* feat: Add cryptfs storage backend for filename encryption
This commit introduces a new storage backend called `cryptfs`. This backend encrypts the filenames of secrets to enhance privacy while maintaining compatibility with existing VCS backends like Git.
Key features:
- For each secret, a cryptographically secure hash (SHA-256) of its name is generated and used as the filename for the underlying storage.
- A mapping from the original secret name to the hashed filename is maintained in an encrypted file (`.gopass-mapping.age`) within the repository.
- The mapping file is encrypted using the `age` encryption backend, with recipients read from the store's `.age-recipients` file.
- The `cryptfs` backend is implemented as a wrapper around any existing storage backend (e.g., `gitfs`, `fs`), which can be configured by the user.
- The backend is registered with gopass and can be enabled by setting `storage: cryptfs` in the store's configuration.
This implementation addresses issue #2634.
* [fix] Fix lint errors
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* [chore] Fix the remaining tests and add some docs.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
---------
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: Dominik Schulz <dominik.schulz@gauner.org>
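The filename-hashing scheme described in the cryptfs commit message above, as an added Go sketch that is not gopass's own code. `memFS`, `CryptFS`, `HashName` and the sample secret name are hypothetical, and the mapping is a plain in-memory map where the commit keeps it in the age-encrypted `.gopass-mapping.age`.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
)

// memFS stands in for the wrapped backend (fs, gitfs); hypothetical type.
type memFS map[string][]byte

// OnDisk lists the filenames the wrapped backend, and so the VCS, sees.
func (m memFS) OnDisk() []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// CryptFS maps secret name -> hashed filename (hypothetical; in-memory here).
type CryptFS struct {
	sub     memFS
	mapping map[string]string
}

// HashName derives the storage filename as hex(SHA-256(secret name)).
func HashName(name string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(name)))
}

// Set stores already-encrypted content under the hashed filename.
func (c *CryptFS) Set(name string, ciphertext []byte) {
	c.mapping[name] = HashName(name)
	c.sub[c.mapping[name]] = ciphertext
}

// Get resolves the name through the mapping; unmapped names are not found.
func (c *CryptFS) Get(name string) ([]byte, bool) {
	v, ok := c.sub[c.mapping[name]]
	return v, ok
}

func main() {
	c := &CryptFS{sub: memFS{}, mapping: map[string]string{}}
	c.Set("websites/example.com/alice", []byte("constructed ciphertext"))
	fmt.Println(c.sub.OnDisk()) // one hashed filename, no secret name
}
```

The hash is deterministic, so the same secret name always maps to the same stored filename.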
* feat: Allow to customize commit messages
This change introduces the ability for users to customize the commit
message when performing actions that modify the secret store.
It adds two new flags to the `edit`, `insert`, `generate`, `copy`,
`move`, and `delete` commands:
- `--commit-message` (`-m`): to specify the commit message directly.
- `--interactive-commit` (`-i`): to open an editor for the commit
message.
The default behavior of using a pre-defined commit message is
preserved.
* fix: Use correct commit message from context
This change fixes a bug where the commit message from the context was
not being used correctly in the `delete` function.
---------
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
* [CLEANUP] Moving options to the correct config section
This adds an easy migration path to our config handling, which should
allow us to migrate option names around much more easily in the future.
Any system level config or env variables options are not migrated.
This also fixes a bug in our test code, where the root mount path was
not properly set in our config, because we used "path:" instead of
"path=" to set it.
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [DOCUMENTATION] Document legacy options and their migration path
This also makes sure that legacy options aren't used in the code anymore using the docs test and its regexp
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [n/a] Removing weird spaces from changelog
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [DOCUMENTATION] Reformatting our Markdown tables properly
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [TESTING] Patching a timezone bug in tests
This is a fun one where if your Timezone isn't UTC and you are past midnight but it's not past midnight UTC, the tests would fail because you're not using the right date to validate it.
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [n/a] Fix a typo and use the correct Env variables in the doc about the custom Env variables
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [BREAKING] Custom Env options moved from GOPASS_CONFIG_CONFIG_KEY_i to GOPASS_CONFIG_KEY_i
As discussed in #2617, this actually reflects the way GIT_CONFIG works.
It also fixes a potential Panic in our codebase when IsSet was called
without any Preset config on a non-existing key.
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [CLEANUP] Patching all of the new linter complaints
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [CLEANUP] Use Go1.21 everywhere
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [n/a] Increase our Golangci timeout
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [n/a] code review comment and extra regression test
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
---------
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* Improve test isolation
These tests shouldn't pick up user configs.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Use correct flag names for rcs init test
These flags must use the canonical names since they are not processed
by the CLI library and as such aliases are not applied.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Remove obsolete warning in fsck help
The default format should be fully compatible with other
password store implementations.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Remove unused "Verbose" context property
This was never set anywhere, so we can safely remove it.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Remove --clip option for the find command
When this is invoked as `gopass find` there is actually no
code path that leads to this flag being used.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Remove mount versions from the `version` command
The `version` command should generally only print the version and not
load the full config, trigger auto-sync and other operations that
happen when initializing the mounts.
Moving the mount point information to the new `mounts versions` command.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Update find integration test
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Do not run auto-sync if the command is `sync`
Otherwise sync might run twice.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Reset auto-sync if a full `sync` succeeds
Since a `gopass sync` without the `--store` option is the same
operation as an auto-sync we should reset the interval if it
was successful.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Remove sync messages about importing and exporting keys
These usually don't take a lot of time and don't need a mention unless
they fail.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Refactor OTP action to reduce code complexity and duplication
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Clean up outdated Git documentation
`gopass` isn't configuring `git` to sign commits anymore.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
This commit adds yet another config handler for gopass. It is based on
the format used by git itself. This has the potential to address a lot
of long standing issues, but it also causes a lot of changes to how we
handle configuration, so bugs are inevitable.
Fixes #1567
Fixes #1764
Fixes #1819
Fixes #1878
Fixes #2387
Fixes #2418
RELEASE_NOTES=[BREAKING] New config format based on git config.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
Co-authored-by: Yolan Romailler <AnomalRoil@users.noreply.github.com>
address comments
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
This commit replaces `os.MkdirTemp` with `t.TempDir` in tests. The
directory created by `t.TempDir` is automatically removed when the test
and all its subtests complete.
Prior to this commit, temporary directory created using `os.MkdirTemp`
needs to be removed manually by calling `os.RemoveAll`, which is omitted
in some tests. The error handling boilerplate e.g.
	defer func() {
		if err := os.RemoveAll(dir); err != nil {
			t.Fatal(err)
		}
	}()
is also tedious, but `t.TempDir` handles this for us nicely.
Reference: https://pkg.go.dev/testing#T.TempDir
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
* Do not decrypt secrets when moving or copying them
This PR attempts to avoid decrypting secrets needlessly when they are
only copied or moved. All currently supported backends have a filesystem
backing them so the old workaround of Get and Set shouldn't be necessary
anymore. In case we re-introduce such backends or a direct move fails
for some reason we still fall back to Get and Set if necessary.
Fixes #2181
RELEASE_NOTES=[ENHANCEMENT] Avoid decryption on move or copy
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Fix lint issues
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Add debug log statements
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Always re-encrypt when fsck is invoked with --decrypt
* Explain convertedSecret check
Fixes #2015
RELEASE_NOTES=[BUGFIX] Always re-encrypt when fsck is invoked with --decrypt.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
This commit adds HIGHLY EXPERIMENTAL support for the Fossil SCM.
It's barely tested but seems to support the most basic use cases
already. A lot of Fossil specifics aren't supported, yet. Cloning
for example isn't supported so far.
Fixes #2022
RELEASE_NOTES=[EXPERIMENTAL] Support the Fossil SCM
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
Running gci in order to make sure we have properly deterministic imports
RELEASE_NOTES=n/a
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
This commit replaces some overly complex constructs with type
parameters.
Fixes #2030
RELEASE_NOTES=[ENHANCEMENT] Generics
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
The SSH Command override for persistent connections was broken on termux
where we don't have /tmp. But since $TMPDIR is set os.TempDir should
return a proper location.
RELEASE_NOTES=[BUGFIX] Fix SSH Command override on termux
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
This commit adds a new subcommand to support symlinks within the same
mount. The command is intentionally still hidden since the support
isn't fully fleshed out, yet. Neither audit nor list know of links
and cross mount symlinks aren't supported either (and maybe never will).
RELEASE_NOTES=[ENHANCEMENT] Add gopass ln
Fixes #1820
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
This adds a reminder when fsck was not run within the last 90d (or never).
RELEASE_NOTES=[ENHANCEMENT] Remind to run gopass update/fsck/audit after 90d
RELEASE_NOTES=[ENHANCEMENT] Added a env var to disable reminders
This commit renames the existing out methods that expect
a format string to include the common f suffix and introduces
new out methods without this suffix that don't accept a
format string or variadic arguments.
Fixes #1793
RELEASE_NOTES=n/a
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
This will be added to the per-store git config on newly
initialized stores.
RELEASE_NOTES=[ENHANCEMENT] Use persistent SSH connections
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
This PR adds a small release helper along with some documentation.
This should allow anyone with sufficient permissions to cut and push new
releases.
Fixes #1298
RELEASE_NOTES=n/a
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
This backend has never been fully completed and shouldn't be used
as-is.
RELEASE_NOTES=[CLEANUP] Remove the ondisk backend
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
This PR moves some packages from internal to pkg to increase the
independence of binaries in cmd/ from internal packages further.
RELEASE_NOTES=n/a
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
Fixes #1602
Fixes #1614
Fixes #1600
Fixes #1594
Fixes #1601
Fixes #1650
RELEASE_NOTES=[BUGFIX] Disabling all kind of parsing of the input
RELEASE_NOTES=[ENHANCEMENT] Adding the flag show -n to disable output parsing
RELEASE_NOTES=[ENHANCEMENT] Adding the option parsing to disable all parsing
Signed-off-by: Yolan Romailler <yolan@romailler.ch>
This commit reduces the usage of internal/ packages in auxiliary
binaries so we can get closer to eventually moving them to their own
repos.
RELEASE_NOTES=n/a
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>