pass simple

Multi-platform GUI for pass, the standard unix password manager

The advantages of pass simple include the use of GPGME (native C++, seamless integration with Security cards) or rnp (realtime,multithreading and windows support), as well as support for YAML and Markdown.

Homepage: https://sourceforge.net/projects/pass-simple/

Github and support: https://github.com/shemeshg/pass-simple-qt

Screenshots: https://github.com/shemeshg/pass-simple-qt/wiki

Rnp & Security card integration

• create a script that accept keyId as parameter.

  #!/bin/sh
  /usr/local/bin/gpg -d /outside/your/password-store/$1.gpg
  

• chmod +x script name

• Encrypt the /outside/your/password-store/$1.gpg where $1 as your keyId.
  with a content of your password.

• Set Rnp pass std exec path in settings, to your script.

Markdown

• Markdown is CommonMark plus the GitHub extensions for tables and task lists (see https://doc.qt.io/qt-6/qml-qtquick-text.html).

• Inline Images are not supported

• Links with relative path to other .pgp in the same password store are supported,

  link should not include the .pgp extension, for example

  # Header
  
  [ref to a/b file.pgp](<a/b file>)
  
  or <a/b file>
  

Yaml

• Since pass simple store totp in yaml, to read generated totp use

  gopass show fileName|yq '.["totp"]' | oathtool -b --totp -
  

• text starts with - or # can not be YAML, and is considered standard text.

• For YAML compatability with password in first line tools, it is possible to put a dummy null field.

  _: ~
  user: user1
  password: 12345
  

Fields type

• textedit - supports
  • autotype of selected text
  • MarkDown read only view
• texteditMasked
• text
• url
• password
• totp
• datetime

Changing password

Autotype types the last saved value.

After duplicate current filed with an "OLD_" prefix ("OLD_password") in edit field type, remember to save.

R.click tree view

(Not git aware)

• Add folder.

• Delete selected.

• Rename selected.

• Move selected using drag and drop.

  move available only within the same .gpg authorization folder.

Case insensitive search

• Default search is case-sensitive (using std::find). To make it case-insensitive, add an additional .* to the regex.

For example: .*WhatEver.*.* (beware of the std::regex bug in Linux gcc 14).

install platform specific

• install_linux
• install_mac
• install_windows

For all platforms - recommended

• Rnp do not self sign your Id, so import public ID in pass-simple using gnupg mode.

  On windows gnupg mode not applicable, so:

  $ gpg --edit-key jane@acme.org
  gpg> lsign
  gpg> y
  gpg> save
  

• On windows use gopass instead of pass.

Mandatory

1. Create a note with pass command line, ensure all well

   pass
   pass edit whatever
   

   • If pass store not initialized use gopass setup or follow this: https://www.redhat.com/sysadmin/management-password-store

     This document will walk through creating Private and public keys, and init the repository (setup the .gpgid authorization file).

2. Ensure you can read and write the test note created before.

3. setup git

   Avoid this set by using gopass clone

• if not using gopass.

  Prefer manually to ensure gpg absolute path, also mandatory after git clone.

  # New repository
  git init  
  echo '*.gpg diff=gpg' > ".gitattributes"
  # New and Cloned repository
  git config --local diff.gpg.binary true
  git config --local diff.gpg.textconv "`which gpg` -d --quiet --yes --compress-algo=none --no-encrypt-to"
  

  Or using pass, and correct the diff.gpg.textconv with above.

  export PASSWORD_STORE_DIR=/Volumes/volume\ name/password-store
  pass git init
  

4. Ensure you can git commit -am "commit".

5. create additional change and ensure you can git diff HEAD~ and see last change in clear text.

6. Set restoreWindows in vscode to folder or none

   It is always good practice to close all vscode opened tabs before closing pass simple otherwise vscode might recreate temporary files edited.

Optional/Advanced

1. Protect your '.gpg_id' or specific folders with Git-Enforced Policy (git server and client hooks)

   https://git-scm.com/book/en/v2/Customizing-Git-An-Example-Git-Enforced-Policy

2. Use disk encryption - tomb/veracrypt or mac's diskutil to protect the repository itself.

   password for the disk encryption can be stored in the default repository (~/.password-store/), and then link mounted encrypted repository with ln -s (like mounts in gopass)

3. Consider using yubikey or move secret keys to USB drive

   Use rotate subkey for different devices, or ASDK for team members.

4. Backup your store to other drive or remote ssh server

   https://stackoverflow.com/questions/39471072/how-to-create-a-local-push-destination-on-a-hard-disk-using-git

   Ensure you can git pull and git push

5. protect application configuration file as readonly with chmod, or AppArmor

Windows specific

Windows runs natively with Rnpgp and gnupg backend. Backup your gnupg keys before converting from sqlite to kbx.

install software

1. install gpg4win

   winget install gpg4win

2. install chocolatey (via copy past into PowerShell)

   https://chocolatey.org/install

3. install gopass

   choco install gopass

   https://github.com/gopasspw/gopass/blob/master/docs/setup.md

4. initialize gopass with gopass setup

5. list keys, and inspect store location and key format.

   gpg --list-keys

6. convert gpg4win sqlite to kbx using gpg-disable-keyboxd.

   https://gpg4win.org/version4.2.html

7. use gopass to create and edit a test document.

