I read about the password management program pass in a question on this forum and decided to try it.
I installed from the download page (tarball 1.6.3).
I created some test entries and then some real entries and committed them to git and pushed them to github. When I looked at my github repository I did see some non-.gpg files with the plain text versions of the passwords pushed to github. Those files also exist locally. I have removed my real passwords from ~/.password-store:
$ pass
Password Store
├── test
│   ├── test
│   └── test
├── test1
│   └── test2
└── test3
    └── test4
The double test is strange already:
$ ls ~/.password-store/test
test test.gpg
$ more !$/test
more ~/.password-store/test/test
uJ94!qmv}E\41GjLxJx`
$ gpg -dq < ~/.password-store/test/test.gpg
uJ94!qmv}E\41GjLxJx`
Is this normal? What can I do against the plain text versions of the passwords being stored?
Best Answer
I have seen that application do that as well. I think it is a result of the bash script (that is the pass program) not catching some errors. For me it was reason not to start using the program for real. If you can live with the plain text files being stored locally, you can prevent them from being stored in git (and pushed out to github) by setting up a .gitignore file in your ~/.password-store: (this first ignores everything to be stored, then allows subdirs and allows the configuration files as well as all files ending in .gpg). If you haven't done so yet, you should immediately change all passwords that you pushed out to github. Also remove ~/password-store/.git and everything underneath and reinitialize git (pass git init) for the password store, as the old, committed, plaintext files will still be in there.