passforios
Respect multiple keys in .gpg-id files
Pass uses .gpg-id files to specify which keys to use for encryption by default and also for specific subfolders. Specifying more than one key is supported by the .gpg-id files and via pass init. Pass for iOS seems to ignore these files and only encrypt files to the single GPG key that's defined in the app settings. The upshot is that passwords created with the app aren't necessarily readable by other clients with their own keys (which may or may not even be owned by the same person in the case of a shared password store).
It would be really nice if the app could support this feature of Pass.
One workaround seems to be setting multiple public keys; tested in the "ASCII-Armored Encrypted Key" menu and it seems to work.
@stigtsp Any insight into how you got this working? I tried bundling my public keys into gpg_key.pub and cannot decrypt anything. A single key in the .pub, and everything works.
Hi @tonymarsh, I concatenated two public keys using cat pub1 pub2 > pub_both and pasted these keys in the input box.
@stigtsp Awesome, thanks for letting me know. FWIW, catting them together and importing via iTunes also worked for me.
or, one could also gpg --armor --export key1id key2id ... > gpg_public.txt
The above way assumes that the keys are two different master keys and it doesn't work (as far as I can tell) for subkeys.
I have a single master key and a bunch of subkeys. Each device (laptop, phone, etc.) gets its subkey, and my master key lives on offline storage. Because Pass for iOS ignores the .gpg-id file, it tries to encrypt with the first key it finds (I'm assuming), which is the master key, so it can't encrypt as the private key for it is not there. (This works without issues in Pass itself, just remember to specify the keys in .gpg-id with "!" at the end.)
Edit: Just wanted to point out that this also breaks team shared password stores. Edit (2018-09-17): Decryption now seems to work. Encryption still doesn't.
Does concatenating public keys still work? I concatenated two subkeys via the ASCII-Armored Encrypted Key method, each subkey from a different master key, and only the first was used for encryption.
@natefoo I am not sure. I will try to add some related unit tests so that at least I know what works and what doesn't.
Sorry, it doesn't work anymore.
https://github.com/mssun/passforios/blob/bbc1b8124d41eb0a00ddf34cfb88ce929e17db76/passKit/Models/PGPAgent.swift#L73-83
I think we should use a keyring instead of a single public key. I will try to work on this if I get some time. If anyone is interested in working on this, please leave a comment here.
I’m still on 0.6.0 (17) and it partially works. I only imported one private subkey, and multiple public subkeys (if I remember correctly, would have been ASCII armoured and prior to 0.6).
Items created in passforios don’t get the other public subkeys added, which is unfortunate. Items created using Pass do have multiple recipient subkeys added, and can be read using passforios.
Remember that when exporting subkeys using gpg, you have to include "!" after the key, otherwise the main key will be exported and used.
Hi!
Same issue here: I use multiple public keys to sign my pass content. However, when I edit / create a file from pass-ios, it doesn't sign it with all public keys filled in the ASCII armoured part (tried to trick the system by pasting all keys together...).
If I can help to solve this issue, I'm in.
Version used: 0.7.0
#375 has been merged. I'll release it in the TestFlight ASAP. Feel free to report any bugs. Thanks.
Now, the app will select the key according to .gpg-id to encrypt and decrypt the password entry. You can add multiple keys by concatenating multiple keys into one file.
Why is this github issue still open? Is it not solved by the merge of #375?
Just for my understanding: Will the user get a warning when he updates a password in a folder with a .gpg-id when one gpg public key listed is not existing in the app? Is there a force or abort button in that situation?
With #375 the app picks the right key to sign with, but it still doesn’t include all keys in the signature.
On Jun 2, 2020, at 08:34, christian-weiss wrote:
> Why is this github issue still open? Is it not solved by the merge of #375?
> Just for my understanding: Will the user get a warning when he updates a password in a folder with a .gpg-id when one gpg public key listed is not existing in the app? Is there a force or abort button in that situation?
Hi all, I just want to make sure the current TestFlight is usable for multiple .gpg-id files. Since this feature needs a lot of work and I don't want to block the AppStore release, can I come back and continue to polish this feature later? Thanks.
See my other comment https://github.com/mssun/passforios/issues/346#issuecomment-660844953 . Maybe you could close one of the related issues and use a single one to track this feature.
@mssun multiple .gpg-id files, or multiple entries in a .gpg-id file?
multiple .gpg-id files, we cannot handle multiple entries for now
@mssun Somewhat - it can read passwords signed by other keys. It does not work when editing passwords, as after saving it drops all recipients, breaking other tools like password-store.
edit breaks as in: tools/machines that don't have the key used by PassForiOS can no longer read passwords and passwords that were edited in PassForiOS have to be re-signed with correct recipients manually.
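Added example, not code from pass or Pass for iOS: it resolves an entry's recipients the way pass does (nearest .gpg-id walking up from the entry's folder, '#' comments dropped, the trailing "!" for pinned subkeys kept, as the subkey comment earlier explains), and then checks a `gpg --list-packets` dump for the recipient-dropping breakage described in the comment above, so a store owner can find entries that other machines can no longer read. The key ids, store layout and packet dump are constructed samples and the function names are my own.

```python
import os
import re

# Constructed sample (not real keys): a root .gpg-id and a shared team/ folder
# whose .gpg-id pins two device subkeys with the trailing "!" the thread mentions.
SAMPLE_STORE = {
    ".gpg-id": "0123456789ABCDEF0123456789ABCDEF01234567\n",
    "team/.gpg-id": "0123456789ABCDEF! # laptop subkey\nFEDCBA9876543210! # phone\n",
}
# Constructed `gpg --list-packets` dump of team/site.gpg after it was re-saved
# to only the first recipient, the breakage described above.
SAMPLE_PACKETS = (
    ":pubkey enc packet: version 3, algo 1, keyid 0123456789ABCDEF\n"
    "\tdata: [2047 bits]\n:encrypted data packet:\n\tlength: 75\n"
)
PKESK_RE = re.compile(r":pubkey enc packet:.*?keyid ([0-9A-Fa-f]{16})")

def write_sample_store(root):
    for rel, text in SAMPLE_STORE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)

def resolve_gpg_id(root, entry):
    """Recipients for `entry` (e.g. 'team/site.gpg') resolved like pass: nearest
    .gpg-id from the entry's folder up to the store root, '#' comments and blank
    lines dropped, the '!' suffix kept so the list can go straight to `gpg -r`."""
    folder = os.path.dirname(os.path.join(root, entry))
    while True:
        gpg_id = os.path.join(folder, ".gpg-id")
        if os.path.isfile(gpg_id):
            with open(gpg_id) as f:
                ids = [line.split("#", 1)[0].strip() for line in f]
            return [i for i in ids if i]
        if os.path.realpath(folder) == os.path.realpath(root):
            raise FileNotFoundError("no .gpg-id between entry and store root")
        folder = os.path.dirname(folder)

def missing_recipients(expected, list_packets_output):
    """.gpg-id entries with no matching PKESK in a `gpg --list-packets` dump.
    The dump names the encryption subkey, so matching is by hex suffix and only
    works for entries that are subkey ids/fingerprints (as with '!'); a master-key
    fingerprint or e-mail address must be mapped through the keyring first."""
    found = {k.upper() for k in PKESK_RE.findall(list_packets_output)}
    missing = []
    for entry in expected:
        n = entry.rstrip("!").replace(" ", "").upper()
        n = n[2:] if n.startswith("0X") else n
        if not re.fullmatch(r"[0-9A-F]{16,40}", n):
            missing.append(entry + " (unverifiable offline)")
        elif not any(n.endswith(k) for k in found):
            missing.append(entry)
    return missing
```

On a real store, feed `missing_recipients` the output of `gpg --list-packets` for each `.gpg` file and the result of `resolve_gpg_id` for that path; a non-empty list marks an entry that must be re-encrypted to the full recipient set.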
Hi @mssun! Did you get some time to come over that issue and work on the remaining things you wanted to? That's definitely a feature I'm looking for to share correctly some of my passwords between my private and work GPG keys. Do you have a branch to share on that work in progress?