8. Run NSIS installer executable

   or manually Extract the deployed windows zip folder, and run pass-simple.exe from windows explorer. (application is not signed, so confirm security screen).

9. Windows Os does not recognize dot initial as hidden, so at the root of the repository.

Get-ChildItem -Path . -Force -Filter ".*" | ForEach-Object { $_.Attributes = 'Hidden' }

Mac specific

1. Install pass

   brew install pass pinentry-mac
   
   echo "pinentry-program `which pinentry-mac`" >> ~/.gnupg/gpg-agent.conf
   
   gpgconf --kill gpg-agent
   
   defaults write org.gpgtools.common UseKeychain -bool NO
   

2. Install pass-simple

   brew install --cask shemeshg/homebrew-tap/pass-simple
   

3. "XYZ Is Damaged and Can’t Be Opened. You Should Move It To The Trash"

   See https://discussions.apple.com/thread/253714860?sortBy=rank

   xattr -c /Applications/pass-simple.app/
   codesign --force --deep --sign - /Applications/pass-simple.app
   

4. Mac has no /dev/shm you can create temporary ram drive after every boot with.

   diskutil erasevolume HFS+ RAM_Disk_4G `hdiutil attach -nomount ram://8192000`
   

5. alias for cli

   alias pass-simple='nohup /Applications/pass-simple.app/Contents/MacOS/pass-simple > /dev/null 2>&1 &'
   

dev packages

brew install gpgme libgpg-error pinentry-mac
brew tap rnpgp/rnp
brew install rnp

Ubuntu specific

The .deb file and the .zip files are already qt-deployed. If you are using other distro like Fedora, you can extract the contents of the .deb file or download the linux zip, extract it to /opt and run.

1. Download the deb file and install

   sudo dpkg -r pass-simple
   sudo dpkg -i ./pass-simple-1.x.x-Linux.deb    
   

   on ubuntu 24.04 sudo apt --fix-broken install and repeat.

2. Install dependencies if compile yourself (or not using the deb file)

   sudo apt-get -y  install pass gnupg2 libgpgme-dev libgpgmepp-dev libbz2-dev libjson-c-dev
   

3. Install ydotool autotype.

   For Manual compilation https://askubuntu.com/questions/1413829/how-can-i-install-the-latest-ydotool-1-0-1-keyboard-automation-tool-working-on

• sudo cp /usr/lib/systemd/user/ydotoold.service /etc/systemd/system

• sudo service ydotool start

• sudo systemctl enable ydotool

• ensure export YDOTOOL_SOCKET=/tmp/.ydotool_socket in /opt/pass-simple/bin/pass-simple.sh.

• Open pass-simple and select setting.

  set autotype to

  ydotool type sequence
  

If compile yourself

1. If compile rnpgp yourself follow https://www.rnpgp.org/software/rnp/docs/installation/ and install the botan version as requested in the document.

2. install qt https://web.stanford.edu/dept/cs_edu/resources/qt/install-linux

   Notice: Qt6 packages in the deb repository are broken, so download the install from Qt.com

3. pull submodules

   https://stackoverflow.com/questions/1030169/pull-latest-changes-for-all-git-submodules

4. qt-cmake and build.

   ~/Qt/6.5.0/gcc_64/bin/qt-cmake -DCMAKE_BUILD_TYPE=Release ../pass-simple-qt/
   cmake --build .
   

keyboard shortcuts

Cmd S Save in preview mode.

Cmd F Toggle Find/search.

Cmd T Toggle tree view.

Cmd , Toggle Settings.

Cmd M Toggle Markdown.

Cmd Y Sync - Add,commit,pull and push.

Cmd L Toggle text and YAML in preview mode.

Cmd Shift L Logout - End gpg session, clear clipboard and search fields.

Cmd U Open Url field found (YAML mode only).

Cmd E Toggle Preview On/Off.

Cmd O Open externally with vscode (available when Preview is ON or OFF).

Built With

• Qt Quick and QT6 Open Source
• Gpgmepp
• GnuPG Made Easy (GPGME)
• LibGpgError
• pinentry-mac (Mac only) On ubuntu 20.04 - already installed and configured for wayland
• https://github.com/jbeder/yaml-cpp/
• Icons by https://icons8.com/icons/
• Icons by https://developers.google.com/fonts/docs/material_icons
• keepassxc totp
• keepassxc allow screen capture
• cog
• thread-pool
• rnp

LICENSE

https://github.com/shemeshg/pass-simple-qt/blob/main/LICENSE