Closed timegrid closed 1 year ago
I added a simple migration for the old profile settings, so old profiles are not lost anymore. (Caution: If you want to test this, still consider, that the data structure is changed persistently)
There is still the issue with the translation files. If i add those files, #606 would essentially be reverted. Adding only those hunks with the needed changes for all translation files would be very tedious. Can I prevent, that the header files are added as location filenames? How should I proceed?
I mean those lines, that got added again:
M localization/localization_af_ZA.ts
@@ -5,32 +5,39 @@
<name>ConfigDialog</name>
<message>
<location filename="../src/configdialog.ui" line="20"/>
+ <location filename="../src/ui_configdialog.h" line="860"/>
<source>Configuration</source>
<translation>Konfigurasie</translation>
</message>
[...]
Ii also added native gpg/git functions to implement both signature verification and the signing of gpgid file.
We had some testing on Windows and stumbled upon two issues (the first one was kind of inherited and I'd recommend a more general code review to avoind mixing qt-internal and native path separators). This is what I did:
Pass::getGpgIdPath()
as the pass store path couldn't match with the gpgIdDir because of trailing backslashes so two absolute paths were concatenated, leading to checkmarks not set properly in usersdialog.cpp, for example.ImitatePass::verifyGpgIdFile()
to comply with Windows \r\n linebreaks as QRegularExpression::MultilineOption
won't honor \r as part of a line separator.https://github.com/timegrid/QtPass/commit/a45da0a326fa7b3541d82bf7f4b93ec3751648e9
Reason
The pass store signing key feature would enhance the security of qtpass/pass when used by teams. Teams need fine-grained control over the
.gpg-id
user lists of subpaths/stores, but they also have to be able to verify the.gpg-id
user lists to prevent accidental/malicious privilege escalation. By setting thePASSWORD_STORE_SIGNING_KEY
envvar to a trusted team signing key id, password admins can provide prepared and signed.gpg-id[.sig]
files and team members can easily enable the verification by configuring the new signing key id in the corresponding profile. If the verification fails, the errorSignature for [...]/.gpg-id is invalid.
is visible and further actions are prevented. This PR would fix #624, see further discussion there.Changes
Adds the pass store signing key feature by
QString
toQHash<QString, QString>
in order to be able to represent more key/value pairs for one profile (profile['path']
,profile['signingKey']
)QHash<QString, QString>
toQHash<QString, QHash<QString, QString>>
in order to store the new data structureprofile/NAME/path
,profile/NAME/signingKey
)passSigningKey
for the current value of the profileupdateEnv()
(adding/updating the envvarPASSWORD_STORE_SIGNING_KEY
to the value from thepassSigningKey
setting or removing the envvar, if thepassSigningKey
setting is empty)README.md
Notes
This ispass
only. Using git/gpg would be possible, but quite more time-consumingqmake
, all translation file items included additional location filenames for header files../src/*.h
. I saw #606, but I have no idea, why this happened again and I'm unsure how to proceed, as some line number references need to be updated