fc8c9a2286
RELEASE_NOTES=[DOCUMENTATION] Adding doc about YAML entries and unsafe-keys Fixes #1940 Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
6.3 KiB
show command
The show command is the most important and most frequently used command.
It allows displaying and copying the content of the secrets managed by gopass.
Synopsis
$ gopass show entry
$ gopass show entry key
$ gopass show entry --qr
$ gopass show entry --password
Modes of operation
- Show the whole entry:
gopass show entry - Show a specific key of the given entry:
gopass show entry key(only works for key-value or YAML secrets)
Flags
| Flag | Aliases | Description |
|---|---|---|
--clip |
-c |
Copy the password value into the clipboard and don't show the content. |
--alsoclip |
-C |
Copy the password value into the clipboard and show the content. |
--qr |
Encode the password field as a QR code and print it. Note: When combining with -c/-C the unencoded password is copied. Not the QR code. |
|
--unsafe |
-u |
Display unsafe content (e.g. the password) even when the safecontent option is set. No-op when safecontent is false. |
--password |
-o |
Display only the password. For use in scripts. Takes precedence over other flags. |
--revision |
-r |
Display a specific revision of the entry. Use an exact version identifier from gopass history or the special -<N> syntax. Does not work with native (e.g. git) refs. |
--noparsing |
-n |
Do not parse the content, disable YAML and Key-Value functions. |
--chars |
Display selected characters from the password. |
Details
This section describes the expected behaviour of the show command with respect to different combinations of flags and
config options.
Note: This section describes the expected behaviour, not necessarily the observed behaviour. If you notice any discrepancies please file a bug and we will try to fix it.
TODO: We need to specify the expectations around new lines.
- When no flag is set the
showcommand will display the full content of the secret and will parse it to support key-value lookup and YAML entries. If thesafecontentoption is set totrueany secret fields (current default is onlypassword) are replaced with a random number of '*' characters (length: 5-10). Using the--unsafeflag will reveal these fields even ifsafecontentis enabled.--passwordtakes precedence ofsafecontent=trueas well and displays only the password. - The
--noparsingflag will disable all parsing of the output, this can help debugging YAML secrets for example, wherekey: 0123actually parses into octal for 83. - The
--clipflag will copy the value of thePasswordfield to the clipboard and doesn't display any part of the secret. - The
--alsoclipoption will copy the value of thePasswordfield but also display the secret content depending on thesafecontentsetting, i.e. obstructing thePasswordfield ifsafecontentistrueor just displaying it if not. - The
--qrflags operates complementary to other flags. It will additionally format the value of thePasswordentry as a QR code and display it. Other than that it will honor the other options, e.g.gopass show --qrwill display the QR code and the whole secret content below. One special case is the-oflag, this flag doesn't make a lot of sense in combination, so if both--qrand-oare given only the QR code will be displayed. - Since gopass plans to supports different RCS backends we do not support arbitrary git refs as arguments to the
--revisionflag. Using those might work, but this is explicitly not supported and bug reports will be closed aswont-fix. There are two issues with using arbitrary git refs is that (a) this doesn't work with non-git RCS backends and (b) git versions a whole repository, not single files. So the revisionHEAD^might not have any changes for a given entry. Thus we only support specifc revisions obtained fromgopass historyor our custom syntax-Nwhere N is an integer identifying a specific commit beforeHEAD(cf.HEAD~N).
Parsing and secrets
Secrets are stored on disk as provided, but are parsed upon display to provide extra features such as the ability
to show the value of a key using: gopass show entry key.
The secrets are split into 3 categories:
-
the plain type, which is just a plain secret without key-value capabilities
this is a plain secret using multiple lines and that's itgets parsed to the same value
-
the key-value type, which allows to query the value of a specific key. This does not preserve ordering.
this is a KV secret where: the first line is the password and: the keys are separated from their value by : and maybe we have a body text below itwill be parsed into (with
safecontentenabled):and: the keys are separated from their value by : where: the first line is the password and maybe we have a body text below it -
the YAML type which implements YAML support, which means that secrets are parsed as per YAML standard.
s3cret --- invoice: 0123 date : 2001-01-23 bill-to: &id001 given : Bob family : Doe ship-to: *id001will be parsed into (with
safecontentenabled):bill-to: map[family:Doe given:Bob] date: 2001-01-23 00:00:00 +0000 UTC invoice: 83 ship-to: map[family:Doe given:Bob]Note how the
0123is interpreted as octal for 83. If you want to store a string made of digits such as a numerical username, it should be enclosed in string delimiters:username: "0123"will always be parsed as the string0123and not as octal.
Both the key-value and the YAML format support so-called "unsafe-keys", which is a key-value that allows you to specify keys that should be hidden when using gopass show with gopass config safecontent set to true.
E.g:
supersecret
---
age: 27
secret: The rabbit outran the tortoise
name: John Smith
unsafe-keys: age,secret
will display (with safecontent enabled):
age: *****
name: John Smith
secret: *****
unsafe-keys: age,secret
unless it is called with gopass show -n that would disable parsing of the body, but still hide the password, or gopass show -f that would show everything that was hidden, including the password.
Notice that if the option parsing is disabled in the config, then all secrets are handled as plain secrets.