (#1724, #1722)
* [ENHANCEMENT] Confirm new age keyring passphrases (#1747)
* [ENHANCEMENT] KV secrets are now key-values, supporting multiple same key with different values (#1741)
* [ENHANCEMENT] UTF-8 emojis (#1715, #1698)
* [ENHANCEMENT] Use gpgconf to the the gpg binary (#1758, #1757)
* [ENHANCEMENT] Use main as the git default branch (#1749, #1742)
* [ENHANCEMENT] Use persistent SSH connections (#1755)
* [TESTING] Adding DI to Github Actions (#1728)

## 1.11.0 / 2020-01-12

This is an important bugfix release that should resolve several outstanding issues and concerns. Since 1.10.0 was released we engaged in a lot of discussions and realized that compatibility is more important than we first thought. So we're rolling back some breaking changes and revising some parts of our roadmap.
We will strive to remain compatible with other password store implementations - but remember this is a goal, not a promise. This means we'll continue using compatible secrets formats as well as GPG and Git.

* [BUGFIX] Allow secret names to have a colon in the name
* [BUGFIX] Apply limit in list correctly
* [BUGFIX] Correcting newlines handling
* [BUGFIX] Correct missing padding to TOTP entry
* [BUGFIX] Create cache folder if doesn't exist. Relevant
* [BUGFIX] Disable gopass update
* [BUGFIX] Disabling all kind of parsing of the input
* [BUGFIX] Do not duplicate key password in K/V secrets
* [BUGFIX] Do not search for new secrets
* [BUGFIX] fixes gopass-jsonapi for MacTools GPGSuite users.
* [BUGFIX] Fix legacy config parsing
* [BUGFIX] fsck won't correct recipients without --decrypt
* [BUGFIX] Insert is not resetting the pw now if a key:value pair is specified inline
* [BUGFIX] Insert is now parsing its stdin input
* [BUGFIX] Invalidate GPG key list after generation
* [BUGFIX] List no longer uses the store size as its default depth
* [BUGFIX] Nil dereference in cui
* [BUGFIX] Pass arguments to a notification program
* [BUGFIX] Password insert prompt now works on Windows but
* [BUGFIX] Re-adding the global --yes flag
* [BUGFIX] Remove GPG location caching
* [BUGFIX] Restore path-removal from old config-format
* [BUGFIX] Show now correctly handles -C and -u together
* [BUGFIX] The deprecation warning is now output on stderr
* [BUGFIX] Trim version prefix in jsonapi
* [CLEANUP] Remove MIME
* [CLEANUP] Remove the unfinished xc backend
* [CLEANUP] Update to minio/v7
* [DOCUMENTATION] Edited features.md
* [DOCUMENTATION] Improve contributing guide.
* [DOCUMENTATION] Slight updates to reflect the recent code
* [ENHANCEMENT] Adding a trailing separator to the listed folders
* [ENHANCEMENT] Adding the flag show -n to disable output parsing
* [ENHANCEMENT] Adding the option parsing to disable all parsing
* [ENHANCEMENT] fsck now detects leftover Mime secrets
* [ENHANCEMENT] Full windows support
* [ENHANCEMENT] Prompt for edit search result
* [ENHANCEMENT] Re-introduce gopass -c
* [ENHANCEMENT] Show GPG --gen-key error to the user
* [ENHANCEMENT] This is required when using e.g. Gnome Keyring.
* [ENHANCEMENT] Use 32 byte salt by default
* [UX] Preserve content across retries

## 1.10.1

* [BUGFIX] Fix the Makefile
* [BUGFIX] Remove misleading config error message
* [BUGFIX] Re-use existing root store
* [BUGFIX] Use standard Unix directories on MacOS

## 1.10.0

WARNING: This release contains a few breaking changes as well as necessary packaging changes.

This release is building the foundation for an eventual 2.0 release which will drop many legacy features and significantly shrink the codebase to ensure long term maintainability. The goal is to remove the support for multiple backends and any external dependencies, including `git` and `gpg` binaries. By default the tool should be easy to use, secure and modern. We will still support our flagship use cases, like working in teams. Also gopass might eventually move to a fully encrypted backend where we don't leak information through filenames.

Any gopass 1.x release should still be compatible with any password store implementation (possibly with some caveats). Beyond that we plan to drop any compatibility goals.

If you are using different Password Store implementations to access your secrets, e.g. on mobile devices, you might want to run `gopass config mime false` before performing any kind of write operation on the password store. Otherwise mutated secrets will be written using the new native gopass MIME format and might not be readable from other implementations.
This release adds documentation for all supported subcommands in the `docs/commands` folder and starts to define our core use cases in the `docs/usecases` folder. Please note that the command documentation also serves as a specification on how these commands are supposed to operate.

Note: We have accumulated too many changes so we've decided to skip the 1.9.3 release and issue the first release of the 1.10. series.

Note to package maintainers: This release adds additional binaries which should be included in any binary re-distribution of gopass.

* [BREAKING] New secrets format
* [BUGFIX] Allow deleting shadowed secret
* [BUGFIX] Correctly handle exportkeys and auto import for noop
* [BUGFIX] Do not allow malformed secrets
* [BUGFIX] Do not return error on no grep matches
* [BUGFIX] Fix config panic with mounts
* [BUGFIX] Fix fsck progress bar.
* [BUGFIX] Fix git init
* [BUGFIX] Fix optional key passed through find
* [BUGFIX] Fix tree shadowing.
* [BUGFIX] Handle relative path during init
* [BUGFIX] Honor generate --print
* [BUGFIX] Honor trust level during onboarding.
* [BUGFIX] Print RCS error message
* [BUGFIX] Print config parse error to STDERR
* [BUGFIX] Properly initialize crypto during onboarding and
* [BUGFIX] env command: do not crash if called without a command to execute
* [CLEANUP] Merge Storage and RCS backends
* [CLEANUP] Move internal packages to internal
* [CLEANUP] Remove autoclip for gopass show
* [CLEANUP] Remove config option confirm
* [CLEANUP] Remove curses UI
* [CLEANUP] Remove the --sync flag to gopass show
* [CLEANUP] Rename --force to --unsafe for show
* [CLEANUP] Rename xkcd generator options
* [DEPRECATION] Mark gopass git as deprecated
* [DEPRECATION] Remove AutoPrint
* [DEPRECATION] Remove askformore, autosync
* [DEPRECATION] Retire editrecipients option
* [DOCUMENTATION] Document audit, generate, insert and show
* [DOCUMENTATION] Document list flags
* [DOCUMENTATION] Improve documentation of Zsh completion setup
* [ENHANCEMENT] Add GOPASS_DISABLE_MIME to disable new
* [ENHANCEMENT] Add arm and arm64 binaries
* [ENHANCEMENT] Add gopass API (unstable)
* [ENHANCEMENT] Add regexp support to gopass grep
* [ENHANCEMENT] Add zxcvbn password strength checker
* [ENHANCEMENT] Avoid direct show on gopass search
* [ENHANCEMENT] Cache gpg binary location
* [ENHANCEMENT] Ignore binary secrets for audit
* [ENHANCEMENT] Introduce --generator flag
* [ENHANCEMENT] Introduce unsafe-keys
* [ENHANCEMENT] Make audit report passwords not changed
* [ENHANCEMENT] Make show --qr flag complementary
* [ENHANCEMENT] New Debug package
* [ENHANCEMENT] New progress bar
* [ENHANCEMENT] Print password before sync
* [ENHANCEMENT] Provide more helpful config parse errors
* [ENHANCEMENT] Rewrite tree implementation
* [ENHANCEMENT] Show recipients from subfolder id files
* [ENHANCEMENT] Speed up gpg store init
* [ENHANCEMENT] Support changing path with gopass config
* [ENHANCEMENT] Support relative revisions for show
* [ENHANCEMENT] Warn if vim might be leaking secrets
* [ENHANCEMENT] env command: more tests
* [FEATURE] Add Password Rules and Domain Alias support
* [FEATURE] Add experimental backend converter
* [FEATURE] Add remote config for ondisk storage
* [FEATURE] Add remote sync support for the ondisk backend
* [FEATURE] Add summon provider
* [FEATURE] Pinentry API: support OPTION API call
* [FEATURE] REPL
* [TESTING] Add a test to detect shadowing issue with mount

## 1.9.2 / 2020-05-13

* [BUGFIX] Bring back the custom fish completion.
* [BUGFIX] Disable AutoClip when redirecting stdout
* [ENHANCEMENT] Create new sub stores in XDG compliant locations.

## 1.9.1 / 2020-05-09

* [BUGFIX] Do not copy to clipboard with -f
* [BUGFIX] Encrypt parent directory if leaf node exists.
* [BUGFIX] Fix -c and -C for default show action.
* [BUGFIX] Hide git-credential store warning.
* [BUGFIX] Honor notifications setting.
* [BUGFIX] Simplify autoclip behavior
* [DEPRECATION] Remove PASSWORD_STORE_DIR support
* [ENHANCEMENT] Add exportkeys option.
* [ENHANCEMENT] Add memorable password generator
* [ENHANCEMENT] Add preliminary age encryption support.
## 1.9.0 / 2020-05-01

* [ENHANCEMENT] Proper windows support [#1295]
* [ENHANCEMENT] Add pwgen subcommand [#1308]
* [ENHANCEMENT] Only decrypt when needed [#1289]
* [ENHANCEMENT] Full unattended password generation [#1259]
* [ENHANCEMENT] Add -C flag [#1272]
* [ENHANCEMENT] Migrate to urfave/cli/v2 [#1276]
* [ENHANCEMENT] Support Termux [#913]
* [BUGFIX] Do not fail if nothing to commit [#1168, #1103]
* [BUGFIX] Restore PASSWORD_STORE_DIR support [#1213]
* [BUGFIX] Do not remove empty second line [#1235]
* [BUGFIX] Do not disable color if no PAGER is available [#1244]
* [BUGFIX] Do not overwrite entry when reading from STDIN [#1245]
* [BUGFIX] Commit when using concurrency gt 1 [#1246]
* [BUGFIX] Do not error out when listing a leaf node [#1300]
* [BUGFIX] Do not overwrite config if PASSWORD_STORE_DIR is set [#1286]
* [BUGFIX] Fix go get support [#1288]
* [DEPRECATION] Remove Dockerfile [#1309]
* [DEPRECATION] Remove Bintray [#1304]
* [DEPRECATION] Deprecate OTP, Binary, YAML git-credentials and xc support [#1301]
* [DEPRECATION] Remove support for OpenPGP (library), GoGit, Vault, Consul and encrypted configs [#1290, #1283, #1282, #1279]

## 1.8.6 / 2019-07-26

* [ENHANCEMENT] Add --password to otp command [#1150]
* [ENHANCEMENT] Support adding key values with colons [#1128]
* [BUGFIX] Allow overwriting directories with --force [#1149]
* [BUGFIX] Sort list of stores when adding recipients [#1144]
* [BUGFIX] Sort recipients by Name not by ID [#1143]
* [BUGFIX] Handle slashes in recipient names [#1139]

## 1.8.5 / 2019-03-03

* [ENHANCEMENT] Improve template handling [#1029]
* [ENHANCEMENT] Remove empty directories [#1009]
* [ENHANCEMENT] Improve performance of unclip [#923]
* [ENHANCEMENT] Add AutoPrint option [#1065]
* [ENHANCEMENT] Follow the rsync convention for cp/mv commands [#1055]
* [BUGFIX] Fix bash completion for MSYS on Windows [#1053]
* [BUGFIX] Git clone failing [#1036]

## 1.8.4 / 2018-12-26

* [ENHANCEMENT] Evaluate templates when inserting single secrets [#1023]
* [ENHANCEMENT] Add fuzzy search dialog for gopass otp [#1021]
* [ENHANCEMENT] Add edit option to search dialog [#1019]
* [ENHANCEMENT] Introduce build tags for experimental features [#1000]
* [BUGFIX] Fix recursive delete [#1024]
* [BUGFIX] Abort tests on critical failures [#997]
* [BUGFIX] Zsh autocompletion [#996]

## 1.8.3 / 2018-11-19

* [ENHANCEMENT] Add zsh autocompletion for insert and generate [#988]
* [ENHANCEMENT] Set exit code for filtered ls without result [#983]
* [ENHANCEMENT] Improve generate command [#948]
* [ENHANCEMENT] Print summary for grep [#943]
* [ENHANCEMENT] Documentation updates [#924, #890, #918, #919, #920, #944, #952, #958, #969, #985]
* [ENHANCEMENT] jsonapi: Add windows support for configure [#904]
* [ENHANCEMENT] jsonapi: Add getVersion [#893]
* [ENHANCEMENT] Support symlinks for fs storage backend [#886]
* [BUGFIX] Offer store selection with exactly one mount point as well [#987]
* [BUGFIX] Edit entry selected by fuzzy search [#979]
* [BUGFIX] Fix path handling on windows [#970]
* [BUGFIX] Remove quotes [#967]
* [BUGFIX] Properly handle git add for removed files [#946]
* [BUGFIX] Handle already mounted and not initialized errors [#945]
* [BUGFIX] Fix HIBP command options [#936]
* [BUGFIX] Offer secret selection on edit command [#929]
* [BUGFIX] jsonapi: add initialize [#903]
* [BUGFIX] Update external dependencies [#884, #932, #981]
* [BUGFIX] Use valid crypto backend for key selection [#889]

## 1.8.2 / 2018-06-28

* [ENHANCEMENT] Improve fsck output [#859]
* [ENHANCEMENT] Enable notifications on FreeBSD [#863]
* [ENHANCEMENT] Redirect errors to stderr [#880]
* [ENHANCEMENT] Do not write version to config [#883]
* [BUGFIX] Fix commit on move [#860]
* [BUGFIX] Properly check store initialization [#865]

## 1.8.1 / 2018-06-08

* [BUGFIX] Trim fsck path [#856]
* [BUGFIX] Handle URL parse errors in create [#855]

## 1.8.0 / 2018-06-06

This release includes several possibly breaking changes.
The `gopass move` implementation was refactored to properly support moving entries and subtrees across mount points. This may change the behaviour slightly. Also the build flags were changed to build PIE binaries. This should not affect the runtime behaviour, but we could not test this on all platforms, yet. * [BREAKING] Make move work recursively and across stores [#821] * [FEATURE] Add git credential caching [#743] * [FEATURE] Add local recipient integrity checks [#800 #826] * [ENHANCEMENT] Handle key-value pairs on generate and insert [#790] * [ENHANCEMENT] Add gpg.listKeys caching [#804] * [ENHANCEMENT] Add append mode for gopass insert [#807] * [ENHANCEMENT] Support external password generators [#811] * [ENHANCEMENT] Add gopass generate completion heuristic [#817] * [ENHANCEMENT] Add revive linter checks [#822] * [ENHANCEMENT] Remove -static build flag, enable CGO and -buildmode=PIE [#823] * [ENHANCEMENT] Warn if RCS backend is noop during gopass sync [#825] * [ENHANCEMENT] Support for special password rules on generate [#832] * [ENHANCEMENT] Improve create wizard [#842] * [ENHANCEMENT] Honor templates on generate [#847] * [ENHANCEMENT] Support NO_COLOR [#851] * [BUGFIX] Reset clipboard timer on repeated copy [#813] * [BUGFIX] Add --force to git add invocation [#839] * [BUGFIX] Rename updater GitHub Organisation [#818] * [BUGFIX] Default to origin master for git pull [#819] * [BUGFIX] Properly propagate RCS backend on gopass clone [#820] * [BUGFIX] Fix sub store config propagation [#837 #841] * [BUGFIX] Use default for password store dir [#846] * [BUGFIX] Properly handle autosync on recipients save [#848] * [BUGFIX] Resolve key IDs to fingerprints before adding or removing [#850] ## 1.7.2 / 2018-05-28 * [BUGFIX] Fix tilde expansion [#802] ## 1.7.1 / 2018-05-25 * [BUGFIX] Add nogit compat handler [#792] * [BUGFIX] Fix reencrypt [#796] ## 1.7.0 / 2018-05-22 * [FEATURE] Pluggable crypto, storage and RCS backends. 
Including a pure-Go NaCl based crypto backend [#645] [#680] [#736] [#777] * [FEATURE] Password history [#660] * [FEATURE] Vault backend [#723] [#730] * [FEATURE] Consul backend [#697] * [FEATURE] HIBPv2 Dump and API support [#666] [#706] * [FEATURE] Select recipients per secret [#703] * [FEATURE] Add experimental OpenPGP crypto backend [#670] * [ENHANCEMENT] Support HIBPv2 API and Dumps [#666] * [ENHANCEMENT] Robust K/V parser with YAML fallback [#659] * [ENHANCEMENT] Restrict fsck to given path [#721] * [ENHANCEMENT] Refactor [#702] [#708] [#715] [#722] [#731] * [ENHANCEMENT] Proper Makefile dependencies [#707] * [ENHANCEMENT] Auto-copy with safecontent [#685] * [ENHANCEMENT] Add disable notifications option [#690] * [ENHANCEMENT] Migrate from govendor to dep [#688] * [ENHANCEMENT] Improve test coverage [#732] [#781] [#782] * [ENHANCEMENT] Improvate YAML handling [#739] * [ENHANCEMENT] Audit freshly generated passwords [#761] * [BUGFIX] Use sh instead of bash [#699] * [BUGFIX] Lookup correct remote for current branch [#692] * [BUGFIX] Fix GPG binary detection on Windows [#681] [#693] * [BUGFIX] Version [#727] * [BUGFIX] Git init [#729] * [BUGFIX] Secret.String() [#738] * [BUGFIX] Fix generate --symbols [#742] [#783] ## 1.6.11 / 2018-02-20 * [ENHANCEMENT] Documentation updates [#648] [#656] * [ENHANCEMENT] Add secret completions to edit command in zsh [#654] * [BUGFIX] Avoid escaping values added to secrets [#658] * [BUGFIX] Fix parsing of GPG UIDs [#650] ## 1.6.10 / 2018-01-18 * [ENHANCEMENT] Add Travis MacOS builds [#618] * [ENHANCEMENT] Make gopass build on DragonFlyBSD [#619] * [ENHANCEMENT] Increase test coverage [#621] [#622] [#624] * [BUGFIX] Properly handle sub-store configuration [#625] * [BUGFIX] Fix Makefile [#615] [#617] * [BUGFIX] Fix failing tests on MacOS [#614] ## 1.6.9 / 2018-01-05 * [BUGFIX] Fix update URL check [#610] ## 1.6.8 / 2018-01-05 * [ENHANCEMENT] Add OpenBSD Ksh completion [#586] * [ENHANCEMENT] Increase test coverage [#589] [#590] 
[#592] [#595] [#596] [#597] [#601] [#602] [#603] [#604] * [ENHANCEMENT] Update Documentation and Dockerfile [#591] [#605] * [BUGFIX] Use Termwiz CUI on OpenBSD [#588] * [BUGFIX] Fix create wizard [#594] * [BUGFIX] Use persistent bufio.Reader [#607] ## 1.6.7 / 2017-12-31 * [ENHANCEMENT] Add --sync flag to gopass show [#544] * [ENHANCEMENT] Update dependencies [#547] * [ENHANCEMENT] Use gocui for terminal UI [#562] * [ENHANCEMENT] Increase test coverage [#548] [#549] [#567] [#568] [#570] [#572] [#574] [#575] [#577] [#578] [#583] [#584] * [ENHANCEMENT] Add Dockerfile [#561] * [ENHANCEMENT] Add zsh and fish completion generator [#565] * [ENHANCEMENT] Add go-fuzz instrumentation [#576] * [BUGFIX] Catch URL parse errors [#546] ## 1.6.6 / 2017-12-20 * [FEATURE] Selective Sync [#538] * [ENHANCEMENT] Make termwiz honor copy flag [#534] * [ENHANCEMENT] Make shell completion respect binary name [#536] * [ENHANCEMENT] Refactor [#533] [#540] [#541] [#542] * [BUGFIX] Show git output [#529] ## 1.6.5 / 2017-12-15 * [ENHANCEMENT] Handle errors gracefully [#524] * [BUGFIX] Follow symlinks [#519] * [BUGFIX] Improve GPG binary detection [#520] [#522] ## 1.6.4 / 2017-12-13 * [ENHANCEMENT] Support desktop notifications on Mac and Windows [#513] * [BUGFIX] Fix slice out of bounds error [#517] * [BUGFIX] Allow .password-store to be a symlink [#516] * [BUGFIX] Respect --store flag to git sub command [#512] ## 1.6.3 / 2017-12-12 * [ENHANCEMENT] Avoid altering YAML secrets unless necessary [#508] * [ENHANCEMENT] Documentation updates [#493] [#509] * [ENHANCEMENT] Abort if no GPG binary was found [#506] * [ENHANCEMENT] Support GOPASS_GPG_OPTS and GOPASS_UMASK [#504] * [BUGFIX] Create .gpg-keys if it does not exist [#507] ## 1.6.2 / 2017-12-02 * [FEATURE] Add gopass fix command [#471] * [ENHANCEMENT] Add pledge support on OpenBSD [#469] * [ENHANCEMENT] Improve no clipboard warning [#484] * [BUGFIX] Allow OTP entry in password field [#467] * [BUGFIX] Default to vi if no other editor is 
available [#479] * [BUGFIX] Avoid auto-search running non-interactively [#483] ## 1.6.1 / 2017-11-15 * [FEATURE] Add generic OTP action [#440] * [ENHANCEMENT] Ignore any secret that does not end with .gpg [#461] * [ENHANCEMENT] Add option to display only the password [#455] * [ENHANCEMENT] Disable fuzzy search for gopass find [#454] * [BUGFIX] Fix .gpg-id selection for sub folders [#465] * [BUGFIX] Set gpg.program if possible [#464] * [BUGFIX] Allow access to secrets shadowed by a folder [#463] * [BUGFIX] Set GPG_TTY [#452] * [BUGFIX] Fix termbox UI on OpenBSD [#446] * [BUGFIX] Fix tests and paths on Windows [#421] [#431] [#442] [#450] ## 1.6.0 / 2017-11-03 * [FEATURE] Add Desktop notifications (Linux/DBus only) [#434] [#435] * [ENHANCEMENT] Show public key identities before importing [#427] * [ENHANCEMENT] Initialize local git config on gopass clone [#429] * [ENHANCEMENT] Do not print generated passwords by default [#430] * [ENHANCEMENT] Clear KDE Klipper History on clipboard clearing [#434] * [ENHANCEMENT] Refactor git backend [#437] * [BUGFIX] Fix recipients remove when using email as identifier [#436] ## 1.5.1 / 2017-10-25 * [ENHANCEMENT] Re-introduce usecolor config option [#414] * [ENHANCEMENT] Improve documentation [#407] [#409] [#416] [#417] * [ENHANCEMENT] Add language switch for xckd-style generation [#406] * [BUGFIX] Fix GPG binary detection [#419] * [BUGFIX] Fix tests on windows [#421] ## 1.5.0 / 2017-10-17 * [FEATURE] Add secret creation wizard [#386] * [FEATURE] Add onboarding wizard [#387] * [FEATURE] Wizard for recipients add/remove [#359] * [FEATURE] XKCD#936 inspired password generation [#368] * [FEATURE] Add update wizard [#395] * [ENHANCEMENT] Overhaul documentation [#383] [#384] * [ENHANCEMENT] Attempt to get TOTP key from YAML [#376] * [ENHANCEMENT] Allow find to take -c [#378] * [ENHANCEMENT] Improve terminal wizard [#385] * [ENHANCEMENT] Improve responsiveness by context usage [#388] * [ENHANCEMENT] Improve output readability [#392] [#393] * 
[ENHANCEMENT] Automatic GPG key generation [#391] * [BUGFIX] Relax YAML document marker handling [#398] ## 1.4.1 / 2017-10-05 * [BUGFIX] Support pre-1.3.0 configs [#382] * [BUGFIX] Turn YAML errors into warnings [#380] ## 1.4.0 / 2017-10-04 * [FEATURE] Add fuzzy search [#317] * [FEATURE] Allow restricting charset of generated passwords [#270] * [FEATURE] Check quality of newly inserted passwords with crunchy [#276] * [FEATURE] JSON API [#326] * [FEATURE] Per-Mount configuration options [#330] * [FEATURE] Terminal selection of results [#259] * [FEATURE] gopass sync [#303] * [ENHANCEMENT] Build with Go 1.9 [#294] * [ENHANCEMENT] Display single find result directly [#265] * [ENHANCEMENT] Global --yes flag [#327] * [ENHANCEMENT] Improve error handling and propagation [#280] * [ENHANCEMENT] Omit newline when not writing to a terminal [#325] * [ENHANCEMENT] Only commit once per recipient batch operation [#329] * [ENHANCEMENT] Provide partial support for .gpg-id files in sub folders [#291] * [ENHANCEMENT] Trim any trailing newlines or carriage returns in show output [#296] * [ENHANCEMENT] Use contexts [#310] * [ENHANCEMENT] Use contexts to cancel long running operations [#358] * [ENHANCEMENT] Use default editors [#286] * [ENHANCEMENT] Improve documentation [#365] * [ENHANCEMENT] Print selected entry [#372] * [BUGFIX] Confirm removal of directories [#309] * [BUGFIX] Only confirm recipients once during batch operations [#328] * [BUGFIX] Only overwrite password on insert [#323] * [BUGFIX] Avoid Show/Find recursion [#360] * [BUGFIX] Remove deprecated special case for .yaml files [#362] * [BUGFIX] Do not offer invalid keys [#364] * [BUGFIX] Assign path only if resolving symlink succeeds [#370] ## 1.3.2 / 2017-08-22 * [BUGFIX] Fix git version output [#274] ## 1.3.1 / 2017-08-15 * [BUGFIX] Enable AutoSync by default [#267] * [BUGFIX] git - do not abort if a store has no remote [#261] * [BUGFIX] Fix IFS in bash completion [#268] ## 1.3.0 / 2017-08-11 * [BREAKING] Enforce YAML 
document markers [#193] * [BREAKING] Simplify configuration [#213] * [BREAKING] Align gopass init flags with other commands [#252] * [FEATURE] Implement pager feature [#163] * [FEATURE] Add basic fish completion [#168] * [FEATURE] Add version check [#205] * [FEATURE] Add gopass audit command [#228] * [FEATURE] Add gopass audit hibp command [#239] * [ENHANCEMENT] Disable auto-push while re-encrypting [#171] * [ENHANCEMENT] Configure git user and email before initial git commit [#185] * [ENHANCEMENT] Add recursive git operations [#186] * [ENHANCEMENT] Document missing config options [#188] * [ENHANCEMENT] Only check and load missing GPG keys after git pull [#190] * [ENHANCEMENT] Only encrypt for valid recipients [#191] * [ENHANCEMENT] Check and import missing GPG keys on recipients show [#204] * [ENHANCEMENT] Save recipients on show [#207] * [ENHANCEMENT] Include GPG and Git version in gopass version output [#210] * [ENHANCEMENT] Support more flexible YAML documents [#217] * [ENHANCEMENT] Simplify mounts add by inferring local path [#219] * [ENHANCEMENT] Add contributor documentation [#222] * [ENHANCEMENT] Re-use selected encryption key for git signing [#247] * [ENHANCEMENT] Setup git push.default [#248] * [BUGFIX] Fix nil-pointer check on non existing sub tree [#183] * [BUGFIX] Fix load-keys [#203] * [BUGFIX] Only match mounts on folders [#240] * [BUGFIX] Disable checkRecipients as it conflicts with alwaysTrust [#242] ## 1.2.0 / 2017-06-21 * [FEATURE] YAML support [#125] * [FEATURE] Binary support [#136] * [ENHANCEMENT] Increase test coverage [#160] * [ENHANCEMENT] Use secure temporary storage on MacOS [#144] * [ENHANCEMENT] Use goreleaser [#151] * [BUGFIX] Fix git invocation [#140] * [BUGFIX] Fix missing recipients on init [#141] * [BUGFIX] Fix sorting of mount points [#148] ## 1.1.2 / 2017-06-14 * [BUGFIX] Fix gopass init --store [#129] * [BUGFIX] Fix gopass init [#127] ## 1.1.1 / 2017-06-13 * [ENHANCEMENT] Allow files and folders with the same name [#124] * 
[ENHANCEMENT] Improve error messages [#121] * [ENHANCEMENT] Add rm aliases to remove commands [#119] * [BUGFIX] Several bug fixes for multi-repository handling [#123] ## 1.1.0 / 2017-05-31 * [FEATURE] Support templates [#1] * [FEATURE] QR Code output [#64] * [ENHANCEMENT] If entry was not found start search [#109] * [ENHANCEMENT] Do not write color codes unless terminal [#111] * [ENHANCEMENT] Make find compare case insensitive [#108] * [ENHANCEMENT] Enforce UNIX style line endings [#105] * [ENHANCEMENT] Use XDG_CONFIG_HOME [#67] * [ENHANCEMENT] Support symlinks [#41] * [ENHANCEMENT] Add nocolor config flag [#33] * [ENHANCEMENT] Accept args for editor [#30] * [BUGFIX] Build fixes for Windows [#14] ## 1.0.2 / 2017-03-24 * [ENHANCEMENT] Improve mounts and init commands [#87] * [ENHANCEMENT] Document behavior of `-c` [#82] * [ENHANCEMENT] Pass custom arguments to dmenu completion [#72] * [ENHANCEMENT] Build with Go 1.8 [#65] * [BUGFIX] Improve recursive deletes [#55] * [BUGFIX] Bypass prompts on gopass insert --force [#66] * [BUGFIX] Able to store secrets, but with errors [#13] * [BUGFIX] Don't prompt if input from stdin [#58] * [BUGFIX] Git add fails to "add" removed files [#57] ## 1.0.1 / 2017-02-13 * [FEATURE] Add dmenu support [#47] * [ENHANCEMENT] Extend GOPASS_DEBUG coverage [#31] * [ENHANCEMENT] Accept args for editor [#30] * [ENHANCEMENT] Use gpg2 if available [#9] * [BUGFIX] Fix git error handling in saveRecipients [#32] * [BUGFIX] Check if ExpirationDate is set [#28] * [BUGFIX] Change user.signkey to user.signingkey [#26] * [BUGFIX] Only copy the first line to the clipboard [#21] * [BUGFIX] Add search alias to find [#8] ## 1.0.0 / 2017-02-02 * [ENHANCEMENT] Support mounted sub-stores * [ENHANCEMENT] git auto-push and auto-pull * [ENHANCEMENT] git-style config editing * [ENHANCEMENT] Simplified recipient management * [ENHANCEMENT] Interactive questions for missing parameters ================================================ FILE: CONTRIBUTING.md 
================================================
# Contributing

`gopass` uses GitHub to manage reviews of pull requests.

* If you are a new contributor see: [Steps to Contribute](#steps-to-contribute)

* If you have a trivial fix or improvement, go ahead and create a pull request.

* If you plan to do something more involved, first raise an issue to discuss
  your idea. This will avoid unnecessary work.

* Relevant coding style guidelines are the [Go Code Review Comments](https://code.google.com/p/go-wiki/wiki/CodeReviewComments)
  and the _Formatting and style_ section of Peter Bourgon's [Go: Best Practices for Production Environments](http://peter.bourgon.org/go-in-production/#formatting-and-style).

## Steps to Contribute

Should you wish to work on an issue, please claim it first by commenting on the GitHub issue you want to work on. This will prevent duplicated efforts from contributors.

Please check the [`help-wanted`](https://github.com/gopasspw/gopass/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22) label to find issues that need help. If you have questions about one of the issues please comment on them and one of the maintainers will try to clarify it.

## Pull Request Checklist

* Use the [latest stable Go release](https://golang.org/dl/)

* Branch from master and, if needed, rebase to the current master branch before submitting your pull request. If it doesn't merge cleanly with master you will be asked to rebase your changes.

* Commits should be as small as possible, while ensuring that each commit is correct independently.

* Add tests relevant to the fixed bug or new feature.

* Commit messages must contain [Developer Certificate of Origin](https://developercertificate.org/) / `Signed-off-by` line, for example:

      One line description of commit

      More detailed description of commit, if needed.

      Signed-off-by: Your Name

* The first line of the commit message, the subject line, should be prefixed with a tag indicating the type of the change. These tags will be extracted and used to populate the changelog. Valid `[TAG]`s are `[BREAKING]`, `[BUGFIX]`, `[CLEANUP]`, `[DEPRECATION]`, `[DOCUMENTATION]`, `[ENHANCEMENT]`, `[FEATURE]`, `[TESTING]`, and `[UX]`.

## Building & Testing

* Build via `go build` to create the binary file `./gopass`.
* Run unit tests with: `make test`
* Run meta tests with: `make codequality`
* Run integration tests with: `make test-integration`

If any of the above don't work check out the [troubleshooting section](#troubleshooting-build).

## Releasing

See [docs/releases.md](docs/releases.md).

================================================
FILE: Dockerfile
================================================
FROM docker.io/library/golang:1.25-alpine@sha256:b6ed3fd0452c0e9bcdef5597f29cc1418f61672e9d3a2f55bf02e7222c014abd AS build-env

ENV CGO_ENABLED=0

RUN apk add --no-cache make git ncurses

# Build gopass
WORKDIR /home/runner/work/gopass/gopass

COPY go.mod .
COPY go.sum .

RUN go mod download

COPY . .

ARG goflags_arg=""
ENV GOFLAGS=$goflags_arg

RUN make clean
RUN make gopass

# Build gopass-jsonapi
WORKDIR /home/runner/work/gopass
RUN git clone https://github.com/gopasspw/gopass-jsonapi.git
WORKDIR /home/runner/work/gopass/gopass-jsonapi
RUN go mod download
RUN make clean
RUN make gopass-jsonapi

# Build gopass-hibp
WORKDIR /home/runner/work/gopass
RUN git clone https://github.com/gopasspw/gopass-hibp.git
WORKDIR /home/runner/work/gopass/gopass-hibp
RUN go mod download
RUN make clean
RUN make gopass-hibp

# Build gopass-summon-provider
WORKDIR /home/runner/work/gopass
RUN git clone https://github.com/gopasspw/gopass-summon-provider.git
WORKDIR /home/runner/work/gopass/gopass-summon-provider
RUN go mod download
RUN make clean
RUN make gopass-summon-provider

# Build git-credential-gopass
WORKDIR /home/runner/work/gopass
RUN git clone https://github.com/gopasspw/git-credential-gopass.git
WORKDIR /home/runner/work/gopass/git-credential-gopass
RUN go mod download
RUN make clean
RUN make git-credential-gopass

FROM docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1
RUN apk add --no-cache ca-certificates git gnupg
COPY --from=build-env /home/runner/work/gopass/gopass/gopass /usr/local/bin/
COPY --from=build-env /home/runner/work/gopass/gopass-jsonapi/gopass-jsonapi /usr/local/bin/
COPY --from=build-env /home/runner/work/gopass/gopass-hibp/gopass-hibp /usr/local/bin/
COPY --from=build-env /home/runner/work/gopass/gopass-summon-provider/gopass-summon-provider /usr/local/bin/
COPY --from=build-env /home/runner/work/gopass/git-credential-gopass/git-credential-gopass /usr/local/bin/

================================================
FILE: GOVERNANCE.md
================================================
# gopass project governance

## Overview

The gopass project uses a governance model commonly described as Benevolent
Dictator For Life (BDFL). This document outlines our understanding of what this
means. It is derived from the [i3 window manager project governance](https://raw.githubusercontent.com/i3/i3/next/.github/GOVERNANCE.md).

## Roles

* user: anyone who interacts with the gopass project
* core contributor: a handful of people who have contributed significantly to
  the project by any means (issue triage, support, documentation, code, etc.).
  Core contributors are recognizable via GitHub’s “Member” badge.
* Benevolent Dictator For Life (BDFL): a single individual who makes decisions
  when consensus cannot be reached. gopass’s current BDFL is [@dominikschulz](https://github.com/dominikschulz).

## Decision making process

In general, we try to reach consensus in discussions. In case consensus cannot
be reached, the BDFL makes a decision.

## Contribution process

Please see [CONTRIBUTING](CONTRIBUTING.md).
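
The commit message rules in CONTRIBUTING.md (a `[TAG]` prefix from the list of valid tags on the subject line, plus a `Signed-off-by` line) can be checked mechanically, for example in CI before the tags are extracted for the changelog. The Go check below is an added example, not code from the gopass repository; the function name `CheckCommitMessage`, the `Name <email>` trailer shape (as written by `git commit -s`) and the sample messages are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// validTags are the subject-line tags listed in CONTRIBUTING.md.
var validTags = map[string]bool{
	"BREAKING": true, "BUGFIX": true, "CLEANUP": true,
	"DEPRECATION": true, "DOCUMENTATION": true, "ENHANCEMENT": true,
	"FEATURE": true, "TESTING": true, "UX": true,
}

// subjectRe captures the bracketed tag and requires a description after it.
var subjectRe = regexp.MustCompile(`^\[([^\]]*)\]\s+\S`)

// signoffRe matches a DCO trailer in the "Name <email>" shape (assumption:
// the format produced by `git commit -s`).
var signoffRe = regexp.MustCompile(`^Signed-off-by: \S.* <[^<>@\s]+@[^<>@\s]+>$`)

// CheckCommitMessage (hypothetical helper) returns one entry per rule the
// message violates; an empty slice means the message passes both checks.
func CheckCommitMessage(msg string) []string {
	var problems []string
	msg = strings.ReplaceAll(msg, "\r\n", "\n")
	lines := strings.Split(strings.TrimRight(msg, " \t\n"), "\n")

	subject := strings.TrimSpace(lines[0])
	m := subjectRe.FindStringSubmatch(subject)
	switch {
	case subject == "":
		problems = append(problems, "empty subject line")
	case m == nil:
		problems = append(problems, "subject must start with a [TAG] followed by a description")
	case !validTags[m[1]]:
		problems = append(problems, fmt.Sprintf("unknown tag [%s]", m[1]))
	}

	// Trailers belong to the last paragraph. Walk it bottom-up and stop at
	// the first blank line, so a sign-off quoted earlier in the body does
	// not count. Index 0 is the subject and is never treated as a trailer.
	signed := false
	for i := len(lines) - 1; i > 0; i-- {
		line := strings.TrimSpace(lines[i])
		if line == "" {
			break
		}
		if signoffRe.MatchString(line) {
			signed = true
			break
		}
	}
	if !signed {
		problems = append(problems, "missing Signed-off-by trailer in the last paragraph")
	}
	return problems
}

func main() {
	// Constructed sample messages, not taken from the gopass history.
	samples := []string{
		"[BUGFIX] Fix tilde expansion\n\nExpand ~ before resolving the store path.\n\nSigned-off-by: Jane Doe <jane@example.org>\n",
		"Fix tilde expansion\n\nSigned-off-by: Jane Doe <jane@example.org>\n",
		"[FIX] Fix tilde expansion\n",
	}
	for _, s := range samples {
		subject := strings.SplitN(s, "\n", 2)[0]
		if problems := CheckCommitMessage(s); len(problems) > 0 {
			fmt.Printf("REJECT %q: %s\n", subject, strings.Join(problems, "; "))
		} else {
			fmt.Printf("OK     %q\n", subject)
		}
	}
}
```

The function expects an already cleaned message (for instance from `git log --format=%B`), so editor comment lines are assumed to be stripped before it runs.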

================================================
FILE: LICENSE
================================================
The MIT License (MIT)

Copyright 2017 JustWatch GmbH

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

================================================
FILE: Makefile
================================================
FIRST_GOPATH := $(firstword $(subst :, ,$(GOPATH)))
PKGS := $(shell go list ./... | grep -v /tests | grep -v /xcpb | grep -v /gpb)
GOFILES_NOVENDOR := $(shell find . -name vendor -prune -o -type f -name '*.go' -not -name '*.pb.go' -print)
GOFILES_BUILD := $(shell find . -type f -name '*.go' -not -name '*_test.go')
GOPASS_VERSION ?= $(shell cat VERSION)
GOPASS_OUTPUT ?= gopass
GOPASS_REVISION := $(shell cat COMMIT 2>/dev/null || git rev-parse --short=8 HEAD)
BASH_COMPLETION_OUTPUT := bash.completion
FISH_COMPLETION_OUTPUT := fish.completion
ZSH_COMPLETION_OUTPUT := zsh.completion
CLIPHELPERS ?= ""
# Support reproducible builds by embedding date according to SOURCE_DATE_EPOCH if present
DATE := $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" '+%FT%T%z' 2>/dev/null || date -u '+%FT%T%z')
BUILDFLAGS_NOPIE := -buildvcs=true -tags=netgo -trimpath -ldflags="-s -w -X main.version=$(GOPASS_VERSION) -X main.commit=$(GOPASS_REVISION) -X main.date=$(DATE) $(CLIPHELPERS)" -gcflags="-trimpath=$(GOPATH)" -asmflags="-trimpath=$(GOPATH)"
BUILDFLAGS ?= $(BUILDFLAGS_NOPIE) -buildmode=pie
TESTFLAGS ?=
PWD := $(shell pwd)
PREFIX ?= $(GOPATH)
BINDIR ?= $(PREFIX)/bin
GO ?= GO111MODULE=on CGO_ENABLED=0 go
GOOS ?= $(shell $(GO) version | cut -d' ' -f4 | cut -d'/' -f1)
GOARCH ?= $(shell $(GO) version | cut -d' ' -f4 | cut -d'/' -f2)
TAGS ?= netgo
export GO111MODULE=on

OK := $(shell tput setaf 6; echo ' [OK]'; tput sgr0;)

all: sysinfo build
build: $(GOPASS_OUTPUT)
completion: $(BASH_COMPLETION_OUTPUT) $(FISH_COMPLETION_OUTPUT) $(ZSH_COMPLETION_OUTPUT)
gha-linux: sysinfo licensecheck crosscompile build fulltest completion
gha-osx: sysinfo build test completion
gha-windows: sysinfo build test-win completion

sysinfo:
	@echo ">> SYSTEM INFORMATION"
	@echo -n " PLATFORM : $(shell uname -a)"
	@printf '%s\n' '$(OK)'
	@echo -n " PWD: : $(shell pwd)"
	@printf '%s\n' '$(OK)'
	@echo -n " GO : $(shell $(GO) version)"
	@printf '%s\n' '$(OK)'
	@echo -n " BUILDFLAGS : $(BUILDFLAGS)"
	@printf '%s\n' '$(OK)'
	@echo -n " GIT : $(shell git version)"
	@printf '%s\n' '$(OK)'
	@echo -n " GPG : $(shell which gpg) $(shell gpg --version | head -1)"
	@printf '%s\n' '$(OK)'
	@echo -n " GPGAgent : $(shell which gpg-agent) $(shell gpg-agent --version | head -1)"
	@printf '%s\n' '$(OK)'

clean:
	@echo -n ">> CLEAN"
	@rm -rf vendor/
	@$(GO) clean -i ./...
	@rm -f ./coverage-all.html
	@rm -f ./coverage-all.out
	@rm -f ./coverage.out
	@find . -type f -name "coverage.out" -delete
	@rm -f gopass_*.deb
	@rm -f gopass-*.pkg.tar.xz
	@rm -f gopass-*.rpm
	@rm -f gopass-*.tar.bz2
	@rm -f gopass-*.tar.gz
	@rm -f gopass-*-*
	@rm -f tests/tests
	@rm -f *.test
	@rm -rf dist/*
	@printf '%s\n' '$(OK)'

$(GOPASS_OUTPUT): $(GOFILES_BUILD)
	@echo -n ">> BUILD, version = $(GOPASS_VERSION)/$(GOPASS_REVISION), output = $@"
	@$(GO) build -o $@ $(BUILDFLAGS)
	@printf '%s\n' '$(OK)'

install: all install-completion install-man
	@echo -n ">> INSTALL, version = $(GOPASS_VERSION)"
	@install -m 0755 -d $(DESTDIR)$(BINDIR)
	@install -m 0755 $(GOPASS_OUTPUT) $(DESTDIR)$(BINDIR)/gopass
	@printf '%s\n' '$(OK)'

install-completion:
	@install -d $(DESTDIR)$(PREFIX)/share/zsh/site-functions $(DESTDIR)$(PREFIX)/share/bash-completion/completions $(DESTDIR)$(PREFIX)/share/fish/vendor_completions.d
	@install -m 0644 $(ZSH_COMPLETION_OUTPUT) $(DESTDIR)$(PREFIX)/share/zsh/site-functions/_gopass
	@install -m 0644 $(BASH_COMPLETION_OUTPUT) $(DESTDIR)$(PREFIX)/share/bash-completion/completions/gopass
	@install -m 0644 $(FISH_COMPLETION_OUTPUT) $(DESTDIR)$(PREFIX)/share/fish/vendor_completions.d/gopass.fish
	@printf '%s\n' '$(OK)'

install-man: gopass.1
	@install -d -m 0755 $(DESTDIR)$(PREFIX)/share/man/man1
	@install -m 0644 gopass.1 $(DESTDIR)$(PREFIX)/share/man/man1/gopass.1

fulltest: $(GOPASS_OUTPUT)
	@echo ">> TEST, \"full-mode\": race detector off"
	@echo "mode: atomic" > coverage-all.out
	@$(foreach pkg, $(PKGS),\
	    echo -n " ";\
	    $(GO) test -run '(Test|Example)' $(BUILDFLAGS) $(TESTFLAGS) -coverprofile=coverage.out -covermode=atomic $(pkg) || exit 1;\
	    tail -n +2 coverage.out >> coverage-all.out;)
	@$(GO) tool cover -html=coverage-all.out -o coverage-all.html
	@which go-cover-treemap > /dev/null; if [ $$? -ne 0 ]; then \
		$(GO) install github.com/nikolaydubina/go-cover-treemap@latest; \
	fi
	@go-cover-treemap -coverprofile coverage-all.out > coverage-all.svg

test: $(GOPASS_OUTPUT)
	@echo ">> TEST, \"fast-mode\": race detector off"
	@$(foreach pkg, $(PKGS),\
	    echo -n " ";\
	    $(GO) test -test.short -run '(Test|Example)' $(BUILDFLAGS) $(TESTFLAGS) $(pkg) || exit 1;)

test-win: $(GOPASS_OUTPUT)
	@echo ">> TEST, \"fast-mode-win\": race detector off"
	@$(foreach pkg, $(PKGS),\
	    $(GO) test -test.short -run '(Test|Example)' $(pkg) || exit 1;)

test-integration: $(GOPASS_OUTPUT)
	cd tests && GOPASS_BINARY=$(PWD)/$(GOPASS_OUTPUT) GOPASS_TEST_DIR=$(PWD)/tests $(GO) test -v $(TESTFLAGS)

crosscompile:
	@echo ">> CROSSCOMPILE"
	@which goreleaser > /dev/null; if [ $$? -ne 0 ]; then \
		$(GO) install github.com/goreleaser/goreleaser/v2@v2.11.2; \
	fi
	@goreleaser build --snapshot

%.completion: $(GOPASS_OUTPUT)
	@printf ">> $* completion, output = $@"
	@./gopass completion $* > $@
	@printf "%s\n" "$(OK)"

codequality: licensecheck
	@echo ">> CODE QUALITY"

	@echo -n " GOLANGCI-LINT "
	@which golangci-lint > /dev/null; if [ $$? -ne 0 ]; then \
		$(GO) install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.6.1; \
	fi
	@golangci-lint run --max-issues-per-linter 0 --max-same-issues 0 || exit 1
	@printf '%s\n' '$(OK)'

	@echo -n " KEEP-SORTED "
	@which keep-sorted > /dev/null; if [ $$? -ne 0 ]; then \
		$(GO) install github.com/google/keep-sorted@latest; \
	fi
	@keep-sorted --mode lint $(GOFILES_NOVENDOR) || exit 1
	@printf '%s\n' '$(OK)'

	@echo -n " CAPSLOCK "
	@which capslock > /dev/null; if [ $$? -ne 0 ]; then \
		$(GO) install github.com/google/capslock/cmd/capslock@latest; \
	fi
	@capslock -packages ./... -output=compare .capabilities.json || exit 1
	@printf '%s\n' '$(OK)'

	@echo -n " GOVULNCHECK "
	@which govulncheck > /dev/null; if [ $$? -ne 0 ]; then \
		$(GO) install golang.org/x/vuln/cmd/govulncheck@latest; \
	fi
	@govulncheck >/dev/null || exit 1
	@printf '%s\n' '$(OK)'

licensecheck:
	@echo ">> LICENSE CHECK"
	@echo -n " LICENSE-LINT "
	@which license-lint > /dev/null; if [ $$? -ne 0 ]; then \
		$(GO) install istio.io/tools/cmd/license-lint@latest; \
	fi
	@license-lint --config .license-lint.yml >/dev/null || exit 1
	@printf '%s\n' '$(OK)'

gen:
	@$(GO) generate ./...

fmt:
	@keep-sorted --mode fix $(GOFILES_NOVENDOR)
	@gofumpt -w $(GOFILES_NOVENDOR)
	@$(GO) mod tidy

deps:
	@$(GO) build -v ./...

upgrade: gen fmt
	@$(GO) get -u ./...
	@$(GO) mod tidy

man:
	@$(GO) run helpers/man/main.go > gopass.1

msi:
	@$(GO) run helpers/msipkg/main.go

docker:
	docker build -t gopass:latest .

.PHONY: clean build completion install sysinfo crosscompile test codequality release goreleaser debsign man msi docker

================================================
FILE: README.md
================================================

gopass Gopher by Vincent Leinweber, remixed from the Renée French original Gopher

# Overview [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/gopasspw/gopass/badge)](https://securityscorecards.dev/viewer/?uri=github.com/gopasspw/gopass) [![Build Status](https://img.shields.io/github/actions/workflow/status/gopasspw/gopass/build.yml?branch=master)](https://github.com/gopasspw/gopass/actions/workflows/build.yml?query=branch%3Amaster) [![Go Report Card](https://goreportcard.com/badge/github.com/gopasspw/gopass)](https://goreportcard.com/report/github.com/gopasspw/gopass) [![Packaging status](https://repology.org/badge/tiny-repos/gopass-gopasspw.svg)](https://repology.org/project/gopass-gopasspw/versions) [![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/gopasspw/gopass/blob/master/LICENSE) [![Github All Releases](https://img.shields.io/github/downloads/gopasspw/gopass/total.svg)](https://github.com/gopasspw/gopass/releases) [![Gopass Slack](https://img.shields.io/badge/%23gopass-Slack-brightgreen)](https://join.slack.com/t/gopassworkspace/shared_invite/zt-17jl74b5x-U1OUW4ts4AQ7eAf2V4QaaQ) > The slightly more awesome standard UNIX password manager for teams. Manage your credentials with ease. In a globally distributed team, on multiple devices or fully offline on an air-gapped machine. - **Works everywhere** - The same user experience on Linux, MacOS, *BSD or Windows - **Built for teams** - Built from our experience working in distributed development teams - **Full autonomy** - No network connectivity required, unless you want it # How Does It Work? Gopass is a drop-in replacement for pass, the standard UNIX password manager. By default your credentials are encrypted with GPG and versioned in git. This can be customized easily. Other backends for encryption (e.g. age) and storage (e.g. fossil) are also available. The primary interface is the command line, making it an excellent choice for CLI fans, CI/CD systems or anything you can hook it up with. 
Gopass can also integrate with your browser so you can largely avoid the command line - if you want. # Installation ## Necessary prerequisites for running `gopass` `gopass` can operate without any dependencies but most users will use it with `gpg` and `git`. An external editor is required to use `gopass edit`. ## Installation through package managers ### [Homebrew](https://brew.sh) (Linux/MacOS) [![homebrew version](https://img.shields.io/homebrew/v/gopass)](https://github.com/Homebrew/homebrew-core/blob/master/Formula/gopass.rb) ```shell brew install gopass ``` ### [MacPorts](https://www.macports.org) (macOS) [![macports version](https://repology.org/badge/version-for-repo/macports/gopass-gopasspw.svg)](https://ports.macports.org/port/gopass/) ```shell sudo port install gopass ``` ### Debian (Ubuntu, Debian, Raspbian, ...) **Warning**: Do not install the `gopass` package from the official repositories. That is a completely different project that has no relation to us. ```shell curl https://packages.gopass.pw/repos/gopass/gopass-archive-keyring.gpg | sudo tee /usr/share/keyrings/gopass-archive-keyring.gpg >/dev/null cat << EOF | sudo tee /etc/apt/sources.list.d/gopass.sources Types: deb URIs: https://packages.gopass.pw/repos/gopass Suites: stable Architectures: all amd64 arm64 armhf Components: main Signed-By: /usr/share/keyrings/gopass-archive-keyring.gpg EOF sudo apt update sudo apt install gopass gopass-archive-keyring ``` ### Fedora / RedHat / CentOS [![Fedora version](https://img.shields.io/fedora/v/gopass)](https://packages.fedoraproject.org/pkgs/gopass/gopass/) ```shell dnf install gopass ``` Note: You might need to run `dnf copr enable daftaupe/gopass` first. 
### Arch Linux [![Arch version](https://img.shields.io/archlinux/v/extra/x86_64/gopass)](https://archlinux.org/packages/extra/x86_64/gopass/) ```shell pacman -S gopass ``` ### Windows [![Scoop version](https://img.shields.io/scoop/v/gopass)](https://github.com/ScoopInstaller/Main/blob/master/bucket/gopass.json) ```shell # WinGet winget install Git.Git winget install GnuPG.Gpg4win winget install gopass.gopass # Chocolatey choco install gpg4win choco install gopass # Alternatively scoop install gopass ``` ### FreeBSD / OpenBSD ```shell cd /usr/ports/security/gopass make install ``` ### Alpine Linux ```shell apk add gopass ``` ## Other installation options Please see [docs/setup.md](https://github.com/gopasspw/gopass/blob/master/docs/setup.md) for other options. ### From Source ```shell go install github.com/gopasspw/gopass@latest ``` Note: `latest` is not a stable release. We recommend to only use released versions. ### Manual download Download the [latest release](https://github.com/gopasspw/gopass/releases/latest) and add the binary to your PATH. # Quick start guide Initialize a new `gopass` configuration: ```shell gopass setup __ _ _ _ _ _ ___ ___ /'_ '\ /'_'\ ( '_'\ /'_' )/',__)/',__) ( (_) |( (_) )| (_) )( (_| |\__, \\__, \ '\__ |'\___/'| ,__/''\__,_)(____/(____/ ( )_) | | | \___/' (_) 🌟 Welcome to gopass! 🌟 Initializing a new password store ... 🌟 Configuring your password store ... 🎮 Please select a private key for encrypting secrets: [0] gpg - 0xFEEDBEEF - John Doe Please enter the number of a key (0-12, [q]uit) (q to abort) [0]: 0 ❓ Do you want to add a git remote? [y/N/q]: y Configuring the git remote ... Please enter the git remote for your shared store []: git@gitlab.example.org:john/passwords.git ✅ Configured ``` By default `gopass setup` will use `gpg` encryption and `git` storage. 
This will create a new password store in `$HOME/.local/share/gopass/stores/root` and a configuration in `$HOME/.config/gopass/config` using `gpg` encryption and `git` for versioned storage.
Users can override these with e.g. `--crypto=age` to use `age` encryption instead or opt out of using a versioned store with `--storage=fs`.

An existing store can be cloned with e.g. `gopass clone git@gitlab.example.org:john/passwords.git`.

Create a new secret:

```shell
gopass create
```

List all existing secrets:

```shell
gopass ls
```

Copy an existing password to the clipboard:

```shell
gopass show -c foo
```

Remove an existing secret:

```shell
gopass rm foo
```

Other examples:

```shell
# Command structure
gopass [] [options] [args]
# Shortcut for gopass show []
gopass []
# Enter the gopass REPL
gopass
# Find all entries matching the search string
gopass find github
# List your store
gopass ls
# List all mounts
gopass mounts
# List all recipients
gopass recipients
# Sync with all remotes
gopass sync
# Setup a new store
gopass setup
```

## Screenshot

![screenshot](docs/showcase.png)

## Support

Please ask on [Slack](https://join.slack.com/t/gopassworkspace/shared_invite/zt-17jl74b5x-U1OUW4ts4AQ7eAf2V4QaaQ).

## Contributing

We welcome any contributions. Please see [CONTRIBUTING.md](https://github.com/gopasspw/gopass/blob/master/CONTRIBUTING.md) for more information.

## Credit & License

gopass is licensed under the terms of the MIT license. You can find the complete text in [`LICENSE`](https://github.com/gopasspw/gopass/blob/master/LICENSE).

Please refer to our [Contributors](https://github.com/gopasspw/gopass/graphs/contributors) page for a complete list of our contributors.

================================================
FILE: VERSION
================================================
1.16.1

================================================
FILE: bash.completion
================================================
_gopass_bash_autocomplete() {
    local cur opts base
    COMPREPLY=()
    cur="${COMP_WORDS[COMP_CWORD]}"
    # Use error handling to prevent crashes from invalid flags
    opts=$( ${COMP_WORDS[@]:0:$COMP_CWORD} --generate-bash-completion 2>/dev/null ) || opts=""
    local IFS=$'\n'
    COMPREPLY=( $(compgen -W "${opts}" -- ${cur}) )
    return 0
}

complete -F _gopass_bash_autocomplete gopass

================================================
FILE: docs/backends/age.md
================================================
# age crypto backend

The `age` backend is an experimental crypto backend based on [age](https://age-encryption.org). It adds an encrypted keyring on top (using age in scrypt password mode). It also has (largely untested) support for specifying recipients as github users. This will use their ssh public keys for age encryption.

It is well positioned to eventually replace `gpg` as the default crypto backend.

## Getting started

WARNING: This backend is experimental and the on-disk format is likely to change.

To start using the `age` backend initialize a new (sub) store with the `--crypto=age` flag:

```
$ gopass age identity add [AGE-... age1...]
$ gopass init --crypto age
```

or use the wizard that will help you create a new age key:

```
$ gopass setup --crypto age
```

This will automatically create a new age keypair and initialize the new store.

Existing stores can be migrated using `gopass convert --crypto age`.

N.B.
for a fully scripted or **non-interactive setup**, you can use the `GOPASS_AGE_PASSWORD` env variable to set your identity file secret passphrase, and specify the age identity and recipients that should be used for encrypting/decrypting passwords as follows:

```
$ gopass age identity add
$  GOPASS_AGE_PASSWORD=mypassword gopass init --crypto age
```

Notice the extra space in front of the command, which keeps it out of most shells' history.
You'll need to set your name and username using `git` directly if you're using it as the storage backend (the default one).

You can also specify the ssh directory by setting the `GOPASS_SSH_DIR` environment variable:

```
$ GOPASS_SSH_DIR=/Downloads/new_ssh_dir gopass init --crypto age
```

## Features

* Encryption using `age` library, can be decrypted using the `age` CLI
* Support for native age, ssh-ed25519 and ssh-rsa recipients
* Support for encrypted ssh private keys
* Support for using GitHub users' SSH public keys, e.g. `github:user` as recipient
* Automatic downloading and caching of SSH keys from GitHub
* Encrypted keyring for age keypairs
* Support for age plugins
* Caching of passphrases via an agent

## Agent

The age backend comes with an agent that can cache the passphrases for your age identities. The agent is started automatically by gopass if it's not already running. You can disable the agent by setting `age.agent-enabled` to `false` in your gopass config.

The agent performs the decryption and the passphrase never leaves the agent process. The agent listens on a unix socket at `$XDG_RUNTIME_DIR/gopass/gopass-age-agent.sock`.

You can interact with the agent using the following commands:

- `gopass age agent`: starts the agent in the foreground.
- `gopass age lock`: locks the agent, clearing all cached passphrases.

## Usage with a yubikey

To use with a Yubikey, `age` requires the usage of the [age-plugin-yubikey plugin](https://github.com/str4d/age-plugin-yubikey/).
Assuming you have Rust installed:

```bash
$ cargo install age-plugin-yubikey
$ age-plugin-yubikey -i
$ age-plugin-yubikey
✨ Let's get your YubiKey set up for age! ✨
$ age-plugin-yubikey -i
$ gopass age identities add
Enter the age identity starting in AGE-:
Provide the corresponding age recipient starting in age1:
```

If gopass tells you `waiting on yubikey plugin...` when decrypting secrets, it is probably waiting for you to touch your Yubikey because you've set a Touch policy when setting up your PIV slot.

## Roadmap

The future of this backend largely depends on what is happening in the `age` project itself.

Assuming `age` supports this, we'd like to:

* Finalize GitHub recipient support
* Add Hardware token support
* Make age the default gopass backend

================================================
FILE: docs/backends/cryptfs.md
================================================
# cryptfs storage backend

The `cryptfs` backend is an experimental storage backend **PREVIEW**. It hashes secret names and stores the mapping from names to actual file inside an `age` encrypted lookup table.

The filesystem backing this storage backend is flexible, but by default uses `gitfs`.

**WARNING**: Do not use unless you want to contribute to the development of this backend!

================================================
FILE: docs/backends/fossilfs.md
================================================
# `fossilfs` storage backend

This is an **EXPERIMENTAL** storage backend that uses the Fossil SCM. It isn't well tested and only exists to provide an example of what a non-git backend could look like.

================================================
FILE: docs/backends/fs.md
================================================
# fs storage backend

The simplest storage backend, often used for testing. It stores data directly in the filesystem without any RCS support.

================================================
FILE: docs/backends/gitfs.md
================================================
# `gitfs` storage backend

This is the default storage backend. It stores the encrypted data directly in the filesystem. It uses an external git binary to provide history and remote sync operations.

gopass configures git to use persistent ssh connections. If you do not want this, set `GIT_SSH_COMMAND` to an empty string to override the built-in default.

================================================
FILE: docs/backends/gpg.md
================================================
# gpg crypto backend

The `gpgcli` backend is the default crypto backend based on the `gpg` CLI. It depends on the GPG installation to be working and having a properly initialized keyring.

## Getting started

WARNING: This backend suffers from myriads of different configuration options, a poor scripting interface and no pure-Go library bindings being available.

To start using the `gpgcli` backend initialize a new (sub) store with the `--crypto=gpgcli` flag:

```
gopass init --crypto gpgcli
gopass recipients add 0xDEADBEEF
```

## Features

* Compatible with other password store implementations
* Support for all GPG features, like smart-cards or hardware tokens

## Caveats

* Using long key sizes (e.g. 4096 bit or longer) can make many operations a lot slower
* Some GPG installations don't work well with concurrent operations

## Roadmap

This backend is the single most annoying source of maintenance workload in this project. We try to keep this backend working as well as possible but there are a lot of reasons why we'd prefer to eventually move beyond GPG.

### GPG Criticism

This section is a growing list of references why GPG is bad and why you should avoid it. That might sound like an unusual thing to say for the authors of a tool whose main use case relies on GPG but whenever we tried to move beyond GPG we got a lot of backlash.
So I guess first we need to try to make you understand why you shouldn't hold on to GPG and by then we'll try to have a replacement ready for you.

* [What's the matter with PGP](https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/)
* [The PGP Problem](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html)
* [I'm giving up on PGP](https://blog.filippo.io/giving-up-on-long-term-pgp/)
* [GPG and Me](https://moxie.org/2015/02/24/gpg-and-me.html)

================================================
FILE: docs/backends/jjfs.md
================================================
# `jjfs` storage backend

This is an **EXPERIMENTAL** storage backend that uses the JJ / Git. It isn't well tested and only exists to provide an example of what a non-git backend could look like.

================================================
FILE: docs/backends.md
================================================
# Backends

gopass supports pluggable backends for Storage and Revision Control System (`storage`) and Encryption (`crypto`).

As of today, the names and responsibilities of these backends are still unstable and will probably change.

By providing suitable backends, gopass can use different kinds of encryption or storage. For example, it is pretty straightforward to add mercurial or bazaar as an SCM backend.

All backends are in their own packages below `backend/`. They need to implement the interfaces defined in the backend package and have their identification added to the context handlers in the same package.

## Storage and RCS Backends (storage)

* [fs](backends/fs.md) - Filesystem storage without RCS support
* [gitfs](backends/gitfs.md) - Filesystem storage with Git RCS
* [fossilfs](backends/fossilfs.md) - Filesystem storage with Fossil RCS. **Highly experimental, likely broken**. Use only if you want to contribute to the backend.
* [jjfs](backends/jjfs.md) - Filesystem storage with JJ RCS. **Highly experimental, likely broken**.
Use only if you want to contribute to the backend.
* [cryptfs](backends/cryptfs.md) - Fully encrypted filesystem storage. **Highly experimental, likely broken**. Use only if you want to contribute to the backend.

## Crypto Backends (crypto)

* [gpgcli](backends/gpg.md) - depends on a working gpg installation
* plain - A no-op backend used for testing. WARNING: DOES NOT ENCRYPT!
* [age](backends/age.md) - This backend is based on [age](https://github.com/FiloSottile/age). It adds an encrypted keyring on top (using age in scrypt password mode). It also has (largely untested) support for specifying recipients as github users. This will use their ssh public keys for age encryption. This backend might very well become the new default backend.

================================================
FILE: docs/commands/audit.md
================================================
# `audit` command

The `audit` command will decrypt all secrets and scan for weak passwords or other common flaws.

## Synopsis

```
$ gopass audit
```

## Excludes

You can exclude certain secrets from the audit by adding a `.gopass-audit-exclude` file to the secret. The file should contain a list of RE2 patterns to exclude, one per line. For example:

```
# Lines starting with # are ignored. Trailing comments are not supported.
# Exclude all secrets in the pin folder.
# Note: These are RE2, not Glob patterns!
pin/.*
# Literal matches are also valid RE2 patterns
test_folder/ignore_this
# Gopass internally uses forward slashes as path separators, even on Windows. So no need to escape backslashes.
```

## Password strength backends

| Backend | Description |
|------------------------------------------------|--------------------------------------------------|
| [`crunchy`](https://github.com/muesli/crunchy) | Crunchy password strength checker |
| `name` | Checks if password equals the name of the secret |

================================================
FILE: docs/commands/cat.md
================================================
# `cat` command

The `cat` command is used to pipe password in and out of STDIN and STDOUT respectively. As it is intended to be used with binary data, it encodes the data-stream to store it.

## Synopsis

```bash
$ echo "test" | gopass cat test/new
$ gopass cat test/new
```

## Modes of operation

* Create a new entry with data-stream from STDIN
* Change an existing entry to data-stream from STDIN
* Retrieve encoded data from password-store and echo it to STDOUT

Cat is intended to work with binary data, so it accepts any kind of stream from STDIN. It reads the binary-stream from STDIN, encodes it as Base64 and saves it in the password store encoded, with some metadata about the input-stream and the used encoding (currently only Base64 supported).

### Example

```
$ echo "234" | gopass cat test/new
$ gopass show -f test/new
Secret: test/new
content-disposition: attachment; filename="STDIN"
content-transfer-encoding: Base64
MjM0Cg==
$ gopass cat test/new
234
```

### Differences to `insert`

In contrast to `insert` it handles any kind of data-stream from STDIN and encodes it. Drawback: you can not just simply read the password with `gopass show`.

## Flags

This command has currently no supported flags except the gopass globals.

================================================
FILE: docs/commands/clone.md
================================================
# `clone` command

The `clone` command allows cloning and setting up a new password store from a remote location, e.g. a remote git repo.

## Synopsis

```
$ gopass clone git@example.com/store.git
$ gopass clone git@example.com/store.git sub/store
```

## Flags

| Flag | Aliases | Description |
|------------|---------|-----------------------------------------------------------------|
| `--path` | | The path to clone the repo to. |
| `--crypto` | | Override the crypto backend to use if the auto-detection fails. |

================================================
FILE: docs/commands/config.md
================================================
# `config` command

The config command allows displaying and altering configuration options.

Note: To manage mounts use `gopass mounts`.

## Synopsis

```bash
gopass config
gopass config generate.autoclip
gopass config generate.autoclip false
```

## Flags

| Flag | Description |
|-----------|--------------------------------|
| `--store` | Only sync a specific sub store |

================================================
FILE: docs/commands/convert.md
================================================
# `convert` command

The `convert` command exists to migrate stores between different backend implementations.

Note: This command exists to enable a possible migration path. If we agree on a single set of backend implementations the multiple backend support might go away and this command as well.

Warning: Converting between different RCS backends will lose part of the history. While we try to retain as much information as possible, especially the commit timestamps will be set to the convert time.

## Synopsis

```
$ gopass convert --store=foo --move=true --storage=gitfs --crypto=age
$ gopass convert --store=bar --move=false --storage=fs --crypto=plain
```

## Flags

Flag | Description
---- | -----------
`--store` | Substore to convert.
`--move` | Remove backup after converting? (default: `false`)
`--storage` | Target storage backend.
`--crypto` | Target crypto backend.
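
The `.gopass-audit-exclude` rules from docs/commands/audit.md (one RE2 pattern per line, `#` comment lines, no trailing comments), shown as an added Go example that is not gopass's own code. It assumes unanchored matching as done by Go's `regexp.MatchString`, since the page does not say whether gopass anchors patterns; the function names and the secret names are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample following the format rules described in audit.md.
const sampleExcludes = `# Exclude all secrets in the pin folder.
pin/.*
test_folder/ignore_this
`

// ParseExcludes compiles every non-empty, non-comment line as an RE2 pattern.
// A trailing "# ..." is not stripped: it stays part of the pattern, which is
// what "trailing comments are not supported" means in practice.
func ParseExcludes(content string) ([]*regexp.Regexp, error) {
	var patterns []*regexp.Regexp
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		re, err := regexp.Compile(line)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		patterns = append(patterns, re)
	}
	return patterns, sc.Err()
}

// Excluded reports whether any pattern matches the secret name.
// Assumption: unanchored matching, so a pattern may match anywhere in the name.
func Excluded(name string, patterns []*regexp.Regexp) bool {
	for _, re := range patterns {
		if re.MatchString(name) {
			return true
		}
	}
	return false
}

// Coverage returns the secret names that an exclude file would hide from the
// audit, so an over-broad pattern is visible before it is committed.
func Coverage(content string, names []string) ([]string, error) {
	patterns, err := ParseExcludes(content)
	if err != nil {
		return nil, err
	}
	var hidden []string
	for _, name := range names {
		if Excluded(name, patterns) {
			hidden = append(hidden, name)
		}
	}
	return hidden, nil
}

func main() {
	// Constructed secret names.
	names := []string{"pin/door", "work/pin/door", "pinterest/login", "web/github"}
	files := []string{
		sampleExcludes,            // unanchored: also hides work/pin/door
		"^pin/.*\n",               // anchored: only the top-level pin folder
		"pin/*\n",                 // glob habit: RE2 reads this as "pin" plus zero or more "/"
		"pin/.* # banking pins\n", // trailing comment becomes part of the pattern
		"*.bak\n",                 // glob syntax that is not valid RE2
	}
	for _, f := range files {
		hidden, err := Coverage(f, names)
		fmt.Printf("%q -> hidden=%v err=%v\n", f, hidden, err)
	}
}
```

Running a check like this against the real list of secret names shows which entries a pattern removes from the audit; a pattern written with glob habits can silently exempt far more secrets than intended.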

================================================
FILE: docs/commands/create.md
================================================
# `create` command

The `create` command creates a new secret using a set of built-in or custom templates. It implements a wizard that guides inexperienced users through the secret creation.

The main design goal of this command was to guide users through the creation of a secret and asking for the necessary information to create a reasonable secret location.

## Synopsis

```bash
gopass create
gopass create --store=foo
```

## Modes of operation

* Create a new secret using a wizard

## Templates

`gopass create` will look for files ending in `.yml` in the folder `.gopass/create` inside the selected store (by default the root store).

To add new templates to the wizard add templates to this folder.

Example:

```bash
$ cat $(gopass config mounts.path)/.gopass/create/aws.yml
---
priority: 5
name: "AWS"
prefix: "aws"
name_from:
  - "org"
  - "user"
welcome: "🧪 Creating AWS credentials"
attributes:
  - name: "org"
    type: "string"
    prompt: "Organization"
    min: 1
  - name: "user"
    type: "string"
    prompt: "User"
    min: 1
  - name: "password"
    type: "password" # hide input
    prompt: "Password"
    charset: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%&*"
    min: 10
    strict: true # ensure at least one char from each detected class (upper, lower, digit, symbol)
  - name: "comment"
    type: "string"
    prompt: "Comments"
```

## Template Attributes

Template attributes support the following fields:

| Field | Type | Description |
|-----------------|--------|-------------|
| `name` | string | The name of the attribute. This will be used as the key in the secret's YAML data. |
| `type` | string | The type of attribute. Supported values: `string`, `hostname`, `password`. |
| `prompt` | string | The prompt text to display to the user. |
| `charset` | string | For password type: Custom character set to use when generating the password. If not specified, standard character classes will be used. |
| `min` | int | Minimum length validation for the attribute value. |
| `max` | int | Maximum length validation for the attribute value. |
| `always_prompt` | bool | For password type: Always prompt for the password instead of offering password generation. Default: `false`. |
| `strict` | bool | For password type with `charset`: Enforce that all detected character classes (uppercase, lowercase, digits, symbols) present in the charset are represented in the generated password. Similar to `--strict` in `gopass generate`. Default: `false`. |

## Flags

| Flag | Aliases | Description |
|-----------|---------|------------------------------------------------------------------|
| `--store` | `-s` | Select the store to use. Will be used to look up user templates. |
| `--force` | `-f` | For overwriting existing entries. |
| `--print` | `-p` | Print the password to STDOUT. |

================================================
FILE: docs/commands/delete.md
================================================
# `delete` command

The `delete` command is used to remove a single secret or a whole subtree.

Note: Recursive operations crossing mount points are intentionally not supported.

## Synopsis

```
$ gopass delete entry
$ gopass rm -r path/to/folder
$ gopass rm -f entry
$ gopass delete entry key
```

## Modes of operation

* Delete a single secret
* Delete a single key from an existing secret
* Delete a directory of secrets

## Flags

| Flag | Aliases | Description |
|---------------|---------|---------------------------------------|
| `--recursive` | `-r` | Recursively delete files and folders. |
| `--force` | `-f` | Do not ask for confirmation. |

## Details

* Removing a single key will need to decrypt the secret

================================================
FILE: docs/commands/edit.md
================================================
# `edit` command

The `edit` command loads a new or existing secret into your `$EDITOR` (default: `vim`) and saves the resulting content in the password store. It will attempt to create a secure temporary directory (depending on the OS) and will warn if an insecure editor configuration (currently only `vim`) is detected.

Native `gopass` MIME secrets are syntax checked and invalid encodings are rejected. Any other type of secret is accepted as is.

`gopass` will honor templates when creating a new entry.

## Synopsis

```
$ gopass edit entry
$ gopass edit -e /bin/nano entry
$ EDITOR=/bin/nano gopass edit entry
```

## Modes of operation

* Create a new secret
* Edit an existing secret

## Flags

| Flag | Aliases | Description |
|------------|---------|-------------|
| `--editor` | `-e` | Specify the path to an editor. Must accept the filename as its first argument. |
| `--create` | `-c` | Create a new secret. You can create a new secret with `edit` with or without `-c`, but `-c` will skip searching for existing matches. |

================================================
FILE: docs/commands/env.md
================================================
# `env` command

The `env` command runs a binary as a subprocess with a pre-populated environment. The environment of the subprocess is populated with a set of environment variables corresponding to the secret subtree specified on the command line.

## Synopsis

```
$ gopass env entry env
```

================================================
FILE: docs/commands/find.md
================================================
# `find` command

The `find` command will attempt to do a simple substring match on the names of all secrets.
If there is a single match it will directly invoke `show` and display the result. If there are multiple matches a selection will be shown.

Note: The find command will not fall back to a fuzzy search.

## Synopsis

```
$ gopass find entry
$ gopass find -f entry
$ gopass find -c entry
```

## Flags

| Flag | Aliases | Description |
|------------|---------|---------------------------------------------------------------|
| `--clip` | `-c` | Copy the password into the clipboard. |
| `--unsafe` | `-u` | Display any unsafe content, even if `safecontent` is enabled. |

================================================
FILE: docs/commands/fsck.md
================================================
# `fsck` command

`gopass` can check the integrity of its password stores with the `fsck` command. It will ensure proper file and directory permissions as well as proper recipient coverage (on supported crypto backends, only).

## Synopsis

```
$ gopass fsck
```

## Modes of operation

* Check the entire password store, incl. all mounts
* Check only the specified mount

## Flags

Flag | Aliases | Description
---- | ------- | -----------
`--decrypt` | | Decrypt and reencrypt all secrets.

================================================
FILE: docs/commands/fscopy.md
================================================
# `fscopy` command

The `fscopy` command is used to copy a file from your filesystem into your password store, while keeping it in clear in your local filesystem after having stored it in your encrypted store.

## Synopsis

```bash
$ gopass fscopy ~/test/file data/test/file-entry
$ gopass fscopy data/test/file-entry ~/file
```

## Modes of operation

This command either reads a file from the filesystem and writes the encoded and encrypted version in the store or it decrypts and decodes a secret and writes the result to a file. Either source or destination must be a file and the other one a secret. If you want the source to be removed use 'gopass fsmove'.
`fscopy` is intended to work with raw files.

### Example

```
$ gopass fscopy ~/test/file data/test/file-entry
$ gopass cat data/test/file-entry
```

See also the docs for the [`cat` action](cat.md).

## Flags

This command has currently no supported flags except the gopass globals.

================================================
FILE: docs/commands/fsmove.md
================================================
# `fsmove` command

The `fsmove` command is used to move a file from your filesystem into your password store, erasing it from your local filesystem after having stored it in your encrypted store.

## Synopsis

```bash
$ gopass fsmove ~/test/file data/test/file-entry
$ gopass fsmove data/test/file-entry ~/file
```

## Modes of operation

This command either reads a file from the filesystem and writes the encoded and encrypted version in the store or it decrypts and decodes a secret and writes the result to a file. Either source or destination must be a file and the other one a secret. The source will be wiped from disk or from the store after it has been copied successfully and validated. If you don't want the source to be removed use 'gopass fscopy'.

`fsmove` is intended to work with raw files.

### Example

```
$ gopass fsmove ~/test/file data/test/file-entry
$ gopass cat data/test/file-entry
```

See also the docs for the [`cat` action](cat.md).

## Flags

This command has currently no supported flags except the gopass globals.

================================================
FILE: docs/commands/generate.md
================================================
# `generate` command

The `generate` command is used to generate a new password and store it into the password store.

Note: If you only want to generate a password without storing it in the store, use the `pwgen` command.

## Synopsis

```
$ gopass generate entry [length]
$ gopass generate entry key [length]
```

## Modes of operation

* Generate a new entry with a new password, e.g. a new login.
  Setting the `Password` field, `gopass generate entry [chars]`
* Re-generating a new password and setting it in the `Password` field of an existing entry
* Generate a new password and setting it to a new key of an existing secret, e.g. `gopass generate entry key [chars]`
* Re-generate a new password for an existing key in an existing entry

## Flags

| Flag | Aliases | Description |
|---------------|---------|-------------|
| `--clip` | `-c` | Copy the generated password into the clipboard. Default: Value of `autoclip` |
| `--print` | `-p` | Print the generated password to the terminal. Default: false. |
| `--force` | `-f` | Force overwriting an existing entry. |
| `--edit` | `-e` | Generate a password and open the entry for editing in `$EDITOR`. |
| `--generator` | `-g` | Choose one of the available password generators, described below. Default: `cryptic` |
| `--symbols` | `-s` | Include symbols in the generated password (default: `false`) |
| `--strict` | | Ensure each requested character class is actually included. Without this option all requested classes can be included, but not necessarily are. (default: `false`) |
| `--sep` | | Word separator for multi-word generators. |
| `--lang` | | Language for word-based generators. |

## Password Generators

Use `--generator` to select one of the available password generators:

| Generator | Description |
|-------------|-------------|
| `cryptic` | The default generator yields cryptic passwords that should work with most sites. Use `--symbols` and `--strict` if the site has specific requirements. Please note that we auto-detect the correct rules for some sites. The length argument specifies the number of characters. |
| `xkcd` | Use an [XKCD#936](https://xkcd.com/936/) style password. Use `--lang` and `--sep` to refine its behaviour. The length argument specifies the number of words. |
| `memorable` | Generate a memorable password. The length argument specifies the minimum length in characters. Please note that the password might be longer if not all necessary rules were satisfied by the minimum length solution. |
| `external` | Use the external generator from `$GOPASS_EXTERNAL_PWGEN` |

## Relevant configuration options

* `autoclip` only applies to `generate`. If set the generated password is automatically copied to the clipboard - unless `--clip` is explicitly set to `--clip=false`
* `safecontent` will suppress printing of the password, unless `-p` is set. The password will not be copied, unless `-c` or the `autoclip` option are set.

## Templates

When creating a new entry gopass will look for the most specific template by going up in the secret path looking for a file called `.pass-template`. If any such file is found it will be used to pre-populate the generated secret.

================================================
FILE: docs/commands/gopass.md
================================================
# `gopass` command

Calling `gopass` without any command argument is a common entry point and has two different modes.

## Synopsis

```
$ gopass
$ gopass entry
$ gopass -c entry
```

## Modes of operation

* Invoked without any arguments `gopass` will start an interactive REPL shell. This includes zero-setup command completion and passphrase caching (for non-GPG backends).
* Invoked with one argument it will perform a (fuzzy) search and display a list of matches or the secret directly (if exactly one match).
* Invoked with two arguments it will do a search and, if there is a match, display the named key.

## Flags

Note: DO NOT use in scripts! Use `gopass show` instead.

| Flag | Aliases | Description |
|------------|---------|-------------|
| `--clip` | `-c` | Copy the password value into the clipboard and don't show the content. |
| `--unsafe` | `-u` | Display unsafe content (e.g. the password) even when the `safecontent` option is set. No-op when `safecontent` is `false`. |
| `--yes` | | Assume yes on all yes/no questions or use the default on all others. |

================================================
FILE: docs/commands/grep.md
================================================
# `grep` command

The `grep` command works like the Unix `grep` tool. It decrypts all secrets and performs a substring or regexp match on the given pattern.

## Synopsis

```
$ gopass grep foobar
```

## Modes of operations

* Search for the given pattern in all secrets

## Flags

None.

Flag | Aliases | Description
---- | ------- | -----------
`--regexp` | | Parse the pattern as a RE2 regular expression.

================================================
FILE: docs/commands/history.md
================================================
# `history` command

The `gopass history` command will show all revisions of a given secret.

## Synopsis

```
$ gopass history entry
```

## Modes of operation

* Display all revisions of the given secret.

## Flags

None.

================================================
FILE: docs/commands/init.md
================================================
# `init` command

The `init` command is used to initialize a new password store. If no recipients are specified a usable existing private key is used.

The `init` command must be used to initialize new mounts. `gopass mounts add` only supports adding existing mounts.

Note: We do not support adding recipients using `init`. Please use `gopass recipients add` for that!
## Synopsis

```
$ gopass init
$ gopass init --crypto [age|gpg] --storage=[fs|gitfs]
```

## Flags

| Flag | Aliases | Description |
|------|---------|-------------|
| `--path` | `-p` | Initialize the (sub) store in this location. |
| `--store` | `-s` | Mount the newly initialized sub-store at this mount point |
| `--crypto` | | Select the crypto backend. Choose one of: `gpgcli`, `age`, `xc` (deprecated) or `plain`. Default: `gpgcli` |
| `--storage` | | Select the storage and RCS backend. Choose one of: `gitfs`, `fs`. Default: `gitfs` |

See [backends.md](../backends.md) for more information on the available backends.

================================================
FILE: docs/commands/insert.md
================================================
# `insert` command

The `insert` command is used to manually set (insert, or change) a password in the store. It applies to either new or existing secrets.

## Synopsis

```
$ gopass insert entry
$ gopass insert entry key
```

## Modes of operation

* Create a new entry with a user-supplied password, e.g. a new site with a user-generated password or one picked from `gopass pwgen`: `gopass insert entry`
* Change an existing entry to a user-supplied password
* Create and change any field of a new or existing secret: `gopass insert entry key`
* Read data from STDIN and insert (or append) to a secret

Insert is similar in effect to `gopass edit` with the advantage of not displaying any content of the secret when changing a key.

Note: `insert` will not change anything but the `Password` field (using the `insert entry` invocation) or the specified key (using the `insert entry key` invocation).
## Flags

| Flag | Aliases | Description |
|------|---------|-------------|
| `--echo` | `-e` | Display the secret while typing (default: `false`) |
| `--multiline` | `-m` | Insert using `$EDITOR` (default: `false`). This is identical to running `gopass edit entry`. All other flags are ignored. |
| `--force` | `-f` | Overwrite any existing value and do not prompt. (default: `false`) |
| `--append` | `-a` | Append to any existing data. Only applies if reading from STDIN. (default: `false`) |

================================================
FILE: docs/commands/link.md
================================================
# `link` command

The `link` (or `ln`) command is used to create a symlink from one secret in a store to a target in the same store.

Note: Symlinks across different stores / mounts are currently not supported!

Note: `audit` and `list` do not recognize symlinks yet. They will treat symlinks as regular (different) entries.

## Synopsis

```
$ gopass ln foo/bar bar/baz
$ gopass show foo/bar
$ gopass show bar/baz
```

## Modes of operations

* Create a symlink from an existing secret to a new name. The target must not exist yet.

Note: Use `gopass rm` to remove a symlink.

## Flags

None.

================================================
FILE: docs/commands/list.md
================================================
# `list` command

The `list` command is used to list all the entries in the password store or at a given prefix.

## Synopsis

```bash
gopass ls
gopass ls path/to/entries
```

- List all the entries in the password store including the ones in mounted stores: `gopass list`
- List all the entries in a given folder showing their relative path from the root: `gopass list path/to/entries`

Note: `list` will not change anything, nor encrypt or decrypt anything.
## Flags

| Flag | Aliases | Description |
|------|---------|-------------|
| `--limit value` | `-l value` | Max tree depth (default: -1) |
| `--flat` | `-f` | Print a flat list of secrets (default: false) |
| `--folders` | `-d` | Print a flat list of folders (default: false) |
| `--strip-prefix` | `-s` | Strip prefix from filtered entries (default: false) |

The `--flat` and `--folders` flags provide a plaintext list of the entries located at the given prefix (default prefix being the root `/`). They are notably used to produce the completion results. The `--flat` one will list all entries, one per line, using its full path. The `--folders` one will display all the folders, one per line, recursively per level. For instance an entry `folder/sub/entry` would cause it to list both:

```bash
$ gopass list --folders
folder
folder/sub
```

whereas `gopass list --flat` would have just displayed one line: `folder/sub/entry`.

The `--strip-prefix` flag is meant to be used along with `--flat` or `--folders`. It will list the relative path from the current prefix, removing the said prefix, instead of listing the relative paths from the root. For instance on entry `folder/sub/entry`, running `gopass ls -f -s folder` would display only `sub/entry` instead of `folder/sub/entry`.

The `--limit` flag starts counting its depth from the root store, which means that a depth of 0 only lists the items in the root gopass store:

```bash
$ gopass list -l 0
gopass
├── bar/
├── foo/
└── test (/home/user/.local/share/gopass/stores/substore1)
```

A value of 1 would list all the items in the root, plus their sub-items but no more:

```bash
$ gopass list -l 1
gopass
├── bar/
│   └── bar
├── foo/
│   ├── bar
│   └── foo
└── test (/home/user/.local/share/gopass/stores/substore1)
    └── foo
```

A negative value lists all the items without any depth limit.
```bash
$ gopass list -l -1
gopass
├── bar/
│   └── bar
├── foo/
│   ├── bar/
│   │   ├── bar/
│   │   │   └── bar
│   │   └── baz
│   └── foo
└── test (/home/user/.local/share/gopass/stores/substore1)
    └── foo
```

The flags can be used together: `gopass list -l 1 -d` will list only the folders up to a depth of 1:

```bash
$ gopass list -l 1 -d
bar/
foo/
foo/bar/
test/
test/foo/
```

## Shadowing

It is possible to have a path that is both an entry and a folder. In that case the list command will display the folder with a marker of `(shadowed)`. The entry can still be accessed using `gopass show path/to/it`, while the content of the folder can be listed using `gopass list path/to/it`.

It should also be noted that the `mount` command can completely "shadow" an entry in a password store, simply by having the same name. This entry and its subentries will not be visible using `ls` anymore until the substore is unmounted. The entries shadowed by a mount will not show up in a search and cannot be accessed at all without unmounting.

For instance in our example above, maybe there is an entry `test/zaz` in the root store, but since the substore is mounted as `test/`, it only displays the content of the substore. Unmounting it reveals its shadowed entries:

```bash
$ gopass list test
test/
└── foo

$ gopass mounts rm test
$ gopass list test
test/
└── zaz
```

================================================
FILE: docs/commands/mounts.md
================================================
# `mounts` commands

The `mounts` commands allow managing mounted substores. This is one of the distinctive core features of `gopass` and we aim to make working with substores as seamless as possible.

Instead of supporting encryption of different parts of a store for different recipients, we encourage users to mount different stores - each encrypted to a uniform set of recipients - into a seamless virtual tree structure. This feature is modeled after standard POSIX mount semantics.
## Synopsis

```
$ gopass mounts
$ gopass mounts add mount/point /path/to/store
$ gopass mounts remove mount/point
```

## Modes of operation

* Add a new mount
* List existing mounts
* Remove an existing mount

## Creating new mounts

You can also create new mounts using `init` even if your store is already initialized:

```
gopass init --store mynewsubstore pgpkeyidentifier
```

(You can also specify a specific local path using `--path`, just make sure to keep your PGP key identifier, e.g. its email or fingerprint, as the last argument.)

================================================
FILE: docs/commands/move.md
================================================
# `move` command

Note: The implementations for `copy` and `move` are exactly the same. The only difference is that `move` will remove the source after a successful copy.

The `move` command works like the Unix `mv` or `rsync` binaries. It allows moving either single entries or whole folders around. Moving across mounts is supported.

If the source is a directory, the source directory is re-created at the destination if no trailing slash is found. Otherwise the contained secrets are placed into the destination directory (similar to what `rsync` does).

Please note that `move` will always decrypt the source and re-encrypt at the destination.

Moving a secret onto itself is a no-op.

## Synopsis

```
# Overwrite new/leaf
$ gopass move path/to/leaf new/leaf
# Move the content of path/to/somedir to new/dir/somedir
$ gopass move path/to/somedir new/dir
# Does nothing
$ gopass move entry entry
```

## Modes of operation

* Move a single secret from source to destination
* Move a folder of secrets, possibly with sub folders, from source to destination

## Flags

| Flag | Aliases | Description |
|------|---------|-------------|
| `--force` | `-f` | Overwrite existing destination without asking. |

## Details

* To simplify the implementation and support multiple backends, a `copy` or `move` operation will always decrypt and re-encrypt all affected secrets, even if moving the encrypted files around might be possible.
* You can move a secret to another secret, i.e. overwrite the destination. But `gopass` won't let you move a directory over a file. In that case you have to delete the destination first.

================================================
FILE: docs/commands/otp.md
================================================
# `otp` command

The `otp` command generates TOTP tokens from an OTP URL (`otpauth://`). The command tries to parse the password and the totp fields as an OTP URI.

Note: HOTP is supported, but requires a `counter` field to keep track of it.

Note: If `show.safecontent` is enabled, OTP URIs are hidden from the `show` command, see the [docs for show](show.md#parsing-and-secrets) to learn more about it.

## Modes of operation

* Generate the current TOTP token from a valid OTP URL
* Snip the screen to add a TOTP QR code as an OTP field to an entry.

## Flags

| Flag | Aliases | Description |
|------|---------|-------------|
| `--clip` | `-c` | Copy the time-based token into the clipboard. |
| `--alsoclip` | `-C` | Copy the time-based token into the clipboard and show it. |
| `--qr` | `-q` | Write QR code to file. |
| `--chained` | `-p` | Chain the token to the password |
| `--password` | `-o` | Only display the token. For use in scripts. |
| `--snip` | `-s` | Try and find a QR code in the screen content to add as OTP to the entry. |

## Supported formats

Your secret needs to contain either an `otpauth`, `hotp` or `totp` field. When using the OTP code directly you can simply add it to a secret using `gopass insert your/entry totp`.
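To make the `otpauth://` format concrete, the following added example (not gopass's own code) parses a `totp` URI and derives the RFC 6238 token for a given time. The function name `totpFromURI` and the sample URI are assumptions made for illustration; only HMAC-SHA1 is handled, and a URI carrying an `encoder` parameter (such as the Steam variant) is rejected rather than silently producing a wrong code.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// totpFromURI (hypothetical helper) returns the RFC 6238 HMAC-SHA1 code for an otpauth://totp/ URI at time t.
func totpFromURI(uri string, t time.Time) (string, error) {
	u, err := url.Parse(uri)
	if err != nil || u.Scheme != "otpauth" || u.Host != "totp" {
		return "", fmt.Errorf("not an otpauth://totp URI")
	}
	q := u.Query()
	if a := q.Get("algorithm"); (a != "" && !strings.EqualFold(a, "SHA1")) || q.Has("encoder") {
		return "", fmt.Errorf("unsupported algorithm or encoder")
	}
	sec := strings.ToUpper(strings.TrimRight(q.Get("secret"), "=")) // base32, often lower-case and unpadded
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(sec)
	if err != nil || len(key) == 0 {
		return "", fmt.Errorf("missing or invalid base32 secret")
	}
	period, digits := 30, 6 // defaults when the URI omits them
	if v := q.Get("period"); v != "" {
		period, _ = strconv.Atoi(v) // 0 on parse error, rejected below
	}
	if v := q.Get("digits"); v != "" {
		digits, _ = strconv.Atoi(v)
	}
	if period <= 0 || digits < 6 || digits > 8 {
		return "", fmt.Errorf("invalid period or digits")
	}
	msg := binary.BigEndian.AppendUint64(nil, uint64(t.Unix()/int64(period))) // time-step counter
	mac := hmac.New(sha1.New, key)
	mac.Write(msg)
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%[]uint32{1e6, 1e7, 1e8}[digits-6]), nil
}

// Constructed sample URI: the secret is the RFC 6238 test key, not a real credential.
func main() { fmt.Println(totpFromURI("otpauth://totp/example:alice?secret=gezdgnbvgy3tqojqgezdgnbvgy3tqojq", time.Now())) }
```
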
The `otp` command also tries to parse the body of your secret to find a line starting with `otpauth://` in case you're not using the key-value format for your secret.

Finally, if your secret contains nothing but a password on the first line, the `otp` command will try and use that password to generate an OTP code. This allows use-cases where you store your password in a given entry and your OTP code in another dedicated entry.

The otpauth URIs are typically communicated through a QR code which can be read on Linux using the `gopass otp -s your/entry` flag. It should also work if they are added using `gopass insert your/entry otpauth`, but won't work if you add them under the `totp` or `hotp` keys.

Steam OTP is supported, but requires using the `otpauth` URI input to specify the encoder, e.g. `otpauth://totp/username%20steam:username?secret=qlt6vmy6svfx4bt4rpmisaiyol6hihca&period=30&digits=5&issuer=username%20steam&encoder=steam`.

================================================
FILE: docs/commands/process.md
================================================
# `process` command

The `process` command extends the `gopass` templating to support user-supplied template files that will be processed. These templates can access the user's credentials with the template functions documented below.

That way users can store their full configuration files publicly accessible and have any of the recipients automatically populate it to generate a complete configuration file on the fly.

`gopass process` writes the result to `STDOUT`. You'll likely want to redirect it to a file.

## Synopsis

```
$ gopass process