Packaging: Docker
I'm thinking about reviving our Docker image.
We did retire it because it was rarely used and broken. But if we get it into usable shape and have proper instructions it might be useful again.
How is it supposed to be used? Through exposing the JSON API with Gopass-bridge only?
That's an excellent question. I'm not sure if it's actually useful, I just wanted to put it up for discussion.
IMO, here's the "way" one could use gopass with docker:
- We provide a Docker image in which the user is supposed to provide as ENV vars:
  - the https git repo URL to their repo
  - their username
  - an access token
  then we can use git as explained here: https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token#using-a-token-on-the-command-line
  That would probably work since we could then set (it's not the best security tho) in the docker image:
    git config --global user.name "your username"
    git config --global user.password "your token"
- Then the docker container could expose the JSON API on some port and allow connecting to it using the Gopass browser extension.
Not sure it's worth the hassle, are there people that are only using Gopass with the browser extension and never directly? If you are such a person, please comment here so that we know if it's a use-case we should support.
Just a random lurker here, who is thinking of changing password manager to this. I am a heavy container user, and would definitely use it, or make my own image if none is provided. There would be many benefits of using containers. Some thoughts (from a Linux/unix perspective):
- Reduced attack surface, by installing only the dependencies which are required, e.g. by using a distroless base image.
- Isolated from the host system. Malware must be especially targeted to access your secret files.
- Versions of the dependencies do not matter in the container, e.g. always use the latest working ones without breaking the host.
- Compatibility support, especially between different systems (gpg as the major problem). I would like to use elliptic curves for encryption. I can see from the documentation that only RSA and DSA are supported, where DSA is already deprecated and should not be used. Elliptic curves are not in older gpg versions; they would be faster and can provide better security.
I see the major problem here being that data is not persistent. Even though, to my understanding, gopass syncs to the git repository often, it would slow down the usage a lot by cloning the repository every time you instance a new container. One way to speed this up is by using named volumes (this exposes your files to the host, but they are root-only readable). Also, moving local files into the container can be a hassle, if there is ever a need for that, without using volumes. How to manage gpg keys properly is one question. I am not aware how you made it in the past; these are just thoughts.
Another problem here is probably clipboard functionality. I'm unsure how it is handled here, but in general it requires X server access, so this socket should be shared into the container, along with handling of session keys. One other way is to use clipper.
Also /dev/urandom must be shared with the container so that gpg is able to generate keys properly.
Instead of providing credentials as ENV values for your git repository, one way would be to forward ssh-agent into the container, and you would be able to use local SSH keys for making commits.
In theory you would get a very similar user experience from the container by creating some simple shell script wrapper which uses the required run parameters for the image. Exposing the JSON API might be usable in some kind of detached mode. By peeking at the old documentation, you have been using it only in interactive mode, but single commands could be usable as well, e.g. by using volumes.
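One concrete shape for the shell wrapper and run parameters sketched in the comment above, as an added example that is not gopass project code. The image name, the container user id and the in-container paths are assumptions; it keeps the store on a named volume, forwards ssh-agent instead of putting a git token in ENV, and refuses to start if such a token is present.

```shell
#!/bin/sh
# Added example wrapper (not gopass project code). Image name, user id and the
# in-container paths are assumptions; adjust them to the image you build.
set -eu

IMAGE="${GOPASS_IMAGE:-ghcr.io/example/gopass:latest}"  # placeholder image name
STORE_VOLUME="${GOPASS_STORE_VOLUME:-gopass-store}"     # named volume: no re-clone per run
CHOME=/home/gopass                                      # assumed $HOME inside the image

# Refuse to start when a git token was handed over as an ENV var; the wrapper
# forwards ssh-agent instead, so the secret never shows up in `docker inspect`.
refuse_token_in_env() {
    [ -z "${GIT_TOKEN:-}" ] && [ -z "${GITHUB_TOKEN:-}" ]
}

# Print the `docker run` arguments one per line so they can be inspected
# (or tested) on a machine without Docker.
gopass_docker_args() {
    printf '%s\n' run --rm -i
    # store and gopass config persist on a named volume
    printf '%s\n' -v "${STORE_VOLUME}:${CHOME}/.local/share/gopass"
    # host gpg keyring mounted from the host rather than baked into the image
    printf '%s\n' -v "${GNUPGHOME:-${HOME:-/root}/.gnupg}:${CHOME}/.gnupg"
    # git over SSH via the host agent socket; no credentials in ENV
    if [ -n "${SSH_AUTH_SOCK:-}" ]; then
        printf '%s\n' -v "${SSH_AUTH_SOCK}:/ssh-agent" -e SSH_AUTH_SOCK=/ssh-agent
    fi
    # clipboard needs the X socket; share it only when a display exists
    if [ -n "${DISPLAY:-}" ]; then
        printf '%s\n' -v /tmp/.X11-unix:/tmp/.X11-unix -e "DISPLAY=${DISPLAY}"
    fi
    # unprivileged user, no capabilities, no setuid escalation
    printf '%s\n' --user 1000:1000 --cap-drop=ALL --security-opt=no-new-privileges
    # a TTY only when stdin is one, so `gopass show -o name | ...` still pipes
    if [ -t 0 ]; then printf '%s\n' -t; fi
    printf '%s\n' "$IMAGE"
}

# run_gopass show some/entry  ->  docker run ... IMAGE show some/entry
run_gopass() {
    refuse_token_in_env || { echo "refusing: git token found in ENV" >&2; return 1; }
    old_ifs=$IFS; IFS='
'
    set -f; set -- $(gopass_docker_args) "$@"; set +f; IFS=$old_ifs
    docker "$@"
}
```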
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This is still something I find useful. Maybe a Docker image with all gopass integrations and dependencies installed.
I think the Dockerfile is in decent shape. But we should hook it up to our release process and make sure we push updated Docker images on every release.
We should automatically build and publish a new Docker image to GHCR on every release.