Add .gitconfig parser
This commit adds yet another config handler for gopass. It is based on
the format used by git itself. This has the potential to address a lot
of long standing issues, but it also causes a lot of changes to how we
handle configuration, so bugs are inevitable.

Fixes gopasspw#1567
Fixes gopasspw#1764
Fixes gopasspw#1819
Fixes gopasspw#1878
Fixes gopasspw#2387
Fixes gopasspw#2418

RELEASE_NOTES=[BREAKING] New config format based on git config.

Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
Co-authored-by: Yolan Romailler <AnomalRoil@users.noreply.github.com>

address comments

Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
dominikschulz committed Nov 25, 2022
1 parent 2de9ae5 commit 702be31
Showing 123 changed files with 3,216 additions and 1,347 deletions.
1 change: 1 addition & 0 deletions .github/workflows/autorelease.yml
@@ -86,6 +86,7 @@ jobs:
run: |
for D in dist/*.deb; do
curl -H"X-Filename: ${D}" -H"X-Apikey: ${APIKEY}" -XPOST --data-binary @$D https://packages.gopass.pw/repos/gopass/upload
curl -H"X-Filename: ${D}" -H"X-Apikey: ${APIKEY}" -XPOST --data-binary @$D https://packages.gopass.pw/repos/gopass-unstable/upload
done
env:
APIKEY: ${{ secrets.APT_APIKEY }}
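Review bot: the added curl line pushes every artifact of this release job to `gopass-unstable` unconditionally, so the unstable track can only ever mirror what stable gets; if pre-releases are meant to land there (docs/setup.md in this same change says the track "sometimes contains pre-release versions"), that needs a condition on the tag or a separate job. Both uploads also run curl without `--fail`, so an HTTP error from `packages.gopass.pw` leaves the workflow green while the package is missing from one repo; add `-fsS` so the loop aborts on the first failed upload instead of continuing with the same `APIKEY`.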
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -5,6 +5,7 @@
* [BUGFIX] Improve support for non-vim editors (#2427, #2424)
* [BUGFIX] Only pass vim options to vim (#2421, #2412)
* [ENHANCEMENT] Support combined short flags (#2420, #2419)
# Changelog

## 1.14.10 / 2022-11-09

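Review bot: no changelog entry for the breaking change is visible in this hunk; the commit carries `RELEASE_NOTES=[BREAKING] New config format based on git config`, yet the lines shown are unrelated bugfix and enhancement entries. Add a `[BREAKING]` line at the top of the unreleased section naming the new file location (`$HOME/.config/gopass/config`), the renamed keys (`autoclip` to `core.autoclip`, `path` to `mounts.path`) and the `GOPASS_CONFIG_NO_MIGRATE` switch, since users meet all of this on the first start after upgrading.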
2 changes: 1 addition & 1 deletion Makefile
@@ -110,7 +110,7 @@ test-win: $(GOPASS_OUTPUT)
$(GO) test -test.short -run '(Test|Example)' $(pkg) || exit 1;)

test-integration: $(GOPASS_OUTPUT)
cd tests && GOPASS_BINARY=$(PWD)/$(GOPASS_OUTPUT) GOPASS_TEST_DIR=$(PWD)/tests $(GO) test -v
cd tests && GOPASS_BINARY=$(PWD)/$(GOPASS_OUTPUT) GOPASS_TEST_DIR=$(PWD)/tests $(GO) test -v $(TESTFLAGS)

crosscompile:
@echo -n ">> CROSSCOMPILE linux/amd64"
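Review bot: `$(TESTFLAGS)` is appended to the `test-integration` target but is neither defined nor documented anywhere in this hunk; make expands an unset variable to nothing, so the target still works, but add a `TESTFLAGS ?=` default with a short comment so `make test-integration TESTFLAGS='-run TestConfig'` is discoverable, and consider threading the same variable into `test-win` above for consistency.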
12 changes: 7 additions & 5 deletions docs/commands/config.md
@@ -6,12 +6,14 @@ Note: To manage mounts use `gopass mounts`.

## Synopsis

```
$ gopass config
$ gopass config autoclip
$ gopass config autoclip false
```bash
gopass config
gopass config core.autoclip
gopass config core.autoclip false
```

## Flags

None.
Flag | Description
---- | -----------
`--store` | Only sync a specific sub store
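Review bot: the `--store` description `Only sync a specific sub store` is copied from the sync command and is wrong for `config`; docs/config.md in this same change says the flag selects which sub-store's configuration is read or written, so phrase it that way (e.g. `Operate on the configuration of the given sub-store`). The section previously read `None.`, so also confirm the flag is actually accepted by `config` and where it goes on the command line: the read-only docs in this change put it before the key (`gopass config --store team-sharable core.readonly true`).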
10 changes: 5 additions & 5 deletions docs/commands/create.md
@@ -8,9 +8,9 @@ and asking for the necessary information to create a reasonable secret location.

## Synopsis

```
$ gopass create
$ gopass create --store=foo
```bash
gopass create
gopass create --store=foo
```

## Modes of operation
@@ -26,8 +26,8 @@ To add new templates to the wizard add templates to this folder.

Example:

```
$ cat $(gopass config path)/.gopass/create/aws.yml
```bash
$ cat $(gopass config mounts.path)/.gopass/create/aws.yml
---
priority: 5
name: "AWS"
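Review bot: `$(gopass config mounts.path)` only works if a single-key query prints the bare value, but the read-only docs in this same change show `gopass config core.readonly` printing `core.readonly: false`, i.e. `key: value`; with that format the substitution expands to `mounts.path: /some/path` and the `cat` fails. Either make single-key reads print the bare value, or change the example to strip the prefix. A one-line note that the old key name `path` no longer works would also save users a confusing error here.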
71 changes: 48 additions & 23 deletions docs/config.md
@@ -26,9 +26,17 @@ Some configuration options are only available through setting environment variab
| `GOPASS_GPG_BINARY` | `string` | Set this to the absolute path to the GPG binary if you need to override the value returned by `gpgconf`, e.g. [QubesOS](https://www.qubes-os.org/doc/split-gpg/). |
| `GOPASS_PW_DEFAULT_LENGTH` | `int` | Set to any integer value larger than zero to define a different default length in the `generate` command. By default the length is 24 characters. |
| `GOPASS_AUTOSYNC_INTERVAL` | `int` | Set this to the number of days between autosync runs. |
| `GOPASS_NO_AUTOSYNC` | `bool` | Set this to `true` to disable autosync. |
| `GOPASS_NO_AUTOSYNC` | `bool` | Set this to `true` to disable autosync. Deprecated. Please use `core.autosync` |
| `GOPASS_CONFIG_NOSYSTEM` | `bool` | Do not read `/etc/gopass/config` (if it exists) |
| `GOPASS_CONFIG_NO_MIGRATE` | `bool` | Do not attempt to migrate old gopass configs |
| `GOPASS_CPU_PROFILE` | `string` | Path to write a CPU Profile to. Use `go tool pprof` to visualize. |
| `GOPASS_FORCE_CHECK` | `string` | (internal) Force the updater to check for updates. Used for testing. |
| `GOPASS_MEM_PROFILE` | `string` | Path to write a Memory Profile to. Use `go tool pprof` to visualize.|
| `GOPASS_UNCLIP_CHECKSUM` | `string` | (internal) Used between gopass and it's unclip helper. |
| `GOPASS_UNCLIP_NAME` | `string` | (internal) Used between gopass and it's unclip helper. |
| `PWGEN_RULES_FILE` | `string` | (internal) Used for testing the pwgen rules generator. |

Variables not exclusively used by gopass
Variables not exclusively used by gopass:

| **Option** | **Type** | **Description** |
| ---------------------- | -------- | ------------------------------------------------------------------------------------------------------ |
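Review bot: the deprecation text for `GOPASS_NO_AUTOSYNC` should spell out the inverted mapping: `GOPASS_NO_AUTOSYNC=true` corresponds to `core.autosync=false` (and `core.autosync` defaults to `true` per the options table later in this file), otherwise readers will set `core.autosync true` expecting it to disable syncing. `GOPASS_CONFIG_NOSYSTEM` should also say which keys `/etc/gopass/config` is allowed to set, since that file is operator-controlled and overrides the hard-coded presets for every user on the machine. Minor: `it's unclip helper` should read `its unclip helper` in both `GOPASS_UNCLIP_*` rows.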
@@ -42,31 +50,48 @@ Variables not exclusively used by gopass

## Configuration Options

During start up, gopass will look for a configuration file at `$HOME/.config/gopass/config.yml` on unix-like systems or at `%APPDATA%\gopass\config.yml` on Windows. If one is not present, it will create one. If the config file already exists, it will attempt to parse it and load the settings. If this fails, the program will abort. Thus, if gopass is giving you trouble with a broken or incompatible configuration file, simply rename it or delete it.
During start up, gopass will look for a configuration file at `$HOME/.config/gopass/config` on unix-like systems or at `%APPDATA%\gopass\config` on Windows. If one is not present, it will create one. If the config file already exists, it will attempt to parse it and load the settings. If this fails, the program will abort. Thus, if gopass is giving you trouble with a broken or incompatible configuration file, simply rename it or delete it.

All configuration options are also available for reading and writing through the sub-command `gopass config`.

* To display all values: `gopass config`
* To display a single value: `gopass config autoclip`
* To update a single value: `gopass config autoclip false`
* As many other sub-commands this command accepts a `--store` flag to operate on a given sub-store, provided the sub-store is a remote one. Support for different local configurations per mount was dropped in v1.9.3.
* To display a single value: `gopass config core.autoclip`
* To update a single value: `gopass config core.autoclip false`
* As many other sub-commands this command accepts a `--store` flag to operate on a given sub-store, provided the sub-store is a remote one.

### Configuration format

`gopass` uses a configuration format inspired by and mostly compatible with the configuration format used by git. We support
different configuration sources that take precedence over each other, just like [git](https://mirrors.edge.kernel.org/pub/software/scm/git/docs/git-config.html).

#### Configuration precendence

* Hard-coded presets apply if nothing else if set
* System-wide configuration file allows operators or package maintainers to supply system-wide defaults in /etc/gopass/config
* User-wide (aka. global) configuration allows to set per-user settings. This is the closest equivalent to the old gopass configs. Located in `$HOME/.config/gopass/config`
* Per-store (aka. local) configuration allow to set per-store settings, e.g. read-only. Located in `<STORE_DIR>/config`.
* Per-store unversioned (aka `config.worktree`) configuration allows to override versioned per-store settings, e.g. disabling read-only. Located in `<STORE_DIR>/config.worktree`
* Environment variables (or command line flags) override all other values. Read from `GOPASS_CONFIG_KEY_n` and `GOPASS_CONFIG_VALUE_n` up to `GOPASS_CONFIG_COUNT`. Command line flags take precedence over environment variables.

### Configuration options

This is a list of available options:

| **Option** | **Type** | Description |
| ---------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `askformore` | `bool` | If enabled - it will ask to add more data after use of `generate` command. DEPRECATED in v1.10.0 |
| `autoclip` | `bool` | Always copy the password created by `gopass generate`. Only applies to generate. |
| `autoimport` | `bool` | Import missing keys stored in the pass repository without asking. |
| `autosync` | `bool` | Always do a `git push` after a commit to the store. Makes sure your local changes are always available on your git remote. DEPRECATED in v1.10.0 |
| `concurrency` | `int` | Number of threads to use for batch operations (such as reencrypting). DEPRECATED in v1.9.3 |
| `cliptimeout` | `int` | How many seconds the secret is stored when using `-c`. |
| `exportkeys` | `bool` | Export public keys of all recipients to the store. |
| `recipient_hash` | `map` | Map of recipient ids to their hashes. DEPRECATED in v1.10.0 |
| `usesymbols` | `bool` | If enabled - it will use symbols when generating passwords. DEPRECATED in v1.9.3 |
| `nocolor` | `bool` | Do not use color. |
| `nopager` | `bool` | Do not invoke a pager to display long lists. |
| `notifications` | `bool` | Enable desktop notifications. |
| `parsing` | `bool` | Enable parsing of output to have key-value and yaml secrets. |
| `path` | `string` | Path to the root store. |
| `safecontent` | `bool` | Only output _safe content_ (i.e. everything but the first line of a secret) to the terminal. Use _copy_ (`-c`) to retrieve the password in the clipboard, or _force_ (`-f`) to still print it. |
| **Option** | **Type** | Description | *Default* |
| ---------------- | -------- | ----------- | --------- |
| `core.autoclip` | `bool` | Always copy the password created by `gopass generate`. Only applies to generate. | `false` |
| `core.autoimport` | `bool` | Import missing keys stored in the pass repository without asking. | `false` |
| `core.autosync` | `bool` | Always do a `git push` after a commit to the store. Makes sure your local changes are always available on your git remote. | `true` |
| `core.cliptimeout` | `int` | How many seconds the secret is stored when using `-c`. | `45` |
| `core.exportkeys` | `bool` | Export public keys of all recipients to the store. | `true` |
| `core.nocolor` | `bool` | Do not use color. | `false` |
| `core.nopager` | `bool` | Do not invoke a pager to display long lists. | `false` |
| `core.notifications` | `bool` | Enable desktop notifications. | `true` |
| `core.parsing` | `bool` | Enable parsing of output to have key-value and yaml secrets. | `true` |
| `core.readonly` | `bool` | Disable writing to a store. Note: This is just a convenience option to prevent accidential writes. Enforcement can only happen on a central server (if repos are set up around a central one). | `false` |
| `mounts.path` | `string` | Path to the root store. | `$XDG_DATA_HOME/gopass/stores/root` |
| `core.showsafecontent` | `bool` | Only output *safe content* (i.e. everything but the first line of a secret) to the terminal. Use *copy* (`-c`) to retrieve the password in the clipboard, or *force* (`-f`) to still print it. | `false` |
| `age.usekeychain` | `bool` | Use the OS keychain to cache age passphrases. | `false` |
| `domain-alias.<from>` | `string` | Alias from domain to the string value of this entry. | `` |
| `core.showautoclip` | `bool` | Use autoclip for gopass show by default. | `false` |
| `autosync.interval` | `int` | AutoSync interval in days. | `3` |
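Review bot: the versioned per-store file `<STORE_DIR>/config` lives inside the password store itself, so whoever can push to a shared remote controls configuration for every collaborator who pulls; git, whose format this copies, deliberately never reads config from tracked files for exactly this reason. Combined with keys such as `core.autoimport` (import recipient keys without asking), `core.exportkeys` and `mounts.path`, a compromised or malicious co-maintainer could silently change which keys are trusted or where the store lives. The precedence section should state which keys are honoured from the versioned per-store file (ideally a small allowlist such as `core.readonly`), say that others are ignored with a warning, and point at `config.worktree` as the place for local overrides. Also: the `GOPASS_CONFIG_KEY_n`/`GOPASS_CONFIG_VALUE_n` scheme does not say whether `n` starts at 0 or 1, or what happens when `GOPASS_CONFIG_COUNT` exceeds the pairs actually set. Typos: `precendence`, `if nothing else if set` (is set), `accidential`, and the empty default for `domain-alias.<from>` renders as two bare backticks.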
6 changes: 4 additions & 2 deletions docs/setup.md
@@ -134,7 +134,7 @@ If this fails with an error: "Inappropriate ioctl for device" run the following

If you are using CSH or TCSH:

```
```bash
setenv GPG_TTY `tty`
```

@@ -198,6 +198,8 @@ $ sudo apt update
$ sudo apt install gopass gopass-archive-keyring
```

Note: We also have an unstable track that sometimes contains pre-release versions. Use `https://packages.gopass.pw/repos/gopass-unstable` if you want to help with early testing.

#### Manual download

First, find the latest .deb release from the repository [releases page](https://github.com/gopasspw/gopass/releases). Then, download and install it:
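Review bot: the unstable-track note gives only a repository URL; the stable instructions just above rely on `gopass-archive-keyring` for signature verification, so say whether `gopass-unstable` is signed with the same key and give the full `deb` source line, otherwise early testers will end up adding the repo with `[trusted=yes]` or with signature checks turned off.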
@@ -442,7 +444,7 @@ For example, to use gopass with [Google Drive](https://drive.google.com):
```bash
gopass setup --storage fs
mv .password-store/ "Google Drive/Password-Store"
gopass config path "~/Google Drive/Password-Store"
gopass config mounts.path "~/Google Drive/Password-Store"
```

### Download a GUI
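Review bot: in `gopass config mounts.path "~/Google Drive/Password-Store"` the tilde sits inside double quotes, so the shell passes it literally and gopass receives a path beginning with `~`; unless gopass expands `~` itself (nothing in this change says so), the root store ends up pointing at a directory literally named `~` relative to the current directory. Use `"$HOME/Google Drive/Password-Store"` or move the quotes: `~/"Google Drive/Password-Store"`.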
@@ -17,16 +17,16 @@ To workaround this, we can configure "Collaborators & teams" on GitHub side to g
Ultimately it turns out that this scenario requires a feature such as a store in readonly mode, where people can configure their local store or a set of sub-stores in readonly mode, to disable the writes and the autosync-on-writes to the store, but they can still pull to sync the latest changes from the remote store. This is not a one-stop solution for the RBAC model of the team sharing store, because we still need GitHub to setup the store access at server-side, but it will provide better usage experience from gopass client side.

Configuration examples:
```console
```bash
# To print the config
$ gopass config readonly
readonly: false
$ gopass config core.readonly
rcore.eadonly: false
# To setup the config
$ gopass config readonly true
readonly: true
$ gopass config core.readonly true
core.readonly: true
# To apply the config to a sub-store
$ gopass config readly true --store team-sharable
readonly: true
$ gopass config --store team-sharable core.readonly true
core.readonly: true
```

## References
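Review bot: `rcore.eadonly: false` in the first example output is a typo for `core.readonly: false`. More importantly, with the new split between versioned and unversioned per-store config, the example `gopass config --store team-sharable core.readonly true` should say whether it writes to `<STORE_DIR>/config` (which is committed and, with `core.autosync` defaulting to `true`, pushed to the team remote, flipping every collaborator to read-only) or to `config.worktree`; for the use case described here, a personal read-only view of a shared store, it has to be the latter. The prose correctly notes that enforcement only happens server-side, which matches the `core.readonly` description in docs/config.md.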
36 changes: 0 additions & 36 deletions fish.completion
@@ -51,42 +51,6 @@ complete -c $PROG -f -n '__fish_gopass_uses_command age identities -l chars -d "
complete -c $PROG -f -n '__fish_gopass_uses_command age identities -l help -d "show help"'
complete -c $PROG -f -n '__fish_gopass_uses_command age identities -l version -d "print the version"'
complete -c $PROG -f -n '__fish_gopass_needs_command' -a alias -d 'Command: Manage domain aliases'
complete -c $PROG -f -n '__fish_gopass_uses_command alias' -a add -d 'Subcommand: Add a new alias'
complete -c $PROG -f -n '__fish_gopass_uses_command alias add -l yes -d "Always answer yes to yes/no questions"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias add -l clip -d "Copy the password value into the clipboard"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias add -l alsoclip -d "Copy the password and show everything"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias add -l qr -d "Print the password as a QR Code"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias add -l unsafe -d "Display unsafe content (e.g. the password) even if safecontent is enabled"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias add -l password -d "Display only the password. Takes precedence over all other flags."'
complete -c $PROG -f -n '__fish_gopass_uses_command alias add -l revision -d "Show a past revision. Does NOT support RCS specific shortcuts. Use exact revision or -&lt;N&gt; to select the Nth oldest revision of this entry."'
complete -c $PROG -f -n '__fish_gopass_uses_command alias add -l noparsing -d "Do not parse the output."'
complete -c $PROG -f -n '__fish_gopass_uses_command alias add -l chars -d "Print specific characters from the secret"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias add -l help -d "show help"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias add -l version -d "print the version"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias' -a remove -d 'Subcommand: Remove an alias from a domain'
complete -c $PROG -f -n '__fish_gopass_uses_command alias remove -l yes -d "Always answer yes to yes/no questions"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias remove -l clip -d "Copy the password value into the clipboard"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias remove -l alsoclip -d "Copy the password and show everything"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias remove -l qr -d "Print the password as a QR Code"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias remove -l unsafe -d "Display unsafe content (e.g. the password) even if safecontent is enabled"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias remove -l password -d "Display only the password. Takes precedence over all other flags."'
complete -c $PROG -f -n '__fish_gopass_uses_command alias remove -l revision -d "Show a past revision. Does NOT support RCS specific shortcuts. Use exact revision or -&lt;N&gt; to select the Nth oldest revision of this entry."'
complete -c $PROG -f -n '__fish_gopass_uses_command alias remove -l noparsing -d "Do not parse the output."'
complete -c $PROG -f -n '__fish_gopass_uses_command alias remove -l chars -d "Print specific characters from the secret"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias remove -l help -d "show help"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias remove -l version -d "print the version"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias' -a delete -d 'Subcommand: Delete an entire domain'
complete -c $PROG -f -n '__fish_gopass_uses_command alias delete -l yes -d "Always answer yes to yes/no questions"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias delete -l clip -d "Copy the password value into the clipboard"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias delete -l alsoclip -d "Copy the password and show everything"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias delete -l qr -d "Print the password as a QR Code"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias delete -l unsafe -d "Display unsafe content (e.g. the password) even if safecontent is enabled"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias delete -l password -d "Display only the password. Takes precedence over all other flags."'
complete -c $PROG -f -n '__fish_gopass_uses_command alias delete -l revision -d "Show a past revision. Does NOT support RCS specific shortcuts. Use exact revision or -&lt;N&gt; to select the Nth oldest revision of this entry."'
complete -c $PROG -f -n '__fish_gopass_uses_command alias delete -l noparsing -d "Do not parse the output."'
complete -c $PROG -f -n '__fish_gopass_uses_command alias delete -l chars -d "Print specific characters from the secret"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias delete -l help -d "show help"'
complete -c $PROG -f -n '__fish_gopass_uses_command alias delete -l version -d "print the version"'
complete -c $PROG -f -n '__fish_gopass_needs_command' -a audit -d 'Command: Decrypt all secrets and scan for weak or leaked passwords'
complete -c $PROG -f -n '__fish_gopass_needs_command' -a cat -d 'Command: Decode and print content of a binary secret to stdout, or encode and insert from stdin'
complete -c $PROG -f -n '__fish_gopass_needs_command' -a clone -d 'Command: Clone a password store from a git repository'
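Review bot: the `alias add`, `alias remove` and `alias delete` subcommand completions are removed but the parent `-a alias -d 'Command: Manage domain aliases'` entry stays; if those subcommands still exist users lose their completions, and if they were superseded by the `domain-alias.<from>` config key added in docs/config.md in this change, the parent entry should go as well. The removed entries also carried `show`-style flags (`--clip`, `--qr`, `--revision`) that never applied to `alias`, which suggests this file is generated; regenerate it from the build rather than hand-editing so it matches the actual command tree.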