Add a credential helper for gopass #138

sudoforge · 2019-03-29T21:32:21Z

Background Information

gopass is a rewrite of pass written in Go. It provides a very similar interface to zx2c4's pass, while adding some additional functionality that helps using the password manager within team or multi-team environments, such as mounting external stores, encrypting different blobs for different recipients, etc.

It has a configuration file, located at $XDG_CONFIG_HOME/gopass/config.yml, example below:

root:
  askformore: false
  autoclip: true
  autoimport: true
  autosync: true
  check_recipient_hash: false
  cliptimeout: 45
  concurrency: 1
  editrecipients: false
  nocolor: false
  noconfirm: false
  nopager: false
  notifications: true
  path: gpgcli-gitcli-fs+file:///home/username/code/src/github.com/username/my-personal-store
  recipient_hash: {}
  safecontent: false
  usesymbols: false
mounts:
  work:
    askformore: false
    autoclip: true
    autoimport: true
    autosync: true
    check_recipient_hash: false
    cliptimeout: 45
    concurrency: 1
    editrecipients: false
    nocolor: false
    noconfirm: false
    nopager: false
    notifications: true
    path: gpgcli-gitcli-fs+file:///home/username/code/src/git.company.com/username/my-work-store
    recipient_hash: {}
    safecontent: false
    usesymbols: false

The root dictionary, above, holds the configuration for the root ("default") store. The mounts list provides zero or more dictionaries for additional stores which are "mounted" at the top-level name (the mount's name). For example, with the above configuration:

$ gopass foo

would attempt to access and decrypt foo.gpg in /home/username/code/src/github.com/username/my-personal-store, and

$ gopass work/foo

would attempt to access and decrypt foo.gpg in /home/username/code/src/git.company.com/username/my-work-store.

Proposal

I personally switched over to gopass some time ago, as I found it more intuitive than pass when I began managing passwords for clients and other organizations. It would be great to have a credential helper that interfaced with gopass. I currently utilize pass only because it is the only available credential helper that appeals to me; I would like to remove this dependency and utilize the password manager I use for everything else.

Note: I'm drafting this issue here, but fully plan on contributing to the project and writing this helper myself within the next few weeks. If this would be ill received, please advise.

The text was updated successfully, but these errors were encountered:

captn3m0 · 2019-04-09T21:00:13Z

How different is the gopass cli interface from pass? I was going through https://github.com/docker/docker-credential-helpers/blob/master/pass/pass_linux.go and it seems that the helper just invokes the pass command.

Was wondering if a symlink that points /usr/bin/pass to /usr/bin/gopass work?

sudoforge · 2019-04-09T21:59:13Z

@captn3m0 It's not all that different, and at the core, for a user with one password store and who doesn't store additional metadata within it, /usr/bin/pass and /usr/bin/gopass are fairly interchangeable. The difference mostly lies in the fact that gopass supports the management of additional, external "mounts" - separate, unrelated repositories (see my example in the original issue comment); additionally, metadata can be stored/accessed within any particular entry:

$ gopass foo
mysupersucretpassword
username: sudoforge
favorite_color: green

$ gopass foo favorite_color
green

Personally, I'd prefer if the gopass credential helper allowed for the specification of an entry to use - if such an entry is provided, then the token is stored and accessed as metadata, rather than generating one or more new entries altogether.

On a side note from that, I've noticed (but not yet opened or searched existing issues for) several bugs in the pass implementation as it exists today -- so even if it would work, I wouldn't want to reimplement it for gopass or use it to support gopass - although it can serve as a good base or example to start from.

binarin · 2021-12-14T09:35:55Z

There are some slight command-line arguments incompatibilities. It still can be used almost as-is, by using a simple compatibility wrapper installed as pass:

#!/usr/bin/env bash
if [[ $1 == "--clip" ]]; then
   # xmonad pass prompt
    exec gopass show "$@"
elif [[ $1 == "ls" && $# == 1 ]]; then
    # proton-bridge
    # no fancy chars in output
    exec gopass ls -f
elif [[ $1 == "rm" && $2 == "-rf" ]]; then
    # proton-bridge
    # `-rf` as single arg is not supported, split them in 2
    shift 2
    exec gopass rm -r -f "$@"
else
  exec gopass "$@"
fi

alexisph · 2022-01-29T20:42:56Z

I had trouble getting docker-credential-pass to work with podman and gopass, even after adding @binarin 's script above to my $PATH as pass.

To make it work, I had to:

Add credential-helpers = [ "pass" ] to /etc/containers/registries.conf.d/gopass.conf
ln -s ~/.local/share/gopass/stores/root ~/.password-store. See https://github.com/docker/docker-credential-helpers/blob/master/pass/pass.go#L106

sudoforge · 2022-01-29T20:46:15Z

To make it work, I had to:

ln -s ~/.local/share/gopass/stores/root ~/.password-store. See https://github.com/docker/docker-credential-helpers/blob/master/pass/pass.go#L106

You could set PASSWORD_STORE_DIR instead of keeping that symlink around.

This change adds support for `gopass` as a credential store, based on the `pass` implementation. Closes: docker#138 Closes: docker#166

This change adds support for `gopass` as a credential store, based on the `pass` implementation. Closes: docker#138 Closes: docker#166 Signed-off-by: sudoforge <9c001b67637a@sudoforge.com>

This change adds support for `gopass` as a credential store, based on the `pass` implementation. Closes: docker#138 Closes: docker#166 Signed-off-by: sudoforge <no-reply@sudoforge.com>

alexisph mentioned this issue Jan 29, 2022

rootless podman supports credHelper containers/podman#4123

Open

sudoforge linked a pull request May 13, 2023 that will close this issue

feat: add support for gopass as a credential store #268

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add a credential helper for gopass #138

Add a credential helper for gopass #138

sudoforge commented Mar 29, 2019 •

edited

captn3m0 commented Apr 9, 2019

sudoforge commented Apr 9, 2019

binarin commented Dec 14, 2021

alexisph commented Jan 29, 2022 •

edited

sudoforge commented Jan 29, 2022

Add a credential helper for gopass #138

Add a credential helper for gopass #138

Comments

sudoforge commented Mar 29, 2019 • edited

Background Information

Proposal

captn3m0 commented Apr 9, 2019

sudoforge commented Apr 9, 2019

binarin commented Dec 14, 2021

alexisph commented Jan 29, 2022 • edited

sudoforge commented Jan 29, 2022

sudoforge commented Mar 29, 2019 •

edited

alexisph commented Jan 29, 2022 •

edited