mirror of
https://github.com/gopasspw/gopass.git
synced 2025-12-08 19:24:54 +00:00
baad47c7ef
* This change introduces an agent for the age backend to cache passphrases for age identities. The agent is a long-running process that listens on a Unix domain socket. Gopass communicates with the agent to request decryption of secrets. The agent caches the passphrases for the identities and performs the decryption, so the passphrases never leave the agent process. This addresses the security concerns with the initial implementation. The agent can be controlled with the following commands: - `gopass age agent`: starts the agent in the foreground. - `gopass age lock`: locks the agent, clearing all cached passphrases. The age backend will automatically start the agent if it's not already running and the `age.agent-enabled` configuration option is set to `true` (the default). This change includes: - The implementation of the age agent in `internal/backend/crypto/age/agent/`. - Modifications to the age backend to communicate with the agent. - A new configuration option `age.agent-enabled`. - Unit tests for the agent. - Updated documentation for the age backend. The integration test for this feature (`TestAgeAgent`) is currently failing. The issue is that the test environment is non-interactive, and the code path for initializing a new age store requires a password for the identity keyring, which triggers a `pinentry` call that fails without a TTY. I have tried several approaches to work around this, including setting the `GOPASS_PASSWORD` environment variable and providing a custom pinentry script, but none have been successful so far. The core implementation of the agent is believed to be correct, but the integration test needs further work to run in a non-interactive environment. * This change introduces an agent for the age backend to cache passphrases for age identities. The agent is a long-running process that listens on a Unix domain socket. Gopass communicates with the agent to request decryption of secrets. The agent caches the passphrases for the identities and performs the decryption, so the passphrases never leave the agent process. This addresses the security concerns with the initial implementation. The agent can be controlled with the following commands: - `gopass age agent`: starts the agent in the foreground. - `gopass age lock`: locks the agent, clearing all cached passphrases. The age backend will automatically start the agent if it's not already running and the `age.agent-enabled` configuration option is set to `true` (the default). This change includes: - The implementation of the age agent in `internal/backend/crypto/age/agent/`. - Modifications to the age backend to communicate with the agent. - A new configuration option `age.agent-enabled`. - Unit tests for the agent. - Updated documentation for the age backend. * This change introduces an agent for the age backend to cache passphrases for age identities. The agent is a long-running process that listens on a Unix domain socket. Gopass communicates with the agent to request decryption of secrets. The agent caches the passphrases for the identities and performs the decryption, so the passphrases never leave the agent process. This addresses the security concerns with the initial implementation. The agent can be controlled with the following commands: - `gopass age agent`: starts the agent in the foreground. - `gopass age lock`: locks the agent, clearing all cached passphrases. The age backend will automatically start the agent if it's not already running and the `age.agent-enabled` configuration option is set to `true` (the default). This change includes: - The implementation of the age agent in `internal/backend/crypto/age/agent/`. - Modifications to the age backend to communicate with the agent. - A new configuration option `age.agent-enabled`. - Unit tests for the agent. - Updated documentation for the age backend. * This change introduces an agent for the age backend to cache passphrases for age identities. The agent is a long-running process that listens on a Unix domain socket. Gopass communicates with the agent to request decryption of secrets. The agent caches the passphrases for the identities and performs the decryption, so the passphrases never leave the agent process. This addresses the security concerns with the initial implementation. The agent can be controlled with the following commands: - `gopass age agent`: starts the agent in the foreground. - `gopass age lock`: locks the agent, clearing all cached passphrases. The age backend will automatically start the agent if it's not already running and the `age.agent-enabled` configuration option is set to `true` (the default). This change includes: - The implementation of the age agent in `internal/backend/crypto/age/agent/`. - Modifications to the age backend to communicate with the agent. - A new configuration option `age.agent-enabled`. - Unit tests for the agent. - Updated documentation for the age backend. * Fix some test failures and add more logging. Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org> * Fix lint error Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org> * [fix] Fix integration tests Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org> --------- Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org> Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: Dominik Schulz <dominik.schulz@gauner.org>
21 lines
397 B
Go
21 lines
397 B
Go
package appdir
|
|
|
|
import (
|
|
"os"
|
|
"path/filepath"
|
|
)
|
|
|
|
// UserRuntime returns the users runtime dir
|
|
func (a *Appdir) UserRuntime() string {
|
|
if hd := os.Getenv("GOPASS_HOMEDIR"); hd != "" {
|
|
return filepath.Join(hd, ".run")
|
|
}
|
|
|
|
return filepath.Join(os.Getenv("LOCALAPPDATA"), a.name)
|
|
}
|
|
|
|
// UserRuntime returns the users runtime dir.
|
|
func UserRuntime() string {
|
|
return DefaultAppdir.UserRuntime()
|
|
}
|