This repository has been archived by the owner on May 27, 2019. It is now read-only.

Ditch pass dependency in binary #6

Closed
dannyvankooten opened this issue Nov 6, 2016 · 9 comments
Comments

@dannyvankooten
Collaborator

Since the files are simply GPG encrypted, we could use GPG directly for decrypting the password files.

This way, other software that use a similar approach to storing passwords can be used too. Some people use GPG directly, for example.

@emersion
Contributor

emersion commented Dec 31, 2016

This will make installation easier and we'll be able to support more platforms too (like Windows without cygwin/mingw/whatever).

One question is: how to get the PGP key's password? Ask it in the extension? How to save the password in memory?

(Note: this could solve #20)

@phryneas

phryneas commented Dec 31, 2016

Start a gpg-agent and keep the correct environment variables. That will also do pop-ups and ask for the password.
No application except gpg itself should ever ask for, or even cache, a gpg key passphrase. This will open all kinds of serious attack vectors.

PS: doing a gpg-connect-agent '' /bye should be sufficient and in most cases, environment variables would not need to be modified.

@emersion
Contributor

If we ditch the pass dependency, we'll likely also ditch the gpg dependency as soon as there is a good pgp implementation in Go.

There are some pinentry libraries in Go if that helps.

@phryneas

That would make the use of hardware tokens like the OpenPGP Smartcard, the Yubikey or the Nitrokey impossible.
Those devices have a growing userbase - I myself would be quite sad to see a promising project that I could not use in the end :/

@wiktor-k

+1 for GPG agent approach. The agent works flawlessly in complex scenarios (Enigmail or SSH via OpenPGP with smart cards) on Windows too.

@emersion
Contributor

emersion commented Feb 9, 2017

Note: ditching the GPG dependency would solve issues with env vars such as #28 and #23.

Maybe we could just have an option to use gpg-agent.

@wgroenewold

To separate this issue, we could separate the GPG bridge and the frontend, thereby making it more suitable for others to build on, if we clearly define the format of the JSON for the extension and the way it has to connect.

@emersion
Contributor

emersion commented May 1, 2017

We already have an interface for password stores, so adding a store without using the GPG binary should be pretty straightforward.

EDIT: my bad, decrypting with GPG happens somewhere else. We could define something like type ReadLoginFunc func(r io.Reader) (*Login, error).
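An added Go sketch (not the project's code) of the split proposed in this comment, combined with phryneas's point above that the passphrase stays with gpg-agent: a ReadLoginFunc parses the decrypted bytes, while a store shells out to the gpg binary and never touches the passphrase itself. Assumptions beyond the thread: the Login field names, the pass-style file layout (first line is the password, later "key: value" lines are metadata), and the PASSWORD_STORE_DIR default; the sample plaintext in main is constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// Login is the record handed to the extension. The field set is an
// assumption for this example; the thread only names the type.
type Login struct {
	Username string
	Password string
	Fields   map[string]string // remaining "key: value" lines, keys lower-cased
}

// ReadLoginFunc is the shape proposed in the thread: interpret an already
// decrypted password file. How the plaintext was produced is the store's job.
type ReadLoginFunc func(r io.Reader) (*Login, error)

// ReadLogin implements ReadLoginFunc for the pass convention (assumed here):
// first line password, subsequent "key: value" lines metadata, other lines ignored.
func ReadLogin(r io.Reader) (*Login, error) {
	sc := bufio.NewScanner(r)
	if !sc.Scan() {
		if err := sc.Err(); err != nil {
			return nil, err
		}
		return nil, errors.New("empty password file")
	}
	login := &Login{Password: sc.Text(), Fields: map[string]string{}}
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), ":", 2)
		if len(parts) != 2 {
			continue // free-form note line
		}
		key := strings.ToLower(strings.TrimSpace(parts[0]))
		val := strings.TrimSpace(parts[1])
		switch key {
		case "login", "user", "username":
			login.Username = val
		default:
			login.Fields[key] = val
		}
	}
	return login, sc.Err()
}

// entryPath maps an entry name to <dir>/<name>.gpg and refuses names that
// would resolve outside the store directory (e.g. "../something").
func entryPath(dir, name string) (string, error) {
	p := filepath.Join(dir, name+".gpg")
	rel, err := filepath.Rel(dir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes the store", name)
	}
	return p, nil
}

// GPGStore decrypts entries by running the gpg binary. The passphrase never
// reaches this process: gpg talks to gpg-agent, which prompts via pinentry.
type GPGStore struct {
	Dir  string
	Read ReadLoginFunc
}

// EnsureAgent is the no-op connection from the thread; it starts the agent
// if needed. gpg would also start it on demand, so this is optional.
func (s GPGStore) EnsureAgent() error {
	return exec.Command("gpg-connect-agent", "", "/bye").Run()
}

// Decrypt runs gpg with --batch so the only prompt the user sees is the agent's.
func (s GPGStore) Decrypt(name string) (*Login, error) {
	path, err := entryPath(s.Dir, name)
	if err != nil {
		return nil, err
	}
	var out, stderr bytes.Buffer
	cmd := exec.Command("gpg", "--batch", "--quiet", "--decrypt", path)
	cmd.Stdout, cmd.Stderr = &out, &stderr
	if err := cmd.Run(); err != nil {
		return nil, fmt.Errorf("gpg: %v: %s", err, strings.TrimSpace(stderr.String()))
	}
	return s.Read(&out)
}

func main() {
	// Constructed sample standing in for gpg's decrypted output.
	sample := "correct horse battery staple\nlogin: alice\nurl: https://example.com\n"
	l, err := ReadLogin(strings.NewReader(sample))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("user=%s fields=%v\n", l.Username, l.Fields)

	if len(os.Args) > 1 { // real decryption: needs gpg and a store on this machine
		dir := os.Getenv("PASSWORD_STORE_DIR")
		if dir == "" {
			home, _ := os.UserHomeDir()
			dir = filepath.Join(home, ".password-store")
		}
		store := GPGStore{Dir: dir, Read: ReadLogin}
		_ = store.EnsureAgent()
		if l, err := store.Decrypt(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
		} else {
			fmt.Printf("user=%s (password length %d)\n", l.Username, len(l.Password))
		}
	}
}
```

Run without arguments to see the parser on the constructed sample; with an entry name it decrypts from the store, and any passphrase dialog comes from gpg-agent's pinentry, not from this program.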

@maximbaz
Member

As I read from the code, pass binary is not used anywhere anymore, everything is being decrypted via gpg binary. I'll close the issue since it seems to be implemented, let me know if this is not so and there is more to be done here.
