ayushnix / pass-coffin Goto Github PK

A .coffin directory is sometimes created inside $HOME

I was getting errors when running pass close regarding a chmod error. This was because I didn't have PASSWORD_STORE_SIGNING_KEY set. Here is a quick patch to fix the issue:

index 17c8ff3..1c910a1 100755
--- a/coffin.bash
+++ b/usr/lib/password-store/extensions/coffin.bash
@@ -77,8 +77,10 @@ coffin_close() {

   chmod 400 "$coffin_file" \
     || coffin_warn "unable to make the coffin a readonly file"
-  chmod 400 "$coffin_file.sig" \
-    || coffin_warn "unable to make the coffin signature a readonly file"
+  if [[ -n $PASSWORD_STORE_SIGNING_KEY ]]; then
+    chmod 400 "$coffin_file.sig" \
+      || coffin_warn "unable to make the coffin signature a readonly file"
+  fi

   # delete the remaining data inside PREFIX (PASSWORD_STORE_DIR)
   # CAVEAT: pass init supports specifying different .gpg-id files for different

If PASSWORD_STORE_SIGNING_KEY is set by the user, use it to sign the encrypted gpg coffin. This should ensure authenticity of the encrypted coffin.

Filippo Valsorda has released a fork of pass called passage which uses age instead of gpg.

The systemctl list-timers command shows a verbose output that isn't needed when using pass timer. pass timer should only show the amount of time left before the password store data will be hidden inside a coffin. Ideally, this should be done without resorting to hacks from sed and awk. If systemctl supports JSON output for its commands, that would help a lot. There's jc but it doesn't support converting output from list-timers into JSON yet.

If the password store isn't inside a coffin and is already decrypted, detect and indicate that instead of printing a scary message like "Unable to find an encrypted GPG coffin"

I'm wondering what's the best way to use password store with coffin on android?

I'm synchronizing a .coffin.tar.gpg file with rclone to shared storage on android. I guess that one way would be to log into termux and run pass open there (I assume it would work).

I'm wondering though if someone might have created or can think of another way to better integrate it into android? Typing on termux android keyboard a few dozen times every day doesn't sound very smooth.

Why am I getting this error as I do pass open: unable to find the signature for the coffin

If you supply an incorrect password for 3 attempts, on the next correct attempt, binary data is printed on stdout.

I think that pass open command should start a timer by default (e.g. pass open -t 1min) and have an option to open it indefinitely (e.g. -t 0) rather than the other way around. It sounds more secure.

I think that it would be more secure if there was an option not to open the whole coffin, but only a selected file inside it, e.g.:

pass open password-account-1

Besides general privacy it would be also useful for secret files that other programs use - for example aws-cli-credentials file (aws-cli). Programs that don't support gpg require secrets stored in plain text. It would be more secure if these were not extracted from the coffin until explicitly instructed (or if you could blacklist them somehow).

It's just an idea, maybe there is a simpler way to achieve the same thing. Occurred to me when looking at .env files in web development. Curious to know what you think.

I'm trying to install pass coffin on a non-rooted Android device via termux. I'm stuck on sudo make install step. It complains that it can't find /etc/bash_completion.d directory:

install: creating directory '/data/data/com.termux/files/usr/lib/password-store'
install: creating directory '/data/data/com.termux/files/usr/lib/password-store/extensions'
install: cannot change permissions of ‘/etc/bash_completion.d’: No such file or directory
make: *** [Makefile:18: install] Error 1

There may be two things here:

1. no sudo access
2. location is wrong (by default termux uses $PREFIX - /data/data/com.termux/files/usr)

Any advice would be really appreciated.

If gpg-agent's cache expires before a transient timer started using pass open -t <time> finishes and if a user cancels the pinentry prompt when the pass close command is automatically executed, a coffin is created but not signed and the password store tree isn't deleted.

Is there an easy workflow for using Git with pass-coffin?

pass-coffin should not be put in /usr/share/bash-completion/completions/ ?
see https://archlinux.org/todo/use-usrsharebash-completioncompletions-for-package-bash-completions/

If the password is cached in gpg-agent, doing pass close is potentially useless because pass open will just open it up without asking for a password.

This should be the default behavior and should get disabled using an arg.