Open karampok opened 2 years ago
For the age backend this might be something we need to take into account.
For gpg we just call it and it will do whatever it's configured to do, e.g. invoke pinentry.
It does have a --batch flag and if that works as I'd expect it to, we might be able to add that.
But this would require a few changes.
To justify that I'd first like to understand the use case better.
Without the pinentry interaction you won't be able to decrypt your secrets?! Do you just want gopass to fail in this case?
That is correct and that is the expected behavior: I won't be able to decrypt secrets and the background script will fail.
The use case is that I have many background scripts with gopass usage that run periodically, and then suddenly a pinentry window appears, and I cannot tell which script it is coming from, and even if I cancel it, it re-appears, spamming me. Once I consciously choose to unlock the gpg-agent, scripts should start working in the background. Does that make sense?
It does have a --batch flag and if that works as I'd expect it to, we might be able to add that.
I did not know about that flag, I will check, thx
Do you just want gopass to fail in this case?
Yes. I'm not OP, but I have a similar need. I'd like to be able to tell from scripts whether gopass can get a secret. This could be a --no-prompt flag, or a have-secret command.
My use case is cron'd user services that sync data: email, ical, etc. These services are started when I log in, but what I don't want is a prompt popping up at a random point asking me for a password. Maybe my screen is locked and the two fight for control over input; maybe I'm watching a movie and don't want the interruption; whatever the case, like UDP, failing is ok. Eventually I'll give the agent the password and syncing will continue, but in the meantime, I'd like to be able to script such that syncing fails rather than prompting.
The easiest thing I can think of is a new command: can-you-decrypt? That would allow a simple if-test in scripts, and would be sufficient. Also useful would be a --no-interrupt flag added at the root and applying to any operation that could trigger a dialog. This would make gopass more script-friendly.
Adding a batch mode flag or - if it's easier - a command to check if decryption is possible w/o interactions sounds useful. We should provide this for users that want to use gopass in scripts / unattended workflows.
I am currently able to achieve that by doing

```sh
PINENTRY_USER_DATA=non-interactive gopass show -n secret
```

```sh
cat pinentry
#!/bin/bash
# Refuse to open a dialog when the caller marked itself as non-interactive.
[[ -z ${PINENTRY_USER_DATA+z} ]] || exit 1
exec /usr/bin/pinentry-gtk-2 "$@"
```

```sh
~/.gnupg> cat gpg-agent.conf
pinentry-timeout 10
pinentry-program /home/kka/.gnupg/pinentry
```
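The wrapper approach above, reworked as an added example that is not gopass project code nor the commenter's script: a POSIX pinentry gate plus a script-side "can-you-decrypt" helper that sets the same PINENTRY_USER_DATA marker. The real pinentry path (REAL_PINENTRY, defaulting to the /usr/bin/pinentry-gtk-2 from the comment) and the gopass binary (GOPASS) are assumptions.

```shell
#!/bin/sh
# Added example, not part of gopass. gpg forwards PINENTRY_USER_DATA from the
# calling process through gpg-agent to the pinentry program, so an unattended
# script can mark itself and a wrapper pinentry can refuse to open a dialog.

# Returns 0 when a dialog may be shown (marker unset), 1 when the caller set
# PINENTRY_USER_DATA to any value.
pinentry_allowed() {
  [ -z "${PINENTRY_USER_DATA+set}" ]
}

# Entry point to configure as pinentry-program in gpg-agent.conf: fail fast for
# unattended callers, otherwise hand over to the real pinentry (assumed path).
pinentry_main() {
  pinentry_allowed || exit 1
  exec "${REAL_PINENTRY:-/usr/bin/pinentry-gtk-2}" "$@"
}

# Script-side check: fetch one secret with the unattended marker set. Prints the
# secret and returns 0 when the agent already has the key unlocked; returns
# non-zero and prints nothing when a PIN/passphrase dialog would be needed.
fetch_secret_noninteractive() {
  PINENTRY_USER_DATA=non-interactive "${GOPASS:-gopass}" show -n "$1" 2>/dev/null
}

# Act as the pinentry wrapper only when installed under a pinentry* name; when
# sourced from a sync script, only the functions above are defined.
case "$(basename "$0")" in
  pinentry*) pinentry_main "$@" ;;
esac
```

A sync script then does `if secret=$(fetch_secret_noninteractive mail/imap); then ... else exit 0; fi`, so a locked agent skips the run instead of raising a dialog; this gate does not depend on pinentry-timeout being honoured by the agent.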
@karampok This works with only some gpg agents. The documentation for pinentry-timeout specifies that it may be ignored by agents -- it is not a mandated argument. pinentry-rofi, for example, does not support it.
Fair, I agree that is not ideal and it would be nice to have this added to gopass.
(nevertheless it works for bash scripts, which is my single non-interactive use case, rofi is only used interactive)
Hi *, I have been using gopass in scripts that run in the background, e.g. a script that asks for a token using gopass and then fetches emails. I am using gopass with a gpg private key stored on a YubiKey, therefore on the first run a pinentry window appears to unlock the card. Is it possible to instruct gopass to fail if a PIN is required rather than proceeding to the pinentry process?
Thx!