Compact GUI for pass

Can you please open a terminal and send me the output of the following two commands:
python --version
pass --version

And also please check if the following command gives you the list of your stored entries.
But there is no need to send the list to me:
pass

Sure!

Of course this is over Mobian which is now mostly based on Bullseye, it’s not PureOS, but here goes:

$ pass --version
============================================
= pass: the standard unix password manager =
=                                          =
=                  v1.7.3                  =
=                                          =
=             Jason A. Donenfeld           =
=               Jason@zx2c4.com            =
=                                          =
=      http://www.passwordstore.org/       =
============================================

$ python --version
-bash: python: command not found
$ python3 --version
Python 3.8.6

$ python3 ./pass-mgr-compact 
  File "./pass-mgr-compact", line 30
    new_time = progressbar.get_fraction()*progress_max_time*progress_bps
                                                                       ^
TabError: inconsistent use of tabs and spaces in indentation

Now for some installation errors of the .deb:

$ sudo dpkg -i ./pass-mgr-compact_0.5.deb 
[sudo] password for mobian: 
Selecting previously unselected package pass-mgr-compact.
(Reading database ... 81538 files and directories currently installed.)
Preparing to unpack ./pass-mgr-compact_0.5.deb ...
Unpacking pass-mgr-compact (0.5) ...
dpkg: dependency problems prevent configuration of pass-mgr-compact:
 pass-mgr-compact depends on python-gi; however:
  Package python-gi is not installed.

dpkg: error processing package pass-mgr-compact (--install):
 dependency problems - leaving unconfigured
Processing triggers for desktop-file-utils (0.26-1) ...
Processing triggers for mime-support (3.64) ...
Errors were encountered while processing:
 pass-mgr-compact

$ sudo apt install python-gi
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package python-gi is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'python-gi' has no installation candidate


$ sudo apt install python3-gi
Reading package lists... Done
Building dependency tree       
Reading state information... Done
python3-gi is already the newest version (3.38.0-1+b1).
python3-gi set to manually installed.

K, I will try it on Debian Bullseye and see if I need to make a new version for python3 or if I can make a universal version.

New features in V0.6
-) Switched to python3 incl. fixes for compatibility

The version 0.6 should work for you.
I tested it under Debian Buster and Bullseye.

0.6 worked perfectly, and I can actually copy the passwords this time after reading the README and installing both wl-clipboard and wl-clipboard-x11

thanks for the quick turnaround!


New Features in V1.0
-) Rounded “Last modified” to only one digit.
-) Successfully tested on a physical Librem5 (incl. OTP & TOMB)


Screen Shots please!!!

TOTP-Code / password is copied to clipboard using a double click.
I am currently experimenting with making the entries bigger.
Folders are generated when “/” are included in the name.


New Features in V1.0
-) Optimized Scaling for Librem5
-) Switched from os.system/os.popen to subprocess


Just installed it for the first time on my desktop - thanks a lot!

A thing I’m really missing is a search field. My list is several screens long.

Otherwise looks great and I’ll try to run it on the Librem5 soon.

I will look into the search field.
I also thought in the past about it.


I’m just trying pass with tomb on my Librem5:

purism@pureos:~$ pass open -v
  .  pass Opening the password tomb /home/purism/.password.tomb using the key /home/purism/.password.tomb.key
  .  tomb  .  Commanded to open tomb /home/purism/.password.tomb
  .  tomb  .  An active swap partition is detected...
  .  tomb [W] This poses a security risk.
  .  tomb [W] You can deactivate all swap partitions using the command:
  .  tomb [W]  swapoff -a
  .  tomb [W] [#163] I may not detect plain swaps on an encrypted volume.
  .  tomb [W] But if you want to proceed like this, use the -f (force) flag.
  .  tomb [E] Operation aborted.
 [x] Error : Unable to open the password tomb.
purism@pureos:~$ swapon -s
Filename				Type		Size	Used	Priority
/dev/zram0                             	partition	1530876	0    	100
purism@pureos:~$ sudo zramswap status
NAME       ALGORITHM DISKSIZE DATA COMPR TOTAL STREAMS MOUNTPOINT
/dev/zram0 lzo-rle       1,5G   4K   80B   12K       4 [SWAP]

I didn’t dive deep into the subject and I’m willing to accept that an unencrypted swap partition poses a risk to the tomb.

How does this compare to a zram device as swap on a system that is used by one local user? Is there a similar attack vector as for an unencrypted swap written to disk?

Edit: Decided to put it into an issue for tomb.

Edit: Modified the tomb script to recognize zramswap. Pull request is accepted.

If you run into the issue and you want to make sure that you do not accidentally --force other warnings to be ignored now or at some point in the future, use the version from the repo.

If you have swap in RAM then it’ll disappear as soon as you cut the power. If it’s on disk, it’ll remain until it gets overwritten. I guess the vector would be the same while the computer is on, but nobody could steal your powered-off computer and read the disk to find the swap if it was in RAM.
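
The distinction discussed in the posts above (swap held in a zram device versus swap written to storage), as an added example that is not part of any post and is not tomb's own check. The sample input and function names are constructed; the "mapped" category only flags device-mapper names and does not determine whether the volume is actually encrypted.

```python
import re
from pathlib import Path

# Constructed sample in /proc/swaps format; the first entry matches the
# `swapon -s` output posted in the thread, the other two are made up.
SAMPLE = (
    "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n"
    "/dev/zram0                              partition\t1530876\t0\t100\n"
    "/dev/mmcblk0p3                          partition\t2097148\t512\t-2\n"
    "/swapfile                               file\t\t1048572\t0\t-3\n"
)

ZRAM = re.compile(r"/dev/zram\d+")


def classify_swaps(text):
    """Return [(name, kind)] for every swap area listed in /proc/swaps text.

    kind is "ram" for zram devices (pages stay in RAM and are lost at
    power-off), "mapped" for device-mapper nodes (may or may not be
    dm-crypt; verify separately) and "disk" for everything else (pages
    persist on storage until overwritten).
    """
    result = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 5:                     # skip blank or truncated lines
            continue
        name = fields[0]
        if ZRAM.fullmatch(name):
            kind = "ram"
        elif name.startswith(("/dev/mapper/", "/dev/dm-")):
            kind = "mapped"
        else:
            kind = "disk"
        result.append((name, kind))
    return result


def swaps_needing_attention(text):
    """Names of active swap areas that are not RAM-only."""
    return [name for name, kind in classify_swaps(text) if kind != "ram"]


if __name__ == "__main__":
    proc = Path("/proc/swaps")
    text = proc.read_text() if proc.exists() else SAMPLE
    for name, kind in classify_swaps(text):
        print(f"{name}: {kind}")
```
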

New features in V1.2
-) Fixed progress bar if a password is in clipboard and another one is retrieved
-) Added option for “pass open --force”
-) Added some popups if errors occur

I didn’t forget about the search feature but I am still thinking where to put it in the GUI.

Until something is added you can already just click on the password list and type on the keyboard.
This search will only look from the beginning of the text and only in the open levels of the password store. Which means usually not in folders.

But I hope this tip helps a little bit?


Just looked into the project again 🙂 and questions came up:

  • Could you enable ‘issues’ in your repo?
  • If my pass tomb is open already there seems to be no way to start pass-mgr-compact. I have to close it again and then pass-mgr-compact starts after opening it again.
  • If the former issue would be resolved, could pass-mgr-compact leave the pass tomb in the state it found it in when it quits?
    • When pass-mgr-compact started and pass tomb already had been unlocked: when quitting pass-mgr-compact will leave the tomb open.
    • pass-mgr-compact starts and has to open the pass tomb: when quitting it will close the pass tomb.
  • add X-Purism-FormFactor=Workstation;Mobile; to the .desktop file to have it shown in phosh menu as a mobile friendly application
  • You provide a debian package 🙂 - thankfully installed! Could you upload your ./debian/ directory so that the package can be built from the repository
    • and even better could there be an automatic build on gitlab (don’t know if it is possible without paying for gitlab or at all, but an alternative would be to clone the repo to Purism gitlab or to sourcehut)
  • If I try to start pass-mgr-compact via the app menu on my Librem5 nothing happens. Trying via cli gives me the sudo prompt, because sudo is needed to unlock the pass tomb.
    • There should be an error message instead of silently failing
    • Best would be to offer a way to sudo to open pass¹

I really like the idea of pass-mgr-compact to have an easy way to access my password store, when not near a keyboard. Thanks for starting and sharing it!

¹) Best would be to offer a way to sudo to open pass

tomb needs to call sudo or doas to get root access to be able to setup a loop device. There’s some discussion about putting the necessary commands into the sudo configuration. Another option would be to use sudo and set export SUDO_ASKPASS=/usr/bin/ssh-askpass for pass-mgr-compact.

There’s a commit to tomb taking into account the SUDO_ASKPASS environment when calling sudo commands.

I locally updated my tomb script to the master branch version, set export SUDO_ASKPASS=/usr/bin/ssh-askpass, started pass-mgr-compact and got a ssh-askpass window asking for my password.

Setting this up to run from the .desktop file (Exec=env SUDO_ASKPASS=/usr/bin/ssh-askpass /usr/bin/pass-mgr-compact) worked also, but I’ve been asked for my password for every sudo command tomb needed to run. Would be nice to find a secure way to avoid this.

New features in V1.3
-) Added handling if tomb is already open
-) Added ‘X-Purism-FormFactor=Workstation;Mobile;’ to show that pass-mgr-compact is mobile friendly


Thx, for your feedback!

I integrated the handling of an open tomb.
If the tomb was open on start of pass-mgr-compact it asks at the end if it should close the tomb.
This way the user always has notice if the tomb stays open.

I also added the flag to highlight it as mobile friendly.
If you use a tomb and it is closed you will still have to manually open it or start it from a terminal.

What I left out is the SUDO_ASKPASS.
I could not find “/usr/bin/ssh-askpass” on my debian installation.
And probably the correct way would be to fix “tomb”.

I don’t have a “.debian” directory. I just use “dpkg-deb --build --root-owner-group pass-mgr-compact_1.3” to build a new version.
Do you have a description how to do this with a “.debian” directory?


SUDO_ASKPASS seems to be the correct way (well, there’s still that issue that nobody wants to enter their password for each command tomb wants to sudo) and it is the solution shortly integrated into tomb: https://github.com/dyne/Tomb/commit/646d2c33fd8cff96ae97814d5d47e7c281df9b83

I’d hope that you’d not need to change anything in pass-mgr-compact except maybe the .desktop file to include the setting of the environment variable SUDO_ASKPASS and the dependencies in the debian package to pull in one of

$ apt-cache search ssh-askpass
ksshaskpass - interactively prompt users for a passphrase for ssh-add
kwalletcli - command line interface to the KDE Wallet
lxqt-openssh-askpass - OpenSSH user/password GUI dialog for LXQt
lxqt-openssh-askpass-l10n - Language package for lxqt-openssh-askpass
ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-add
ssh-askpass - under X, asks user for a passphrase for ssh-add
ssh-askpass-fullscreen - Under Gnome2, asks user for a passphrase for ssh-add

I’ll look into that when I find time and on the way I’ll probably be able to provide the ./debian directory.

Thanks a lot for integrating the other stuff so quickly! I need to update 🙂.

What about opening the issues in gitlab to keep track of ideas and bugs and the decision made about how to handle them?